Embedded Linux products need OTA (Over-The-Air) updates. The three dominant OSS options for Yocto are SWUpdate (flexible, Lua scripting), Mender (integrated SaaS), and RAUC (security-first, lightest footprint). Pick based on licensing, server requirements, and team strengths.
Security patches, EU CRA vulnerability management mandates, field bug fixes — shipping a product you can't update is a liability. This guide compares all three by architecture, licensing, and Yocto integration to help you make the right choice.
Why OTA Updates Are Now Mandatory
OTA updates for embedded devices shifted from "nice to have" to "required."
Security: CVEs are published daily. Without a way to patch devices in the field, vulnerabilities stay open. SBOM/CVE management detects vulnerabilities, but detection without a delivery mechanism is useless.
Regulation: The EU Cyber Resilience Act (Regulation 2024/2847) requires security update capabilities from December 2027. Vulnerability reporting obligations kick in even earlier — September 2026. The FDA reviews software update plans for medical devices.
Cost: Physical recall and re-flashing cost hundreds of times more than an OTA update.
All three tools support A/B partition schemes (dual copy) with automatic rollback on update failure. That's the fundamental difference from manual flashing.
Quick Comparison
| Feature | SWUpdate | Mender | RAUC |
|---|---|---|---|
| License | GPL-2.0 | Apache-2.0 (client) | LGPL-2.1 |
| Latest version | 2025.12 | 5.1.0 | v1.15.1 |
| Language | C | Go / C++ | C (GLib) |
| Update format | .swu (cpio archive) | .mender (Artifact) | .raucb (bundle) |
| Server | hawkBit (OSS) | Mender Server (OSS/SaaS) | None (build your own) |
| Delta updates | OSS (rdiff) | Enterprise only | OSS (casync) |
| Signing | Optional | Optional | Mandatory |
| Scarthgap support | meta-swupdate | meta-mender | meta-rauc |
| Footprint | Small | Large | Smallest |
Architecture Comparison
SWUpdate — Maximum Flexibility
SWUpdate is the "do anything" option. Maintained by Stefano Babic, it follows a YYYY.MM release cadence (May and December).
How it works: Streams .swu files (cpio format). The sw-description file at the head defines the update procedure, and handlers process each component.
Strengths:
- Lua scripting for custom handlers (FPGA, MCU firmware, individual files)
- Built-in Eclipse hawkBit server integration (Suricatta daemon)
- Supports both image-based and file-level updates
- Delta updates are OSS (rdiff handler)
Weaknesses:
- High flexibility means a steep initial learning curve
- sw-description uses a custom format (libconfig)
- Server-side requires separate setup (hawkBit is a different Eclipse IoT project)
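The layout rule from "How it works" above (sw-description at the head of the cpio stream) can be checked before an image is published. This is an added example, not SWUpdate code: the function names and sample archives are constructed here, and the `sw-description.sig` check applies only when the build has signed images enabled.

```python
MAGICS = (b"070701", b"070702")   # cpio "newc" and "crc" header magics
HDR_LEN = 110                     # 6-byte magic + 13 fields of 8 hex digits

def build_cpio(entries):
    """Build a constructed 'crc'-format cpio archive from (name, data) pairs."""
    out = bytearray()
    for name, data in list(entries) + [("TRAILER!!!", b"")]:
        nm = name.encode() + b"\0"
        # ino, mode, uid, gid, nlink, mtime, size, 4 dev fields, namesize, check
        fields = [0, 0o100644, 0, 0, 1, 0, len(data), 0, 0, 0, 0,
                  len(nm), sum(data) & 0xFFFFFFFF]
        out += b"070702" + b"".join(b"%08X" % f for f in fields) + nm
        out += b"\0" * (-len(out) % 4)          # pad name to a 4-byte boundary
        out += data + b"\0" * (-len(data) % 4)  # pad data to a 4-byte boundary
    return bytes(out)

def read_entries(blob):
    """Return [(name, data)] in archive order; raise ValueError if malformed."""
    entries, off = [], 0
    while True:
        hdr = blob[off:off + HDR_LEN]
        if len(hdr) < HDR_LEN or hdr[:6] not in MAGICS:
            raise ValueError(f"bad cpio header at offset {off}")
        # Header fields 6, 11 and 12 are file size, name size and checksum.
        size, namesize, check = (int(hdr[6 + 8 * i:14 + 8 * i], 16) for i in (6, 11, 12))
        name = blob[off + HDR_LEN:off + HDR_LEN + namesize - 1].decode()
        off += HDR_LEN + namesize
        off += -off % 4
        if name == "TRAILER!!!":
            return entries
        data = blob[off:off + size]
        crc_ok = hdr[:6] != b"070702" or sum(data) & 0xFFFFFFFF == check
        if len(data) != size or not crc_ok:
            raise ValueError(f"{name}: truncated payload or checksum mismatch")
        entries.append((name, data))
        off += size + (-size % 4)

def check_swu(blob, require_signature=False):
    """Return findings; an empty list means the member order is acceptable."""
    names = [n for n, _ in read_entries(blob)]
    findings = []
    if names[:1] != ["sw-description"]:
        findings.append("sw-description is not the first archive member")
    if require_signature and names[1:2] != ["sw-description.sig"]:
        findings.append("sw-description.sig does not follow sw-description")
    return findings

DESC = b'software = { version = "1.0.0"; };\n'  # constructed sample, not a real update
GOOD = build_cpio([("sw-description", DESC), ("rootfs.ext4.gz", b"demo image")])
BAD = build_cpio([("rootfs.ext4.gz", b"demo image"), ("sw-description", DESC)])
```

The cpio checksum only catches accidental corruption; it is not an authenticity check, which is what the optional signing in the comparison table provides.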
Mender — Integrated SaaS
Mender is designed as a client-server pair.
How it works: Uses .mender Artifact format to write images to A/B partitions. Standard layout is 4 partitions: boot / rootfs-A / rootfs-B / data.
Strengths:
- Hosted Mender (SaaS) gives you an OTA environment with zero server setup
- Web UI for device management, update deployment, and log viewing
- Update Modules support .deb/.rpm/Docker/single file updates
- Extensive documentation and tutorials
Weaknesses:
- Delta updates are Enterprise/Professional only (not available in OSS)
- 4-partition fixed layout constraint
- Go implementation results in a larger footprint than the other two
- SaaS pricing starts at $34/month (50 devices, Basic). Enterprise requires custom pricing
RAUC — Security-First, Lightest
RAUC puts cryptographic signing at the center of its design. Developed by Pengutronix, it's used by Valve's Steam Deck, IKEA's Dirigera smart home hub, Home Assistant OS, and Deutsche Bahn's onboard Linux (Linux4ICE).
How it works: Installs .raucb bundles (squashfs format) via D-Bus API. Bundle signature verification is mandatory — unsigned bundles are rejected by design.
Strengths:
- Mandatory signing ensures security at the design level
- Smallest footprint of the three tools
- Deep D-Bus and systemd integration
- Adaptive Updates (since v1.8) provide OSS delta updates via block-hash-index
- LGPL-2.1 makes it easier to embed in proprietary products
Weaknesses:
- No official management server — you build your own (or use third-party solutions)
- No web UI or device management dashboard
- File-level updates are less straightforward than image-based ones
- Smaller community compared to SWUpdate and Mender
Yocto Integration in Practice
How each tool integrates with Scarthgap.
SWUpdate + meta-swupdate
# bblayers.conf
BBLAYERS += "/path/to/meta-swupdate"
# conf/local.conf
IMAGE_INSTALL:append = " swupdate"
You define the sw-description file and update image structure yourself. Flexible but requires upfront investment.
For hawkBit server integration:
# conf/local.conf
IMAGE_INSTALL:append = " swupdate-www"
SRC_URI:append:pn-swupdate = " file://defconfig"
Mender + meta-mender
# bblayers.conf
BBLAYERS += "/path/to/meta-mender/meta-mender-core"
# conf/local.conf
INHERIT += "mender-full"
MENDER_ARTIFACT_NAME = "release-1.0"
Adding INHERIT += "mender-full" configures partition layout, bootloader integration, and client installation in one step. Connecting to Hosted Mender requires a tenant token.
RAUC + meta-rauc
# bblayers.conf
BBLAYERS += "/path/to/meta-rauc"
# conf/local.conf
IMAGE_INSTALL:append = " rauc"
In Scarthgap, platform configuration (system.conf, keyring, etc.) was separated into a rauc-conf.bb recipe. Use a bbappend to override system settings for your platform.
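# system.conf example
[system]
compatible=my-product
bootloader=uboot
# CA certificate that bundle signatures are verified against (file name is a placeholder)
[keyring]
path=ca.cert.pem
[slot.rootfs.0]
device=/dev/mmcblk0p2
type=ext4
# bootname is the name the bootloader uses for this slot
bootname=A
[slot.rootfs.1]
device=/dev/mmcblk0p3
type=ext4
bootname=B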
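How automatic rollback plays out for a two-slot layout like the one above, as an added example that is not RAUC's code: it models a boot order plus a remaining-attempts counter per slot, the scheme RAUC's U-Boot integration keeps in BOOT_ORDER and BOOT_<bootname>_LEFT. The slot names A and B, the budget of three attempts, and all class and function names are assumptions.

```python
MAX_TRIES = 3  # assumed attempt budget per slot

class BootEnv:
    """Model of the bootloader environment: a boot order plus per-slot counters."""
    def __init__(self):
        self.order = ["A", "B"]                       # like BOOT_ORDER="A B"
        self.left = {"A": MAX_TRIES, "B": MAX_TRIES}  # like BOOT_A_LEFT / BOOT_B_LEFT

    def select(self):
        """Bootloader: take the first slot with attempts left and spend one attempt."""
        for slot in self.order:
            if self.left[slot] > 0:
                self.left[slot] -= 1
                return slot
        return None  # no bootable slot left: the device needs recovery

    def mark_good(self, slot):
        """Userspace health check passed: restore the slot's attempt budget."""
        self.left[slot] = MAX_TRIES

    def activate(self, slot):
        """After installing to `slot`: boot it first, with a fresh budget."""
        self.order = [slot] + [s for s in self.order if s != slot]
        self.left[slot] = MAX_TRIES

def simulate_update(target, new_image_healthy):
    """Install to `target`, then reboot until some slot is confirmed good.
    Returns the sequence of slots the bootloader tried."""
    env = BootEnv()
    env.activate(target)
    tried = []
    while True:
        slot = env.select()
        tried.append(slot)
        if slot is None:
            return tried
        # The old slot is known to work; the new one only if the image is healthy.
        if slot != target or new_image_healthy:
            env.mark_good(slot)
            return tried
        # Otherwise the boot fails its health check and the device resets.
```

A healthy update boots the new slot once and confirms it; a broken one burns its three attempts and the device comes back up on the previous slot without anyone touching it.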
Which Tool Should You Choose
A decision flow based on project constraints.
Filter by license
| Constraint | Recommendation |
|---|---|
| Embedding in proprietary product | RAUC (LGPL-2.1) or Mender (Apache-2.0) |
| Must avoid GPL | RAUC > Mender > SWUpdate |
| License isn't a concern | All three are candidates |
SWUpdate is GPL-2.0. This typically isn't an issue unless you link against it directly, but legal review may be required.
Filter by server requirements
| Constraint | Recommendation |
|---|---|
| No bandwidth for server setup | Mender (Hosted Mender) |
| Using existing hawkBit | SWUpdate |
| Can build own server | RAUC / SWUpdate |
| No server needed (USB/local delivery) | All three work |
Filter by team and product characteristics
| Constraint | Recommendation |
|---|---|
| Need OTA running quickly | Mender (SaaS + docs) |
| Security is the top priority | RAUC (mandatory signing) |
| Diverse components (FPGA/MCU) to update | SWUpdate (Lua handlers) |
| Minimize footprint | RAUC |
| Need OSS delta updates | SWUpdate (rdiff) / RAUC (casync) |
| Want web UI for device management | Mender |
FAQ
Which OTA tool is easiest to get started with?
Mender. With Hosted Mender (SaaS) and INHERIT += "mender-full" in your Yocto config, you can have a working OTA pipeline without setting up any server infrastructure. The tradeoff is less flexibility and higher long-term cost.
Can I switch OTA tools later?
Technically yes, but it's painful. Each tool has a different partition layout, update format, and bootloader integration. Switching means re-partitioning and re-flashing all deployed devices. Choose carefully upfront.
Do these tools support Raspberry Pi?
All three have Raspberry Pi support. Mender has dedicated Raspberry Pi tutorials in their docs. RAUC and SWUpdate work with the standard meta-raspberrypi layer. For Raspberry Pi 5 specifically, check our Scarthgap guide.
What's the difference between A/B updates and differential (delta) updates?
A/B updates write a complete image to an inactive partition and switch boot targets on success. Delta updates only transfer the changed blocks, reducing bandwidth. SWUpdate (rdiff) and RAUC (Adaptive Updates) offer delta in OSS; Mender requires an Enterprise license.
Is RAUC's mandatory signing a hassle?
It adds initial setup time — you need to generate a CA and signing key — but it prevents accidentally deploying unsigned or tampered bundles. For products shipping to customers, mandatory signing is a feature, not a burden. The RAUC docs walk through PKI setup.
How does the EU CRA affect OTA requirements?
Regulation (EU) 2024/2847 requires products with digital elements to provide security updates throughout their lifecycle. Full compliance is required by December 2027, with vulnerability reporting obligations starting September 2026. An OTA mechanism is effectively mandatory for any connected embedded product sold in the EU.
Can I use these tools without Yocto?
Yes. All three support standalone installation on Debian/Ubuntu and other Linux distributions. But their deepest integration and partition management features are designed around Yocto/OpenEmbedded builds.
Wrapping Up
Each tool in one sentence:
| Tool | In a word | Best for |
|---|---|---|
| SWUpdate | Flexible all-rounder | Custom requirements, hawkBit users |
| Mender | Integrated SaaS | Quick deployment, avoid server ops |
| RAUC | Lightweight, signing-first | Security priority, minimal footprint |
All three are mature on Yocto Scarthgap. There's no wrong choice — the difference comes down to licensing, server requirements, and team strengths.
OTA paired with SBOM/CVE management is where the real value lies. Detect CVEs, build patches, deliver via OTA — this workflow is becoming the standard for embedded products. If you're still designing your Yocto layer structure, plan for OTA from the start — retrofitting is always harder.