Talk

Zephyr's Readiness for CRA

Watch Now

42:23

EOC 2025

Login to Watch

Kate Stewart

Kate Stewart works with the safety, security and license compliance communities to advance the adoption of best practices into embedded open source projects. Kate was one of the founders of SPDX, and is currently the specification coordinator. Since joining The Linux Foundation, she has launched the ELISA and Zephyr Projects, among others, and oversees other embedded projects hosted by the Linux Foundation. With over 30 years of experience in the software industry, she has held a variety of roles and worked as a developer in Canada, Australia, and the US and for the last 20 years has managed software development teams in the US, Canada, UK, India, and China. She received her Master's in computer science from University of Waterloo and Bachelor's of computer science from the University of Manitoba.

View full profile

Talk

Zephyr's Readiness for CRA

Kate Stewart

42:23 EOC 2025

Kate Stewart

42:23

The Cyber Resilience Act (CRA) will be coming into effect in a few short years. The Zephyr project has been working towards making it easier for product makers to comply with the CRA over the last few years, and will continue to work with the community to refine these capabilities as more details become available.

From automatic "Build SBOM" generation to LTS vulnerability fixes, the project has some useful starting points already in place that will help product makers leveraging Zephyr in their solutions.

This talk will discuss what is available, and where some of the gaps will be for product makers to consider.

1 / 5

Please log in or create an account to test your knowledge and see the answers.

According to Kate Stewart, which role best describes Zephyr under the Cyber Resilience Act (CRA)?

A Manufacturer responsible for CE marking and full product liability

B Market surveillance authority overseeing other projects

C Open-source steward that systematically supports the project

D Individual contributor exempt from any CRA obligations

E Certification body that issues compliance certificates

Which Zephyr capability did Kate highlight as helping manufacturers avoid unnecessary field updates by showing whether vulnerable code is actually included in a shipped image?

A Automated build SBOMs that link built objects back to source and show which .o files are in the final image

B A static source-only SBOM that lists all repository files regardless of being built

C A runtime sandbox that blocks vulnerable code execution at boot time

D Manual vendor inventory spreadsheets that list all potential dependencies

E Full source rewrites to remove vulnerable modules before shipping

What did Kate identify as one of the biggest gaps between what Zephyr (as a steward) currently does and what manufacturers will need to meet CRA obligations?

A Zephyr lacks any mechanism to generate SBOMs

B Zephyr cannot perform any security fixes or backports

C Zephyr's volunteer-driven response timelines and 90-day embargo do not match CRA early-warning windows like 24 hours

D Zephyr refuses to coordinate with any national or EU CSIRTs

E Zephyr does not allow manufacturers to sign up for notifications

Why did the Zephyr project extend its Long-Term Support (LTS) window to five years?

A To match the Linux kernel support policy exactly

B Because the project wants to avoid ever backporting security fixes

C To help manufacturers meet CRA expectations that support periods should be at least five years

D To ensure Zephyr will never cut another mainline release

E To remove the need for any commercial support options

Under the CRA, what approach should manufacturers take toward open-source components like Zephyr when integrating them into products?

A Passively rely solely on upstream open-source projects to provide all fixes without internal due diligence

B Treat open-source as a third party and perform due diligence: document risks, maintain SBOMs, designate points of contact, and report vulnerabilities

C Avoid using any open-source components entirely to eliminate risk

D Assume the steward will always be able to notify every downstream end user directly

E Only use open-source projects that already have a CE mark

Formatting help

italics	surround text with asterisks
bold	surround text with two asterisks
hyperlink	[hyperlink](https://example.com) or just a bare URL
inline code	surround text with single `backticks`
code block (multi-line)	wrap on its own lines with three backticks: ``` your code here ```
~~strikethrough~~	surround text with ~~two tilde characters~~
quote	prefix with >

Upvotes Newest Oldest

raymundagulto

Score: 0 | 11 months ago | no reply

Thanks for the very informative presentation. (I’ve sent a LinkedIn connection request. Hope it will be accepted).

SimonSmith

Score: 0 | 11 months ago | 1 reply

Good to hear the mention of Micrium uC/OS-III, which felt like it died when it was open-sourced a few years back around the time when SiliconLabs took it over and FreeRTOS took off. It's well documented, easy to use and has full source code.
https://github.com/weston-embedded/uC-OS3
https://micrium.atlassian.net/wiki/download/attachments/132386/100-uCOS-III-ST-STM32-003.pdf?version=1&modificationDate=1383921876000&cacheVersion=1&api=v2

acassis

Score: 1 | 11 months ago | no reply

Hi SimonSmith,
that is true, if you use SiliconLabs chips, then uC-OS is a good option!

datamstr

Score: 0 | 11 months ago | no reply

Excellent presentation Kate!

Nathan3

Score: 0 | 11 months ago | 1 reply

Thanks for the talk. Could you share the slides ? I don't see the link here.

Stephane.Boucher

Score: 0 | 11 months ago | no reply

The slides are now available.

Partners & Sponsors

CodeSecure

atym

embedd.it

IAR

Become a Sponsor