In this role, you'll design and deploy security features spanning hardware, firmware, and software, from secure boot and trusted execution environments to kernel hardening and application isolation. You'll also automate security workflows within the CI/CD pipeline and partner with manufacturing teams to ensure devices are securely provisioned and production-ready at scale.
The ideal candidate is an experienced embedded systems engineer with deep expertise in Linux security, secure boot architectures, and hardware root of trust implementations. They are equally comfortable developing low-level security features, automating security processes, and collaborating across engineering and manufacturing teams.
As an Embedded Systems Security Engineer, you'll:
- Design and implement Hardware Root of Trust and Secure Boot architectures from the first-stage bootloader through the Linux kernel.
- Implement cryptographically verified storage solutions, including dm-verity for read-only root filesystems and encryption for data at rest.
- Develop and maintain Trusted Execution Environment (TEE) solutions, such as OP-TEE, and author Trusted Applications (TAs).
- Implement user-space isolation and sandboxing using technologies such as SELinux, AppArmor, cgroups, namespaces, and seccomp.
- Build automated cryptographic signing pipelines within CI/CD environments to securely sign bootloaders, kernels, and over-the-air (OTA) update payloads using hardware security modules (HSMs) or secure key vaults.
- Partner with manufacturing teams to develop secure provisioning tools, including eFuse/OTP programming and end-of-line validation software.
- Design resilient boot and recovery architectures, including A/B partitioning strategies, to ensure reliable system recovery from failed updates or corrupted boots.
Ideal candidate profile
Qualifications:
- Education: Bachelor's degree in Computer Science, Computer Engineering, Electrical Engineering, or a related technical discipline (or equivalent practical experience).
- Core Experience: 6+ years of professional experience in Embedded Linux development, board bring-up, and Board Support Package (BSP) customization.
- Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features into physical production hardware.
- Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot, Barebox) and customizing the Linux kernel storage/security subsystems (dm-crypt, dm-verity).
- Hardware Security Architecture: Deep understanding of modern processor security architectures, specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1-EL3).
- Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and utilizing standard Linux containment tools (cgroups, namespaces).
- Build Automation: Proficiency with embedded Linux build automation frameworks like the Yocto Project (BitBake recipe design) or Buildroot.
- Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.