MCUboot — Secure Bootloader for Microcontrollers
MCUboot is an open-source, hardware-independent secure bootloader for 32-bit microcontrollers. It is the first mutable code to run after the silicon's boot ROM and serves as the root of trust for everything above it: it hands control to a firmware image only after checking that the image carries a valid signature from a key compiled into the bootloader. MCUboot is the default bootloader for Zephyr RTOS and Apache Mynewt, and it is a common building block for meeting the secure-update requirements of the EU Cyber Resilience Act (CRA), although the CRA itself does not name any particular bootloader.
Why MCUboot Matters
Without a secure bootloader, anyone who can write to flash, whether over a debug port or through an unauthenticated update path, can install modified firmware and have the device run it, bypassing every control implemented in software. MCUboot closes that gap, provided the bootloader itself sits in write-protected flash and debug access is locked, by:
- Verifying the signature of a firmware image before executing it, and refusing to boot an image that fails the check
- Managing a primary and a secondary firmware slot so that over-the-air (OTA) updates are staged and installed atomically
- Reverting to the previous image on the next reset if the new one is not confirmed by the application (swap modes only)
- Encrypting update images so the firmware is not exposed in transit or while it sits in the secondary slot (on most targets the image is decrypted as it is installed into the primary slot, so this is not a general defence against reverse engineering of a device in hand)
Key Features
| Feature | Description |
|---|---|
| Image signing | RSA-2048/3072 (PSS), ECDSA P-256 or Ed25519 signature over the image hash; one algorithm is compiled into a given bootloader together with the matching public key (or its hash) |
| Encrypted images | AES-128/256-CTR encryption of the update image; the per-image AES key is wrapped for the device with RSA-OAEP, AES-KW, ECIES-P256 or ECIES-X25519 |
| Dual-slot update | Primary (active) and secondary (staging) slot; a new image is written to the secondary slot and installed by the bootloader on the next boot |
| Swap using scratch | Sector-by-sector swap with progress recorded in the image trailer, so an update interrupted by power loss resumes on the next boot |
| Rollback protection | Two optional mechanisms: downgrade prevention by image version (MCUBOOT_DOWNGRADE_PREVENTION) and a hardware security counter carried in a protected TLV and compared against a counter stored in the device (MCUBOOT_HW_ROLLBACK_PROT); neither is enabled by default |
| Serial recovery | SMP (MCUmgr) over UART or USB CDC for loading an image when no bootable image exists or OTA is unavailable |
| Measured boot | Records the hash, version and security counter of the booted image in shared memory so an attestation service (for example TF-M's PSA attestation on TrustZone-M parts) can report what was loaded |
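To make the verification and rollback checks listed above concrete, here is an added example (not MCUboot or imgtool code) that assembles an image in MCUboot's on-flash layout with the Python standard library and runs the checks the bootloader performs before, and independently of, the signature check: header magic, the SHA-256 over header, body and protected TLVs, the hardware security counter, and version-based downgrade prevention. The constants and struct layout follow bootutil/include/bootutil/image.h; the firmware body, version numbers and stored counter are constructed for the example, and the signature TLV itself is not verified because that needs a crypto library.

```python
"""Build and check an image in MCUboot's on-flash layout (stdlib only).

Added example, not MCUboot or imgtool code. Layout and constants follow
bootutil/include/bootutil/image.h: a 32-byte header padded to ih_hdr_size,
the firmware body, an optional protected TLV area (magic 0x6908) and the
unprotected TLV area (magic 0x6907). The SHA-256 TLV covers header + body +
protected TLVs, the same bytes the bootloader hashes and then signs. The
signature TLV is not verified here (that needs a crypto library); firmware
body, versions and counters below are constructed for the example.
"""
import hashlib
import struct

IMAGE_MAGIC = 0x96F3B83D
TLV_INFO_MAGIC = 0x6907        # unprotected TLV area
TLV_PROT_INFO_MAGIC = 0x6908   # protected TLV area (covered by the hash)
TLV_SHA256 = 0x10
TLV_SEC_CNT = 0x50             # hardware rollback-protection counter
HDR_SIZE = 32                  # imgtool default; Zephyr builds pad to 0x200
HDR_FMT = "<IIHHIIBBHII"       # magic, load_addr, hdr_size, prot_tlv_size,
                               # img_size, flags, major, minor, rev, build, pad


def build_image(body: bytes, version, sec_cnt: int) -> bytes:
    """Assemble header | body | protected TLVs | unprotected TLVs."""
    major, minor, rev, build = version
    prot = struct.pack("<BBHI", TLV_SEC_CNT, 0, 4, sec_cnt)
    prot_area = struct.pack("<HH", TLV_PROT_INFO_MAGIC, 4 + len(prot)) + prot
    hdr = struct.pack(HDR_FMT, IMAGE_MAGIC, 0, HDR_SIZE, len(prot_area),
                      len(body), 0, major, minor, rev, build, 0)
    digest = hashlib.sha256(hdr + body + prot_area).digest()
    tlvs = struct.pack("<BBH", TLV_SHA256, 0, len(digest)) + digest
    unprot_area = struct.pack("<HH", TLV_INFO_MAGIC, 4 + len(tlvs)) + tlvs
    return hdr + body + prot_area + unprot_area


def parse_tlvs(area: bytes, expect_magic: int) -> dict:
    """Walk one TLV area read from untrusted flash; returns {type: value}."""
    magic, total = struct.unpack_from("<HH", area, 0)
    if magic != expect_magic or total > len(area):
        raise ValueError("bad TLV area")
    out, off = {}, 4
    while off + 4 <= total:
        typ, _pad, length = struct.unpack_from("<BBH", area, off)
        off += 4
        if off + length > total:
            raise ValueError("TLV overruns its area")
        out[typ] = area[off:off + length]
        off += length
    return out


def validate(image: bytes, stored_sec_cnt: int, running_version=None) -> str:
    """Checks MCUboot makes before the signature check.
    Returns "ok" or the reason the image would be rejected."""
    f = struct.unpack_from(HDR_FMT, image, 0)
    magic, hdr_size, prot_size, img_size, version = f[0], f[2], f[3], f[4], f[6:10]
    if magic != IMAGE_MAGIC:
        return "bad header magic"
    prot_off = hdr_size + img_size
    prot = {}
    if prot_size:
        prot = parse_tlvs(image[prot_off:prot_off + prot_size], TLV_PROT_INFO_MAGIC)
    unprot = parse_tlvs(image[prot_off + prot_size:], TLV_INFO_MAGIC)
    if unprot.get(TLV_SHA256) != hashlib.sha256(image[:prot_off + prot_size]).digest():
        return "sha256 mismatch: header, body or protected TLVs were modified"
    # MCUBOOT_HW_ROLLBACK_PROT: the counter in the (hashed) protected TLVs must
    # not be below the one stored in device OTP or secure storage.
    if TLV_SEC_CNT not in prot:
        return "no security counter"
    sec_cnt = struct.unpack("<I", prot[TLV_SEC_CNT])[0]
    if sec_cnt < stored_sec_cnt:
        return "security counter %d below stored %d" % (sec_cnt, stored_sec_cnt)
    # MCUBOOT_DOWNGRADE_PREVENTION: (major, minor, revision, build) compared
    # against the image in the primary slot; the build number only counts when
    # the bootloader is configured to compare it.
    if running_version is not None and version < tuple(running_version):
        return "version %s older than running %s" % (version, tuple(running_version))
    return "ok"


def tamper(image: bytes, offset: int) -> bytes:
    """Flip one bit at `offset`, as an attacker patching flash would."""
    b = bytearray(image)
    b[offset] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    fw = b"\x00\x20\x00\x20\x01\x02\x03\x04" * 8   # constructed firmware body
    img = build_image(fw, (1, 2, 0, 0), sec_cnt=3)
    print(validate(img, 3, (1, 1, 0, 0)))                       # ok
    print(validate(tamper(img, HDR_SIZE + 5), 3))                # sha256 mismatch
    print(validate(tamper(img, HDR_SIZE + len(fw) + 8), 3))      # counter is hashed too
    print(validate(build_image(fw, (1, 0, 0, 0), 3), 3, (1, 1, 0, 0)))   # downgrade
    print(validate(build_image(fw, (1, 3, 0, 0), 2), 3))         # counter too low
```

The detail worth noticing is where the security counter lives: in the protected TLV area, which is covered by the hash and therefore by the signature. An attacker cannot lower it without invalidating the signature, whereas the unprotected TLVs (hash, signature, key hash) are not themselves authenticated and have to be parsed as untrusted input, which is why the parser bounds-checks every length field.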
Update Modes
| Mode | Mechanism | Power-loss and revert behaviour | Flash wear |
|---|---|---|---|
| Swap (scratch) | Sector by sector, last sector first: primary → scratch, secondary → primary, scratch → secondary, with each completed step logged in the image trailer | ✅ Resumes after a reset; the old image ends up in the secondary slot, so a failed update can be reverted | Highest (the scratch area is erased once per sector) |
| Swap (move) | Primary image shifted up by one sector, then sectors swapped in place; needs one spare sector in the primary slot and no scratch area | ✅ Resumable and revertable | Medium |
| Overwrite | Secondary copied over primary, then the secondary image is invalidated | ❌ No revert: the previous image is gone, so a bad update leaves nothing to fall back to | Lowest |
| Direct XIP | Bootloader selects the newest valid image and jumps to it in place; each image must be linked for the slot it will run from | ✅ Nothing is copied, so there is nothing to interrupt; revert requires the optional direct-XIP revert support | None at install time |
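The "resumable" claim for the swap modes rests on two properties: the source of every sector copy is erased only after its content has been written somewhere else, and each finished step is committed to the trailer before the next begins. The following added example (a toy flash model, not MCUboot code) mirrors the structure of swap-using-scratch, cuts power at every possible flash operation, reboots, resumes from the recorded status and checks that the slots always end up swapped. Sector contents and the operation count at which power is cut are constructed for the example.

```python
"""Simulation of MCUboot's swap-using-scratch update and its recovery from a
power cut. Added example, not MCUboot code: a toy flash model with the same
structure as bootutil's swap_scratch.c. Sectors are swapped from the last one
down; each sector takes three erase+copy steps (primary -> scratch,
secondary -> primary, scratch -> secondary), and each finished step is written
to the image trailer (the swap status) before the next one starts. Because
the source of a copy is erased only after the copy is committed, any step can
be repeated after a reset. Sector contents and the op-count trigger for the
power cut are constructed for the example."""


class PowerLoss(Exception):
    """Raised by the flash model to simulate a reset mid-update."""


class Flash:
    """One Python list per slot, one entry per sector; None means erased."""

    def __init__(self, primary, secondary):
        self.primary = list(primary)
        self.secondary = list(secondary)
        self.scratch = None
        self.status = []        # stand-in for the trailer's swap-status bytes
        self.copy_done = False  # stand-in for the trailer's copy-done marker
        self.ops = 0            # flash erase/write operations performed
        self.fail_at = None     # op number at which power is cut

    def op(self):
        """Account for one erase or write; power may fail just before it."""
        self.ops += 1
        if self.fail_at is not None and self.ops >= self.fail_at:
            raise PowerLoss()


def do_step(f, i, step):
    """Erase the destination, then copy. A power cut between the two leaves
    the destination erased but the source intact, so the step can be redone."""
    if step == 0:                       # primary[i] -> scratch
        f.op(); f.scratch = None
        f.op(); f.scratch = f.primary[i]
    elif step == 1:                     # secondary[i] -> primary[i]
        f.op(); f.primary[i] = None
        f.op(); f.primary[i] = f.secondary[i]
    else:                               # scratch -> secondary[i]
        f.op(); f.secondary[i] = None
        f.op(); f.secondary[i] = f.scratch


def swap(f):
    """Run, or resume, the swap. Steps already in f.status are skipped."""
    if f.copy_done:
        return
    for i in reversed(range(len(f.primary))):
        for step in (0, 1, 2):
            if (i, step) in f.status:
                continue
            do_step(f, i, step)
            f.op(); f.status.append((i, step))   # status write commits the step
    f.op(); f.copy_done = True


def run_with_power_loss(primary, secondary, fail_at):
    """Start a swap, cut power at flash op `fail_at`, reboot and resume."""
    f = Flash(primary, secondary)
    f.fail_at = fail_at
    try:
        swap(f)
        interrupted = False
    except PowerLoss:
        interrupted = True
    f.fail_at = None   # power is back; the bootloader runs again from reset
    swap(f)
    return f, interrupted


def first_unsafe_cut(primary, secondary):
    """Cut power at every possible op; return the first op number after which
    the resumed swap ends in the wrong state, or None if every cut is safe."""
    clean = Flash(primary, secondary)
    swap(clean)
    for k in range(1, clean.ops + 1):
        f, _ = run_with_power_loss(primary, secondary, k)
        if f.primary != list(secondary) or f.secondary != list(primary):
            return k
    return None


if __name__ == "__main__":
    old = ["old-0", "old-1", "old-2"]   # image in the primary slot
    new = ["new-0", "new-1", "new-2"]   # freshly downloaded update
    print("first unsafe cut point:", first_unsafe_cut(old, new))   # None
    f, hit = run_with_power_loss(old, new, fail_at=7)
    print(hit, f.primary, f.secondary)
```

Overwrite mode has no equivalent of the third step: the old sector is erased and replaced with no copy kept, so the previous image cannot be restored if the new one fails to confirm. That, rather than whether the copy can be restarted, is what separates the overwrite and swap rows in the table.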
Supported Platforms
MCUboot is OS and hardware independent. It supports:
- RTOS: Zephyr, Apache Mynewt, Apache NuttX, Mbed OS and RIOT have ports in the upstream tree; FreeRTOS-based projects get MCUboot through vendor SDK ports
- Vendors: Nordic (nRF52/53/91), STMicroelectronics (STM32L5, STM32U5, STM32H5), NXP (LPC, i.MX RT), Espressif (ESP32), Infineon/Cypress (PSoC 6)
- Architectures: ARM Cortex-M, RISC-V, Xtensa
CRA Compliance Connection
The essential requirements of the EU Cyber Resilience Act (Annex I) include protecting the integrity of programs and configuration against unauthorised modification and providing secure mechanisms for distributing security updates. Mapped onto MCUboot:
- ✅ Authenticated firmware updates: image signing means only images signed with the vendor's key are installed and executed
- ✅ Rollback protection: downgrade prevention and the hardware security counter, once enabled in the bootloader configuration, stop an attacker from reinstalling a signed but vulnerable older image
- ✅ Timely vulnerability remediation: signed OTA updates with a revert path let security patches ship without risking a bricked fleet
Related Terms
- Secure Boot — The broader concept of verified boot chains; MCUboot is the implementation layer for MCU-based systems.
- OTA Update — MCUboot manages the firmware slot swapping that makes secure OTA possible.
- CRA — EU legislation requiring integrity protection and secure security-update mechanisms for products with digital elements; it does not mandate a specific bootloader.
MCUboot is our default bootloader for all embedded development projects, giving CRA-compliant secure boot and OTA from day one. See our Embedded Security & IoT capabilities.