Luka Perkov

Title of proposal

From Real-World Implementations to Standardisation: A Technical Standard for Boot Manager Security

CRA Standards

Vertical standards for security requirements


What does the work you will carry out for the CYBERSTAND SSP consist of?

Through Sartura, we will contribute technical proposals for the boot manager security standard. Our team, including Robert Marko as a U-Boot contributor, Damir Samardžić as an embedded expert and myself as a former U-Boot co-maintainer, will develop draft requirements that translate CRA mandates into practical specifications for bootloaders. We will propose implementation guidance based on our extensive experience with the U-Boot boot manager and embedded systems in general, and contribute test specifications for conformity assessment. Our approach includes verifying draft requirements against state-of-the-art open-source boot managers to ensure practical implementability. We will actively participate in working groups, providing expert input on secure boot implementations, vulnerability handling, and lifecycle security specific to embedded boot managers.


What is the expected result and impact of this activity?

Sartura's contributions will help shape a practical and implementable standard for boot manager security. By providing proposals grounded in our team's real-world boot manager development experience, we aim to influence requirements that balance security robustness with implementation feasibility. Our input will help create clearer compliance pathways for manufacturers, especially SMEs, while strengthening the security foundation of European digital products. Through our participation, we expect to bridge the gap between high-level CRA requirements and the technical realities of embedded system development.


Which aspects of the Cyber Resilience Act (CRA) standardisation are you focusing on?

We are focusing on contributing to the vertical standard for "essential cybersecurity requirements for boot managers." Our proposals will address how CRA Annex I requirements translate to boot manager implementations, covering secure-by-default configurations, protection against unauthorized access, and vulnerability handling adapted for embedded systems. We bring the expertise needed for secure boot architectures and for the practical challenges of updating boot managers in deployed devices.

Full Name
Luka Perkov
Country
Croatia
Organisation
Sartura d.d.
Standards Development Organisation
Working Groups and Technical Committees
ETSI CYBER-EUSR