Skill

security-updates

Guides secure boot and OTA firmware updates for Zephyr RTOS using MCUboot integration, image signing, DFU protocols (MCUmgr), rollback protection, and mbedTLS crypto. Useful for production embedded systems.

Python

Bash

security

npx claudepluginhub beriberikix/zephyr-agent-skills --plugin zephyr-module

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Build production-ready, secure embedded systems using Zephyr's modular security stack and MCUboot bootloader.

Supporting Assets

assets/mcuboot_prj_fragment.confreferences/crypto_basics.mdreferences/dfu_protocols.mdreferences/image_signing.mdreferences/mcuboot_integration.mdreferences/rollback_protection.mdscripts/mcuboot_version_guard.py

SKILL.md

Similar Skills

volt-ota

Designs complete OTA update systems for embedded/IoT devices including partition layouts, update flows, rollback conditions, validation checks, fleet management, failure modes, and recovery.

11 tools

tonone

zephyr-foundations

Delivers Zephyr RTOS foundations: Embedded C patterns (BIT, CONTAINER_OF), concurrency primitives (mutexes, semaphores, spinlocks), devicetree hardware mapping, and defensive programming. For core logic, drivers, troubleshooting.

6 files

zephyr-skills

arm-cortex-expert

36.4k

Delivers complete compilable firmware and peripheral drivers (I²C/SPI/UART/ADC/DMA) for ARM Cortex-M MCUs (Teensy, STM32, nRF52, SAMD) with architecture and concurrency guidance.

antigravity-awesome-skills

Stats

Stars20

Forks4

Last CommitMar 7, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Zephyr Security & Updates

Build production-ready, secure embedded systems using Zephyr's modular security stack and MCUboot bootloader.

Core Workflows

1. MCUboot Integration

Set up the secure bootloader and define fail-safe flash partitions.

Reference: mcuboot_integration.md
Key Tools: CONFIG_BOOTLOADER_MCUBOOT, fixed-partitions, Devicetree.

2. Image Signing

Ensure firmware integrity with production-grade digital signatures.

Reference: image_signing.md
Key Tools: imgtool.py, ECDSA-P256, RSA.

3. DFU Protocols

Transport updates securely using MCUmgr or cloud-based OTA.

Reference: dfu_protocols.md
Key Tools: mcumgr, Golioth OTA, SMP transport.

4. Rollback Protection

Implement atomic swaps and image confirmation to prevent bricking devices.

Reference: rollback_protection.md
Key Tools: boot_write_img_confirmed(), mcumgr image test.

5. Crypto Basics

Implement secure storage and cryptographic operations using mbedTLS.

Reference: crypto_basics.md
Key Tools: CONFIG_MBEDTLS, TF-M, secure storage.

Quick Start (Kconfig for Secure Boot)

# Enable MCUboot support in application
CONFIG_BOOTLOADER_MCUBOOT=y

# Build with MCUboot using Sysbuild
west build -b nucleo_f401re --sysbuild samples/basic/blinky

Professional Patterns (Security-First)

Production Keys: Never use default MCUboot keys. Provision unique keys during manufacturing.
Heartbeat Confirmation: Only confirm a new image after the application has successfully connected to its cloud backend.
Version Integrity: Enable version monotonicity to prevent accidental or malicious firmware downgrades.

Automation Tools

mcuboot_version_guard.py: Enforce monotonic semantic version progression in update pipelines.

Examples & Templates

mcuboot_prj_fragment.conf: Starter secure-boot + image-management config fragment.

Validation Checklist

Signed image verifies at boot and unsigned/tampered image is rejected.
DFU flow completes end-to-end and boots into the new slot.
Rollback behavior triggers correctly when image confirmation is withheld.
Key handling and version policy prevent downgrade and test-key usage in production configs.

Resources

References:
- mcuboot_integration.md: Partition layouts and setup.
- image_signing.md: Key management and imgtool usage.
- dfu_protocols.md: MCUmgr commands and cloud OTA.
- rollback_protection.md: Swap mechanisms and confirmation code.
- crypto_basics.md: mbedTLS and secure storage.
Scripts:
- mcuboot_version_guard.py: Version monotonicity checker for release gates.
Assets:
- mcuboot_prj_fragment.conf: Secure-update config baseline.