Dear Reader,
In January, I took Marta Rybczynska’s fabulous one-week training course Embedded Security. Marta is the resident security expert of the Yocto Project. I can apply the training lessons directly to my projects. Here are some things I learned:
- Creating a read-only filesystem with overlays for writable directories or partitions.
- Prohibiting root login.
- Creating a list of CVEs for all packages of an embedded Linux system and filter the unpatched CVEs.
- Creating an SBoM for an embedded Linux system and query the huge SBoM for interesting information.
- Hardening applications and the Linux kernel.
You will have to implement all these features, when you make your devices compliant with the EU CRA. The training gives you amazing value for a small price.
Now let us see whether the anti-tivoisation clause should already hold for LGPL-2.1. The law firm JBB makes a compelling argument and made AVM, the manufacturer of the Fritz!Box routers and modems - settle.
Enjoy reading,
Burkhard 💜