Safety & Security Certifications
PikeOS is designed from the ground up to meet the most stringent industry standards for functional Safety. It supports certification up to SIL 4 (Railway), DAL A (Avionics), ASIL D (Automotive), and ECSS Cat. A (Space) on the same platform. This makes it the premier choice for complex systems requiring multi-standard compliance. PikeOS 5.1 is therefore certified to Common Criteria EAL 5+ or the Airbus SAR SAL.
Certification Kits (Documentation & Artifacts)
SYSGO provides comprehensive Certification Kits that include all necessary documentation, test plans, and evidence for regulatory authorities. These kits drastically reduce the time and cost associated with certifying a final product. They leverage SYSGO’s decades of experience in navigating the most demanding certification processes.
Common Criteria EAL 5+ Security Certification
As a world leader in secure virtualization, PikeOS Version 5.1 is certified according to Common Criteria EAL 5+ for its separation kernel. This high-level Security assurance verifies that the kernel's isolation mechanisms are architecturally sound and resistant to sophisticated attacks. It provides a trusted foundation for systems handling sensitive data or connected to external networks.
Deterministic Separation Kernel for Mixed-Criticality Workloads
The core of PikeOS is a high-performance, hard real-time separation kernel. It strictly enforces spatial and temporal partitioning through a MILS (Multiple Independent Levels of Security) architecture, ensuring that applications of varying criticality levels coexist without cross-interference. This provides guaranteed resource availability, bounded interrupt latencies, and predictable Worst-Case Execution Times (WCET), which are essential for the most demanding mission-critical systems.
Strict Time & Space Partitioning (Robust Isolation)
PikeOS ensures that applications are strictly isolated through hardware-supported memory protection and deterministic time-slice scheduling. A failure or malicious exploit in one partition cannot impact the performance or integrity of others. This robust partitioning is the key to hosting mixed-criticality workloads on a single SoC.
MILS Architecture (Multiple Independent Levels of Security)
The PikeOS architecture strictly adheres to the MILS concept, enabling the coexistence of components with different Security levels on a single processor. It enforces a "Security by Design" approach by controlling the information flow between partitions. This simplifies the development of secure gateways and cross-domain solutions.
Secure Boot & Hardware Root of Trust
To ensure system integrity from the first instruction, PikeOS integrates with hardware-based Security features like Secure Boot. It establishes a chain of trust by verifying signatures of the bootloader, kernel, and partition images. This prevents the execution of unauthorized or tampered software during the power-on sequence.
Trusted Platform Module (TPM) & Hardware Security Module (HSM)
PikeOS leverages hardware Security modules like TPMs to provide secure key storage and platform attestation. It can use these modules to perform cryptographic operations in a hardware-isolated environment. This is essential for meeting modern Cybersecurity requirements in automotive and industrial sectors.
Health Monitoring & Error Management Framework
Built-in health monitoring functions detect and handle system anomalies, such as memory violations or deadline misses, in real-time. The framework allows for configurable recovery strategies, such as restarting a single partition without affecting the rest of the system. This significantly enhances the overall availability and fault tolerance of the device.
Preemptive Real-Time Scheduling
Each partition runs its own preemptive priority scheduler with deterministic latency guarantees. Critical tasks receive timely CPU access even under load, ensuring bounded response times essential for mixed-criticality workloads.
Type 1 Hypervisor for Hardware Consolidation
By executing directly on the silicon with maximum CPU privilege, PikeOS eliminates the overhead and attack surfaces associated with a host operating system. This bare-metal architecture provides a secure abstraction layer that enables the concurrent execution of heterogeneous guest operating systems—ranging from general-purpose OSs like Linux and Android to specialized RTOSs—while maintaining near-native performance through hardware-assisted isolation and direct resource mapping.
Hardware Virtualization
PikeOS uses the hardware virtualization extensions of ARM and x86 CPUs to isolate guest partitions efficiently with minimal performance overhead. By leveraging hypervisor-aware CPU features, PikeOS can run multiple virtual machines or containers side-by-side with native applications, each with its own memory space and execution context—all within a single physical system while maintaining strict Security boundaries between workloads.
Multi-Core Support (SMP & AMP Multiprocessing)
PikeOS provides advanced multi-core capabilities, supporting both Symmetric (SMP) and Asymmetric (AMP) multiprocessing. It includes mechanisms to mitigate cross-core interference, such as cache coloring and memory bandwidth monitoring. This ensures that real-time performance is maintained even as system complexity scales across multiple CPU cores.
Multiple Guest OS Support
PikeOS offers an industry-leading range of "Personalities" to run diverse guest operating systems concurrently. It supports our own ELinOS, as well as Linux, Android, Windows, certified POSIX, and specialized Avionics or Automotive standards like ARINC 653 and AUTOSAR. This allows developers to reuse legacy code and open-source libraries alongside Safety-critical tasks.
Cache Coloring
PikeOS supports cache coloring techniques that enable precise control over memory allocation to optimize cache performance across multiple partitions or virtual machines running on the same physical system. By assigning specific memory regions to predefined color classes that map to distinct cache sets, PikeOS reduces inter-partition cache pollution and contention—allowing workloads to share physical resources efficiently while maintaining predictable performance characteristics critical for real-time or Safety-critical applications.
Fine-Grained Locking
PikeOS implements fine-grained locking mechanisms that minimize contention and maximize system throughput by allowing multiple threads to access different resources concurrently without blocking each other unnecessarily. By using specialized synchronization primitives such as mutexes, semaphores, and spinlocks at a granular level, PikeOS enables high-performance parallel execution across partitions and threads—critical for real-time applications where latency spikes from coarse-grained locks could compromise determinism or Safety requirements.
Inter-Core Communication
PikeOS enables efficient data exchange between partitions using queuing ports and named pipes. These lightweight IPC (Inter-Process Communication) mechanisms ensure deterministic latency and prevent cross-partition interference even on multi-core platforms.
Intrusion Detection & Integrated Firewalls for Guest Partitions
Network traffic between partitions and external interfaces can be monitored and filtered using integrated Security components. PikeOS allows for the implementation of partition-specific firewalls to block unauthorized communication attempts. This adds an extra layer of defense-in-depth to virtualized environments.
wolfSSL & CycurHSM: Integrated Security & Crypto Libraries
Through partnerships with leading security providers, PikeOS offers pre-integrated libraries for encryption, TLS, and HSM management. These libraries are optimized for embedded use and support hardware acceleration where available. They enable secure end-to-end communication and protected storage of cryptographic keys.
Certified Network Stacks (TCP/IP, UDP, AFDX, ARINC 664)
PikeOS includes certifiable communication stacks tailored for both industrial and aerospace requirements. These stacks are designed for high reliability and can be integrated into Safety-critical certification paths. They provide the necessary connectivity for modern IoT and Avionics systems without sacrificing determinism.
Certified IP Networking (CIP)
CIP provides a robust UDP/IP networking stack fully compliant with standard RFC specifications, offering a familiar socket interface through both POSIX and PikeOS APIs. Designed for Safety-critical applications, CIP is certifiable within the scope of safety projects—enabling you to deploy secure, standards-based network communication in Aerospace, Industrial, or Automotive systems while meeting stringent certification requirements without compromising performance or reliability.
Certifiable File System (CFS)
PikeOS offers a certifiable file system designed for Safety-critical applications requiring formal verification and integrity guarantees. The CFS ensures data consistency through atomic operations and supports secure boot chains by providing tamper-evident storage for configuration data, certificates, and application images—enabling compliance with Safety standards like DO-178C, ISO 26262, and IEC 61508 without compromising performance or scalability.
Certifiable Math Library (CML)
PikeOS includes a certifiable math library that delivers rigorously validated floating-point and integer arithmetic functions suitable for Safety-critical domains. The CML provides deterministic behavior across different hardware platforms and compiler versions, with comprehensive test coverage and traceability to mathematical standards—allowing developers to implement Safety-critical algorithms in areas such as Aerospace control systems, Medical devices, or Automotive ECUs with confidence in numerical accuracy and reproducibility.
Device Driver Framework
The PikeOS device driver framework exposes a unified File Provider Interface that simplifies driver development across architectures. It also supports shared buffer communication to minimize data copying between drivers and applications.
Property-Based Runtime Configuration
System behavior can be reconfigured at runtime without rebuilding binaries using a property file system. This allows dynamic adjustment of network settings, priorities, and other parameters while preserving isolation guarantees.
Native Graphics & Virtualized GUI Support (GPU Sharing)
The platform provides sophisticated graphics support, allowing multiple partitions to share a single GPU or display controller. Safe graphical backends ensure that critical instruments and non-critical entertainment UIs remain isolated. It supports modern standards like OpenGL and Wayland to enable high-performance user interfaces.
System-wide Debugging & Hardware Trace Support
PikeOS offers advanced debugging tools that can inspect multiple partitions and the kernel simultaneously. It supports non-intrusive hardware tracing to capture timing behavior and system events with microsecond precision. These tools are vital for identifying complex race conditions and optimizing multi-core performance.
Multi-Language Support (C/C++, Ada, Rust)
The platform supports a variety of programming languages to suit different Safety and performance needs. While C and C++ are standard, PikeOS also provides excellent support for Ada and the memory-safe Rust language. This allows teams to use modern development paradigms while maintaining strict Safety compliance.
QEMU-based HW Emulators & Target Simulators
Developers can accelerate their projects by using integrated QEMU emulators to run PikeOS images on host PCs. This allows for software development and testing to begin long before final hardware is available. It supports a wide range of architectures including ARM, x86, PowerPC, and RISC-V.
CODEO: Eclipse-based Integrated Development Environment
CODEO is the unified development cockpit for PikeOS, providing a graphical environment for system configuration, coding, and deployment. It features specialized wizards for partitioning and resource allocation, significantly reducing the complexity of hypervisor setup. The IDE supports the entire lifecycle from initial prototyping to final system analysis.