Yocto Project Summit 2025.12

Welcome - Day 1

Hands-On Setup

This seminar is for people who are new to using the Yocto Project and want an introduction to the basics of how to use bitbake and start to build images to be used with QEMU.

Two high-impact new arrivals in bitbake and openembedded-core are bitbake-setup and support for the clang toolchain. Lets give them a spin.

Hands-on class that demonstrates the features of devtool.

This seminar is for people who are new to using the Yocto Project and want an introduction to the basics of layers, building images, and other initial topics

After a few months of using Cursor AI backed by claude-4-sonnet in agentic mode on Yocto / OpenEmbedded development, I want to share the genuine productivity transformations I've experienced, and the critical lessons about where it goes wrong.

I'll show you how AI helped me remote into target hardware via SSH, capture webcam images of running code, analyse the output, and iterate until our e-ink display worked correctly. I'll demonstrate automated power consumption monitoring feeding back into BSP optimisation workflows.

I'll also share the gotchas: when AI creates overly complex solutions, goes down rabbit holes, and happily does the nonsensical things if you ask it to.

The key insight? You need feedback loops, you need experience, and you need to stay in control,

I'm hoping to begin a conversation with the community about how we build best practice to leverage AI pair programming in future.

Handling the complexity of automotive software projects with Openembedded/Yocto is very challenging. Contributing factors to this include the complex automotive SoCs in general and of course the vendor-supplied BSPs with many meta-layers. They include multiple image and distro variants, as well as specific machine configurations for the hardware and the emulation. On top of that the project developers put on top of that the project specific layers, build variants and configurations.

To handle that in automotive projects, a standardized way is required to deal with all of this complexity without developing something new. In our case KAS was adopted as the best solution, that fulfilled all the requirements on such a tool.

The talk will highlight the general idea of KAS and the problem it solves within Openembedded/Yocto projects. After explaining how to set up KAS projects the next step is an overview of how it is used in our automotive project will be given. It will be highlighted how we manage multiple layers, different machines, images and distros to build different targets with the help of KAS. Afterwards, it will be shown how it enabled our project to have a standardized way for developers and the CI to trigger builds with specific configurations easily.
At the end of the talk the key reasons to use KAS will be summarized and an outlook will be given onthe development that is currently happening with bitbake-setup.

This talk explains how STM32MP BSP Layer is developed and organized.

Social hangout - Day 1

Welcome - Day 2

Since the Linux kernel became a CVE Numbering Authority (CNA), the number of associated CVEs has increased. Security teams must address these CVEs to meet regulatory and customer requirements, increasing their workload unless automation is implemented. In this talk, we analyze the status of CVEs for each LTS kernel branch. Then, we demonstrate how leveraging CVE kernel metadata and recent SPDX generation enhancements within oe-core can reduce CVE false positives by 70% and provide detailed responses for all kernel-related CVEs. This process uses output from vex or the cve-check bbclass as input. Additionally, it enables more detailed per-binary information about the source code used to compile any package built with The Yocto Project.

Two major features have been added to Yocto Project in 2025: Configuration Fragments and the bitbake-setup command.

Configuration Fragments were introduced in Yocto Project 5.2 "Walnascar", allowing configuration changes to be organised into separate files which can easily be enabled or disabled via the OE_FRAGMENTS variable.

The bitbake-setup command will be introduced in Yocto Project 5.3 "Whinlatter", automating the initial setup of a build environment. This command will fetch required layers and enable configuration fragments based on user input. It makes use of a new conf/toolcfg.conf file to avoid clashing with any changes you wish to make in conf/local.conf.

After the introduction of bitbake-setup, the combined poky git repository is being retired - if you have been using this you will need to switch over to bitbake-setup or clone bitbake and openembedded-core directly.

In Yocto-based projects, the distribution is commonly a means to an end - sandwiched between the BSP and business logic, it often simply "exists". But what if the distro itself is the focus of the project, designed to be generic and reusable across multiple devices, products, or even organizations? This lightning talk explores the motivations, challenges, and strategies behind writing a targetless, general-purpose Yocto distribution.

The cve-check class allows to find out which packages in your Yocto Project build have unfixed vulnerabilities. In the recent months, Marta and the team has worked on a replacement called currently yocto-vex-check. In this talk she will share experiences from this experiment and explore how the Yocto Project could address the problem in the years ahead, taking into account the new legal requirements (CRA-Cyber Resilience Act) and the ongoing issues with the CVE program.

Previous presentations at the Yocto Summit on Secure Boot have primarily focused on what Secure Boot is. This presentation instead walks a developer through the step-by-step process to generate a Poky (walnascar) build that supports Secure Boot.

Self-paced version of the Tools hands-on class, specifically for the Beginner's Class students.

This session presents feedback from deploying dm-verity in a Secure Boot-enabled embedded Linux system built with The Yocto Project. We will outline the integration process, system-level constraints, and runtime implications for secure deployments.

This talk explores how to establish a complete secure boot chain on ARM-based embedded platforms using Yocto, combining SoC-level security mechanisms with Linux-level integrity protection. Through the example of NXP’s i.MX family, we’ll show how to leverage features such as HABv4, ARM TrustZone, and OP-TEE to create a verified, encrypted, and trusted execution environment from the first instruction to the root filesystem.

VulnScout is an open-source vulnerability assessment tool that analyzes SBOMs and aggregates results from sources such as CVE, OSV, and Yocto cve-check output. To make it directly usable within the Yocto ecosystem, we developed meta-vulnscout, a layer adding build tasks for automated and web analysis, similar in spirit to Toaster.

This talk will show how VulnScout helps improving the security envelope of Yocto-based systems and present our roadmap for tighter integration with Yocto workflows, including continuous monitoring, CI gating based on severity filters, and structured reporting. Attendees will learn how to run it today and what is coming next.

Software‑supply‑chain attacks increasingly exploit the dependency graphs hidden inside container base images. General‑purpose binary distributions can drag in hundreds of packages, making it difficult to generate accurate SBOMs and keep up with CVE patching. In this session you will learn how to use the Yocto Project to build lean, auditable container base images and matching package repositories that can serve as drop‑in replacements inside existing Docker or Podman build pipelines.

Meeting EU RED GEC-1 compliance requires a stronger focus on identifying and addressing vulnerabilities in embedded Linux systems. This talk shares lessons learned from building a practical CVE monitoring and remediation workflow using Yocto’s cve-check and related tooling.

Social hangout - Day 2

Welcome - Day 3

Hitachi Energy is in the middle of an exciting rollout of Linux-based energy grid automation and protection products. This talk walks through the story of the switch to embedded Linux using Yocto, challenging industry protocol support, EU CRA impact, OSS license obligation challenges, and all in a very long-lived and slowly evolving industry.

The lifetime of electronic products is not defined solely by hardware; software design has become a decisive factor. Design choices in embedded software, such as build reproducibility, dependency management, update strategy, and security configuration, have a direct impact on product reliability and long-term usability. This talk explores how robust and sustainable software practices can extend component lifetimes and reduce maintenance demands. Using the Yocto Project as a demonstration platform, it presents practical examples of reproducible builds, modular layer structures, and CI/CD integration that support system stability and maintainability. Attendees will gain insights into best practices for long-lived embedded products, including maintainable BSP creation and secure update management, emphasizing that designing for longevity is a shared responsibility between hardware and software engineering.

Maintaining a complex Yocto layer like meta-ros is more than just writing BitBake recipes—it's a balancing act across automation, cloud infrastructure, developer experience, and community collaboration. This talk explores how cross-domain skills—from Python scripting to cloud-native CI, and from configuration tooling to open source community engagement—can transform the sustainability and usability of embedded software layers.

Through real-world examples, Rob Woolley shares how embracing automation, reproducibility, and scalable testing has helped streamline maintenance and improve accessibility for developers. The session will also highlight the importance of fostering a vibrant community around open source projects, and how thoughtful tooling and infrastructure choices can empower contributors and users alike.

Whether you're a Yocto veteran or just getting started, this talk offers insights into how diverse technical skills and a collaborative mindset can make embedded development more approachable, efficient, and fun.

Yocto Project has a few years ago introduced the genericarm64 machine configuration. This talk explains what genericarm64 is, how it has been configured and how it can help developers to start with Yocto on arm64 based SoCs and to support multiple HW variants.

Vendor Board Support Packages (BSPs) are the standard for bringing new silicon to market, showcasing features, and promising an "easy" start. However, for those of us building products with long-term lifecycles, these BSPs often fail to meet quality requirements. They can be overly intrusive and typically don't separate feature showcases from the well-maintained base needed for product development. This focus on rapid demonstration frequently results in BSPs which are difficult to maintain, lack transparency, and are built on non-LTS Yocto and kernel versions, making them unsuitable for products expected to last 5, 10, or even 20 years.

Clang compiler recipes have been merged into OE-core layer with 5.3 release. Clang is used directly or indirectly in a lot of cases in Linux stack and increasingly in embedded linux systems. This talk will cover the rationale why it was promoted to OE-core. We will discuss the use cases where it is already used and how it is used.

This session explores the latest developments in toolchain testing, ongoing improvements, and upcoming features with a focus on GCC, GLIBC, Binutils, Rust and Clang/LLVM within the Yocto Project. Attendees will gain insights into the status of toolchain testing and improvements.

This is the journey of bringing up a custom STM32MP-based board, starting with an existing Buildroot repository and evolving toward a full Yocto Project setup using ST’s meta-st-stm32mp layers.

This will describe going from a Buildroot project to an exact replica with a Yocto Project using individual recipes and then updating it to use the meta-st-stm32mp layers.

Social hangout - Day 3