O2 logo

O2

Sr Embedded Security Engineer

O2

📍 Redwood City, United States 🇺🇸

full-time
senior
on-site
Posted —

Key Skills

LinuxSELinuxARMYoctodm-verity

Industry

Consumer ElectronicsAutomotive

Job Description

About The Role

Embedded Systems Security Engineer

Onsite in Foster City, CA | 5 days in office

We are looking for an Embedded Systems Security Engineer to implement security solution to harden our

next-generation embedded Linux platform. In this role, you will bridge the gap between low-level hardware

security, kernel hardening, and secure user-space application containment. You will not only design

cryptographic defense mechanisms but will also automate security pipelines in CI/CD and partner directly

with manufacturing teams to ensure devices are provisioned securely and reliably at scale without

production risks.

Roles & Responsibilities

  • Platform Hardening & Architecture: Design and implement the Hardware Root of Trust and Secure Boot

architecture from the first-stage bootloader through the Linux kernel.

  • Storage & Integrity Management: Implement dm-verity for cryptographically verified read-only root

filesystems and secure data encryption at rest.

  • Trusted Execution Environments: Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author

Secure/Trusted Applications (TAs).

  • Application Sandboxing: Enforce strict user-space isolation and sandboxing strategies using SELinux,

AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted

applications.

  • DevSecOps Automation: Build automated cryptographic signing pipelines within CI/CD infrastructure

(e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs

or secure key vaults.

  • Production Provisioning Support: Collaborate with manufacturing teams to write robust scripts and tools

for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing

end-of-line (EOL) test software to validate security features before shipping.

  • System Resilience: Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee

fail-safe resilience against failed OTA updates or corrupted boots.

Qualifications

  • Education: Bachelor’s degree in Computer Science, Computer Engineering, Electrical Engineering, or a

related technical discipline (or equivalent practical experience).

  • Core Experience: 6+ years of professional experience in Embedded Linux development, board

bring-up, and Board Support Package (BSP) customization.

  • Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features

into physical production hardware.

  • Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot,

Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).

  • Hardware Security Architecture: Deep understanding of modern processor security architectures,

specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1-EL3).

  • Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and

utilizing standard Linux containment tools (cgroups, namespaces).

  • Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project

(BitBake recipe design) or Buildroot.

  • Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.

Preferred Qualifications

  • Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography,

hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware

Security Modules (HSMs).

  • Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory

lines to deploy secure key-injection and fuse-burning protocols.

  • Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight

sandboxing frameworks tailored for resource-constrained architectures.

  • Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback

strategies for OTA updates.

Key Responsibilities & Skills

  • Embedded Linux Security
  • Hardware Root of Trust Design
  • Secure Boot Implementation
  • dm-verity & Encrypted Filesystems
  • Trusted Execution Environment (TEE) Integration
  • SELinux / AppArmor Hardening
  • Container & Namespace Isolation
  • Secure CI/CD Automation & Cryptographic Signing
  • Production Provisioning & Secure Fuse Programming
  • OTA Update Resilience & Anti-Rollback
  • ARM TrustZone Architecture
  • Board Support Package (BSP) Customization
  • Yocto / Buildroot Build Automation

Technical Skills

  • C / C++
  • Python / Bash
  • U-Boot / Barebox
  • Linux Kernel
  • Yocto Project / BitBake
  • Buildroot
  • SELinux / AppArmor
  • cgroups / namespaces / seccomp
  • GitLab CI / GitHub Actions
  • HSM / Secure Key Vault
  • LXC / crun
  • ARM TrustZone (ARMv7-A / ARMv8-A)
  • dm-crypt / dm-verity

Education

Bachelor's Degree in Computer Science, Computer Engineering, Electrical Engineering, Embedded Systems Engineering, Cybersecurity. Preferred: Master's in Computer Science, Master's in Electrical Engineering, Master's in Cybersecurity, PhD in Computer Engineering, PhD in Embedded Systems.

Industry Experience

  • Embedded Linux Devices
  • IoT / Consumer Electronics
  • Hardware Manufacturing / Contract Manufacturing
  • Secure Firmware Development
  • Automotive Embedded Systems

#JoinOurTeam #NowHiring #ApplyToday