Satellites are often expected to operate unattended for years while still receiving security and safety updates. Long mission lifetimes also increase exposure to future cryptanalytic advances, including large-scale quantum attacks against today's signature schemes. We present a hybrid secure-boot and firmware-authentication design aligned with IETF RFC 9019, where the bootloader acts as the firmware verifier. A signed manifest binds image hashes and version metadata, and the boot decision enforces a dual-signature policy: one classical (ECC/ECDSA) signature and one post-quantum (ML-DSA, NIST FIPS 204) signature over the same manifest. The bootloader avoids dynamic memory allocation and minimizes dependencies to improve predictability and limit the remote attack surface.
We implement this policy in wolfBoot, a portable, open-source, publicly available (GPLv3) secure bootloader.
To address reliability constraints, hybrid verification is paired with a fail-safe update strategy using redundant flash slots. Updates are installed through copy/swap operations with explicit progress markers to tolerate resets or power interruptions. After the first boot of a newly installed image, the application must explicitly confirm operational readiness; if confirmation is missed (e.g., watchdog resets or failed communications bring-up), the boot process automatically reverts to the last known-good image, providing an emergency fallback path.
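The dual-signature boot policy and the confirm-or-revert fallback described above, modelled as an added example (not wolfBoot's code). HMAC-SHA256 with two constructed keys stands in for the ECDSA and ML-DSA verifiers so it runs on the standard library; the manifest layout, slot fields and the "boot"/"backup"/"halt" outcomes are assumptions for illustration.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-in keys. HMAC-SHA256 stands in for ECDSA and ML-DSA so the
# example runs on the standard library; the boot policy, not the primitive, is the point.
ECC_KEY = b"constructed-classical-key"
PQ_KEY = b"constructed-post-quantum-key"

def manifest_for(image: bytes, version: int) -> bytes:
    """Manifest binds the image digest and the version metadata into one signed blob."""
    return b"v=%d;sha256=%s" % (version, hashlib.sha256(image).hexdigest().encode())

def sign(key: bytes, msg: bytes) -> bytes:  # stand-in signer for both schemes
    return hmac.new(key, msg, hashlib.sha256).digest()

@dataclass
class Slot:
    image: bytes
    manifest: bytes
    sig_ecc: bytes
    sig_pq: bytes
    confirmed: bool = False      # set by the application after a successful boot
    trial_started: bool = False  # progress marker: first boot of this image attempted

def slot_valid(slot: Slot, min_version: int) -> bool:
    """Dual-signature policy: both signatures over the same manifest must verify,
    the manifest digest must match the image, and the version must not roll back."""
    ecc_ok = hmac.compare_digest(sign(ECC_KEY, slot.manifest), slot.sig_ecc)
    pq_ok = hmac.compare_digest(sign(PQ_KEY, slot.manifest), slot.sig_pq)
    if not (ecc_ok and pq_ok):
        return False
    try:
        fields = dict(f.split(b"=", 1) for f in slot.manifest.split(b";"))
        version, digest = int(fields[b"v"]), fields[b"sha256"]
    except (ValueError, KeyError):
        return False
    expected = hashlib.sha256(slot.image).hexdigest().encode()
    return version >= min_version and hmac.compare_digest(digest, expected)

def select_image(boot: Slot, backup: Slot, min_version: int) -> str:
    """Fail-safe decision: a valid confirmed image boots; a valid unconfirmed image
    gets exactly one trial boot; anything else reverts to the last known-good slot."""
    if slot_valid(boot, min_version):
        if boot.confirmed or not boot.trial_started:
            boot.trial_started = True  # marker persisted before jumping to the image
            return "boot"
    if slot_valid(backup, min_version):
        return "backup"
    return "halt"
```

An image signed with only the classical key, a tampered image, or a version below the enforced minimum all fail `slot_valid`, and the decision falls back to the known-good slot rather than booting.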
We report code size, RAM usage, and boot-time latency measurements for hybrid verification on representative embedded targets, and derive configuration guidance for balancing security level, signature size, and time-to-boot constraints in SmallSat systems.