All tutorials

Get an SBOM from a Yocto build

Build a Yocto image for an NXP i.MX board on a Linux host, have Yocto emit an SPDX SBOM during the build, then scan it here. The example targets the i.MX 8M Quad EVK with core-image-minimal on the Yocto 4.0 LTS (kirkstone) release.

You need a Linux build host (Ubuntu or Debian here), about 50 GB of free disk, and time: the first build compiles a toolchain, U-Boot, the kernel and the root filesystem from source, which takes hours.

  1. Step 1

    Install the build dependencies

    On Ubuntu or Debian:

    # Build host packages (Ubuntu / Debian)
    sudo apt-get update && sudo apt-get install -y \
      gawk wget git diffstat unzip texinfo gcc build-essential chrpath \
      socat cpio python3 python3-pip python3-pexpect xz-utils debianutils \
      iputils-ping python3-git python3-jinja2 python3-subunit zstd \
      liblz4-tool file locales libacl1

    For other distributions, see the Yocto Project "Required Packages for the Build Host" list.

  2. Step 2

    Fetch Poky and the layers

    Clone the core (Poky) plus the layers that add i.MX support, all on the matching LTS branch:

    # Get Poky and the layers (Yocto 4.0 LTS, kirkstone)
    git clone -b kirkstone https://git.yoctoproject.org/poky
    git clone -b kirkstone https://git.yoctoproject.org/meta-arm
    git clone -b kirkstone https://git.openembedded.org/meta-openembedded
    git clone -b kirkstone https://github.com/Freescale/meta-freescale
  3. Step 3

    Configure the build and turn on the SBOM

    Initialize the environment, add the layers, and set the machine. The SBOM comes from inheriting the create-spdx class; ACCEPT_FSL_EULA is required for the i.MX firmware and bootloader recipes:

    # Initialize the build environment (creates and enters ./build)
    source poky/oe-init-build-env build
    
    # Add the layers, in dependency order
    bitbake-layers add-layer ../meta-openembedded/meta-oe \
      ../meta-openembedded/meta-python \
      ../meta-arm/meta-arm-toolchain ../meta-arm/meta-arm \
      ../meta-freescale
    
    # Select the board, enable the SBOM, accept the i.MX EULA
    cat >> conf/local.conf <<'EOF'
    MACHINE = "imx8mq-evk"
    INHERIT += "create-spdx"
    SPDX_PRETTY = "1"
    ACCEPT_FSL_EULA = "1"
    EOF

    On a machine with limited RAM, also add BB_NUMBER_THREADS = "2" and PARALLEL_MAKE = "-j 2" to conf/local.conf so a parallel compile does not run out of memory.

  4. Step 4

    Build

    From inside the build directory:

    bitbake core-image-minimal
  5. Step 5

    Find the SBOM

    create-spdx writes a top-level document for the image plus one document per package and recipe:

    # Top-level image document (references the package docs):
    tmp/deploy/images/imx8mq-evk/core-image-minimal-imx8mq-evk.spdx.json
    # Full set, one document per package and recipe:
    tmp/deploy/spdx/imx8mq-evk/{packages,recipes,runtime}/
    # Bundled archive of everything:
    tmp/deploy/images/imx8mq-evk/core-image-minimal-imx8mq-evk.spdx.tar.zst

    The top-level .spdx.json lists the image and references the package documents. For a single file with every component, merge the per-package documents in spdx/imx8mq-evk/packages/ into one SPDX document, or unpack the .spdx.tar.zst bundle.

  6. Step 6

    Scan it

    Upload the SPDX file on the checker (the "I have an SBOM" tab).

  7. Step 7

    Automate it (optional)

    To run this on every build instead of by hand, add the meta-ac6-sbom-checker layer. It uploads the SBOM after each image is assembled and can fail the build when triage finds an actionable risk.

    # Add the meta-ac6-sbom-checker layer once
    bitbake-layers add-layer ../meta-ac6-sbom-checker
    
    # Then in conf/local.conf: upload and gate on every image build
    cat >> conf/local.conf <<'EOF'
    IMAGE_CLASSES += "ac6-sbom-upload"
    AC6_SBOM_API   = "https://your-sbom-checker"
    AC6_SBOM_TOKEN = "sct_your_token"
    AC6_SBOM_FAIL_ON = "actionable"
    EOF

    Get an API token from your account page. Zephyr projects use the west ac6-sbom-checker extension for the same flow.

What you get

A core-image-minimal SBOM for the i.MX 8M Quad covers the real stack: the linux-fslc kernel, U-Boot, glibc, busybox and the rest. Scanning it runs every engine (Grype, OSV-Scanner, Trivy, cve-bin-tool, OSV.dev) plus KEV and EPSS, and returns one verdict with the vulnerabilities and SBOM-quality gaps.

NextGet an SBOM from Zephyr