With the upcoming EU RED 3(3)def and EN 18031 legislation, it is crucial to fix known vulnerabilities. How can this be done in practice for i.MX 6ULL based systems?
We are currently using v.LF5.15.71_2.2.0, which includes Yocto Kirkstone. However, kernel 5.15.71 has a number of security vulnerabilities: 2077 according to cvedetails.com. Patching all of them is hardly feasible, even if tools such as Vigiles are used. By using the latest kernel in this kernel series, the number of vulnerabilities is greatly reduced: the latest 5.15 is 5.15.178, which "only" has 1019 known vulnerabilities (most probably with lower impact). Additionally, there are critical bug fixes as well.
The 5.15 kernel series is maintained until December 2026, meaning that new releases will happen, which close known vulnerabilities.
Unfortunately, as far as I understand, the linux-imx branch is in principle not updated with newer micro releases; 5.15.71 is still the latest one, even though 5.15.71 is ~2.5 years old.
https://github.com/Freescale/linux-fslc/tree/5.15-2.2.x-imx is only slightly better, currently at 5.15.158.
Thus we are wondering: is it at all possible to achieve a secure i.MX 6ULL system, based on this BSP platform? Would you recommend the upstream, linux-fslc or linux-imx (BSP) kernel tree? Obviously, linux-fslc and upstream kernel have advantages in terms of security, but what is missing?
Hello @astrand
I hope you are doing very well.
Please refer to this repo to see the newer BSP version (6.6).
Actually, every quarter of the year, NXP releases a new BSP version; you can see it here.
Please take a look into this information.
Best regards,
Salas.