TexasInstruments · cshilwant · Apr 28, 2026 · Apr 16, 2026 · Apr 16, 2026 · Apr 16, 2026
@@ -100,6 +100,7 @@ linux/How_to_Guides/Target/How_to_Use_K3Conf_Tool
 linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides/Target/How_To_Carve_Out_CMA
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Dx_EVM_Hardware_Setup

@@ -127,6 +127,7 @@ linux/How_to_Guides/Target/How_To_Enable_M2CC3301_in_linux
 linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Lx_EVM_Hardware_Setup
 linux/Demo_User_Guides/index_Demos

@@ -172,6 +172,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62Px_EVM_Hardware_Setup
 linux/How_to_Guides/Target/How_To_Carve_Out_CMA

@@ -176,6 +176,7 @@ linux/How_to_Guides/Target/Runtime_debug_unlock_on_secure_device
 linux/How_to_Guides/Target/How_to_Tune_Real_Time_Linux
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides_Hardware_Setup_with_CCS
 linux/How_to_Guides/Hardware_Setup_with_CCS/AM62x_EVM_Hardware_Setup
 

@@ -153,6 +153,7 @@ linux/How_to_Guides/Hardware_Setup_with_CCS/AM64x_EVM_Hardware_Setup
 linux/How_to_Guides/FAQ/How_to_Verify_Ipc_Linux_R5
 linux/How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
 linux/How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+linux/How_to_Guides/FAQ/How_to_work_with_SBOM
 linux/How_to_Guides/Target/Processor_SDK_Linux_File_System_Optimization_Customization
 
 devices/AM64X/index_RTOS

@@ -35,6 +35,13 @@ found on the SDK download page or in the installed directory as indicated below.
 
 -  Linux Manifest:  :file:`<PSDK_PATH>/manifest/software_manifest.htm`
 
+Software Bill of Materials (SBOM)
+=================================
+
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+format for Yocto. SBOM for released artifacts be found on the |__SDK_DOWNLOAD_URL__|.
+For more refer :ref:`Working with SBOM <how-to-work-with-sbom>`.
+
 Release 12.00.00.07.04
 ======================
 

@@ -37,6 +37,14 @@ found on the SDK download page or in the installed directory as indicated below.
 -  Debian Manifest: `TI debian software manifest 11.01.16.13
    <https://dr-download.ti.com/software-development/software-development-kit-sdk/MD-YjEeNKJJjt/11.01.16.13/software_manifest_debian_am62lxx-evm_am62lxx-evm.htm>`__
 
+Software Bill of Materials (SBOM)
+=================================
+
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts
+are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|.
+For more refer :ref:`Working with SBOM <how-to-work-with-sbom>`.
+
 Release 12.00.00.07.04
 ======================
 

@@ -37,6 +37,13 @@ found on the SDK download page or in the installed directory as indicated below.
 -  Debian Manifest: `TI debian software manifest 11.01.16.13
    <https://dr-download.ti.com/software-development/software-development-kit-sdk/MD-9ti3Ig9hNi/11.01.16.13/software_manifest_debian_am62pxx-evm_am62pxx-evm.htm>`__
 
+Software Bill of Materials (SBOM)
+=================================
+
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+format by default. SBOMs for all released artifacts are bundled into a single
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
+For more refer :ref:`Working with SBOM <how-to-work-with-sbom>`.
 
 Release 12.00.00.07.04
 ======================

@@ -35,6 +35,14 @@ found on the SDK download page or in the installed directory as indicated below.
 
 -  Linux Manifest:  :file:`<PSDK_PATH>/manifest/software_manifest.htm`
 
+Software Bill of Materials (SBOM)
+=================================
+
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+format for Yocto and CycloneDX 1.6 format for Buildroot. SBOMs for all released artifacts
+are bundled into a single archive and can be found on the |__SDK_DOWNLOAD_URL__|.
+For more refer :ref:`Working with SBOM <how-to-work-with-sbom>`.
+
 Release 12.00.00.07.04
 ======================
 

@@ -35,6 +35,13 @@ found on the SDK download page or in the installed directory as indicated below.
 
 -  Linux Manifest:  :file:`<PSDK_PATH>/manifest/software_manifest.htm`
 
+Software Bill of Materials (SBOM)
+=================================
+
+|__SDK_FULL_NAME__| releases include Software Bill of Materials (SBOM) files in SPDX 3.0
+format by default. SBOMs for all released artifacts are bundled into a single
+archive and can be found on the |__SDK_DOWNLOAD_URL__|.
+For more refer :ref:`Working with SBOM <how-to-work-with-sbom>`.
 
 Release 12.00.00.07.04
 ======================

@@ -0,0 +1,175 @@
+.. _how-to-work-with-sbom:
+
+###############################################################
+How to Guide for working with Software Bill of Materials (SBOM)
+###############################################################
+
+********
+Glossary
+********
+
+.. glossary::
+
+   SBOM
+      Software Bill of Materials - is a comprehensive list of all the software components, dependencies, and metadata associated with an application.
+
+   SPDX
+      Software Package Data Exchange - is an open standard (or format) for communicating Software Bill of Materials (SBOM) information including components, licenses, copyrights, and security references.
+
+   CycloneDX
+      CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction.
+
+   VEX
+      Vulnerability Exploitability eXchange - is a standardized format for sharing information about vulnerabilities and their exploitability.
+
+***************
+Generating SBOM
+***************
+
+|__SDK_FULL_NAME__| Yocto build generates SBOMs in the following formats and versions:
+
+.. list-table::
+   :header-rows: 1
+
+   * - Format
+     - Version
+   * - SPDX
+     - 3.0
+   * - CycloneDX
+     - 1.6
+
+Follow the steps below based on your required format.
+
+Generating SBOM in SPDX 3.0 Format
+==================================
+
+SPDX 3.0 is generated by default when building |__SDK_FULL_NAME__| Yocto, no extra steps required.
+If you require additional vulnerability information, follow these steps:
+
+1. Add the following line to your :file:`local.conf`:
+
+   .. code-block:: text
+
+      INHERIT += "vex"
+
+2. Build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - :file:`${IMAGE_NAME}.rootfs.spdx.json`
+     - The SPDX v3.0 SBOM file
+   * - :file:`${IMAGE_NAME}.rootfs.json`
+     - Vulnerability information file generated by :file:`vex.bbclass`
+
+
+Generating SBOM in CycloneDX Format
+===================================
+
+To generate SBOM in CycloneDX format, follow these steps:
+
+#. Start with the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`
+#. After cloning ``oe-layersetup``, uncomment the ``meta-cyclonedx`` line in
+   the layer configuration file, for example:
+
+   .. code-block:: text
+
+      meta-cyclonedx,https://github.com/iris-GmbH/meta-cyclonedx.git,main,0170751b487162f8e476fd32d441ddfcf24ca78a,layers=
+
+#. Add the following line to your :file:`local.conf`:
+
+   .. code-block:: text
+
+      INHERIT += "cyclonedx-export"
+
+#. Continue to build Yocto according to the build instructions in :ref:`Processor SDK - Building the SDK with Yocto <building-the-sdk-with-yocto>`.
+
+The following artifacts will be generated in the Yocto deploy directory:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 50 50
+
+   * - File
+     - Description
+   * - :file:`${IMAGE_NAME}.rootfs.cyclonedx.bom.json`
+     - The CycloneDX SBOM file
+   * - :file:`${IMAGE_NAME}.rootfs.cyclonedx.vex.json`
+     - The CycloneDX VEX file
+
+*****************
+Working with SBOM
+*****************
+
+It is recommended to use open-source tools for working with SBOMs.
+The following open-source tools are recommended for working with SBOMs:
+
+.. list-table::
+   :header-rows: 1
+   :widths: 20 40 40
+
+   * - Format
+     - Tool
+     - Description
+   * - CycloneDX
+     - `CycloneDX Sunshine <https://github.com/CycloneDX/Sunshine/>`_
+     - Visualize CycloneDX SBOMs in a human-readable format
+   * - CycloneDX
+     - `CycloneDX CLI <https://github.com/CycloneDX/cyclonedx-cli>`_
+     - BOM analysis, modification, diffing, merging, format conversion, signing and verification.
+   * - SPDX
+     - `SPDX Open Source Tools <https://spdx.dev/tools/open-source-tools/>`_
+     - A collection of open-source tools for working with SPDX SBOMs
+
+.. note::
+
+   SPDX 3.0 is not yet widely supported by SPDX tools. Using such tools with
+   SPDX 3.0 files may give varied or unexpected results.
+
+************
+CVE Analysis
+************
+
+The `sbom-cve-check <https://pypi.org/project/sbom-cve-check/>`_ tool can be
+used to perform CVE analysis on the generated SPDX SBOM.
+
+#. Install the tool:
+
+   .. code-block:: console
+
+      pip install sbom-cve-check
+
+   .. note::
+
+      It is recommended to install this tool in a Python virtual environment.
+
+#. Retrieve the following artifacts from the Yocto deploy directory:
+
+   .. list-table::
+      :header-rows: 1
+      :widths: 50 50
+
+      * - File
+        - Description
+      * - :file:`${IMAGE_NAME}.rootfs.spdx.json`
+        - The SPDX v3.0 SBOM file
+      * - :file:`${IMAGE_NAME}.rootfs.json`
+        - Vulnerability information file generated by :file:`vex.bbclass`
+
+#. Run the CVE analysis:
+
+   .. code-block:: console
+
+      sbom-cve-check --sbom-path ${IMAGE_NAME}.rootfs.spdx.json \
+                     --yocto-vex-manifest ${IMAGE_NAME}.rootfs.json \
+                     --export-type yocto-cve-check-manifest \
+                     --export-path cve-check.json
+
+.. note::
+
+   :file:`sbom-cve-check` only supports SPDX format and does not support CycloneDX.
@@ -38,6 +38,7 @@ Developer Notes
    How_to_Guides/FAQ/How_to_Configure_MSMC_memory
    How_to_Guides/FAQ/How_to_Check_Device_Tree_Info
    How_to_Guides/FAQ/How_to_Integrate_Open_Source_Software
+   How_to_Guides/FAQ/How_to_work_with_SBOM
    How_to_Guides/Host/How_to_Build_a_Ubuntu_Linux_host_under_VMware
    How_to_Guides/Host/K3_Resource_Partitioning_Tool
    How_to_Guides/Host/How_to_Setup_and_Debug_using_Lauterbach