
CRA compliance and known CVEs in ST ECO system

debugging
Lead

Due to the absence of a security forum for MPUs (while there is one for MCUs), I am posting this here.

The CRA prohibits products with known CVEs from being placed or made available on the EU market.

The ST Yocto ECO 6. Scarthgap currently has 632C CVEs. The latest Yocto master has 13.

As such,

1. How can a product be placed on the market while a distro without known CVEs does not exist? A company may have great documentation and processes, but if the actual supplied software has known CVEs there isn't a way to place it on the market.

2. Many devices may use even older ECO system (5.10) images, which may have even more CVEs. How will these get patched?

3. Where can information about the known CVEs in the ST kernel, U-Boot, OP-TEE and TF-A (dev packages) be found?
