# Attestation Protocol
The AuroraSOC attestation protocol provides end-to-end firmware integrity verification for all CPS/IoT devices. This document describes the cross-platform protocol implemented across three firmware stacks and verified by the Rust Core Engine.
## Protocol Overview

### Message Format

#### Attestation Payload (Device → Broker)

```json
{
  "device_id": "stm32_pac_01",
  "firmware_hash": "a3f2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0",
  "boot_count": 42,
  "signature_hex": "304402201a2b3c4d...f0e1d2c3",
  "nonce": "abc123def456",
  "board_family": "stm32",
  "firmware_stack": "ada_spark",
  "firmware_version": "2.0.0"
}
```
### Signed Message Construction

The signed message is a simple concatenation with no delimiters (`boot_count` is rendered as its decimal string, as in the example below):

```text
message = device_id + firmware_hash + boot_count + nonce
```

Example:

```text
stm32_pac_01a3f2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f042abc123def456
```

This message is then SHA-256 hashed and the digest is signed with ECDSA P-256.
## Per-Platform Implementation

### STM32 (Ada/SPARK)

- Hardware: PKA (Public Key Accelerator) + HASH peripheral
- Key: Stored in OTP (One-Time Programmable) area
- Transport: Ethernet → MQTT (TLS 1.3, mTLS)
- Interval: Every main loop iteration (5s)
- Extras: SPARK-proven relay safety interlock

### nRF52840 (Rust Embassy)

- Hardware: CryptoCell CC310
- Key: Stored in UICR (User Information Configuration Registers)
- Transport: BLE → MQTT-SN → ESP32-S3 gateway → MQTT broker
- Interval: 5 minutes
- Extras: USB honeypot alerts

### ESP32-S3 (Zephyr C)

- Hardware: Software ECDSA (no hardware crypto accelerator)
- Key: Stored in NVS (Non-Volatile Storage) partition
- Transport: WiFi → MQTT (TLS)
- Interval: 5 minutes
- Extras: Edge AI anomaly detection
## Key Management

### Vault PKI Configuration

```bash
# Device certificate role (max_ttl of 8760h = 1 year).
# Note: the TTL comment must not be placed after the trailing backslash,
# or it breaks the line continuation and the remaining flags are lost.
vault write pki/roles/aurorasoc-devices \
    key_type=ec \
    key_bits=256 \
    allow_any_name=true \
    enforce_hostnames=false \
    max_ttl=8760h \
    client_flag=true \
    server_flag=false
```
## Security Properties

### What Attestation Proves

| Property | How |
|---|---|
| Firmware authenticity | SHA-256 hash matches known-good binary |
| Device identity | ECDSA signature verifiable only with device's key |
| Freshness | Monotonic boot count prevents replay |
| Liveness | Regular attestation proves device is running |

### What Attestation Does NOT Prove

| Limitation | Mitigation |
|---|---|
| Runtime memory integrity | Not covered (would need TrustZone/SGX) |
| Physical key extraction | OTP/UICR fuses are one-time write |
| Side-channel attacks | CC310 has countermeasures |
| Supply chain compromise | Out of scope (separate process) |

### Boot Count Anti-Replay

The boot count is stored in hardware fuses that can only increase:

- STM32: OTP area (one-time programmable bits)
- nRF52840: UICR registers (erasable only via full chip erase)
- ESP32-S3: eFuse (one-time programmable)

## Failure Handling

| Failure | System Response |
|---|---|
| Signature mismatch | Alert: severity=critical, device marked failed |
| Boot count regression | Alert: severity=critical, possible reflash attack |
| Certificate expired | Device marked expired, cert renewal required |
| No response (>10 min) | Device marked offline, Prometheus alert fires |
| Structural pass only | Device accepted with lower confidence, flagged for key enrollment |
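The verifier side of the signed-message construction, the monotonic boot-count rule and the failure-handling table above, as one added example. It is not code from the project's Rust Core Engine or from any of its firmware stacks; it is written in Go because Go's standard library provides ECDSA P-256, SHA-256 and JSON without network access. The `Verifier` and `Verdict` names, the `NewDemoDevice` key generation and the reading of the table's "structural pass only" row as "well-formed payload from a device with no enrolled key" are assumptions of this example; the payload values are the constructed ones from the message format section.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strconv"
)

// AttestationPayload holds the signed fields of the Device -> Broker JSON; the informational fields (board_family, firmware_stack, firmware_version) are ignored here.
type AttestationPayload struct {
	DeviceID     string `json:"device_id"`
	FirmwareHash string `json:"firmware_hash"`
	BootCount    uint32 `json:"boot_count"`
	SignatureHex string `json:"signature_hex"`
	Nonce        string `json:"nonce"`
}

// SignedMessage is the delimiter-free concatenation device_id + firmware_hash + boot_count + nonce.
func SignedMessage(p AttestationPayload) []byte {
	return []byte(p.DeviceID + p.FirmwareHash + strconv.FormatUint(uint64(p.BootCount), 10) + p.Nonce)
}

// Sign is the device side: SHA-256 the message, sign with ECDSA P-256, hex-encode the DER signature.
func Sign(priv *ecdsa.PrivateKey, p *AttestationPayload) error {
	digest := sha256.Sum256(SignedMessage(*p))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return err
	}
	p.SignatureHex = hex.EncodeToString(sig)
	return nil
}

// Verdict values follow the Failure Handling table.
type Verdict string
const (
	VerdictOK                  Verdict = "ok"
	VerdictStructuralPassOnly  Verdict = "structural_pass_only"  // assumption: no enrolled key; lower confidence, flag for enrollment
	VerdictSignatureMismatch   Verdict = "signature_mismatch"    // severity=critical, device marked failed
	VerdictFirmwareMismatch    Verdict = "firmware_mismatch"     // hash differs from the known-good binary
	VerdictBootCountRegression Verdict = "boot_count_regression" // severity=critical, possible reflash attack
)

type Verifier struct {
	Keys      map[string]*ecdsa.PublicKey // enrolled device public keys
	KnownGood map[string]string           // expected firmware hash per device
	LastBoot  map[string]uint32           // highest boot_count accepted so far
}

// Verify checks one raw payload; the signature is verified before the boot count, so an unauthenticated message can never advance LastBoot.
func (v *Verifier) Verify(raw []byte) (Verdict, error) {
	var p AttestationPayload
	if err := json.Unmarshal(raw, &p); err != nil {
		return "", fmt.Errorf("malformed payload: %w", err)
	}
	pub, enrolled := v.Keys[p.DeviceID]
	if !enrolled {
		return VerdictStructuralPassOnly, nil
	}
	sig, err := hex.DecodeString(p.SignatureHex)
	digest := sha256.Sum256(SignedMessage(p))
	if err != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return VerdictSignatureMismatch, nil
	}
	if want, ok := v.KnownGood[p.DeviceID]; ok && want != p.FirmwareHash {
		return VerdictFirmwareMismatch, nil
	}
	if last, seen := v.LastBoot[p.DeviceID]; seen && p.BootCount <= last {
		return VerdictBootCountRegression, nil // equal or lower count: replay or rolled-back image
	}
	v.LastBoot[p.DeviceID] = p.BootCount
	return VerdictOK, nil
}

// NewDemoDevice enrolls a freshly generated key (constructed for this example, not a real device key).
func NewDemoDevice(deviceID, fwHash string) (*Verifier, *ecdsa.PrivateKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	v := &Verifier{Keys: map[string]*ecdsa.PublicKey{deviceID: &priv.PublicKey},
		KnownGood: map[string]string{deviceID: fwHash}, LastBoot: map[string]uint32{}}
	return v, priv, nil
}

func main() {
	fw := "a3f2b8c1d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0"
	v, priv, _ := NewDemoDevice("stm32_pac_01", fw)
	p := AttestationPayload{DeviceID: "stm32_pac_01", FirmwareHash: fw, BootCount: 42, Nonce: "abc123def456"}
	_ = Sign(priv, &p)
	raw, _ := json.Marshal(p)
	first, _ := v.Verify(raw)
	replay, _ := v.Verify(raw) // same boot_count again: rejected as a replay
	fmt.Println(first, replay)
}
```

The check order matters: the signature is verified before the boot count is compared and before `LastBoot` is updated, so a forged or malformed message cannot move the replay window, and a correctly signed message carrying a stale or repeated `boot_count` is still reported as a regression rather than silently accepted.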

## Certificate Revocation

When a device is compromised, its certificate can be revoked via the API:
```bash
# Revoke device certificate
curl -X POST http://localhost:8000/api/v1/cps/devices/stm32_pac_01/revoke \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"reason": "Compromised - tamper detected"}'
```
This triggers:

- Certificate revoked in Vault CRL
- Device `attestation_status` set to `revoked`
- STM32 relay opens immediately (SPARK-proven safety interlock)
- Alert generated for SOC analysts
- NATS federation notifies other sites

## Monitoring

Prometheus alert rules monitor attestation health:

```yaml
- alert: CPSAttestationFailureRate
  expr: rate(aurora_attestation_failures_total[5m]) / rate(aurora_attestation_total[5m]) > 0.1
  for: 5m
  labels:
    severity: critical
  annotations:
    summary: "CPS attestation failure rate exceeds 10%"
- alert: CPSDeviceOffline
  expr: time() - aurora_device_last_seen_timestamp > 300
  for: 5m
  labels:
    severity: warning
  annotations:
    summary: "CPS device hasn't reported in 5+ minutes"
```