OS and Boot Managers Under the CRA (EN 304 623, 626)
Operating systems and boot managers are classified as Important Products Class I. Given their foundational role in every computing device, the CRA imposes specific security requirements.
Operating Systems (EN 304 626)
Key Requirements
- Secure defaults – firewall enabled, unnecessary services disabled
- Mandatory access control – SELinux/AppArmor enabled by default
- Encrypted storage – full disk encryption support out of the box
- Automatic security updates – enabled by default
- User separation – proper privilege isolation
- Audit logging – security-relevant events logged by default
Impact on Linux Distributions
- Red Hat, SUSE, Canonical, and other commercial distributors are manufacturers
- Community distributions (Fedora, Debian) are generally exempt as non-commercial
- Enterprise Linux customers should verify vendor CRA compliance
Impact on Embedded OS
- RTOS vendors must comply
- Custom Linux-based firmware is covered if commercially distributed
- Android OEMs are manufacturers for their modified Android distributions
Boot Managers (EN 304 623)
Key Requirements
- Secure Boot – verify firmware and bootloader integrity
- Measured Boot – create attestation of boot chain
- Rollback Protection – prevent downgrade to vulnerable versions
- Signed Updates – cryptographic verification of boot component updates
- Recovery – secure recovery mechanism for failed updates
Affected Products
- GRUB, systemd-boot (when bundled commercially)
- UEFI firmware
- U-Boot (embedded systems)
- Proprietary bootloaders
Key Takeaway
If you ship an operating system or bootloader as part of a commercial product, CRA applies. Start with secure defaults, implement SBOM generation, and plan for 5+ years of security updates.
Building OS or firmware products for the EU market? I help organizations prepare for CRA compliance. Get in touch.
