
Enhancing Supply Chain Security for Embedded Systems: Renode Dashboard for Zephyr RTOS Adds New Software Bill of Materials (SBOM) Capabilities by Default

Authors: Michael Gielda, Kate Stewart

A Software Bill of Materials (SBOM) makes information about the software components running on a system available. This transparency and summarization are needed in embedded systems with resource constraints and where updates may have significant deployment or recall costs.

In 2021, we saw significant indicators that having an SBOM is going to become a regulatory requirement in some embedded market segments (medical, energy, etc.), and in May 2021 the US Government issued an executive order whose timeline expects the industry to be ready to generate SBOMs in 2022.

Software Package Data eXchange® (SPDX®) is an international standard (ISO/IEC 5962:2021), able to express SBOM information, as well as other facts about software packages, files, and snippets. It is uniquely able to specify the fidelity of information required for embedded software, and partition the information logically to express system level information.

The Zephyr Project incorporated the ability to generate SBOMs automatically during builds in 2021. This is done when building Zephyr executables using the ‘west spdx’ command. West is Zephyr’s meta-tool that supports the build infrastructure. There are multiple SBOMs created (one for the Zephyr sources, one for the application sources, and one for the built image) that will link back to all the dependencies in the source files.
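Because the generated SBOMs link to one another, a consumer can check those links before relying on the documents. The following is an added example, not code from the Zephyr Project or from the original post: it assumes the documents are SPDX 2.2 tag-value files, the function names and sample documents are constructed for illustration, and it goes slightly beyond the text by also verifying the SHA1 that SPDX 2.2 records for each external document reference.

```python
import hashlib
import re

def spdx_ids(text):
    """All element identifiers defined in one tag-value document."""
    return set(re.findall(r"^SPDXID:\s*(\S+)", text, re.M))

def external_refs(text):
    """Map each declared DocumentRef-* name to its recorded SHA1."""
    pat = r"^ExternalDocumentRef:\s*(DocumentRef-\S+)\s+\S+\s+SHA1:\s*([0-9a-fA-F]{40})"
    return {name: digest.lower() for name, digest in re.findall(pat, text, re.M)}

def check_links(doc, supplied):
    """Return the problems found in doc's cross-document links.

    supplied maps a DocumentRef-* name to the text of the file received for it.
    """
    problems = []
    refs = external_refs(doc)
    for name, digest in refs.items():
        other = supplied.get(name)
        if other is None:
            problems.append(f"{name}: document not supplied")
        elif hashlib.sha1(other.encode()).hexdigest() != digest:
            problems.append(f"{name}: SHA1 mismatch")
    for target in re.findall(r"^Relationship:\s*\S+\s+\S+\s+(\S+)", doc, re.M):
        ref, sep, element = target.partition(":")
        if not sep:
            continue  # same-document target, NONE or NOASSERTION
        if ref not in refs:
            problems.append(f"{target}: undeclared document reference")
        elif ref in supplied and element not in spdx_ids(supplied[ref]):
            problems.append(f"{target}: element not found")
    return problems

# Constructed sample data, not real `west spdx` output.
ZEPHYR_DOC = (
    "SPDXVersion: SPDX-2.2\nSPDXID: SPDXRef-DOCUMENT\n"
    "FileName: ./kernel/init.c\nSPDXID: SPDXRef-File-init.c\n"
)
BUILD_DOC = (
    "SPDXVersion: SPDX-2.2\nSPDXID: SPDXRef-DOCUMENT\n"
    "ExternalDocumentRef: DocumentRef-zephyr http://example.invalid/zephyr "
    f"SHA1: {hashlib.sha1(ZEPHYR_DOC.encode()).hexdigest()}\n"
    "FileName: ./zephyr/zephyr.elf\nSPDXID: SPDXRef-File-zephyr.elf\n"
    "Relationship: SPDXRef-File-zephyr.elf GENERATED_FROM DocumentRef-zephyr:SPDXRef-File-init.c\n"
    "Relationship: SPDXRef-File-zephyr.elf GENERATED_FROM DocumentRef-app:SPDXRef-File-main.c\n"
)

if __name__ == "__main__":
    print(check_links(BUILD_DOC, {"DocumentRef-zephyr": ZEPHYR_DOC}))
```

In the constructed sample, the second relationship points at a document the build SBOM never declares, which is the kind of dangling link that would otherwise leave a dependency untraceable.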

Antmicro’s Renode Zephyr Dashboard now includes SBOMs

Antmicro, a Platinum member of the Zephyr Project, has, among other contributions (including maintaining Zephyr support for RISC-V and work around supporting Zephyr on FPGA platforms), been ensuring that Zephyr developers can access the powerful simulation, testing, and debug capabilities of its open source simulation framework, Renode.

Renode shares the vendor-neutral and user-centric approach of Zephyr, focusing on the security and developer productivity of the RTOS.

The two open source projects have been collaborating for many years now, and the Renode Zephyr dashboard is a great recent showcase of where Zephyr and Renode complement each other.

The Renode tool visualizes the results of a continuous integration (CI) system running real Zephyr binaries on multiple architectures, boards and SoCs from a variety of vendors, incorporating the advantages of portable examples and the structured platform data provided by Zephyr. 

Renode’s flexibility and reconfigurability produce a concise dashboard displaying Zephyr-compatible boards currently supported in Antmicro’s open simulation framework.

This dashboard project uses the systematized information from Zephyr, which uses device trees to describe the platform data needed to pick and configure specific drivers and subsystems. That data can then be mapped onto Renode’s plug-and-play, building-block-oriented design.

Renode Dashboard Includes SBOMs in Standard Builds

As a member of Zephyr’s Technical Steering Committee, Antmicro collaborates with other Zephyr members (which include many of Antmicro’s customers such as Google, Intel, or NXP) to ensure the use of a standardized and unified approach to implementing new ports. This concept of defining commonalities in platforms is an important step toward improving and generalizing support for silicon in embedded systems tooling.

Currently at 129 passing boards and spanning four different demos, including MicroPython and TensorFlow Lite Micro, the most recent version of the Zephyr Dashboard is enhanced with the ability to generate SBOM artifacts for all of its samples automatically.

This showcases how simple Zephyr makes it to generate reliable and accountable software with accompanying SBOMs. The dashboard shows the breadth of platforms supported by both Zephyr and Renode, all of which have SBOMs.

Using Renode helps you track various metrics (performance, coverage, memory use etc.) related to your software across time. The software BOM generation capability complements this picture, providing the traceability and security needed to build real-life commercial products.

About the Authors: 

Michael Gielda is VP Business Development at Antmicro, Chair of Outreach for CHIPS Alliance, and a member of the Marketing Committees in RISC-V International and The Zephyr Project. Contact: mgielda@antmicro.com

Kate Stewart is VP Dependable Embedded Systems at The Linux Foundation, a technical co-lead in the SPDX project, and a governing board member for the CHAOSS project. Contact: kstewart@linuxfoundation.org

Transparently Patching PWNKIT with Ksplice

A real life example that highlights the

Click to Read More at Oracle Linux Kernel Development

How to find third-party vulnerabilities in your Python code

Learn how to use the pip-audit tool to find CVE advisories issued for Python modules you’re using in your project.

Read More at Enable Sysadmin

How to fix Kubernetes namespaces stuck in the terminating state

Sometimes the process to delete Kubernetes namespaces gets hung up, and the command never completes. Here’s how to troubleshoot terminating namespaces.

Read More at Enable Sysadmin

How to update container images with Podman

Keeping your images current is standard procedure for operating and managing a containerized environment. Here’s how to do it.

Read More at Enable Sysadmin

Try Kakoune for a modern Vi

Kakoune is a modern text editor that incorporates ideas from recent editors as well as Vi and Vim.

Read More at Enable Sysadmin

The Freezing of tasks in the Linux kernel and how it’s used by Ksplice

A deep dive into task freezing in the Li

Click to Read More at Oracle Linux Kernel Development

How to use a VM as a Jenkins agent

Get started with DevOps by learning how to create infrastructure for application testing predictably and reliably.

Read More at Enable Sysadmin

How to share files with Samba

Samba provides easy, flexible, cross-platform, and open source collaboration across your organization.

Read More at Enable Sysadmin

Top tech conferences for sysadmins in 2022

With so many great tech conferences to choose from, what is your must-attend event this year?

Read More at Enable Sysadmin