From 2324dc15130c08add911706d85c81c38f50ae924 Mon Sep 17 00:00:00 2001
From: Mark Atwood
Date: Mon, 22 Jun 2026 18:39:33 -0700
Subject: [PATCH 1/2] feat: add sbom target to Makefile
Adds sbom target that calls gen-sbom to produce CycloneDX and SPDX output files. Parses version from ChangeLog.md. Sources enumerated from src/*.c. Requires WOLFSSL_DIR pointing to wolfssl tree with the feat/sbom-embedded branch (includes gen-sbom).
---
 Makefile | 45 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
diff --git a/Makefile b/Makefile
index 6d4763e3f..105976e19 100644
--- a/Makefile
+++ b/Makefile
@@ -56,3 +56,48 @@ clean:
 make -C benchmark clean
 make -C tools clean
 make -C examples clean
+
+# ---- SBOM generation ----
+CC ?= cc
+WOLFSSL_DIR ?= ../../wolfssl
+VERSION := $(shell sed -n 's/^# wolfHSM Release v\([0-9][0-9.]*\).*/\1/p' ChangeLog.md | head -1)
+SRCS := $(wildcard src/*.c)
+SBOM_CDX := wolfhsm-$(VERSION).cdx.json
+SBOM_SPDX := wolfhsm-$(VERSION).spdx.json
+
+.PHONY: sbom
+
+sbom:
+ @if [ -z "$(VERSION)" ]; then \
+ echo "ERROR: could not parse version from ChangeLog.md." >&2; \
+ exit 1; \
+ fi
+ @if [ -z "$(WOLFSSL_DIR)" ] || [ ! -d "$(WOLFSSL_DIR)" ]; then \
+ echo "ERROR: WOLFSSL_DIR=$(WOLFSSL_DIR) is not a directory." >&2; \
+ echo " Set WOLFSSL_DIR to your wolfssl source tree." >&2; \
+ exit 1; \
+ fi
+ @if [ ! -f "$(WOLFSSL_DIR)/scripts/gen-sbom" ]; then \
+ echo "ERROR: $(WOLFSSL_DIR)/scripts/gen-sbom not found." >&2; \
+ echo " Use a wolfSSL tree that includes SBOM support." >&2; \
+ exit 1; \
+ fi
+ @echo "wolfHSM version: $(VERSION)"
+ @echo "Sources: $(words $(SRCS)) .c files in src/"
+ @_defines=$$(mktemp /tmp/wolfhsm-defines.XXXXXX) && \
+ trap 'rm -f "$$_defines"' EXIT && \
+ if ! $(CC) -dM -E -I. -I$(WOLFSSL_DIR) -x c /dev/null >"$$_defines" 2>/dev/null; then \
+ echo "ERROR: $(CC) -dM -E failed." >&2; exit 1; \
+ fi && \
+ _py=$$(command -v python3 2>/dev/null || command -v python 2>/dev/null) && \
+ [ -n "$$_py" ] || { echo "ERROR: python3 not found." >&2; exit 1; } && \
+ "$$_py" $(WOLFSSL_DIR)/scripts/gen-sbom \
+ --name wolfhsm \
+ --version $(VERSION) \
+ --supplier "wolfSSL Inc." \
+ --license-file LICENSING \
+ --options-h "$$_defines" \
+ --srcs $(SRCS) \
+ --cdx-out $(SBOM_CDX) \
+ --spdx-out $(SBOM_SPDX)
+ @echo "Done: $(SBOM_CDX) $(SBOM_SPDX)"
From 6b7ee110df9ddc39ae20a7f626a722b1406cb22c Mon Sep 17 00:00:00 2001
From: Mark Atwood
Date: Tue, 23 Jun 2026 17:40:28 -0700
Subject: [PATCH 2/2] docs: add SBOM/EU CRA Compliance section to README
---
 README.md | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
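Review bot: The `--options-h` input the sbom recipe builds is not the project's configuration: `$(CC) -dM -E -I. -I$(WOLFSSL_DIR) -x c /dev/null` preprocesses an empty translation unit, so the temp file holds only the compiler's predefined macros and the two `-I` paths contribute nothing, whereas the README in the second patch passes a real `options.h` to the same flag. Unless gen-sbom needs only the compiler predefines, the SBOM would not record the wolfSSL/wolfHSM features actually built; preprocessing a unit that includes the configured options header, e.g. `if ! echo '#include <wolfssl/options.h>' | $(CC) -dM -E -I$(WOLFSSL_DIR) -x c - >"$$_defines"; then \`, captures the real option set — confirm the header path against what gen-sbom expects. Dropping the `2>/dev/null` on that line also lets the compiler's own diagnostic reach the user instead of the generic `-dM -E failed` message. A smaller point: `mktemp /tmp/wolfhsm-defines.XXXXXX` ignores `TMPDIR`; `mktemp -t wolfhsm-defines.XXXXXX` honours it on both GNU and BSD mktemp. The whole sbom rule is inside the hunk.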
diff --git a/README.md b/README.md
index 653da9105..381a77513 100644
--- a/README.md
+++ b/README.md
@@ -25,3 +25,28 @@ please refer to the following resources.
 - [wolfHSM Manual](https://www.wolfssl.com/documentation/manuals/wolfhsm/index.html)
 - [wolfHSM API Reference](https://www.wolfssl.com/documentation/manuals/wolfhsm/appendix01.html)
 - [wolfHSM Examples](https://github.com/wolfSSL/wolfHSM/tree/main/examples)
+
+## SBOM / EU CRA Compliance
+
+wolfHSM generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+wolfHSM uses a custom build system; invoke `gen-sbom` from the wolfssl source
+tree directly:
+
+```sh
+python3 $WOLFSSL_DIR/scripts/gen-sbom \
+ --name wolfhsm \
+ --version $(head -1 $WOLFHSM_DIR/ChangeLog.md | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') \
+ --supplier "wolfSSL Inc." \
+ --options-h $WOLFSSL_DIR/include/wolfssl/options.h \
+ --srcs $WOLFHSM_DIR/src/*.c
+```
+
+`WOLFSSL_DIR` must point to a wolfssl source tree containing `scripts/gen-sbom`
+(branch `feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+`WOLFHSM_DIR` is the root of the wolfHSM source tree.
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`).
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).