[PATCH 00/14] Add SPDX SBOM generation tool

Luis Augenstein posted 14 patches 2 weeks, 5 days ago
There is a newer version of this series
[PATCH 00/14] Add SPDX SBOM generation tool
Posted by Luis Augenstein 2 weeks, 5 days ago
This patch series introduces a Python-based tool for generating SBOM
documents in the SPDX 3.0.1 format for kernel builds.

A Software Bill of Materials (SBOM) describes the individual components
of a software product. For the kernel, the goal is to describe the
distributable build outputs (typically the kernel image and modules),
the source files involved in producing these outputs, and the build
process that connects the source and output files.

To achieve this, the SBOM tool generates three SPDX documents:

- sbom-output.spdx.json
  Describes the final build outputs together with high-level
  build metadata.

- sbom-source.spdx.json
  Describes all source files involved in the build, including
  licensing information and additional file metadata.

- sbom-build.spdx.json
  Describes the entire build process, linking source files
  from the source SBOM to output files in the output SBOM.

The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It
is invoked after the build, once all output artifacts have been
generated. Starting from the kernel image and modules as root nodes,
the tool reconstructs the dependency graph up to the original source
files. Build dependencies are primarily derived from the .cmd files
generated by Kbuild, which record the full command used to build
each output file.

Currently, the tool only supports x86 and arm64 architectures.

Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>

Luis Augenstein (14):
  tools/sbom: integrate tool in make process
  tools/sbom: setup sbom logging
  tools/sbom: add command parsers
  tools/sbom: add cmd graph generation
  tools/sbom: add additional dependency sources for cmd graph
  tools/sbom: add SPDX classes
  tools/sbom: add JSON-LD serialization
  tools/sbom: add shared SPDX elements
  tools/sbom: collect file metadata
  tools/sbom: add SPDX output graph
  tools/sbom: add SPDX source graph
  tools/sbom: add SPDX build graph
  tools/sbom: add unit tests for command parsers
  tools/sbom: Add unit tests for SPDX-License-Identifier parsing

 .gitignore                                    |   1 +
 MAINTAINERS                                   |   6 +
 Makefile                                      |   8 +-
 lib/Kconfig.debug                             |   9 +
 tools/Makefile                                |   3 +-
 tools/sbom/Makefile                           |  39 +
 tools/sbom/README                             | 208 ++++++
 tools/sbom/sbom.py                            | 129 ++++
 tools/sbom/sbom/__init__.py                   |   0
 tools/sbom/sbom/cmd_graph/__init__.py         |   7 +
 tools/sbom/sbom/cmd_graph/cmd_file.py         | 149 ++++
 tools/sbom/sbom/cmd_graph/cmd_graph.py        |  46 ++
 tools/sbom/sbom/cmd_graph/cmd_graph_node.py   | 142 ++++
 tools/sbom/sbom/cmd_graph/deps_parser.py      |  52 ++
 .../sbom/cmd_graph/hardcoded_dependencies.py  |  83 +++
 tools/sbom/sbom/cmd_graph/incbin_parser.py    |  42 ++
 tools/sbom/sbom/cmd_graph/savedcmd_parser.py  | 664 ++++++++++++++++++
 tools/sbom/sbom/config.py                     | 335 +++++++++
 tools/sbom/sbom/environment.py                | 164 +++++
 tools/sbom/sbom/path_utils.py                 |  11 +
 tools/sbom/sbom/sbom_logging.py               |  88 +++
 tools/sbom/sbom/spdx/__init__.py              |   7 +
 tools/sbom/sbom/spdx/build.py                 |  17 +
 tools/sbom/sbom/spdx/core.py                  | 182 +++++
 tools/sbom/sbom/spdx/serialization.py         |  56 ++
 tools/sbom/sbom/spdx/simplelicensing.py       |  20 +
 tools/sbom/sbom/spdx/software.py              |  71 ++
 tools/sbom/sbom/spdx/spdxId.py                |  36 +
 tools/sbom/sbom/spdx_graph/__init__.py        |   7 +
 .../sbom/sbom/spdx_graph/build_spdx_graphs.py |  82 +++
 tools/sbom/sbom/spdx_graph/kernel_file.py     | 310 ++++++++
 .../sbom/spdx_graph/shared_spdx_elements.py   |  32 +
 .../sbom/sbom/spdx_graph/spdx_build_graph.py  | 317 +++++++++
 .../sbom/sbom/spdx_graph/spdx_graph_model.py  |  36 +
 .../sbom/sbom/spdx_graph/spdx_output_graph.py | 188 +++++
 .../sbom/sbom/spdx_graph/spdx_source_graph.py | 126 ++++
 tools/sbom/tests/__init__.py                  |   0
 tools/sbom/tests/cmd_graph/__init__.py        |   0
 .../tests/cmd_graph/test_savedcmd_parser.py   | 383 ++++++++++
 tools/sbom/tests/spdx_graph/__init__.py       |   0
 .../sbom/tests/spdx_graph/test_kernel_file.py |  32 +
 41 files changed, 4086 insertions(+), 2 deletions(-)
 create mode 100644 tools/sbom/Makefile
 create mode 100644 tools/sbom/README
 create mode 100644 tools/sbom/sbom.py
 create mode 100644 tools/sbom/sbom/__init__.py
 create mode 100644 tools/sbom/sbom/cmd_graph/__init__.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_file.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph.py
 create mode 100644 tools/sbom/sbom/cmd_graph/cmd_graph_node.py
 create mode 100644 tools/sbom/sbom/cmd_graph/deps_parser.py
 create mode 100644 tools/sbom/sbom/cmd_graph/hardcoded_dependencies.py
 create mode 100644 tools/sbom/sbom/cmd_graph/incbin_parser.py
 create mode 100644 tools/sbom/sbom/cmd_graph/savedcmd_parser.py
 create mode 100644 tools/sbom/sbom/config.py
 create mode 100644 tools/sbom/sbom/environment.py
 create mode 100644 tools/sbom/sbom/path_utils.py
 create mode 100644 tools/sbom/sbom/sbom_logging.py
 create mode 100644 tools/sbom/sbom/spdx/__init__.py
 create mode 100644 tools/sbom/sbom/spdx/build.py
 create mode 100644 tools/sbom/sbom/spdx/core.py
 create mode 100644 tools/sbom/sbom/spdx/serialization.py
 create mode 100644 tools/sbom/sbom/spdx/simplelicensing.py
 create mode 100644 tools/sbom/sbom/spdx/software.py
 create mode 100644 tools/sbom/sbom/spdx/spdxId.py
 create mode 100644 tools/sbom/sbom/spdx_graph/__init__.py
 create mode 100644 tools/sbom/sbom/spdx_graph/build_spdx_graphs.py
 create mode 100644 tools/sbom/sbom/spdx_graph/kernel_file.py
 create mode 100644 tools/sbom/sbom/spdx_graph/shared_spdx_elements.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_build_graph.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_graph_model.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_output_graph.py
 create mode 100644 tools/sbom/sbom/spdx_graph/spdx_source_graph.py
 create mode 100644 tools/sbom/tests/__init__.py
 create mode 100644 tools/sbom/tests/cmd_graph/__init__.py
 create mode 100644 tools/sbom/tests/cmd_graph/test_savedcmd_parser.py
 create mode 100644 tools/sbom/tests/spdx_graph/__init__.py
 create mode 100644 tools/sbom/tests/spdx_graph/test_kernel_file.py

-- 
2.34.1
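The cover letter says the tool reconstructs the dependency graph from the .cmd files Kbuild writes for each output. The following is an added illustration, not code from the patch series: it parses the savedcmd_, source_ and deps_ lines of constructed .cmd contents (paths and commands are hypothetical), walks from a root output down to its inputs, and reports everything that no .cmd file produced as a source file. The link/archive handling is deliberately simpler than the series' savedcmd_parser.

```python
import re
import shlex

# Constructed .cmd contents keyed by the output each describes (on disk
# Kbuild writes them as .<name>.cmd beside the output); paths are hypothetical.
CMD_FILES = {
    "vmlinux": "savedcmd_vmlinux := ld -o vmlinux --whole-archive kernel/built-in.a\n",
    "kernel/built-in.a": "savedcmd_kernel/built-in.a := rm -f kernel/built-in.a; ar cDPrST kernel/built-in.a kernel/fork.o\n",
    "kernel/fork.o": (
        "savedcmd_kernel/fork.o := gcc -Wp,-MMD,kernel/.fork.o.d -c -o kernel/fork.o kernel/fork.c\n\n"
        "source_kernel/fork.o := kernel/fork.c\n\n"
        "deps_kernel/fork.o := \\\n"
        "    $(wildcard include/config/SMP) \\\n"
        "  include/linux/sched.h \\\n"
        "  include/linux/types.h \\\n\n"
        "kernel/fork.o: $(deps_kernel/fork.o)\n\n"
        "$(deps_kernel/fork.o):\n"
    ),
}
WILDCARD_RE = re.compile(r"\$\(wildcard [^)]*\)")


def parse_cmd_file(text):
    """Return (savedcmd, source, deps) from the text of one .cmd file."""
    savedcmd, source, deps = "", "", []
    # Join backslash-continued lines so deps_ becomes one logical line.
    for line in text.replace("\\\n", " ").splitlines():
        key, _, value = line.partition(":=")
        key = key.strip()  # trailing make rules match none of the prefixes
        if key.startswith("savedcmd_"):
            savedcmd = value.strip()
        elif key.startswith("source_"):
            source = value.strip()
        elif key.startswith("deps_"):
            # $(wildcard include/config/...) entries are Kconfig rebuild triggers, not files
            deps = WILDCARD_RE.sub("", value).split()
    return savedcmd, source, deps


def savedcmd_inputs(savedcmd, target):
    """Crude input extraction for link/archive commands: every .o/.a argument other than the target."""
    tokens = [t.rstrip(";") for t in shlex.split(savedcmd)]
    return [t for t in tokens if t.endswith((".o", ".a")) and t != target]


def build_graph(root, cmd_files=CMD_FILES):
    """Walk from a root output down to sources; returns (edges, sources), sources being nodes no .cmd file built."""
    edges, sources, stack = {}, set(), [root]
    while stack:
        node = stack.pop()
        if node in edges or node in sources:
            continue
        text = cmd_files.get(node)
        if text is None:
            sources.add(node)
            continue
        savedcmd, source, deps = parse_cmd_file(text)
        inputs = [source] + deps if source else savedcmd_inputs(savedcmd, node)
        edges[node] = inputs
        stack.extend(inputs)
    return edges, sources
```

Nodes that no .cmd file produced (headers, .c files) are exactly the ones a source SBOM would list; the cover letter notes this classification becomes unreliable when source and object trees coincide.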
Re: [PATCH 00/14] Add SPDX SBOM generation tool
Posted by Greg KH 2 weeks, 5 days ago
On Mon, Jan 19, 2026 at 07:47:17AM +0100, Luis Augenstein wrote:
> This patch series introduces a Python-based tool for generating SBOM
> documents in the SPDX 3.0.1 format for kernel builds.
> 
> A Software Bill of Materials (SBOM) describes the individual components
> of a software product. For the kernel, the goal is to describe the
> distributable build outputs (typically the kernel image and modules),
> the source files involved in producing these outputs, and the build
> process that connects the source and output files.
> 
> To achieve this, the SBOM tool generates three SPDX documents:
> 
> - sbom-output.spdx.json
>   Describes the final build outputs together with high-level
>   build metadata.
> 
> - sbom-source.spdx.json
>   Describes all source files involved in the build, including
>   licensing information and additional file metadata.
> 
> - sbom-build.spdx.json
>   Describes the entire build process, linking source files
>   from the source SBOM to output files in the output SBOM.
> 
> The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It
> is invoked after the build, once all output artifacts have been
> generated. Starting from the kernel image and modules as root nodes,
> the tool reconstructs the dependency graph up to the original source
> files. Build dependencies are primarily derived from the .cmd files
> generated by Kbuild, which record the full command used to build
> each output file.
> 
> Currently, the tool only supports x86 and arm64 architectures.
> 
> Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
> Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
> Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>

This is great work, thank you so much for doing this!

Note, I just tested the series, on 6.19-rc6, and with CONFIG_SBOM
enabled, I get this following "message" at the end of the build when it
generates the sbom:

	make[3]: Nothing to be done for 'sbom'.

Is that intentional?

thanks,

greg k-h
Re: [PATCH 00/14] Add SPDX SBOM generation tool
Posted by Greg KH 2 weeks, 5 days ago
On Mon, Jan 19, 2026 at 10:51:29AM +0100, Greg KH wrote:
> On Mon, Jan 19, 2026 at 07:47:17AM +0100, Luis Augenstein wrote:
> > This patch series introduces a Python-based tool for generating SBOM
> > documents in the SPDX 3.0.1 format for kernel builds.
> > 
> > A Software Bill of Materials (SBOM) describes the individual components
> > of a software product. For the kernel, the goal is to describe the
> > distributable build outputs (typically the kernel image and modules),
> > the source files involved in producing these outputs, and the build
> > process that connects the source and output files.
> > 
> > To achieve this, the SBOM tool generates three SPDX documents:
> > 
> > - sbom-output.spdx.json
> >   Describes the final build outputs together with high-level
> >   build metadata.
> > 
> > - sbom-source.spdx.json
> >   Describes all source files involved in the build, including
> >   licensing information and additional file metadata.
> > 
> > - sbom-build.spdx.json
> >   Describes the entire build process, linking source files
> >   from the source SBOM to output files in the output SBOM.
> > 
> > The sbom tool is optional and runs only when CONFIG_SBOM is enabled. It
> > is invoked after the build, once all output artifacts have been
> > generated. Starting from the kernel image and modules as root nodes,
> > the tool reconstructs the dependency graph up to the original source
> > files. Build dependencies are primarily derived from the .cmd files
> > generated by Kbuild, which record the full command used to build
> > each output file.
> > 
> > Currently, the tool only supports x86 and arm64 architectures.
> > 
> > Co-developed-by: Maximilian Huber <maximilian.huber@tngtech.com>
> > Signed-off-by: Maximilian Huber <maximilian.huber@tngtech.com>
> > Signed-off-by: Luis Augenstein <luis.augenstein@tngtech.com>
> 
> This is great work, thank you so much for doing this!
> 
> Note, I just tested the series, on 6.19-rc6, and with CONFIG_SBOM
> enabled, I get this following "message" at the end of the build when it
> generates the sbom:
> 
> 	make[3]: Nothing to be done for 'sbom'.
> 
> Is that intentional?

Ah, it's on the second run that I see this:

End of the first run that builds the sbom files:
...
  OBJCOPY arch/x86/boot/vmlinux.bin
  AS      arch/x86/boot/header.o
  LD      arch/x86/boot/setup.elf
  OBJCOPY arch/x86/boot/setup.bin
  BUILD   arch/x86/boot/bzImage
Kernel: arch/x86/boot/bzImage is ready  (#526)
  DESCEND sbom
  GEN     sbom-build.spdx.json sbom-output.spdx.json
[INFO] Skipped creating a dedicated source SBOM because source files cannot be reliably classified when the source and object trees are identical. Added source files to the build SBOM instead.

Then I build again and get the following:

  DESCEND objtool
  CALL    scripts/checksyscalls.sh
  INSTALL libsubcmd_headers
Kernel: arch/x86/boot/bzImage is ready  (#526)
  DESCEND sbom
make[3]: Nothing to be done for 'sbom'.


That make message shouldn't probably show up, right?

Also, I don't know if this is even possible, or you care about it, but if you
have ANY sbom file present, it is not regenerated:

	$ rm sbom-build.spdx.json sbom-output.spdx.json
	$ touch sbom-build.spdx.json sbom-output.spdx.json
	$ make
	  DESCEND objtool
	  CALL    scripts/checksyscalls.sh
	  INSTALL libsubcmd_headers
	Kernel: arch/x86/boot/bzImage is ready  (#526)
	  DESCEND sbom
	make[3]: Nothing to be done for 'sbom'.

So, if I change the build config, which will change the sbom output, will the
sbom be regenerated?  Should it depend on the config .h files to know this?

thanks,

greg k-h
Re: [PATCH 00/14] Add SPDX SBOM generation tool
Posted by Luis Augenstein 2 weeks, 4 days ago
> Also, I don't know if this is even possible, or you care about it, but
> if you have ANY sbom file present, it is not regenerated:
> [...]
> So, if I change the build config, which will change the sbom output,
> will the sbom be regenerated?
> Should it depend on the config .h files to know this?

Thanks for pointing this out.
Yes, we can add the following to the Makefile dependencies to ensure the
SBOM is regenerated when the build changes:
- $(objtree)/$(KBUILD_IMAGE)
- $(objtree)/include/generated/autoconf.h
- $(objtree)/modules.order (if CONFIG_MODULES is set)

This should cover most changes.
When you mentioned "config .h files," did you have any other specific
files in mind that should be included as dependencies?

Best,
Luis

-- 
Luis Augenstein * luis.augenstein@tngtech.com * +49-152-25275761
TNG Technology Consulting GmbH, Beta-Str. 13, 85774 Unterföhring
Managing Directors: Henrik Klagges, Dr. Robert Dahlke, Thomas Endres
Chairman of the Supervisory Board: Christoph Stock
Registered office: Unterföhring * Amtsgericht München * HRB 135082
Re: [PATCH 00/14] Add SPDX SBOM generation tool
Posted by Greg KH 2 weeks, 4 days ago
On Mon, Jan 19, 2026 at 09:08:14PM +0100, Luis Augenstein wrote:
> > Also, I don't know if this is even possible, or you care about it, but
> > if you have ANY sbom file present, it is not regenerated:
> > [...]
> > So, if I change the build config, which will change the sbom output,
> > will the sbom be regenerated?
> > Should it depend on the config .h files to know this?
> 
> Thanks for pointing this out.
> Yes, we can add the following to the Makefile dependencies to ensure the
> SBOM is regenerated when the build changes:
> - $(objtree)/$(KBUILD_IMAGE)
> - $(objtree)/include/generated/autoconf.h
> - $(objtree)/modules.order (if CONFIG_MODULES is set)
> 
> This should cover most changes.
> When you mentioned "config .h files," did you have any other specific
> files in mind that should be included as dependencies?

I was referring to the autoconf.h file, thanks for figuring that out, I
couldn't remember what the exact name was.  So that should be sufficient
here.

thanks,

greg k-h