[00:04]
Viktor Petersson
All right, so the reason why I wanted to do an episode on Yocto was that in the last five or so years, we've seen a lot of accidental IoT engineers, people who kind of prototype something on the Raspberry PI and they managed to get some success.
[00:19]
Viktor Petersson
Maybe they had a Kickstarter that really took off.
[00:22]
Viktor Petersson
But what a lot of these people don't know is how you manage devices at scale.
[00:28]
Viktor Petersson
If you just take Raspbian or Raspberry PI os, package that, and ship that out to your customers, you're down for a world of pain.
[00:36]
Viktor Petersson
Trust me, I've been down there with screenly.
[00:39]
Viktor Petersson
It's not pretty.
[00:40]
Viktor Petersson
You end up writing a lot of logic and we ended up writing a ton of logic for trying to do device management properly.
[00:47]
Viktor Petersson
Eventually we moved to Ubuntu Core.
[00:49]
Viktor Petersson
Yocto is a very good alternative to that.
[00:53]
Viktor Petersson
What Yocto gives you is a framework for building disk images, but then it has a wide ecosystem that can take care of device updates using things like a B partitioning scheme, which is considered best practice.
[01:07]
Viktor Petersson
So it has a really good, mature ecosystem for using how to build and scale the IoT devices.
[01:15]
Viktor Petersson
So this is why I wanted to do Episode of yocto, to save a lot of people from time and agony and what we wasted on trying to solve this ourselves.
[01:23]
Viktor Petersson
So if you're looking to do some kind of project, look at Yocto.
[01:28]
Viktor Petersson
If you want a hosted version of this, there are plenty of companies that provide services around yocto.
[01:34]
Viktor Petersson
Balena is one of them, which I've had an app on the episode before on.
[01:38]
Viktor Petersson
So do take a look at that and onto the show.
[01:42]
Viktor Petersson
Welcome back to another episode of Nerding up with Victor.
[01:46]
Viktor Petersson
Today I'm joined by Josh and Joshua and Ross and we got to do a talk all about yocto.
[01:53]
Viktor Petersson
So I guess if we can do a quick round of introduction to maybe start.
[01:57]
Viktor Petersson
Joshua, if you want to start giving listeners kind of context before we dive into the deep world of yocto, about who you are backstory and how you got onto yocto.
[02:06]
Viktor Petersson
Maybe.
[02:07]
Joshua Watt
Yeah.
[02:08]
Joshua Watt
So my name is Joshua Watt and I'm a software engineer for Garmin, primarily working on embedded electronics for boats.
[02:19]
Joshua Watt
And I've been involved in Yocto since about 2016 and I've been on the OpenEmbedded Technical Steering Committee and the OCTO Technical Steering Committee along the way.
[02:33]
Joshua Watt
And yeah, so that's my background with the Octo project.
[02:37]
Viktor Petersson
Amazing.
[02:38]
Viktor Petersson
Thank you.
[02:38]
Viktor Petersson
Joshua and Ross, you have wealth experience in this world as well.
[02:43]
Ross Burton
Yeah.
[02:43]
Ross Burton
So I'm Ross Burton, I'm a software engineer at ARM.
[02:47]
Ross Burton
I'm in the Distros team.
[02:49]
Ross Burton
So we work making sure that ARM stuff works on distributions.
[02:55]
Ross Burton
So I'm one of the Yocto guys.
[02:57]
Ross Burton
I've been working on Yocto for off and on 20 years now, which is kind of terrifying.
[03:04]
Ross Burton
I just looked on my first commitment, it was in 2005.
[03:08]
Ross Burton
There were some diversions along the way, but yeah, I've got like commit number 11 or something in Pocketree.
[03:17]
Viktor Petersson
Impressive, Impressive.
[03:20]
Viktor Petersson
I want to start the conversation off with like giving perhaps people who are not even familiar with yocto.
[03:27]
Viktor Petersson
If you, if you lived in embedded or in, in the IOT world, I'm sure you've at least heard the name Yocto and come across it.
[03:35]
Viktor Petersson
But for the people who are unfamiliar with Yocto, what is Yocto like, what does it solve for and why does it exist in the first place?
[03:45]
Viktor Petersson
I'll leave that up to you to want to pick that to start it off.
[03:49]
Ross Burton
Well, I suppose the usual answer is Yocto is not a Linux distribution.
[03:55]
Ross Burton
It lets you make your own Linux distribution so very useful for embedded or automotive or industrial situations where, you know, Red Hat may not be suitable.
[04:07]
Ross Burton
So you can take Yocto and customize it and it's designed to be super flexible so you can trim it down and make exactly what you need to do.
[04:19]
Ross Burton
Yeah, it's interesting.
[04:21]
Ross Burton
It's definitely got a lot of interesting features which a lot of mainstream distributions don't have specifically for people that are productizing whatever they're making at the end of the day.
[04:35]
Viktor Petersson
Right.
[04:36]
Viktor Petersson
So just to recap that it's rarely used for the context of.
[04:42]
Viktor Petersson
I got my desktop, I want to run Linux on it.
[04:44]
Viktor Petersson
It's, it's more for.
[04:45]
Viktor Petersson
I have some kind of PCB with some kind of architecture on and I want to create a custom distribution of Linux that runs my software essentially.
[04:57]
Ross Burton
Yeah, yeah, you see it a lot in like consumer electronics or like deeply embedded things like I'm sure Garmin Josh can talk about some of the things that they make like our TV runs, yocto printers, soundbars.
[05:14]
Ross Burton
But also you find it in like infrastructure.
[05:18]
Ross Burton
So you find a lot of telecom backends would be running on YOKTO hardware or like big data centers might have VMCs which are built with Yocto.
[05:33]
Ross Burton
So yeah, the full stream, you know, micro, all the way up to, you know, data center scale.
[05:38]
Viktor Petersson
But we have, I guess there is a.
[05:41]
Viktor Petersson
It's not really for super low end devices or low resource devices.
[05:46]
Viktor Petersson
Slightly more.
[05:46]
Viktor Petersson
It's not for single board or.
[05:50]
Viktor Petersson
Sorry, single board is not the right word.
[05:51]
Viktor Petersson
It's not for like the lower end of the spectrum where you have like RTOs and that.
[05:56]
Viktor Petersson
So it's a tier up from that where you're running.
[06:00]
Viktor Petersson
So x86 arm and so on is largely where.
[06:04]
Viktor Petersson
Or I guess RISC V these days is where a lot of the boards are running on.
[06:10]
Viktor Petersson
Right?
[06:11]
Ross Burton
Yeah.
[06:12]
Ross Burton
And PowerPC and MIPS.
[06:13]
Viktor Petersson
All right, yes.
[06:14]
Ross Burton
We still have people using that hardware because once you ship something, like a lot of the deeply embedded vendors, they may make a product 15 years ago, they still support it.
[06:27]
Ross Burton
So they're still using yocto and they're still shipping this hardware, which a lot of people may think is.
[06:33]
Ross Burton
To a lot of us it's dead hardware.
[06:35]
Ross Burton
But it's got a lifespan of two decades.
[06:40]
Viktor Petersson
In particular, if you talk about more specialized hardware or special appliances, I guess they have much longer life cycles than your consumer hardware.
[06:47]
Viktor Petersson
Of course.
[06:48]
Ross Burton
Yes, that brings interesting problems.
[06:50]
Viktor Petersson
Yes, interesting.
[06:52]
Viktor Petersson
So I guess let's unpack some terminology in the Yoko world.
[06:58]
Viktor Petersson
At least for me when I first got involved.
[07:00]
Viktor Petersson
I mean I.
[07:01]
Viktor Petersson
I've.
[07:01]
Viktor Petersson
I've touched YOCTO quite a few times over the last like 10 years, but I never really got super deep down the rabbit hole.
[07:06]
Viktor Petersson
But I've built images using YOCTO a few times and I had to definitely.
[07:11]
Viktor Petersson
I wrote a blog post a few weeks ago that kind of caught up and about how to use SBoM, which is why I got re engaged in the YOCTO world.
[07:20]
Viktor Petersson
And that's how I got in touch with Yoshu, actually about.
[07:23]
Viktor Petersson
Because he was helping us in one of our CISA working groups about produce, like how we actually do S boms in that world.
[07:29]
Viktor Petersson
But when you start exploring YOCTO for the very first time, it's a pretty steep learning curve.
[07:38]
Viktor Petersson
I don't think it's a.
[07:40]
Viktor Petersson
I think it'll be a lie to say that it's just plug and play and you just got to figure out in 15 minutes.
[07:45]
Viktor Petersson
There are a lot of things to figure out.
[07:48]
Viktor Petersson
I mean, where should we even start?
[07:50]
Viktor Petersson
Like maybe like open embedded pokey bsps recipes?
[07:56]
Viktor Petersson
I mean there are.
[07:57]
Viktor Petersson
Yeah.
[07:58]
Viktor Petersson
Like these are not intuitive concepts, I guess until you get pretty deep down the rabbit hole.
[08:04]
Viktor Petersson
How do you guys best explain the fundamental core concept, if that makes sense in yocto?
[08:15]
Ross Burton
All right, so we can skip over the entire YOCTO versus open embedded thing because that's partly historical.
[08:27]
Ross Burton
And most people don't use that.
[08:29]
Ross Burton
You can use the terms interchangeably, even though they do identify entirely different things.
[08:33]
Ross Burton
Okay, so BSP is a board support package, which is a.
[08:39]
Ross Burton
I consider it a historical term.
[08:41]
Ross Burton
It doesn't really make any sense these days, but.
[08:44]
Ross Burton
But it's the configuration and the port for a particular target device, be it a KEMU machine running on your laptop or a particular piece of hardware.
[08:58]
Ross Burton
On my desk I've got a TI Beagle Play.
[09:01]
Ross Burton
So there's a BSP that targets that, then there's distros.
[09:08]
Ross Burton
So we have poky, which is the reference distribution, which is an example, which you should not use in production.
[09:17]
Ross Burton
It turns everything on for testing purposes, including stuff like you can log in without a password, which is useful when you're testing stuff, but less useful in shipping hardware.
[09:32]
Ross Burton
So it's a good starting point, but it should be customized at least, or ideally rewritten to match your use case.
[09:42]
Viktor Petersson
Right.
[09:44]
Ross Burton
What other main concepts are there?
[09:47]
Ross Burton
Individual recipes.
[09:51]
Ross Burton
So there's a recipe for the kernel and a recipe for the compilers, and your applications may be built out of multiple recipes.
[09:59]
Ross Burton
They build packages which are then combined to make an image, which is a thing you normally put on your target.
[10:07]
Viktor Petersson
Right.
[10:08]
Ross Burton
So that would be a disk image or something.
[10:10]
Viktor Petersson
And I think it's important to note here that everything is built from source, so you're not pulling in packages.
[10:19]
Viktor Petersson
When you say compiler, you basically mean we're building everything from scratch, like fully.
[10:25]
Viktor Petersson
Well, I guess you are bootstrapping using the compiler on the host, so you're not building the compiler for the compiler, but you're basically starting with everything from source and building everything from nothing, essentially.
[10:38]
Joshua Watt
Build the cross compiler for you and then use it to build all the stuff that goes on the target.
[10:42]
Joshua Watt
So the host dependencies that are required to get started are pretty minimal.
[10:47]
Joshua Watt
It's, you know, gcc, binutils, a couple other utilities, but you don't need any cross compilers or anything installed because we're going to build those for you.
[10:57]
Viktor Petersson
Right.
[10:57]
Viktor Petersson
And I guess it goes without saying, starting from scratch out of cache takes quite a while.
[11:03]
Viktor Petersson
In particular if you're cross compiling from a different one architecture, another architecture.
[11:07]
Viktor Petersson
Right.
[11:08]
Viktor Petersson
But even within singular architecture, it takes quite a while to build everything from scratch.
[11:12]
Viktor Petersson
Right?
[11:14]
Viktor Petersson
So poki, or poki, whatever, how you guys pronounce it, Pokeypoki is the reference.
[11:23]
Viktor Petersson
If you look at documentations online, I think a lot of people would just use and ship that for a lot of distributions.
[11:32]
Viktor Petersson
I guess one of the things I'm curious About there is kind of like horror stories.
[11:37]
Viktor Petersson
What you guys have seen in the world of just like, I'm just gonna repackage this and zip it out on a device completely insecure.
[11:45]
Viktor Petersson
Like, why have you guys seen.
[11:46]
Viktor Petersson
I'm sure you must have seen some terrifying things in that domain.
[11:51]
Joshua Watt
I don't know if I've seen anything like personally, but I have heard of people mentioning that they still ship with Paki and it's like, well, that's terrifying, right?
[12:05]
Joshua Watt
You know, I don't know if I've actually seen anything directly though.
[12:10]
Ross Burton
There's a fairly regular presenter at one of the yogto conferences called Marta who does security work and she has some horror slides of like unnamed devices, but they accidentally left on.
[12:24]
Ross Burton
But you can log in without a password.
[12:26]
Joshua Watt
Oh, wow.
[12:28]
Ross Burton
I was.
[12:30]
Ross Burton
The customization thing is kind of very important.
[12:34]
Ross Burton
I was actually looking through a license manifest for an unnamed vendor this morning trying to see does this thing, I think, use yocto.
[12:42]
Ross Burton
Use yocto.
[12:43]
Ross Burton
So the usual trick is find the GPL compliance document and look for particular things like, oh, that's one of our package names.
[12:50]
Ross Burton
So yes, this thing runs yocto going down it.
[12:55]
Ross Burton
Now, this is a data center infrastructure piece and it's shipping a 4x server and they're looking through the list.
[13:03]
Ross Burton
It's like your.
[13:04]
Ross Burton
Your security vulnerabilities are magnified because you're shipping everything.
[13:08]
Ross Burton
Instead of saying, this is a tiny piece of computer that doesn't need to have a display, let's not ship an X server.
[13:16]
Ross Burton
So you do see silly things like that occasionally.
[13:21]
Ross Burton
But yeah, the entire oops, I accidentally used Poky as my production device is something which you've been aware people do and shouldn't be doing.
[13:33]
Ross Burton
So the latest release puts up a very big message every time you log in saying, this is for testing and development purposes.
[13:41]
Ross Burton
Do not ship me.
[13:43]
Viktor Petersson
Right.
[13:43]
Ross Burton
So hopefully we won't ever see that in production.
[13:50]
Viktor Petersson
That.
[13:51]
Viktor Petersson
That's okay.
[13:52]
Viktor Petersson
Fair enough.
[13:53]
Viktor Petersson
So when people get started with yocto, what are the, some most common, I guess, misconceptions in.
[14:00]
Viktor Petersson
In like using yocto and like, what are the biggest maybe mental hurdles to get like your head around yoc'd as a concept?
[14:10]
Joshua Watt
I think one of the things that tends to be confusing early on is the relationship between recipes and packages and your final root file system, which is that like a recipe's purpose is to pull in your source code and compile it into packages.
[14:29]
Joshua Watt
Like, and these are.
[14:32]
Joshua Watt
We've got a bunch of different packaging formats, but it is like the same concept as like a DEB or an RPM or whatever type of package, binary package that then gets installed into your root file system.
[14:44]
Joshua Watt
I think that can be very confusing at first because it's kind of.
[14:49]
Joshua Watt
It feels like it should be more direct.
[14:51]
Joshua Watt
Like you take a recipe and that's what ends up on your root file system.
[14:54]
Joshua Watt
But there's actually an intermediate step of packaging there and not necessarily all the packages that a recipe produces are going to end up on your root file system.
[15:02]
Joshua Watt
So I think that can be confusing early on.
[15:06]
Ross Burton
Yeah, definitely.
[15:07]
Ross Burton
You see a lot of people confused about how they built a recipe and it doesn't appear on their target because you just built it, you didn't put it in the image.
[15:16]
Ross Burton
Or conversely trying to figure out how to make things smaller.
[15:20]
Ross Burton
It's like just stop installing the things and it won't be there.
[15:24]
Ross Burton
It does seem a bit complicated.
[15:26]
Ross Burton
Yeah.
[15:26]
Viktor Petersson
Yeah.
[15:27]
Viktor Petersson
I guess one of the things that I found confusing was, I mean, Joshua, you kind of alluded to it that there are different packagings.
[15:35]
Viktor Petersson
Like in the config file you can say like, oh, I want rpm, I want DEB files, or there are some.
[15:39]
Viktor Petersson
Few other ones.
[15:40]
Viktor Petersson
I think Alpine packaging is support as well.
[15:42]
Viktor Petersson
I think some other ones.
[15:43]
Viktor Petersson
Right.
[15:45]
Viktor Petersson
I by that kind of inferred that it becomes like Red Hat E or Debbie and E.
[15:53]
Viktor Petersson
But it's completely unrelated that it's purely just how do I get this package into my system more so than anything inferred into the actual system?
[16:03]
Viktor Petersson
I think that was for me at least conceptually confusing.
[16:07]
Joshua Watt
Yeah.
[16:08]
Joshua Watt
And I don't know the history of why we have all the different packaging formats, but we do.
[16:13]
Joshua Watt
And there's definitely been talk about adding more like APKs, for example.
[16:19]
Joshua Watt
There's been some discussion on the mailing list about that, but yeah, that can be confusing because it's like I'm producing an rpm.
[16:25]
Joshua Watt
Why can't I just point it at the Fedora RPM repos and install stuff?
[16:31]
Joshua Watt
And that's not the intent.
[16:33]
Joshua Watt
They are RPMs, but they are in no way compatible with anyone else's RPMs.
[16:38]
Joshua Watt
That's the format that you want to distribute your packages in.
[16:41]
Joshua Watt
And that's fine.
[16:42]
Viktor Petersson
Yeah, for me, I incorrectly assume that you're using like that is basically that base image you're using, essentially derived based on the packaging format to use different base images, but completely has nothing to do with that.
[16:56]
Viktor Petersson
So that at least threw me off quite significantly when I started to play with it.
[17:03]
Viktor Petersson
So you've now built your YOCTO image.
[17:07]
Viktor Petersson
You managed to kind of create something that runs.
[17:10]
Viktor Petersson
Right.
[17:10]
Viktor Petersson
Let's assume you have not used Pokey and you have actually tighten the ship a bit and you actually use it on its production grade.
[17:19]
Viktor Petersson
The next thing that I seen a lot of, I guess issues around YOCTO is around ota.
[17:27]
Viktor Petersson
Right?
[17:27]
Viktor Petersson
Because once you ship a device into production, great, but that's just the start of the journey.
[17:33]
Viktor Petersson
That's not the final piece.
[17:34]
Viktor Petersson
Right.
[17:34]
Viktor Petersson
You need to like, if there is a CVE out there, you need to be able to say, oh, I'm going to make sure that these devices are updated for it.
[17:41]
Viktor Petersson
Particularly going back to the previous point about oh, this might be a 15 year life cycle on this device.
[17:46]
Viktor Petersson
Right.
[17:46]
Viktor Petersson
Like how do I update these devices in the wild or at least provide a mechanism for that can be done manually over that duration.
[17:56]
Viktor Petersson
So let's switch topic to like ota, maybe not even ota, but like updating mechanisms a little bit in yocto.
[18:03]
Viktor Petersson
And how does that work?
[18:08]
Joshua Watt
Well, go ahead.
[18:10]
Ross Burton
Yeah, so basically this is another one of the places where YOCTO says this is a complicated topic.
[18:20]
Ross Burton
There are lots of variables, you decide, right?
[18:24]
Ross Burton
So by default we produce packages and you can run a feed server and just run APT update if you want.
[18:33]
Ross Burton
But in, you know, food like your random laptop, that's fine.
[18:39]
Ross Burton
But for something you've deployed to a million houses less ideal understatement.
[18:46]
Ross Burton
Yeah.
[18:48]
Ross Burton
So there's a number of options for proper battle tested updaters and I can think of like four.
[18:59]
Ross Burton
There's Menda, that's the OG one, right?
[19:03]
Ross Burton
Yeah.
[19:04]
Ross Burton
SW Update.
[19:06]
Ross Burton
Rauk.
[19:07]
Ross Burton
There's at least two more.
[19:08]
Ross Burton
I can't remember the names off the top of my head and they all are fairly solidly integrated into yocto.
[19:16]
Ross Burton
A lot of them have companies behind them doing like commercial support.
[19:20]
Ross Burton
So it basically is a choice of sitting down and saying what features do I actually want in my updater?
[19:27]
Ross Burton
And then finding the one that fits because they do have different feature sets.
[19:31]
Ross Burton
Yeah, yeah, It's a tricky problem, but it needs to be approached carefully because yeah, you don't want to actually brick a fleet of devices, nor do you.
[19:41]
Viktor Petersson
Want to ignore that problem and try to kind of shoehorn that into a product after go live either.
[19:47]
Viktor Petersson
Right?
[19:49]
Ross Burton
Yeah, it's something which several years ago were thinking, do we need to actually provide integrated into the core an OTA updater?
[20:00]
Ross Burton
But it didn't take a huge amount of research to realize this is a.
[20:04]
Ross Burton
It's a very broad problem and I don't know if it's feasible to say there is one answer, because that's fair enough.
[20:13]
Joshua Watt
And I think it does succinctly highlight one of the great advantages of the project, which is that there are all these third party layers that do this very well and they're very easy to integrate or relatively easy to integrate.
[20:28]
Joshua Watt
And then you have the choice to use what you, what works best for your product without, you know, too much hassle or, you know, people are able to support these things independently, you know, without much hassle.
[20:42]
Joshua Watt
So that's a great strength that we have with that.
[20:45]
Viktor Petersson
Yeah, being agnostic is definitely a strength in some ways, I would say.
[20:49]
Viktor Petersson
But I think at least if you're old school, you've been around embedded for a long time, OTA and these things, they are kind of like table stakes.
[20:58]
Viktor Petersson
Like we understand that's like a hardware, like a hard requirement before you even like put together a spec for a project, but at least over like, I guess with the rise of the Raspberry PI in particular, like you have a lot of people like or became like accidental IOT people, if that makes sense.
[21:15]
Viktor Petersson
And I'm one of them.
[21:16]
Joshua Watt
Right.
[21:16]
Viktor Petersson
With our, with screenly, like we would become like an accidental IoT project.
[21:20]
Viktor Petersson
And, and much to your point earlier, Ross, about trying to do DEB package updates in the wild, this is the path we took on Raspbian back in the days.
[21:32]
Viktor Petersson
Try to script that and do that at scale and it's a world of pain.
[21:39]
Viktor Petersson
The amount of fallback and logic you need to do to wrap around that is just insane, particularly when you factor in that the power might be cut any moment because these are devices that you have no control over.
[21:51]
Viktor Petersson
It's not a data center.
[21:52]
Viktor Petersson
Right.
[21:54]
Viktor Petersson
So I guess highlighting the need for OTA is something that would save a lot of people a lot of pain if it's really properly, I guess, instructed up front, really that, oh, do not even contemplate, go live without a strategy for ota.
[22:12]
Viktor Petersson
And, and I guess that's kind of a natural segue over to one of the other things I want to talk about, which is supply chain security and security at large in the embedded world.
[22:25]
Viktor Petersson
And I mean with the rise of CRA particular in Europe, it's no longer an option to think about how does the supply chain life cycle for these devices look like it's called like it can't be an afterthought, like a gun.
[22:41]
Viktor Petersson
Like your OTA needs to be the part of your day zero strategy.
[22:45]
Viktor Petersson
Right.
[22:47]
Viktor Petersson
And I'm Curious about what you guys have seen from the community with regards to CRA or ee.
[22:55]
Viktor Petersson
Cyber Resilience act for short.
[22:57]
Viktor Petersson
Really, for those who's not familiar with it, what how that has kind of shaped how people see yocto and how people use YOCTO differently.
[23:05]
Viktor Petersson
Like, I'm really curious about how obviously you guys have seen that.
[23:13]
Joshua Watt
Well, I think people have been more interested in their supply chain from the octo side of things.
[23:23]
Joshua Watt
I think one of another thing that's always been really good is we've always had a really good supply chain just because of the way the project works.
[23:32]
Joshua Watt
We start with a very minimal set of dependencies.
[23:35]
Joshua Watt
The recipes are pretty exhaustive in knowing how to build them and having all the metadata information about all the stuff being built.
[23:43]
Joshua Watt
And then we use that to build your cross compilers, like the tools you need to build the stuff you need to build and then we follow that through all the way to the final image that you're generating is also described that same way with that same level of detail.
[23:58]
Joshua Watt
And so intrinsically we've always had a pretty strong supply chain.
[24:05]
Joshua Watt
And so I think a lot of people that I've seen that are using the project as far as like CRA and stuff, they're not too worried about being able to justify their supply chain in way more detail than the CRA is asking for anyway.
[24:22]
Joshua Watt
So that hasn't been too much of a concern.
[24:24]
Joshua Watt
It's just been like, how do we get that information out of the project and into something that's digestible by, you know, people, machines or something like that.
[24:34]
Viktor Petersson
Yeah, you definitely have a strength by doing everything of source because there is, you have very few things you need to trust right outside of that, which is great.
[24:44]
Viktor Petersson
But I guess that really again highlights the need for OTA and being able to like, if you like now you know what version you're running and what license has.
[24:53]
Viktor Petersson
That's, that's a fantastic starting point, but it's the start of a journey, not the end goal.
[24:58]
Viktor Petersson
Right.
[24:59]
Viktor Petersson
so on that, I mean, kind of jumping a bit here, but like we talked about building a bit.
[25:06]
Viktor Petersson
And how far is YOCTO to fully deterministic builds today?
[25:11]
Viktor Petersson
Like is it possible to do four deterministic builds on the system today?
[25:17]
Joshua Watt
I think for, if you're talking, I mean the thing to keep in mind is when there's lots of different layers, right, with varying levels of, you know, third party layers we don't necessarily have as big a control over.
[25:30]
Joshua Watt
So it does depend on what software you bring in.
[25:32]
Joshua Watt
Yeah, but as far as like the core stuff, I believe we're fully reproducible or at least try to be fully reproducible as much as we can.
[25:41]
Joshua Watt
There sometimes are points in time where we're not just for reasons.
[25:46]
Joshua Watt
Some, some package upgrade did something and, but usually we're working on fixing it.
[25:52]
Joshua Watt
And we do track that.
[25:53]
Joshua Watt
There's a, a page on the website that tracks the reproducibility status of the core layers and that's supposed to be binary reproducible.
[26:03]
Joshua Watt
So you build it today, you know, you get a binary output, you build it in two years.
[26:10]
Joshua Watt
As long as you start from the same place, you should get the same binary output.
[26:15]
Joshua Watt
And kind of the way that's structured then in order to sort of allow end users to cover third party stuff, is the way that those tests are written is designed such that you can run them against your own stuff and not just core.
[26:29]
Joshua Watt
So what I always tell people is like, we've made sure that core can be reproducible, but if you care about reproducibility, you need to be running that test against your stuff and make sure that your stuff is reproducible because we can't guarantee your thing is reproducible, but we can't guarantee that the core stuff is.
[26:50]
Joshua Watt
Of course that's kind of how that works.
[26:52]
Joshua Watt
As far as reproducible builds goes.
[26:54]
Viktor Petersson
Okay, that's very cool because obviously that's a big upside with regards to supply chain security as well, like infinity appreciable build.
[27:02]
Viktor Petersson
So that's a big one.
[27:05]
Viktor Petersson
Let's dive into kind of like the second big meaty piece I wanted to talk about in today's call, which is basically how Joshua and I first met, which is around SBOMs really.
[27:16]
Viktor Petersson
And Joshua, you have written much if not most of the SBOM parsing inside of yocto.
[27:24]
Viktor Petersson
So maybe let's start before we dive into the nitty gritty details of why and how this done, I guess we have the philosophical debate of SPDX versus CycloneDx.
[27:37]
Viktor Petersson
How did you guys land on SPDX?
[27:39]
Viktor Petersson
What was the debate internally?
[27:41]
Viktor Petersson
I'm curious.
[27:43]
Joshua Watt
Well, there is the Linux foundation connection with spdx, which factored into it fairly heavily.
[27:51]
Joshua Watt
And I mean that's most of it.
[27:55]
Joshua Watt
Like I looked at both of them and SPDX kind of made sense.
[28:01]
Joshua Watt
And then the other thing that was really helpful was we knew that.
[28:05]
Joshua Watt
So when we started SPDX was on version 2.2, but we knew that they were working on 3.0 and so the plan from the beginning was always we're going to do SPDX 2.2 and we know our supply chain is very complicated and there's a good chance that we're going to want some more things added to the SPDX standard.
[28:32]
Joshua Watt
And so being able to do SPDX 2.2 and then be involved in the design and the development of SPDX3 was extremely beneficial because were able to help guide SPDX3 to really understand deep build supply chains, which is what we have.
[28:53]
Joshua Watt
And then also were able to help make sure that whatever came out of SPDX3 would align with what we wanted to say, you know, about our SBoM.
[29:02]
Joshua Watt
So that worked out really well just for those reasons.
[29:08]
Viktor Petersson
So, yeah.
[29:10]
Viktor Petersson
And what's the status on SPDx3 support in Yocto at the moment?
[29:16]
Joshua Watt
Yeah, so SPDx3 was added in, let me see here, the 5.1 release, just codename Styhead, and that was released in October 2024 and it's the default now.
[29:31]
Joshua Watt
So the next LTS release of Yocto will be SPDx3 by default.
[29:36]
Joshua Watt
You can still use SPDx2, you can turn it on.
[29:39]
Joshua Watt
But yeah, SPDx3 describes our system much better than SPDx2 does.
[29:48]
Joshua Watt
And so we very much prefer that people use that just because of how much better it works for our use cases, because were involved so early in the design process of it.
[29:56]
Viktor Petersson
Right.
[29:58]
Viktor Petersson
The thing that I thought was really fascinating when we kind of did a deep dive in how you build SBOMs in the first place, it's like, it's very different than how you build sboms normally, by virtue of you being kind of like a package manager or package builder, I guess is a better phrase for it.
[30:16]
Viktor Petersson
So maybe let's take a path down that road and just talk about how do you build sboms and like, what allows you to build sboms, I guess in a far more complete way than almost anybody else I've seen out there, because you can make assumptions that almost nobody else can make.
[30:38]
Viktor Petersson
Right.
[30:38]
Viktor Petersson
So yeah, take a deep dive down path down that road.
[30:42]
Joshua Watt
So because we're building everything from source, you know, our recipe files and the build system they have to know everything about how to build it from source.
[30:54]
Joshua Watt
You need to know the build time dependencies, you need to know the runtime dependencies of things, of the packages that you're producing.
[31:04]
Joshua Watt
And that needs to go all the way back to the cross compiler.
[31:09]
Joshua Watt
We've always been very good about tracking license information and things like that, because that's something our users care about, have cared about since before we had SBoMS.
[31:18]
Joshua Watt
And so the breadth of information that we have is very deep.
[31:25]
Joshua Watt
We can check some, all the source files that went into a build, because one of the other things that we've just pretty much always done is we've had very good build hygiene, making sure that every recipe that we're building is in its own little build silo, and so it's not leaking out and pulling in random stuff that it shouldn't be from other places as best we can.
[31:51]
Joshua Watt
We try really hard to do this, and so we have a very complete picture of what it takes to build stuff.
[31:57]
Joshua Watt
And so the SBOM support is primarily an exercise in taking the information we already know and putting it into a different file format.
[32:12]
Joshua Watt
It's more complicated than that.
[32:14]
Joshua Watt
I don't want to trivialize it, but it's not a ton of Python code.
[32:19]
Joshua Watt
Right, right.
[32:21]
Joshua Watt
It's not that bad.
[32:24]
Joshua Watt
So because we already started from such a good place, it made it pretty easy for us to end up with these very high quality and very complete SBOMs.
[32:37]
Joshua Watt
As I say a lot, it's quite easy to have an sbom that's 10 times the size of your final root file system.
[32:45]
Joshua Watt
If you turn on every single feature, like I want to check some every file and every build and every file that ends up on the root file system, you can get a very large SBOM order of magnitude larger than the actual binary you produced at the end of the day.
[32:58]
Joshua Watt
So very complete, if that's what you're going for.
[33:01]
Joshua Watt
We do have knobs to adjust the levels because not everyone wants that.
[33:06]
Viktor Petersson
Right.
[33:07]
Joshua Watt
And it's can be a lot.
[33:09]
Viktor Petersson
And how do.
[33:10]
Viktor Petersson
Yeah, so you mentioned you're capturing hashes, you're capturing build dependencies, runtime dependencies.
[33:16]
Viktor Petersson
Like that graph is very complex.
[33:19]
Viktor Petersson
Right.
[33:20]
Viktor Petersson
So like, I guess, is there anything missing at all?
[33:25]
Viktor Petersson
Or like, do you literally capture everything that you capture in build time in the SBoM, more or less from your artifact?
[33:34]
Joshua Watt
It's pretty complete.
[33:38]
Joshua Watt
I'm trying to think if there's anything in particular that's missing.
[33:46]
Joshua Watt
I can't think of anything off the top of my head that we have.
[33:48]
Joshua Watt
So with our SBOM support, one of the choices that we made was we do what's called, or what I like to call, like we capture like first principles, things, which is stuff that we are authoritative on because we're the ones doing the build.
[34:09]
Joshua Watt
So we try to avoid heuristics and things like that.
[34:13]
Joshua Watt
Like, you might see another, like other SBoM tools might do like a scan of a binary and say this is probably in there and that's fine, there's certainly nothing wrong with that.
[34:22]
Joshua Watt
But just because of where we are at in the supply chain, we kind of just take this first principles approach or reporting on the things that we know about because it's in the recipe or whatever, like we did.
[34:37]
Joshua Watt
We know.
[34:39]
Joshua Watt
And then you can layer on top of that scanning tools that do other stuff.
[34:43]
Joshua Watt
Right.
[34:44]
Joshua Watt
But it's not really worth it for us to maintain a bunch of heuristic tools in a project.
[34:50]
Joshua Watt
And I can't think of anything.
[34:51]
Joshua Watt
It's generally, again, it's generally pretty easy to map the information we have from the recipe or the build system into spdx.
[35:01]
Joshua Watt
As long as the property here, as long as there is a way to express it in spdx, it's generally not that complicated to do.
[35:08]
Joshua Watt
It's just a matter of manipulating the data around and restructuring it into the right format.
[35:14]
Viktor Petersson
And with regard to.
[35:15]
Ross Burton
Yeah, one thing we can do, which I think a lot of people may miss or other systems can't do, is because we build all the software from scratch, we can pick up statically linked libraries as well.
[35:30]
Ross Burton
So if your binary statically links to some compression library, it won't be obvious externally or in the package dependencies, but because the SVDX aggregation happens during the build, we can look at the debug symbols and go, oh look, it's got a statically linked copy of Zlib and that can go into the spdx, which will be hopefully very useful next time there's some tragic CVE involving a really low level library that has been statically linked everywhere.
[36:03]
Viktor Petersson
Right, right.
[36:04]
Viktor Petersson
And you also know the version because it's sandboxed inside of the build version.
[36:09]
Viktor Petersson
So like you really know what it's statically linking as well.
[36:13]
Ross Burton
Yeah.
[36:16]
Viktor Petersson
The only thing that I guess is missing, like I'm just putting the working group with it cisaw hat on is it's like the supplier information.
[36:25]
Viktor Petersson
Right.
[36:25]
Viktor Petersson
Is there a way to infer that?
[36:26]
Viktor Petersson
And if you are day job, can you implement that as part of the Okta toolchain, say this yocta image was built by Garmin or ARM or whatever and can you supply all those information as well as part of that build cycle to get to a full like augmented S POM as well?
[36:47]
Viktor Petersson
Or is that outside of scope of the tooling?
[36:50]
Joshua Watt
Yeah, so if you're particularly specifically talking about the like, there's a field in SPDX called like supplied by.
[36:56]
Viktor Petersson
Yeah, the top level.
[36:57]
Viktor Petersson
Yep, yeah, yep.
[36:58]
Joshua Watt
So you can set that.
[37:01]
Joshua Watt
There's a variable, a bitbake variable you can set in your local conf usually is where you'd set it.
[37:09]
Viktor Petersson
Right.
[37:09]
Joshua Watt
And you can set the supplier for your packages and it'll just show up in everything you build then.
[37:14]
Viktor Petersson
Right.
[37:16]
Joshua Watt
So that's definitely possible.
[37:18]
Joshua Watt
You can also do.
[37:19]
Joshua Watt
If you're talking about like who did a build.
[37:26]
Joshua Watt
Right.
[37:26]
Joshua Watt
Which might be different than the supplier.
[37:27]
Joshua Watt
Right.
[37:28]
Joshua Watt
So you can capture that information too.
[37:31]
Joshua Watt
I believe it's off by default, but again you can turn it on and that's what I'm talking about.
[37:35]
Joshua Watt
With all the knobs that are in the stuff, there's a lot of options to turn on more output than are on by default.
[37:44]
Joshua Watt
The defaults tend to try to walk the line between.
[37:54]
Joshua Watt
The more stuff you turn on, the slower it's going to go, right?
[37:56]
Viktor Petersson
Sure.
[37:57]
Joshua Watt
So they try to walk that line between build speed and then also the default that we have is to do reproducible S BOMs because there's definitely features you can turn on that will make them not reproducible, like precise build timestamps and stuff like that.
[38:14]
Joshua Watt
But again, that field exists, that supplied by field exists in spdx and we do have a way that you can set that.
[38:24]
Joshua Watt
I believe it's just off by default.
[38:26]
Viktor Petersson
Yeah.
[38:26]
Viktor Petersson
No, I guess what I'm hinting at is the NTIA minima element compliance element of it.
[38:31]
Viktor Petersson
Right.
[38:31]
Viktor Petersson
Because if you're supplying particular embedded hardware to the US government, for instance, you probably do need to meet these guidelines.
[38:37]
Viktor Petersson
Right.
[38:37]
Viktor Petersson
So that's where those pieces become more important.
[38:41]
Viktor Petersson
I guess the next thing I kind of want to cover, which is on kind of tangent this, but very much related, which is the VEX side of things.
[38:53]
Viktor Petersson
And I know Ross, you've been doing some work on the VEX side of things.
[38:56]
Viktor Petersson
A little bit touching there.
[38:57]
Viktor Petersson
So I guess and you both of it obviously are involved indirectly or directly with.
[39:02]
Viktor Petersson
With the work around this.
[39:03]
Viktor Petersson
So maybe how that's the whole cause of.
[39:07]
Viktor Petersson
Well, maybe if you can explain to the listeners like what's a vex file?
[39:11]
Viktor Petersson
And how does that come into play with SBoM?
[39:13]
Viktor Petersson
Maybe we can start there.
[39:16]
Ross Burton
So as we start with a little bit of history, in the previous releases we had a tool called CPUCheck and that would download the NVD database and just try and compare your recipes with the database and go, oh, here are these.
[39:36]
Ross Burton
Some CVEs you should probably know about.
[39:38]
Ross Burton
These have been fixed, fees have been.
[39:41]
Ross Burton
These are still unmitigated visa invalid.
[39:45]
Ross Burton
And that produced an Output in machine readable text and then JSON, which is fine, but it was all very bespoke YoC date Pacific tooling.
[39:57]
Ross Burton
But there's lots of limitations there.
[40:00]
Ross Burton
It's a one time report, right.
[40:02]
Ross Burton
So yeah, it's a snapshot of the state of the CVEs at the time that you did the build, which is not very useful two months later.
[40:11]
Ross Burton
Right.
[40:12]
Ross Burton
So we've been looking at improving that situation for some time and there's tangential drama with the CVE community, which probably should gloss over today, the entire episode on its own.
[40:29]
Ross Burton
But we are now, thanks to some epic work by Josh, we can dump the full set of CVEs that we know about into vspdx directly.
[40:43]
Ross Burton
So we don't generate a separate openvex file.
[40:47]
Ross Burton
Because vspdx is slowly becoming the one source of truth about your build.
[40:57]
Ross Burton
It's not just your SBoM, it's also every package contains this file list and these files are of these sizes.
[41:05]
Ross Burton
So you've got all the actual per file metadata.
[41:09]
Ross Burton
And also now, and These are the CVEs that at the time of the build we knew about.
[41:15]
Ross Burton
So we can say, oh, this issue, we fixed it with a patch.
[41:20]
Ross Burton
So then in a year's time you can use the tool to process the CVE data that you have in the SVDX and then you do an up to date scan.
[41:33]
Ross Burton
This is at the moment work in progress.
[41:37]
Ross Burton
There are bits of tooling floating around.
[41:40]
Ross Burton
There's a YOCTO VEX check tool I think it's called, which mostly works, but I don't think it scans the latest files that we've got.
[41:51]
Ross Burton
So that still needs a bit of work.
[41:53]
Ross Burton
But yeah, it's coming together and it's looks like in the next release we'll have all this all sorted out, which will improve dramatically.
[42:07]
Ross Burton
I just want to run a CV scan across my software store.
[42:10]
Viktor Petersson
Right.
[42:14]
Viktor Petersson
And it's really tracking that over time.
[42:16]
Viktor Petersson
Right.
[42:17]
Viktor Petersson
Like SBOM is a great tool for that.
[42:18]
Viktor Petersson
But then, yeah, it's a truth in time, not like a absolute truth forever.
[42:24]
Viktor Petersson
Like I have zero cvs, right.
[42:27]
Viktor Petersson
Or whatever they would be called in the future now that CVEs are semi gone or.
[42:35]
Viktor Petersson
Yes, yeah, let's avoid that.
[42:39]
Viktor Petersson
But so the idea then is you can generate this dump basically as an artifact of your work Joshua from the SBOMs.
[42:51]
Viktor Petersson
And then what's the relationship with upstream source and YOCTO source?
[42:59]
Viktor Petersson
Right, because you're pulling in upstream.
[43:01]
Viktor Petersson
But I presume there are sets of patches involved.
[43:04]
Viktor Petersson
You're not Just pulling master from upstream repo.
[43:07]
Viktor Petersson
You're applying a set of patches for insert reason.
[43:10]
Viktor Petersson
Right.
[43:11]
Viktor Petersson
How does that look in particular from a vantage point of vulnerability, patching and like and even I guess backporting patches Because I presume that's something that will kind of fall on the OCTA project as well.
[43:25]
Viktor Petersson
Right?
[43:28]
Viktor Petersson
Not sure who of you feel closer to that cat of worm.
[43:37]
Joshua Watt
We do apply patches for sure and there's a.
[43:43]
Joshua Watt
The way the patches are applied, there's a tag you can put in the patch that says this fixes a CVE and then the build system will see that and report it in the CVE statuses for the things and then that ends up in the SPDX output.
[44:00]
Joshua Watt
So it's pretty easy from a mechanical perspective.
[44:05]
Joshua Watt
As long as the patch exists, it's pretty easy to apply that and get that to show up in your build output and then get marked as fixed basically.
[44:18]
Joshua Watt
Yeah, so that's kind of how that works.
[44:21]
Viktor Petersson
But do you guys run situation where you have to backport as well or how does that.
[44:27]
Viktor Petersson
Because I would imagine that's a scenario that is very real.
[44:29]
Viktor Petersson
For particular if you're talking about life cycles of 15 years of a device.
[44:33]
Viktor Petersson
What's the LTS window by the way, for Yocto?
[44:36]
Viktor Petersson
Like what's the support window for an LTS release?
[44:39]
Ross Burton
LTSs have a four year cycle.
[44:41]
Viktor Petersson
Four year?
[44:42]
Ross Burton
Yeah, so that's four years from the YOCTO project itself.
[44:47]
Ross Burton
Obviously if you're producing hardware which you want to last 15 years, then either you need to maintain it yourself, but there are plenty of OSCs who will give you a supported YOCTO derivative for like 10 years or more.
[45:04]
Ross Burton
Yeah, we do backport a lot patches.
[45:08]
Ross Burton
As Josh said, if the stable releases tend to only get security fixes or like pretty serious bug fixes, so when patches do get taken back, they all need to have a little CPE tag in the patch identifying what CVEs were fixed.
[45:27]
Ross Burton
Yeah, that just bubbles through.
[45:29]
Viktor Petersson
Okay, okay, interesting.
[45:36]
Viktor Petersson
One thing I really like about this whole approach in general with SBOMs and how you build things is that you.
[45:42]
Viktor Petersson
I kind of hinted this before, but you're solving for the problem of unknowns, which is very real in the world of SBOMs because if you point any of these modern tools out there, like Sneak Trivia or any of these tools to generate SBoM, they're just basically, if you talk about an image, for instance, they basically is like reading the package database and then building an S SPOM based off that.
[46:09]
Viktor Petersson
It's not very difficult to circumvent that by either modifying the database or just chucking a binary in there that is not even picked up by these toolings.
[46:19]
Viktor Petersson
So that's one of the things I really enjoy with the approach for YOCTO and how you guys are doing that because it feels like one of the few tools out there that are like proper complete with regards to SBOM generation.
[46:34]
Viktor Petersson
And I guess Zephyr is another project that is doing well with regards to that from a slightly different angle and maybe that warrants another episode of going down the rabbit hole of Zephyr, which is completely different.
[46:46]
Viktor Petersson
Guys, this has been super interesting.
[46:48]
Viktor Petersson
I think I've covered most of the things I want to cover in today's episode and I think there are a lot of really interesting nuggets in what you guys have done.
[46:57]
Viktor Petersson
And for people who want to get started with yocto, people want to learn more, what do you guys recommend to avoid again, avoid the compet force and kind of get started the right way?
[47:11]
Ross Burton
Well, I'd start by going to Yoktoproject.org also the documentation from there is good if you start with the Quick Start guide and don't click on like full manual because you will get blown away.
[47:26]
Ross Burton
But the full manual is immense but the Quick Start guide is a few pages and that will get you started and just treat the rest of the full manual as a reference, not something you go to bed with to read.
[47:41]
Ross Burton
Also we could say we're an old school community so if you want to chat with people then we're still on IRC but there's an active IRC channel on Libra.
[47:53]
Ross Burton
Net it's Hashokto so yeah, come there have a chat if you've got any questions.
[47:59]
Ross Burton
We're friendly, very cool.
[48:03]
Viktor Petersson
And what's next on improving the security posture or in YOCTO in general?
[48:08]
Viktor Petersson
And what's on your guys?
[48:09]
Viktor Petersson
What are you guys excited about on the roadmap going forward for the next year?
[48:15]
Ross Burton
Not sure if excited is the one I do, but the CVE situation is something that well I committed to working out the CVE story for the next milestone which is like the next three months about a week before the drama all kicked off.
[48:33]
Ross Burton
So regretting my life choices there but hopefully we get some stability and we understand what the future is going to involve so that needs to be improved and the new tooling written to just have everything in the SPDX and generate reports from that is where we're going to be going shortly.
[48:54]
Ross Burton
So anyone who's been using the CVE check tool will probably be aware of its limitations, and hopefully the new tools will just replace that really nicely.
[49:04]
Viktor Petersson
And that's before you rewrite everything in Rust.
[49:06]
Viktor Petersson
Yeah.
[49:10]
Ross Burton
No, don't get me started on Rust.
[49:14]
Viktor Petersson
Josh, what's on your agenda?
[49:16]
Viktor Petersson
What are you excited about for the.
[49:18]
Joshua Watt
Roadmap as far as the SBOM support?
[49:24]
Joshua Watt
We're definitely looking at doing the VEX reporting that Ross is talking about.
[49:32]
Joshua Watt
I was trying to think if there was anything else major.
[49:36]
Joshua Watt
We're still heavily involved in the.
[49:38]
Joshua Watt
I'm still heavily involved in the SPDX community also.
[49:41]
Joshua Watt
They're working on their 3.1 release.
[49:44]
Joshua Watt
So there's a couple things that we're looking at there to just make it better in general.
[49:50]
Joshua Watt
I can't remember any specifics off the top of my head, but there's been a few things that's been like, we could do this a little better and so we should do that.
[49:58]
Joshua Watt
So we're planning on.
[50:00]
Joshua Watt
We'll probably be an early adapter of SPDX 3.1.
[50:04]
Viktor Petersson
Well, there are not that many tools out there that even do 3.0 yet, so I think you're very early on in that regard.
[50:13]
Viktor Petersson
Good.
[50:14]
Viktor Petersson
Well, thank you guys so much for coming on the show.
[50:17]
Viktor Petersson
I very much appreciate it and I hope people learn quite a few things about both YOCTO and about, well, SPX and as well as using SBOMs in the embedded world.
[50:29]
Viktor Petersson
So, again, thank you so much, guys.
[50:31]
Viktor Petersson
Have a good one.
[50:32]
Viktor Petersson
Thanks.
[50:33]
Joshua Watt
Thank you.
[50:34]
Ross Burton
Cheers.