
Qbee Container OS – Securing Embedded Linux Devices Under the CRA

The upcoming Cyber Resilience Act (CRA) forces companies to rethink how they secure, operate, and update their connected devices. One of the biggest challenges is maintaining an up-to-date and secure operating system (OS).

Today, companies typically choose between two approaches to managing their OS:

  1. Package-based OS management (using Debian, RPM, or similar)
  2. Custom Yocto builds tailored for embedded devices


Each has its strengths and weaknesses in terms of complexity, flexibility, and control:

  • Package-based approach: Easier to manage, but depends on upstream repositories for security patches, which may not always be timely or maintained. Security is effectively delegated to a third party that may have little incentive to maintain it.
  • Yocto builds: Provide a minimal attack surface with precise control, but are complex to develop and maintain, and require constant vulnerability monitoring by the company building the Yocto image.


The main problem is that CRA compliance will be very expensive to achieve if the costs of plugging security issues in the OS cannot be shared across multiple business cases / companies.

Addressing the CRA Challenge with qbee.io today

With qbee package management and qbee’s file manager, users can create an overlay repository to deploy their own patched packages faster than waiting for upstream updates that might never arrive. This is particularly useful for long-lifecycle devices that may no longer have an actively maintained upstream repository.

On the Yocto side, qbee supports image-based OTA updates based on rauc.io, making it easier to maintain secure and tailored embedded systems while reducing the attack surface.

Managing the Application Layer: Packages, OTA, or Containers

Beyond the OS, companies must also securely update their applications.

  • In package-based systems, applications can be deployed as traditional packages or binaries. qbee supports and automates this process.

  • In Yocto-based systems, application updates typically require a full A/B OTA update, replacing the entire OS image. Here qbee provides a RAUC integration: the agent triggers the update on the device, and the qbee backend serves the update bundles with adaptive streaming and differential updates. The differential updates in particular save bandwidth.

  • Containers offer an alternative, assuming the base OS is managed properly: platforms like qbee.io and balena.io manage application deployments via Docker or Podman. However, Balena comes with a major limitation: it controls both the OS and the update cycle, which can slow down security fixes. You then depend entirely on one company to update and maintain the OS, individually for your specific hardware platform.


qbee.io decouples OS updates from application updates. Businesses can therefore adopt any OS strategy and still run independent, secure containerized applications on any hardware or Linux distribution, or use package- or binary-based approaches.

A New Industry Proposal: A Secure, Open Source Container OS

But can this be done smarter, with less vendor lock-in? During internal brainstorming at qbee.io, we identified a critical industry need:

What if we could standardize and streamline security updates at the Yocto level?

Instead of each company struggling to maintain its own secure OS, a collective effort could maintain a CRA-compliant Yocto-based OS with frequent security fixes. Some industry initiatives are already emerging in this space, and we are actively discussing this with consulting firms and customers to gauge interest in building a sustainable business model.

This led us to develop the qbee Open Source Container OS, a reference architecture that anyone is free to modify:
https://github.com/qbee-io/meta-qbee/tree/NOJIRA-qbee-docker-os

How the qbee Open Source Container OS Works

We propose a minimal, secure and open source OS optimized for containerized applications, based on:

  • Yocto Poky – A widely used embedded Linux base
  • RAUC (rauc.io) – A reliable A/B update mechanism
  • Docker/Podman – Enabling flexible containerized applications
  • qbee-agent-meta layer – qbee’s automation and management layer

This combination results in a lightweight, fully managed container OS with automated, secure updates from the upstream repositories, since qbee will auto-build it for all platforms available here:
https://github.com/rauc/meta-rauc-community/tree/master

How does it work in practice?


  • The OS remains minimal and secure, and is automatically rebuilt whenever upstream Poky or anything in the other layers changes.

  • A RAUC-based OTA update process ensures a seamless, CRA-compliant security process with adaptive streaming and differential updates. The device owner controls when an update is deployed, and with qbee tools a CI/CD approach can be achieved.

  • Application containers run independently, fully decoupled from the OS.
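The block-level delta behind the differential updates mentioned above, together with the verification a device must do before the new slot may be marked bootable, can be shown in a few lines. This is an added illustration written for this page, not RAUC's or qbee's code: it mirrors the block-hash-index idea (hash 4 KiB blocks, fetch only the blocks the inactive slot lacks, then check each block and the whole image against the manifest) and uses a constructed 16-block image in place of a real rootfs.

```python
import hashlib
from dataclasses import dataclass

BLOCK = 4096  # hash granularity; RAUC's block-hash-index also works on 4 KiB blocks

def block_hashes(image: bytes) -> list[str]:
    """Split an image into fixed-size blocks and return the SHA-256 of each block."""
    return [hashlib.sha256(image[i:i + BLOCK]).hexdigest()
            for i in range(0, len(image), BLOCK)]

@dataclass
class Manifest:
    """Constructed stand-in for the signed bundle manifest: image digest + block index."""
    image_sha256: str
    block_index: list[str]

def build_manifest(new_image: bytes) -> Manifest:
    return Manifest(hashlib.sha256(new_image).hexdigest(), block_hashes(new_image))

def plan_download(manifest: Manifest, inactive_slot: bytes) -> list[int]:
    """Indexes of blocks absent from the inactive slot; only these must be fetched."""
    have = set(block_hashes(inactive_slot))
    return [i for i, h in enumerate(manifest.block_index) if h not in have]

def apply_update(manifest: Manifest, inactive_slot: bytes, fetch_block) -> bytes:
    """Assemble the new image from reusable local blocks plus fetched blocks, verifying
    every block and then the whole image before the slot may be marked bootable."""
    local: dict[str, bytes] = {}
    for i, h in enumerate(block_hashes(inactive_slot)):
        local.setdefault(h, inactive_slot[i * BLOCK:(i + 1) * BLOCK])
    out = bytearray()
    for i, h in enumerate(manifest.block_index):
        blk = local[h] if h in local else fetch_block(i)
        if hashlib.sha256(blk).hexdigest() != h:  # never trust a fetched block unchecked
            raise ValueError(f"block {i} failed hash check")
        out += blk
    if hashlib.sha256(out).hexdigest() != manifest.image_sha256:
        raise ValueError("assembled image does not match manifest digest")
    return bytes(out)

def demo() -> tuple[int, int]:
    """Constructed sample: a 16-block rootfs where a security fix changed two blocks."""
    old = b"".join(bytes([b]) * BLOCK for b in range(16))
    new = bytearray(old)
    new[3 * BLOCK:4 * BLOCK] = b"\xaa" * BLOCK
    new[9 * BLOCK:10 * BLOCK] = b"\xbb" * BLOCK
    manifest = build_manifest(bytes(new))
    fetch = lambda i: bytes(new[i * BLOCK:(i + 1) * BLOCK])  # stands in for HTTP range requests
    assert apply_update(manifest, old, fetch) == bytes(new)
    return len(plan_download(manifest, old)), len(manifest.block_index)  # (2, 16)
```

The whole-image digest check at the end is what ties the reassembled slot back to the signed manifest; a block that passes its own hash but arrives from the wrong position would still be caught there.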

By leveraging the meta-rauc-community project, which provides Yocto layers for various chip architectures, qbee automatically builds and maintains Yocto images from the upstream repository. Alternatively, vendors can support their kernel and layers on their own.

The ultimate goal? An open-source, industry-backed, secure container OS where updates are timely, transparent, and standardized. For platforms such as the Raspberry Pi, even all the kernel drivers are already in place.

For this to happen it is crucial that the industry supports both the Yocto and the RAUC project. Security can only be maintained if the Yocto libraries are in good shape and frequently scanned and updated, and this could and should be a combined effort of the whole industry.


Real-World Demonstration at Embedded World 2025

At Embedded World 2025 in Nuremberg, at booth 4-616, qbee.io will showcase a live demo of our container OS running on a Raspberry Pi and other platforms, highlighting:

  • Automated, secure OS updates
  • Seamless container management
  • Possible future CRA compliance with a minimal attack surface

This approach allows board manufacturers to add custom drivers via meta layers or kernels, while many IoT and industrial device use cases won’t even require custom board drivers, since they rely only on standard Linux components such as network connectivity, which reduces maintenance overhead.

The Future of Embedded Linux Security

With regulations like the CRA pushing for better security practices, the industry must rethink how we maintain embedded devices.

qbee.io invites partners, consulting firms, and customers to collaborate on a standardized, open-source secure OS, ensuring faster security fixes, streamlined updates, and long-term sustainability.

The cost for maintaining a secure Yocto base needs to be acknowledged and this should be financed by as many shoulders as possible in the industry downstream. The Yocto team is doing a great job providing a tremendous amount of value.
