12:00
-
12:20
-
12:20
Day 2
SBOMs for Embedded Firmware: The Zephyr RTOS Case Study
<p>SBOMs for embedded systems are harder than for typical apps: vendor HALs, out-of-tree modules, binary blobs... accurately capturing what <em>actually</em> ended up in the binary image deployed on your product is crucial for addressing future CVEs with confidence, as well as to comply with regulations such as CRA.</p>
<p>In this talk, I’ll show how Zephyr RTOS integrates SPDX-based SBOM generation into its CMake build system, and how we’re exploring SPDX 3 to describe things that aren’t just source code — build configuration, AI/ML artifacts, etc. — so that SBOMs for Zephyr-based products reflect the real security and compliance surface of the device, not just the code that was compiled.</p>