HSM Code Signing

The Secubit HSM firmware extension, called Vault, implements critical functionality such as key derivation, policy enforcement, transaction signing, PassKey authentication, and Merkle tree management. Because Vault code runs directly inside the HSM, protecting its integrity is essential for the overall security of the custody platform.

To prevent arbitrary or malicious code from being loaded into the device, the HSM enforces mandatory code signing at the hardware level. Every firmware extension must be signed with a trusted signing key that resides inside the HSM itself. Unsigned or improperly signed code is automatically rejected, ensuring that only verified and authorized binaries can execute within the secure boundary.

The code signing process for Vault is conducted as part of an official HSM ceremony. During this ceremony, the compiled Rust-based Vault code is presented to the HSM, which generates and applies its internal signature. A Crypto Officer must authorize this action by presenting their physical USB security key, providing multi-factor proof that the operation is intentional and approved.

Once the Vault extension has been signed, loading it into the HSM requires an additional level of authorization. A Security Officer must approve the load operation, ensuring that no code, even if properly signed, is introduced into the device without explicit administrative oversight. This dual-control mechanism enforces separation of duties: the Crypto Officer authorizes the signing of code, while the Security Officer authorizes its deployment.
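The two gates described above, modeled as an added Python example; it is not Secubit's code or the HSM's API. The class ModelHSM, the officer names, the boolean standing for the USB security key, and the use of HMAC-SHA256 in place of the HSM's internal signature are all assumptions made for illustration.

```python
import hashlib, hmac, secrets

class ModelHSM:
    """Toy model of the sign and load gates; not Secubit's API."""

    def __init__(self, crypto_officers, security_officers):
        self._key = secrets.token_bytes(32)  # signing key stays inside the object
        self._co, self._so = set(crypto_officers), set(security_officers)
        self.loaded = None                   # SHA-256 of the running extension
        self.audit = []                      # (operation, officer, result)

    def _tag(self, image):
        # Assumption: HMAC-SHA256 stands in for the HSM's internal signature.
        return hmac.new(self._key, image, hashlib.sha256).digest()

    def sign(self, image, officer, usb_key_present):
        # Gate 1: Crypto Officer role plus their physical USB security key.
        if officer not in self._co or not usb_key_present:
            self.audit.append(("sign", officer, "denied"))
            raise PermissionError("signing needs a Crypto Officer with USB key")
        self.audit.append(("sign", officer, "ok"))
        return self._tag(image)

    def load(self, image, signature, officer):
        # Gate 2a: the signature check applies to every caller.
        if not hmac.compare_digest(self._tag(image), signature):
            self.audit.append(("load", officer, "bad-signature"))
            raise ValueError("unsigned or improperly signed code rejected")
        # Gate 2b: a valid signature is not enough without Security Officer approval.
        if officer not in self._so:
            self.audit.append(("load", officer, "denied"))
            raise PermissionError("loading needs Security Officer approval")
        self.loaded = hashlib.sha256(image).hexdigest()
        self.audit.append(("load", officer, "ok"))

def run_ceremony():
    """Replay constructed attempts; return (outcomes, hsm)."""
    hsm = ModelHSM(crypto_officers={"alice"}, security_officers={"bob"})
    image = b"constructed vault build"       # sample input, not a real binary
    sig = hsm.sign(image, "alice", usb_key_present=True)
    outcomes = {}
    for name, args in [("tampered image", (image + b"!", sig, "bob")),
                       ("signer tries to load", (image, sig, "alice")),
                       ("approved load", (image, sig, "bob"))]:
        try:
            hsm.load(*args)
            outcomes[name] = "loaded"
        except (ValueError, PermissionError) as exc:
            outcomes[name] = type(exc).__name__
    return outcomes, hsm
```

The audit list records denied attempts as well as successful ones, which is the trail a ceremony reviewer would check against the approved build's digest.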

Through this layered approach — hardware-enforced signatures, multi-factor ceremonies, and role-based approval — Secubit guarantees that only trusted, authenticated, and properly audited code can ever run inside its HSMs. This protects the integrity of the Vault and maintains the HSM as a tamper-resistant root of trust for the entire custody system.