Open Source Summit Europe 2025

When integrating eSIMs into a Linux based embedded device, one of the questions is how to manage that eSIM. In case of SGP.21 consumer eSIM or the new SGP.31 IoT eSIM, some software component for management and download of eSIM profiles (LPA or IPA) is required. In the past, this was mostly achieved by proprietary software.

More recently, Free and Open Source Software alternatives for this have materialized, like the "lpac" software. This talk covers those projects, what you can do with them and how to integrate them in your cellular-enabled embedded device. 

The talk will also compare this approach of eSIM integration with other approaches such as the venerable SGP.02 M2M eSIM or using an eUICC-integrated LPA/IPA (LPAe/IPAe).

Factory flashing is a critical stage in the lifecycle of any embedded product. It can quickly become a bottleneck in the supply chain, and its correct execution is essential to ensure that shipped devices are both fully functional and secure. Today’s available tools are often closed-source and tightly coupled to specific vendors, limiting flexibility and making customization difficult.

In 2023, Bootlin introduced Snagboot—an open-source, vendor-agnostic tool designed for recovering and reflashing embedded platforms. Building on this foundation, Bootlin and Texas Instruments collaborated in 2024 to expand Snagboot into a comprehensive factory flashing solution, maintaining its open-source and vendor-neutral nature.

In this talk, we’ll present Snagboot as a recovery and reflashing solution, highlighting its core tools, snagrecover and snagflash. We’ll then dive into the unique challenges of factory flashing and explain how our extended toolset—Snagfactory—addresses them effectively.

Over the last few years, 64-bit Linux has made it from Servers, PCs and high-end embedded machines lower down in the market, everywhere including the smallest embedded Linux targets. This gives new challenges for users that rely on existing 32-bit hardware being kept up to date, while new features development and testing on those machines keeps winding down.

Arnd gives an overview of which 32-bit systems are still supported, and how long that is going to be the case. This covers modern ARMv7/v8 hardware, older ARMv4/v5/v6 machines, and other embedded CPU architectures.

Specific issues include MMU-less microcontrollers, large memory, small memory, 32-bit userland on 64-bit hardware and the state of the 2038 epochalypse.

Embedded Linux security often focuses on protecting the devices against attackers using technical safeguards like secure boot and kernel hardening. While essential, this engineering-oriented perspective can result in overlooking a major threat vector: human behavior. Social engineering remains a common attack method, and even embedded devices with limited interactability can be vulnerable to this.

This presentation explores the relationships between developers, users, and attackers to identify security requirements and possible shortcomings in security planning. Core principles include:

- Prevent users (and developers) from compromising security
- Design for resilience against security failures
- Recognize that misunderstandings lead to errors
- Communicate clearly to reduce social engineering risk

While the talk isn't deeply technical, it presents embedded Linux–oriented solutions to these human-centric challenges where applicable. The presentation is accessible to people who are still beginners in the embedded world. My goal is to ensure that device developers consider the actions of both malicious actors and legitimate users in their threat models.

This talk emerged from observing reoccurring pain points in providing a usable and reliable test infrastructure for complex products. Significant time is spent on avoiding test bench overload, on an efficient workflow and on infrastructure problems. Especially for distributed or platform software, many configurations need to be tested – but hardware is usually scarce due to its costs. And when using a shared test setup, dealing with device reboots and interfaces can be cumbersome. If tests are executed on hardware for no reason and due to generally limited resources, testing then comes with long feedback cycles.

To address hardware availability and scalability (also regarding tested permutations), the talk proposes the use of emulated, close-to-hardware targets. While not being exact, QEMU can produce relevant feedback for parts of the software fast and location independent. By combining it with Labgrid, tests involve less ‘moving parts’ and reuse the provided device control, reducing overall maintenance.

The example code shown in the talk is meant to augment common test setups and serves to illustrate the conscious decision on which tests to run where, when and how.

Transitioning product delivery to upstream Long-Term Support (LTS) components (Linux, U-Boot, Buildroot) presents significant advantages, yet poses challenges. This presentation details a company's experience moving from vendor-specific solutions to upstream, emphasizing the process, hurdles, and ensuing benefits. We explore the strategic shift, highlighting the initial complexities of adapting to upstream workflows. Notably, we analyze the impact on platform maintenance, demonstrating a substantial reduction in time and resources required for updates. By leveraging community-driven LTS releases, the product's security and stability were enhanced, streamlining the delivery pipeline. This analysis underscores the efficacy of upstream adoption in fostering sustainable, efficient product lifecycles, and reducing the overhead associated with maintaining an up-to-date embedded platform.