SBOM for Embedded Firmware: Why Your Python-Generated List Won't Pass a CRA Audit
This post is part of the iotbastion editorial calendar. The full text is being drafted — placeholder content below so the template can be reviewed.
Why this matters
Embedded engineers ship products under constraints that don't exist in the rest of software: ROM-fixed bootloaders, parts on five-year backorder, customers in the field for a decade. Security guidance written for cloud teams falls apart on the bench.
This series exists to close that gap with reproducible technical detail, not vendor talking points.
What to expect
- Bench-verified procedures, not slideware
- Code that compiles against the toolchains people actually use
- Compliance mapped to the silicon, not to a checklist generator
If you want the full draft when it lands, the email list at the bottom of the page is the only way I notify subscribers.
Shipping before December 2027? Grab the CRA Compliance Checklist for Embedded Engineers — free, 3 pages, no marketing.
What I'm writing about next
A bench walkthrough of CRA Annex I, requirement by requirement, against a real ESP32-based product — what passes, what fails, and what an auditor will probably argue about.
One post a week, plus the CRA checklist on signup.
No marketing.
If this was useful, the best compliment is forwarding it to a teammate.