Embedded Linux Security Engineer; Kernel​/Bootloader​/Ramdisk

Job Title

Embedded Linux Security Engineer (Kernel/Boot loader / Ramdisk)

Atlanta, GA

C2C

8 Years in Embedded Linux Development

Embedded Linux / Security / Kernel CVE Remediation / Firmware Hardening

Xilinx Zynq SoC (ARM-based)

2 Positions

We are seeking a highly skilled Embedded Linux Security Engineer with deep expertise in kernel-level CVE remediation, U-Boot boot loader hardening, and Buildroot-based firmware development. This role is critical to ensuring the security and resilience of our Xilinx Zynq-based hardware platform running Linux kernels, U-Boot bootloaders, and Buildroot-generated ramdisk images. The ideal candidate will be responsible for identifying, analyzing, triaging, and patching security vulnerabilities (CVE-based) across the entire embedded software stack — from the Linux kernel and boot loader through to user‑space applications, libraries, and services.

This is a hands‑on, technically demanding role requiring expertise in kernel patching, cross‑compilation tool chains, secure boot mechanisms, and embedded system hardening.

• Vulnerability Assessment & CVE Remediation
• Identify, analyze, and triage CVEs impacting the Xilinx Linux kernel, ramdisk packages, U-Boot, and embedded software stack using NVD, AMD/Xilinx Security Bulletins, and OSS tooling.
• Apply kernel patches, backport security fixes from upstream LTS kernels (e.g., 5.x LTS, Xilinx downstream), or implement mitigation workarounds.
• Patch vulnerabilities in U-Boot, kernel modules, device drivers, and user‑space packages (Busy Box, OpenSSL, etc.) — primarily focused on version upgrades and CVE-specific patches.
• Maintain detailed documentation of vulnerabilities, root cause analysis, mitigation steps, patch sources, and validation results.
• Track and report CVE remediation progress to stakeholders and external auditors.
• Buildroot-Based Embedded Linux System Maintenance
• Configure, customize, and maintain the Buildroot build environment used to compile U-Boot, Linux kernel, and ramdisk/root file system images.
• Ensure secure configuration of Buildroot-generated packages, system services, and network daemons.
• Optimize build configurations for minimal attack surface and reduced package footprint.
• Manage cross-compilation tool chains, package dependencies, and library versions.
• Secure Boot & Firmware Hardening
• Implement and validate secure boot mechanisms on Zynq platforms using Xilinx Peta Linux / Vitis toolchain.
• Harden the Linux OS, kernel configuration (kconfig), and boot chain against common attack vectors.
• Implement kernel module signing and enforce boot chain integrity.

• Strong hands‑on experience with Linux kernel patching, including CVE remediation, patch backporting, and diff/patch workflows.
• Deep knowledge of Buildroot build systems — package configuration, file system generation, and toolchain management.
• Expertise in U-Boot boot loader configuration, customization, secure boot implementation, and boot chain hardening.
• Proficiency in Embedded Linux development for ARM platforms, specifically Xilinx Zynq or similar SoCs.
• Familiarity with Xilinx‑specific kernel and boot loader repositories; experience with Peta Linux or Vitis toolchain is a strong plus.
• Solid understanding of cross‑compilation tool chains (gcc-arm, Buildroot toolchain, Yocto SDK).
• Kernel debugging skills using JTAG, GDB, kernel logs, and tracing tools.
• Knowledge of the target Linux kernel version family (Xilinx downstream / LTS 5.x or later).

• Proven experience in CVE analysis, CVSS scoring, vulnerability triage, and remediation prioritization.
• Familiarity with vulnerability databases and tools: NVD, AMD/Xilinx Security Bulletins, Trivy, or similar.
• Knowledge of secure boot mechanisms and kernel module signing.
• Experience hardening embedded Linux OS configurations.

• Proficiency in C for kernel module development, patching, low‑level debugging, and userspace‑kernel interaction.
• Shell scripting (Bash) for build automation and patch workflows.

• Version control:
  Git, Git Hub workflows, patch management.
• Build systems:
  Buildroot, Make, CMake, Yocto (familiarity).
• Debugging & analysis: GDB, JTAG debuggers, strace, valgrind.
• Documentation & tracking:
  Confluence, JIRA.
• Security tooling: NVD, Code Sonar, Code Sentry

• Bachelor's or Master's degree in Computer Science, Electrical Engineering, Cybersecurity, or a related field.
• 5+ years of professional experience in Embedded Linux development with a security focus.
• Hands‑on experience with Xilinx Peta Linux or Vitis tools on Zynq-7000 or Zynq Ultra Scale+ platforms.
• Experience with Yocto Project as an alternative embedded Linux build system.
• Proficiency in C for kernel module development, patching, low‑level debugging, and userspace‑kernel interaction.