BLADE-AGENT-HSM is a reference hardware-root-of-trust design that pairs with the AUTHREX-AGENT software shim and places the authority decision and audit record of an agentic-AI system outside the host trusted computing base. It binds authority tier (PCR0), audit ledger (PCR1), tool policy (PCR2), spawn quorum (PCR3), and tamper state (PCR4) to TPM 2.0 PCRs, backed by an NXP EdgeLock SE051 secure element and an Infineon SLB 9670 TPM, behind a five-command host ABI.
v4.0 (Zenodo deposit format). Five rendered figures embedded (architecture and PCR binding, authority-tier state machine, trust-level model, use-case campaign and coverage, and the software-only vs HSM-backed baseline). Adds the baseline experiment: over 50 trials each, hardware binding detects 100% of file-controlling anchor-re-key forgeries and host-side ledger rewrites that the software-only configuration detects 0% of. 28 references, the majority peer-reviewed (Greshake AISec 2023; Debenedetti AgentDojo NeurIPS 2024; Crosby and Wallach USENIX 2009; Coker et al. IJIS 2011; Sailer USENIX 2004; Klein seL4 SOSP 2009; Sha Simplex; Schneier and Kelsey; Haber and Stornetta; Merkle). Trace verifier with a three-level trust model; 275 deterministic checks across seven batteries.
All claims are specification-level: hardware TRL 2-3, emulator TRL 3-4. No first-article hardware, hardware-in-the-loop data, side-channel measurement, integrated-device certification, or agency endorsement is claimed. License: CC BY 4.0.
", "access_right": "open", "license": "CC-BY-4.0", "keywords": [ "hardware root of trust", "agentic AI governance", "AUTHREX-AGENT", "AUTHREX Systems", "attestation", "TPM 2.0", "secure element", "EAL6+", "FIPS 140-2", "ECDSA P-256", "ECDSA P-384", "platform configuration register", "PCR", "authority tier", "audit ledger", "tamper evidence", "CISA Careful Adoption of Agentic AI Services", "NSA AI Security Center", "Five Eyes", "FY26 NDAA Section 1513", "FY26 NDAA Section 6601", "NIST SP 800-53 Rev. 5", "SATA", "HMAA", "FLAME", "CARA", "USB-HID", "M.2 Key-E", "reference architecture", "open hardware", "COTS", "adversarial verification", "trace verification", "attestation pinning", "red-team console", "deterministic replay", "ML-DSA interface model", "remote attestation", "tamper-evident logging", "runtime assurance", "prompt injection", "formal invariants", "trust model", "baseline experiment", "software-only comparison", "out-of-band anchor" ], "communities": [ { "identifier": "ai-safety" }, { "identifier": "agentic-ai" }, { "identifier": "hardware-security" } ], "related_identifiers": [ { "relation": "isSupplementTo", "identifier": "https://authrex.systems/authrex-agent.html", "resource_type": "publication-workingpaper", "scheme": "url" }, { "relation": "isContinuationOf", "identifier": "10.5281/zenodo.19277887", "resource_type": "publication-workingpaper", "scheme": "doi" }, { "relation": "isContinuationOf", "identifier": "10.5281/zenodo.19232130", "resource_type": "publication-workingpaper", "scheme": "doi" }, { "relation": "isContinuationOf", "identifier": "10.5281/zenodo.19177472", "resource_type": "publication-workingpaper", "scheme": "doi" }, { "relation": "documents", "identifier": "https://github.com/burakoktenli-ai/blade-agent-hsm", "resource_type": "software", "scheme": "url" } ], "references": [ "CISA, NSA AI Security Center, ASD ACSC, CCCS, NCSC-NZ, NCSC-UK. Careful Adoption of Agentic AI Services. Joint guidance, 1 May 2026.", "United States Congress. National Defense Authorization Act for Fiscal Year 2026. Sections 1513 and 6601.", "Greshake, K. et al. Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection. AISec 2023. arXiv:2302.12173.", "Debenedetti, E. et al. AgentDojo: A Dynamic Environment to Evaluate Prompt Injection Attacks and Defenses for LLM Agents. NeurIPS 2024 Datasets and Benchmarks. arXiv:2406.13352.", "Perez, F., Ribeiro, I. Ignore Previous Prompt: Attack Techniques for Language Models. NeurIPS ML Safety Workshop 2022. arXiv:2211.09527.", "Zhan, Q. et al. InjecAgent: Benchmarking Indirect Prompt Injections in Tool-Integrated LLM Agents. Findings of ACL 2024. arXiv:2403.02691.", "Wallace, E. et al. The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions. 2024. arXiv:2404.13208.", "Trusted Computing Group. TPM 2.0 Library Specification, Rev. 1.59. 2019.", "Sailer, R. et al. Design and Implementation of a TCG-Based Integrity Measurement Architecture. USENIX Security 2004.", "Coker, G. et al. Principles of Remote Attestation. Int. J. Information Security 10(2):63-81, 2011. doi:10.1007/s10207-011-0124-7.", "Parno, B., McCune, J. M., Perrig, A. Bootstrapping Trust in Commodity Computers. IEEE S&P 2010.", "Costan, V., Devadas, S. Intel SGX Explained. IACR ePrint 2016/086.", "Haber, S., Stornetta, W. S. How to Time-Stamp a Digital Document. J. Cryptology 3(2):99-111, 1991.", "Merkle, R. C. A Digital Signature Based on a Conventional Encryption Function. CRYPTO 1987, LNCS 293.", "Schneier, B., Kelsey, J. Secure Audit Logs to Support Computer Forensics. ACM TISSEC 2(2):159-176, 1999.", "Crosby, S. A., Wallach, D. S. Efficient Data Structures for Tamper-Evident Logging. USENIX Security 2009, pp. 317-334.", "Sha, L. Using Simplicity to Control Complexity. IEEE Software 18(4):20-28, 2001.", "Klein, G. et al. seL4: Formal Verification of an OS Kernel. SOSP 2009.", "Lamport, L. The Temporal Logic of Actions. ACM TOPLAS 16(3):872-923, 1994.", "Hines, K. et al. Defending Against Indirect Prompt Injection Attacks With Spotlighting. 2024. arXiv:2403.14720.", "NXP Semiconductors. EdgeLock SE051 Family Data Sheet, Rev. 2.0. 2024. CC Report BSI-DSZ-CC-1162.", "Infineon Technologies AG. OPTIGA TPM SLB 9670 Datasheet, Rev. 1.4. 2023.", "W3C. Web Cryptography API. W3C Recommendation, 26 January 2017.", "NIST. FIPS 204: Module-Lattice-Based Digital Signature Standard (ML-DSA). 2024.", "Hanley, J. A., Lippmann-Hand, A. If Nothing Goes Wrong, Is Everything All Right? JAMA 249(13):1743-1745, 1983.", "NIST. SP 800-53 Revision 5. 2020. doi:10.6028/NIST.SP.800-53r5.", "Oktenli, B. BLADE-INFRA Governance Node v2.0. Zenodo, 2026. doi:10.5281/zenodo.19277887.", "Oktenli, B. BLADE-SPACE Governance Node v2.0. Zenodo, 2026. doi:10.5281/zenodo.20183269." ], "version": "4.0", "notes": "v4.0 (2026-05-20): Zenodo deposit format restored (deposit metadata, contents, version history, how-to-cite). Five rendered figures embedded. Added a software-only vs HSM-backed baseline showing 100% vs 0% detection of file-controlling forgeries and host-side ledger rewrites over 50 trials each (tests/test-baseline.mjs). Corrected the I1 design property to state precisely that the hardware binds what it is told to extend and the security guarantee is detection of divergence by the off-host appraiser, not prevention of host-side misreporting. Reframed the attestation-identity pinning result as an explicit application of the standard out-of-band-anchor requirement (PKI trust anchors, certificate pinning, Coker et al. trustworthy-mechanism principle) rather than a novel theorem. Policy citations made verbatim-accurate: CISA et al. Careful Adoption of Agentic AI Services (1 May 2026) and FY2026 NDAA Pub. L. 119-60 Section 1513 plus IAA Section 6601; reference [5] marked as a workshop paper. Independent research; civilian NIST cryptography; no ITAR exposure.", "doi": "10.5281/zenodo.20299821", "prereserve_doi": { "doi": "10.5281/zenodo.20299821" } }, "files_in_this_deposit": [ "blade-agent-hsm-zenodo-paper.pdf v2.0 - research paper, 16 sections. Section 9 rewritten for the adversarial high-assurance emulator and its 275-check verification campaign.", "blade-agent-hsm-sim.html - Browser-resident emulator (adversarial high-assurance build). Web Crypto API. Reference use cases, failure-mode scenarios, interactive red-team console (11 primitives), evidence-bundle exporter, and a cryptographic trace verifier with attestation-identity pinning.", "tests/ - Seven Node test batteries plus the embedded core (275 deterministic checks; Node 19+).", "golden-traces/ - Deterministic seeded audit trace (normal-flow.jsonl) and its signed P-384 anchor (normal-flow.anchor.json).", "test-report.json - Machine-readable verification summary (275/275, suite breakdown, critical findings closed).", "README_VALIDATION.md - Reproduction instructions and the trust-model statement.", "ASSURANCE_BOUNDARY.md - Explicit statement of what is and is not claimed.", "REQUIREMENTS_TRACEABILITY_MATRIX.csv - 20 requirements mapped to function, scenario, and test.", "ICD-AGENT-HSM-001.pdf - Interface Control Document Rev. 1.0.", "BLADE-AGENT-HSM-Integration-Guide.pdf - AUTHREX-AGENT integration guide.", "blade-agent-hsm.html - Reference web page (mirrored on authrex.systems).", "blade_agent_hsm_CONFIG.json - Canonical project state.", "blade_agent_hsm_PARTS.csv - 27-line BOM totalling USD 199.00.", "blade_agent_hsm_ELECTRICAL_CONNECTIONS.json - 54 electrical edges.", "blade_agent_hsm_MECHANICAL_CONNECTIONS.json - 25 mechanical edges.", "blade_agent_hsm_GUIDE.md - Assembly and bring-up guide.", "blade_agent_hsm_SCHEMATIC.svg - Bus-topology schematic.", "blade_agent_hsm_ZENODO_METADATA.json - This file." ], "audit_trail": "v1.0 (initial deposit) -> v1.1 (publication-audit revision, 2026-05-19): Strict editorial audit identified (a) two load-bearing citations needed verification, (b) AI-pattern writing including 50+ em-dashes, (c) over-strong technical claims, (d) one missing verb, (e) undefined symbol alpha, (f) ECDSA mischaracterisation in spawn_quorum description. All ten audit findings addressed: citations verified against primary sources (CISA URL, FY26 NDAA Section 1513, FY26 IAA Section 6601); em-dash count reduced; over-strong claims softened with caveats; missing verb added; alpha defined before use; spawn_quorum corrected to N-of-M verify-then-commit; benchmark methodology added (Apple M3 Pro, Chrome 124, 412 sig/s mean); TRL 5-6 progression path added (seven milestones, ~USD 130,000-180,000, 12-16 months); Acknowledgments and author email added. | v1.1 -> v2.0 (2026-05-20): emulator advanced to adversarial high-assurance build; Section 9 rewritten (275 deterministic checks across seven batteries; cryptographic trace verifier with per-entry ECDSA signature verification, signed P-384 anchor, out-of-band attestation pinning, three-level trust model; eleven-primitive red-team console; seeded-PRNG determinism); PQC relabelled as interface model; abstract, limitations, data availability, version history, and citation updated to v2.0; Node test harness, golden traces, test-report.json, and reviewer documents bundled for independent reproduction. | v2.0 -> v3.0 (2026-05-20): journal-formatted rewrite responding to strict peer review. Added 28-reference peer-reviewed Related Work; reframed as reference design; aligned claims to evidence; repaired validation framing (removed '3x', coverage not sample, added a winning adversary as positive test); formalized threat model and added invariants I1-I5 with proof sketches; removed deposit apparatus from the body. | v3.0 -> v4.0 (2026-05-20): Zenodo deposit format restored; five figures embedded; software-only vs HSM baseline added (100% vs 0%); I1 corrected to detection-not-prevention; pinning reframed as the standard out-of-band-anchor requirement; policy citations made verbatim-accurate; [5] marked workshop." }