Resource constrained embedded devices are often expected to be deployed and stay active in the field for prolonged amounts of time (sometimes decades (!)). With the advent of IoT devices that operate unattended with network (Internet) connectivity, possibly via IoT gateways, the necessity of software updates mechanisms to these kind of devices is evident. More powerful IoT devices cabable of running general purpose operating systems (such as embedded flavors of Linux) may leverage software update mechanisms designed for desktop or mobile devices. The focus of this talk, however, is small microcontroller class devices which run simple Real-Time Operating Systems (RTOSs) or no operating systems at all. These kind of devices often support a mechanism called In-Application Programming (IAP), which allows the software on the device itself to reprogram (erase/write) its internal flash memory or EEPROM. By utilizing a lightweight trust anchor, such as TrustZone-M, featured in the next generation of ARM-based MCUs with the ARMv8-M architecture it is possible provide a secure firmware update mechanism that can ensure the integrity of both the update image and the boot sequence of such a device in a provable manner.