This repository provides a minimal, reproducible RISC-V bootloader baseline validated in QEMU.
Standards note: this asset is aligned with BRS-B principles (minimal boot path, explicit handoff, no heavy UEFI/ACPI dependency), but it is not a full BRS/BRS-B conformance claim.
Included in scope:
- deterministic UART update protocol behavior and CRC32 validation
- reproducible evidence artifacts (QEMU logs, validator output)
- baseline integrity checks for boot image payload
Out of scope:
- advanced production hardening details (e.g., key provisioning, tamper response)
- full key lifecycle architecture
- authenticated image signing or encryption (baseline uses CRC32 checksums only)
- real hardware validation (QEMU-only baseline)
For non-sensitive security issues:
- open a GitHub issue in this repository with prefix
[SECURITY] - include reproduction steps, expected behavior, observed behavior, and environment details
For potentially sensitive findings:
- do not post exploit details publicly
- open a brief contact request via GitHub issue (without exploit details) and request a secure follow-up channel
- published setup and validation paths are the primary focus for repository issue handling
- documented behavior regressions are the primary focus for repository issue handling
- additional delivery expectations belong in a separate project scope, not in this repository
Support in this repository is limited to:
- reproducibility issues in documented setup/validation paths
- correctness issues in published baseline behavior
Separate project scopes can define explicit response windows and acceptance criteria.