Sr Embedded Security Engineer

REDWOOD CITY, CA, US • Posted 1 hour ago • Updated 1 hour ago
Contract W2
12 Months
On-site
Depends on Experience
Fitment

Dice Job Match Score™

🤯 Applying directly to the forehead...

Job Details

Skills

  • Embedded Linux Security
  • Hardware Root of Trust Design
  • Secure Boot Implementation
  • ARM TrustZone Architecture
  • Secure CI/CD Automation & Cryptographic Signing
  • C / C++
  • Python / Bash
  • U-Boot / Barebox
  • Linux Kernel
  • Yocto Project / BitBake
  • Buildroot
  • SELinux / AppArmor
  • cgroups / namespaces / seccomp
  • GitLab CI / GitHub Actions
  • HSM / Secure Key Vault
  • LXC / crun
  • ARM TrustZone (ARMv7-A / ARMv8-A)
  • dm-crypt / dm-verity

Summary

About the Role

Embedded Systems Security Engineer
Onsite in Foster City, CA | 5 days in office
We are looking for an Embedded Systems Security Engineer to implement security solution to harden our
next-generation embedded Linux platform. In this role, you will bridge the gap between low-level hardware
security, kernel hardening, and secure user-space application containment. You will not only design
cryptographic defense mechanisms but will also automate security pipelines in CI/CD and partner directly
with manufacturing teams to ensure devices are provisioned securely and reliably at scale without
production risks.
Roles & Responsibilities:
Platform Hardening & Architecture: Design and implement the Hardware Root of Trust and Secure Boot
architecture from the first-stage bootloader through the Linux kernel.
Storage & Integrity Management: Implement dm-verity for cryptographically verified read-only root
filesystems and secure data encryption at rest.
Trusted Execution Environments: Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author
Secure/Trusted Applications (TAs).
Application Sandboxing: Enforce strict user-space isolation and sandboxing strategies using SELinux,
AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted
applications.
DevSecOps Automation: Build automated cryptographic signing pipelines within CI/CD infrastructure
(e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs
or secure key vaults.
Production Provisioning Support: Collaborate with manufacturing teams to write robust scripts and tools
for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing
end-of-line (EOL) test software to validate security features before shipping.
System Resilience: Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee
fail-safe resilience against failed OTA updates or corrupted boots.
Qualifications:
Education: Bachelors degree in Computer Science, Computer Engineering, Electrical Engineering, or a
related technical discipline (or equivalent practical experience).
Core Experience: 6+ years of professional experience in Embedded Linux development, board
bring-up, and Board Support Package (BSP) customization.
Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features
into physical production hardware.
Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot,
Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).
Hardware Security Architecture: Deep understanding of modern processor security architectures,
specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1-EL3).
Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and
utilizing standard Linux containment tools (cgroups, namespaces).
Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project
(BitBake recipe design) or Buildroot.
Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.
Preferred Qualifications:
Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography,
hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware
Security Modules (HSMs).
Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory
lines to deploy secure key-injection and fuse-burning protocols.
Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight
sandboxing frameworks tailored for resource-constrained architectures.
Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback
strategies for OTA updates.

Key Responsibilities & Skills
  • Embedded Linux Security
  • Hardware Root of Trust Design
  • Secure Boot Implementation
  • dm-verity & Encrypted Filesystems
  • Trusted Execution Environment (TEE) Integration
  • SELinux / AppArmor Hardening
  • Container & Namespace Isolation
  • Secure CI/CD Automation & Cryptographic Signing
  • Production Provisioning & Secure Fuse Programming
  • OTA Update Resilience & Anti-Rollback
  • ARM TrustZone Architecture
  • Board Support Package (BSP) Customization
  • Yocto / Buildroot Build Automation
Technical Skills
  • C / C++
  • Python / Bash
  • U-Boot / Barebox
  • Linux Kernel
  • Yocto Project / BitBake
  • Buildroot
  • SELinux / AppArmor
  • cgroups / namespaces / seccomp
  • GitLab CI / GitHub Actions
  • HSM / Secure Key Vault
  • LXC / crun
  • ARM TrustZone (ARMv7-A / ARMv8-A)
  • dm-crypt / dm-verity
Education

Bachelor's Degree in Computer Science, Computer Engineering, Electrical Engineering, Embedded Systems Engineering, Cybersecurity. Preferred: Master's in Computer Science, Master's in Electrical Engineering, Master's in Cybersecurity, PhD in Computer Engineering, PhD in Embedded Systems.

Industry Experience
  • Embedded Linux Devices
  • IoT / Consumer Electronics
  • Hardware Manufacturing / Contract Manufacturing
  • Secure Firmware Development
  • Automotive Embedded Systems
Employers have access to artificial intelligence language tools (“AI”) that help generate and enhance job descriptions and AI may have been used to create this description. The position description has been reviewed for accuracy and Dice believes it to correctly reflect the job opportunity.
  • Dice Id: 90838929
  • Position Id: 9025802
  • Posted 1 hour ago
Create job alert
Set job alertNever miss an opportunity! Create an alert based on the job you applied for.

Similar Jobs

Foster City, California

Today

Easy Apply

Contract

$$99.26

Mountain View, California

Today

Full-time

USD 189,000.00 - 303,000.00 per year

Redwood City, California

Today

Full-time

Mountain View, California

Today

Full-time

USD 217,000.00 - 275,000.00 per year

Search all similar jobs