Beyond the Release: Managing Long-Term Risk and Compliance in Embedded Linux with Yocto

Anna-Lena Marx presents practical solutions for ensuring compliance, long-term maintainability and continuous security in embedded systems using Yocto – well beyond the initial release!

Sustainable embedded security: Yocto as a response to the Cyber Resilience Act

The new Cyber Resilience Act (CRA) marks a turning point in embedded development: software is no longer merely an accessory to hardware, but is becoming a central architectural principle. With requirements for continuous vulnerability management and manufacturer liability for at least five years, the CRA is forcing companies to radically rethink their approach – moving away from ‘one-off releases’ towards systems that can be maintained over the long term.

The pitfalls of conventional development approaches

In her keynote, Anna-Lena Marx identifies the critical pitfalls that threaten many projects these days. These include, in particular:

  • Vendor BSP Risk: Heavily modified ‘forked kernels’ in board support packages delay or prevent necessary security updates.
  • Layer Bloat: Proliferation in software stacks makes it harder to keep track of everything and increases the attack surface.

Yocto as ‘Compliance Engine’

The solution lies in having complete control over the system. Yocto acts as a powerful compliance engine in this regard. Through fully reproducible builds and direct access to the source code, it enables the level of transparency that is essential for regulatory requirements.

Yocto natively supports CRA requirements through its built-in tools:

  • Automated SBoM generation: Creation of a comprehensive software bill of materials.
  • Integrated licence management: Regulatory compliance across the entire stack.
  • CVE Checking: Early identification and resolution of known vulnerabilities throughout the build process.
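As an added illustration of how these three built-in mechanisms are switched on in a Yocto build (this is an example configuration written for this page, not a fragment from the keynote or its slides), the following `conf/local.conf` excerpt enables the SPDX SBoM generator, the CVE checker and licence enforcement. Variable names are standard Poky/OpenEmbedded configuration; the specific licence choices and the path to a per-project ignore list are assumptions for the example.

```bitbake
# --- Software bill of materials (SPDX) ---
# create-spdx writes an SPDX document per recipe and a merged one per image
# under tmp/deploy/spdx and alongside the image in tmp/deploy/images.
INHERIT += "create-spdx"
SPDX_PRETTY = "1"          # human-readable JSON, easier to diff in review

# --- CVE checking against the NVD database ---
# cve-check maps each recipe's CPE/product name and version to known CVEs
# and emits a per-image report; the JSON form is what a CI job should parse.
INHERIT += "cve-check"
CVE_CHECK_FORMAT_JSON = "1"
CVE_CHECK_REPORT_PATCHED = "1"   # keep patched entries in the report for audit trail
CVE_CHECK_SHOW_WARNINGS = "1"    # surface unpatched CVEs as build warnings

# --- Licence management across the whole stack ---
# Refuse to build anything under licences the product policy does not allow
# (assumed policy for this example: no GPL-3 family in the image).
INCOMPATIBLE_LICENSE = "GPL-3.0-only GPL-3.0-or-later LGPL-3.0-only LGPL-3.0-or-later"
# Ship the licence manifest and licence texts with the image so the
# deployed artefact carries its own compliance evidence.
COPY_LIC_MANIFEST = "1"
COPY_LIC_DIRS = "1"
LICENSE_CREATE_PACKAGE = "1"
```

With this in place a plain `bitbake core-image-minimal` produces the SBoM, the CVE report and the licence manifest as build outputs, so they can be archived per release and regenerated reproducibly from the same layer revisions. Decisions to ignore a reported CVE (for example because the affected code path is not compiled in) belong in the recipe or a bbappend via `CVE_STATUS`, where the justification is recorded next to the exception rather than lost in a ticket.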

Security throughout the entire lifecycle

Finally, the keynote demonstrates why a modern security strategy must extend beyond the build system itself. It shows why thoroughly tested, image-based and signed updates are essential for keeping embedded Linux products secure and compliant with regulations in the field for years to come.

Download the conference slides here:

Beyond the Release: Managing Long-Term Risk and Compliance in Embedded Linux with Yocto (PDF)

Do you have questions?

Anna-Lena Marx

Senior Embedded Systems Engineer