Get an SBOM from a Yocto build
Build a Yocto image for an NXP i.MX board on a Linux host, have Yocto emit an SPDX SBOM during the build, then scan it here. The example targets the i.MX 8M Quad EVK with core-image-minimal on the Yocto 4.0 LTS (kirkstone) release.
You need a Linux build host (Ubuntu or Debian here), about 50 GB of free disk, and time: the first build compiles a toolchain, U-Boot, the kernel and the root filesystem from source, which takes hours.
Step 1
Install the build dependencies
On Ubuntu or Debian:
# Build host packages (Ubuntu / Debian) sudo apt-get update && sudo apt-get install -y \ gawk wget git diffstat unzip texinfo gcc build-essential chrpath \ socat cpio python3 python3-pip python3-pexpect xz-utils debianutils \ iputils-ping python3-git python3-jinja2 python3-subunit zstd \ liblz4-tool file locales libacl1For other distributions, see the Yocto Project "Required Packages for the Build Host" list.
Step 2
Fetch Poky and the layers
Clone the core (Poky) plus the layers that add i.MX support, all on the matching LTS branch:
# Get Poky and the layers (Yocto 4.0 LTS, kirkstone) git clone -b kirkstone https://git.yoctoproject.org/poky git clone -b kirkstone https://git.yoctoproject.org/meta-arm git clone -b kirkstone https://git.openembedded.org/meta-openembedded git clone -b kirkstone https://github.com/Freescale/meta-freescaleStep 3
Configure the build and turn on the SBOM
Initialize the environment, add the layers, and set the machine. The SBOM comes from inheriting the
create-spdxclass;ACCEPT_FSL_EULAis required for the i.MX firmware and bootloader recipes:# Initialize the build environment (creates and enters ./build) source poky/oe-init-build-env build # Add the layers, in dependency order bitbake-layers add-layer ../meta-openembedded/meta-oe \ ../meta-openembedded/meta-python \ ../meta-arm/meta-arm-toolchain ../meta-arm/meta-arm \ ../meta-freescale # Select the board, enable the SBOM, accept the i.MX EULA cat >> conf/local.conf <<'EOF' MACHINE = "imx8mq-evk" INHERIT += "create-spdx" SPDX_PRETTY = "1" ACCEPT_FSL_EULA = "1" EOFOn a machine with limited RAM, also add
BB_NUMBER_THREADS = "2"andPARALLEL_MAKE = "-j 2"toconf/local.confso a parallel compile does not run out of memory.Step 4
Build
From inside the build directory:
bitbake core-image-minimalStep 5
Find the SBOM
create-spdx writes a top-level document for the image plus one document per package and recipe:
# Top-level image document (references the package docs): tmp/deploy/images/imx8mq-evk/core-image-minimal-imx8mq-evk.spdx.json # Full set, one document per package and recipe: tmp/deploy/spdx/imx8mq-evk/{packages,recipes,runtime}/ # Bundled archive of everything: tmp/deploy/images/imx8mq-evk/core-image-minimal-imx8mq-evk.spdx.tar.zstThe top-level
.spdx.jsonlists the image and references the package documents. For a single file with every component, merge the per-package documents inspdx/imx8mq-evk/packages/into one SPDX document, or unpack the.spdx.tar.zstbundle.Step 6
Scan it
Upload the SPDX file on the checker (the "I have an SBOM" tab).
Step 7
Automate it (optional)
To run this on every build instead of by hand, add the
meta-ac6-sbom-checkerlayer. It uploads the SBOM after each image is assembled and can fail the build when triage finds an actionable risk.# Add the meta-ac6-sbom-checker layer once bitbake-layers add-layer ../meta-ac6-sbom-checker # Then in conf/local.conf: upload and gate on every image build cat >> conf/local.conf <<'EOF' IMAGE_CLASSES += "ac6-sbom-upload" AC6_SBOM_API = "https://your-sbom-checker" AC6_SBOM_TOKEN = "sct_your_token" AC6_SBOM_FAIL_ON = "actionable" EOFGet an API token from your account page. Zephyr projects use the
west ac6-sbom-checkerextension for the same flow.
What you get
A core-image-minimal SBOM for the i.MX 8M Quad covers the real stack: the linux-fslc kernel, U-Boot, glibc, busybox and the rest. Scanning it runs every engine (Grype, OSV-Scanner, Trivy, cve-bin-tool, OSV.dev) plus KEV and EPSS, and returns one verdict with the vulnerabilities and SBOM-quality gaps.