Drones and unmanned aerial vehicles are increasingly deployed in commercial, industrial, and defence-adjacent applications, from infrastructure inspection and precision agriculture to logistics and surveillance. As these platforms carry out missions of growing consequence, the security of the software running on the flight controller has become a critical concern. An unsecured flight controller is vulnerable to firmware tampering attacks that could alter the drone's behaviour, introduce malicious functionality, or compromise the safety of the platform and its surroundings.
India's regulatory framework for commercial drones, administered through the Directorate General of Civil Aviation (DGCA) and informed by national cybersecurity policy, imposes specific requirements on the security architecture of commercially operated UAV platforms, including requirements around firmware integrity, secure update mechanisms, and protection against unauthorised software modification.
An Indian drone technology company developing commercial UAV platforms on the Ardupilot open-source flight controller framework approached Embien to develop a production secure bootloader for their STM32H7-based flight controller. The bootloader had to enforce firmware integrity and authenticity through cryptographic signature validation, support secure firmware updates over both UART and CAN interfaces, protect sensitive operational log data, and meet the cybersecurity requirements applicable to commercially operated drones in India.
The Ardupilot framework, while a mature and capable open-source flight controller platform widely used in commercial drone development, does not include a production-grade secure boot implementation by default. Integrating a secure bootloader into the Ardupilot boot chain on the STM32H7 required careful understanding of the Ardupilot firmware structure, memory layout, and boot sequence, ensuring that the secure bootloader could validate and hand off to the Ardupilot application firmware without disrupting the timing or behaviour of the flight controller's initialisation sequence.
The STM32H7's flash memory architecture, with its multiple flash banks, option bytes, and secure area configuration, had to be carefully managed to implement the bootloader and application partitioning required for secure boot while preserving the flash layout expected by the Ardupilot firmware build system. Option byte configuration for read-out protection and secure area definition had to be applied correctly to prevent the bootloader's cryptographic keys and security-sensitive code from being extracted through debug interfaces.
The RSA asymmetric signature validation requirement, verifying the cryptographic signature of the firmware image before execution, introduced a computational overhead at boot time that had to be managed within the drone's power-on to flight-ready timing budget. RSA signature verification is computationally intensive on a microcontroller, and the implementation had to be optimised to complete within an acceptable time without compromising the cryptographic strength of the validation.
Supporting firmware updates over both UART and CAN interfaces, the two primary physical connectivity options on Ardupilot-based platforms, required implementing reliable, error-tolerant firmware image reception on both channels, with the received image validated cryptographically before being programmed to flash.

Secure Boot Architecture on STM32H7
The secure bootloader occupies a protected region of the STM32H7's internal flash, configured through option bytes to be read-out protected against external debug access. On every power-on or reset, the STM32H7 begins execution in the bootloader before any Ardupilot application code runs. The bootloader performs a complete cryptographic validation of the application firmware image stored in the application flash partition before transferring execution, ensuring that only firmware carrying a valid RSA signature from the authorised signing authority can run on the platform.
The bootloader's own integrity is protected through the STM32H7's hardware secure area configuration, preventing the bootloader code and the embedded public key from being modified or extracted. This hardware-anchored protection ensures that the root of trust established by the bootloader cannot be bypassed even by an attacker with physical access to the device and a debug probe.
RSA Asymmetric Signature Validation
Firmware integrity and authenticity are enforced through RSA asymmetric signature validation. At the production signing stage, a firmware image is signed using the private key held by the drone manufacturer, generating a signature that is appended to the firmware image as a header. The corresponding public key is embedded in the secure bootloader at manufacturing time.
On each boot, the bootloader computes the hash of the application firmware image stored in flash and validates it against the appended signature using the embedded public key. If the signature is valid, confirming that the firmware was signed by the holder of the private key and has not been modified since signing, the bootloader transfers execution to the application. If validation fails, indicating either an unsigned image or a tampered one, the bootloader refuses to execute the application and enters a safe fault state, preventing compromised firmware from running on the flight controller under any circumstances.
The RSA validation implementation was optimised for the STM32H7's Cortex-M7 core, leveraging the processor's hardware floating-point and DSP capabilities where applicable to minimise the validation time within the drone's boot timing budget.
Secure Firmware Update over UART and CAN
Firmware updates are supported over both UART and CAN interfaces, the two connectivity options most commonly available on Ardupilot-based drone platforms. The update process receives the new firmware image, pre-signed by the manufacturer's signing toolchain, over the selected interface, storing it in a designated staging area in flash. Once reception is complete, the bootloader validates the received image's RSA signature before programming it to the application partition. An image that fails signature validation is rejected and discarded, the existing firmware remains intact and the drone continues to operate on the last validated firmware version.
The firmware reception protocol handles packet loss, retransmission, and connection interruption gracefully, ensuring that a failed or incomplete update does not leave the flash in a partially written state that could prevent the drone from booting. Checksum validation of the received image prior to RSA validation provides an additional integrity check that filters out transmission errors before the more computationally expensive cryptographic validation is invoked.
Secure Log Storage
Operational log data, recording flight events, system diagnostics, and security-relevant events such as boot validation outcomes and update attempts, is stored in a protected flash region accessible only through controlled interfaces. The secure log storage prevents unauthorised access to or modification of the log data, preserving the integrity of the audit trail required for incident investigation and regulatory compliance purposes. Log entries are protected against tampering through integrity verification mechanisms that detect any post-write modification of stored log content.
Signing Toolchain and Key Management
A complete firmware signing toolchain was developed and delivered alongside the bootloader, providing the drone manufacturer with scripts for RSA key pair generation, firmware image signing, and bootloader and application binary merging for production programming. The toolchain was designed for integration into the customer's firmware build pipeline, enabling signed firmware images to be produced as a standard output of the build process without manual intervention. Public key update support was also implemented in the bootloader, allowing the embedded public key to be rotated under controlled conditions if required, providing a path to key revocation and replacement over the product lifetime.
Indian Drone Cybersecurity Compliance
The complete secure bootloader implementation, covering firmware integrity validation, secure update, debug interface protection, and audit logging, was aligned with the cybersecurity requirements applicable to commercially operated drones in India. The implementation was documented with the technical evidence required to support the customer's regulatory compliance submissions, covering the security architecture, the cryptographic algorithms and key lengths employed, the threat mitigations provided by each security mechanism, and the validation approach used to verify correct implementation.
This Ardupilot secure bootloader project demonstrates Embien's capability to deliver production-grade embedded security implementations for commercial UAV platforms operating under regulatory cybersecurity requirements. By developing a hardware-anchored secure boot architecture on the STM32H7, with RSA firmware validation, dual-interface secure update, secure log storage, and a complete signing toolchain, Embien provided its drone technology customer with a security foundation that meets Indian drone cybersecurity requirements and protects the integrity of their flight controller software throughout the product lifecycle. This project reflects Embien's growing expertise in embedded security for safety-critical and regulated autonomous systems, a domain where the consequences of inadequate firmware protection extend well beyond data security to the physical safety of the platform and its surroundings.
Partner with Embien for production secure bootloader development on Ardupilot and other embedded flight controller platforms.