Systems Security Engineer
TalentAlly · San Mateo, CA · Yesterday
MarketingContract
Platform Hardening & Architecture
- Design and implement the Hardware Root of Trust and Secure Boot architecture from the first-stage bootloader through the Linux kernel.
- Implement dm-verity for cryptographically verified read-only root filesystems and secure data encryption at rest.
- Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author Secure/Trusted Applications (TAs).
- Enforce strict user-space isolation and sandboxing strategies using SELinux, AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted applications.
Storage & Integrity Management
- Implement dm-verity for cryptographically verified read-only root filesystems and secure data encryption at rest.
Trusted Execution Environments
- Develop, integrate, and maintain a TEE (e.g., OP-TEE) and author Secure/Trusted Applications (TAs).
Application Sandboxing
- Enforce strict user-space isolation and sandboxing strategies using SELinux, AppArmor, cgroups, namespaces, and seccomp filters to protect core systems from untrusted applications.
DevSecOps Automation
- Build automated cryptographic signing pipelines within CI/CD infrastructure (e.g., GitLab CI, GitHub Actions) to securely sign bootloaders, kernels, and OTA payloads using HSMs or secure key vaults.
Production Provisioning Support
- Collaborate with manufacturing teams to write robust scripts and tools for burning permanent hardware configuration fuses (eFuses / OTP memory) securely, designing end-of-line (EOL) test software to validate security features before shipping.
System Resilience
- Architect multi-slot boot recovery layouts (e.g., A/B partitioning) to guarantee fail-safe resilience against failed OTA updates or corrupted boots.
Qualifications
- Education: Bachelor's degree in Computer Science, Computer Engineering, Electrical Engineering, or a related technical discipline (or equivalent practical experience).
- Core Experience: 6+ years of professional experience in Embedded Linux development, board bring-up, and Board Support Package (BSP) customization.
- Security Focus: 3+ years of dedicated, hands-on experience deploying device-level security features into physical production hardware.
- Low-Level Systems: Expert knowledge of bootloader configurations (e.g., U-Boot Verified Boot, Barebox) and customizing the Linux kernel storage/security subsystem (dm-crypt, dm-verity).
- Hardware Security Architecture: Deep understanding of modern processor security architectures, specifically ARM TrustZone (ARMv7-A / ARMv8-A, Exception Levels EL1EL3).
- Sandboxing & Access Controls: Proven track record implementing SELinux/AppArmor policies and utilizing standard Linux containment tools (cgroups, namespaces).
- Build Automation: Proficiency with embedded Linux build automated frameworks like the Yocto Project (BitBake recipe design) or Buildroot.
- Programming: Advanced proficiency in C and strong scripting skills in Python or Bash.
Preferred Qualifications
- Cryptography Expertise: Strong foundational knowledge of symmetric/asymmetric cryptography, hashing algorithms (SHA-256/384), public key infrastructure (PKI), and handling physical Hardware Security Modules (HSMs).
- Manufacturing Scale: Prior experience working with Contract Manufacturers (CMs) or internal factory lines to deploy secure key-injection and fuse-burning protocols.
- Advanced Sandboxing: Experience with embedded container runtimes (e.g., LXC, crun) or lightweight sandboxing frameworks tailored for resource-constrained architectures.
- Anti-Rollback Protection: Experience designing secure versioning and hardware-enforced anti-rollback strategies for OTA updates.
Benefits
- Creative Circle's Freelance Employee benefits package includes eligibility for Minimum Essential Coverage (MEC) medical plan, dental/vision/term life package, discount prescription program, critical illness, accident, tele-behavioral health, and 401(k) plan.
- Sick leave is provided to Candidates whose assignment work location is in a state or city subject to sick leave laws.
- A Minimum Value (MV) PPO medical plan, Employee Stock Purchase Plan, and paid holiday eligibility are based on length and dates of service.