21 FEB • 2025 8 minutes
TLDR: I wanted to generate an up-to-date disk image for a Rock Pi 4 using Yocto that included CUPS and Docker to both get a better understanding of Yocto and test the new SBOM generation feature.
As with many single-board computers (SBCs) from China, the issue often isn’t the board itself but rather the software. The Rock Pi from Radxa is no exception. If you go and download the latest disk images for this board, you will notice that they are all end-of-life (EoL). However, these boards are still great and work very well for many applications. This should be top of mind if you are building a product that uses any of these devices.
I wanted to use one of the Rock Pi 4 boards I had for a simple print server. It’s not a customer product, of course, but let’s assume it was. Since it has the option to add eMMC storage, I find it more reliable than a Raspberry Pi (I know the Raspberry Pi 5 allows for proper storage). However, since I neither trust the Radxa disk images nor wanted to set things up on an already EoL Linux distribution, I started doing some digging. As it turns out, the Rock Pi is supported in Yocto.
Say what you want about Raspberry Pi, but you can still download an up-to-date OS that runs on the Pi 1. In this article, I will show you not only how to build a disk image with Yocto (in this case for the Rock Pi 4, but it can easily be adjusted for other boards), but we will also talk a bit about how Yocto generates SBOMs (hint: it’s really clever) and where to find your SBOMs.
What is Yocto anyways?
The Yocto Project is an open-source framework for building custom Linux distributions tailored to embedded systems. It provides a flexible, modular build system based on BitBake and OpenEmbedded, enabling developers to create highly optimized and reproducible Linux images for specific hardware. Yocto is widely used in industries like automotive, IoT, and networking due to its ability to support diverse architectures and long-term maintenance needs. With its layered architecture, extensive BSP support, and strong focus on customization, Yocto is a powerful tool for developers looking to build and maintain embedded Linux systems efficiently.
I’ve toyed with it a few times over the years to build images for Raspberry Pis, but never really used it seriously. However, I recently crossed paths with some of the Yocto people in a CISA working group I’m co-chairing on SBOM generation. As it turns out, Yocto is very sophisticated when it comes to generating SBOMs, so I wanted to get some more up-to-date exposure to Yocto. Color me impressed. Not only did Yocto produce a Software Bill of Materials (SBOM) for me – it did so without even asking me.
Since Yocto builds everything from source and is essentially a package manager, it is able to capture all the dependencies into an SBOM. Moreover, since Yocto maintains detailed information about every dependency, it is able to generate very high-quality SBOMs.
Key Yocto Terminology