What is MCUboot and why do I need it?

MCUboot is a secure bootloader used to verify firmware integrity and enable fail-safe partitions, preventing bricked devices after failed updates.

How do I sign firmware images for production?

Use imgtool.py with ECDSA-P256 or RSA keys, and manage production keys securely to sign images before deployment.

How is rollback protection implemented?

Implement atomic image swaps and require image confirmation (boot_write_img_confirmed) after a successful boot, often coordinated with mcumgr image tests.

security-updates

npx machina-cli add skill beriberikix/zephyr-agent-skills/security-updates --openclaw

Files (1)

SKILL.md

2.5 KB

Zephyr Security & Updates

Build production-ready, secure embedded systems using Zephyr's modular security stack and MCUboot bootloader.

Core Workflows

1. MCUboot Integration

Set up the secure bootloader and define fail-safe flash partitions.

Reference: mcuboot_integration.md
Key Tools: CONFIG_BOOTLOADER_MCUBOOT, fixed-partitions, Devicetree.

2. Image Signing

Ensure firmware integrity with production-grade digital signatures.

Reference: image_signing.md
Key Tools: imgtool.py, ECDSA-P256, RSA.

3. DFU Protocols

Transport updates securely using MCUmgr or cloud-based OTA.

Reference: dfu_protocols.md
Key Tools: mcumgr, Golioth OTA, SMP transport.

4. Rollback Protection

Implement atomic swaps and image confirmation to prevent bricking devices.

Reference: rollback_protection.md
Key Tools: boot_write_img_confirmed(), mcumgr image test.

5. Crypto Basics

Implement secure storage and cryptographic operations using mbedTLS.

Reference: crypto_basics.md
Key Tools: CONFIG_MBEDTLS, TF-M, secure storage.

Quick Start (Kconfig for Secure Boot)

# Enable MCUboot support in application
CONFIG_BOOTLOADER_MCUBOOT=y

# Build with MCUboot using Sysbuild
west build -b nucleo_f401re --sysbuild samples/basic/blinky

Professional Patterns (Security-First)

Production Keys: Never use default MCUboot keys. Provision unique keys during manufacturing.
Heartbeat Confirmation: Only confirm a new image after the application has successfully connected to its cloud backend.
Version Integrity: Enable version monotonicity to prevent accidental or malicious firmware downgrades.

Resources

References:
- mcuboot_integration.md: Partition layouts and setup.
- image_signing.md: Key management and imgtool usage.
- dfu_protocols.md: MCUmgr commands and cloud OTA.
- rollback_protection.md: Swap mechanisms and confirmation code.
- crypto_basics.md: mbedTLS and secure storage.

Source

git clone https://github.com/beriberikix/zephyr-agent-skills/blob/main/skills/security-updates/SKILL.mdView on GitHub

Overview

Zephyr Security & Updates provides a framework for production-ready, secure embedded systems using MCUboot, signed firmware, and secure DFU. It covers core workflows—MCUboot integration, image signing, DFU protocols, rollback protection, and crypto basics with mbedTLS—guiding you through OTA updates, boot security, and key management.

How This Skill Works

Core workflows are implemented with MCUboot for secure boot, production signing with imgtool, DFU via MCUmgr or cloud OTA, and rollback protection through atomic swaps and image confirmation. The stack relies on Kconfig flags (e.g., CONFIG_BOOTLOADER_MCUBOOT), partitions, and Devicetree, plus tools like mcumgr, imgtool, and mbedTLS to secure storage and cryptographic operations.

When to Use It

Planning over-the-air (OTA) updates for Zephyr devices.
Securing the boot process with MCUboot.
Managing cryptographic keys and production signing for firmware.
Enabling secure DFU via MCUmgr or cloud OTA.
Implementing rollback protection to prevent bricked devices.

Quick Start

Step 1: Enable MCUboot support in application: CONFIG_BOOTLOADER_MCUBOOT=y
Step 2: Build with MCUboot using Sysbuild: west build -b nucleo_f401re --sysbuild samples/basic/blinky
Step 3: Deploy and test OTA/DFU flow with MCUmgr or cloud OTA, ensuring image confirmation and rollback paths work

Best Practices

Never use default MCUboot keys; provision unique keys during manufacturing.
Proactively manage production keys and secure storage for keys and certificates.
Enforce heartbeat confirmation: only confirm a new image after cloud backend readiness.
Enable version monotonicity to prevent firmware downgrades.
Test DFU, rollback, and image confirmation flows in staging before production.

Example Use Cases

OTA update of a Zephyr-based sensor node using MCUmgr and a cloud OTA service like Golioth OTA.
Industrial gateway securely booting with MCUboot partitions and rollback protection.
Consumer device signed with imgtool using production ECDSA-P256 keys.
Cloud-based OTA/MCUmgr workflow employing SMP transport for firmware updates.
Secure storage and crypto operations implemented with mbedTLS and TF-M in Zephyr.

Frequently Asked Questions

Add this skill to your agents