The Embedded Open Source Summit took place from April 16-18 in Seattle, Washington, alongside the Open Source Summit North America. The Zephyr Developer Summit was part of the EOSS, aimed at developers using or considering Zephyr in embedded products. This year, we concentrated on supporting topics relevant to Zephyr users, upstream contributors, and maintainers.
More than 860 individuals from 721 organizations across 46 countries registered for the EOSS conference. The Zephyr track featured over 50 technical sessions, both in-person and on-demand, focusing on users, upstream developers, and maintainers.
Videos from the Zephyr Developer Summit are available on the Zephyr Project YouTube channel. We will highlight a few videos each week in a blog for easy access.
Today we are featuring:
Practical SBOM Management with Zephyr and SPDX – Benjamin Cabé, The Linux Foundation
In his talk at the Zephyr Developer Summit, held as part of the Embedded Open Source Summit, Benjamin Cabé, Developer Advocate at The Zephyr Project, focused on the role a Software Bill of Materials (SBOM) plays in keeping embedded software secure and compliant, specifically in the context of the Zephyr project.
Benjamin began by highlighting the complexities involved in writing secure embedded software, noting that what is considered secure today may not be secure tomorrow. A typical Zephyr application consists of various components, including the Zephyr kernel, device drivers, vendor Hardware Abstraction Layers (HALs), third-party modules and the application code itself. The interdependence of these components makes it hard to enumerate every element that could carry a vulnerability, and therefore hard to tell quickly whether a newly published CVE applies to a given product.
The presentation centered on the concept of SBOMs, which serve as a detailed manifest of all software components used in a project. He explained how SBOMs can provide transparency into the software supply chain by documenting the origins, licenses, and relationships of each component. This transparency is essential for assessing the security posture of an application, ensuring compliance with legal and regulatory requirements, and making informed decisions about software sourcing and dependency management.
Benjamin introduced several tools and standards that developers can use to generate, analyze, and manage SBOMs within the Zephyr ecosystem. One key standard discussed was SPDX (Software Package Data Exchange), published as ISO/IEC 5962:2021, which defines a format for communicating the contents of an SBOM. He detailed how Zephyr integrates with SPDX through the West meta-tool and CMake: running `west spdx --init` before the build registers a CMake file-based API query, and running `west spdx` after the build turns the recorded source files and build dependencies into SPDX documents for the application, the Zephyr tree and the build itself, so the SBOM is produced automatically as part of the build rather than assembled by hand afterwards.
The talk also covered practical aspects of SBOM management, including:
Tooling and Automation: Benjamin demonstrated how to leverage Zephyr’s existing tools to generate comprehensive SBOMs that include metadata such as file hashes, license information, and the origins of software components. He highlighted the importance of automating SBOM generation to ensure that it becomes an integral part of the development workflow rather than an afterthought.
Security and Vulnerability Management: He emphasized the value of SBOMs in tracking and responding to security vulnerabilities. By capturing detailed information about the software components and their versions, developers can quickly determine whether their applications are affected by newly disclosed CVEs. He showcased Intel's CVE Binary Tool (cve-bin-tool), which can take an SPDX document as input and match the components it lists against known vulnerabilities in Zephyr-based applications. This only works as well as the SBOM's metadata: a component that is recorded without a version, or under a name the vulnerability database does not use, will silently fall through such a check, which is why the version and dependency fields matter as much as the file list.
Licensing and Legal Compliance: The talk also touched on the legal implications of using open source software in embedded systems. He explained how SBOMs can help developers navigate complex licensing landscapes by clearly documenting the licenses of all included components, thus avoiding potential legal conflicts.
Challenges and Future Directions: Benjamin acknowledged the challenges of creating accurate and comprehensive SBOMs, particularly in the embedded space where products often have long lifecycles and may incorporate both open-source and proprietary software. He discussed ongoing efforts to enhance Zephyr’s SBOM capabilities, including improving support for the latest version of SPDX (3.0) and adding more metadata to track dependencies and security implications more effectively.
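As an added example (not code from the talk or from the Zephyr project), the following Python consumes an SPDX 2 tag-value document in the layout that `west spdx` writes and does the three things the points above describe: it verifies the file hashes recorded in the SBOM against the source tree so a file modified after the SBOM was generated is caught, it matches package versions against an advisory feed the way a checker such as cve-bin-tool would, and it flags declared licenses outside an allowlist. The SBOM text, the source-file contents, the advisory feed and the license allowlist are all constructed for the demonstration; the advisory identifiers are placeholders rather than real CVEs, and the PackageVersion fields are an assumption, not something every generated document is guaranteed to carry.

```python
"""Consume an SPDX 2 tag-value SBOM: parse it, verify file hashes, match advisories.
Added example, not the talk's or Zephyr's code; every input below is constructed
and the advisory IDs are placeholders, not real CVEs."""
import hashlib
import re

# Constructed source tree (path -> bytes) as the build saw it.
SOURCE_FILES = {
    "./kernel/sched.c": b"/* scheduler */\nint z_sched(void) { return 0; }\n",
    "./src/main.c": b"int main(void) { return 0; }\n",
}

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed SBOM in the tag-value layout `west spdx` emits: each Package block
# is followed by the File blocks it contains. PackageVersion is an assumption.
SAMPLE_SBOM = f"""SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT

##### Package: zephyr-sources

PackageName: zephyr-sources
SPDXID: SPDXRef-zephyr-sources
PackageVersion: 3.6.0
PackageLicenseDeclared: Apache-2.0

FileName: ./kernel/sched.c
FileChecksum: SHA256: {_sha256(SOURCE_FILES["./kernel/sched.c"])}

##### Package: app-sources

PackageName: app-sources
SPDXID: SPDXRef-app-sources
PackageVersion: 1.0.0
PackageLicenseDeclared: GPL-3.0-only

FileName: ./src/main.c
FileChecksum: SHA256: {_sha256(SOURCE_FILES["./src/main.c"])}
"""

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def parse_spdx(text: str) -> list[dict]:
    """Packages as {name, version, license, files}; a File block belongs to the
    Package block before it. Blank lines, '#' comments and unneeded tags are skipped."""
    packages, pkg, cur = [], None, None
    for raw in text.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            pkg, cur = {"name": value, "version": None, "license": None, "files": []}, None
            packages.append(pkg)
        elif tag == "PackageVersion" and pkg:
            pkg["version"] = value
        elif tag == "PackageLicenseDeclared" and pkg:
            pkg["license"] = value
        elif tag == "FileName" and pkg:
            cur = {"name": value, "sha256": None}
            pkg["files"].append(cur)
        elif tag == "FileChecksum" and cur:
            algo, _, digest = value.partition(":")   # value looks like "SHA256: <hex>"
            if algo.strip() == "SHA256":
                cur["sha256"] = digest.strip()
    return packages

def verify_hashes(packages: list[dict], tree: dict[str, bytes]) -> list[str]:
    """SBOM file names whose SHA256 no longer matches the tree, or are missing from it."""
    return [f["name"] for p in packages for f in p["files"]
            if f["name"] not in tree or _sha256(tree[f["name"]]) != f["sha256"]]

# Constructed advisory feed; the IDs are placeholders, not real CVEs.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "package": "zephyr-sources", "fixed_in": "3.6.1"},
    {"id": "ADV-EXAMPLE-2", "package": "zephyr-sources", "fixed_in": "3.5.0"},
    {"id": "ADV-EXAMPLE-3", "package": "mbedtls", "fixed_in": "3.5.2"},
]

def _vtuple(version: str) -> tuple:
    return tuple(int(n) for n in re.findall(r"\d+", version))

def affected(packages: list[dict], advisories: list[dict]) -> dict[str, list[str]]:
    """Package -> advisory IDs whose fix landed after the recorded version. A package
    with no version counts as affected, so a missing field never reads as safe."""
    out = {}
    for p in packages:
        hits = [a["id"] for a in advisories if a["package"] == p["name"] and
                (p["version"] is None or _vtuple(p["version"]) < _vtuple(a["fixed_in"]))]
        if hits:
            out[p["name"]] = hits
    return out

def license_violations(packages: list[dict], allowed=("Apache-2.0", "BSD-3-Clause", "MIT")):
    """Packages whose declared license is outside the allowlist."""
    return {p["name"]: p["license"] for p in packages if p["license"] not in allowed}

if __name__ == "__main__":
    pkgs = parse_spdx(SAMPLE_SBOM)
    tampered = {**SOURCE_FILES, "./kernel/sched.c": b"/* patched after SBOM */\n"}
    print("mismatches:", verify_hashes(pkgs, SOURCE_FILES), verify_hashes(pkgs, tampered))
    print("affected:", affected(pkgs, ADVISORIES), "licenses:", license_violations(pkgs))
```

The hash check is the part most often skipped in practice: an SBOM generated at build time only describes the firmware actually shipped if nothing in the tree changed afterwards, and comparing the recorded checksums against the tree (or against the archived sources for a long-lived product) is how you prove that. The version comparison deliberately treats an absent version as affected; a real checker should be configured the same way rather than quietly skipping components it cannot identify.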
Throughout the talk, Benjamin provided practical examples and demonstrations of how developers can use these tools to enhance the security and compliance of their Zephyr-based projects. He encouraged the community to contribute to the ongoing development of SBOM-related tooling in Zephyr, emphasizing that robust SBOM management is not just a regulatory requirement but also a best practice for building secure and reliable embedded systems.
The session concluded with a call to action for developers to integrate SBOM generation into their workflows and to participate in the community efforts to further improve the tools and standards that support secure software development in the embedded space.
Watch the rest of the Zephyr Developer Summit videos here. The schedule and links to the slides can be found here. Photos from the EOSS can be found here.
For more information about the 2024 event, stay tuned by subscribing to the Zephyr quarterly newsletter or connect with us on @ZephyrIoT, Zephyr Project LinkedIn or the Zephyr Discord Channel to talk with community and TSC members.