June 2026 – vulnerability storm, overlayfs, EU Open Source Strategy

Posted in: Embedded Security Timeline

Published: June 30, 2026

Last modified: June 30, 2026

Linux kernel updates – overlayfs

Some technical conferences go really deep into specific topics, and that is certainly the case for the Linux Storage, Filesystem, Memory Management, and BPF Summit.

At the recent event in May, Amir Goldstein presented updates to overlayfs, a feature widely used in embedded Linux. Overlayfs stacks filesystems on top of each other, which makes it possible, for example, to keep the root filesystem read-only while persisting writes to configuration files and other data on a separate writable layer. One notable addition is the ability to mount the filesystem with one set of credentials while accessing it with another. This matters because overlayfs normally performs operations on the underlying layers with the credentials of the task that created the mount, so the mounter's privileges, not the accessor's, bound what can be done on the lower and upper directories.

LWN summary: https://lwn.net/Articles/1077052/
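The read-only-root pattern described above, as an added example that is not part of the LWN article or the summit talk: a small POSIX shell helper that composes the overlayfs mount options, checks the layout constraints the kernel enforces (upperdir and workdir on the same writable filesystem, workdir not nested inside upperdir) and only then calls mount(8). All paths (/data/etc, /data/work) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the LWN article or Amir Goldstein's talk): keep the
# root filesystem read-only while writes to /etc land on a persistent partition.
#
# Layout assumed here (adapt to your board):
#   /etc         read-only copy shipped in the rootfs image   -> lowerdir
#   /data        writable partition that survives reboots
#   /data/etc    files written through the overlay end up here -> upperdir
#   /data/work   scratch space overlayfs needs, same fs as upperdir -> workdir

# Compose the overlayfs mount option string for one lower, upper and work dir.
overlay_opts() {
    printf 'lowerdir=%s,upperdir=%s,workdir=%s' "$1" "$2" "$3"
}

# Return the filesystem backing a directory (df -P is POSIX, unlike stat -c).
fs_of() {
    df -P "$1" | awk 'NR == 2 { print $1 }'
}

# Validate the constraints the kernel enforces before attempting the mount:
# all three directories exist, upperdir and workdir are on the same
# filesystem, and workdir is not upperdir or nested inside it. Returns 0 when ok.
overlay_check() {
    lower=$1; upper=$2; work=$3
    [ -d "$lower" ] && [ -d "$upper" ] && [ -d "$work" ] || return 1
    [ "$(fs_of "$upper")" = "$(fs_of "$work")" ] || return 1
    case "$work" in
        "$upper"|"$upper"/*) return 1 ;;
    esac
    return 0
}

# Mount the overlay on $target. Calls mount(8) only when run as root; otherwise
# it prints the command so the script can be reviewed on a development host.
mount_overlay() {
    lower=$1; upper=$2; work=$3; target=$4
    overlay_check "$lower" "$upper" "$work" || {
        echo "overlay: invalid layout ($lower, $upper, $work)" >&2
        return 1
    }
    opts=$(overlay_opts "$lower" "$upper" "$work")
    if [ "$(id -u)" -eq 0 ]; then
        mount -t overlay overlay -o "$opts" "$target"
    else
        echo "would run: mount -t overlay overlay -o $opts $target"
    fi
}

# Typical use on the target (paths assumed): persist /etc only, keep / read-only.
# Mounting over the lower directory itself is fine; lowerdir is resolved first.
# mount_overlay /etc /data/etc /data/work /etc
```

Run this from an initramfs or an early init unit, before anything writes to /etc. Because the mount is created by root, the overlay operates on /data with root's credentials regardless of which user later writes through it, which is exactly the point of the credential separation discussed at the summit.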

Linux kernel updates – old drivers removal and AI

Linux 7.1 removed a large number of legacy drivers, particularly for old networking hardware and ISDN devices. If your products still depend on old hardware, check the list before upgrading.

LWN’s overview of Linux 7.1 also contains an interesting look at AI-assisted kernel development. While many new contributors now use AI tools, there are also signs that AI is being used to systematically hunt for bugs, including potential security issues.

Details: https://lwn.net/Articles/1077425/

Flashing in production

Embedded products produced in short series rarely benefit from automated programming lines. Firmware flashing is usually performed manually by operators, with consequences for both quality and security: your key database can end up on a USB stick that is shared with dozens of other manufacturers.

The Agile Embedded podcast recently released an episode discussing what production actually looks like in practice. If you’ve never visited a manufacturing line, it’s well worth a listen.

Episode: https://agileembeddedpodcast.com/episodes/factory-firmware-flashing-with-pete-staples

Single Reporting Platform update (Cyber Resilience Act)

ENISA has updated the FAQ for the Single Reporting Platform, which manufacturers will use from September 11, 2026 to report actively exploited vulnerabilities and severe security incidents under the Cyber Resilience Act. While the platform itself is not yet operational, the FAQ already lists the questions manufacturers will need to answer.

I’ve prepared a visual representation of the reporting fields (image: CRA Single Reporting Platform form content).

ENISA FAQ on SRP: https://www.enisa.europa.eu/topics/product-security-and-certification/single-reporting-platform-srp

CRA-related standards are progressing

CRA-related standards are also progressing. If you have access to the drafts through a national or European standardization body, they are worth following; several are currently open for public consultation:

https://docbox.etsi.org/CYBER/EUSR/Open

Vulnerability storm

AI-assisted vulnerability reports continue to create significant additional work for open source projects.

Some projects have started discussing the issue publicly. For example, Linus Torvalds recently noted in the Linux 7.1-rc4 announcement that kernel contributors are now expected to disclose when an AI tool was used to identify a reported vulnerability.

Reference: https://lwn.net/Articles/1073192/

EU Open Source Strategy

The European Commission has published its Open Source Strategy.

A few points stand out:

  • Open source is explicitly recognized as strategic infrastructure for Europe.
  • The strategy acknowledges that the ecosystem extends far beyond large foundations to include individual maintainers, small projects and companies.
  • Rather than introducing a dedicated European Sovereign Tech Fund (see the link below), the focus is on procurement, adoption and sustainable commercial ecosystems around open source.

The document mentions approximately €2 billion over seven years in combined public and private investment. This is a significant sum in absolute terms, but a small fraction of Europe’s overall software spending.

Strategy:
https://digital-strategy.ec.europa.eu/en/library/communication-european-tech-sovereignty-accompanied-eu-open-source-strategy

Related initiative that could become the EU Sovereign Tech Fund:
https://digital-commons-edic.eu/projects/

Mentions

“Embedded Systems Security in 2026: The Shift from Code to Chain of Custody” https://www.embeddededit.com/article/embedded-security-ai-supply-chain-risks

Where we were

June 9 – Cloud Builders Embedded & IoT Conference https://cloud-builders.org/iot-conf/

June 24 – OSADL Networking Day https://www.osadl.org/?id=4426

Where you can meet us

July 8 – Webinar: “The Cyber Resilience Act: What Embedded Developers Need to Know”, together with Mind.

Registration: https://zoom.us/webinar/register/WN_tXJbF-ZlQBCRYkD5uGpNUg#/registration


To get this newsletter directly to your mailbox, subscribe!