Security is critical throughout the lifetime of an embedded system. Continually changing threat environments, new deployment modes and third-party software updates mean that the BSP software for an embedded system device can no longer remain static and “frozen.”
We explored embedded system security and best practices for maintaining a BSP throughout its lifecycle in a recent webinar with our partner NXP.
If you missed the webinar, be sure to catch the replay here: https://www.nxp.com/design/training/full-life-cycle-security-maintenance-of-embedded-linux-bsps:TIP-FULL-LIFE-CYCLE-SECURITY-MAINTENANCE-D0602
Now available from NXP, the Vigiles Security Monitoring and Management Service and the BSP Lifecycle Maintenance Service were highlighted in the webinar as central to establishing and maintaining secure software.
During the event, we received great questions about vulnerability monitoring with Vigiles, embedded Linux security with various build systems, and other aspects of BSP maintenance.
Here are the top three questions we received during the webinar.
Q: Are both Vigiles and the BSP Lifecycle Maintenance Service available for non-Yocto BSPs?
A: Yes. Vigiles and the BSP Lifecycle Maintenance Service are available for non-Yocto BSPs. Vigiles has direct integration into Yocto, Buildroot and Timesys Factory build systems.
For all other build systems, you need to generate a software BOM and upload it to Vigiles. Alternatively, you can create your software manifest from scratch entirely online using the Vigiles “Create Manifest” UI. Once your manifest is uploaded, Vigiles will provide full monitoring of CVEs and fixes, along with support for triaging.
For BSP Lifecycle Maintenance, we can support most open source software. If a software manifest exists, we can maintain the security of your BSP.
Q: How are Vigiles results provided? Are the reports exportable (JSON/XML) for integration into company-wide issue trackers?
A: Yes. The Vigiles results can be exported. You can export them as a spreadsheet or a PDF, so the results can be easily integrated into your own issue tracker.
In an upcoming Vigiles release, you will also have the ability to get reports via JSON directly in your build system. This will provide further integration into your company-wide issue tracker.
Q: Can the patches for each maintenance release be pushed to our own Git?
A: Yes. If you can grant our BSP Maintenance Service team access to your Git repository, we can push the patches for each maintenance release directly into it.
You can learn more about the BSP Lifecycle Maintenance Service at https://www.nxp.com/pages/bsp-lifecycle-maintenance:BSP-LIFECYCLE-MAINTENCE.
I encourage you to register for a Vigiles SBOM Manager account, and give Vigiles a try with your own BSP. To register: https://timesys.com/register-nxp-vigiles/
About Timesys
Timesys has extensive experience with embedded system development and lifecycle management. Timesys has been instrumental in providing leading global semiconductor manufacturers with smart, quick and quality solutions for highly complex systems with accelerated product innovation and multiple product variants.