Arm Mbed Linux OS
Arm Mbed Linux OS (MBL) is a free, open-source IoT operating system based on the embedded Linux Yocto Project. It is designed for Cortex-A devices, which can run multiple, complex applications and perform edge computing. MBL provides the common services these applications rely on, such as access to hardware peripherals, security and connectivity protocols, and access to the Pelion IoT Platform.
Arm Mbed now offers a duo of operating systems to support Cortex-M and Cortex-A microprocessors: Mbed OS and Mbed Linux OS. If you want to quickly test a market with Cortex-A devices and then move to Cortex-M for mass production, we now make that easy.
Because MBL is aimed specifically at IoT devices, it places a major emphasis on platform security. At the core of device security are Trusted Firmware-A (TF-A) and OP-TEE, an open-source trusted execution environment that conforms to the GlobalPlatform TEE specification. Platform Security Architecture (PSA) and other security-related trusted services can run in this framework. MBL also relies on the Linux kernel's isolation mechanisms to protect device integrity and sensitive data: each application runs in its own OCI-compliant container, so a compromised application cannot damage other applications or the device.
You can develop and build applications using a variety of standard tools such as C cross-compilation, Python or Node.js. Applications are then packaged and deployed to MBL in an application container. By using standard tools, you can quickly repurpose existing Linux applications to run on MBL.
Developer preview features
MBL is currently available as a developer preview to selected users. To request access, please contact us.
The preview release provides:
- An OpenEmbedded-based OS distribution, enabling extensibility and support for the latest updates and features.
- Hardware and software-based isolation mechanisms for security:
  - Dedicated hardware within most Cortex-A devices enforces the most secure isolation boundary. This technology, called TrustZone, allows the most sensitive code and data to run within a so-called Secure World. MBL includes a trusted operating system for this Secure World called Open Source Trusted Execution Environment (OP-TEE). OP-TEE is essentially an operating system within an operating system, which is loaded by the Trusted Firmware and would typically be used to protect cryptographic keys and other sensitive data assets.
  - Secure boot methodology based on Linaro's Trusted Firmware-A (TF-A) for both the ARMv7-A and ARMv8-A platforms. Trusted Firmware is a minimal secure bootloader that runs when a Cortex-A microprocessor is executing in TrustZone's "secure world" mode.
  - Open Container Initiative (OCI)-compliant containers for applications, protecting against compromised applications and facilitating a modern development workflow. Based on the runc engine, this Docker-like system allows OEMs to package services or applications as independent container images that run entirely within a sandbox. This provides two benefits. First, if an attacker compromises a single application, it's far harder for the attack to spread beyond the infected container. This helps to reduce the impact of an attack and ensures a device can easily be restored to a secure state. Second, applications can be developed independently of the underlying IoT platform. For example, it's easier for a developer to build and test on their desktop workstation or laptop.
- Developer command-line tools to facilitate discovery, setup and local update of development devices.
- A lightweight, feature-rich connection manager for Ethernet and Wi-Fi connections.
- The integration with Pelion Device Management services offers:
  - Support for the Device Management Client for in-field provisioning and over-the-air device configuration.
  - Device discovery and secure identity in the Device Management device directory, to protect against impersonation or cloning.
  - Large-scale management of device groups.
  - Device management and status monitoring, including notifications of connection status.
  - Access control at the account level.
  - Over-the-air, digitally signed and verified updates for applications and the root file system. MBL uses updates to send new features and security patches to deployed devices, fixing vulnerabilities before they're exploited.
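The container isolation described in the OCI bullet above only holds if each application's OCI runtime config (the `config.json` that runc consumes) actually drops privilege. The following added example, which is not MBL code, audits such a config for the settings that let a compromised application reach past its sandbox and shows a hardened rewrite; the config, the user id and the capability list are constructed for illustration.

```python
import json
# Constructed sample OCI runtime config (shape of `runc spec` output); an illustration, not an MBL config.
WEAK_CONFIG = json.dumps({
    "ociVersion": "1.0.1",
    "process": {
        "user": {"uid": 0, "gid": 0},
        "args": ["/app/sensor-daemon"],
        "capabilities": {"bounding": ["CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"],
                         "effective": ["CAP_SYS_ADMIN", "CAP_NET_BIND_SERVICE"]},
        "noNewPrivileges": False},
    "root": {"path": "rootfs", "readonly": False},
    "linux": {"namespaces": [{"type": "mount"}, {"type": "ipc"}]}})

# Capabilities that reach past the container boundary (host kernel, other
# containers' processes or files); an application container should drop them.
DANGEROUS_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
                  "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}
REQUIRED_NAMESPACES = {"pid", "mount", "ipc", "uts", "network"}

def audit_oci_config(text):
    """Return findings for an OCI config.json; empty means a compromised app stays in its sandbox."""
    cfg = json.loads(text)
    proc, linux = cfg.get("process", {}), cfg.get("linux", {})
    findings = []
    if proc.get("user", {}).get("uid", 0) == 0:
        findings.append("runs as uid 0 inside the container")
    if not proc.get("noNewPrivileges", False):
        findings.append("noNewPrivileges unset: setuid binaries can regain privilege")
    for cap_set, caps in proc.get("capabilities", {}).items():
        bad = sorted(DANGEROUS_CAPS & set(caps))
        if bad:
            findings.append(f"{cap_set} capabilities include {', '.join(bad)}")
    if not cfg.get("root", {}).get("readonly", False):
        findings.append("root filesystem is writable")
    have = {ns.get("type") for ns in linux.get("namespaces", [])}
    if REQUIRED_NAMESPACES - have:
        findings.append("missing namespaces: " + ", ".join(sorted(REQUIRED_NAMESPACES - have)))
    return findings

def harden(text):
    """Rewrite the config so audit_oci_config passes: unprivileged uid, no dangerous caps, read-only rootfs, all namespaces."""
    cfg = json.loads(text)
    proc = cfg.setdefault("process", {})
    proc["user"] = {"uid": 1000, "gid": 1000}
    proc["noNewPrivileges"] = True
    for cap_set, caps in proc.get("capabilities", {}).items():
        proc["capabilities"][cap_set] = [c for c in caps if c not in DANGEROUS_CAPS]
    cfg.setdefault("root", {})["readonly"] = True
    cfg.setdefault("linux", {})["namespaces"] = [{"type": t} for t in sorted(REQUIRED_NAMESPACES)]
    return json.dumps(cfg)
```

A seccomp profile and masked or read-only paths under `linux` are further settings worth checking in the same way; they are omitted here to keep the example short.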
The following diagram illustrates the components and services that MBL provides:
When used in conjunction with Device Management, MBL provides a secure platform for developing, operating and managing IoT applications.
There are two paths to working with MBL:
- If you are a Linux developer interested in contributing to MBL or porting it to a new device:
  - Please build MBL locally so you can test.
  - Use our porting or contributing guides (coming soon).
- If you are an application developer interested in building applications for devices that run MBL:
Both MBL and our test suites will be open source, helping you automate product testing in a modern continuous integration pipeline. For more information, please see the Contributing section in the MBL source.