feat: add sbom Makefile target

Makefile

@@ -56,3 +56,48 @@ clean:
 	make -C benchmark clean
 	make -C tools clean
 	make -C examples clean
+
+# ---- SBOM generation ----
+CC            ?= cc
+WOLFSSL_DIR   ?= ../../wolfssl
+VERSION       := $(shell sed -n 's/^# wolfHSM Release v\([0-9][0-9.]*\).*/\1/p' ChangeLog.md | head -1)
+SRCS          := $(wildcard src/*.c)
+SBOM_CDX      := wolfhsm-$(VERSION).cdx.json
+SBOM_SPDX     := wolfhsm-$(VERSION).spdx.json
+
+.PHONY: sbom
+
+sbom:
+	@if [ -z "$(VERSION)" ]; then \
+	    echo "ERROR: could not parse version from ChangeLog.md." >&2; \
+	    exit 1; \
+	fi
+	@if [ -z "$(WOLFSSL_DIR)" ] || [ ! -d "$(WOLFSSL_DIR)" ]; then \
+	    echo "ERROR: WOLFSSL_DIR=$(WOLFSSL_DIR) is not a directory." >&2; \
+	    echo "       Set WOLFSSL_DIR to your wolfssl source tree." >&2; \
+	    exit 1; \
+	fi
+	@if [ ! -f "$(WOLFSSL_DIR)/scripts/gen-sbom" ]; then \
+	    echo "ERROR: $(WOLFSSL_DIR)/scripts/gen-sbom not found." >&2; \
+	    echo "       Use a wolfSSL tree that includes SBOM support." >&2; \
+	    exit 1; \
+	fi
+	@echo "wolfHSM version: $(VERSION)"
+	@echo "Sources:         $(words $(SRCS)) .c files in src/"
+	@_defines=$$(mktemp /tmp/wolfhsm-defines.XXXXXX) && \
+	trap 'rm -f "$$_defines"' EXIT && \
+	if ! $(CC) -dM -E -I. -I$(WOLFSSL_DIR) -x c /dev/null >"$$_defines" 2>/dev/null; then \
+	    echo "ERROR: $(CC) -dM -E failed." >&2; exit 1; \
+	fi && \
+	_py=$$(command -v python3 2>/dev/null || command -v python 2>/dev/null) && \
+	[ -n "$$_py" ] || { echo "ERROR: python3 not found." >&2; exit 1; } && \
+	"$$_py" $(WOLFSSL_DIR)/scripts/gen-sbom \
+	    --name wolfhsm \
+	    --version $(VERSION) \
+	    --supplier "wolfSSL Inc." \
+	    --license-file LICENSING \
+	    --options-h "$$_defines" \
+	    --srcs $(SRCS) \
+	    --cdx-out $(SBOM_CDX) \
+	    --spdx-out $(SBOM_SPDX)
+	@echo "Done: $(SBOM_CDX)  $(SBOM_SPDX)"

README.md

@@ -25,3 +25,28 @@ please refer to the following resources.
 - [wolfHSM Manual](https://www.wolfssl.com/documentation/manuals/wolfhsm/index.html)
 - [wolfHSM API Reference](https://www.wolfssl.com/documentation/manuals/wolfhsm/appendix01.html)
 - [wolfHSM Examples](https://github.com/wolfSSL/wolfHSM/tree/main/examples)
+
+## SBOM / EU CRA Compliance
+
+wolfHSM generates a Software Bill of Materials (SBOM) in CycloneDX 1.6 and
+SPDX 2.3 formats to support compliance with the EU Cyber Resilience Act (CRA).
+
+wolfHSM uses a custom build system; invoke `gen-sbom` from the wolfssl source
+tree directly:
+
+```sh
+python3 $WOLFSSL_DIR/scripts/gen-sbom \
+    --name wolfhsm \
+    --version $(head -1 $WOLFHSM_DIR/ChangeLog.md | grep -oE '[0-9]+\.[0-9]+\.[0-9]+') \
+    --supplier "wolfSSL Inc." \
+    --options-h $WOLFSSL_DIR/include/wolfssl/options.h \
+    --srcs $WOLFHSM_DIR/src/*.c
+```
+
+`WOLFSSL_DIR` must point to a wolfssl source tree containing `scripts/gen-sbom`
+(branch `feat/sbom-embedded`, or `master` once wolfSSL/wolfssl#10343 merges).
+`WOLFHSM_DIR` is the root of the wolfHSM source tree.
+
+Requires `python3` and `pyspdxtools` (`pip install spdx-tools`).
+
+For further CRA guidance see [wolfssl/doc/CRA.md](https://github.com/wolfSSL/wolfssl/blob/master/doc/CRA.md).