feat(linux): Add how to guide for working with SBOMs

yogeshhegde · yogeshhegde · commit 16bcbfe46174 · 2026-04-16T16:33:38.000+05:30
Add How to guide for working with SBOM's with sections
* Generating SBOM in SPDX and CycloneDX format
* Tools and references for Working with SBOM i.e visualizing, merging,
modifying SBOMs

Signed-off-by: Yogesh Hegde &lt;y-hegde@ti.com&gt;
diff --git a/configs/AM62LX/AM62LX_linux_toc.txt b/configs/AM62LX/AM62LX_linux_toc.txt
@@ -127,6 +127,7 @@ linux/How_to_Guides/Target/How_To_Enable_M2CC3301_in_linux
 linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Lx_EVM_Hardware_Setup
 linux/Demo_User_Guides/index_Demos
diff --git a/configs/AM62PX/AM62PX_linux_toc.txt b/configs/AM62PX/AM62PX_linux_toc.txt
@@ -172,6 +172,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Px_EVM_Hardware_Setup
 linux/How_to_Guides/Target/How_To_Carve_Out_CMA
diff --git a/configs/AM62X/AM62X_linux_toc.txt b/configs/AM62X/AM62X_linux_toc.txt
@@ -176,6 +176,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62x_EVM_Hardware_Setup
 
diff --git a/configs/AM64X/AM64X_linux_toc.txt b/configs/AM64X/AM64X_linux_toc.txt
@@ -153,6 +153,7 @@ linux/How_to_Guides/Hardware_Setup_with_CCS/AM64x_EVM_Hardware_Setup
 linux/How_to_Guides/FAQ/How_to_Verify_Ipc_Linux_R5
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides/Target/Processor_SDK_Linux_File_System_Optimization_Customization
 
 devices/AM64X/index_RTOS
diff --git a/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62LX/linux/Release_Specific_Release_Notes.rst
@@ -40,9 +40,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|
 
 Release 12.00.00.07.04
 ======================
diff --git a/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62PX/linux/Release_Specific_Release_Notes.rst
@@ -40,9 +40,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
 Release 12.00.00.07.04
 ======================
 
diff --git a/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM62X/linux/Release_Specific_Release_Notes.rst
@@ -38,9 +38,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
 
 Release 12.00.00.07.04
 ======================
diff --git a/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst b/source/devices/AM64X/linux/Release_Specific_Release_Notes.rst
@@ -38,9 +38,9 @@ found on the SDK download page or in the installed directory as indicated below.
 Software Bill of Materials (SBOM)
 =================================
 
-|SDK_FULL_NAME| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
 format by default. SBOMs for all released artifacts are bundled into a single
-archive and can be found on the |SDK_DOWNLOAD_URL|.
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
 
 Release 12.00.00.07.04
 ======================
diff --git a/source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst b/source/linux/How_to_Guides/FAQ/How_to_work_with_SBOM.rst
@@ -0,0 +1,111 @@
+***************************************************************
+How to Guide for working with Software Bill of Materials (SBOM)
+***************************************************************
+
+Generating an Software Bill of Materials (SBOM)
+===============================================
+
+|__SDK_FULL_NAME__| generates SBOMs in the following formats and versions:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - Format
+     - Version
+   * - SPDX
+     - 3.0
+   * - CycloneDX
+     - 1.6
+
+Follow the steps below based on your required format.
+
+Generating an SBOM in SPDX 3.0 Format
+-------------------------------------
+
+SPDX 3.0 is generated by default when building Yocto no extra steps required.
+If you require additional vulnerability information, follow these steps:
+
+1. Add the following line to your ``local.conf``:
+
+   .. code-block:: text
+
+      INHERIT += "vex"
+
+2. Build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - ``${IMAGE_NAME}.rootfs.spdx.json``
+     - The SPDX v3.0 SBOM file
+   * - ``${IMAGE_NAME}.rootfs.json``
+     - Vulnerability information file generated by ``vex.bbclass``
+
+
+Generating an SBOM in CycloneDX Format
+--------------------------------------
+
+To generate an SBOM in CycloneDX format, follow these steps:
+
+1. Start with the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`
+2. After cloning ``oe-layersetup``, uncomment the ``meta-cyclonedx`` line in
+   the layer configuration file, for example:
+
+   .. code-block:: text
+
+      meta-cyclonedx,https://github.com/iris-GmbH/meta-cyclonedx.git,main,0170751b487162f8e476fd32d441ddfcf24ca78a,layers=
+
+3. Add the following line to your ``local.conf``:
+
+   .. code-block:: text
+
+      INHERIT += "cyclonedx-export"
+
+4. Continue to build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - ``${IMAGE_NAME}.rootfs.cyclonedx.bom.json``
+     - The CycloneDX SBOM file
+   * - ``${IMAGE_NAME}.rootfs.cyclonedx.vex.json``
+     - The CycloneDX VEX file
+
+Working with Software Bill of Materials (SBOM)
+==============================================
+
+It is recommended to use open-source tools for working with SBOMs.
+The following open-source tools are recommended for working with SBOMs:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 40 40
+
+   * - Format
+     - Tool
+     - Description
+   * - CycloneDX
+     - `CycloneDX Sunshine <https://github.com/CycloneDX/Sunshine/>`_
+     - Visualize CycloneDX SBOMs in a human-readable format
+   * - CycloneDX
+     - `CycloneDX CLI <https://github.com/CycloneDX/cyclonedx-cli>`_
+     - BOM analysis, modification, diffing, merging, format conversion, signing and verification.
+   * - SPDX
+     - `SPDX Open Source Tools <https://spdx.dev/tools/open-source-tools/>`_
+     - A collection of open-source tools for working with SPDX SBOMs
+
+.. note::
+
+   SPDX 3.0 is not yet widely supported by SPDX tools. Using such tools with
+   SPDX 3.0 files may give varied or unexpected results.
diff --git a/source/linux/How_to_Guides_Developer_Notes.rst b/source/linux/How_to_Guides_Developer_Notes.rst
@@ -38,6 +38,7 @@ Developer Notes
    How_to_Guides/FAQ/How_to_Configure_MSMC_memory
    How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
    How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+   How_to_Guides/FAQ/How_to_work_with_SBOM
    How_to_Guides/Host/How_to_Build_a_Ubuntu_Linux_host_under_VMware
    How_to_Guides/Host/K3_Resource_Partitioning_Tool
    How_to_Guides/Host/How_to_Setup_and_Debug_using_Lauterbach
