• Maintained by Fraunhofer AISEC, GyroidOS is an open-source, multi-arch OS-level virtualization solution designed for embedded devices with hardware security features, and aiming to support security certification processes such as Common Criteria (ISO/IEC 15408), DIN SPEC 27070 (IDS Trust Security profile), and the IEC 62443 cybersecurity standards.
• The virtualization layer is based on Linux-specific features like namespaces, cgroups, and capabilities to provide isolation of different guest operating system stacks on top of a single, shared Linux kernel.
• It offers a much smaller footprint and additional separation of privileged instances compared to other container solutions, such as Docker.
• GyroidOS security features:
- Container isolation based on a modularized OS-level virtualization layer
- Secure boot (e.g., UEFI on x86)
- Kernel module signing
- Signed GuestOSes (containers)
- Measured boot and remote attestation
- Full disk encryption coupled to the TPM and secure boot
- Restriction of the superuser in containers with Linux capabilities
- Fine-grained device access with device cgroup whitelists
- Secure Element support for two-factor authentication, for instance when starting containers (work in progress)
- Relocation of cryptographic keys and ciphers into TEEs (e.g., Kernel Crypto API)
The main benefits of GyroidOS are that it is a fully open-source, portable software stack, implements an experimental converter for Docker containers, offers flexible remote management, and features PKI support for software signing and device identity.
• The two main use cases are application separation (similar to Docker) and IoT edge devices relying on a minimal version with just a kernel and a small ramdisk as the virtualization layer.
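The "restriction of the superuser with Linux capabilities" item is only as good as the bounding set a container actually ends up with, so the practical check is to read the Cap* masks from /proc/<pid>/status inside the guest and see which capabilities survive. The following decoder is an added example written for this page; it is not GyroidOS code, the sample status excerpt is constructed, and the RISKY shortlist is this author's reviewer heuristic rather than any GyroidOS policy.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag the ones
that let a container's root reach the host.

Added example, not part of GyroidOS. Capability numbering follows
include/uapi/linux/capability.h (41 capabilities as of Linux 5.9+).
"""
import re

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Assumption: a reviewer's shortlist of capabilities that undermine
# container isolation (kernel modules, raw devices, mounts, ptrace, eBPF...).
RISKY = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "sys_boot",
    "sys_time", "mknod", "net_admin", "dac_read_search", "bpf", "perfmon",
    "syslog", "mac_admin", "mac_override",
}


def decode_caps(mask_hex):
    """Turn a hex capability mask (as printed by the kernel) into names."""
    mask = int(mask_hex, 16)
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits the table does not know are reported by number.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def parse_status(text):
    """Extract the CapInh/CapPrm/CapEff/CapBnd/CapAmb lines from a status dump."""
    sets = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    for m in re.finditer(pattern, text, re.M):
        sets[m.group(1)] = m.group(2)
    return sets


def audit(text):
    """Report the bounding and effective sets plus the risky survivors.

    The bounding set is what matters for a container: no exec can ever
    regain a capability that is missing from it."""
    sets = parse_status(text)
    bounding = decode_caps(sets.get("CapBnd", "0"))
    effective = decode_caps(sets.get("CapEff", "0"))
    return {
        "bounding": bounding,
        "effective": effective,
        "risky": sorted(RISKY.intersection(bounding)),
    }


def audit_self():
    """Run the check on the calling process (do this inside the guest)."""
    with open("/proc/self/status") as f:
        return audit(f.read())


# Constructed sample: a root shell whose bounding set mirrors a typical
# default container profile (14 capabilities, mask 0xa80425fb).
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    report = audit(SAMPLE_STATUS)
    print("bounding set:", ", ".join(report["bounding"]))
    print("risky capabilities still present:", report["risky"] or "none")
```

Run it as root inside a container with `audit_self()`; an empty "risky" list is the outcome the feature list above promises, and anything like sys_admin or sys_module in the bounding set means the container's root is effectively host root.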
• The virtualization solution works on the following targets:
- x86 32/64-bit using UEFI Secure Boot, or QEMU with TianoCore (simulated UEFI Secure Boot and sTPM, a software TPM)
- ARM64: Raspberry Pi 4 and 5 with RPi Secure Boot; Raspberry Pi 3 with U-Boot Verified Boot; TQ-Systems TQMa8MPxL with U-Boot
Article Summaries:
- Fraunhofer AISEC’s GyroidOS is an open‑source, OS‑level virtualization platform aimed at securing embedded devices and simplifying compliance with standards such as Common Criteria, DIN SPEC 27070, and IEC‑62443. Built on Linux namespaces, cgroups, and capabilities, it isolates guest OS stacks on a single kernel, offering a smaller footprint than Docker and stronger privilege separation. Key features include secure boot, kernel module signing, signed containers, measured boot, TPM‑backed disk encryption, fine‑grained device access, and support for two‑factor authentication via secure elements. GyroidOS targets x86, ARM, Raspberry Pi, and RISC‑V platforms, and serves as the reference implementation for the Trusted Connector in the International Data Space.
Sources:
- https://www.cnx-software.com/2026/02/24/gyroidos-virtualization-solution-aims-to-secure-embedded-devices-ease-cybersecurity-certification/ (Latest source article published: 2026-02-24 00:00 UTC)