Mainline Linux combined with upcoming Cyber Resilience Act (CRA)

The upcoming European Cyber Resilience Act (CRA) aims to protect critical infrastructure from cyber-attacks. What does this mean for the embedded environment in particular?

It is no longer possible to work by the guiding principle of "never change a running system". That is absolutely correct, because there are still many devices out there that are completely unprotected against attackers.

The first step is to assess the risks associated with a product. The resulting action is derived from this. Here are some examples:

  • Security by default: signed images / secure boot
  • Limited attack surface
  • Regular security updates: keeping the Linux system up to date
  • Over-the-air updates
  • Vulnerability monitoring

Now you can see very clearly that it is always a matter of keeping a system up to date and making sure that updates can be applied to the products.

For a SOM vendor like DH, this means that we have to take care of two things in particular:

  • Maintenance of the Linux and Yocto system
  • Supporting the customer with updates in the field

Let's start with maintenance. Here DH focuses on Mainline Linux and U-Boot by directly upstreaming the SOM support. No vendor-specific BSP packages are used, so it is very easy to switch to the latest available version and you are not dependent on the SoC vendor.

We also offer the project-specific option of upstreaming your specific device, making it even easier to keep your product up to date.

For long-term maintenance, we rely on LTS versions for both Yocto and Linux. An LTS Linux release fixes bugs and closes vulnerabilities, but does not add new features. During the lifetime of an LTS kernel (2 years+) it is therefore sufficient to update only to the newest LTS minor version (“y” in e.g. 6.6.y). This makes the process of releasing a new image for a product much easier, since no completely new kernel is used. As a result, Yocto and a kernel release can go a period of 2 years before another major update becomes necessary.
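The LTS rule above can be turned into an automated check for a build or monitoring job. The following is an added example, not DH's tooling: it classifies a running kernel as up to date, needing a "y" update within its series, or needing a series change. The function names and the release list are assumptions constructed for illustration.

```python
import re

# Accepts "6.6.32", "6.6", and suffixed builds such as "6.6.32-rt32".
_VERSION = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")

def parse_kernel(version):
    """Split a version into (series, y), e.g. "6.6.32-rt32" -> ((6, 6), 32)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised kernel version: {version!r}")
    major, minor, y = m.groups()
    return (int(major), int(minor)), int(y or 0)

def lts_update_status(running, available):
    """Compare the running kernel with a list of published stable releases."""
    series, y = parse_kernel(running)
    same_series = [py for ps, py in map(parse_kernel, available) if ps == series]
    if not same_series:
        # The series is no longer published: a "y" bump cannot fix this.
        return {"action": "series-change", "target": None, "behind": None}
    # Compare as integers: as strings, "6.6.9" would sort after "6.6.10".
    newest = max(same_series)
    target = f"{series[0]}.{series[1]}.{newest}"
    if newest > y:
        return {"action": "minor-update", "target": target, "behind": newest - y}
    return {"action": "up-to-date", "target": target, "behind": 0}

# Constructed sample data, not real release numbers.
AVAILABLE = ["6.1.90", "6.6.9", "6.6.10", "6.6.31", "6.12.4"]

if __name__ == "__main__":
    for running in ("6.6.9", "6.6.31-rt31", "5.10.200"):
        print(running, lts_update_status(running, AVAILABLE))
```

In a real job the release list would come from the kernel.org stable release feed or the Yocto layer in use, and `running` from `uname -r` on the device.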

In addition to maintenance, the product must be able to install updates in the field. For this we use the open-source update agent SWUpdate on the device side and hawkbit as the backend server. This combination can be adapted to the specific requirements of your project. DH can do this for you or support your developers.

All in all, we can say that maintenance will be the key to the upcoming CRA. This simply means that you should choose a SOM that also offers this option.
