Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates

leonanavi, 20 slides, Oct 30, 2025

About This Presentation

The presentation “Fighting CVEs in Embedded Linux with the Yocto Project and OTA Updates” by Leon Anavi from Konsulko Group was presented during Torizon CRA Summit 2025 in Zurich. It focused on practical approaches to improving cybersecurity and software maintenance in embedded systems. It intro...


Slide Content

October 23, 2025, Swiss Life Arena, Zurich, Switzerland

Fighting CVEs in
Embedded Linux with
the Yocto Project and
OTA Updates
Leon Anavi
[email protected]
Software Engineer

•Founded in 2012 by embedded Linux engineers with a long history in the OSS
ecosystem and embedded systems markets
•Decades of hands-on experience in open source community projects and in
developing commercial products based on embedded Linux
•Particular expertise at the system level. Contributors to OpenEmbedded, the
Yocto Project, U-Boot, Automotive Grade Linux (AGL) and the Linux kernel
•Headquartered in San Jose, California. Globally distributed engineering
team across North America and Europe
•https://www.konsulko.com/
Konsulko Group

•Open source project under the Linux Foundation, focused on providing the
tools to create custom Linux-based distributions for embedded devices
•Uses the OpenEmbedded Build System, which includes bitbake and the
essential layer OpenEmbedded Core
•Poky serves as the reference distribution; it is provided as metadata (no
binaries) to help you bootstrap your own embedded Linux distribution
•Follows a twice-yearly release cycle
•Provides Long-Term Support (LTS) releases
The Yocto Project

•SBOM (Software Bill of Materials) is a detailed inventory that lists all open
source components, libraries, and dependencies used in a software
application.
•The Yocto Project and OpenEmbedded support SBOM using the SPDX
(System Package Data Exchange) standard.
•The SPDX output is written in JSON format as an IMAGE-MACHINE.spdx.json file
SBOM
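Added example (not from the slides or the Yocto Project's own tooling): read the package inventory out of an IMAGE-MACHINE.spdx.json SBOM and match each package version against an advisory list. It assumes the SPDX 2.x JSON layout (a "packages" array with "name" and "versionInfo"); the SBOM document and the advisory ranges are constructed for the example, and the OpenSSH identifier is a placeholder.

```python
import json
import re

# Constructed sample in the shape of an SPDX 2.x JSON SBOM; only the fields
# this example reads are kept.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "name": "core-image-minimal-qemux86-64",
    "packages": [
        {"SPDXID": "SPDXRef-xz", "name": "xz", "versionInfo": "5.6.0"},
        {"SPDXID": "SPDXRef-openssh", "name": "openssh", "versionInfo": "9.6p1"},
        {"SPDXID": "SPDXRef-busybox", "name": "busybox", "versionInfo": "1.36.1"},
    ],
})

# Constructed advisory list: (package, first affected, first fixed, CVE id).
# The ranges are illustrative only; the OpenSSH id is a placeholder, not a real CVE.
ADVISORIES = [
    ("xz", "5.6.0", "5.6.2", "CVE-2024-3094"),
    ("openssh", "0", "9.7p1", "CVE-XXXX-XXXXX-PLACEHOLDER"),
]


def version_key(v: str) -> list:
    """'9.6p1' -> [(9, ''), (6, 'p1')] so that comparisons are numeric first."""
    key = []
    for piece in v.split("."):
        m = re.match(r"(\d*)(.*)", piece)
        key.append((int(m.group(1) or 0), m.group(2)))
    return key


def packages_from_spdx(doc: str) -> list:
    """Return (name, version) for every package listed in the SBOM."""
    return [(p["name"], p.get("versionInfo", "")) for p in json.loads(doc)["packages"]]


def find_affected(doc: str, advisories=ADVISORIES) -> list:
    """Report (name, version, cve) for packages inside an advisory range [first, fixed)."""
    hits = []
    for name, version in packages_from_spdx(doc):
        for pkg, first, fixed, cve in advisories:
            if pkg == name and version_key(first) <= version_key(version) < version_key(fixed):
                hits.append((name, version, cve))
    return hits


if __name__ == "__main__":
    for name, version, cve in find_affected(SAMPLE_SPDX):
        print(f"{name} {version}: {cve}")
```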

The Yocto Project Releases

Codename   | Version | Release Date | Support Level
Wrynose    | 6.0     | April 2026   | Future LTS
Whinlatter | 5.3     | October 2025 | Future
Walnascar  | 5.2     | May 2025     | Until November 2025
Scarthgap  | 5.0     | April 2024   | LTS (until April 2028)
Kirkstone  | 4.0     | May 2022     | LTS (until April 2026)
Dunfell    | 3.1     | April 2020   | LTS (EOL since April 2024)

•Unique identifier for a publicly known cybersecurity vulnerability
•Provides a standardized reference for tracking and discussing specific
security flaws
•Managed by MITRE, with funding from the US National Cyber Security Division
of the US Department of Homeland Security, and used globally in
vulnerability databases and security tools
•Launched in September 1999
•Alternative: the European Union Vulnerability Database (EUVD) was
announced in June 2024 and has been active since May 2025.
CVE (Common Vulnerabilities and Exposures)

•Malicious code was discovered in the upstream tarballs of xz, starting with
version 5.6.0
•The result is a modified liblzma library that, for any software linked
against it, can intercept and modify that software's data exchange with the
library
•Common Vulnerability Scoring System (CVSS) score: 10
•Severity: CRITICAL
•https://www.cve.org/CVERecord?id=CVE-2024-3094
XZ: Small Package - Big Problems

•The Yocto Project has an infrastructure to track and address unfixed
known security vulnerabilities
•Current CVE status for OE-Core/Poky:
https://autobuilder.yocto.io/pub/non-release/patchmetrics/
CVE and the Yocto Project

Fixing CVEs

•Customer request: upgrade an outdated OpenSSH version affected by a
known CVE
•Challenge: legacy hardware based on a Chinese SoC with an unsupported
BSP
•Solution: designed a brand new hardware module using a European SoC
that fits the customer's existing equipment
•Software stack: delivered a custom embedded Linux distribution built with the
Yocto Project and OpenEmbedded, based on the Scarthgap LTS release
•Software updates: implemented RAUC, supporting secure OTA with HTTP
streaming as well as offline USB-based deployments
“War” Story

•A/B updates (dual redundant scheme)
•Delta (or adaptive) updates
•Container-based updates
•Combined strategies
Common Embedded Linux Update Strategies

•Dual A/B rootfs partitions provide redundancy, keeping one active while the
other is updated
•A data partition stores persistent information unaffected by updates
•An update client periodically checks the server for new releases
•When available, updates are downloaded and installed to the inactive
partition
•On reboot, the bootloader switches to the newly updated partition
•Automatic fallback restores the previous version if the update fails
A/B Updates
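Added example (not from the slides or from any of the update clients named on them): a constructed model of the A/B scheme described above, with two rootfs slots, a data partition that updates leave alone, a server check, installation into the inactive slot, and a bootloader that falls back to the previous slot after a fixed number of failed boot attempts. Slot names, versions and the attempt limit are assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Slot:
    version: str
    bootable: bool = True


@dataclass
class Device:
    """Constructed model of a dual-rootfs device: two slots, a persistent data
    partition, and a bootloader that retries a freshly written slot a limited
    number of times before falling back to the slot it last trusted."""
    slots: dict = field(default_factory=lambda: {"A": Slot("1.0"), "B": Slot("1.0")})
    active: str = "A"                 # slot the bootloader currently trusts
    pending: Optional[str] = None     # slot just written, not yet confirmed good
    max_attempts: int = 3             # failed boots tolerated before fallback
    attempts: int = 0
    data: dict = field(default_factory=lambda: {"serial": "DEV-0001"})  # survives updates

    def inactive(self) -> str:
        return "B" if self.active == "A" else "A"

    def check_server(self, server_version: str) -> bool:
        """Periodic poll: is the server offering something newer than what runs?"""
        running = self.slots[self.active].version
        return tuple(map(int, server_version.split("."))) > tuple(map(int, running.split(".")))

    def install(self, new_version: str) -> str:
        """Write the update into the inactive slot; the running system is untouched."""
        target = self.inactive()
        self.slots[target] = Slot(new_version)
        self.pending, self.attempts = target, 0
        return target

    def boot(self, healthy: bool) -> str:
        """One reboot. Returns the version that ends up running, or '' when this
        attempt failed and the bootloader will retry the pending slot."""
        if self.pending is None:
            return self.slots[self.active].version
        self.attempts += 1
        if healthy:                                  # new system came up and marked itself good
            self.active, self.pending = self.pending, None
            return self.slots[self.active].version
        if self.attempts >= self.max_attempts:       # give up: automatic fallback
            self.slots[self.pending].bootable = False
            self.pending = None
            return self.slots[self.active].version
        return ""
```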

•Only the binary delta is sent to the device
•Uses a Git-like model for filesystem trees
•Reduces storage usage and bandwidth consumption
•Supports rollback to a previous system state
Delta Updates
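Added example (not from the slides and not libostree's code): a constructed model of the Git-like delta scheme described above. Files are stored by content hash, a release is a tree mapping paths to object ids, only the objects the device lacks travel over the wire, and older trees are kept so the device can roll back. The two release trees are constructed sample data.

```python
import hashlib


def object_id(content: bytes) -> str:
    """Content address of a file, as in a Git or OSTree object store."""
    return hashlib.sha256(content).hexdigest()


def commit_tree(files: dict) -> tuple:
    """Map a filesystem tree to (path -> object id) plus the objects themselves.
    Identical contents under different paths become a single object."""
    tree = {path: object_id(data) for path, data in files.items()}
    objects = {object_id(data): data for data in files.values()}
    return tree, objects


def delta_objects(device_objects: dict, new_tree: dict) -> set:
    """Objects the device does not already hold: the only thing that is sent."""
    return set(new_tree.values()) - set(device_objects)


class Device:
    """Constructed device that keeps every deployed tree so it can roll back."""

    def __init__(self, tree: dict, objects: dict):
        self.objects = dict(objects)
        self.deployments = [tree]      # index 0 is the current deployment

    def current(self) -> dict:
        return self.deployments[0]

    def apply(self, new_tree: dict, payload: dict) -> int:
        """Install an update from a payload holding only the missing objects.
        Returns the number of bytes that actually had to be transferred."""
        missing = delta_objects(self.objects, new_tree)
        if not missing <= set(payload):
            raise ValueError("payload does not cover every object the device lacks")
        self.objects.update({oid: payload[oid] for oid in missing})
        self.deployments.insert(0, new_tree)
        return sum(len(payload[oid]) for oid in missing)

    def rollback(self) -> dict:
        """Switch back to the previous tree; its objects were never deleted."""
        if len(self.deployments) < 2:
            raise RuntimeError("nothing to roll back to")
        self.deployments.pop(0)
        return self.current()


# Constructed sample trees: release 1 is on the device, release 2 on the server.
V1 = {"/usr/bin/app": b"app-v1" * 100, "/etc/app.conf": b"loglevel=info", "/usr/lib/libz.so": b"libz" * 200}
V2 = dict(V1, **{"/usr/bin/app": b"app-v2" * 100, "/usr/lib/libnew.so": b"new" * 50})
```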

Side by Side Comparison

Update Strategy | Storage Space | Update Size | Rollback to a Previous State | Fallback to a Back-up Image on a Separate Partition
A/B Updates     | Large         | Large       | Yes                          | Yes
Delta Updates   | Small         | Small       | Yes                          | No

•RAUC
•SWUpdate
•Swupd
•UpdateHub
•Balena.io
•AWS IoT
•Memfault
•Mender
•QtOTA
•Snap
•libostree (OSTree)
•qbee.io
•Aktualizr
•Eclipse HawkBit
•Torizon
•Aktualizr-lite
•Flatpak
•FullMetalUpdate
•HERE OTA Connect
Open Source SOTA Solutions

Side by Side Comparison

Features                    | Mender               | RAUC                 | SWUpdate     | Torizon Aktualizr
Client Programming Language | C++ (previously Go)  | C                    | C            | C++ (previously Rust)
Client License              | Apache 2.0           | LGPL-2.1             | GPLv2        | Mozilla Public License 2.0
Yocto Project Integration   | Scarthgap            | Scarthgap            | Scarthgap    | Scarthgap
Contributions               | GitHub Pull Requests | GitHub Pull Requests | Mailing List | GitHub Pull Requests
Management Server           | Yes                  | 3rd Party            | 3rd Party    | Yes

•The Yocto Project supports SBOM using the SPDX standard and has an
infrastructure to track and address unfixed known security vulnerabilities
•With numerous reliable open-source options available for updating
embedded Linux devices, investing in an in-house solution is rarely justified
•Mender, RAUC, and SWUpdate all handle A/B updates effectively but differ
in how they are implemented and the advanced features they offer
•Torizon is built with libostree and Aktualizr for delta updates
•Delta and/or adaptive updates are also possible with Mender and RAUC
•Selecting the most suitable OTA update solution can be difficult, as it
depends on the unique requirements of your project
Conclusions

•https://archive.fosdem.org/2025/schedule/event/fosdem-2025-6299-exploring-open-source-dual-a-b-update-solutions-for-embedded-linux/
•https://www.konsulko.com/mender-raspberry-pi-5
•https://www.konsulko.com/ota-updates-imx8mp-mender
•https://www.konsulko.com/ota-qbee-rauc-imx8mp
•https://www.torizon.io/
•https://mender.io/
•https://rauc.io/
•https://swupdate.org/
Useful Links

Q&A