Brussels / 31 January & 1 February 2026


SBOMs for Embedded Firmware: The Zephyr RTOS Case Study


SBOMs for embedded systems are harder to get right than for typical applications: vendor HALs, out-of-tree modules and binary blobs all end up in the image, often without a clean package boundary. Accurately capturing what actually went into the binary deployed on your product is crucial for responding to future CVEs with confidence, and for complying with regulations such as the EU Cyber Resilience Act (CRA).

In this talk, I'll show how Zephyr RTOS integrates SPDX-based SBOM generation into its CMake build system, and how we're exploring SPDX 3 to describe things that aren't just source code (build configuration, AI/ML artifacts, etc.), so that SBOMs for Zephyr-based products reflect the real security and compliance surface of the device, not just the code that was compiled.
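As an added worked example (not code from the talk, and not Zephyr's own tooling), here is a small parser for the SPDX 2.x tag-value format that Zephyr's `west spdx` writes under build/spdx/ (app.spdx, zephyr.spdx and build.spdx, after running `west spdx --init -d build` before the build and `west spdx -d build` after it). It answers the question the abstract raises: which files and packages actually reached the linked image, which of those carry no version and therefore cannot be matched against a CVE feed, and which entries the SBOM describes that never got linked. It follows explicit Relationship lines (DESCRIBES, STATIC_LINK, CONTAINS, ...) rather than the implicit "files after a package belong to it" convention. The SBOM text is a constructed sample that only mimics the shape of a build.spdx; its package names, SPDXIDs and checksums are illustrative.

```python
"""Added example (not Zephyr's tooling): parse an SPDX 2.x tag-value SBOM and report
what actually reached the linked image. The sample SBOM below is constructed."""
from collections import defaultdict

SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT

PackageName: zephyr_final.elf
SPDXID: SPDXRef-zephyr-final

PackageName: libkernel.a
SPDXID: SPDXRef-libkernel

PackageName: libvendor_hal.a
SPDXID: SPDXRef-libvendor-hal
PackageVersion: 1.4.2

PackageName: libunused_driver.a
SPDXID: SPDXRef-libunused

FileName: ./modules/hal/vendor/uart.c
SPDXID: SPDXRef-File-uart-c
FileChecksum: SHA1: 89abcdef0123456789abcdef0123456789abcdef

FileName: ./drivers/unused/foo.c
SPDXID: SPDXRef-File-foo-c
FileChecksum: SHA1: fedcba9876543210fedcba9876543210fedcba98

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-zephyr-final
Relationship: SPDXRef-zephyr-final STATIC_LINK SPDXRef-libkernel
Relationship: SPDXRef-zephyr-final STATIC_LINK SPDXRef-libvendor-hal
Relationship: SPDXRef-libvendor-hal CONTAINS SPDXRef-File-uart-c
Relationship: SPDXRef-libunused CONTAINS SPDXRef-File-foo-c
"""

# Relationship types meaning "the right-hand element went into the left-hand one".
INCLUSION_KINDS = {"CONTAINS", "STATIC_LINK", "GENERATED_FROM", "HAS_PREREQUISITE"}

def parse_tag_value(text):
    """SPDXID -> {tag: [values]} for each block, plus (left, kind, right) relationship triples."""
    elements, rels, block = {}, [], defaultdict(list)
    for line in text.splitlines() + [""]:          # trailing "" flushes the last block
        line = line.strip()
        if not line:                               # a blank line ends a package/file block
            if "SPDXID" in block:
                elements[block["SPDXID"][0]] = dict(block)
            block.clear()
            continue
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "Relationship":
            parts = value.split()
            if len(parts) != 3:
                raise ValueError(f"malformed Relationship: {value!r}")
            rels.append(tuple(parts))
        else:
            block[tag].append(value)               # tags such as FileChecksum may repeat
    return elements, rels

def find_root(rels):
    """The element the document DESCRIBES; for a build SBOM that is the final ELF."""
    roots = [r for l, k, r in rels if l == "SPDXRef-DOCUMENT" and k == "DESCRIBES"]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one DESCRIBES root, got {roots}")
    return roots[0]

def reachable(root, rels, kinds=INCLUSION_KINDS):
    """SPDXIDs transitively pulled into root through inclusion relationships."""
    edges = defaultdict(set)
    for left, kind, right in rels:
        if kind in kinds:
            edges[left].add(right)
    seen, stack = set(), [root]
    while stack:
        node = stack.pop()
        if node not in seen:
            seen.add(node)
            stack.extend(edges[node])
    return seen - {root}

def analyze(text):
    """What the SBOM says reached the image, and what it lists that did not."""
    elements, rels = parse_tag_value(text)
    root = find_root(rels)
    ids = reachable(root, rels)
    name = lambda e: (e.get("FileName") or e.get("PackageName"))[0]
    files = sorted(name(elements[i]) for i in ids if "FileName" in elements.get(i, {}))
    pkgs = sorted((name(elements[i]), elements[i].get("PackageVersion", ["NOASSERTION"])[0])
                  for i in ids if "PackageName" in elements.get(i, {}))
    return {
        "files": files,
        "packages": pkgs,
        # No usable version means the package cannot be matched against a CVE feed.
        "unversioned": [n for n, v in pkgs if v in ("", "NONE", "NOASSERTION")],
        # Listed in the SBOM but never linked: noise that would inflate CVE triage.
        "not_linked": sorted(name(e) for i, e in elements.items()
                             if i not in ids | {root} and ("FileName" in e or "PackageName" in e)),
    }
```

Calling `analyze(open("build/spdx/build.spdx").read())` on a real build directory gives the same four lists; on the constructed sample it reports uart.c and the two statically linked libraries as in the image, flags libkernel.a as unversioned, and lists foo.c and libunused_driver.a as described but never linked. Those last two categories are the ones worth wiring into a CI check: an unversioned vendor HAL, or a large set of files that the SBOM describes but the link step never consumed, both mean the document does not yet reflect the device's real attack surface.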

Speakers

Benjamin Cabé
