From 007d0df7e7ec0d76fc2e2bf12a53184c26471239 Mon Sep 17 00:00:00 2001 From: Yogesh Hegde Date: Thu, 16 Apr 2026 14:25:47 +0530 Subject: [PATCH 1/4] feat(linux): Add SBOM section to release notes Add release artefacts SBOM information for AM64X,AM62X,AM62PX and AM62LX devices. Signed-off-by: Yogesh Hegde --- .../AM62LX/linux/Release_Specific_Release_Notes.rst | 7 +++++++ .../AM62PX/linux/Release_Specific_Release_Notes.rst | 5 +++++ .../devices/AM62X/linux/Release_Specific_Release_Notes.rst | 7 +++++++ .../devices/AM64X/linux/Release_Specific_Release_Notes.rst | 6 ++++++ 4 files changed, 25 insertions(+) diff --git a/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst index 9cfe71666..ded64c71a 100644 --- a/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst @@ -37,6 +37,13 @@ found on the SDK download page or in the installed directory as indicated below. - Debian Manifest: `TI debian software manifest 11.01.16.13 `__ +Software Bill of Materials (SBOM) +================================= + +|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts +are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. + Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst index 8be6e63a6..a5a377073 100644 --- a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst 
@@ -37,7 +37,12 @@ found on the SDK download page or in the installed directory as indicated below. - Debian Manifest: `TI debian software manifest 11.01.16.13 `__ +Software Bill of Materials (SBOM) +================================= +|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +format by default. SBOMs for all released artifacts are bundled into a single +archive and can be found on the |SDK_DOWNLOAD_URL|. Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst index 1e87a80e6..fde19805e 100644 --- a/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst @@ -35,6 +35,13 @@ found on the SDK download page or in the installed directory as indicated below. - Linux Manifest: :file:`/manifest/software_manifest.htm` +Software Bill of Materials (SBOM) +================================= + +|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts +are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. + Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst index c931dee88..6d34767f2 100644 --- a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst 
@@ -35,6 +35,12 @@ found on the SDK download page or in the installed directory as indicated below. - Linux Manifest: :file:`/manifest/software_manifest.htm` +Software Bill of Materials (SBOM) +================================= + +|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +format by default. SBOMs for all released artifacts are bundled into a single +archive and can be found on the |SDK_DOWNLOAD_URL|. Release 12.00.00.07.04 ====================== From 41da0b5b404953b89080ca668caf0544a64f7f3f Mon Sep 17 00:00:00 2001 From: Yogesh Hegde Date: Thu, 16 Apr 2026 14:28:37 +0530 Subject: [PATCH 2/4] feat(linux): Add how to guide for working with SBOMs Add How to guide for working with SBOM's with sections * Generating SBOM in SPDX and CycloneDX format * Tools and references for Working with SBOM i.e visualizing, merging, modifying SBOMs Signed-off-by: Yogesh Hegde --- configs/AM62LX/AM62LX_linux_toc.txt | 1 + configs/AM62PX/AM62PX_linux_toc.txt | 1 + configs/AM62X/AM62X_linux_toc.txt | 1 + configs/AM64X/AM64X_linux_toc.txt | 1 + .../linux/Release_Specific_Release_Notes.rst | 4 +- .../linux/Release_Specific_Release_Notes.rst | 4 +- .../FAQ/How_to_work_with_SBOM.rst | 175 ++++++++++++++++++ .../linux/How_to_Guides_Developer_Notes.rst | 1 + 8 files changed, 184 insertions(+), 4 deletions(-) create mode 100644 source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst diff --git a/configs/AM62LX/AM62LX_linux_toc.txt b/configs/AM62LX/AM62LX_linux_toc.txt index b9e69e127..15a26004d 100644 --- a/configs/AM62LX/AM62LX_linux_toc.txt +++ b/configs/AM62LX/AM62LX_linux_toc.txt 
@@ -127,6 +127,7 @@ linux/How_to_Guides/Target/How_To_Enable_M2CC3301_in_linux linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software +linux/How_to_Guides/FAQ/How_to_work_with_SBOM linux/How_to_Guides_Hardware_Setup_with_CCS linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Lx_EVM_Hardware_Setup linux/Demo_User_Guides/index_Demos diff --git a/configs/AM62PX/AM62PX_linux_toc.txt b/configs/AM62PX/AM62PX_linux_toc.txt index eff335a52..9e86abea6 100644 --- a/configs/AM62PX/AM62PX_linux_toc.txt +++ b/configs/AM62PX/AM62PX_linux_toc.txt @@ -172,6 +172,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software +linux/How_to_Guides/FAQ/How_to_work_with_SBOM linux/How_to_Guides_Hardware_Setup_with_CCS linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Px_EVM_Hardware_Setup linux/How_to_Guides/Target/How_To_Carve_Out_CMA diff --git a/configs/AM62X/AM62X_linux_toc.txt b/configs/AM62X/AM62X_linux_toc.txt index 96e533da1..949dd4ffa 100644 --- a/configs/AM62X/AM62X_linux_toc.txt +++ b/configs/AM62X/AM62X_linux_toc.txt @@ -176,6 +176,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software +linux/How_to_Guides/FAQ/How_to_work_with_SBOM linux/How_to_Guides_Hardware_Setup_with_CCS linux/How_to_Guides/Hardware_Setup_with_CCS/AM62x_EVM_Hardware_Setup diff --git a/configs/AM64X/AM64X_linux_toc.txt b/configs/AM64X/AM64X_linux_toc.txt index 5517f38f2..a8b017dfd 100644 --- a/configs/AM64X/AM64X_linux_toc.txt +++ b/configs/AM64X/AM64X_linux_toc.txt 
@@ -153,6 +153,7 @@ linux/How_to_Guides/Hardware_Setup_with_CCS/AM64x_EVM_Hardware_Setup linux/How_to_Guides/FAQ/How_to_Verify_Ipc_Linux_R5 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software +linux/How_to_Guides/FAQ/How_to_work_with_SBOM linux/How_to_Guides/Target/Processor_SDK_Linux_File_System_Optimization_Customization devices/AM64X/index_RTOS diff --git a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst index a5a377073..5c9f256ea 100644 --- a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst @@ -40,9 +40,9 @@ found on the SDK download page or in the installed directory as indicated below. Software Bill of Materials (SBOM) ================================= -|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format by default. SBOMs for all released artifacts are bundled into a single -archive and can be found on the |SDK_DOWNLOAD_URL|. +archive and can be found on the |__SDK_DOWNLOAD_URL__|. Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst index 6d34767f2..970b1825f 100644 --- a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst 
@@ -38,9 +38,9 @@ found on the SDK download page or in the installed directory as indicated below. Software Bill of Materials (SBOM) ================================= -|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format by default. SBOMs for all released artifacts are bundled into a single -archive and can be found on the |SDK_DOWNLOAD_URL|. +archive and can be found on the |__SDK_DOWNLOAD_URL__|. Release 12.00.00.07.04 ====================== diff --git a/source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst b/source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst new file mode 100644 index 000000000..a98739528 --- /dev/null +++ b/source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst 
@@ -0,0 +1,175 @@ +.. _how-to-work-with-sbom: + +############################################################### +How to Guide for working with Software Bill of Materials (SBOM) +############################################################### + +******** +Glossary +******** + +.. glossary:: + + SBOM + Software Bill of Materials - is a comprehensive list of all the software components, dependencies, and metadata associated with an application. + + SPDX + Software Package Data Exchange - is an open standard (or format) for communicating Software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references. + + CycloneDX + CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. + + VEX + Vulnerability Exploitability eXchange - is a standardized format for sharing information about vulnerabilities and their exploitability. + +*************** +Generating SBOM +*************** + +|__SDK_FULL_NAME__| Yocto build generates SBOMs in the following formats and versions: + +.. list-table:: + :header-rows: 1 + + * - Format + - Version + * - SPDX + - 3.0 + * - CycloneDX + - 1.6 + +Follow the steps below based on your required format. + +Generating SBOM in SPDX 3.0 Format +================================== + +SPDX 3.0 is generated by default when building |__SDK_FULL_NAME__| Yocto, no extra steps required. +If you require additional vulnerability information, follow these steps: + +1. Add the following line to your ``local.conf``: + + .. code-block:: text + + INHERIT += "vex" + +2. Build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto `. + +The following artifacts will be generated in the Yocto deploy directory: + +.. 
list-table:: + :header-rows: 1 + :widths: 50 50 + + * - File + - Description + * - ``${IMAGE_NAME}.rootfs.spdx.json`` + - The SPDX v3.0 SBOM file + * - ``${IMAGE_NAME}.rootfs.json`` + - Vulnerability information file generated by ``vex.bbclass`` + + +Generating SBOM in CycloneDX Format +=================================== + +To generate SBOM in CycloneDX format, follow these steps: + +1. Start with the build instructions in :ref:`Processor SDK - Building the SDK with Yocto ` +2. After cloning ``oe-layersetup``, uncomment the ``meta-cyclonedx`` line in + the layer configuration file, for example: + + .. code-block:: text + + meta-cyclonedx,https://github.com/iris-GmbH/meta-cyclonedx.git,main,0170751b487162f8e476fd32d441ddfcf24ca78a,layers= + +3. Add the following line to your :file:`local.conf`: + + .. code-block:: text + + INHERIT += "cyclonedx-export" + +4. Continue to build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto `. + +The following artifacts will be generated in the Yocto deploy directory: + +.. list-table:: + :header-rows: 1 + :widths: 50 50 + + * - File + - Description + * - :file:`${IMAGE_NAME}.rootfs.cyclonedx.bom.json` + - The CycloneDX SBOM file + * - :file:`${IMAGE_NAME}.rootfs.cyclonedx.vex.json` + - The CycloneDX VEX file + +***************** +Working with SBOM +***************** + +It is recommended to use open-source tools for working with SBOMs. +The following open-source tools are recommended for working with SBOMs: + +.. list-table:: + :header-rows: 1 + :widths: 20 40 40 + + * - Format + - Tool + - Description + * - CycloneDX + - `CycloneDX Sunshine `_ + - Visualize CycloneDX SBOMs in a human-readable format + * - CycloneDX + - `CycloneDX CLI `_ + - BOM analysis, modification, diffing, merging, format conversion, signing and verification. + * - SPDX + - `SPDX Open Source Tools `_ + - A collection of open-source tools for working with SPDX SBOMs + +.. 
note:: + + SPDX 3.0 is not yet widely supported by SPDX tools. Using such tools with + SPDX 3.0 files may give varied or unexpected results. + +************ +CVE Analysis +************ + +The `sbom-cve-check `_ tool can be +used to perform CVE analysis on the generated SPDX SBOM. + +1. Install the tool: + + .. code-block:: console + + pip install sbom-cve-check + + .. note:: + + It is recommended to install this tool in a Python virtual environment. + +2. Retrieve the following artifacts from the Yocto deploy directory: + + .. list-table:: + :header-rows: 1 + :widths: 50 50 + + * - File + - Description + * - :file:`${IMAGE_NAME}.rootfs.spdx.json` + - The SPDX v3.0 SBOM file + * - :file:`${IMAGE_NAME}.rootfs.json` + - Vulnerability information file generated by ``vex.bbclass`` + +3. Run the CVE analysis: + + .. code-block:: console + + sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \ + --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \ + --export-type yocto-cve-check-manifest \ + --export-path cve-check.json + +.. note:: + + ``sbom-cve-check`` only supports SPDX format and does not support CycloneDX. diff --git a/source/linux/How_to_Guides_Developer_Notes.rst b/source/linux/How_to_Guides_Developer_Notes.rst index cbc6a644f..da025d99f 100644 --- a/source/linux/How_to_Guides_Developer_Notes.rst +++ b/source/linux/How_to_Guides_Developer_Notes.rst @@ -38,6 +38,7 @@ Developer Notes How_to_Guides/FAQ/How_to_Configure_MSMC_memory How_to_Guides/FAQ/How_to_Check_Device_Tree_Info How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software + How_to_Guides/FAQ/How_to_work_with_SBOM How_to_Guides/Host/How_to_Build_a_Ubuntu_Linux_host_under_VMware How_to_Guides/Host/K3_Resource_Partitioning_Tool How_to_Guides/Host/How_to_Setup_and_Debug_using_Lauterbach From e7f9c4b65f8307b6e80af629dbb90fde9dd2eb5d Mon Sep 17 00:00:00 2001 
From: Yogesh Hegde Date: Thu, 16 Apr 2026 17:43:06 +0530 Subject: [PATCH 3/4] feat(linux): Add link to working with SBOM Add link to working with SBOM in release specific section Signed-off-by: Yogesh Hegde --- source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst | 1 + source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst | 2 ++ source/devices/AM62X/linux/Release_Specific_Release_Notes.rst | 1 + source/devices/AM64X/linux/Release_Specific_Release_Notes.rst | 1 + 4 files changed, 5 insertions(+) diff --git a/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst index ded64c71a..4182c3bd0 100644 --- a/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst @@ -43,6 +43,7 @@ Software Bill of Materials (SBOM) |__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. +For more refer :ref:`Working with SBOM `. Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst index 5c9f256ea..535237d96 100644 --- a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst @@ -43,6 +43,8 @@ Software Bill of Materials (SBOM) |__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format by default. SBOMs for all released artifacts are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. +For more refer :ref:`Working with SBOM `. + Release 12.00.00.07.04 ====================== 
diff --git a/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst index fde19805e..26ca61ba2 100644 --- a/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst @@ -41,6 +41,7 @@ Software Bill of Materials (SBOM) |__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. +For more refer :ref:`Working with SBOM `. Release 12.00.00.07.04 ====================== diff --git a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst index 970b1825f..184f5065d 100644 --- a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst @@ -41,6 +41,7 @@ Software Bill of Materials (SBOM) |__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 format by default. SBOMs for all released artifacts are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|. +For more refer :ref:`Working with SBOM `. Release 12.00.00.07.04 ====================== From 89572e65a06b74352f380a83bf41263739877986 Mon Sep 17 00:00:00 2001 From: Yogesh Hegde Date: Fri, 17 Apr 2026 10:02:42 +0530 Subject: [PATCH 4/4] feat(linux): Add SBOM section to release notes for AM62DX Add release artefacts SBOM information to release notes for AM62DX device. Signed-off-by: Yogesh Hegde --- .../AM62DX/linux/Release_Specific_Release_Notes.rst | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source/devices/AM62DX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62DX/linux/Release_Specific_Release_Notes.rst index f8eccf267..b90e2dff4 100644 
--- a/source/devices/AM62DX/linux/Release_Specific_Release_Notes.rst +++ b/source/devices/AM62DX/linux/Release_Specific_Release_Notes.rst @@ -35,6 +35,13 @@ found on the SDK download page or in the installed directory as indicated below. - Linux Manifest: :file:`/manifest/software_manifest.htm` +Software Bill of Materials (SBOM) +================================= + +|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0 +format for Yocto. SBOM for released artifacts be found on the |__SDK_DOWNLOAD_URL__|. +For more refer :ref:`Working with SBOM `. + Release 12.00.00.07.04 ======================
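Review bot: in the AM62PX release-notes hunk of patch 1 (and likewise the AM64X hunk) the added paragraph references `|SDK_FULL_NAME|` and `|SDK_DOWNLOAD_URL|`, whereas the AM62LX and AM62X hunks of the same patch use `|__SDK_FULL_NAME__|` and `|__SDK_DOWNLOAD_URL__|`; patch 2 then rewrites the AM62PX and AM64X lines to the underscored form. Squash that correction into patch 1 so every step of the series builds without undefined-substitution warnings and patch 2 stays limited to the how-to guide named in its subject. The same AM62PX hunk also adds no blank line after the `=================================` underline and none between `archive and can be found on the |SDK_DOWNLOAD_URL|.` and the following `Release 12.00.00.07.04` title (compare the AM62LX hunk, which adds an empty line on both sides); without the blank line before the title, docutils reads the title and its underline as continuation lines of the paragraph. Patch 3 adds the trailing blank line for AM62PX only; fold it into this patch and apply the same fix to the AM64X hunk.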
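Review bot: the AM62LX hunk of patch 1 (and the identical AM62X hunk) states that the release ships "CycloneDX 1.6 format for Buildroot", but the how-to guide added in patch 2 describes CycloneDX as an output of the Yocto build obtained by uncommenting the `meta-cyclonedx` layer and adding `INHERIT += "cyclonedx-export"`, and nothing in the series mentions a Buildroot SBOM. Please confirm which build produces the CycloneDX file and make this sentence, the AM62PX/AM64X wording ("SPDX 3.0 format by default"), the AM62DX wording ("SPDX 3.0 format for Yocto") and the guide's format table agree; a consumer uses this sentence to decide which SBOM to match against the artefact they downloaded.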
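Review bot: in the new `How_to_work_with_SBOM.rst` hunk of patch 2, the "Generating SBOM" table lists SPDX 3.0 and CycloneDX 1.6 as formats the Yocto build generates, but the text below says only SPDX is produced by default and CycloneDX requires the third-party `meta-cyclonedx` layer plus `INHERIT += "cyclonedx-export"`; add a "Default" column or a sentence above the table so readers do not look for a CycloneDX file the stock build never writes. Further points in the same hunk: the `INHERIT += "vex"` step documents that `${IMAGE_NAME}.rootfs.json` holds "vulnerability information generated by `vex.bbclass`" but not where that data comes from or how to refresh it, and since the CVE Analysis section feeds this file into `sbom-cve-check`, one sentence stating that findings are only as current as the CVE data fetched at build time belongs next to the step; pin the `pip install sbom-cve-check` command to a version so the documented options (`--yocto-vex-manifest`, `--export-type yocto-cve-check-manifest`) match what readers install; the two opening sentences of "Working with SBOM" say the same thing and can be collapsed into one; the glossary entries read "Software Bill of Materials - is a comprehensive list", drop the dash and "is"; and the title should read "How-to guide for working with Software Bill of Materials (SBOM)".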
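Review bot: in the AM64X hunk of patch 3 the added `For more refer :ref:` line is immediately followed by the `Release 12.00.00.07.04` title with no blank line between them (the AM62PX hunk of this patch adds one, and the AM62LX and AM62X files already have one from patch 1), so the title and its `======================` underline will be parsed as part of the paragraph; add the blank line. The sentence itself, repeated in all four hunks, should read "For more information, refer to" followed by the existing `:ref:` link.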
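Review bot: in the AM62DX hunk of patch 4 the line `SBOM for released artifacts be found on the |__SDK_DOWNLOAD_URL__|.` is missing its verb; make it "SBOMs for released artifacts can be found on the |__SDK_DOWNLOAD_URL__|." and align it with the other device pages, which also tell the reader that the SBOMs "are bundled into a single archive" (information needed to locate the file on the download page). The trailing "For more refer" should become "For more information, refer to", as in the patch 3 hunks.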