Yocto vs Ubuntu Core: security

Security spans a variety of aspects, from mission-critical support and strict confinement to tracking, fixing and timely delivery of security patches.

Some security solutions are available with Yocto. For instance, the meta-security layer aims to harden, protect, and detect vulnerabilities on embedded devices by providing recipes for open-source security packages related to, among others, secure boot, runtime security scanners and intrusion detection. However, when working with Yocto for their embedded Linux project, developers are ultimately responsible for providing and shipping security patches to their images. Also, some Board Support Package (BSP) layers disable security capabilities like cgroup, namespace and BPF support.
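One way to catch the problem described above before an image ships is to audit the kernel configuration a BSP layer produces. The script below is an added example, not part of the original post or of any Yocto layer: it reads a kernel `.config` (a constructed sample stands in for a BSP's defconfig) and reports which of the options that cgroups, namespaces, BPF and the confinement stack depend on are disabled. The option list is an assumption about what a reviewer would want to verify, not a list taken from a particular BSP.

```shell
#!/bin/sh
# Added example (not from the original post or any BSP layer): audit a kernel
# .config for the capabilities the post says some BSP layers disable, plus the
# ones that AppArmor and seccomp confinement rely on.
# REQUIRED_OPTIONS is an assumption about what a reviewer wants enabled.

# Constructed sample .config fragment standing in for a BSP's defconfig.
# Real kernel configs mark disabled options as "# CONFIG_X is not set".
SAMPLE_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_CONFIG"' EXIT
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_CGROUPS=y
CONFIG_NAMESPACES=y
# CONFIG_USER_NS is not set
CONFIG_BPF=y
# CONFIG_BPF_SYSCALL is not set
CONFIG_SECCOMP=y
# CONFIG_SECURITY_APPARMOR is not set
EOF

# Kernel options the confinement features discussed in the post depend on.
REQUIRED_OPTIONS="CONFIG_CGROUPS CONFIG_NAMESPACES CONFIG_USER_NS CONFIG_BPF CONFIG_BPF_SYSCALL CONFIG_SECCOMP CONFIG_SECURITY_APPARMOR"

# option_enabled CONFIG_FILE OPTION -> 0 if OPTION is built in (=y) or a module (=m)
option_enabled() {
    grep -Eq "^$2=(y|m)$" "$1"
}

# missing_options CONFIG_FILE -> prints each required option that is disabled
# or absent, one per line
missing_options() {
    for opt in $REQUIRED_OPTIONS; do
        option_enabled "$1" "$opt" || echo "$opt"
    done
}

# audit_config CONFIG_FILE -> 0 when every required option is enabled,
# 1 (with a report on stderr) otherwise; suitable as a build-time gate
audit_config() {
    missing=$(missing_options "$1")
    if [ -n "$missing" ]; then
        echo "Disabled or missing kernel options in $1:" >&2
        echo "$missing" | sed 's/^/  /' >&2
        return 1
    fi
    return 0
}

# Run against the constructed sample; the sample is expected to fail.
audit_config "$SAMPLE_CONFIG" || true
```

On a real build, point `audit_config` at the `.config` in the kernel's build directory (or at `/proc/config.gz` decompressed from a running device) and make a non-zero return fail the pipeline; the sample above fails because `CONFIG_USER_NS`, `CONFIG_BPF_SYSCALL` and `CONFIG_SECURITY_APPARMOR` are switched off.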

Furthermore, implementing security with manufacturer-provided tools is not easy, as their primary goal is not to deliver good software but rather to sell hardware. For instance, manufacturers usually optimise a BSP for rapid prototyping, leaving developers to do further work to make it production-ready. With manufacturers taking open-source software and adding some drivers to it before handing it to their customers, developers are on their own when working on the security of an embedded Linux project. It follows that security maintenance often proves a pain point when using Yocto.

On the other hand, Ubuntu Core takes a security-first approach starting with its architecture design, ensuring built-in security throughout the entire application and device lifecycle.

The minimal OS, the kernel, and device drivers are packaged and installed as snaps, as are gadget-specific applications. During installation, Ubuntu Core examines each snap's metadata to derive AppArmor profiles, Seccomp filters and device cgroup rules, alongside traditional file permissions (e.g. owner, group, file ACLs). At runtime, Ubuntu Core rigidly sandboxes individual applications via a policy-based system that restricts access to the filesystem, network interfaces, system calls, and other standard Linux facilities. Snaps run confined within a restrictive security sandbox by default, without any custom flags at installation. This approach provides strong application confinement and an extraordinary amount of fine-grained security control, guaranteeing adequate protection of the device and any associated data.
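Because the confinement policy is derived from the snap's own metadata, that metadata is the natural place for a deployment gate. The script below is an added example, not part of the original post or of snapd: it reads a snap's `snap.yaml`, rejects anything not declared `confinement: strict`, and rejects any requested interface (plug) that is not on a device-specific allowlist. Both sample manifests, the allowlist, and the snap names are constructed for this example; the parser only handles the inline `plugs: [a, b]` list form shown in the samples.

```shell
#!/bin/sh
# Added example (not from the original post or from snapd): a pre-deployment
# gate over snap metadata. A snap that is not strictly confined, or that plugs
# into an interface outside ALLOWED_PLUGS, is rejected. The sample manifests
# and the allowlist are constructed; names are hypothetical.

WEAK_SNAP_YAML=$(mktemp)
STRICT_SNAP_YAML=$(mktemp)
trap 'rm -f "$WEAK_SNAP_YAML" "$STRICT_SNAP_YAML"' EXIT

# Weak setting: devmode disables enforcement, and the app asks for "home".
cat > "$WEAK_SNAP_YAML" <<'EOF'
name: sensor-agent
version: '1.2'
summary: Constructed example snap
confinement: devmode
apps:
  agent:
    command: bin/agent
    plugs: [network, network-bind, home]
EOF

# Corrected setting: strict confinement and only the interfaces the job needs.
cat > "$STRICT_SNAP_YAML" <<'EOF'
name: sensor-agent
version: '1.3'
summary: Constructed example snap
confinement: strict
apps:
  agent:
    command: bin/agent
    plugs: [network]
EOF

# Interfaces this device's policy allows an app to plug into (assumption).
ALLOWED_PLUGS="network network-bind"

# snap_confinement FILE -> prints the confinement value (strict/devmode/classic)
snap_confinement() {
    sed -n 's/^confinement:[[:space:]]*//p' "$1"
}

# snap_plugs FILE -> prints each plug from "plugs: [a, b]" lines, one per line,
# de-duplicated. Limitation: the top-level "plugs:" mapping form is not parsed.
snap_plugs() {
    sed -n 's/^[[:space:]]*plugs:[[:space:]]*\[\(.*\)].*/\1/p' "$1" \
        | tr ',' '\n' | tr -d ' ' | sed '/^$/d' | sort -u
}

# disallowed_plugs FILE -> prints requested plugs that are not in ALLOWED_PLUGS
disallowed_plugs() {
    for plug in $(snap_plugs "$1"); do
        allowed=0
        for ok in $ALLOWED_PLUGS; do
            if [ "$plug" = "$ok" ]; then allowed=1; fi
        done
        if [ "$allowed" -eq 0 ]; then echo "$plug"; fi
    done
}

# check_snap FILE -> 0 only if strictly confined and every plug is allowlisted;
# otherwise 1 with the reasons on stderr
check_snap() {
    rc=0
    conf=$(snap_confinement "$1")
    if [ "$conf" != "strict" ]; then
        echo "reject: confinement is '${conf:-unset}', expected strict" >&2
        rc=1
    fi
    bad=$(disallowed_plugs "$1")
    if [ -n "$bad" ]; then
        echo "reject: interfaces outside the allowlist:" >&2
        echo "$bad" | sed 's/^/  /' >&2
        rc=1
    fi
    return $rc
}

check_snap "$WEAK_SNAP_YAML" || true     # rejected: devmode and "home"
check_snap "$STRICT_SNAP_YAML" && echo "accepted: $STRICT_SNAP_YAML"
```

The weak manifest is rejected twice over (devmode, plus the `home` interface), while the strict one passes; on a device you would run `check_snap` against the `meta/snap.yaml` of each snap before it is added to the image, so that confinement downgrades cannot slip in through a build change.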

Ubuntu Core does not limit its security to snaps. The OS abstracts the root-of-trust implementation for its secure boot, verifying the boot firmware's integrity before establishing trust in userspace processes, on both ARM and x86 SoCs. Furthermore, it supports full disk encryption, protecting both the confidentiality and integrity of a device's data in case of physical access.
