{"id":"9a4589c7-bd14-44af-a99e-992005c452dc","shortId":"dfDZgc","kind":"skill","title":"security-updates","tagline":"Secure boot and firmware update workflows for Zephyr RTOS. Covers MCUboot integration, production image signing, DFU protocols (MCUmgr), fail-safe rollback mechanisms, and mbedTLS crypto basics. Trigger when implementing over-the-air (OTA) updates, securing the boot process, or m","description":"# Zephyr Security & Updates\n\nBuild production-ready, secure embedded systems using Zephyr's modular security stack and MCUboot bootloader.\n\n## Core Workflows\n\n### 1. MCUboot Integration\nSet up the secure bootloader and define fail-safe flash partitions.\n- **Reference**: **[mcuboot_integration.md](references/mcuboot_integration.md)**\n- **Key Tools**: `CONFIG_BOOTLOADER_MCUBOOT`, `fixed-partitions`, Devicetree.\n\n### 2. Image Signing\nEnsure firmware integrity with production-grade digital signatures.\n- **Reference**: **[image_signing.md](references/image_signing.md)**\n- **Key Tools**: `imgtool.py`, ECDSA-P256, RSA.\n\n### 3. DFU Protocols\nTransport updates securely using MCUmgr or cloud-based OTA.\n- **Reference**: **[dfu_protocols.md](references/dfu_protocols.md)**\n- **Key Tools**: `mcumgr`, Golioth OTA, SMP transport.\n\n### 4. Rollback Protection\nImplement atomic swaps and image confirmation to prevent bricking devices.\n- **Reference**: **[rollback_protection.md](references/rollback_protection.md)**\n- **Key Tools**: `boot_write_img_confirmed()`, `mcumgr image test`.\n\n### 5. 
Crypto Basics\nImplement secure storage and cryptographic operations using mbedTLS.\n- **Reference**: **[crypto_basics.md](references/crypto_basics.md)**\n- **Key Tools**: `CONFIG_MBEDTLS`, TF-M, secure storage.\n\n## Quick Start (Kconfig for Secure Boot)\n```kconfig\n# Enable MCUboot support in application\nCONFIG_BOOTLOADER_MCUBOOT=y\n```\n```bash\n# Build with MCUboot using Sysbuild\nwest build -b nucleo_f401re --sysbuild samples/basic/blinky\n```\n\n## Professional Patterns (Security-First)\n- **Production Keys**: Never use default MCUboot keys. Provision unique keys during manufacturing.\n- **Heartbeat Confirmation**: Only confirm a new image after the application has successfully connected to its cloud backend.\n- **Version Integrity**: Enable version monotonicity to prevent accidental or malicious firmware downgrades.\n\n## Automation Tools\n- **[mcuboot_version_guard.py](scripts/mcuboot_version_guard.py)**: Enforce monotonic semantic version progression in update pipelines.\n\n## Examples & Templates\n- **[mcuboot_prj_fragment.conf](assets/mcuboot_prj_fragment.conf)**: Starter secure-boot + image-management config fragment.\n\n## Validation Checklist\n- [ ] Signed image verifies at boot and unsigned/tampered image is rejected.\n- [ ] DFU flow completes end-to-end and boots into the new slot.\n- [ ] Rollback behavior triggers correctly when image confirmation is withheld.\n- [ ] Key handling and version policy prevent downgrade and test-key usage in production configs.\n\n## Resources\n\n- **[References](references/)**:\n  - `mcuboot_integration.md`: Partition layouts and setup.\n  - `image_signing.md`: Key management and `imgtool` usage.\n  - `dfu_protocols.md`: MCUmgr commands and cloud OTA.\n  - `rollback_protection.md`: Swap mechanisms and confirmation code.\n  - `crypto_basics.md`: mbedTLS and secure storage.\n- **[Scripts](scripts/)**:\n  - `mcuboot_version_guard.py`: Version monotonicity checker for release gates.\n- **[Assets](assets/)**:\n  - 
`mcuboot_prj_fragment.conf`: Secure-update config baseline.","tags":["security","updates","zephyr","agent","skills","beriberikix","agent-skills","agentic-coding","zephyr-rtos"],"capabilities":["skill","source-beriberikix","skill-security-updates","topic-agent-skills","topic-agentic-coding","topic-zephyr-rtos"],"categories":["zephyr-agent-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/beriberikix/zephyr-agent-skills/security-updates","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add beriberikix/zephyr-agent-skills","source_repo":"https://github.com/beriberikix/zephyr-agent-skills","install_from":"skills.sh"}},"qualityScore":"0.462","qualityRationale":"deterministic score 0.46 from registry signals: · indexed on github topic:agent-skills · 25 github stars · SKILL.md body (3,095 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-24T07:01:42.726Z","embedding":null,"createdAt":"2026-04-18T23:05:01.452Z","updatedAt":"2026-04-24T07:01:42.726Z","lastSeenAt":"2026-04-24T07:01:42.726Z",
"prices":[{"id":"79fb3624-921a-4d79-886b-02064c6dbdc2","listingId":"9a4589c7-bd14-44af-a99e-992005c452dc","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"beriberikix","category":"zephyr-agent-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T23:05:01.452Z"}],"sources":[{"listingId":"9a4589c7-bd14-44af-a99e-992005c452dc","source":"github","sourceId":"beriberikix/zephyr-agent-skills/security-updates","sourceUrl":"https://github.com/beriberikix/zephyr-agent-skills/tree/main/skills/security-updates","isPrimary":false,"firstSeenAt":"2026-04-18T23:05:01.452Z","lastSeenAt":"2026-04-24T07:01:42.726Z"}],"details":{"listingId":"9a4589c7-bd14-44af-a99e-992005c452dc","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"beriberikix","slug":"security-updates","github":{"repo":"beriberikix/zephyr-agent-skills","stars":25,"topics":["agent-skills","agentic-coding","zephyr-rtos"],"license":"apache-2.0","html_url":"https://github.com/beriberikix/zephyr-agent-skills","pushed_at":"2026-04-20T21:40:18Z","description":"A complete catalog of Agent Skills (agentskills.io) for Zephyr RTOS 
development.","skill_md_sha":"dc3691165e84cd1d80aa6bb27be75e82aa6f51cb","skill_md_path":"skills/security-updates/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/beriberikix/zephyr-agent-skills/tree/main/skills/security-updates"},"layout":"multi","source":"github","category":"zephyr-agent-skills","frontmatter":{"name":"security-updates","description":"Secure boot and firmware update workflows for Zephyr RTOS. Covers MCUboot integration, production image signing, DFU protocols (MCUmgr), fail-safe rollback mechanisms, and mbedTLS crypto basics. Trigger when implementing over-the-air (OTA) updates, securing the boot process, or managing cryptographic keys."},"skills_sh_url":"https://skills.sh/beriberikix/zephyr-agent-skills/security-updates"},"updatedAt":"2026-04-24T07:01:42.726Z"}}