BLADE-AGENT-HSM: Beam-Layer Authority for Directed Engagements, Agent Hardware Security Module. A tamper-evident hardware root of trust for autonomous AI agents and the hardware companion to the AUTHREX-AGENT software shim. Non-exportable ECDSA P-256/P-384 keys in a CC EAL6+ secure element, authority-tier state in a TPM 2.0 PCR bank, HKDF per-tool tokens, spawn-quorum aggregation, and a multi-modal tamper cascade. Five-opcode 64-byte ABI; USB-A stick and M.2 Key-E module from one 4-layer PCB. Seventh BLADE platform. Reference cost ~$199/unit, ~$8,250 NRE. Verified by an adversarial high-assurance emulator (275/275 deterministic checks, P-384 signed golden-trace anchor). TRL 2-3 silicon / 3-4 emulator. Aligned with CISA/NSA/Five Eyes agentic-AI guidance and FY26 NDAA Sections 1513 and 6601.

blade-agent-hsm · hardware-root-of-trust · agentic-ai · authrex-agent · tpm-2.0 · secure-element · eal6 · ecdsa-p256 · ecdsa-p384 · hkdf · attestation · tamper-evident · se051 · slb9670 · stm32l432 · prompt-injection · nist-sp-800-53 · ndaa-1513
Adversarial emulator · 15 files · CC BY 4.0 · DOI: 10.5281/zenodo.20299821
main 15 files · v4.0 · May 2026
  • blade-agent-hsm-simulation.html - Adversarial high-assurance browser emulator · real Web Crypto · failure-mode scenarios · evidence-bundle export (May 2026)
  • blade-agent-hsm-zenodo-paper.pdf - Companion paper: A Reference Hardware-Root-of-Trust Design and Verified Emulator for Agentic-AI Authority Governance (16 sections, 5 figures, 28 refs) (May 2026)
  • ICD-AGENT-HSM-001.pdf - Interface Control Document: full ABI frame layout, pinout, and PCR allocation (May 2026)
  • BLADE-AGENT-HSM-Integration-Guide.pdf - Host-integration guide for the USB-A and M.2 Key-E variants (May 2026)
  • blade_agent_hsm_CONFIG.json - Node and pin reference configuration for the reference design (May 2026)
  • blade_agent_hsm_ELECTRICAL_CONNECTIONS.json - Electrical netlist: pin-level power and data connections (May 2026)
  • blade_agent_hsm_MECHANICAL_CONNECTIONS.json - Mechanical connections: enclosure, standoffs, and retention (May 2026)
  • blade_agent_hsm_PARTS.csv - Bill of materials (27 line items) with manufacturer part numbers and certification columns (May 2026)
  • blade_agent_hsm_GUIDE.md - Assembly, integration, and test notes (May 2026)
  • blade_agent_hsm_SCHEMATIC.svg - Vector system schematic (node-graph view, renders in-browser) (May 2026)
  • README_VALIDATION.md - Reproduction instructions for the 275-check campaign and the baseline; trust-model statement (May 2026)
  • ASSURANCE_BOUNDARY.md - Explicit statement of what is and is not claimed (May 2026)
  • REQUIREMENTS_TRACEABILITY_MATRIX.csv - 20 requirements mapped to function, scenario, and test (May 2026)
  • test-report.json - Machine-readable verification summary (275/275, suite breakdown, critical findings closed) (May 2026)
  • metadata.json - Zenodo deposit metadata (authors, keywords, related identifiers, references) (May 2026)
README.md

BLADE-AGENT-HSM

Beam-Layer Authority for Directed Engagements, Agent Hardware Security Module - Reference Design and Verified Emulator

A tamper-evident hardware root of trust for autonomous AI agents, and the hardware companion to the AUTHREX-AGENT software shim. BLADE-AGENT-HSM signs an agent's audit ledger with non-exportable ECDSA P-256/P-384 keys held in a CC EAL6+ secure element, stores the authority-tier state in a TPM 2.0 PCR bank, derives per-tool authorization tokens via HKDF, aggregates sub-agent spawn-quorum signatures, and triggers a key-zeroizing abort on physical tamper. It exposes a fixed 64-byte five-opcode ABI and ships in two form factors from one 4-layer PCB: a USB-A stick and an M.2 Key-E module. Seventh platform in the BLADE family and the first hardware root of trust.

This is a research demonstrator (TRL 2-3 silicon / 3-4 emulator). No certified hardware exists. No FIPS, Common Criteria, EAL, NSA, NASA, or DoD endorsement, validation, or certification of any kind is claimed. Silicon timing is modeled, not measured; post-quantum (ML-DSA) fields model interface shape only.

Publication

DOI: 10.5281/zenodo.20299821
Author: Burak Oktenli · Georgetown University, M.P.S. Applied Intelligence
ORCID: 0009-0001-8573-1667
License: CC BY 4.0 · Version: v4.0 · May 2026

Policy and Standards Drivers

  • CISA, NSA AI Security Center, and Five Eyes joint guidance Careful Adoption of Agentic AI Services (1 May 2026): hardware-anchored identity, non-repudiable audit, least-privilege authority.
  • FY26 NDAA Sections 1513 and 6601: AI assurance and authority provisions.
  • NIST SP 800-53 Rev. 5 (AU, SC, SR families) and FIPS 140-2 / 140-3.
  • TCG TPM 2.0 Library Specification (PCR banks, quote, sealed storage).

Key Specifications

  • Secure element: NXP EdgeLock SE051C2HQ1/Z01V (CC EAL6+); non-exportable ECDSA P-256/P-384, ECDH, AES-256-GCM, SHA-256/384, HKDF, on-chip RNG
  • TPM: Infineon SLB 9670VQ2.0 TPM 2.0 (FIPS 140-2 Level 2); PCR0-7, quote, sealed storage, attestation key
  • Governance MCU: STMicro STM32L432KCU6 (Arm Cortex-M4F, 80 MHz, USB-FS device)
  • TRNG / serial: Microchip ATSHA204A second-source entropy and device serial number
  • Tamper: active PCB mesh (L2/L3, 8-12 ohm, polled 10 ms) + voltage-glitch window (2.7/3.6V) + thermal monitor
  • Power: host 5V to 3.3V rail (TPS73633 LDO); 80 mA typical, 250 mA peak; MAX16162 supervisor; TPD2E001 USB ESD
  • Form factors: USB-A stick (84 x 24 x 9 mm) and M.2 Key-E module (Type 2280); single 30 x 80 mm 4-layer PCB
  • Reference cost: ~$199 per unit (qty 10-100); ~$8,250 first-article NRE; ~$8,449 first-article total

Five-Opcode ABI (64-byte frame)

  • 0x10 audit_sign - sign a 32-byte ledger hash with the SE051 ECDSA P-256 key
  • 0x11 pcr_extend - extend a named PCR (0-7) in the TPM
  • 0x12 pcr_quote - TPM quote over a PCR selection and a caller nonce
  • 0x13 tool_auth - HKDF-derive a per-tool token, bound to the active tier
  • 0x14 spawn_quorum_sign - verify N-of-M sub-agent signatures, aggregate via SE051

Authority Tiers (TPM PCR0)

  • T3 green: autonomous within tool policy; every action signed and logged
  • T2 amber: supervised; sign after acknowledgment
  • T1 red: confirmed; explicit operator confirmation required
  • T0 blinking red + alarm: halted and locked; keys zeroized; only pcr_quote served until re-provisioning
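
How a tier-bound tool_auth token can behave, as an added Node.js example that is not the project's firmware or emulator code. The HKDF info layout, the rule that every tier change is extended into PCR0, and the names HsmModel, setTier, toolAuth and checkToken are assumptions made for illustration; the real frame layout is in the ICD.

```javascript
const nodeCrypto = require('node:crypto');

const sha256 = (...parts) => {
  const h = nodeCrypto.createHash('sha256');
  parts.forEach((p) => h.update(p));
  return h.digest();
};

// TPM 2.0 extend rule: PCR_new = H(PCR_old || digest). A PCR cannot be set directly.
const pcrExtend = (pcr, digest) => sha256(pcr, digest);

class HsmModel {
  constructor(rootKey) {
    this.rootKey = rootKey;        // stands in for the non-exportable SE051 secret
    this.pcr0 = Buffer.alloc(32);  // a PCR starts as all zeros
    this.tier = null;
  }
  setTier(tier) {                  // assumption: every tier change is measured into PCR0
    this.pcr0 = pcrExtend(this.pcr0, sha256(Buffer.from(tier)));
    this.tier = tier;
  }
  toolAuth(tool) {
    if (this.tier === 'T0') throw new Error('halted: only pcr_quote is served');
    // assumption: info = label || tool name || current PCR0 digest
    const info = Buffer.concat([Buffer.from(`tool_auth|${tool}|`), this.pcr0]);
    return Buffer.from(nodeCrypto.hkdfSync('sha256', this.rootKey, Buffer.alloc(32), info, 32));
  }
  checkToken(tool, token) {        // constant-time comparison against a fresh derivation
    return nodeCrypto.timingSafeEqual(token, this.toolAuth(tool));
  }
}

function demoTierBinding() {
  const hsm = new HsmModel(nodeCrypto.randomBytes(32)); // constructed key
  hsm.setTier('T3');
  const token = hsm.toolAuth('shell');
  const out = { sameTier: hsm.checkToken('shell', token), otherTool: hsm.checkToken('http_get', token) };
  hsm.setTier('T2');
  out.afterDemotion = hsm.checkToken('shell', token);
  hsm.setTier('T3');               // PCR0 now carries the T3 -> T2 -> T3 history
  out.afterRepromotion = hsm.checkToken('shell', token);
  hsm.setTier('T0');
  try { hsm.toolAuth('shell'); out.servedAtT0 = true; } catch { out.servedAtT0 = false; }
  return out;
}

console.log(demoTierBinding());
```

Because the token is derived from the PCR0 digest rather than the tier label, a token issued before a demotion stays invalid even after the agent is promoted back to the same tier.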

Validation

  • 275 deterministic checks across seven Node test batteries (275 of 275 passing; confirmed over three reruns)
  • Software-only-versus-HSM baseline quantifying what the hardware anchor adds
  • Deterministic golden trace plus a P-384 signed anchor over event count, final PCR digests, and trace SHA-256
  • Per-entry ECDSA P-256 audit signatures verified by the bundled trace verifier; truncation or substitution fails
  • Adversarial forgery resistance with an out-of-band identity pin, including against anchor re-key attacks
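
Why the signed anchor and the out-of-band pin both matter, as an added Node.js example that is not the project's bundled trace verifier. The bundle field names, the newline-joined trace serialization, the sample events and the all-zero PCR0 value are constructed for illustration, and freshly generated key pairs stand in for the SE051 keys.

```javascript
const nodeCrypto = require('node:crypto');

const sha256hex = (data) => nodeCrypto.createHash('sha256').update(data).digest('hex');
const pinOf = (pem) =>
  sha256hex(nodeCrypto.createPublicKey(pem).export({ type: 'spki', format: 'der' }));
const traceHash = (entries) => sha256hex(entries.map((e) => e.event).join('\n'));
const b64 = (s) => Buffer.from(s, 'base64');

// Device side: P-256 (prime256v1) per-entry signatures, P-384 (secp384r1) anchor.
function signTrace(events, pcr0Hex) {
  const audit = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const anchor = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'secp384r1' });
  const pem = (k) => k.export({ type: 'spki', format: 'pem' });
  const entries = events.map((event) => ({
    event,
    sig: nodeCrypto.sign('sha256', Buffer.from(event), audit.privateKey).toString('base64'),
  }));
  const anchorBody = JSON.stringify({ count: entries.length, pcr0: pcr0Hex, trace: traceHash(entries) });
  const anchorSig = nodeCrypto.sign('sha384', Buffer.from(anchorBody), anchor.privateKey).toString('base64');
  return { entries, anchorBody, anchorSig, auditPub: pem(audit.publicKey), anchorPub: pem(anchor.publicKey) };
}

// Verifier side: `pins` are public-key fingerprints obtained out of band.
function verifyTrace(b, pins) {
  if (pinOf(b.auditPub) !== pins.audit || pinOf(b.anchorPub) !== pins.anchor) return 'key pin mismatch';
  if (!nodeCrypto.verify('sha384', Buffer.from(b.anchorBody), b.anchorPub, b64(b.anchorSig))) {
    return 'bad anchor signature';
  }
  for (const e of b.entries) {
    if (!nodeCrypto.verify('sha256', Buffer.from(e.event), b.auditPub, b64(e.sig))) return 'bad entry signature';
  }
  const a = JSON.parse(b.anchorBody);
  if (a.count !== b.entries.length || a.trace !== traceHash(b.entries)) return 'trace does not match anchor';
  return 'ok'; // a.pcr0 would then be compared with a fresh pcr_quote
}

function demoTraceAttacks() {
  const good = signTrace(['tier=T3', 'tool_auth shell', 'audit_sign 01'], '00'.repeat(32));
  const pins = { audit: pinOf(good.auditPub), anchor: pinOf(good.anchorPub) };
  const truncated = { ...good, entries: good.entries.slice(0, 2) }; // every remaining signature is valid
  const substituted = { ...good, entries: good.entries.map((e, i) => (i === 1 ? { ...e, event: 'noop' } : e)) };
  const rekeyed = signTrace(['tier=T3'], '00'.repeat(32));          // self-consistent bundle, foreign keys
  return [good, truncated, substituted, rekeyed].map((b) => verifyTrace(b, pins));
}

console.log(demoTraceAttacks());
```

The truncated bundle passes every per-entry check and is caught only by the anchored event count and trace hash; the re-keyed bundle is internally valid and is caught only by the pin.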

Related Work

  • BLADE-EDGE (defense): 10.5281/zenodo.19177472
  • BLADE-AV (automotive): 10.5281/zenodo.19232130
  • BLADE-MARITIME (maritime): 10.5281/zenodo.19246785
  • BLADE-INFRA (critical infrastructure): 10.5281/zenodo.19277887
  • BLADE-SPACE (orbital): 10.5281/zenodo.20183269
  • BLADE-CUAS (counter-UAS): 10.5281/zenodo.20299604

Author

Burak Oktenli
Georgetown University, M.P.S. Applied Intelligence
ORCID: 0009-0001-8573-1667
Website: burakoktenli.com