Maintained by Fraunhofer AISEC, GyroidOS is an open-source, multi-arch OS-level virtualization solution designed for embedded devices with hardware security features. It aims to support security certification processes such as Common Criteria (ISO/IEC 15408), DIN SPEC 27070 – IDS Trust Security profile, and IEC-62443 cybersecurity standards.
The virtualization layer is based on Linux-specific features like namespaces, cgroups, and capabilities to provide isolation of different guest operating system stacks on top of a single, shared Linux kernel. It offers a much smaller footprint and additional separation of privileged instances compared to other container solutions, such as Docker.
- Container isolation based on a modularized OS-level virtualization layer
- Secure boot (e.g., UEFI on x86)
- Kernel module signing
- Signed GuestOSes (containers)
- Measured boot and remote attestation
- Full disk encryption coupled to TPM and secure boot
- Restriction of superuser in containers with Linux capabilities
- Fine-grained device access with device cgroups whitelists
- Secure Element support for two-factor authentication, for instance, when starting containers
- (Work in progress) Relocation of cryptographic keys and ciphers into TEEs (e.g., Kernel Crypto API)
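
The capability restriction listed above can be checked from the host by decoding the `Cap*` masks in `/proc/<pid>/status` of a container's init process. This is an added example, not GyroidOS code; the `HIGH_RISK` policy set and both sample status blocks are constructed for illustration.

```python
import re

# Bit position = capability number in linux/capability.h (0..40).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumed audit policy (not GyroidOS's): capabilities that reach past the container.
HIGH_RISK = {"CAP_" + n for n in ("SYS_ADMIN SYS_MODULE SYS_RAWIO SYS_PTRACE SYS_BOOT "
                                   "SYS_TIME MKNOD NET_ADMIN DAC_READ_SEARCH MAC_ADMIN "
                                   "MAC_OVERRIDE BPF").split()}

def decode_caps(mask):
    """Turn a capability bitmask into names; unknown bits become CAP_<n>."""
    return ["CAP_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Extract the Cap* hex masks from /proc/<pid>/status content."""
    return {m[1]: int(m[2], 16)
            for m in re.finditer(r"^(Cap\w+):[ \t]*([0-9a-fA-F]+)[ \t]*$", text, re.M)}

def audit(text):
    """High-risk capabilities usable now (CapEff) and still obtainable (CapBnd)."""
    caps = parse_status(text)
    return {k: sorted(HIGH_RISK.intersection(decode_caps(caps[k])))
            for k in ("CapEff", "CapBnd")}

# Constructed samples, not captured from a GyroidOS device.
RESTRICTED = """Name:\tinit
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
# Edge case: effective set emptied, but the bounding set was never narrowed.
DROPPED_EFF_ONLY = RESTRICTED.replace("CapEff:\t00000000a80425fb", "CapEff:\t0000000000000000") \
                             .replace("CapBnd:\t00000000a80425fb", "CapBnd:\t000001ffffffffff")

if __name__ == "__main__":
    for name, sample in (("restricted", RESTRICTED), ("eff-only", DROPPED_EFF_ONLY)):
        print(name, audit(sample))
```

An empty `CapEff` with a wide `CapBnd` is not a restricted container: root can get those capabilities back on `execve`, so the bounding set is the mask to audit.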

The main benefits of GyroidOS are that it is a fully open-source, portable software stack, implements an experimental converter functionality for Docker containers, offers flexible remote management, and features PKI support for software signing and device identity. The two main use cases are application separation (similar to Docker) and IoT edge devices relying on a minimal version with just a kernel and a small ramdisk as a virtualization layer.
The virtualization solution works on the following targets:
- x86 32/64-bit using UEFI Secure Boot or QEMU TianoCore (simulated UEFI secure boot and sTPM)
- ARM64
  - Raspberry Pi 4 and 5 with RPi Secure Boot
  - Raspberry Pi 3 with U-Boot Verified Boot
  - TQ-Systems TQMa8MPxL with U-Boot Verified Boot
- ARM32 – Raspberry Pi 2 with U-Boot Verified Boot
- RISC-V 64-bit – BeagleV-Fire with U-Boot Verified Boot

Fraunhofer AISEC appears to have worked on the project since the early 2010s, but the GyroidOS project name only appeared around 2022. I found it through one of the upcoming classes at Embedded World 2026 entitled “Embedded Linux Security Exercised on the Secure Platform GyroidOS”. It will be a 3-hour class covering theory about Linux-kernel mechanisms, supporting methods from hardware and boot loaders, and learning how to use GyroidOS as a baseline for a secure platform with its own services. Despite the many years of development, it doesn’t seem to be widely used, although it provides the reference implementation for the Trusted Connector in the International Data Space (IDS).
More details can be found on the documentation website and a dedicated GitHub account with a build repository, the daemons of the Container Management Layer (CML), the manifests for supported platforms, and the Yocto recipes.

Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.


