Verdin iMX8M Plus - Keeping Yocto Packages Up to Date

Hello!

Our device uses a Verdin iMX8M Plus SoM along with a Yocto image, which is based off of the Toradex Minimal Image.

From a cybersecurity management perspective, we are looking to keep the included Linux packages up to date so that known vulnerabilities are patched. Is there an easy way to build Yocto images with the latest packages?

We recently performed a build with the latest release of BSP 6.6.0 (dated 04/2024) but noticed some of the packages are a few years old. For example, this release uses glibc v2.35, which was released on 02/03/2022. It looks like the latest release of glibc is v2.39, which was released on 01/31/2024.

Any suggestions are appreciated!

Thanks!

Greetings @Kyle.W,

In general, if you want to keep your Yocto build up-to-date, you need to continually monitor available Yocto packages and their versions/updates. For example, let’s look at glibc here since you mentioned it.

Our BSP 6.X is based on the LTS Yocto release codenamed “Kirkstone”. The glibc recipe comes from openembedded-core. In the Kirkstone branch of openembedded-core the provided recipe for glibc is version 2.35: glibc « recipes-core « meta - openembedded-core - OpenEmbedded Core layer

This matches your observations. Now if you want a newer version of glibc you must look at future versions of Yocto. As I said, currently we are on Kirkstone. A new Yocto LTS was just released this month, codenamed “Scarthgap”: Releases - Yocto Project

Whenever we release our BSP 7.X it is planned to be based on this Yocto version. Now let’s look at the glibc recipe in the Scarthgap branch: glibc « recipes-core « meta - openembedded-core - OpenEmbedded Core layer

Here it is version 2.39, which is what you’re looking for. Now you can try to backport this version of glibc into your custom meta-layer. Make sure your meta-layer is a higher priority so that this version of glibc has priority when getting selected during the build. As an example we have back-ported things like newer versions of Go into our Torizon OS meta-layer: meta-toradex-torizon/recipes-devtools/go at kirkstone-6.x.y · torizon/meta-toradex-torizon · GitHub

That’s more or less what you would need to do. Now keep in mind that each package recipe was tested and designed for the Yocto release it is in. This means when you backport glibc V2.39, there is a possibility a simple copy and paste will not just work. Perhaps changes or adaptions would be needed to get the recipe working in the older Yocto versions. This is something you would need to figure out during the backport itself.

In summary, you need to monitor available package versions, and backport if needed.

Best Regards,
Jeremias

1 Like
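
The layer setup described in the reply above, sketched as an added example that is not part of the original post or of Toradex's layers. The layer name `meta-custom`, its priority value and the file locations are assumptions; the `GLIBCVERSION` override reflects how openembedded-core's default toolchain configuration pins glibc, which should be confirmed against the checkout actually in use.

```bitbake
# ---- meta-custom/conf/layer.conf  (hypothetical custom layer) ----
BBPATH .= ":${LAYERDIR}"
BBFILES += "${LAYERDIR}/recipes-*/*/*.bb \
            ${LAYERDIR}/recipes-*/*/*.bbappend"

BBFILE_COLLECTIONS += "meta-custom"
BBFILE_PATTERN_meta-custom = "^${LAYERDIR}/"

# Assumed value. It has to be higher than the priority of the layer that
# ships the old recipe; compare with the table printed by:
#   bitbake-layers show-layers
BBFILE_PRIORITY_meta-custom = "50"

# Declares the Yocto release this layer is meant for (BSP 6.X = Kirkstone).
LAYERSERIES_COMPAT_meta-custom = "kirkstone"

# The backported recipe files copied from the Scarthgap branch would live in:
#   meta-custom/recipes-core/glibc/

# ---- distro configuration or conf/local.conf ----
# Layer priority alone does not win against an explicit version pin.
# openembedded-core's default toolchain include sets GLIBCVERSION with a
# weak default (?=) and derives PREFERRED_VERSION_glibc and its companion
# recipes from it, so the pin has to be moved as well.
GLIBCVERSION = "2.39%"

# ---- checks to run after adding the layer ----
# Which layers provide glibc, and which versions are visible:
#   bitbake-layers show-recipes glibc
# Recipes in this layer that shadow a lower-priority layer's recipe:
#   bitbake-layers show-overlayed
# The version BitBake will actually build:
#   bitbake -e glibc | grep '^PV='
```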

You might be interested in:

The Yoe distro releases monthly with the latest bits from Yocto and other layers like Qt6.

We’ve had pretty good success pulling the Toradex meta layers in for the AM62 (we hope to eventually push this as a supported Yoe platform).

1 Like