What is Secure Boot for IoT Devices - and Why CRA Requires It | Platanor

Secure boot verifies that your device runs only firmware you signed. Here is how it works, why CRA treats it as a baseline requirement, and what a correct implementation looks like on Nordic nRF and STM32.

One of the questions that came up in a recent discussion about CRA compliance was whether secure boot is actually required or just recommended. The short answer is: it is required, and it is required because without it, none of your other security measures work reliably.

A device that boots unverified firmware is a device an attacker can fully own - regardless of how good the rest of your security architecture is.

If you are still assessing where your product stands on CRA requirements overall, our complete guide to the EU Cyber Resilience Act covers the full compliance picture including deadlines and product categories.

What happens when a device boots without secure boot

When your microcontroller powers on, it starts executing code from a defined memory location. On most embedded platforms, this is the bootloader - a small piece of code that initializes hardware and loads the main application firmware.

Without secure boot, the bootloader loads whatever firmware it finds at the expected address. It does not check whether that firmware was written by you, whether it has been modified since you shipped it, or whether it is legitimate in any way. It just runs it.

This means an attacker who can write to your device's flash memory - through a firmware update channel, a debug interface, physical access, or a vulnerability in your update mechanism - can replace your firmware with their own. The device will boot it without complaint. It will appear to function normally. It is now running attacker code.

The attacker does not need to break your encryption. They do not need your private keys. They just need to get their firmware onto the device, and the device will run it.

This is not a theoretical scenario. It is the standard attack against IoT devices that lack firmware integrity verification. The Mirai botnet, which took down significant internet infrastructure in 2016, was built largely on devices where firmware modification was trivial.

How secure boot works - the chain of trust

Secure boot solves this by making the device verify firmware authenticity before executing it. The mechanism is a cryptographic chain of trust that starts at the hardware level.

Here is how the chain works, step by step:

Step 1 - Root of trust in hardware. The process starts with something that cannot be modified after manufacturing: a public key hash burned into One-Time Programmable (OTP) memory, or a key stored in hardware security elements on the chip. This is the hardware root of trust. It is the anchor of the entire chain - the one thing the attacker cannot replace.

Step 2 - Bootloader verification. When the device powers on, the first-stage boot code (which lives in ROM and cannot be modified) reads the bootloader from flash and checks its cryptographic signature against the public key in OTP memory. If the signature is valid, the bootloader is authentic and execution continues. If the signature does not match, boot halts.

Step 3 - Application firmware verification. The bootloader, now verified, performs the same check on the main application firmware. It reads the firmware image, verifies its signature against a trusted public key, and only passes execution to the application if the signature is valid.

Step 4 - Chain continues. Each verified component can extend the chain further - verifying configuration data, checking software versions, validating update packages before applying them.

The result: the device only runs code that was signed with your private key. An attacker who replaces your firmware with their own cannot sign it with your key. The device will reject it and refuse to boot.

Why CRA treats secure boot as a baseline

Annex I of the CRA requires manufacturers to ensure the integrity of software running on connected products. The specific requirement is that products must include mechanisms to verify the authenticity and integrity of software - both at boot time and during updates.

Secure boot satisfies the boot-time requirement. Without it, there is no basis for claiming that the software running on a shipped device is the software you intended to ship.

This is why CRA treats secure boot not as an advanced security feature but as a baseline - the minimum foundation without which everything else is unreliable. Encrypted communications are only meaningful if you can trust that the device establishing the connection is running legitimate firmware. Unique device identity is only meaningful if the identity cannot be replaced along with a firmware swap.

Secure boot is the prerequisite that makes the rest of the security architecture trustworthy.

To understand the full set of December 2027 product requirements, see our guide on CRA product classification: Default, Important Class I, and Class II.

What this looks like on Nordic nRF and STM32

Nordic nRF (nRF5340, nRF9160, nRF52 series)

Nordic's security architecture centers on the Trusted Execution Environment (TrustZone-M on Cortex-M33 cores) and the NSIB - Nordic Secure Immutable Bootloader. The NSIB lives in the device's ROM-equivalent region and is the hardware root of trust on these platforms.

The typical secure boot chain on nRF:

NSIB verifies the first-stage bootloader (MCUboot) using a public key provisioned in the device's Key Management Unit (KMU) or UICR registers
MCUboot verifies the application image signature before loading it
Firmware images are signed with ECDSA (typically using a P-256 key pair) as part of the build process

Nordic's nRF Connect SDK includes MCUboot integration. The key management - generating signing keys, provisioning public keys into the device, signing images at build time - is where most teams need to put deliberate effort. The tooling exists; it requires intentional setup.

STM32 (STM32L5, STM32U5, STM32H5 series - TrustZone-capable)

ST implements secure boot through the STM32 Secure Boot and Secure Firmware Update (SBSFU) library, and more recently through the built-in Secure Boot (STiROT and OBKey) mechanisms on newer series.

The chain on STM32:

The immutable ROM bootloader reads the secure boot configuration and public key hash from Option Bytes (OTP-equivalent)
It verifies the application image before passing execution
Anti-rollback protection is enforced through a monotonic counter in Option Bytes - the device will reject firmware older than the current installed version

One important detail on STM32: Option Bytes must be locked before shipping. Development boards ship with Option Bytes in an unlocked state, which allows debug access and key replacement. Shipping a device with unlocked Option Bytes means an attacker with physical access can re-provision the root of trust key. This is a configuration step that has to be part of your manufacturing process.

The mistake that ships with more products than it should

Secure boot is disabled in the production build.

This happens more often than it should, and it happens for an understandable reason: secure boot complicates the development and testing workflow. Signing every firmware image, managing keys, dealing with devices that refuse to boot unsigned debug builds - it adds friction. So teams enable it in the security architecture, implement the mechanism correctly, and then leave a flag or build configuration that bypasses signature verification in production.

The device ships. It passes internal testing. The secure boot feature exists in the codebase. And it does nothing, because the production build has verification disabled or the signing key is a placeholder that was never properly provisioned.

The correct approach is to treat production configuration - Option Bytes locked, debug interfaces disabled, signing key provisioned, verification enforced - as a formal step in the manufacturing process with its own validation check. Not a development task that someone will get to.

FAQ

Does CRA specifically mention secure boot by name? The regulation uses the term "mechanisms to verify the integrity and authenticity of software" rather than "secure boot" specifically. Secure boot is the standard implementation of this requirement for embedded devices. A device that cannot verify firmware integrity at boot time does not meet the Annex I requirement.

Can I implement secure boot on hardware that does not have a hardware root of trust? Partially. Some lower-end microcontrollers lack OTP memory or hardware key storage. In those cases, software-only implementations provide weaker guarantees - an attacker with flash access can potentially replace both the verification code and the key. For CRA compliance, hardware-backed root of trust is the correct approach. It is a hardware selection decision that should be made at the architecture stage, not after the board is designed.

Does secure boot prevent all firmware attacks? No. Secure boot verifies that firmware is authentic at load time. It does not protect against vulnerabilities within the legitimate firmware itself - a properly signed firmware image can still contain bugs that attackers exploit at runtime. Secure boot is one layer of a defense-in-depth architecture, not a complete solution on its own.

What happens if my signing key is compromised? If your private signing key is compromised, an attacker can sign malicious firmware that passes verification. Key management - generating keys securely, storing private keys in hardware security modules, rotating keys if compromise is suspected - is as important as the implementation itself. A secure boot implementation is only as strong as the key management around it.

We have secure boot implemented. Does that mean we are CRA-compliant on firmware integrity? Secure boot covers boot-time integrity. CRA also requires integrity verification for firmware updates - the OTA update mechanism must verify the authenticity and integrity of update packages before applying them. These are related but separate requirements. Both need to be in place.

Sources: CRA Regulation (EU) 2024/2847 - Annex I; Nordic Semiconductor - Security documentation; STMicroelectronics - SBSFU application note AN5056

Denys Zaliznyak is the CTO of Platanor Technologies. Platanor designs and implements embedded security architecture for IoT and hardware manufacturers - including secure boot, device identity, and the full CRA compliance documentation package. platanor.com/contact