Secure Boot From Ground Up™

Secure boot exists to answer one question: should this firmware be allowed to run?

If the answer is no, the device must follow a defined fail-safe path, not guess. It must refuse execution, enter a safe state, and recover deterministically. That is what senior embedded engineers are expected to design, and it is exactly what you will build in this course.

This is not a “verify a signature” demo and it is not a black-box library tour. You will implement a complete, production-minded secure boot workflow on real STM32 hardware in bare-metal code. You will work through a deliberate sequence of engineering milestones that progressively turn a bare-metal MCU into a system that can make trust decisions, enforce policy, and recover safely when anything goes wrong.

What you build

By the end, you will have a portfolio-grade secure boot system that:

• Boots only authorized, signed firmware
• Rejects tampered, corrupted, or unexpected images before execution
• Enforces a policy-aware flash layout with verified slots
• Implements rollback control and trial boot plus confirm behavior
• Executes deterministic recovery when no valid image is available
• Produces release-ready engineering artifacts you can reuse in real products

How the course is structured

You start with the foundations: authenticity, integrity, trust boundaries, root of trust, chain of trust, policy decisions, and failure behavior. Then you implement the full system through a carefully designed project ladder, where each step becomes a concrete engineering capability.

Project milestones

Flash protection and immutability
You learn how real devices prevent boot code tampering. You implement and test flash write protection using option bytes, and you see the practical implications for debugging and recovery.

Integrity with firmware hashing
You implement SHA-256 integrity checks and learn the rules that make or break real systems: what bytes are covered, padding, placement, and how corruption and partial writes surface in real life.

Authenticity with digital signatures
You add ECDSA P-256 signature verification on-device. You embed a public-key trust anchor in firmware and build the full verification flow: hash plus signature equals authenticity.

Bootloader to application execution mechanics
You implement correct bootloader-to-app handoff: MSP setup, VTOR relocation, reset handler dispatch, and the details that prevent a dangerous class of failures like “verify one image, execute another.”

Secure boot, single-slot
You merge integrity and authenticity into the bootloader and enforce verify-then-jump. You add a fixed app header with policy-relevant metadata so the system can make disciplined boot decisions.

Capstone, SBSFU-style system
You implement a complete multi-slot secure boot system on STM32 with Slot A, Slot B, staging, flash-backed boot flags with integrity checks, rollback rules, and deterministic recovery paths. You also produce professional evidence artifacts: a threat model, a secure boot checklist, a test matrix, and test evidence.

• This course is different because you build the complete secure boot system end to end:
• The host side pipeline that packages images with headers, hashes, signatures, and policy relevant metadata
• The on device verifier that parses, hashes, verifies, enforces policy, and decides whether execution is allowed