Platform Security Engineering - OpenBMC

About The Position

Requirements

• 8+ years of experience in systems security, with at least 5 years focused on firmware and hardware security (firmware, bootloaders, and OS-level security).
• Strong technical cross-functional leadership skills and direction setting.
• Hands-on OpenBMC/BMC firmware experience on x86 and/or Arm, from bring-up through production with hands-on D-Bus/sdbusplus.
• Strong C/C++ and Python skills.
• Deep Linux user-space/kernel fundamentals.
• Yocto/OpenEmbedded proficiency.
• A security mindset applied to firmware, not bolted on afterward.
• Upstream contributions to OpenBMC, U-Boot, DMTF, or OCP.
• Working knowledge of out-of-band and in-band management, relevant DMTF specs, and the device interfaces they run over.
• Strong debugging skills and a track record of shipping reliable, well-tested code.
• Clear communication across internal teams and external vendors.
• Ability to work effectively across hardware and software boundaries.
• Knowledge of NIST firmware security guidelines and hardware security frameworks, specifically SP 800-193 and 800-147/155.

Nice To Haves

• Hardware roots of trust and attestation: Caliptra, OCP S.A.F.E., TPM/HRoT, SPDM.
• Memory-safe systems code in Rust or Zig.
• Firmware vulnerability research, reverse-engineering, or fuzzing.
• Previous work with AI/ML infrastructure security.

Responsibilities

• Design, build, and ship OpenBMC firmware and manageability features for x86 and Arm (including GPU) platforms, from bring-up through production, using Yocto/OpenEmbedded.
• Build the management stack on DMTF/OCP standards (MCTP, PLDM, SPDM, Redfish, RDE) and IPMI/KCS, including sensors, telemetry, inventory, logging, and RAS.
• Implement BMC-to-BIOS/host communications, eSPI/LPC, and thermal/fan/power management (PMBus).
• Work at the hardware/firmware boundary, including I2C/I3C, SPI, PCIe, SMBus, device trees, and U-Boot, Linux user-space/kernel.
• Own the BMC security posture, including secure and measured boot, root of trust, attestation (SPDM), authenticated update (PLDM FW Update), rollback protection, and attack-surface reduction.
• Lead threat modeling and secure design reviews.
• Run coordinated vulnerability disclosure with vendors and the upstream community.
• Build verification tooling, including static analysis, fuzzing, firmware extraction, and CI gating.

Benefits

• Competitive compensation
• Optional equity donation matching
• Generous vacation
• Parental leave
• Flexible working hours
• Lovely office space