- This course closed on January 7, 2025.
Learn basics of secure embedded development using a step-by-step approach, with examples using the Yocto Project.
Audience : Embedded developers, system architects and project managers developing embedded systems using Linux with the Yocto Project.
Course objectives :
- Learn best practices for embedded systems design
- Understand the CVE (Common Vulnerabilities and Exposures) system and related databases, know how to use them with YP ; Understand their limitations
- Understand the SBOM (Software Bill of Materials) generation and usage
- Learn basic methods of hardening an embedded Linux distribution based on the Yocto Project
- Know main methods of hardening the build system with GCC
- Know main methods of hardening the Linux kernel
- Manage permissions in a system, create additional users and launch processes as specific users
- Gain a critical regard of configuration and development practices in regard to security practices of embedded system
- Know how to use tools inside and outside the system to audit security of an embedded distribution
- Be able to choose layers and packages with security principles in mind
- Be able to propose improvements of security practices and argument about them
Duration : 5 days
Format :
- Online with instructor-led lectures and question-and-answer sessions (at fixed time, two or three sessions per day)
- Remote lab (build and qemu images) using a prepared environment for each participant during the session and one week afterwards ; with a possibility to download a copy of the environment for further learning
- Practical assignments for topic covered
- Instant messaging with the instructor, teaching assistants and other participants
- Example layers, scripts and solutions for each exercise
- Replays of all instructor-lead sessions
Languages : training materials in English. Instructions available in English and French.
Pre-requirements
- Basic knowledge of the Yocto Project : building an image, modifying a recipe with a .bbappend file, running an image with qemu
- Basic knowledge of Unix/Linux systems : participants should be able to perform basic operations using the command line : modifying, copying and moving files, accessing remote systems using ssh, troubleshooting
- Basic programming skills on at least one of the programming languages used by the YP : Python (recommended), shell etc
Required equipment :
- A computer with Internet access allowing SSH and videoconferencing (Jitsi)
- A camera (recommended) and a microphone for videoconferences
About the instructor
- Enrollment in this course closed on January 7, 2025.
Day 1: Intro
Welcome!
Working in a remote environment
Using the virtual lab
Why Embedded Security?
Day 1: System configuration
Basic system configuration
Basic system configuration – solution
Day 1: Creating a distro
Why a distro?
Creating a simple distro
Auditing your distro
Quiz of the day
Day 2: CVEs
What are CVEs?
Running cve-check
How cve-check handles the CVE database
Running cve-check on a whole layer
Day 2: Keeping your distro up-to-date
Techniques for updating recipes and layers
Your layers and CVEs
Reporting security issues
Quiz of the day
Day 3: SBOM (Software Bill of Materials)
What is a SBOM?
Generating an SBOM in the Yocto Project
Scripting SBOM
Day 3: Build hardening
What is hardening?
Compiler options
Quiz of the day
Day 4: More hardening
More than compiler hardening…
Linux kernel hardening
Running services as different users
Managing device permissions
Hardening practical example
Quiz of the day
Day 5: Architecture
Package choice
Debug and production build
External scanning
Legislations to come: the CRA and beyond
The final quiz
End of the course survey
Resources
Course slides
