How do you design a field-updatable bootloader for embedded systems?

Secure bootloader design: Memory layout with separate bootloader, application, and backup regions; Communication interface (UART, USB, CAN, OTA); Authentication (cryptographic signature verification before flashing); Integrity checks (CRC/hash of application image); Rollback protection (version numbers, fuse bits); Failsafe mechanism (detect incomplete update, revert to backup). Implementation: Boot to application if valid, else bootloader mode; Accept encrypted/signed firmware; Verify before writing; Implement A/B scheme or backup for resilience; Lock bootloader after production. Consider: Secure boot chain, anti-rollback, and tamper resistance.