MCUboot

Overview

Open-source secure bootloader for 32-bit microcontrollers under the Trusted Firmware project. Provides image signing and validation, anti-rollback, A/B and swap update strategies, and a hardware-abstracted trust framework. Default bootloader for Zephyr; supported by NXP MCUXpresso SDK, Espressif ESP-IDF, Microchip Harmony, and others.

Benefits

• Industry-tested image-validation and rollback machinery — do not roll your own
• Cross-vendor support across Cortex-M, RISC-V, and Xtensa
• Pairs cleanly with OTA pipelines and SBOM/CRA documentation
• Active maintenance under Trusted Firmware

Limitations & Risks

• Configuration surface is large — key management and rollback policies are easy to misconfigure
• Flash overhead for swap/AB partitions is real on small parts
• Integration on bespoke RTOSes can be involved

Recommended Actions

Adopt MCUboot for any product shipping OTA updates — building this from scratch is no longer defensible. Use Zephyr's default integration as a reference; document key-management policy as part of the security plan.

Additional Notes

Pairs directly with #7 Firmware OTA Updates and #4 DevSecOps. Vendor-supplied bootloaders (e.g., STM32 Secure Boot and Secure Firmware Update) are alternatives where portability across MCU families is not a goal.

References & Links

• https://www.trustedfirmware.org/projects/mcuboot/
• https://docs.mcuboot.com/
• https://docs.zephyrproject.org/latest/services/device_mgmt/mcumgr.html