About the Role
Embedded Systems Security Engineer
Onsite in Foster City, CA | 5 days in office
We are looking for an Embedded Systems Security Engineer to implement security solution to harden our
next-generation embedded Linux platform. In this role, you will bridge the gap between low-level hardware
security, kernel hardening, and secure user-space application containment. You will not only design
cryptographic defense mechanisms but will also automate security pipelines in CI/CD and partner directly
with manufacturing teams to ensure devices are provisioned securely and reliably at scale without
production risks.
Roles & Responsibilities:
Platform Hardening & Architecture: Design and implement the Hardware Root of Trust and Secure Boot
architecture from the first-stage bootloader through the Linux kernel.
Storage & Integrity Management: Implement dm-verity for cryptographically verified read-only root
filesystems and secure data encryption at rest.
Trusted Execution Environments: Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author
Secure/Trusted Applications (TAs).
Application Sandboxing: Enforce strict user-space isolation and sandboxing strategies using SELinux,
AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted
applications.
DevSecOps Automation: Build automated cryptographic signing pipelines within CI/CD infrastructure
(e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs
or secure key vaults.
Production Provisioning Support: Collaborate with manufacturing teams to write robust scripts and tools
for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing
end-of-line (EOL) test software to validate security features before shipping.
System Resilience: Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee
fail-safe resilience against failed OTA updates or corrupted boots.
Qualifications:
Education: Bachelors degree in Computer Science, Computer Engineering, Electrical Engineering, or a
related technical discipline (or equivalent practical experience).
Core Experience: 6+ years of professional experience in Embedded Linux development, board
bring-up, and Board Support Package (BSP) customization.
Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features
into physical production hardware.
Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot,
Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).
Hardware Security Architecture: Deep understanding of modern processor security architectures,
specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1-EL3).
Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and
utilizing standard Linux containment tools (cgroups, namespaces).
Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project
(BitBake recipe design) or Buildroot.
Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.
Preferred Qualifications:
Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography,
hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware
Security Modules (HSMs).
Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory
lines to deploy secure key-injection and fuse-burning protocols.
Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight
sandboxing frameworks tailored for resource-constrained architectures.
Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback
strategies for OTA updates.
Key Responsibilities & Skills
- Embedded Linux Security
- Hardware Root of Trust Design
- Secure Boot Implementation
- dm-verity & Encrypted Filesystems
- Trusted Execution Environment (TEE) Integration
- SELinux / AppArmor Hardening
- Container & Namespace Isolation
- Secure CI/CD Automation & Cryptographic Signing
- Production Provisioning & Secure Fuse Programming
- OTA Update Resilience & Anti-Rollback
- ARM TrustZone Architecture
- Board Support Package (BSP) Customization
- Yocto / Buildroot Build Automation
Technical Skills
- C / C++
- Python / Bash
- U-Boot / Barebox
- Linux Kernel
- Yocto Project / BitBake
- Buildroot
- SELinux / AppArmor
- cgroups / namespaces / seccomp
- GitLab CI / GitHub Actions
- HSM / Secure Key Vault
- LXC / crun
- ARM TrustZone (ARMv7-A / ARMv8-A)
- dm-crypt / dm-verity
Education
Bachelor's Degree in Computer Science, Computer Engineering, Electrical Engineering, Embedded Systems Engineering, Cybersecurity. Preferred: Master's in Computer Science, Master's in Electrical Engineering, Master's in Cybersecurity, PhD in Computer Engineering, PhD in Embedded Systems.
Industry Experience
- Embedded Linux Devices
- IoT / Consumer Electronics
- Hardware Manufacturing / Contract Manufacturing
- Secure Firmware Development
- Automotive Embedded Systems