Theatre

Practical SBOM Management with Zephyr and SPDX

Watch Now

34:35

EOC 2024

Login to Watch

Benjamin Cabé

Benjamin Cabé is a technology enthusiast with a passion for empowering developers to build innovative solutions. He has over 15 years of experience leading developer engagement initiatives with some of the top communities and companies in the IoT, embedded, and AI. He has invented an award-winning open source and open hardware artificial nose that he likes to use as an educational platform for people interested in diving into the world of embedded development. He is currently a Developer Advocate for the Zephyr Project at the Linux Foundation and lives in Toulouse, France, where he enjoys baking sourdough bread with the help of his artificial nose.

View full profile

Theatre

Practical SBOM Management with Zephyr and SPDX

Benjamin Cabé

34:35 EOC 2024

Benjamin Cabé

34:35

Writing secure embedded software is a challenging task. What's more, what might be considered secure today may not be secure tomorrow. A Zephyr application is composed of many components, from the Zephyr kernel, to device drivers, to vendor HALs, to application code, and it can be difficult to exactly identify the components you're depending on to be able to assess whether you're vulnerable to a particular CVE or not.

This talk will show you in very practical terms how to leverage state of the art standards and tools to precisely identify the "manifest" (a.k.a. Software Bill of Materials, SBOM) of your Zephyr application, and how to use that information to assess your security posture and to respond to security incidents.

We will demo a variety of tools that you may want to add to your development workflow to generate Zephyr SBOMs, visualize the information they contain, check them against known vulnerabilities, and more.

1 / 4

Please log in or create an account to test your knowledge and see the answers.

What is the primary practical benefit of maintaining an SBOM for a Zephyr-based embedded product, as emphasized in the talk?

A It lets you determine whether specific disclosed vulnerabilities actually affect your shipped products and which subset of devices are impacted.

B It replaces the need to maintain a hardware BOM for physical components.

C It guarantees your product will be free of future vulnerabilities.

D It eliminates the need to track open-source licenses in your codebase.

E It automatically improves runtime performance of the device.

According to the presentation, which sequence best describes the recommended Zephyr workflow to generate an SPDX SBOM for your application?

A Run spdx-init to prepare the build folder so CMake captures metadata, build again with special flags to capture more metadata, then use West and Python scripts to produce the SBOM (three files).

B Just run CMake once and it will automatically produce a complete SPDX SBOM by default without extra steps.

C Manually write an SPDX file listing source files and licenses; Zephyr build tools are not involved.

D Use only cve-bin-tool to scan the source and generate the SPDX SBOM.

E Rely solely on the GitHub dependency graph to create an SPDX SBOM for Zephyr applications.

Why does the speaker recommend including toolchain and build metadata (compilers, flags, etc.) in an SBOM for embedded builds?

A Because compiler flags directly reduce binary size at runtime and the SBOM enforces those optimizations.

B Because build tools and compiler settings affect the final image, and recording them helps with reproducibility, license and vulnerability analysis.

C Because build metadata allows you to obfuscate proprietary code so others cannot inspect it.

D Because only binaries matter for security, so toolchain details can be omitted without consequence.

E Because capturing toolchain data is only useful for legal teams and has no technical benefit.

After generating an SPDX SBOM for a Zephyr application, what practical next step does Benjamin recommend to make the SBOM useful for security and compliance?

A Immediately publish the raw SPDX file to customers without validating its contents.

B Manually compare every source file by hand to public CVE reports (no tooling).

C Run SBOM quality and completeness checks and scan against vulnerability databases using tools like the NTIA checker, SBOM QS, and cve-bin-tool.

D Delete the SBOM and rely on memory and developer notes for traceability.

E Only trust the GitHub dependency graph and avoid other SBOM quality checks.

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
code	surround text with `backticks`
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

Bartlomiej

Score: 0 | 2 years ago | 3 replies

Do you plan to add the ability to generate SBOM to the west twister command?

kartbenSpeaker

Score: 0 | 2 years ago | 1 reply

Hi!
Twisted is used to run unit tests, so could you elaborate on what you exactly mean as I am not sure I understand the question :) Cheers!

Bartlomiej

Score: 0 | 2 years ago | no reply

You can also build projects with Twister. In the *.yaml file, you can indicate that twister should create several binary files based on the configuration indicated there (additional kconfigs, additional shelids, various programming libraries, etc.). Therefore, it would be easier if twister could have the option to generate SBOM files. It is easier to integrate it on CI where we require that an SBOM be generated for each binary in my company. I may have mixed something up.

Bartlomiej

Score: 0 | 2 years ago | no reply

This post has been deleted by the author

Bartlomiej

Score: 0 | 2 years ago | no reply

This post has been deleted by the author

Partners & Sponsors

STMicroelectronics

Memfault

NXP

Micro Digital, Inc.

MySQL

Become a Sponsor