# 2. Security Model

## Overview

Security is a non-negotiable requirement for industrial systems. The ASF project leverages the hardware security features of the ESP32-S3 to establish a robust Root of Trust and secure communication channels.

## Root of Trust

The following features are mandatory to ensure the integrity of the device and its firmware:

* **Secure Boot V2:** Ensures only digitally signed firmware can run on the device.
* **Flash Encryption:** Protects the firmware and sensitive data stored in flash memory from being read out by anyone with physical access to the flash.
* **eFuse-based Anti-rollback:** Prevents the installation of older, potentially vulnerable firmware versions; the minimum accepted version is recorded in write-once eFuse bits.

> **Industrial Standard:** These features are the baseline for any production-ready industrial embedded system.

## Device Identity & Authentication

A unique identity for each device is established using X.509 certificates and mutual TLS (mTLS).

| Item | Implementation |
| :--- | :--- |
| **Identity** | Device-unique X.509 certificate |
| **Private Key** | Stored securely in eFuse or encrypted flash |
| **Authentication** | Mutual TLS (mTLS) for all broker communications |
| **Provisioning** | Handled via a secure factory or onboarding mode |

### Key Insight

The ESP32-S3 is optimized to handle a single device certificate efficiently. It is recommended to avoid managing large certificate chains on the device itself to conserve resources.

## Key Lifecycle Management

The lifecycle of security keys is managed from manufacturing through operation and eventual revocation.

| Phase | Mechanism |
| :--- | :--- |
| **Manufacturing** | Injection of the unique device certificate and private key. |
| **Operation** | Use of TLS session keys for encrypted communication. |
| **Rotation** | Certificate rotation managed on the broker/server side. |
| **Revocation** | Use of Certificate Revocation Lists (CRL) or broker-side denylists. |
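The eFuse-based anti-rollback feature listed under Root of Trust works because eFuse bits are write-once: the bootloader compares the secure_version carried by a firmware image against the number of bits already burned and refuses anything lower. The Go program below is an added simulation of that mechanism, not code from the ASF project or from ESP-IDF. The 16-bit unary-encoded field width, the order of the checks in `Boot`, and the policy of raising the floor as soon as a newer image boots are assumptions made for illustration; a real bootloader may defer the burn until the new app has confirmed it is healthy.

```go
package main

import (
	"fmt"
	"math/bits"
)

// Width of the simulated eFuse SECURE_VERSION field. Assumption for this example: a
// block of 16 write-once bits, unary-encoded, so the number of burned bits is the
// lowest secure_version the bootloader will accept. Check the chip's eFuse layout
// and the ESP-IDF anti-rollback documentation for the real width and update policy.
const secureVersionBits = 16

// EFuse models write-once storage: bits can go 0 -> 1 and never back.
type EFuse struct{ secureVersion uint16 }

// Burn ORs new bits in; there is deliberately no operation that clears them.
func (e *EFuse) Burn(mask uint16) { e.secureVersion |= mask }

// SecureVersion returns the anti-rollback floor encoded by the burned bits.
func (e *EFuse) SecureVersion() int { return bits.OnesCount16(e.secureVersion) }

// unaryMask returns a mask with the lowest n bits set (n = 3 -> 0b111).
func unaryMask(n int) uint16 {
	var m uint16
	for i := 0; i < n; i++ {
		m |= 1 << uint(i)
	}
	return m
}

// AppImage is what the bootloader sees: the Secure Boot V2 signature result (modelled
// by Signed) and the secure_version carried in the image header.
type AppImage struct {
	Name          string
	SecureVersion int
	Signed        bool
}

// Boot applies the bootloader's checks in order: signature first, then the anti-rollback
// comparison against the eFuse floor. Booting a newer image raises the floor by burning
// more bits, which no later software can undo. Simplification: the floor is raised at
// boot rather than after the app confirms it is healthy.
func Boot(e *EFuse, img AppImage) error {
	if !img.Signed {
		return fmt.Errorf("%s: rejected, secure boot signature check failed", img.Name)
	}
	if img.SecureVersion < e.SecureVersion() {
		return fmt.Errorf("%s: rejected, secure_version %d is below eFuse floor %d",
			img.Name, img.SecureVersion, e.SecureVersion())
	}
	if img.SecureVersion > secureVersionBits {
		return fmt.Errorf("%s: rejected, secure_version %d exceeds the %d-bit eFuse field",
			img.Name, img.SecureVersion, secureVersionBits)
	}
	e.Burn(unaryMask(img.SecureVersion))
	return nil
}

// Scenario replays a constructed OTA history on a fresh device and returns one line per boot.
func Scenario() []string {
	fuse := &EFuse{}
	history := []AppImage{
		{"v1 factory image", 1, true},
		{"v3 OTA image", 3, true},
		{"v2 downgrade attempt", 2, true}, // validly signed, but older than the floor
		{"v3 tampered image", 3, false},   // right version, signature no longer verifies
		{"v3 OTA image again", 3, true},
	}
	var out []string
	for _, img := range history {
		if err := Boot(fuse, img); err != nil {
			out = append(out, err.Error())
		} else {
			out = append(out, fmt.Sprintf("%s: booted, eFuse floor now %d", img.Name, fuse.SecureVersion()))
		}
	}
	return out
}

func main() {
	for _, line := range Scenario() {
		fmt.Println(line)
	}
}
```

The capacity check is the practical consequence of unary encoding: a 16-bit field allows at most 16 secure_version increments over the life of the device, so the version is only bumped for releases that fix something an attacker could exploit by downgrading, not for every build.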
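The Authentication row under Device Identity and the Revocation row under Key Lifecycle Management together describe a broker that accepts only devices presenting a certificate issued by the factory CA, and that can additionally refuse one specific device once it is denylisted. The Go program below is an added, self-contained illustration of that broker-side logic, not the ASF project's code or that of any particular MQTT broker. It builds an in-memory factory CA, a broker certificate and two device-unique certificates, then runs two mTLS handshakes over loopback. The names (`asf-factory-ca`, `broker.local`, `asf-device-0001`), the serial numbers and the denylist entry are constructed for the example, and the denylist is a plain in-memory map standing in for a CRL or the broker's denylist store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a P-256 key and certificate for cn, signed by parent/parentKey, or
// self-signed as the factory CA when parent is nil. Serials and names are constructed.
func issue(serial int64, cn string, eku x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // SAN mirrors the CN; only the broker cert relies on it
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil { // self-signed root: mark it as a CA and sign with its own key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// brokerConfig enforces mTLS (a chain to the factory CA) and then the broker-side denylist.
func brokerConfig(brokerCert tls.Certificate, pool *x509.CertPool, denylist map[string]string) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{brokerCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			leaf := chains[0][0] // chain validation already passed, so chains is non-empty
			if reason, listed := denylist[leaf.SerialNumber.String()]; listed {
				return fmt.Errorf("%s (serial %d) revoked: %s", leaf.Subject.CommonName, leaf.SerialNumber, reason)
			}
			return nil
		},
	}
}

// handshake runs one mTLS handshake over loopback and returns the broker's verdict. Under TLS 1.3
// the device's Dial can return before the broker has examined its certificate, so the broker side decides.
func handshake(broker *tls.Config, pool *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		check(err)
		defer conn.Close()
		verdict <- tls.Server(conn, broker).Handshake()
	}()
	device := &tls.Config{RootCAs: pool, ServerName: "broker.local",
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}}}
	if conn, err := tls.Dial("tcp", ln.Addr().String(), device); err == nil {
		conn.Close()
	}
	return <-verdict
}

func Demo() (active, revoked error) {
	ca, caKey := issue(1, "asf-factory-ca", x509.ExtKeyUsageAny, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	broker, brokerKey := issue(2, "broker.local", x509.ExtKeyUsageServerAuth, ca, caKey)
	// Factory provisioning: one device-unique certificate and key per unit.
	devA, keyA := issue(1001, "asf-device-0001", x509.ExtKeyUsageClientAuth, ca, caKey)
	devB, keyB := issue(1002, "asf-device-0002", x509.ExtKeyUsageClientAuth, ca, caKey)
	// Broker-side denylist keyed by certificate serial (the Revocation row of the lifecycle table).
	denylist := map[string]string{devB.SerialNumber.String(): "reported compromised"}
	cfg := brokerConfig(tls.Certificate{Certificate: [][]byte{broker.Raw}, PrivateKey: brokerKey}, pool, denylist)
	return handshake(cfg, pool, devA, keyA), handshake(cfg, pool, devB, keyB)
}

func main() {
	fmt.Println(Demo()) // prints the active device's verdict (<nil>) and the revocation error
}
```

Run it with `go run`: the first handshake returns nil and the second returns the error raised inside `VerifyPeerCertificate`. Go invokes that callback only after the chain to `ClientCAs` has verified, so a certificate from an unknown CA is rejected before the denylist is consulted, and the device never needs to carry more than its own certificate, matching the single-certificate recommendation in the Key Insight above.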