AssureLoop is open-source release assurance tooling for Zephyr-based embedded firmware. It helps developers build a simulator firmware image, generate an SBOM, create a release manifest, sign and verify evidence, package an update, and exercise a local OTA lifecycle simulator before moving to physical hardware.
- Website: https://assureloop.dev
- GitHub release: v0.3.0 hardware-alpha
AssureLoop is:
- release assurance tooling for embedded firmware,
- a Zephyr-first simulator workflow,
- a way to produce and verify manifests, SBOMs, evidence bundles, signed image artifacts, update packages, and OTA simulator state,
- an alpha project for founder/testing and early design-partner feedback.
AssureLoop is not:
- a new RTOS,
- a production bootloader,
- a production OTA transport,
- a cloud update service,
- broad physical hardware board support,
- a production signing-key custody model,
- a safety or cybersecurity certification claim.
Current simulator target: qemu_cortex_m3.
The full demo requires a working Zephyr/west environment. Setup instructions are in docs/contributor-quickstart.md.
Windows PowerShell:
.\scripts\full-demo.ps1Bash:
bash scripts/full-demo.shThe full demo runs host tests, checks the Zephyr simulator build, creates and verifies a signed image, generates firmware evidence with SBOM, verifies the evidence bundle, creates and verifies an update package, and runs the OTA simulator.
Generated output stays under ignored paths such as build/, build-*,
dist/, and keys/.
Host-side tests and the README-based evidence demo do not require Zephyr or GNU make on Windows:
.\scripts\test-tools.ps1
.\scripts\evidence-demo.ps1
.\scripts\verify-demo.ps1Use a specific Python interpreter when needed:
.\scripts\test-tools.ps1 -Python pythonBash:
python3 -m unittest discover -s tests -v
make evidence-demo
make verify-demoFirmware build:
west build -b qemu_cortex_m3 firmware/appFirmware run:
west build -t runFirmware evidence with SBOM:
.\scripts\firmware-evidence-demo.ps1 -GenerateSbombash scripts/firmware-evidence-demo.sh --generate-sbomEvidence verification:
.\scripts\verify-firmware-evidence.ps1bash scripts/verify-firmware-evidence.shSigned image demo:
.\scripts\signed-image-demo.ps1bash scripts/signed-image-demo.shUpdate package demo:
.\scripts\update-package-demo.ps1bash scripts/update-package-demo.shOTA simulator demo:
.\scripts\ota-sim-demo.ps1
py tools\simulate_ota.py status --state dist\ota-sim\state.jsonbash scripts/ota-sim-demo.sh
python3 tools/simulate_ota.py status --state dist/ota-sim/state.jsonClean generated output on Windows:
.\scripts\clean.ps1- Project status
- Launch brief
- Technical FAQ
- Design partner feedback questions
- Release assurance flow
- Hardware target selection
- ST NUCLEO-H563ZI bring-up
- ST NUCLEO-H563ZI signed evidence
- ST NUCLEO-H563ZI MCUboot verification
- ST NUCLEO-H563ZI MCUboot update lifecycle
- v0.3 hardware-alpha release readiness
- v0.3 hardware-alpha release notes
- assureloop.dev domain setup
- Contributor quickstart
- Release checklist
- Architecture
- Threat model
- Release process
- Roadmap
GitHub Actions runs host tests, sets up Zephyr from west.yml, builds
qemu_cortex_m3, generates firmware evidence with SBOM, validates and verifies
the release manifest, verifies the evidence bundle, creates and verifies update
packages, builds the signed simulator image, and runs the OTA simulator.
CI uses direct steps instead of scripts/full-demo.sh so generated outputs can
be checked and uploaded as artifacts explicitly. CI does not use private signing
keys and does not commit generated build/, dist/, or keys/ output.
firmware/app/ Zephyr controller demo application
tools/ Release, evidence, verification, package, and OTA simulator tooling
scripts/ Windows PowerShell and Bash developer helpers
evidence/ Starter requirements, tests, and security checklist evidence
schemas/ Release manifest JSON Schema
samples/logs/ Sample controller/QEMU logs for trace reports
docs/ Project status, architecture, quickstart, and release docs
site/ Static public landing page for assureloop.dev
tests/ Host-side unit tests
.github/workflows/ CI workflow
west.yml Zephyr workspace manifest pinned to Zephyr v4.4.0
Use small, reviewable changes. Do not add physical board support, real OTA transport, cloud services, or production certification/security claims unless a specific issue scopes that work. See CONTRIBUTING.md and AGENTS.md.
Apache-2.0. See LICENSE.