Frequently Asked Questions (FAQ)

General LynxOS & LynxOS-178  |  LynxSecure & LYNX MOSA.ic



  • What type of support does Lynx offer?

    Lynx offers three primary support levels and custom engineering services to address every phase of our customer's product life cycles from initial system architecture to deployment: 

    1. Premium Support: Time sensitive projects need a way to quickly address technical challenges. Lynx's dedicated support team will work directly with your team to identify and resolve these issues in a timely fashion.
    2. Deluxe Support: Extending the Premium Support offering, Lynx's Deluxe Support provides a dedicated support engineer who will manage phone support, field engineering resources, and bi-weekly meetings.
    3. Long Term support applies to customer projects that have a long life cycle that  extends beyond the standard Lynx software maintenance period.

    Additional details can be found on our Support Page. 

  • Who are your competitors?

    Our core products are real-time operating system (RTOS) and virtualization technologies. Depending on our customers' requirements, they may end up using our RTOS, our separation kernel (hypervisor), or our flagship technology, which is a complete development and integration framework, including Buildroot Linux, FreeRTOS support, and tools for building bare-metal applications.

    Our competitors therefore range between proprietary RTOS companies such as Wind River Systems, Green Hills Software, DDC-I, and Sysgo to various other proprietary and/or open source virtualization and RTOS solutions.

    For a list of the most common RTOS companies we see being used today for embedded and IoT projects, see our article, "What Are the Most Popular Real-Time Operating Systems 2020." To learn more about separation kernels and how they are distinct from RTOS-based hypervisors, read: "What is a Separation Kernel?"

  • Do you have consulting and professional services?

    When Lynx engages with prospective customers and analyzes the system requirements, we often identify gaps between the capabilities of off-the-shelf products and the desired system functionality. How that gap is addressed is really dependent on the preferred approach of the customer. For example, sometimes the intellectual property created in that work is something that they deem differentiated and worthy of owning. Often Lynx will deliver professional services to address the “gap”...

  • How can I evaluate your products?

    Evaluation versions of our products can be requested on our Get Started page.


    Products are listed here: 

    LYNX MOSA.ic™ Development Framework 

    LYNX MOSA.ic for Avionics (Bundle)

    LYNX MOSA.ic for Industrial (Bundle)

    LYNX MOSA.ic for UAVs & Satellites 

    LynxSecure Separation Kernel Hypervisor 

    LynxOS-178 RTOS

    LynxOS RTOS



  • What tools do you provide?

    The primary tools we provide are:

    • Command line modeling tool – LSK’s autoconfig
    • Luminosity – Eclipse-based IDE for LynxOS-178 and Buildroot Linux development
    • Command line tool chains based on GCC/GDB for both LynxOS-178 and Buildroot Linux
      • FreeRTOS support — GCC/GDB support (pending)
      • Lynx Simple Applications (bare-metal applications) currently have tool chain support based on GCC. We do not offer GDB support for LSAs.

    For a list of additional tools, please email us.

  • Can I run Lynx products on custom hardware?

    Yes. For a complete explanation of the cost considerations, please see our helpful article, "What is the Cost of a Board Support Package (BSP)?" or contact us directly and we would be happy to discuss your project with you. Note that because LYNX MOSA.ic allows builders to allocate CPU, Memory, and IO resources in a fine grained way (effectively providing architects with a "virtual motherboard"), the details of the system need to be fully described in software.

  • Can I use Linux with your technology?

    Linux fits into LYNX MOSA.ic in two ways. First, Buildroot embedded Linux is included with MOSA.ic as a pre-integrated guest OS. This means Buildroot Linux is easily deployed in one or multiple virtual machines in your design. Linux is useful should you require an advanced filesystem, network protocol, or to take advantage of its vast device driver library, or to run a Linux application, either your own or from the community.

    Heterogenous designs are enabled where Linux is used to host complex software, such as a mySQL database or as a gateway to utilise accelerated hardware such as a GPGPU, for example, alongside another virtual machine running an RTOS to host a safety critical or real-time application. Second, Linux is helpful as a configuration, prototyping or debugging aid. It can be used temporarily during development, for example, to validate USB hardware is working before porting the driver to your RTOS environment.

  • What other open source/open standards support do your solutions provide?

    Lynx uses open source and open standards in many places. Our RTOS is built with, and presents, the POSIX (Portable Operating System Interface), standard API set to applications. UNIX and Linux are built the same way and so are familiar and substantially compatible with LynxOS-178. Both our RTOS, LynxOS-178 and bare-metal target environments are built with the GCC compiler, additionally Lynx uses the GDB debugger and the Eclipse IDE.

  • Do you have any plans to support the RISC-V processor architecture?

    No RISC-V based parts on market today support hardware virtualization, which is a fundamental requirement for LynxSecure. We are engaged with several semiconductor companies under NDA to understand their RISC-V based product plans. We intend to support this architecture once the necessary components with hardware virtualization support are rolled out.

  • Can you provide some additional detail on your use of 3D diagrams?

    In the picture below, the blue represents applications, with the largest one being Linux, the mid-sized one being an RTOS (ours or one from a 3 rd party) and smallest being a bare metal application. We have gone to 3D as we think it helps showcase the differences of our approach. The traditional architecture on the left has a large underlying operating system. The OS takes up space. It owns the hardware resources and the applications are completely reliant on its correct operation. The vertical lines represent calls from the virtual machines requesting processor resources (fork), memory resources (malloc) or IO (open, close, read, write API calls). The Lynx system on the left simply allocates hardware to the different virtual machines/applications. After that, the application has direct access to those resources it has been permitted to use. This allocation of resources cannot be modified after boot.


  • Do Lynx products support Integrated Modular Avionics (IMA)?

    Yes. LynxOS-178 has native IMA support via the ARINC 653 standard, and LynxSecure supports partitioned architectures that can also be used to build IMA systems.

  • Does Lynx support secure boot, to authenticate the boot image?

    Both LynxSecure and LynxOS-178 rely on an external bootloader, and that is where secure boot needs to happen. Setting up secure boot is target specific. We have a how-to for x86 that describes how to digitally sign the LynxSecure binary and add keys to the BIOS to enable secure boot. On Xilinx the ATF (Arm Trusted Firmware) is used to control which parts of the SoC (CPU cores and FPGA) have access to which peripherals and memory. It also controls which SMC (system management calls), like “program FPGA”, the hypervisor and other parts of the SoC are allowed to make. Overall, a highly secure system can be built by following Xilinx specific guidance.

    We have a customer building a secure gateway that has removed uboot and boots LynxSecure (with bare-metal and LynxOS-178 guests) direct from the Xilinx FSBL (first-stage bootloader).

  • Which processor architectures / suppliers does LynxSecure support?

    Lynx supports Intel, Arm and Power (note that NXP since the early part of 2020 dropped the PowerPC term… we are working through our website and collateral to make these modifications) architectures. We do require hardware virtualization to be present in the component so in the case of Arm, our focus has been on the Armv8 architecture (Cortex-A5x and Cortex-A7x cores). Our primary silicon partnerships today are with Intel, NXP (both Arm and Power elements of the Layerscape families with plans for additional product areas including i.MX and S32x) and Xilinx. We are open to discussions for other silicon chips provided they include hardware virtualization support.

  • Does Lynx support, or intend to support NVIDIA platforms for embedded?

    Given LynxSecure’s support of Arm Cortex A53 and A72 cores, the base fundamentals are in place to support a broad range of nVidia’s product portfolio. That said, support of components from nVidia is not part of Lynx’s committed roadmap at this moment in time. As Lynx starts to broaden its footprint in markets beyond aerospace, we continue to evaluate the right partnerships and components to align with our technology.

  • Are Lynx Software Technologies products and services subject ITAR controls?


    Lynx Software Technologies’ (Lynx) products and services fall under the jurisdiction of the U.S. Department of Commerce Export Administration Regulations (EAR). Lynx’s software, services, documentation, data, and other information about the Lynx Software Technologies software are “commercial items” as that term is defined in U.S. 48 CFR § 2.101. PLEASE NOTE: LYNX PRODUCTS AND SERVICES ARE NOT SUBJECT TO ITAR. Lynx’s commercial products have never been on the ITAR U.S. Munitions List (USML) (codified in U.S. 22 CFR § 121.1).

    Lynx products classified under ECCN 5D002 are eligible for export under license exception “ENC.”

  • Does the Lynx Development Environment run on a Windows Host?

    The Lynx Development Environment requires a Linux host. We use the RedHat package manager, a popular, open source package management utility. This is supported on Linux systems including RHEL, CentOS and Fedora.

  • What is the relationship between Lynx and LynuxWorks?

    Lynx was founded in 1988 and originally known as Lynx Real-Time Systems. The company changed its name to LynuxWorks in 2000 after acquiring, and merging with, ISDCorp (Integrated Software & Devices Corporation), an embedded systems company with a strong Linux background. In May 2014, the company changed its name to the present name, Lynx Software Technologies. 

  • What are Lynx Simple Applications (LSAs)?

    LynxSecure Simple Applications are bare-metal applications which runs directly on the CPU as native applications. With direct hardware access, LSAs can interface natively to almost all devices. A very few must be paravirtualized because certain guests do not have direct access to the underlying hardware; Lynx provides drivers for these paravirtualized LSAs.

  • Which specific Intel® processors does Lynx support?

    Most of our recent focus has been on supporting the Intel C3708 processor (previously known as “Denverton”). Lynx continues to work closely with Intel and is planning to support both x6000E (previously known as “ElkHart Lake”), Tiger Lake and other, as-yet-unannounced processors. For additional information, contact us at
  • How does DMA work with virtual machines (VMs) that share a CPU core?

    What happens to the DMA when it tries to access a VM that not currently scheduled on the core?

    CPUs don’t move the bits in a DMA transaction. A device does not care whether the VM is scheduled (or not) as long as it knows where to put the DMA data. The RAM assigned to the VM is still present and is able to receive DMA transactions even when the VM is NOT currently scheduled on the CPU core.
  • Is Lynx actively working on multicore designs for systems requiring certification?

    Multicore safety is an area of expertise and active innovation for Lynx Software Technologies. Multicore designs should be approached with caution and careful planning to understand the complexity and minimize risks. Our experience is that there are large pitfalls and no easy solutions. We are engaged in several multicore avionics design and research projects and would be delighted to discuss multicore safety and partitioning strategies for your next project. Please contact us to learn more. 

  • My system must achieve safety and/or security certification. Do I need an RTOS?

    Not necessarily.  Hybrid designs can be certified and supported with a heterogeneous, multi-core safety- and security-partitioning framework.  

  • What is Eclipse?

    The Eclipse open source community was started in 2001 when IBM released the Eclipse Integrated Development Environment (IDE) as an open source development framework for Java and other languages. The Eclipse IDE framework provides an excellent platform for development environment interoperability while providing vendors an extensible mechanism through which proprietary plug-ins can be added to the Eclipse IDE. Starting from a single project, the Eclipse foundation has now expanded to over a 100 projects ranging from development tools, modeling tools, web tools and IoT protocols.

    More information about the Eclipse projects can be found here

    The Luminosity IDE from Lynx Software Technologies utilizes the Eclipse IDE as a framework and extends it through proprietary plugins.

  • What is LYNX Luminosity IDE?

    Based on the popular Eclipse IDE framework (see question and answer above), Luminosity is a full-featured Java™-based IDE for all Lynx cross-development platforms. 

    The Luminosity embedded development tools suite from Lynx offers powerful development, debug and analysis tools integrated into an Eclipse-based environment for maximum interoperability.
    Luminosity offers a modern interface based on open standards, giving a consistent user experience across the Lynx Software Technologies family of real-time operating systems. This consistent look and feel is also maintained across different host development platforms, and when developing for different target processor architectures.
    For more information, please see our Luminosity product page. 



  • I don't need do-178 certification, does that mean I don't need LynxOS-178?

    LynxOS-178 is built to the high software design assurance standard of DO-178C, but the certification artifacts are optional, which means that all users of LynxOS-178 benefit from this high quality. If your project needs to be certified to some standard or if real-time determinism is needed, then LynxOS-178 is an excellent RTOS.

    If you need certification to some standard (even if it’s not DO-178) you will need LynxOS-178. We develop LynxOS-178 using DO-178C processes. This is a rigorous standard, and customers that do not need DO-178 will still benefit from LynxOS-178’s certification package for their certification efforts.

    If you need real-time determinism, then LynxOS-178 is currently the RTOS of choice on the LYNX MOSA.ic™ development framework. However, we will soon be supporting FreeRTOS as an out-of-box RTOS solution on LYNX MOSA.ic as well. You will then be able to choose between FreeRTOS and LynxOS-178 as off-the-shelf RTOS solution, according to which out-of-the-box RTOS best fits your system’s needs. We also have customers that have ported their own RTOS solutions in preference to LynxOS-178. We do not force customers to use LynxOS-178 even when they want an RTOS and need real-time determinism.

    If neither certification nor real-time determinism is required for your project, then you do not need LynxOS-178. Buildroot, which is provided as part of LYNX MOSA.ic, or a 3rd party COTS OS (e.g. RedHat Linux or Windows) may be a better OS fit for your product.

    Read: Lynx announces support for FreeRTOS

    Read: Do you need an RTOS?

    Read: How to choose an RTOS

  • What languages does LynxOS-178 support?

    • LynxOS-178 supports the C programming language for both production mode and development mode (an enhanced set of APIs and capabilities to aid in development)
    • LynxOS-178 supports C++11/14 for development mode
    • LynxOS-178 supports Ada from Lynx’s partners. (e.g,. AdaCore)
  • Does LynxOS-178 support ARINC 653 partitioning?

    Yes. LynxOS-178 supports up to 16 ARINC 653 time, space, and resource partitions per OS instance. Each partition has its own allocation of CPU time, memory resources, timer resources, inode (file system) resources, etc.
    To learn more, visit the the "more information" page for LynxOS-178.

  • Is LynxOS-178 POSIX compliant?

    Yes. LynxOS-178 is a native POSIX RTOS. It implements POSIX.1-2008 (2016 Edition), which is POSIX's core functionality, POSIX.1b (the POSIX real-time extensions), and POSIX.1c (also known as POSIX pthreads extensions). 
    To learn more, visit the "more information" page for LynxOS-178.

  • What GNU C++ compiler versions does LynxOS-178 support?

    The LynxOS-178 cross-compiler toolchain currently uses the GNU Compiler Collection version 7.1.0 compilers for C and C++.

  • Does LynxOS-178 support the Future Airborne Capability Environment (FACE™) standard?

    FACE compliance refers to software has been modified to support the FACE application programming interfaces (APIs). FACE conformance requires that the software has been tested by third parties and verified to truly meet the standard.

    LynxOS-178 is conformant to the 2.0 FACE specification. It is compliant with v3.0 and is scheduled to be conformant in Q3 2020.

  • Does LynxOS have any features for reporting security risks?

    First, LynxSecure runs Initial built in test (IBIT) and continuous built in test (CBIT) to validate the crucial hardware registers that control the partitioning of the system remain valid. By design it should be impossible to programmatically change these, so CBIT is intended for things like single-event upset (SEU), ie cosmic rays, but it also protects against a hw faults or weakness (like rowhammer).

    Secondly, LynxSecure has an audit log. Guest VMs can be granted privilege to access the audit log and to receive an interrupt when events are stored. There are about 60 audit events, things like VM lacks permission to set the time, change the schedule, make hypercall X. The events can be filtered and actions defined should you wish to halt or reset a VM that generates event X. This detects badly behaved VMs or VMs attempting to “break out”.

  • When a new driver is added to the driver pool for LynxOS-178, must that driver be developed to the highest DO-178 DAL that the RTOS will be used for?

    Yes, LynxOS-178 must be certified to the highest DAL level of any of the applications running on it. Drivers are part of the OS, and so fall under the same rule. LynxOS-178 drivers are separate binaries that are loaded at boot time. This reduces certification costs because a driver can be added and certified without touching (redoing) the kernel artifacts.

  • Is there a WiFi driver for LynxOS-178?

    Lynx does not have WiFi support for LynxOS-178. Wifi is quite complicated, meaning that WiFi and safety certification are basically mutually exclusive. (We have not heard of any supplier offering "certified WiFi").

    While there are various approaches to implementing WiFi, one approach would be to port a driver and the protocol stack from Linux/UNIX. The Lynx net stack is based on BSD UNIX for example, and since LynxOS-178 is POSIX, UNIX applications port relatively easily. I.e., application code is highly compatible (the work is mostly in the drivers and make system).

    In many situations, it is most efficient to buy a WiFi hardware module; something self-contained that can be plugged into—or soldered down—to the chosen target. This is then programmed to the required settings, with data presented via a simple channel such as serial, USB, or ethernet.

  • Is LynxOS-178 ARINC-653 compliant or conformant?

    The LynxOS-178 RTOS conforms to the ARINC 653-1 Application Executive Software (APEX) Interface defined by the ARINC 653-1 standard. LynxOS-178 and LynxOS-SE provide the following system service groups in accordance with the ARINC 653-1 standard:

    • ARINC 653 Partition Management: services related to partition management. GET_PARTITION_STATUS and SET_PARTITION_MODE are Partition Management service requests.
    • ARINC 653 Process Management: services related to process management. GET_PROCESS_ID and GET_PROCESS_STATUS are Process Management service requests.
    • ARINC 653 Time Management: services related to time management. TIMED_WAIT and PERIODIC_WAIT are Time Management service requests.
    • ARINC 653 Interpartition Communication: services responsible for communication between processes residing in different partitions. There are two types of Interpartition Communication services:
      1. Sampling Port Services: A sampling port is a communication object allowing a partition to access a channel of communication configured to operate in sampling mode. CREATE_SAMPLING_PORT and WRITE_SAMPLING_MESSAGE are Sampling Port Services service requests.
      2. Queuing Port Services: A queuing port is a communication object allowing a partition to access a channel of communication configured to operate in queuing mode. CREATE_QUEUING_PORT and SEND_QUEUING_MESSAGE are Queuing Port Services service requests.
    • ARINC 653 Intrapartition Communication: services responsible for communication between processes residing in the same partition. There are four types of Intrapartition Communication service requests:
      1. Buffer Services: A buffer is a communication object used by processes of a same partition to send or receive messages. CREATE_BUFFER and SEND_BUFFER are Buffer Services service requests.
      2. Blackboard Services: A blackboard is a communication object used by processes of the same partition to send or receive messages. CREATE_BLACKBOARD and DISPLAY_BLACKBOARD are Blackboard Services service requests.
      3. Semaphore Services: A counting semaphore is a synchronization object commonly used to provide access to partition resources. CREATE_SEMAPHORE and WAIT_SEMAPHORE are Semaphore Service service requests.
      4. Event Services: An event is a synchronization object used to notify the occurrence of a condition to processes that may wait for it. CREATE_EVENT and SET_EVENT are Event Services service requests.
    • ARINC 653 Health Monitoring: The Health Monitor (HM) is invoked by an application calling the RAISE_APPLICATION_ERROR service or by the OS or hardware detecting a fault.
  • Are ARINC partitions "on" by default? Is it possible for an ARINC partition to NOT use ARINC 653 ports?

    ARINC 653 partitions are always enabled in LynxOS-178, but by default everything is in a single partition. 

    Software can be in an ARINC 653 partition and not use ARINC ports. In this sense, there is nothing “special” about a partition—it is just a normal LynxOS-178 application (that is, a set of processes, threads, a filesystem and device nodes). It could be multiple exe files where one calls another, which reads config files from disk and writes output to a network. Each exec file has access to the POSIX API as well as the ARINC API. This whole menagerie (the partition) has a restricted schedule and memory footprint.

    The ARINC 653 partitions in LynxOS-178 are configured in a text file called the VCT (Virtual machine Configuration Table). It defines the CPU schedule for the partitions, how much RAM each gets, what FS each has and what device nodes are visible. VM0 is a privileged partition, think of it as the “root” partition, it can see into the other partitions.

    We also provide an example VCT file with the maximum (16) partitions defined, the VCT file is easy to use, it is made up of about 50 parameters with relatively intuitive names. For additional and related information, please consult the LynxOS-178 User’s Guide.

  • Which FACE APIs are supported by LynxOS-178?

    Future Airborne Capability Environment  (FACE) support by our LynxOS®-178 real-time operating system (RTOS) includes:
    • 159 APIs for the FACE Security profile
    • 81 APIs for the FACE Safety Base Profile
    • 98 APIs for the FACE Safety Extended profile
    • additional ongoing profile coverage

    For additional questions, please view our LynxOS-178 Product Details Page or contact us.

  • Does LynxOS-178 have a standard file system?

    Yes, LynxOS-178 does have a standard filesystem. By that we mean, it has a “normal filesystem”, in the same way that Linux does. Ie the LynxOS-178 kernel starts, and mounts the file system soon after boot and uses scripts in the file system to do things like initialise the network and start a bash shell.  Also, LynxOS-178 has a file system “as standard”. That is, you cannot create a LynxOS-178 system without it. By default it is a RAM disk, but normal PC disk drives (HDD, SSD, USB sticks, etc) are all also supported too.

  • What is in the LynxOS-178 file system?

    By default the FS includes lots of LynxOS-178 ports of standard Unix utilities [see below]. RSH (remote shell) is supported as well as serial, so you can login to bash from serial or network. The intention is this Unix-like command line setup is used for development. Then, when you go to certification, you remove 95% of the file system contents, leaving only the applications you wrote and any support files (config files, log files) they need. You change the start-up script to call your application instead of bash, leaving you with a system with just the minimal necessary components, and hence less expensive to certify.

    Here is the complete list of every command Lynx includes in LynxOS-178 that customers can optionally populate their filesystem with:

    arp       dd          flash_info     lcs_launcher  netstat          route      true
    ash       devices     flash_sync     lcsnetstat    nfsstat          rpcinfo    tset
    awk       devinstall  flook          legacy_init   nice             rsh        umount
    banner    df          fsck           less          nohup            runshell   uname
    basename  diff        ftp            lesskey       ntpdate          sdiff      uncompress
    bash      diff3       gawk           lipcrm        ntpq             sed        uniq
    bashbug   dirname     gdbserver      lipcs         ntptrace         setactive  usbdevs
    cat       drinstall   gnutar         ln            pci_bar_mmap_pf  setprio    vi
    chgrp     drivers     grep           login         ping             sh         wc
    chmod     drm_stat    gunzip         ls            ping6            sleep      which
    chown     du          gzcat          microcom      prio             st         xargs
    cinit     dynaminst   gzexe          mkcontig      ps               sync       xntpd
    clear     echo        gzip           mkdir         pwd              tail       xntpdc
    cmp       egrep       head           mkffs         rc               tcpdump    zcat
    cofflook  env         hello          mkfs          rcp              tee        zcmp
    compress  expr        hostname       mknod         rdc              telnet     zdiff
    cp        false       id             mkpart        reboot           termcap    zforce
    cpio      ffsck       ifconfig       more          rlogin           tftp       zgrep
    cut       file        ixgbevf_start  mount         rm               time       zmore
    date      find        kill           mv            rmdir            touch      znew
  • Does LynxOS-178 include a power-fail safe filesystem?

    No, the LynxOS-178 file system is not power-fail safe. Instead, the filesystem is mounted as read-only. Power-fail safety is incredibly difficult to do reliably and expensive (lots of code to certify). So we rely on you setting up just the small bits of the FS you need as writable, specifically for use by your application(s). For eg /tmp is writable by default. It is expected that the system is setup to load the kernel and, let’s say, 5 custom applications from a RAM disk. Then those applications might mount a writable FS on an SSD for bulk data access (large map database for eg) or logging. In this situation, the OS and your apps will always run, and any FS power-fail corruption will be limited to writable areas on the SSD. And, since you have the OS guaranteed to be uncorrupted, you should build in ways to recover if the disk does get corrupted (scripts, the chkdsk utility, etc, called programmatically from your application). Bottom line, if you need to be writing heavily to large files on disk, consider buying a fail-safe filesystem from a 3rd party, or, even better using an embedded database instead of a FS. Disks are just not 100% reliable, they are very good, but think about how many external USB HDDs you have had over the years, and how they occasionally fail.



  • What is LynxSecure?

    Briefly, LynxSecure is a separation kernel, which is a minimal hypervisor. It is a static hypervisor that is configured on your host PC so that when it boots, it allocates target hw resources (cores, memory, peripherals) into fixed immutable virtual machines. The privileged setup code is discarded (for security) so that all that is left of LynxSecure is a set of event handlers to respond to and redirect interrupts and handle management calls like “shutdown”. The separation is achieved by hardware virtualization, which once configured, does not require active management (emulation, scheduling, etc). The goal of a separation kernel is to be minimal, elegant and efficient (LynxSecure is 15K on Arm). Initially (Rushby, 1981) this was so that formal methods could be used to prove separation for security, but more recently these properties have gained traction in the safety arena, to reduce safety certification costs and to provide multicore partitioning.

    Additional reading: 

    LynxSecure Product Page 

    What is a separation kernel? (Article) 

  • Is LynxSecure an RTOS?

    No. In contrast to other popular hypervisors built by software vendors targeting the embedded market, LynxSecure is not an OS, nor is it "built on" an RTOS. LynxSecure nether runs on top of an existing RTOS or explicitly leverages a helper RTOS. It is not a microkernel and only requires only a very minimal board support package (BSP). Additionally, LynxSecure never loads any high-level drivers (these interfaces are left to the Guest OS of your choosing), and does not run any system services (leaving it with no known attack vectors).

  • What are the origins of LynxSecure?

    LynxSecure was created in response to global events in the early 2000's which emphasized the need for improved safety and security. The technology was designed to satisfy real-time high assurance computing requirements in support of the NIST, NSA Common Criteria, and NERC CIP evaluation processes which are used to regulate military and industrial computing environments. It harnessed decades of university, government and corporate research which identified three fundamental principles for a separation kernel hypervisor, namely;

    1. Separate disparate applications into different domains
    2. Ensure each domain runs unaffected by another system
    3. Security-policy enforced information flow between subjects
  • How big is LynxSecure?

    There are about 20k lines of certifiable source code in this product.

  • Is a separation kernel a hypervisor?

    Yes. A separation kernel is a minimal, unique type of bare-metal (or Type-1) hypervisor. It is distinct in critical ways from Type-2 hypervisors, which require host operating systems (OS).

    The concept behind a separation kernel is to place as little software between each OS and the hardware as possible. System functions are distributed and decentralized to avoid a single point of failure. Hardware resources (memory, IO, processor cores) are provisioned to each of the applications on boot and this cannot then be reconfigured, resulting in improved system security. Applications cannot interfere either maliciously or accidentally with other applications. The simplicity of LynxSecure (about twenty thousand lines of code) also simplifies the task of safety certification.

    To learn more about separation kernels vs. operating systems, read: "What is a Separation Kernel?"

  • What is the difference between LynxSecure and LYNX MOSA.ic?

    LynxSecure is a separation kernel. LYNX MOSA.ic is a software framework which includes LynxSecure as a foundational element. LYNX MOSA.ic also includes Buildroot Linux, bare-metal tools, and other operating systems (from Lynx, from 3rd parties and soon from open source) which customers can harness to get a head start in their development work...

    Read: What is a separation kernel?

  • Is LynxSecure NIAP certified?

    Short answer: Lynx offers a NIST 800-53 package for LynxSecure, the current NIAP-supported certification and accredited process for critical systems. No new evaluations have been accepted for years (nor will they be accepted, as the SKPP is effectively dead).

    Detailed answer: The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) is an International standard for IT products. Common Criteria defines security evaluation assurance levels (EALs) ranging from EAL1 (least secure) to EAL7 (most secure) to describe the security level achieved by Security Targets (components) being evaluated (tested) against a Protection Profile.

    For or a few years beginning in 2007, the Common Criteria included a profile for separation kernels called the Separation Kernel Protection Profile (SKPP) that real-time operating system (RTOS) providers such as Lynx, Wind River Systems, and Green Hills Software built products toward. The SKPP was sunset in 2011 by NIAP after problems with the first evaluation. The Common Criteria remains a useful standard, but no further SKPP evaluations will be accepted, and the SKPP is effectively dead. Instead, NIAP is directly supporting the certification and accreditation process for critical systems. NIST Special Publication 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” is a more general security approach that partly fills the SKPP gap. We offer a NIST 800-53 package for LynxSecure.

    LynxSecure was designed to satisfy real-time, high assurance computing requirements used to regulate military and industrial computing environments, such as NIST, NSA Common Criteria, and NERC CIP. Developed and maintained in San Jose, California in accordance with FAA DO-178 Safety Quality Standards and DoD Risk Management Framework guidelines, LynxSecure is certified, fielded, and maintained on classified DoD networks. The product has undergone many security assessments including penetration testing and design review by independent government security authorities.

    For the last several years, LynxSecure has gone through numerous delta certifications showcasing significant cost savings from the reuse of previously certified components that have remained unmodified throughout the lifecycle of a program’s tech refresh period. The technology has also enabled programs to effortless spawn derivative platforms into adjacent programs further maximizing component reuse. Lynx offers a DoD Risk Management Framework guide to aid the US Army’s security evaluation of the security enforcing properties of the platform. The package includes NIST security control traceability and Common Criteria Security Target traceability into the underlying kernel design requirements.

  • How are NIST certification artefacts delivered and updated?

    Our NIST security artefacts are for LynxSecure on x86. A block of services comes with the artefacts to train users how to adjust them for additional hardware. If desired, Lynx can engage in a discussion about professional services work to enact custom work for a specific customer.

  • How does LynxSecure ensure software partitioning?

    LynxSecure doesn’t partition software, it partitions hardware into virtual machines in which software executes. Each virtual machine can be granted very fine-grained privileges; the system can use one guest to perform one critical system function, and another guest to perform another critical system function. There is no need to bestow all of the system trust in a single guest operating system.

    In LynxSecure there is no root OS, helper OS, master OS, trusted OS, etc. Developers can however choose to emulate this approach by assigning all key system functionality to a guest OS of their choice. LynxSecure configures all partitioning in the system prior to the start of any guest OS. All hardware registers defining partitioning attributes (MMU, interrupt vectors, SMMU, PCIe, etc.) are set to the values required for the hardware to enforce the defined partitioning scheme. This includes CPU schedules, interrupt controllers, memory, devices, PCIe end points, DMA masters, etc. Once these registers are written/set, the code which performed the write is removed from the LynxSecure binary. From this point forward, it is literally not possible for LynxSecure to modify the defined partitioning, privileges, and security policies. Additional details are available in the LynxSecure Architecture guide (product documentation)

  • Can LynxSecure provide secure communication between operating systems and is it implemented by shared memory regions or via a virtual Ethernet link?

    For every architecture, LynxSecure defines one or more shared memory regions between guest operating systems.

    Each region is uni-directional/single-write.

    Each region is zero copy from the perspective of the Separation Kernel. LynxSecure has no role in copying or moving data from user to supervisor to user privilege modes. This clean approach provides a high performance, secure memory region as the underlying foundation for more advanced protocols. For Linux, Lynx Simple Applications and LynxOS-178, Lynx also provides drivers for FIFOs and vEthernet (Intel now, Arm mid 2020) communications between guests, relying on the underlying zero copy shared memory as transport.

  • Can LynxSecure provide a secure upgrade mechanism including cryptographic signing, transport encryption, downgrade attack prevention and other features?

    Solutions related to security are very SoC specific and dependent on key storage, cryptographic accelerators, and more. As such, it would be false to state that we have an off-the-shelf solution, when any solution will require a level of hardware-specific customization to leverage available resources.

    Solutions that are based on an underlying RTOS may implement platform-specific solutions which can then be exposed by that RTOS via higher level APIs. However, this will likely require that a comprehensive RTOS BSP is available. LynxSecure is not an RTOS and it relies on fine-grain privileged operating systems to use the software stack selected by our customers for each purpose.

    Customers using LynxSecure have created upgrade mechanisms which are platform or SoC specific solutions customized to their needs.

  • Does LYNX MOSA.ic support cache partitioning?

    Yes, our hypervisor, LynxSecure (the foundation of LYNX MOSA.ic) does support hardware cache partitioning on Intel architecture. We use the Intel RDT (resource director technology) CAT (cache allocation technology) feature to split the last level cache. Each CPU core or individual VCPU (CPU timeslice, ie VM) can be assigned a cache capacity bitmask to split the cache with the granularity supported by the hardware. Software cache-coloring is not supported today.

    Read blog post: Multicore Cache Allocation Technology (CAT) Demo

  • Do Network services in LYNX MOSA.ic directly contribute to protect the device from network attacks?

    The LYNX MOSA.ic framework and architecture allows customers to deploy their favored network protection solution within the guest OS that they prefer and have consequently assigned with the necessary hardware privileges and security policies. Lynx has not invested to incorporate these capabilities within LynxOS-178 as we feel there are more fully featured solutions available at lower cost. On Intel platforms, the Virtual Device Server (VDS), a privilege-restricted Linux guest OS, provides an ideal location where additional network or packet inspection services could be easily added on behalf of the full system.

  • What is meant by "independent application modules?"

    LYNX MOSA.ic is described as "a software framework for building and integrating complex multi-core safety- or security-critical systems using independent application modules." What, then, are "independent application modules?" 

    Independent application modules are isolated, static virtual machine environments (and their guests) created by the separation kernel which enable system architects to simplify their system designs by better managing software complexity inheritance. Certain applications may only require simpler bare-metal environments. Others may require more complex Linux environments. Application environments can be (1) bare-metal; (2) RTOS, Windows, or other 3rd-Party OS; (3) Linux. They are governed by an information flow policy that ensures system security and they cannot be dynamically altered during runtime.  

  • Can application modules be combined with different levels of criticality, where every application can be certified independently from the others?

    Yes. LynxSecure is a Separation Kernel that sets up and locks-down device partitioning at boot, prior to the start of guest OS. All security policies, hardware partitioning, and inter-guest memory access privileges are defined according to the engineer’s needs, with few design impositions due to the hypervisor. This allows builders to fine-tune the levels of complexity and safety- or security-criticality for each application module and to certify each module—and only the module(s) that require certification—independently.

  • How is the Architecture Configuration Policy set up? Is that setup contained within the system or is it external?

    The Architecture Configuration Policy is setup on the host PC using a modeling language, and compiled on the host into a bootable binary. That binary is self-contained and configures the target resources as described in your model immediately on power-on. The privileged code that does that is eliminated after the job is done, leaving the system secure.


  • Does LynxSecure have any features for reporting security risks?

    Firstly, LynxSecure runs Initial built in test (IBIT) and continuous built in test (CBIT) to validate the crucial hardware registers that control the partitioning of the system remain valid. By design it should be impossible to programmatically change these, so CBIT is intended for things like single-event upset (SEU), ie cosmic rays, but it also protects against a hardware faults or weakness (like rowhammer). Secondly, LynxSecure has an audit log. Guest VMs can be granted privilege to access the audit log and to receive an interrupt when events are stored. There are about 60 audit events. The events can be filtered and actions defined should you wish to halt or reset a VM that generates event X.

  • Does LynxSecure secure the storage of system secrets with any encryption system or similar?

    On x86 there is a module—a bare-metal virtual machine (VM)—called LSAstore that intercepts a block device (disk or partition) and provides transparent encrypted disk storage. But otherwise this is not a standalone feature because this can be trivially done with a bare-metal VM.

    There is a LynxSecure demo where a VM is given access to an encrypted storage area and a Yubikey USB digital key to unlock it and provide secure access to control a robot via IPC (FIFO). Shmem or virtNet IPC is also supported.

  • Does LynxSecure contain any certified cryptographic libraries?

    On x86 there is a module—a bare-metal virtual machine (VM)—called LSAstore that intercepts a block device (disk or partition) and provides transparent encrypted disk storage. LSAstore uses the OpenSSL FIPS object module. 

    But, in general, LynxSecure does NOT contain any certified cryptographic libraries. It is deliberately minimal (no console, no create-VM APIs, no login).

  • How intensive is it to have the NIST certification artifacts updated around a given piece of hardware?

    Our NIST security artifacts are for LynxSecure on x86. Our business model is that a block of services comes with the artifacts to train users how to tweak them for additional hardware. This task is expected to be easy enough to do within the block-of-time for all but really unusual devices. It would be more work for Lynx to update the NIST package for Arm, possibly a few months of work. But, we are looking for an excuse to do that work, and would be delighted to undertake it should you be interested in NIST security artifacts for LynxSecure on Arm.

  • How secure is the LynxSecure executable?

    Four examples help to illustrate security aspects of the executable:

    1. There is no means to load any application or modify the LynxSecure executable
    2. Guests cannot access LynxSecure memory
    3. LynxSecure cannot access guest memory
    4. No shared kernel memory exists between guests and LynxSecure
  • What is the LynxSecure hypervisor PCI BAR sharing feature?

    PCI Base Address Register sharing is a feature where the LynxSecure hypervisor can create a special shared memory region to share portions of a PCI device’s address range. It can be used to share the HWTimeStamp registers of a PTP NIC, or the framebuffer of a graphics card for example. This allows other VMs to share the accurate hardware timer in a simple and efficient way. The VGA usecase allows a physical graphics card to be shared so that multiple VMs can have their own (reduced size) framebuffer and share the screen. Of simultaneous shared access to the screen is useless, the way this works is that LynxSecure provides a mechanism to switch which the screen between each VMs framebuffer.

    For e.g. on an Intel x557 NIC, these 3 registers are shared in read only mode:

    Tx Time Sync Control Register - TSYNCTXCTL (0x00008C00)

    Tx Timestamp Value Low - TXSTMPL (0x00008C04)

    Tx Timestamp Value High - TXSTMPH (0x00008C08)

    PCI BAR sharing is done with the memregion autoconfig command. This example shares address 8000 of the PCI device NET0.IOMEM0 as a 0x1000 long memory region called NET0.TIMESYSNCREGS.

    autoconfig mksrp $TARGET \



    The hwtimestamp registers are only available to the NIC PF (NET0), which is owned by the vds0 VM. The other VM, fv0, must use PCI BAR sharing to access the hwtimestamp because it is only assigned a virtual function (it has virtual function 1 of NET0, shown as NET0#1 in LynxSecure syntax).

  • Are guest-to-guest communications secure for a LynxSecure based system?


    • Resources and security policies are defined at boot
    • User-space and zero copy memory ensures security-policy enforced guest-to-guest communication
    • Data does not pass through LynxSecure
    • Communications are Peer-to-Peer
  • Does Lynx have a patent portfolio?

    Indeed we do. We have a strong patent portfolio centered around four primary themes, namely;

    1. Anomaly Detection; Identifying behavioral access patterns inconsistent with regular system operation to detect anomalies and ensure functional correctness of applications
    2. Fault Isolation; Providing hard partitioning to prevent cascading faults from affecting system safety
    3. Fault Tolerance; Providing seamless recovery from system faults to ensure always-on operation
    4. Secure Display Isolation; Isolating applications to only accept connections coming from those authenticated as members of same isolated domain
  • Does LYNX MOSA.ic support formally modeled systems?

    We are familiar with and have supported customers that have used design tools like Simulink and SCADE to formally model systems. Architectural details that transcend functionality such as spatial, relational, and timing requirements of system subjects and objects will natively plug into the configuration interface of LynxSecure.

  • Can you share some high level details about certification for LynxSecure?

    LynxSecure is developed and maintained in San Jose, California in accordance with FAA DO-178 Safety Quality Standards and United States DoD Risk Management Framework guidelines.  LynxSecure is certified, fielded and maintained on classified DoD networks. The product has undergone many security assessments including penetration testing and design review by independent government security authorities.

  • In many designs, partitioning alone is insufficient to achieve a secure system. What can LynxSecure offer?

    Commonly, critical security function—such as a crypto algorithm, or data filter—and a unique information flow configuration must be established and protected to achieve a secure system. Critical functions can be placed in guests that leverage services of the separation kernel or independent trusted guests to monitor the work, liveliness, or integrity of the critical function. LynxSecure provides the following reference monitor features;

    • Audit Event Manager; The kernel contains a runtime state transition manager that can change the execution behavior of the system when a policy exception event occurs. Policy exceptions can come from guest generated hypercall events and hardware generated events – E.g. MMU/IOMMU exceptions. All events are recorded in an audit buffer.
    • Watchdog; Guests can be configured to strobe a virtual watchdog timer that the separation kernel will monitor. If a guest fails to strobe the watchdog in the permitted window of time the separation kernel will trigger a policy exception event.
    • Signal; Guests can use the kernel to trigger hardware events to other guests to wake up interrupt handlers.
    • Message; Guests can use the kernel to send a 64 byte message to another guest in a single direction. Guests must be configured in the mandatory access control policy to have access to the messaging capability and must specifically declare which guest it is permitted to message.
  • Can you provide an example of working with hardware security functionality provided by a semiconductor partner?

    Lynx developed Xilinx FPGA assisted boot and credential protection prototypes to serve as exemplar of fundamental boot and system initialization security design elements. Using the Xilinx SDK, Lynx integrated two security capabilities:

    • Using the Xilinx bootgen utilities (pat of SDK), the LynxSecure image was processed to create a signature of Separation Kernel and guest images. This signature is used by the Xilinx MPSoC boot process to ensure the system image has not been subverted. It can only execute on a specific hardware target
    • In addition to basic boot image and guest image integrity and authenticity protection, an additional capability allows guests to use the Xilinx encryption engine to protect keys used by guest applications
  • Why is the MOSA.ic for Industrial product only available for the x86 architecture today?

    Many of the initial customers who expressed a desire to evaluate this product, have use cases in factory environments running applications on legacy versions of Windows. Obviously this OS only runs on x86 platforms. Over time, we absolutely plan to support other processor architectures such as Armv8.

  • What is the reference platform for LYNX MOSA.ic for Industrial?

    The current version of LYNX MOSA.ic for Industrial supports two Intel®-based platforms. The first is a Dell EPC 5000. The specific variant is a Fanless ruggedized version featuring a 4 core, 8 thread Core i7 processor from Intel, 16GB Memory a 512GB SSD and 2 NIC cards. Also supported is the EXOR eCC3800 series, also a the fanless PC, featuring Intel Core i7 processor.

  • What else can you share regarding security aspects of LynxSecure?

    In addition to cert documents and workflows that we are happy to provide upon request (and in addition to offering NIST 800-53 security artifacts), LynxSecure offers other specific security features:

    1. An autoconfig option for the kernel and / or VMs, for Indirect Branch Restricted Speculation (IBRS) mitigation, that is, against Spectre variant 2.
    2. An autoconfig option for the kernel and / or VMs, to prevent Foreshadow, also known as L1 Terminal Fault (L1TF).
    3. A high performance IRQ (interrupt) based audit system where the instant a VM attempts to access unauthorized memory or objects, it is frozen by LynxSecure and an IRQ generated into a privileged VM that can view a log and decide what action to take.
    4. A hypervisor Module feature that allows binary modules to be added to the hypervisor at build time to add new hypercalls, callable by privileged VMs, to extend it for things like additional health monitoring, and custom firmware calls (like re-program FPGA).
    5. Memory sanitization. GOS memory is cleared before and after every guest restart. Extendable to sanitize user-resources as well.
    6. Random number generator disable. VM access to the CPU’s built in Random number generator can be disabled to prevent it being used as a covert information channel.
  • Describe the LynxSecure secure boot solution?

    LynxSecure relies on an external bootloader, and that is where secure boot begins.  Lynx does provide components from which a secure boot system can be built. Setting up secure boot is target specific. For example, we have a how-to for x86 that describes how to digitally sign your LynxSecure SRP binary and add keys to the BIOS to enable secure boot.

    Following the signed SRP, secure boot can be continued using the LynxSecure segmented boot feature. Additional details regarding this feature can be shared upon request. 

  • PTP (Precision Time Protocol, aka IEEE1588) shares time across the network, how can time be shared between VMs, does SR-IOV help?

    SR-IOV VF (virtual functions) do not support PTP. That is, the hwtimestamp capability, which is how PTP and 1588 work, is only available in the NIC’s PF (physical function).

    IEEE 1588 (PTP) lets you synchronise clocks over a LAN. It is important to have a single master clock per network node (PC or target SoC). The standard operation of PTP is that it continuously disciplines (adjusts) slave clocks to keep them accurate with the master. Once a node (SoC) is disciplined, then you want to share that accurate clock with all the LynxSecure VMs running on it. This is where PCI BAR Sharing comes in. It is a LynxSecure feature that allows windows in the PCI Register Address range to be shared by multiple VMs. It does exactly what is required, it directly shares the PTP HW Clock registers with other VMs within a single target.

    Lynx’s intention is to eventually have PTP support in LynxOS-178 guests running on top of LynxSecure. This is not available yet, but it means:

    Extend the LynxOS-178 network stack to support PTP. This will allow it to be a PTP master (provide time) or PTP slave (receive time). At the moment a Linux guest can be used to import PTP time onto the SoC. Once the SoC has an accurate PTP clock, PCI BAR sharing is used to give other VMs access the timer registers. On LynxOS-178 the memmap driver is used to map them into user space, then the adjtime() API is called to synchronise the local VMs time.

  • How does shared memory IPC (inter process communication) work between LYNX MOSA.ic guest operating systems?

    Shared memory is a standard feature of LynxSecure. Memory windows of configurable size, writability, cache ability etc, can be defined and shared between multiple VMs. Accessing shared memory regions the VMs is done:

    1. In Linux we provide a driver that maps memregions as a device node into /dev/lsk/memregion.

    2. In bare metal applications we provide macros that assist querying the RO (read only) page so your code can discover shared memory regions.

    3. In LynxOS-178 the memmap driver is used to map the memory into userspace.

  • Can FreeRTOS really offer the same RTOS determinism that LynxOS has?

    LynxOS and indeed LynxOS-178 are perfectly valid solutions. We have customers using it today for industrial applications including medical imaging equipment. FreeRTOS is the most widely used real-time operating system in the embedded industry. With an increasing amount of those systems becoming connected to the cloud, Lynx felt It was prudent to attach itself to the software ecosystems that are delivering this functionality. This is FreeRTOS (Amazon) and AzureRTOS (Microsoft). Since Lynx is a relatively new player in the industrial market, the pragmatic approach is to

    • Show how companies can reuse their existing code bases around FreeRTOS
    • Articulate a relatively quick an straightforward path to IEC61508 certification via Wittenstein that does this around FreeRTOS
    • Ride on coattails of cloud companies offering up container frameworks, cloud connectivity etc rather than us doing it ourselves on our RTOS