By Jack Ganssle

Wither Linux?

Summary: Linux and Android are the future. Or are they?

Frequent correspondent Charles Manning has been pondering the Linux/Android market, and wonders where it is all going. It's a mystery to me as well, but I can speculate.

Certainly the vendors have been dancing around Linux for a long time now. Most contributions to the code come from commercial companies, and there is a market in commercial support for the OS for embedded applications (think Montavista, Wind River, etc). It's not at all clear how healthy that business segment is as all of the companies involved are either privately-held or buried so deeply inside another organization that the numbers are not reported in a useful form.

Linux and derivative OSes offer a tremendous number of benefits, but come with baggage as well. In terms of the embedded space, I believe that most of the value they offer comes from the multitasking OS resources, the filesystem, the various rich GUIs, and the wide range of networking and communications protocols. Given that we live in an increasingly-connected world where screens are the preferred human interface, Linux is a natural fit for a lot of applications.

VDC's 2010 Market Intelligence Service report indicates that cost and real-time performance are the most important issues to people selecting an embedded operating system. Linux can score really well with the first - though with commercial support that advantage may erode to some extent - and not so great on the second. Reliability comes third in importance, and security barely makes the list as the 15th most important concern when selecting an OS.

The previous year's report showed 30% of us using some form of Linux, with 40% running a conventional RTOS.

So what does the future hold? The resources that Linux offers will surely be in ever-increasing demand, and Moore's Law insures that one of Linux's main flaws compared to an RTOS - massive memory requirements - will grow of lesser importance.

There are plenty of RTOSes that have wonderful GUIs, filesystems and communications packages so one would think these would be on an even playing ground with the FOSS alternatives. But managers tell me they are drawn to Linux (and embedded Windows) because application-level programmers are plentiful. Embedded folks cost more and are in shorter supply. As a result a lot of applications are segmented into the high-level sections that run under Linux, and a deeply-embedded portion that may even run on a separate processor, either under an RTOS or on bare metal.

But I think the industry is on the cusp of change.

If one were to dice, filter and sort the tech articles in the popular press over the last year or two, one message would dominate all of the others. Hacking. Stolen data. Leaked secrets. Compromised financial data. One would think the public would be in an uproar, but so far everyone seems as sanguine about data breeches as they are about aggressive TSA pat downs.

But the armies of electronic anarchy are clearly on the march, and as long as it's relatively easy to steal and not get caught, well, people will steal and not get caught. There will be a tipping point when the banks or the public will scream "enough!" The onus will suddenly be on us, the makers of these insecure systems, to lock them down.

It won't be pretty.

Fact is, we do know how to make secure systems. We choose not to. We're knowingly selling defective products. A blizzard of lawsuits will surely result in sudden mandates from on high to change our engineering approaches.

I have no idea if Linux can be made secure. But in the security circles I frequent no one believes it will ever do well on the Common Criteria EAL security metric. Currently both Linux and Windows are at EAL4+, which basically means they are secure as long as bad guys don't make a penetration effort. The highest levels, EAL6 and 7, are simply unattainable for these OSes due to their size. Yet commercial RTOSes, like offerings from Green Hills, exist today that have been certified to these high standards. (See http://www.niap-ccevs.org/vpl/?tech_name=Operating+System for a list of validated operating systems). The good news is that a variety of outfits are pushing their products through the Common Criteria certification process, so the universe of solutions we can tap is increasing. The bad news is that, by and large, the embedded community is uninterested in security. Today, at least. But as the old saying goes, if something can't continue forever, it won't.

Linux and it's brethren won't go away, of course. They may even garner more market share. But if that happens, I'm sure they'll be running on top of a secure OS or hypervisor.

What's your take?

Published January 13, 2011