HSM Customization in Rust

Secubit’s threat model assumes that any process executed outside of the Hardware Security Module (HSM) can be compromised by attackers. To eliminate this risk, all critical workflows — including key derivation, transaction signing, blockchain-specific transaction marshalling, the policy engine, end-to-end authentication with PassKey, and Merkle tree validation — are implemented inside the HSM. By doing so, no sensitive operation depends on external servers or application code that may be exposed to compromise.

To achieve this level of customization, Secubit extends the HSM firmware with custom modules tailored for its custody architecture. Although the HSM natively supports customization using a C compiler, Secubit deliberately chose Rust as its development language. Rust provides memory safety guarantees at compile time without requiring a garbage collector or runtime, eliminating entire classes of vulnerabilities such as buffer overflows, memory leaks, and use-after-free attacks that have historically plagued low-level systems code.
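The bounds-checking property described above, shown on a length-prefixed request parser of the kind an in-HSM module needs. This is an added example, not Secubit's code; the frame layout, opcodes and `MAX_PAYLOAD` are hypothetical.

```rust
// Added illustration: frame layout, opcodes and limits are hypothetical.
// Frame: opcode (1 byte) | key_id (u16 BE) | payload_len (u16 BE) | payload
const MAX_PAYLOAD: usize = 1024; // hypothetical per-request cap

#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, UnknownOpcode(u8), TooLarge(usize), TrailingBytes(usize) }
#[derive(Debug, PartialEq)]
pub enum Opcode { DeriveKey, SignTx }
#[derive(Debug, PartialEq)]
pub struct Request<'a> { pub opcode: Opcode, pub key_id: u16, pub payload: &'a [u8] }

// Split `n` bytes off the front of `buf`, or fail; never reads out of range.
fn take(buf: &[u8], n: usize) -> Result<(&[u8], &[u8]), ParseError> {
    if buf.len() < n { return Err(ParseError::Truncated); }
    Ok(buf.split_at(n))
}

fn be_u16(buf: &[u8]) -> Result<(u16, &[u8]), ParseError> {
    let (head, rest) = take(buf, 2)?;
    Ok((u16::from_be_bytes([head[0], head[1]]), rest))
}

pub fn parse_request(frame: &[u8]) -> Result<Request<'_>, ParseError> {
    let (op, rest) = take(frame, 1)?;
    let opcode = match op[0] {
        0x01 => Opcode::DeriveKey,
        0x02 => Opcode::SignTx,
        other => return Err(ParseError::UnknownOpcode(other)),
    };
    let (key_id, rest) = be_u16(rest)?;
    let (len, rest) = be_u16(rest)?;
    let len = len as usize;
    if len > MAX_PAYLOAD { return Err(ParseError::TooLarge(len)); }
    // The caller-supplied length is checked against the real buffer here.
    let (payload, rest) = take(rest, len)?;
    if !rest.is_empty() { return Err(ParseError::TrailingBytes(rest.len())); }
    Ok(Request { opcode, key_id, payload }) // payload borrows from `frame`, no copy
}

fn main() {
    // Constructed sample frames: valid, declared length longer than data, oversized.
    let ok = [0x02, 0x00, 0x07, 0x00, 0x03, 0xAA, 0xBB, 0xCC];
    let short = [0x02, 0x00, 0x07, 0x00, 0x10, 0xAA];
    let huge = [0x02, 0x00, 0x07, 0xFF, 0xFF];
    for f in [&ok[..], &short[..], &huge[..]] { println!("{:?}", parse_request(f)); }
}
```

The parser returns an error for every malformed frame instead of relying on an index panic, since a panic inside firmware still interrupts service even though it cannot corrupt memory.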

The Secubit development framework compiles Rust code into a form compatible with the HSM, then packages it into a signed firmware extension. This extension is signed by the HSM itself during a secure ceremony before being loaded into the device. The signature binding ensures that only authorized and verified extensions can run inside the secure boundary, maintaining the integrity of the HSM environment.

Rust-based extensions provide performance equivalent to C while dramatically reducing the attack surface. By combining Rust’s safety features with the HSM’s tamper-resistant hardware, Secubit delivers a hardened execution layer where policy enforcement, authentication, and signing operations cannot be bypassed or subverted by external threats.

Rust-driven HSM customization yields a platform that is secure by design and also extensible: it can support new blockchains, new cryptographic algorithms, or evolving custody policies without compromising the hardware root of trust.

The custom code that Secubit develops and deploys inside the HSM is called Vault. Vault is the core trusted component that implements policy enforcement, Merkle tree management, PassKey authentication, and blockchain-specific signing logic. It represents the heart of Secubit’s security model, acting as the binding layer between cryptographic keys, business rules, and end-user approvals.