Skip to content

tendervault/assureloop

AssureLoop

CI

AssureLoop is open-source release assurance tooling for Zephyr-based embedded firmware. It helps developers build a simulator firmware image, generate an SBOM, create a release manifest, sign and verify evidence, package an update, and exercise a local OTA lifecycle simulator before moving to physical hardware.

Website

What AssureLoop Is / Is Not

AssureLoop is:

  • release assurance tooling for embedded firmware,
  • a Zephyr-first simulator workflow,
  • a way to produce and verify manifests, SBOMs, evidence bundles, signed image artifacts, update packages, and OTA simulator state,
  • an alpha project for founder/testing and early design-partner feedback.

AssureLoop is not:

  • a new RTOS,
  • a production bootloader,
  • a production OTA transport,
  • a cloud update service,
  • broad physical hardware board support,
  • a production signing-key custody model,
  • a safety or cybersecurity certification claim.

Current simulator target: qemu_cortex_m3.

Run The Full Simulator Demo

The full demo requires a working Zephyr/west environment. Setup instructions are in docs/contributor-quickstart.md.

Windows PowerShell:

.\scripts\full-demo.ps1

Bash:

bash scripts/full-demo.sh

The full demo runs host tests, checks the Zephyr simulator build, creates and verifies a signed image, generates firmware evidence with SBOM, verifies the evidence bundle, creates and verifies an update package, and runs the OTA simulator.

Generated output stays under ignored paths such as build/, build-*, dist/, and keys/.

Quick Start Without Zephyr

Host-side tests and the README-based evidence demo do not require Zephyr or GNU make on Windows:

.\scripts\test-tools.ps1
.\scripts\evidence-demo.ps1
.\scripts\verify-demo.ps1

Use a specific Python interpreter when needed:

.\scripts\test-tools.ps1 -Python python

Bash:

python3 -m unittest discover -s tests -v
make evidence-demo
make verify-demo

Common Simulator Commands

Firmware build:

west build -b qemu_cortex_m3 firmware/app

Firmware run:

west build -t run

Firmware evidence with SBOM:

.\scripts\firmware-evidence-demo.ps1 -GenerateSbom
bash scripts/firmware-evidence-demo.sh --generate-sbom

Evidence verification:

.\scripts\verify-firmware-evidence.ps1
bash scripts/verify-firmware-evidence.sh

Signed image demo:

.\scripts\signed-image-demo.ps1
bash scripts/signed-image-demo.sh

Update package demo:

.\scripts\update-package-demo.ps1
bash scripts/update-package-demo.sh

OTA simulator demo:

.\scripts\ota-sim-demo.ps1
py tools\simulate_ota.py status --state dist\ota-sim\state.json
bash scripts/ota-sim-demo.sh
python3 tools/simulate_ota.py status --state dist/ota-sim/state.json

Clean generated output on Windows:

.\scripts\clean.ps1

Documentation

CI Validation

GitHub Actions runs host tests, sets up Zephyr from west.yml, builds qemu_cortex_m3, generates firmware evidence with SBOM, validates and verifies the release manifest, verifies the evidence bundle, creates and verifies update packages, builds the signed simulator image, and runs the OTA simulator.

CI uses direct steps instead of scripts/full-demo.sh so generated outputs can be checked and uploaded as artifacts explicitly. CI does not use private signing keys and does not commit generated build/, dist/, or keys/ output.

Repository Layout

firmware/app/              Zephyr controller demo application
tools/                     Release, evidence, verification, package, and OTA simulator tooling
scripts/                   Windows PowerShell and Bash developer helpers
evidence/                  Starter requirements, tests, and security checklist evidence
schemas/                   Release manifest JSON Schema
samples/logs/              Sample controller/QEMU logs for trace reports
docs/                      Project status, architecture, quickstart, and release docs
site/                      Static public landing page for assureloop.dev
tests/                     Host-side unit tests
.github/workflows/         CI workflow
west.yml                   Zephyr workspace manifest pinned to Zephyr v4.4.0

Contributing

Use small, reviewable changes. Do not add physical board support, real OTA transport, cloud services, or production certification/security claims unless a specific issue scopes that work. See CONTRIBUTING.md and AGENTS.md.

License

Apache-2.0. See LICENSE.