Beyond the Release: Managing Long-Term Risk and Compliance in Embedded Linux with Yocto

Beyond the Release: Managing Long-Term Risk and Compliance in Embedded Linux with Yocto

The embedded systems of the future will be judged by their long-term resilience and security. For many manufacturers, however, the shift from a product release to continuous lifecycle management is a significant operational hurdle.
Regulations like the EU’s Cyber Resilience Act (CRA) are formalizing this challenge, demanding ongoing vulnerability management and creating a backdraft of responsibility that impacts the entire supply chain.

This presentation highlights that a robust and reproducible build system is the cornerstone of any sustainable product strategy in this new environment. It will explore how the Yocto Project provides the essential framework for building future-proof and maintainable systems.
The discussion will cover how its architecture enables the critical features needed to manage long-term risk: full-stack patchability for targeted CVE fixes, reproducible builds for maintaining legacy devices, and automated Software Bill of Materials (SBOM) generation for regulatory transparency.
Attendees will gain actionable strategies for implementing lifecycle-aware embedded development and transforming existing product portfolios to meet evolving regulatory requirements.

Presented at

  • Embedded World Conference, Nuremberg, 2026-03-10
  • EmBO++, Bochum, 2026-03-20
  • Yocto Project Workshop @ Embedded Recipes, Nice, France

Download slides

Related Posts

How a modern Yocto setup could look like

How a modern Yocto setup could look like

In 2015, we built a sophisticated meeting room information system based on Android Things as a student project. As Android Things was deprecated in 2021, we started to use our Yocto Project experience to develop a maintainable, future proof embedded system.

When setting up a new project from scratch, we focused on proper solutions for

  • a maintainable, well supported and patchable build environment for the embedded systems
  • version control, reproducible builds and continuous integration
  • license management
  • a secure and stable update mechanism on image base and
  • managing releases The talk aims to show how we build a system that matches our requirements using the Yocto Project, KAS, Gitlab CI, and Mender.io. Besides, we will have a short outlook to the application built in Flutter.

Presented at

  • Yocto Project Summit 2022.11, virtual, 2022
  • buildingIoT, Munich, 2023

Download original slides (Yocto Project Summit) Download updated slides (buildingIoT)

Read Post
Building Embedded Systems with AOSP

Building Embedded Systems with AOSP

In our community, building embedded systems based on Linux, e.g. with Yocto or buildroot, is standard and well known. Considering Android, respectively the AOSP as a base system feels strange at the beginning as it is a huge ecosystem that implies high system requirements. Of course, embedded Android is not a solution for each issue. Nevertheless, the AOSP provides a sophisticated base platform which is packed with a

  • modern UI stack
  • robust media and camera implementation
  • modern AI runtime
  • well known abstraction between system and app development
  • energy optimization

and lots of other helpful infrastructure.
This makes AOSP an interesting approach for building more complex embedded systems.

Read Post
Yocto on the Edge - Unusual challenges when building not so embedded systems

Yocto on the Edge - Unusual challenges when building not so embedded systems

Building embedded systems with Yocto on ARM platforms is a common practice, but when the products move further to the edge and become less “embedded,” new challenges arise. In this session, we will explore the requirements and challenges faced when developing Yocto-based systems for edge computing based on Intel.

We will dive into topics such as provisioning x86-based platforms, securely managing Linux user logins on a read-only root file system with enforced password changes, and implementing A/B updates together with secure boot. Real-world project requirements will be used as a guide to discuss practical solutions and best practices for addressing these challenges.

Read Post