Cyber Resilience Act (CRA) – overview

The Cyber Resilience Act (CRA) was adopted by the European Council on October 10, 2024. It was then published in the Official journal of the EU on November 20, 2024 and enters into force today, December 10, 2024. Most of the law will start applying in 3 years, on December 11, 2027.

However, the obligation for manufacturers to report any actively exploited vulnerability or any security incident impacting the security of their product to ENISA will apply from September 11, 2026.
The other parts of the law that will start applying from June 11, 2026 apply to the member states and specify the details of setting up the administrative entities that will assess conformity with the CRA.

At Bootlin, we have been paying close attention to this topic for several reasons. First, the CRA will affect a large number of our clients, as almost every embedded device sold in the EU will need to comply with it. Second, the CRA also affects us directly, for instance as the maintainer of Snagboot.

This post is therefore the first in a series that will present our understanding of the CRA, and clearly lay out what one needs to have in mind in order to be confident of one’s compliance on time.

Am I directly impacted by the CRA?

In short, if you are one of the entities in the chain of electronic hardware with some type of connectivity or software being designed, written/manufactured, marketed, rented/sold or even provided for free in the context of a commercial activity in the European Union, then yes, you are very likely directly impacted by the CRA in some capacity. We’ll see how in this series of posts.

Page 9:

The proposed Regulation will apply to all products with digital elements whose intended and reasonably foreseeable use includes a direct or indirect logical or physical data connection to a device or network.

The CRA is concerned with:

  • products with digital elements, so a typewriter wouldn’t be impacted
  • that have some type of connectivity (network, bluetooth, but also USB or other cables), so a “dumb” electronic watch shouldn’t be impacted
  • being placed onto the internal EU market: if you build your own keyboard but don’t sell it or only outside of the EU, you need not worry about the CRA.

Large classes of devices are excluded from the CRA, because they are covered by other regulations:

  • Medical devices for human use are covered in 2017/745 and 2017/746
  • Motor vehicles and their trailers/ systems need to comply with 2019/2144
  • Civil aviation systems are the object of 2018/1139
  • National security, military and classified information systems are exempt from the CRA as long as they exclusively target these applications

Although the term “product” evokes hardware, the text of the CRA makes it very clear that it is intended to apply to both hardware and software.

As outlined in the regulation, it does not apply to Cloud services (SaaS) in general. However, it does apply to such services that are integral to the product functioning:

It does not regulate services, such as Software-as-a-Service (SaaS), except for remote data processing solutions relating to a product with digital elements understood as any data processing at a distance for which the software is designed and developed by the manufacturer of the product concerned or under the responsibility of that manufacturer, and the absence of which would prevent such a product with digital elements from performing one of its functions.

An exemption is explicitly provisioned for presentation and use in “trade fairs, exhibitions and demonstrations or similar events“, as well as for unfinished software, as long as it is:

  • only available for required testing for a limited time
  • clearly marked as such and as non-compliant with the CRA

Stricter obligations apply to the following products:

  • important products as defined in Annex III
    Class I of this category applies to a rather large list, including routers, switches, VPNs, SIEMs, antivirus software, smart home assistants, door locks, security cameras, OSes, bootloaders, password managers, microprocessors – microcontrollers – ASICs – FPGAs with security-related functionalities, network interfaces, toys that record voice or video or have location tracking, and wearable devices with health monitoring or used by children
    Class II includes hypervisors, container runtime systems, firewalls, IPS, IDS and tamper-resistant micoprocessors and microcontrollers.
  • critical products as defined in Annex IV:
  • Hardware Devices with Security Boxes, which is a technical domain defined in the EUCC and refers to systems where “security relies on a physical envelope […] that is designed to resist direct attacks, e.g. payment terminals, tachograph vehicle units, smart meters, access control terminals and Hardware Security Modules”
  • Smart meter gateways
  • smartcards and devices with secure elements
  • high-risk AI systems as defined in Article 6 of the AI Regulation

These systems will need to go through external assessment, depending on the exact category in which they fit.

What do I need to do and when?

The CRA applies to products as soon as they are placed on the EU market, meaning that compliance to the CRA should be part of the launch plan. Several provisions of the law apply to the design phase, and writing the documents that will be necessary for compliance will be easier to do as design advances than all at the end. The law is intended to have impact on technical design decisions made in the implementation of the product.

Ideally, design decisions and tests will be documented throughout  design and implementation then be compiled into the technical documentation that must be provided when the product launches.

The content and timeline of tasks and requirements depends on the role one fulfills out of the ones detailed below and in the CRA’s Article 3. The very first step in knowing what one needs to do to comply with the CRA is therefore to determine what role one does or will fulfill for every product.

  • Manufacturer: either the actual developer/manufacturer of the product, or the person/entity marketing it
  • Authorized representative: person or entity within the EU who received a written mandate to act on behalf of the manufacturer
  • Importer: if the manufacturer is outside of the EU, that is the entity placing the product on the market
  • Distributor: entity other than manufacturer or importer who places the product on the market
  • Open-Source software steward: entity systematically contributing to or supporting specific open-source software intended for commercial activity

Obligations apply at several stages. Initial obligations apply from the conception stage, from the moment the product is being designed. These initial obligations mostly consist of:

  • Taking security into account when designing and implementing the product
  • Documenting the risks that were taken into account and their mitigations
  • Preparing for the continuous obligations by designing the processes that will be used e.g. for responsibly handling vulnerabilities in the product

The continuous obligations apply starting when the product is placed on the market throughout its lifetime, and refer to a concept known as the support period, which will be detailed in the later post for manufacturers. In short, they require:

  • Updating the documentation produced to meet the initial obligations
  • Making that documentation available to users and authorities
  • Responsibly handling vulnerabilities
  • Reporting vulnerabilities known to be exploited as well as security incidents

The last stage is when the entity behind the product stops operating. The final obligation is to make authorities and users aware of this cessation of operations.

This is a broad overview, and there is of course more to discuss, which is why subsequent posts in this series (stay tuned!) will go into the details for manufacturers, who bear most of the responsibilities, and for open-source software stewards, as they are a slightly special case, and one whose criteria Bootlin and many in the embedded community fit.
This post will still go into reporting obligations, as they apply broadly, and will be the first to apply outside of conformity assessment bodies (not exactly the target audience of this series), in September 2026.

Reporting – ENISA and users

Starting September 11, 2026, all roles in the CRA are, under certain conditions for importers, distributors and representatives and always for manufacturers and open-source stewards, under obligation to report:

  • any vulnerability in the software that is known to be exploited
  •  severe incidents that impact the security of the software

Both must be reported to the single reporting platform that ENISA has been charged with creating in Article 16.
This single reporting platform mentioned above does not exist yet. It is the responsibility of ENISA, and should ultimately have one endpoint for each member state’s Computer Security Incident Response Team (CSIRT).
The list of those CSIRTs should theoretically be available at https://csirtsnetwork.eu/homepage, but appears to be currently not working. ENISA’s CNW can help with an educated guess: in the case of France, for instance, the CSIRT is the CERT-FR. Today, reporting incidents or vulnerabilities to the CERT-FR must be done by encrypted email, as indicated on this page (french). But ultimately, they should own an endpoint of ENISA’s reporting platform.

The CRA specifies what it means by “severe” incidents. That includes events that could negatively affect the software’s ability to protect the CIA triad: Confidentiality, Integrity, Authenticity of “sensitive or important data or functions” or even their availability. This will most likely be the case of any security incident.

The CRA explicitly addresses the introduction of malicious code into the software as a severe incident. The xz backdoor discovered earlier this year would be a prime example.

It is also specific as to how this reporting should happen:

  • A first notification should be published as soon as possible, and before 24h of the entity becoming aware. For an incident, it should include whether it is suspected to have been caused by malicious actions. For a vulnerability, it should include the member states where the product is known to be used.
  • As soon as possible and before 72h, an initial assessment and mitigations should be provided.
  • As soon as possible and within one month after the initial assessment above, the entity should publish a final report detailing the incident or vulnerability, its impact, the root cause and the mitigations.
    For a vulnerability, it should also include information about any malicious actor known to have exploited or be exploiting it.

Reports after the first are only mandatory if they would add information.
In the case of an incident which impact, root cause and mitigations are all known within 24h, only one notification need be sent

Conclusion

This first post should have given you some insights as to where you stand regarding the CRA. Though it might still be unclear what exactly you need to be doing, you should have a rough idea of what to expect and when to expect it.
The next post will go into the details of what manufacturers will need to do.

OpenWrt support for STM32MP updated and STM32MP2 added

Bootlin is happy to announce a new release of our OpenWrt feed openwrt-feed-st, which  provides integration of ST’s STM32MP platforms with the OpenWrt build system. This new release openstlinux-6.1-openwrt-master-mpu-v24.06.26 updates the BSP software components and adds support for the new STM32MP2 platform.

ST BSP Update

The components of the ST BSP were updated as follows:

STM32MP2 support

A few months ago STMicroelectronics released its new STM32MP25 processor family. It is composed of ARM64 processors based on single or dual Arm Cortex-A35 cores, combined with one Cortex-M33 and a wide range of peripherals.

A first evaluation board is already available, the STM32MP257F-EV1.

Our feed openwrt-feed-st provides 2 configurations for this STM32MP257F-EV1 evaluation board:

  • STM32MP257F-EV1: minimal configuration for the STM32MP257F-EV1
  • STM32MP257F-EV1-DEMO: more complete configuration for the STM32MP257F-EV1 which mainly includes the OpenWrt Web configuration interface.

The documentation in the openwrt-feed-st feed describes all steps to fetch the OpenWrt code, build it, flash the image and boot the board, with details for both STM32MP1 and STM32MP2 platforms.

Getting support

The issue tracker can be used to report bugs or get support.

Do not hesitate to contact us if you need embedded Linux support on ST platforms and/or on OpenWrt related topics!

Upgrading Snagboot to a fully-fledged factory flashing tool

Snagboot is a fully open-source and vendor-agnostic recovery and flashing tool released by Bootlin in 2023. It is composed of snagrecover and snagflash, which respectively run U-Boot on a target platform using USB recovery mode and flash non-volatile storage devices using USB gadgets exposed by U-Boot.

While the combination of snagrecover and snagflash allows to reflash a board during development, it doesn’t fully address the needs of factory flashing: fast processing of multiple boards in parallel, monitoring of individual board statuses during the flashing process, and compatibility with Windows, which is the most often used operating system on factory floors.

Back in March 2024, Texas Instruments contacted Bootlin with a project request: to grow Snagboot into an efficient factory flashing tool. The goal was for factory operators to have a way of efficiently flashing groups of devices using a single user-friendly interface.

While this project could have been executed internally by engineers at Texas Instruments, the team at TI realized the importance of keeping this work agnostic to TI and driving this truly as an Open Source project. We thank TI for partnering with us and sponsoring us to deliver this tool that will cater to the flash writing needs of a variety of small and medium sized manufacturing houses & industry in general.

Consequently, Bootlin is proud to release the 2.0 version of Snagboot, which includes a factory flashing tool that runs on both Windows and Linux!

This tool supports a wide range of platforms from different vendors. All boards using supported SoCs are themselves supported without any extra effort, provided proper U-Boot support exists and USB recovery ports are routed in hardware.

For example, the TI AM62 and AM64 SoCs are fully supported by Snagboot. Thus, all boards using those platforms are supported, including the TI evaluation boards for those processors as well as the popular open-hardware BeaglePlay platform.

Groups of devices can be recovered and flashed in parallel, and the flashing process can be monitored from  a convenient GUI:

This tool is called Snagfactory. It is fully integrated into the Snagboot package. As an added bonus, the snagrecover and snagflash commands now work on Windows as well!

An efficient and standardized factory flashing procedure is a valuable asset for device manufacturers. Not only does it affect unit production rates, it also increases reliability by removing variability from the flashing process.

A tool like Snagboot also provides better accountability, by storing detailed logs of each and every factory flashing operation. This facilitates auditing of these operations, as well as post-incident analysis. Snagfactory configuration files lend themselves well to versioning, which means that each flashing operation can be tied back to a specific configuration.

Moreover, the open-source and vendor-agnostic nature of Snagfactory will make it possible for bug fixes and new features to travel across company boundaries, thereby lending a competitive advantage to those companies who chose to participate in its development.

Features supported by Snagfactory include:

  • Ordered pipelines of factory flashing tasks.
  • GPT partitioning.
  • Flashing huge image files (larger than the Fastboot RAM buffer).
  • Flashing bmap sparse images.
  • eMMC hardware partitioning.
  • Prompting for operator action at a specific step in the factory flashing process.
  • Storing factory flashing results as detailed log files for accountability and troubleshooting purposes.

Installation instructions are available for Linux and Windows in the Snagboot documentation, which also includes a user manual for Snagfactory.

The configuration file format allows users to design pipelines of flashing tasks, to be applied in order to each device.

The following flashing tasks are currently supported:

  • gpt: write a GPT partition table to an eMMC or SD card
  • flash: write a binary image to a storage device or partition; supports specifying an offset, flashing bmap sparse files, and flashing huge images (larger than RAM buffer size)
  • mtd-parts: write an MTD logical partition scheme to the U-Boot environment; this allows targeting MTD partitions by name in the « flash » command
  • emmc-hwpart: burn an MMC hardware partition configuration; this is an irreversible operation; General Purpose partitions and EUDA are supported
  • prompt-operator: pause the factory flashing process for the board and prompt the operator to complete an action before resuming the pipeline
  • reset: runs a soft reset on the target and recovers the board
  • run: runs a Fastboot command on the target; arbitrary U-Boot commands can also be executed using oem_run

A special thanks goes out to Texas Instruments for funding and supporting this awesome project! We plan to continue growing Snagfactory alongside the original Snagboot tools, so don’t hesitate to contribute if you are so inclined.

Welcome to Thomas Bonnefille

Thomas BonnefilleWe’re happy to announce that Thomas Bonnefille has just joined the Bootlin engineering team!

Thomas Bonnefille recently graduated from ENSEEIHT, an engineering school based in Toulouse, France. During his studies, he actively participated to 7Robot, the ENSEEIHT robotics club, thanks to which he got involved in his first embedded Linux project: building a robot that ranked 9 out of a hundred participating teams at the French Robotic Cup.

Following this success, Thomas did his final internship at Bootlin, during which he worked on Buildroot, U-Boot and Linux kernel support and drivers for several RISC-V platforms. During his internship, he also got the chance to following many of the training courses offered by Bootlin.

Thomas is now joining our team as a full-time engineer, to work with our growing team based in Toulouse, to help our customers on numerous embedded Linux projects.

Thomas Bonnefille is also the fourth Thomas to work at Bootlin, after Thomas Petazzoni, Thomas Perrot and Thomas Richard! 🙂

Please see Thomas’s Bootlin page and LinkedIn profile.

Linux 6.12 released, Bootlin contributions inside

Linux 6.12 has been released during the past week-end, pretty much as expected after 7 release candidates. As usual, we recommend our readers to go through the amazing LWN.net articles covering the 6.12 merge window (part 1, part 2) to get a high-level overview of the major new features and improvements in this 6.12 release. One of the prominent improvement in this release, as far as the embeded industry is concerned, is obviously the merge of the final bits enabling PREEMPT_RT… which already caused our Real-Time Linux with PREEMPT_RT training course to be updated.

As usual, Bootlin again contributed to this release: with 118 commits merged, we are again in the top 20 contributing companies! Also, in addition to contributing our own code, several of our engineers are also maintainers, and as part of this work those engineers review and merge patches from other contributors. As part of this effort, for this 6.12 release:

  • Alexandre Belloni, as the RTC and I3C subsystems maintainer, merged 29 patches from other contributors
  • Miquèl Raynal, as the MTD subsystem co-maintainer, merged 24 patches from other contributors
  • Grégory Clement, as the Marvell platform maintainer, merged 4 patches from other contributors

Overall, 13 active Bootlin engineers made contributions to this release, which on a total staff of 24 people, means that more than half of our team has contributed to the Linux kernel for 6.12, a good indication of our strong focus on Linux kernel development and upstreaming!

Now looking at our contributions to 6.12, from a high-level:

  • Hervé Codina was our most prolific contributor, with 38 patches. Hervé has put the final touch to a massive effort aiming at supporting a very complex audio topology on fairly old Freescale/NXP platforms. This last bits of work have been focused on improving the drivers he had submitted to drivers/soc/fsl/qe to also support the MPC8312 processor, which has a slightly different QMC hardware block. We hope to publish soon a very detailed blog post on this work that spanned over several years and finally came to an end with these last patches!
  • Maxime Chevallier was the second most prolific contributor, with 25 patches merged. He mostly got his Ethernet PHY topology work merged, which he had presented on at Netdev last year and at Linux Plumbers this year. He also converted the fs_enet Ethernet MAC driver to the phylink API.
  • Miquèl Raynal was (as usual) active on the MTD subsystem, where he was mostly focused on improving the SPI NAND subsystem to support continuous read. Continuous read is an optimization that allows to improve the performance when reads from contiguous pages are made. The cover letter states: overall the speed gains are impressive: up to 45% when reading a block in 1-1-4 mode, where a substantial time is lost waiting for the chip to be ready.
  • Luca Ceresoli got his improvements to the dapm-graph and decode_stacktrace.sh tools merged.
  • Thomas Bonnefille, who worked as an engineering intern at Bootlin and recently joined as a full-time employee, saw his very first Linux kernel driver merged, an IIO driver for the ADC found in Sophgo RISC-V processors: drivers/iio/adc/sophgo-cv1800b-adc.c.
  • Thomas Richard improved power management support in the PCI code used on Texas Instruments platforms.
  • Théo Lebrun managed to get the pinctrl and reset drivers for the Mobileye EyeQ MIPS processors merged. He also worked with Thomas Richard on the Texas Instruments PCI power management effort.
  • Alexis Lothoré did quite a bit of work on eBPF tests, funded by the eBPF Foundation: he converted test_xdp_veth, test_dev_cgroup, get_current_cgroup_id_user, test_cgroup_stroage and test_skb_cgroup_id_user to the test_progs infrastructure.
  • Romain Gantois made a single contribution, but it adds a new feature to the TI TLV320AIC31xx audio codec driver. This feature allows to load filter coefficients from a firmware file, providing the ability to fine-tune the codec configuration.
  • Alexandre Belloni, Bastien Curutchet, Köry Maincent and Louis Chauvet also got a small number of patches merged, mostly fixes or small improvements. A patch from Clément Léger, who left Bootlin more than a year ago, also made its way upstream.

Here is the complete details of our 118 contributions to this kernel release:

Bootlin at Capitole du Libre, November 16/17 in Toulouse, France

Capitole du LibreCapitole du Libre is one of the major open-source conferences in France, possibly the most important community-driven open-source conference in France. Coincidentally, it was co-founded over 10 years ago by Bootlin CEO Thomas Petazzoni, but it’s now run by a large group of enthusiast volunteers.

As one of the Bootlin offices is precisely based in Toulouse, and Bootlin is strongly connected to open-source projects and communities, it is natural that Bootlin engineers have been attending Capitole du Libre for pretty much as long as it has existed, and the 2024 edition will be no exception to this rule:

Bootlin is hiring, for both full-time embedded Linux engineer positions, and for embedded Linux engineering internships, so do not hesitate to get in touch during the event to discuss career opportunities at Bootlin!

Additionally, our hardware and electronic design partner and friend Ratiotech will be present, and they are hiring electronic design engineers, get in touch as well!

We’re looking forward to meeting the open-source community at Capitole du Libre, discovering new projects, and learning new things. Join us and attend the event!

Feedback from Open Source Summit Europe 2024: our selection of talks #1

Open Source Summit Europe 2024The Open Source Summit Europe took place about a month ago in Vienna, and a large part of the Bootlin team attended the event, at which we also gave two talks.

At Bootlin, after such conferences, we also have a tradition of highlighting a number of talks we found interesting, and sharing this selection with our readers: we have asked each Bootlin engineer who attended Open Source Summit Europe 2024 to pick one talk they liked, and share a summary.

You’ll find in this first blog post a first selection of 3 talks: with their videos being available, this gives you the ideal playlist for the upcoming cold and rainy evenings!

Continue reading “Feedback from Open Source Summit Europe 2024: our selection of talks #1”

Welcome to Antonin Godard

After Mathieu Dubois-Briand and Olivier Benjamin, a third engineer joined this September our team at our Lyon office in France: we’re happy to welcome Antonin Godard.

After graduating from the french Telecom Paris engineering school in 2020, Antonin spent 4 years at Witekio, exclusively dedicated to embedded Linux system development. He has primarily been involved in Yocto-based projects, designing and architecturing BSPs for various customers and maintaining them. He also has experience with secure boot, CI/CD , CVE analysis, OTA updates and automated testing. Antonin also worked for a year in Witekio’s Seattle office, where he pursued his work on Yocto-based projects for American customers.

Over the years, Antonin got to work with Xilinx Zynq Ultrascale and NXP Layerscape SoCs as well as some experience with i.MX and x86 based-SoCs – for which he got bootloaders (U-boot / Grub), the Linux kernel and various open-source software up and running.

As part of his work at Bootlin, Antonin has already been involved in contributing to the Yocto Project documentation, and he will bring his expertise to help our customers on all embedded Linux topics. See Antonin’s profile on our website for more details.

Once again, welcome Antonin!

2025 internships at Bootlin

We have just published our 2025 internships booklet, documenting the internship topics we are offering to students in engineering who are completing their studies by a final internship.

Since this is mainly targeted at students based in France, who can join our offices in Lyon (France) or Toulouse (France), the internship descriptions are in French.

The topics we are proposing this year are:

  • exploration of Machine Learning solutions for embedded Linux
  • improvement of Snagboot, the universal embedded flashing tool
  • drivers and hardware support in Linux or U-Boot
  • enhancement of Device Tree support in the Linux kernel
  • porting Bootlin training to Qemu
  • evaluation and porting of Bootlin training to a new hardware platform
  • contributions to the Yocto ecosystem
  • contribution to the Buildroot project
  • monitoring the security of Linux BSPs
  • reference implementation of a secure embedded Linux OS
  • Ultra Wide Band (UWB) support in the Linux kernel
  • open topic on embedded Linux or Zephyr



Bootlin welcomes cybersecurity expert Olivier Benjamin

We’re happy to announce that Olivier Benjamin has recently joined the Bootlin engineering team!

For anyone in the tech industry, and especially the embedded industry, it is clear now that security is one of the most important topics of the recent and coming years both from a technical standpoint and from a regulatory standpoint (with regulations such as the CRA). Bootlin has already been helping its customers improve the security of their embedded Linux products by providing expertise on secure boot, encryption, TPM or maintenance of Linux BSPs.

With the arrival of Olivier in our team, we’re really happy to be significantly strengthening our security expertise. Indeed, Olivier has a very strong and solid security background: he started his career at security R&D firm Quarkslab doing embedded device security assessment, then he worked for several years for the french Ministry of Defense reverse engineering security implementation in embedded devices, searching for vulnerabilities and developing proofs of concept. He then joined AWS at Amazon, going through various security roles including incident response as well as looking into security vulnerabilities of concern for the hypervisor and kernel layers of EC2.

In addition to being a security expert, Olivier is also passionate about Linux and Open Source, matching well Bootlin’s DNA. Most notably, Olivier is a contributor to the UBPorts project, looking specifically at the Pine64 native port.

Check out Olivier’s profile on our website for more details. Once again, welcome Olivier!