sbom-cve-check v1.2.0 released

We are pleased to announce the release of sbom-cve-check v1.2.0, which focuses on offline usability, improved SPDX 3.0 support, and more flexible export options.

For the record, sbom-cve-check is a lightweight, standalone and easy-to-use tool that parses Software Bill of Materials (SBOM) files and, using publicly available databases of security vulnerabilities (CVEs), produces a report detailing which software components are affected by known vulnerabilities. sbom-cve-check is developed and maintained by Bootlin engineer Benjamin Robin.

In the next sections we will describe the major updates brought by this 1.2.0 release.

Announcing sbom-cve-check, a lightweight CVE analysis tool for your SBOM

Today, we are happy to announce the first release of a brand new open-source project: sbom-cve-check, a lightweight CVE analysis tool for your Software Bill of Materials (SBOM). Written in Python, with minimal dependencies and a very simple workflow in mind, sbom-cve-check parses your SBOM (SPDX v2.2 and SPDX v3.0 are currently supported) and, using publicly available databases of security vulnerabilities, generates a report of known vulnerabilities affecting the software components it lists.
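To illustrate what an SBOM-to-CVE matcher has to do, here is an added example that is not sbom-cve-check's own code: it parses a constructed SPDX 2.2 JSON document, matches each package's name and version against a constructed vulnerability feed whose version-range fields follow the NVD convention (versionStartIncluding / versionEndExcluding), and reports packages that carry no version separately, since a missing version cannot clear any CVE. The SBOM, the CVE identifiers and the affected ranges are all invented for the example; the real tool consumes the public databases instead.

```python
"""Minimal offline SPDX 2.2 (JSON) to CVE matcher.

Added example, not sbom-cve-check's own code. The SBOM and the vulnerability
feed below are constructed for the example: the CVE ids and version ranges
are invented, and only the field names mirror the NVD CPE-match convention.
"""
import json
import re

# Constructed SPDX 2.2 JSON document with three packages (one without a version).
SBOM_JSON = r'''
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-image",
  "packages": [
    {"SPDXID": "SPDXRef-Package-openssl", "name": "openssl", "versionInfo": "3.0.7",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/openssl@3.0.7"}]},
    {"SPDXID": "SPDXRef-Package-zlib", "name": "zlib", "versionInfo": "1.2.13"},
    {"SPDXID": "SPDXRef-Package-busybox", "name": "busybox"}
  ]
}
'''

# Constructed vulnerability feed (NOT real CVE data): each record names a
# product and a half-open affected version range [start, end).
VULN_FEED = [
    {"id": "CVE-0000-0001", "product": "openssl",
     "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.0.8"},
    {"id": "CVE-0000-0002", "product": "openssl",
     "versionStartIncluding": "1.1.1", "versionEndExcluding": "1.1.1t"},
    {"id": "CVE-0000-0003", "product": "zlib",
     "versionStartIncluding": "1.2.0", "versionEndExcluding": "1.2.12"},
    {"id": "CVE-0000-0004", "product": "busybox",
     "versionStartIncluding": "1.0", "versionEndExcluding": "1.36.1"},
]

_PART = re.compile(r"(\d+)([A-Za-z]*)")


def version_key(v: str) -> tuple:
    """Turn '1.1.1k' into ((1,''),(1,''),(1,'k')) so tuples compare like versions.
    Numeric parts compare as integers; a letter suffix sorts after no suffix."""
    key = []
    for part in v.split("."):
        m = _PART.fullmatch(part)
        if m is None:
            key.append((0, part))  # e.g. 'rc1': keep as text after a zero number
        else:
            key.append((int(m.group(1)), m.group(2)))
    return tuple(key)


def in_range(version: str, rec: dict) -> bool:
    """True if version lies in [versionStartIncluding, versionEndExcluding)."""
    v = version_key(version)
    start = rec.get("versionStartIncluding")
    end = rec.get("versionEndExcluding")
    if start is not None and v < version_key(start):
        return False
    if end is not None and v >= version_key(end):
        return False
    return True


def load_spdx_packages(doc: str) -> list:
    """Extract (name, version, purl) for every package of an SPDX 2.x JSON document."""
    sbom = json.loads(doc)
    if not str(sbom.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("only SPDX 2.x JSON is handled in this example")
    pkgs = []
    for p in sbom.get("packages", []):
        purl = next((r["referenceLocator"] for r in p.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        pkgs.append({"name": p["name"], "version": p.get("versionInfo"), "purl": purl})
    return pkgs


def match_cves(packages: list, feed: list) -> list:
    """One finding per (package, CVE) whose product matches and whose version is in
    range. A package without a version is flagged for every candidate CVE rather
    than silently dropped: no version means nothing can be ruled out."""
    findings = []
    for pkg in packages:
        candidates = [r for r in feed if r["product"].lower() == pkg["name"].lower()]
        if pkg["version"] is None:
            for r in candidates:
                findings.append({"package": pkg["name"], "version": None,
                                 "cve": r["id"], "status": "unknown-version"})
            continue
        for r in candidates:
            if in_range(pkg["version"], r):
                findings.append({"package": pkg["name"], "version": pkg["version"],
                                 "cve": r["id"], "status": "affected"})
    return findings


def report(findings: list) -> str:
    """Render findings as fixed-width text, one line per (package, CVE)."""
    return "\n".join(f"{f['cve']:<14} {f['package']:<10} {f['version'] or '?':<8} {f['status']}"
                     for f in findings)


if __name__ == "__main__":
    print(report(match_cves(load_spdx_packages(SBOM_JSON), VULN_FEED)))
```

On the constructed input this reports openssl 3.0.7 as affected by CVE-0000-0001 (inside [3.0.0, 3.0.8)), clears zlib 1.2.13 (past the 1.2.12 fix), and lists busybox with an unknown version against CVE-0000-0004. Real tooling also has to handle vendor backports and distribution-specific version strings, which a plain range check like this one does not see.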

This tool will be presented tomorrow, December 2, at 3:40 PM at the Yocto Project Virtual Summit 2025.12, in a talk titled sbom-cve-check: Lightweight Python tooling for out-of-build CVE analysis of SPDX3 SBOMs, presented by Bootlin engineers Benjamin Robin and Olivier Benjamin.

Back from Open Source Summit Europe 2025: talks from Bootlin

Bootlin had a very strong presence at the recent Open Source Summit Europe, with 26 members of our team attending the event, 8 talks given by our engineers, and a booth at the technical showcase.

As the Linux Foundation has just posted the videos of all talks from the event, now is a good time to publish the slides of our talks alongside the videos.

Safe updates using RAUC on Raspberry Pi 5

As part of a recent project at Bootlin, we implemented A/B Over-The-Air (OTA) updates on a system based on the Raspberry Pi 5 using RAUC. We ended up not using U-Boot as a bootloader and instead rely solely on the Raspberry Pi firmware as the bootloader. This post dives into the details of making this happen, and into some advanced features of RAUC.

Cyber Resilience Act (CRA) – Obligations for manufacturers

The EU’s new Cyber Resilience Act (CRA) sets out a comprehensive framework of cybersecurity requirements for products with digital elements. While most of its provisions will apply starting December 11, 2027, certain obligations—most notably, reporting duties for manufacturers—will kick in earlier, on September 11, 2026.

In a previous blog post, we offered an overview of the CRA and its broader context. In this article, we’re narrowing the focus to a key actor in the CRA’s ecosystem: the manufacturer. We’ll explore what qualifies someone as a manufacturer under the regulation, and what responsibilities that role carries under the new law.

The NIST’s new plan for digital signatures: impact on secure boot

In October 2024, the National Institute of Standards and Technology (NIST) published an initial public draft of Special Publication 800-131A, titled “Transitioning the Use of Cryptographic Algorithms and Key Lengths”. It details how NIST expects the requirements for the use of cryptography to protect non-classified information to evolve.

There are several key points, such as abandoning ECB mode and SHA-1, but the main one this post investigates is digital signatures.

Cyber Resilience Act (CRA) – overview

The Cyber Resilience Act (CRA) was adopted by the European Council on October 10, 2024. It was then published in the Official Journal of the EU on November 20, 2024 and enters into force today, December 10, 2024. Most of the law will start applying in three years, on December 11, 2027.

However, the obligation for manufacturers to report to ENISA any actively exploited vulnerability, or any severe incident impacting the security of their product, will apply from September 11, 2026.
The other parts of the law that start applying earlier, from June 11, 2026, are addressed to the member states and specify how to set up the administrative entities that will assess conformity with the CRA.

At Bootlin, we have been paying close attention to this topic for several reasons. First, the CRA will affect a large number of our clients, as almost every embedded device sold in the EU will need to comply with it. Second, the CRA also affects us directly, for instance as the maintainer of Snagboot.

This post is therefore the first in a series that will present our understanding of the CRA, and clearly lay out what one needs to have in mind in order to be confident of one’s compliance on time.

OP-TEE support for Microchip SAMA5D2 processors

Over the past few years, we have been contributing support for the Microchip SAMA5D2 processor family to the OP-TEE project, and we also helped with enabling OP-TEE on the Microchip SAMA7 processor family.

In this blog post, we give a quick introduction to OP-TEE and then detail a few of the changes that were made to add support for Microchip SAMA5 processors to the OP-TEE project.

Bootlin at Open Source Experience and SIDO in Paris, Dec 6-7

Next weekend, Paris will host a combined event made up of Open Source Experience and SIDO, the first dedicated to open-source technologies and the second to IoT, AI, digital infrastructure and cybersecurity.

Thomas Petazzoni, Bootlin CEO, will be representing Bootlin at these events, and will also be participating in the round table Embedded systems security: a technical and organizational approach on December 7, at 2:30 PM UTC+1. The abstract of the round table is:

Security is a major issue. Embedded systems are increasingly complex and connected, making them more vulnerable. The aim of this round table is to discuss best practices for guaranteeing security

Thomas will be speaking with Daniel Fages (Freelance), Eloi Bail (Savoir Faire Linux) and Jean-Charles Verdié (Canonical), and the round table will be moderated by Cédric Ravalec (Smile).

If you’re interested in discussing career, business or partnership opportunities with Bootlin, do not hesitate to contact Thomas Petazzoni ahead of the event to schedule a meeting.

Slides and videos of Bootlin talks at Live Embedded Event #2

The second edition of Live Embedded Event took place on June 3rd, exactly 6 months after the first edition. Even though there were a few issues with the online platform, it was once again great to learn new things about embedded, and share some of the work we’ve been doing at Bootlin on various topics. For the next edition, we plan to switch to a different online platform, hopefully providing a better experience.

But in the meantime, all videos of the event have been posted on the event's YouTube channel. The talks from Bootlin have also been posted on Bootlin's YouTube channel.

Indeed, in addition to being part of the organization committee, Bootlin prepared and delivered 5 talks as part of Live Embedded Event, covering different topics we have worked on in the recent months for our customers.

Understanding U-Boot Falcon Mode and adding support for new boards, Michael Opdenacker: Slides [PDF]

Introduction to RAUC, Kamel Bouhara: Slides [PDF]

Security vulnerability tracking tools in Buildroot, Thomas Petazzoni: Slides [PDF]

Secure boot in embedded Linux systems, Thomas Perrot: Slides [PDF]

Device Tree overlays and U-Boot extension board management, Köry Maincent: Slides [PDF]