Zephyr Cybersecurity

SBOM Generation (Software Bill of Materials)

Zephyr's west spdx command generates an SPDX tag-value Software Bill of Materials (SBOM) for a build: the source files that went into it, with their checksums, and the relationships between those sources, the build outputs and the Zephyr and application packages. An SBOM lets you match a firmware image against vulnerability advisories for the components it contains and prove which sources produced a given binary, which is why it matters for supply chain security.

Prerequisites

Enable build metadata output in your prj.conf; west spdx relies on the metadata this option makes the build write:

CONFIG_BUILD_OUTPUT_META=y

Generating SBOM

  1. Initialize the SPDX build directory. This must run before the build: it registers a CMake file-based API query so that the build records the compilation graph west spdx walks:
west spdx --init -d build
  2. Build your application:
west build -b stm32h573i_dk .
  3. Generate the SPDX SBOM:
west spdx -d build

The generated SBOM files will be located in build/spdx/ and include:

  • app.spdx: SBOM for the application source files used in the build
  • zephyr.spdx: SBOM for the Zephyr RTOS source files used in the build
  • build.spdx: SBOM for the build output files (libraries and the final image), with relationships back to the sources they were built from

Pass --analyze-includes to also record the header files each source pulls in, and --include-sdk to emit an additional sdk.spdx covering the toolchain.
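
An SBOM only pays off if something reads it back. The Python script below is an added example, not part of this page or of the Zephyr tooling: it parses the tag-value layout that west spdx writes, lists the files a package CONTAINS by following the Relationship lines, and recomputes the SHA-256 of every listed source to catch a file that changed after the SBOM was produced. The sample SBOM, its source files and the SPDX IDs (SPDXRef-zephyr-sources, SPDXRef-File-N) are constructed inside the script so it runs without a Zephyr build.

```python
"""Parse a west spdx tag-value SBOM and verify its file checksums.

Added example, not code from the Zephyr project. It assumes the layout west
spdx emits (PackageName/SPDXID per package, FileName/SPDXID/FileChecksum per
file, Relationship lines between SPDX IDs); its sample SBOM is constructed.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field

@dataclass
class SpdxFile:
    name: str
    spdx_id: str = ""
    checksums: dict = field(default_factory=dict)  # algorithm -> hex digest

@dataclass
class SpdxDoc:
    files: list = field(default_factory=list)
    relationships: list = field(default_factory=list)  # (subject, type, object)

def parse_spdx(text: str) -> SpdxDoc:
    """One pass over the tag-value lines; a FileName tag opens a new file record."""
    doc, cur_file = SpdxDoc(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        value = value.strip()
        if tag == "PackageName":
            cur_file = None  # back in a package block; its SPDXID is not a file's
        elif tag == "FileName":
            cur_file = SpdxFile(name=value)
            doc.files.append(cur_file)
        elif tag == "SPDXID" and cur_file is not None:
            cur_file.spdx_id = value
        elif tag == "FileChecksum" and cur_file is not None:
            algo, _, digest = value.partition(":")
            cur_file.checksums[algo.strip().upper()] = digest.strip().lower()
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                doc.relationships.append(tuple(parts))
    return doc

def files_in_package(doc: SpdxDoc, pkg_id: str) -> list:
    """Names of the files a package CONTAINS, via the relationship graph."""
    by_id = {f.spdx_id: f.name for f in doc.files}
    return [by_id[obj] for subj, typ, obj in doc.relationships
            if subj == pkg_id and typ == "CONTAINS" and obj in by_id]

def verify_checksums(doc: SpdxDoc, root: str, algo: str = "SHA256") -> dict:
    """Recompute `algo` for every listed file under `root`; a file the tree lacks
    is "missing" and a differing digest is a "mismatch", not silently trusted."""
    result = {"ok": [], "mismatch": [], "missing": []}
    for f in doc.files:
        expected = f.checksums.get(algo.upper())
        if expected is None:
            continue
        rel = f.name[2:] if f.name.startswith("./") else f.name
        try:
            with open(os.path.join(root, rel), "rb") as fh:
                actual = hashlib.new(algo.lower(), fh.read()).hexdigest()
        except FileNotFoundError:
            result["missing"].append(f.name)
            continue
        result["ok" if actual == expected else "mismatch"].append(f.name)
    return result

def build_sample(root: str) -> str:
    """Write two constructed sources under `root`; return an SBOM describing them."""
    sources = {"src/main.c": b"int main(void) { return 0; }\n",
               "kernel/thread.c": b"/* constructed kernel source */\n"}
    lines = ["SPDXVersion: SPDX-2.3", "SPDXID: SPDXRef-DOCUMENT",
             "PackageName: zephyr-sources", "SPDXID: SPDXRef-zephyr-sources"]
    for i, (rel, data) in enumerate(sources.items()):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
        lines += [f"FileName: ./{rel}", f"SPDXID: SPDXRef-File-{i}",
                  f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}",
                  f"FileChecksum: SHA256: {hashlib.sha256(data).hexdigest()}",
                  f"Relationship: SPDXRef-zephyr-sources CONTAINS SPDXRef-File-{i}"]
    return "\n".join(lines) + "\n"

def demo() -> dict:
    """Verify a clean tree, then tamper with one source and verify again."""
    with tempfile.TemporaryDirectory() as root:
        doc = parse_spdx(build_sample(root))
        clean = verify_checksums(doc, root)
        with open(os.path.join(root, "kernel/thread.c"), "ab") as fh:
            fh.write(b"/* edited after the SBOM was generated */\n")
        tampered = verify_checksums(doc, root)
    return {"clean": clean, "tampered": tampered,
            "package_files": files_in_package(doc, "SPDXRef-zephyr-sources")}
```

Against a real build, feed the contents of build/spdx/zephyr.spdx to parse_spdx and pass the tree the FileName entries are relative to as root; a non-empty "mismatch" or "missing" list means the tree you are looking at is not the one the SBOM describes.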

For more information, see the Zephyr SPDX documentation.

Rust Support

Safe Rust rules out at compile time the memory-safety bugs behind many firmware vulnerabilities: buffer overflows, use-after-free and data races. Those guarantees stop at unsafe blocks and at the C boundary, so Rust code that calls into Zephyr's C APIs or C drivers still needs the same review as C.

Enable Rust in Zephyr

Add the Rust language support to your Zephyr workspace:

west config manifest.project-filter +zephyr-lang-rust
west update

For native simulator targets, add the required Rust target:

rustup target add x86_64-unknown-none

CMakeLists.txt

cmake_minimum_required(VERSION 3.20.0)

find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})

project(my_app)
rust_cargo_application()

Cargo.toml

[package]
# This must be rustapp for now.
name = "rustapp"
version = "0.1.0"
edition = "2021"
description = "The description of my app"
license = "Apache-2.0 OR MIT"

[lib]
crate-type = ["staticlib"]

[dependencies]
zephyr = "0.1.0"
log = "0.4.22"

Supported Platforms

See the list of supported platforms.

For more information, see the Zephyr Rust documentation.

Useful Security Commands

Hardening Configuration

Check the build's Kconfig against the Security Working Group's hardening recommendations. The target lists each recommended option with its current and recommended value and whether the check passed; review every failing line before shipping an image:

west build -t hardenconfig
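
Under the hood, hardenconfig compares the generated build/zephyr/.config against a list of expected values. The script below is an added example, not Zephyr's hardenconfig implementation: it parses the .config format (CONFIG_X=y lines and "# CONFIG_X is not set" comments) and reports every symbol that deviates from a policy. The symbol names are real Zephyr Kconfig options, but the values in POLICY and the sample .config are constructed for this example and are not the Security Working Group's recommendations.

```python
"""Compare a Zephyr build/zephyr/.config against a hardening policy.

Added example, not Zephyr's hardenconfig target. The symbol names are real
Zephyr Kconfig options, but the expected values in POLICY are an illustrative
policy chosen for this example (assumption), not the Security Working Group
list that `west build -t hardenconfig` applies. The .config text is constructed.
"""
import re

_SET = re.compile(r"^(CONFIG_\w+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_\w+) is not set$")

# Illustrative policy (assumption): stack protections on, debug aids off.
POLICY = {
    "CONFIG_STACK_CANARIES": "y",
    "CONFIG_HW_STACK_PROTECTION": "y",
    "CONFIG_INIT_STACKS": "y",
    "CONFIG_THREAD_STACK_INFO": "y",
    "CONFIG_DEBUG": "n",
    "CONFIG_SHELL": "n",
}

# Constructed .config in the format Kconfig writes; not from a real build.
SAMPLE_DOTCONFIG = """\
# Generated by Kconfig (constructed sample)
CONFIG_BOARD="stm32h573i_dk"
CONFIG_STACK_CANARIES=y
# CONFIG_HW_STACK_PROTECTION is not set
CONFIG_INIT_STACKS=y
CONFIG_MAIN_STACK_SIZE=1024
CONFIG_DEBUG=y
CONFIG_SHELL=y
"""

def parse_dotconfig(text: str) -> dict:
    """Return {symbol: value}. '# CONFIG_X is not set' lines become 'n', quoted
    string values lose their quotes, and any other comment line is ignored."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            sym, val = m.groups()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            cfg[sym] = val
            continue
        m = _UNSET.match(line)
        if m:
            cfg[m.group(1)] = "n"
    return cfg

def check_hardening(cfg: dict, policy: dict = POLICY) -> list:
    """Return (symbol, expected, actual) for each policy entry the build violates.
    A symbol absent from .config is reported as 'absent' rather than 'n': it may be
    disabled, or it may not exist for this board, and the reviewer should know which."""
    violations = []
    for sym, expected in policy.items():
        actual = cfg.get(sym, "absent")
        if actual == "absent" and expected == "n":
            continue  # not present at all, so it cannot be enabled
        if actual != expected:
            violations.append((sym, expected, actual))
    return violations

if __name__ == "__main__":
    for sym, want, got in check_hardening(parse_dotconfig(SAMPLE_DOTCONFIG)):
        print(f"{sym}: expected {want}, found {got}")
```

Run against a real build by reading build/zephyr/.config instead of SAMPLE_DOTCONFIG; keep hardenconfig as the source of truth for which options to require, and use a script like this only to enforce your own additional project policy in CI.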

SBOM Generation

west spdx --init -d ./build
west build -b <board> -- -DCONFIG_BUILD_OUTPUT_META=y
west spdx -d ./build