You are responsible for validating and rolling out a new firmware image for production network routers that sit on critical service paths. The update fixes known stability issues, but a bad image or unsafe rollout could cause control-plane instability, traffic loss, or a prolonged outage. You need an automated way to prove the firmware is authentic, behaves correctly under production-like conditions, and can be deployed gradually without interrupting traffic.
How would you design an automated verification and rollout system for this firmware update so that you can detect bad images early, limit blast radius during deployment, and recover safely if the update causes regressions? Be explicit about the security controls, trust boundaries, and the signals you would use to decide whether to continue or roll back.