Skip to content

meta-tolomeo Release Notes

For the full technical changelog, refer to the upstream repository.

[1.4.0+26.05] - 2026-05-22

Added

Firmware update artifacts can now be generated with AES encryption, adding an extra layer of protection to update packages both during transfer and when stored on the device.

[1.3.0+26.05] - 2026-05-19

Security

The May 2026 security update batch has been applied to this release.

Added

  • Local system updates. Firmware updates can now be applied directly on the device without going through the cloud OTA infrastructure, providing an alternative update path when direct cloud connectivity is not available.
  • OTA download streaming configuration. The download behaviour for over-the-air firmware updates can now be configured, giving more control over bandwidth usage during update delivery.

[1.2.1+26.03] - 2026-03-24

Security

Two known security vulnerabilities (CVE-2025-69223 and CVE-2025-43859) have been patched in this release.

Fixed

The component identifiers embedded in generated SBOMs are now correctly formatted, which improves the accuracy of CVE matching in the Cybersecurity module.

[1.2.0+26.03] - 2026-03-16

Added

  • QEMU ARM build targets. The metalayer now supports building and testing firmware images for ARM-based QEMU virtual machines, making it easier to develop and validate firmware before deploying to physical hardware.
  • U-Boot FIT signature verification. Secure boot can now verify firmware signatures at the bootloader level, strengthening the chain of trust for production devices.

Security

Three known security vulnerabilities (CVE-2025-62727, CVE-2025-54121, and a batch of additional March 2026 patches) have been resolved.

[scarthgap-1.1.0] - 2026-02-20

Added

  • CycloneDX SBOM generation. Firmware builds now automatically produce a Software Bill of Materials in CycloneDX format alongside a VEX file. These are the files you upload to the Cybersecurity module to track vulnerabilities across your firmware fleet.
  • Enhanced kernel CVE analysis. The kernel vulnerability pipeline now cross-references CVEs against the exact kernel configuration compiled into each build, reducing false positives when analysing findings in the Cybersecurity module.
  • Compressed delta OTA updates. Firmware update packages can now be generated as compressed delta artifacts, significantly reducing their size and the bandwidth required to deliver updates to devices in the field.

Fixed

A crash that prevented the edge agent from starting when the device data partition was full has been resolved. Devices in low-disk conditions will now continue operating correctly.

Removed

Support for ToloMEO Manager has been removed from this release.