GyroidOS Virtualization Solution Secures Embedded Devices, Eases Cybersecurity Certification


Developed by Fraunhofer AISEC, GyroidOS is a multi-arch, open-source OS-level virtualization solution tailored for embedded devices equipped with hardware security features. It is intended to facilitate security certification processes such as Common Criteria (ISO/IEC 15408), DIN SPEC 27070 – IDS Trust Security profile, and the IEC 62443 cybersecurity standards.

The virtualization layer utilizes Linux-specific features like namespaces, cgroups, and capabilities to isolate different guest operating system stacks on a single, shared Linux kernel. It offers a reduced footprint and enhanced separation of privileged instances compared to other container solutions like Docker.

GyroidOS security features include:
– Container isolation via a modularized OS-level virtualization layer
– Secure boot (e.g., UEFI on x86)
– Kernel module signing
– Signed GuestOSes (containers)
– Measured boot and remote attestation
– Full disk encryption linked to TPM and secure boot
– Restriction of superuser in containers using Linux capabilities
– Fine-grained device access with device cgroups whitelists
– Secure Element support for two-factor authentication, e.g., when starting containers
– (In progress) Relocation of cryptographic keys and ciphers into TEEs (e.g., Kernel Crypto API)

The principal advantages of GyroidOS include its open-source, portable software stack, experimental Docker container converter functionality, flexible remote management, and PKI support for software signing and device identity. Its primary applications are in application separation (akin to Docker) and IoT edge devices utilizing a minimal version with only a kernel and small ramdisk as a virtualization layer.

The virtualization solution targets the following:
– x86 32/64-bit with UEFI Secure Boot or QEMU TianoCore (simulated UEFI secure boot and sTPM)
– ARM64
  – Raspberry Pi 4 and 5 with RPi Secure Boot
  – Raspberry Pi 3 with U-Boot Verified Boot
  – TQ-Systems TQMa8MPxL with U-Boot Verified Boot
– ARM32 – Raspberry Pi 2 with U-Boot Verified Boot
– RISC-V 64-bit – BeagleV-Fire with U-Boot Verified Boot

Fraunhofer AISEC seems to have been working on this project since the early 2010s, with GyroidOS under this name appearing around 2022. I discovered it through one of the forthcoming classes at Embedded World 2026 called “Embedded Linux Security Exercised on the Secure Platform GyroidOS.” The 3-hour class will cover the theory of Linux kernel mechanisms, supporting methods from hardware and boot loaders, and the use of GyroidOS as a foundation for a secure platform with its own services. Despite years of development, its usage appears limited, though it is the reference implementation for the Trusted Connector in the International Data Space (IDS).

More information is available on the documentation website and a GitHub account with a build repository, the daemons of the Container Management Layer (CML), manifests for supported platforms, and Yocto recipes.
