Move car safety modes to opendbc

.github/workflows/test.yaml

@@ -70,24 +70,6 @@ jobs:
       - name: Test communication protocols
         run: $RUN "cd tests/usbprotocol && ./test.sh"
 
-  safety:
-    name: safety
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        flags: ['', '--ubsan']
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v2
-      - name: Build Docker image
-        run: eval "$BUILD"
-      - name: Run safety tests
-        timeout-minutes: 5
-        run: |
-          ${{ env.RUN }} "scons -c -j$(nproc) && \
-                          scons -j$(nproc) ${{ matrix.flags }} && \
-                          tests/safety/test.sh"
-
   misra_linter:
     name: MISRA C:2012 Linter
     runs-on: ubuntu-latest
@@ -116,20 +98,6 @@ jobs:
         timeout-minutes: 5
         run: ${{ env.RUN }} "cd tests/misra && pytest -n8 test_mutation.py"
 
-  mutation:
-    name: Mutation tests
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v2
-        with:
-          fetch-depth: 0 # need master to get diff
-      - name: Build Docker image
-        run: eval "$BUILD"
-      - name: Mutation tests
-        timeout-minutes: 5
-        run: ${{ env.RUN }} "GIT_REF=${{ github.event_name == 'push' && github.ref == 'refs/heads/master' && github.event.before || 'origin/master' }} cd tests/safety && ./mutation.sh"
-
   static_analysis:
     name: static analysis
     runs-on: ubuntu-latest

Dockerfile

@@ -37,7 +37,7 @@ RUN pip3 install --break-system-packages --no-cache-dir $PYTHONPATH/panda/[dev]
 
 # TODO: this should be a "pip install" or not even in this repo at all
 RUN git config --global --add safe.directory $PYTHONPATH/panda
-ENV OPENDBC_REF="87a51e38b53d91075419f01b4cd2e625ee7d4516"
+ENV OPENDBC_REF="39e10a045a4a5411a64de791ae463461f8a5f37b"
 RUN cd /tmp/ && \
     git clone --depth 1 https://github.com/commaai/opendbc opendbc_repo && \
     cd opendbc_repo && git fetch origin $OPENDBC_REF && git checkout FETCH_HEAD && rm -rf .git/ && \

README.md

@@ -17,9 +17,7 @@ panda speaks CAN and CAN FD, and it runs on [STM32F413](https://www.st.com/resou
 
 ## Safety Model
 
-When a panda powers up, by default it's in `SAFETY_SILENT` mode. While in `SAFETY_SILENT` mode, the CAN buses are forced to be silent. In order to send messages, you have to select a safety mode. Some of safety modes (for example `SAFETY_ALLOUTPUT`) are disabled in release firmwares. In order to use them, compile and flash your own build.
-
-Safety modes optionally support `controls_allowed`, which allows or blocks a subset of messages based on a customizable state in the board.
+panda is compiled with safety firmware provided by [opendbc](https://github.com/commaai/opendbc). See details about the car safety models, safety testing, and code rigor in that repository.
 
 ## Code Rigor
 
@@ -30,7 +28,7 @@ These are the [CI regression tests](https://github.com/commaai/panda/actions) we
 * A generic static code analysis is performed by [cppcheck](https://github.com/danmar/cppcheck/).
 * In addition, [cppcheck](https://github.com/danmar/cppcheck/) has a specific addon to check for [MISRA C:2012](https://misra.org.uk/) violations. See [current coverage](https://github.com/commaai/panda/blob/master/tests/misra/coverage_table).
 * Compiler options are relatively strict: the flags `-Wall -Wextra -Wstrict-prototypes -Werror` are enforced.
-* The [safety logic](https://github.com/commaai/panda/tree/master/board/safety) is tested and verified by [unit tests](https://github.com/commaai/panda/tree/master/tests/safety) for each supported car variant.
+* The [safety logic](https://github.com/commaai/panda/tree/master/opendbc/safety) is tested and verified by [unit tests](https://github.com/commaai/panda/tree/master/opendbc/safety/tests) for each supported car variant.
 to ensure that the behavior remains unchanged.
 * A hardware-in-the-loop test verifies panda's functionalities on all active panda variants, including:
   * additional safety model checks
@@ -40,7 +38,6 @@ to ensure that the behavior remains unchanged.
 
 The above tests are themselves tested by:
 * a [mutation test](tests/misra/test_mutation.py) on the MISRA coverage
-* 100% line coverage enforced on the safety unit tests
 
 In addition, we run the [ruff linter](https://github.com/astral-sh/ruff) and [mypy](https://mypy-lang.org/) on panda's Python library.
 

SConscript

@@ -84,6 +84,7 @@ def build_project(project_name, project, extra_flags):
     '..',
     panda_root,
     f"{panda_root}/board/",
+    f"{panda_root}/../opendbc/safety/",
   ]
 
   env = Environment(
@@ -188,4 +189,3 @@ SConscript('board/jungle/SConscript')
 # test files
 if GetOption('extras'):
   SConscript('tests/libpanda/SConscript')
-  SConscript('tests/libsafety/SConscript')

board/jungle/main.c

@@ -1,7 +1,7 @@
 // ********************* Includes *********************
 #include "board/config.h"
 
-#include "board/safety.h"
+#include "safety.h"
 
 #include "board/drivers/pwm.h"
 #include "board/drivers/usb.h"