"Build Once, Trust Always: Single-Image Secure Boot with barebox" (2026)

Sunday at 11:00, 25 minutes, UD2.120 (Chavanne), Embedded, Mobile and Automotive, Ahmad Fatoum, slides, video

Secure-boot projects often end up with a zoo of nearly identical bootloader images for development, factory, and field use, with each variant adding more risk.

This showcase illustrates how to avoid this entirely: one bootloader image that adapts securely to each lifecycle stage using fuse-based state transitions, device-bound unlock tokens, and policy-driven access control.

With barebox and OP-TEE, we’ll show how these mechanisms enforce secure operation while still allowing controlled debugging and recovery, without ever maintaining multiple images.