Burkhard Stubert

Surviving the EU Cyber Resilience Act

by Burkhard Stubert
2025/11/072025/11/07

As a machine or device manufacturer, you probably have some sleepless nights because of the Cyber Resilience Act (CRA). What do you have to do so that you can sell your products after 11 December 2027 and don’t have to pay penalties threatening the existence of your company?

Overview: Risk Assessment of the Essential Product Requirements

by Burkhard Stubert
2025/11/02

The risk assessment of the essential product requirements is the most important, most time-consuming and least understood of CRA compliance. It answers a crucial question: Can you upgrade your embedded system to a current version, free it from exploitable vulnerabilities and keep it that way – with reasonable effort?

by Burkhard Stubert
2025/08/112025/10/27

Many embedded Linux systems use a Wayland compositor like Weston for window management. Qt applications act as Wayland clients. Weston composes the windows of the Qt applications into a single window and displays it on a screen. I still have to find a Yocto layer that does not start Qt applications as root. This violates the cybersecurity principle that every application should only run with the least privileges possible. Let us figure out how to run Qt applications as non-root users and make our system more secure.

by Burkhard Stubert
2025/07/222025/10/27
5 Comments

Once we have removed an item from a BitBake variable, we cannot re-append it. The evaluation of the following three assignments of the variable BB_VAR yields the same result, no matter in which order the assignments are executed.

# Code under someone else's control
BB_VAR ?= "x z"
BB_VAR:remove = "a y"

# Code under our control
BB_VAR:append = " y"

### Result: BB_VAR = "x z" instead of "x y z"

by Burkhard Stubert
2025/07/072025/10/27
2 Comments

When we look closer at the support period, we’ll find more and more interesting questions.

Does the support period start, when the end user buys a product or when a product is released, manufactured or sold for the first time?
Can manufacturers set the length of the support period as they see fit?
Can manufacturers terminate the support period as they see fit?
What obligations do manufacturers have to satisfy during the support period? What after the support period?
Are there special rules for products released in the transitional period from 11 December 2024 to 10 December 2027?
Does the EU CRA apply to products released before 11 December 2024?

by Burkhard Stubert
2025/04/282025/10/27
4 Comments

According to Annex I Part II of the EU CRA, manufacturers must actively search for vulnerabilities in their embedded devices, fix them and publicly disclose them to their users and the cybersecurity authorities. Manufacturers must implement a process to release their devices without any know vulnerabilities and to keep their devices free of vulnerabilities during the whole product lifetime by providing security updates in a timely manner.

Burkhard Stubert

Surviving the EU Cyber Resilience Act

Overview: Risk Assessment of the Essential Product Requirements

Running Wayland Clients as Non-Root Users

DISTRO_FEATURES:append After DISTRO_FEATURES:remove Has No Effect

EU CRA: Start, Length and End of Support Period

EU CRA: Essential Requirements Related to Vulnerability Handling