Principal Platform Security Architect

Job Overview:

We are looking for a Platform Security Architect to support the design and improvement of security mechanisms across platform firmware and embedded Linux environments.

This is a hands-on technical role spanning both embedded systems (e.g., Yocto-based platforms) and data center systems (e.g., BMC and platform firmware). The work includes securing boot chains, firmware update mechanisms, and Linux-based management environments, including embedded controllers and server management subsystems.

You will work closely with firmware and platform engineering teams to help integrate security controls across BIOS, BMC, and device firmware, and collaborate with internal security evaluation teams to support validation and continuous improvement of these controls.

The role involves working across low-level firmware, embedded Linux, and system hardening, with opportunities to contribute at both design and implementation levels.

Responsibilities:

• Firmware Security: Evaluate and support integration of security mechanisms across BIOS, BMC, and device firmware, including secure boot, firmware verification, update flows, rollback protection, and debug controls 
• Embedded Linux & BMC Security: Contribute to improving the security of Linux-based management environments through system hardening, service isolation, access control, and secure configuration 
• System Hardening: Identify potential attack surfaces and configuration gaps, and help apply and validate hardening measures and secure defaults 
• Security Validation & CI Integration: Collaborate with internal security evaluation and engineering teams to support testing, develop validation tools/scripts, and integrate security checks into CI workflows 
• Threat Analysis: Support threat modeling and analysis of firmware and management plane components to identify attack paths and improvement areas

Required Skills and Experience :

• Hands-on experience with embedded Linux systems, including building and customizing platforms using Yocto/OpenEmbedded
• Hands-on experience implementing and validating Linux hardening controls, including service/interface hardening, privilege management, and reduction of system attack surface 
• Experience contributing to the implementation or integration of security controls in firmware or embedded environments 
• Strong understanding of low-level firmware and boot flows, including BIOS/UEFI, bootloaders, and platform firmware components 
• Experience with secure boot chains and firmware trust models, including firmware verification and UEFI-based systems 
• Experience working with firmware update mechanisms, including signing, verification, and rollback protection 
• Familiarity with Arm architecture and boot processes, including early boot stages and firmware–hardware interaction 
• Familiarity with platform interconnects such as PCIe, and associated security considerations in device and data-center environments 
• Experience developing automation, validation tools, or scripts, including integration into CI workflows 
• Proficiency in C/C++ for systems or embedded development, with the ability to work with low-level components when needed 
• Understanding of Linux security fundamentals, including authentication, authorization, and system-level protections 
• Familiarity with file system and data protection mechanisms, including encryption approaches such as eCryptfs or similar 
• Ability to analyze and reason about firmware and system-level attack surfaces

“Nice To Have” Skills and Experience :

• Experience with BMC platforms or ecosystems such as OpenBMC 
• Experience with Linux security features (e.g., SELinux, AppArmor, capabilities) 
• Experience with firmware analysis, fuzzing, or security testing techniques
• Familiarity with container security in embedded or management environments 
• Familiarity with hardware roots of trust (e.g., TPM, DICE) 
• Familiarity with networking and network security concepts, particularly in management or data-center environments

In Return:

Please note that a relocation package (including visa sponsorship support) is available for this role, for candidates who require it. 

#LI-CI

Accommodations at Arm

At Arm, we want to build extraordinary teams. If you need an adjustment or an accommodation during the recruitment process, please email accommodations@arm.com. To note, by sending us the requested information, you consent to its use by Arm to arrange for appropriate accommodations. All accommodation or adjustment requests will be treated with confidentiality, and information concerning these requests will only be disclosed as necessary to provide the accommodation. Although this is not an exhaustive list, examples of support include breaks between interviews, having documents read aloud, or office accessibility. Please email us about anything we can do to accommodate you during the recruitment process.

Hybrid Working at Arm

Arm’s approach to hybrid working is designed to create a working environment that supports both high performance and personal wellbeing. We believe in bringing people together face to face to enable us to work at pace, whilst recognizing the value of flexibility. Within that framework, we empower groups/teams to determine their own hybrid working patterns, depending on the work and the team’s needs. Details of what this means for each role will be shared upon application. In some cases, the flexibility we can offer is limited by local legal, regulatory, tax, or other considerations, and where this is the case, we will collaborate with you to find the best solution. Please talk to us to find out more about what this could look like for you.

Equal Opportunities at Arm

Arm is an equal opportunity employer, committed to providing an environment of mutual respect where equal opportunities are available to all applicants and colleagues. We are a diverse organization of dedicated and innovative individuals, and don’t discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national origin, disability, or status as a protected veteran.