Haystack
← Back to Jobs
Technology

Sr Embedded Security Engineer

Thinkbyte Consulting, Inc.Redwood City, CA🇺🇸United StatesPosted 15 Jul 2026

Quick Overview

Work Type
Hybrid
Level
Mid Senior

Job Description

About the Role

Embedded Systems Security Engineer
Onsite in Foster City, CA | 5 days in office
We are looking for an Embedded Systems Security Engineer to implement security solution to harden our
next-generation embedded Linux platform. In this role, you will bridge the gap between low-level hardware
security, kernel hardening, and secure user-space application containment. You will not only design
cryptographic defense mechanisms but will also automate security pipelines in CI/CD and partner directly
with manufacturing teams to ensure devices are provisioned securely and reliably at scale without
production risks.
Roles & Responsibilities:
Platform Hardening & Architecture: Design and implement the Hardware Root of Trust and Secure Boot
architecture from the first-stage bootloader through the Linux kernel.
Storage & Integrity Management: Implement dm-verity for cryptographically verified read-only root
filesystems and secure data encryption at rest.
Trusted Execution Environments: Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author
Secure/Trusted Applications (TAs).
Application Sandboxing: Enforce strict user-space isolation and sandboxing strategies using SELinux,
AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted
applications.
DevSecOps Automation: Build automated cryptographic signing pipelines within CI/CD infrastructure
(e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs
or secure key vaults.
Production Provisioning Support: Collaborate with manufacturing teams to write robust scripts and tools
for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing
end-of-line (EOL) test software to validate security features before shipping.
System Resilience: Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee
fail-safe resilience against failed OTA updates or corrupted boots.
Qualifications:
Education: Bachelors degree in Computer Science, Computer Engineering, Electrical Engineering, or a
related technical discipline (or equivalent practical experience).
Core Experience: 6+ years of professional experience in Embedded Linux development, board
bring-up, and Board Support Package (BSP) customization.
Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features
into physical production hardware.
Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot,
Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).
Hardware Security Architecture: Deep understanding of modern processor security architectures,
specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1-EL3).
Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and
utilizing standard Linux containment tools (cgroups, namespaces).
Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project
(BitBake recipe design) or Buildroot.
Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.
Preferred Qualifications:
Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography,
hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware
Security Modules (HSMs).
Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory
lines to deploy secure key-injection and fuse-burning protocols.
Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight
sandboxing frameworks tailored for resource-constrained architectures.
Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback
strategies for OTA updates.

Key Responsibilities & Skills
  • Embedded Linux Security
  • Hardware Root of Trust Design
  • Secure Boot Implementation
  • dm-verity & Encrypted Filesystems
  • Trusted Execution Environment (TEE) Integration
  • SELinux / AppArmor Hardening
  • Container & Namespace Isolation
  • Secure CI/CD Automation & Cryptographic Signing
  • Production Provisioning & Secure Fuse Programming
  • OTA Update Resilience & Anti-Rollback
  • ARM TrustZone Architecture
  • Board Support Package (BSP) Customization
  • Yocto / Buildroot Build Automation
Technical Skills
  • C / C++
  • Python / Bash
  • U-Boot / Barebox
  • Linux Kernel
  • Yocto Project / BitBake
  • Buildroot
  • SELinux / AppArmor
  • cgroups / namespaces / seccomp
  • GitLab CI / GitHub Actions
  • HSM / Secure Key Vault
  • LXC / crun
  • ARM TrustZone (ARMv7-A / ARMv8-A)
  • dm-crypt / dm-verity
Education

Bachelor's Degree in Computer Science, Computer Engineering, Electrical Engineering, Embedded Systems Engineering, Cybersecurity. Preferred: Master's in Computer Science, Master's in Electrical Engineering, Master's in Cybersecurity, PhD in Computer Engineering, PhD in Embedded Systems.

Industry Experience
  • Embedded Linux Devices
  • IoT / Consumer Electronics
  • Hardware Manufacturing / Contract Manufacturing
  • Secure Firmware Development
  • Automotive Embedded Systems

Skills

Embedded Systems
Encryption
Bash
C++
GitHub Actions
GitLab CI
IoT
PKI
Python
REST
SAFe
Vault

Similar jobs