Skip to content

Commit fc0392c

Browse files
committed
fix: capture real build config in sbom target and harden recipe
The sbom target fed `cc -dM -E` an empty /dev/null with only WOLFSSL_USER_SETTINGS, so gen-sbom's build properties collapsed to host compiler builtins (all filtered out as noise) and the SBOM did not reflect the selected configuration. Harvest the actual -D config macros from CFLAGS (filtered in the shell so defines whose values contain spaces, e.g. BOOTLOADER_PARTITION_SIZE=$((...)), survive intact) so the SBOM captures the real TARGET/SIGN/HASH/feature set. Also: - add preflight checks for empty WOLFBOOT_VERSION and missing GEN_SBOM - pass sources via --srcs-file to avoid ARG_MAX on large configs - include .S sources in the source set, not just .c - make HOSTCC and GEN_SBOM overridable - README: soften "CRA Compliance" wording, use wolfboot-<version>.* names, fix dangling wolfssl/doc/CRA.md link to point at the wolfSSL CRA Kit Signed-off-by: Sameeh Jubran <sameeh.j@gmail.com>
1 parent 999e986 commit fc0392c

2 files changed

Lines changed: 50 additions & 29 deletions

File tree

Makefile

Lines changed: 36 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -790,54 +790,73 @@ pico-sdk-info: FORCE
790790
## SBOM generation
791791
# Usage: make sbom TARGET=<target> SIGN=<scheme> [HASH=SHA256] [EXT_FLASH=0]
792792
#
793-
# TARGET and SIGN select the build configuration; they default to stm32f4 and
794-
# ED25519 (via tools/config.mk) if not supplied. Pass them explicitly to get
795-
# an SBOM that reflects your actual build configuration.
793+
# TARGET and SIGN select the build configuration. They come from the same
794+
# place as a normal build (command line, environment, or .config) and fall
795+
# back to the tools/config.mk defaults (stm32f4 / ED25519) when unset. The
796+
# recipe echoes the effective target/sign so a default build is visible; pass
797+
# them explicitly to get an SBOM that reflects your actual configuration.
796798
#
797-
# Extracts the configuration-specific C source list from OBJS (which is fully
799+
# Extracts the configuration-specific source list from OBJS (which is fully
798800
# assembled by this point — core wolfBoot + wolfcrypt + HAL sources are all
799-
# included), preprocesses wolfBoot's include dirs via cc -dM -E on the host,
800-
# and calls gen-sbom to emit CycloneDX and SPDX output files.
801+
# included), captures the build's -D configuration macros via $(HOSTCC) -dM -E
802+
# on the host, and calls gen-sbom to emit CycloneDX and SPDX output files.
801803
#
802804
# wolfcrypt sources are compiled directly into the wolfBoot image and are
803805
# therefore listed as wolfBoot's own sources, not as a separate component.
804806
#
805807
# Optional make variables:
808+
# HOSTCC Host C compiler for macro capture (default: cc)
809+
# GEN_SBOM Path to wolfssl scripts/gen-sbom
810+
# (default: $(WOLFBOOT_LIB_WOLFSSL)/scripts/gen-sbom)
806811
# CRA_PYTHON Python interpreter (default: python3)
807812

813+
HOSTCC?=cc
808814
WOLFBOOT_VERSION:=$(shell sed -n \
809815
's/.*LIBWOLFBOOT_VERSION_STRING[[:space:]]*"\([^"]*\)".*/\1/p' \
810816
include/wolfboot/version.h)
811-
GEN_SBOM:=$(WOLFBOOT_LIB_WOLFSSL)/scripts/gen-sbom
817+
GEN_SBOM?=$(WOLFBOOT_LIB_WOLFSSL)/scripts/gen-sbom
812818
SBOM_CDX_OUT:=wolfboot-$(WOLFBOOT_VERSION).cdx.json
813819
SBOM_SPDX_OUT:=wolfboot-$(WOLFBOOT_VERSION).spdx.json
814820
SBOM_PYTHON?=$(or $(CRA_PYTHON),python3)
815821

816822
sbom:
823+
@if [ -z "$(WOLFBOOT_VERSION)" ]; then \
824+
echo "ERROR: could not read LIBWOLFBOOT_VERSION_STRING from include/wolfboot/version.h" >&2; \
825+
echo " (check the file exists and its version format is intact)." >&2; \
826+
exit 1; \
827+
fi
828+
@if [ ! -f "$(GEN_SBOM)" ]; then \
829+
echo "ERROR: gen-sbom not found at '$(GEN_SBOM)'." >&2; \
830+
echo " Initialize the submodule: git submodule update --init lib/wolfssl" >&2; \
831+
echo " or point GEN_SBOM at a wolfssl tree: make sbom GEN_SBOM=/path/to/wolfssl/scripts/gen-sbom" >&2; \
832+
exit 1; \
833+
fi
817834
@echo "wolfBoot SBOM: version=$(WOLFBOOT_VERSION) target=$(TARGET) sign=$(SIGN)"
818835
@echo " Outputs: $(SBOM_CDX_OUT) $(SBOM_SPDX_OUT)"
819-
$(eval _SBOM_SRCS := $(wildcard $(patsubst %.o,%.c,$(OBJS))))
836+
$(eval _SBOM_SRCS := $(wildcard $(patsubst %.o,%.c,$(OBJS))) $(wildcard $(patsubst %.o,%.S,$(OBJS))))
820837
@if [ -z "$(_SBOM_SRCS)" ]; then \
821-
echo "ERROR: no .c sources found in OBJS — check that TARGET and SIGN are correct." >&2; \
838+
echo "ERROR: no source files found in OBJS — check that TARGET and SIGN are correct." >&2; \
822839
exit 1; \
823840
fi
824841
@set -e; \
825842
_dh=$$(mktemp /tmp/wolfboot-sbom-defines.XXXXXX); \
826-
trap 'rm -f "$$_dh"' EXIT; \
827-
cc -dM -E \
828-
-I"$(WOLFBOOT_ROOT)/include" \
829-
-I"$(WOLFBOOT_LIB_WOLFSSL)" \
830-
-I"$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src" \
831-
-DWOLFSSL_USER_SETTINGS \
843+
_sf=$$(mktemp /tmp/wolfboot-sbom-srcs.XXXXXX); \
844+
trap 'rm -f "$$_dh" "$$_sf"' EXIT; \
845+
_defs=""; \
846+
for _t in $(CFLAGS); do \
847+
case "$$_t" in -D*) _defs="$$_defs $$_t" ;; esac; \
848+
done; \
849+
$(HOSTCC) -dM -E -DWOLFSSL_USER_SETTINGS $$_defs \
832850
-x c /dev/null >"$$_dh" 2>/dev/null || \
833-
{ echo "ERROR: cc -dM -E failed; install a host C compiler." >&2; exit 1; }; \
851+
{ echo "ERROR: '$(HOSTCC) -dM -E' failed; install a host C compiler or set HOSTCC." >&2; exit 1; }; \
852+
printf '%s\n' $(_SBOM_SRCS) >"$$_sf"; \
834853
$(SBOM_PYTHON) "$(GEN_SBOM)" \
835854
--name wolfboot \
836855
--version "$(WOLFBOOT_VERSION)" \
837856
--supplier "wolfSSL Inc." \
838857
--license-file "$(WOLFBOOT_ROOT)/LICENSE" \
839858
--options-h "$$_dh" \
840-
--srcs $(_SBOM_SRCS) \
859+
--srcs-file "$$_sf" \
841860
--cdx-out "$(SBOM_CDX_OUT)" \
842861
--spdx-out "$(SBOM_SPDX_OUT)"
843862
@echo "SBOM written: $(SBOM_CDX_OUT) $(SBOM_SPDX_OUT)"

README.md

Lines changed: 14 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -127,29 +127,31 @@ make
127127

128128
See [docs/CMake](./docs/CMake.md) and [cmake includes](./cmake/README.md).
129129

130-
## SBOM / EU CRA Compliance
130+
## SBOM / EU CRA support
131131

132132
wolfBoot generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
133-
SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
133+
SPDX 2.3 formats. An SBOM is one of the software-transparency artifacts useful
134+
towards EU Cyber Resilience Act (CRA) obligations; it does not by itself make a
135+
product CRA compliant (that is a system- and process-level determination for
136+
the manufacturer).
134137

135138
```sh
136139
git submodule update --init lib/wolfssl
137140
make sbom TARGET=<target> SIGN=<alg> HASH=<alg>
138141
```
139142

140143
`TARGET`, `SIGN`, and `HASH` must match your wolfBoot build configuration (same
141-
as a normal `make` invocation). `gen-sbom` lives in the `lib/wolfssl` submodule
142-
and is used automatically. The artifact hash covers the compiled source files
143-
for the given configuration.
144+
as a normal `make` invocation), because the SBOM's source set and artifact hash
145+
are configuration-specific. `gen-sbom` lives in the `lib/wolfssl` submodule and
146+
is used automatically; override with `GEN_SBOM=/path/to/wolfssl/scripts/gen-sbom`
147+
if you keep wolfssl elsewhere.
144148

145-
Output files in the build directory:
149+
Output files are written to the build directory as
150+
`wolfboot-<version>.cdx.json` (CycloneDX 1.6) and `wolfboot-<version>.spdx.json`
151+
(SPDX 2.3 JSON), where `<version>` is read from `include/wolfboot/version.h`.
146152

147-
| File | Format |
148-
|------|--------|
149-
| `wolfboot-2.8.0.cdx.json` | CycloneDX 1.6 |
150-
| `wolfboot-2.8.0.spdx.json` | SPDX 2.3 JSON |
151-
152-
For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).
153+
For CRA guidance and worked SBOM examples, see the
154+
[wolfSSL CRA Kit](https://github.com/wolfSSL/wolfssl-examples/tree/master/cra-kit).
153155

154156
## Troubleshooting
155157

0 commit comments

Comments
 (0)