Security¶
The ToloMEO edge platform is designed with security as a first-class concern. The production
distribution (tolomeo-prod) ships with secure boot, kernel hardening, audit and integrity
frameworks enabled, and automated SBOM generation on every build.
Secure boot¶
The NXP i.MX8M Plus target supports hardware-backed secure boot (NXP HAB). Bootloader and kernel images are signed using NXP CST (Code Signing Tools). On a production device whose SRK hash has been programmed into the OTP fuses and which has been closed, only images signed with the matching keys will boot. Note that an open (unfused) board only logs HAB authentication failures and boots anyway, so a development board does not prove that the chain of trust is enforced; verify on a closed device. See the Hardening and Secure Boot flow for key generation and the full chain-of-trust setup.
Security hardening¶
The tolomeo-prod distribution enables the following by default:
- Kernel hardening flags
- Audit framework
- IMA/EVM integrity checking
- Lynis security scanner
- Kernel hardening checker
The tolomeo-devel distribution omits all of the above to allow iterative development workflows. It is not a production configuration: validate security behaviour (secure boot, IMA/EVM, audit) on a tolomeo-prod image, and do not ship tolomeo-devel on deployed devices.
SBOM generation¶
A CycloneDX SBOM and a VEX file are generated automatically at the end of every image build. See the SBOM Tracking flow for uploading, triaging, and reporting on the generated artifacts.
build/tmp/deploy/cyclonedx-export/<machine>/<image>/
├── bom.json # Software Bill of Materials (CycloneDX 1.6)
└── vex.json # Vulnerability Exploitability eXchange
The bom.json file can be uploaded directly to the Cybersecurity
module in ToloMEO cloud for CVE analysis and vulnerability tracking.
Supplier attribution¶
The meta-tolomeo layer pre-configures DAVE Embedded Systems as a supplier. If you are building a custom layer on top, add your company supplier information to ensure correct attribution in the SBOM:
# In your distro configuration
CDX_SUPPLIER_MAP[mycompany.name] = "My Company Name"
CDX_SUPPLIER_MAP[mycompany.urls] = "https://www.mycompany.com"
# Assign to your top-level recipes
CDX_COMPONENT_SUPPLIER = "mycompany"
Supplier assignment propagates automatically to dependencies. You only need to assign it to top-level packages; the build system handles the rest.
Kernel VEX generation¶
Yocto's default CVE report for the Linux kernel contains false positives because it matches CVEs against the kernel version without considering which code paths are actually compiled. The meta-tolomeo layer integrates optional kernel CVE enrichment directly into the build pipeline: when enabled, CVEs are cross-referenced against the compiled source list and the kernel vulnerability database at build time, and the resulting enriched data is picked up automatically during SBOM assembly.
Once enrichment is enabled, no further manual steps are required. The enriched vex.json is produced alongside bom.json at the end of the build and can be uploaded to the Cybersecurity module to suppress false positives and provide accurate kernel vulnerability assessments.
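The following is an added example, not code from meta-tolomeo or ToloMEO cloud, that shows what a post-build check on the two artifacts above can look like before they are uploaded: it parses a bom.json / vex.json pair of the shape written to the cyclonedx-export directory, lists components that carry no supplier (the usual symptom of a custom layer that forgot CDX_COMPONENT_SUPPLIER, see "Supplier attribution"), and applies the CycloneDX analysis states from the VEX file (including the kernel enrichment described here) to find which CVEs still need attention. The embedded JSON is a constructed, heavily trimmed sample; the CVE identifiers in it are placeholders, not findings against any real package.

```python
"""Sanity checks on a CycloneDX bom.json / vex.json pair before upload.

Added example, not part of meta-tolomeo. The sample documents below are
constructed for illustration and the CVE ids are placeholders.
"""
import json
import sys
from collections import Counter
from pathlib import Path

# Constructed sample of a trimmed CycloneDX 1.6 BOM: two attributed
# components and one (my-app) that a custom layer forgot to attribute.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "components": [
    {"bom-ref": "pkg:generic/linux-imx@6.6", "name": "linux-imx",
     "version": "6.6", "supplier": {"name": "DAVE Embedded Systems"}},
    {"bom-ref": "pkg:generic/openssl@3.2.0", "name": "openssl",
     "version": "3.2.0", "supplier": {"name": "DAVE Embedded Systems"}},
    {"bom-ref": "pkg:generic/my-app@1.0", "name": "my-app", "version": "1.0"}
  ]
}
""")

# Constructed sample VEX (placeholder CVE ids): one kernel CVE suppressed as
# unreachable code, one still exploitable, one untriaged, and one statement
# whose ref no longer exists in the BOM.
SAMPLE_VEX = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.6",
  "vulnerabilities": [
    {"id": "CVE-0000-0001",
     "analysis": {"state": "not_affected", "justification": "code_not_reachable"},
     "affects": [{"ref": "pkg:generic/linux-imx@6.6"}]},
    {"id": "CVE-0000-0002", "analysis": {"state": "exploitable"},
     "affects": [{"ref": "pkg:generic/linux-imx@6.6"}]},
    {"id": "CVE-0000-0003", "analysis": {"state": "in_triage"},
     "affects": [{"ref": "pkg:generic/openssl@3.2.0"}]},
    {"id": "CVE-0000-0004", "analysis": {"state": "not_affected"},
     "affects": [{"ref": "pkg:generic/removed@0.1"}]}
  ]
}
""")

# CycloneDX impact-analysis states that mean "no action needed".
CLOSED_STATES = {"not_affected", "false_positive", "resolved",
                 "resolved_with_pedigree"}


def components_without_supplier(bom):
    """bom-refs of components that would be unattributed after upload."""
    return sorted(c["bom-ref"] for c in bom.get("components", [])
                  if not c.get("supplier", {}).get("name"))


def supplier_histogram(bom):
    """Number of components per supplier name ('<none>' when missing)."""
    return Counter(c.get("supplier", {}).get("name", "<none>")
                   for c in bom.get("components", []))


def open_cves(vex, bom):
    """Return ({bom-ref: [open CVE ids]}, [(cve, stale ref), ...]).

    A VEX statement is only honoured when its ref exists in the BOM; a
    stale ref (component renamed or dropped) is reported instead of being
    allowed to silently suppress anything. A missing analysis counts as
    in_triage, i.e. still open.
    """
    refs = {c["bom-ref"] for c in bom.get("components", [])}
    still_open, stale = {}, []
    for v in vex.get("vulnerabilities", []):
        state = v.get("analysis", {}).get("state", "in_triage")
        for a in v.get("affects", []):
            ref = a.get("ref")
            if ref not in refs:
                stale.append((v["id"], ref))
            elif state not in CLOSED_STATES:
                still_open.setdefault(ref, []).append(v["id"])
    return {r: sorted(ids) for r, ids in still_open.items()}, stale


def main(argv):
    """Usage: check_sbom.py [bom.json vex.json]; defaults to the samples."""
    if len(argv) == 3:
        bom, vex = (json.loads(Path(p).read_text()) for p in argv[1:3])
    else:
        bom, vex = SAMPLE_BOM, SAMPLE_VEX
    print("unattributed components:", components_without_supplier(bom))
    print("components per supplier:", dict(supplier_histogram(bom)))
    open_map, stale = open_cves(vex, bom)
    for ref, ids in open_map.items():
        print(f"open: {ref}: {', '.join(ids)}")
    for cve, ref in stale:
        print(f"stale VEX ref (ignored): {cve} -> {ref}")
    return 1 if open_map or stale else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the sample output, or with the real `bom.json` and `vex.json` paths from `build/tmp/deploy/cyclonedx-export/<machine>/<image>/`. The non-zero exit status on open or stale entries makes it usable as a CI gate; the stale-ref check matters because a VEX statement that no longer points at a component in the BOM is the typical way a kernel suppression goes quietly missing after a package rename.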