ASF_01_sys_sw_arch/System Design/Creating Gap Analysis and Solutions Documentation/02_Security_Model.md
2026-01-25 17:17:08 +01:00

2. Security Model

Overview

Security is a non-negotiable requirement for industrial systems. The ASF project leverages the hardware security features of the ESP32-S3 to establish a robust Root of Trust and secure communication channels.

Root of Trust

The following features are mandatory to ensure the integrity of the device and its firmware:

  • Secure Boot V2: Ensures only digitally signed firmware can run on the device.
  • Flash Encryption: Protects the firmware and sensitive data stored in flash memory from physical access.
  • eFuse-based Anti-rollback: Prevents the installation of older, potentially vulnerable firmware versions.

Industrial Standard: These features are the baseline for any production-ready industrial embedded system.

Device Identity & Authentication

A unique identity for each device is established using X.509 certificates and mutual TLS (mTLS).

| Item | Implementation |
| --- | --- |
| Identity | Device-unique X.509 certificate |
| Private Key | Stored securely in eFuse or encrypted flash |
| Authentication | Mutual TLS (mTLS) for all broker communications |
| Provisioning | Handled via a secure factory or onboarding mode |

Key Insight

A single device certificate is well within what the ESP32-S3 can handle efficiently; avoid managing large certificate chains on the device itself to conserve resources.

Key Lifecycle Management

The lifecycle of security keys is managed from manufacturing through operation and eventual revocation.

| Phase | Mechanism |
| --- | --- |
| Manufacturing | Injection of the unique device certificate and private key. |
| Operation | Use of TLS session keys for encrypted communication. |
| Rotation | Certificate rotation managed on the broker/server side. |
| Revocation | Use of Certificate Revocation Lists (CRL) or broker-side denylists. |
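The broker-side half of the identity model above, as an added example that is not part of this document or the ASF project: a constructed factory CA issues a device-unique certificate, the device presents only that single leaf (no chain on the device), and the broker checks it against the factory CA and a broker-side denylist, the revocation mechanism in the key lifecycle table. The function names `issue`, `admitDevice` and `brokerConfig`, the CA name and the serial numbers are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent, or a self-signed factory CA when parent is nil (constructed example PKI).
func issue(cn string, serial int64, parent *tls.Certificate) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed factory CA, which then signs device and broker certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: priv}
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, pub, parent.PrivateKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}

// admitDevice is the broker-side check on the single leaf a device presents: it must chain to the factory CA for client auth and must not be denylisted.
func admitDevice(raw []byte, factoryCA *x509.CertPool, denylist map[string]bool) error {
	leaf, err := x509.ParseCertificate(raw)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: factoryCA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return err // unknown authority, expired, or not valid for client authentication
	}
	if denylist[leaf.SerialNumber.String()] { // revocation without a CRL download on the constrained device
		return errors.New("device certificate revoked")
	}
	return nil
}

// brokerConfig wires admitDevice into the broker's TLS server config so it runs on every mTLS handshake.
func brokerConfig(broker tls.Certificate, factoryCA *x509.CertPool, denylist map[string]bool) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{broker},
		ClientAuth: tls.RequireAnyClientCert, // TLS enforces that a certificate is sent; admitDevice decides validity
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error { return admitDevice(raw[0], factoryCA, denylist) }}
}
```

Rotation on the broker side then amounts to issuing a new leaf from the factory CA and adding the old serial to the denylist.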