ASF-Nabd/ASF_01_sys_sw_arch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

analysis

Browse Source
This commit is contained in:
mahmamdouh
2026-01-25 17:17:08 +01:00
parent edd3e96591
commit 0daead7821
21 changed files with 1636 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

56
System Design/Creating Gap Analysis and Solutions Documentation/Factory Provisioning Workflow.md Normal file
View File

@@ -0,0 +1,56 @@
# Factory Provisioning Workflow
## Overview
The factory provisioning workflow is the process of preparing a "blank" ESP32-S3 module for use in the field. This process must be secure, automated, and repeatable to ensure every device has a unique identity and the correct security settings.
## The Workflow Steps
### Phase 1: Hardware Preparation & Initial Flash
1. **Connect Device:** The blank module is placed in a programming fixture.
2. **Flash Bootloader & Partition Table:** The basic structure of the flash memory is defined.
3. **Flash Factory Firmware:** A minimal "testing" firmware is loaded to verify hardware functionality (GPIOs, Sensors, Wi-Fi).
### Phase 2: Security & Identity Injection
1. **Generate Unique Keys:** The provisioning PC generates a unique private key and a Certificate Signing Request (CSR) for the device.
2. **Sign Certificate:** The CSR is sent to the company's Certificate Authority (CA), which returns a signed X.509 certificate.
3. **Inject Identity:** The unique certificate and private key are written to the device's **NVS (Encrypted)** or **eFuse** area.
4. **Burn eFuses:**
* Enable **Flash Encryption**.
* Enable **Secure Boot**.
* Set the **Secure Boot Public Key Hash**.
* Disable JTAG (to prevent physical debugging/hacking).
### Phase 3: Final Application Loading
1. **Flash Production Firmware:** The full ASF application is loaded into the `ota_0` partition.
2. **Verify Integrity:** The system performs a full boot-up test to ensure it can decrypt the flash and verify the secure boot signature.
### Phase 4: Cloud Registration
1. **Register Serial Number:** The device's unique ID (MAC address or Serial) and its public certificate are uploaded to the Cloud/MQTT Broker's "Allowed Devices" list.
2. **Labeling:** A QR code is printed and attached to the device, containing its Serial Number and Provisioning Date.
## Workflow Diagram (Conceptual)
```text
[ Blank Device ]
|
v
[ 1. Hardware Test ] ----(Fail)----> [ Reject/Repair ]
|
v
[ 2. Identity Injection ] <---(From CA)--- [ Unique Certs ]
|
v
[ 3. Security Locking ] (Flash Encrypt, Secure Boot)
|
v
[ 4. Final App Flash ]
|
v
[ 5. Cloud Sync ] ----> [ Ready for Shipment ]
```
## Tools Required
* **esptool.py:** For flashing and eFuse operations.
* **esp_secure_cert_tool:** For managing certificates on ESP32.
* **Custom Provisioning Script:** A Python script to coordinate the CA communication and the flashing process.
* **Provisioning PC:** A secure computer with access to the company's private CA.