7 · Flight Lifecycle

Flight Lifecycle: Onboarding to Reconciliation

Andi Lamprecht ·2026-05-11· 11 min read· Draft

The connected-mode flight loop. This page is the canonical reference for what happens cryptographically across one flight: how a drone is brought into the platform (Phase 0), how an authorization is issued (Phase 1), and how telemetry is bound to that authorization in flight (Phase 2). Disconnected operations layer on top of this foundation — see Disconnected Operations. Material adapted from work by Remek (PR #37).

1. Phase 0 — Drone Onboarding

Before a drone can be used in the platform, it must be onboarded. Onboarding establishes the drone’s hardware identity and security posture in the platform’s registry. This is a one-time event per airframe.

For background on the two independent certificate chains (TPM chip provenance and Drone OEM provenance), TPM NV storage, and PCR attestation, see Aircraft Hardware Identity.

Step 1 — TPM attestation challenge

The platform sends a nonce challenge to the drone. The drone’s TPM responds with:

Artifact	Source	Proves
EK Certificate	Read from TPM NV storage	Chains to the TPM chip manufacturer root CA — the chip is genuine
AK Certificate request	Signed by the EK	The Attestation Key lives inside the same TPM chip
PCR Quote	Signed snapshot of PCR values, signed by the AK	The software stack matches known-good hashes

The platform verifies the EK chain against the TPM manufacturer’s public root CA, then issues an AK Certificate confirming the signing key is hardware-bound.

Step 2 — Drone Assembly Certificate verification

The drone presents its Drone Assembly Certificate from TPM NV storage. The platform verifies it chains to the Drone OEM Root CA and that the EK public key inside it matches the EK presented in Step 1. This is the cross-reference that binds drone body to TPM chip — see Aircraft Hardware Identity §2.

Step 3 — Platform registration

The platform records the drone’s security posture:

{
  "drone_serial":     "DRN-00492",
  "assembly_cert":    "<fingerprint>",
  "tpm_manufacturer": "Infineon",
  "tpm_model":        "SLB9670",
  "ek_verified":      true,
  "pcr_baseline":     { "PCR[0]": "a3f9...", "PCR[4]": "7c1d...", "PCR[7]": "..." },
  "secure_boot":      true,
  "attested_at":      "2025-01-15T09:00Z",
  "key_storage":      "hardware-tpm"
}

This record is the ground truth against which all future authorization requests for this drone are evaluated. It is cryptographically established at onboarding — not self-reported by the pilot.

    sequenceDiagram
    autonumber
    participant Drone
    participant Platform
    Drone->>Platform: Onboarding request
    Platform-->>Drone: Nonce challenge
    Drone->>Drone: TPM produces EK cert + AK request + PCR Quote
    Drone-->>Platform: EK cert · AK request · PCR Quote
    Platform->>Platform: Verify EK chain to TPM manufacturer Root
    Platform-->>Drone: AK Certificate
    Drone-->>Platform: Drone Assembly Certificate (from NV storage)
    Platform->>Platform: Verify chain to OEM Root + EK match
    Platform->>Platform: Record posture (drone_serial, PCR baseline, ...)
    Platform-->>Drone: Onboarded

2. Pre-Flight Authorization

The pilot submits flight intent: identity, drone, location, time window, and purpose. The platform validates the drone serial number exists in the registry with a current valid attestation.

Multi-authority endorsement

The platform calculates which authorities must endorse the flight — based on airspace jurisdiction, operational competence, or both — and dispatches the authorization request to all of them simultaneously. First to respond is the first endorser. The flight may not commence until all required endorsements are collected.

The endorsement model and signature structure are documented in Authorization Package §3.

Pilot identity at authorization time

FTN alone is insufficient. It is verified server-side against the FAA IACRA API but does not cryptographically prove the person holding the certificate is present. It must be paired with login.gov identity proofing. Scanning a paper certificate is not acceptable.

For the full pilot identity model, see Pilot Identity.

Issuance

The platform assembles the base token and all endorsements into a composite Authorization Token, seals it with its own signature, and emits the structured Authorization Object onto the event stream. See Authorization Package §4.

3. In-Flight Telemetry Binding

Channel. Phase 2 telemetry is sent over a private mTLS channel from the drone (or its operator app) to ATOMx — not broadcast. The public-facing surface is the Remote ID Authentication Message described in Disconnected Operations §5.3, which carries the rotating Public Aircraft Token, not the internal package_id. Broadcasting package_id would defeat the unlinkability the Public Aircraft Token exists to provide.

The drone signs each telemetry packet with its hardware-bound private key:

Telemetry Packet {
  package_id:    "auth-943da899"          ← internal authorization identifier (mTLS-only, never broadcast)
  seq:           1042                     ← strictly incrementing
  timestamp:     2026-06-01T14:23:17.412Z
  position:      { lat, lon, alt, vel }
  signature:     <drone hardware key over all of the above>
}

Field	Role
`package_id`	Binds the packet to the Authorization Package; serves as the session identifier; prevents cross-session replay. Same identifier used in system-design §5.1 and Authorization Package §4.
`seq`	Strictly incrementing sequence number; the server rejects any packet with a sequence number it has already seen — prevents intra-session replay
`signature`	The drone’s hardware-bound key means only the physical device can produce valid signatures

What if the telemetry stream stalls?

A gap in telemetry does not drop the trust level — the Authorization Package and credentials remain valid. ATOMx tracks a per-package telemetry-confidence score (see system-design §1.7) that degrades after a configurable grace window. After the window, the authorized operational state shows “telemetry stale” and the conformance engine pauses evaluation rather than emitting false-positive deviations. Operator policy decides whether stalled telemetry triggers an automatic abort, return-to-launch, or only an alert.

4. Attack Vectors and Mitigations

Assuming firmware integrity and hardware key extraction are mitigated by TPM attestation and secure boot:

Attack	Mitigation
Cross-session replay	`flight_auth_id` differs per session
Intra-session replay / reordering	Sequence number, server tracks last seen
Stream injection	Packets without valid drone hardware signature rejected
Pilot identity spoofing	login.gov identity proofing + IACRA FTN verification
Drone identity spoofing	Hardware attestation challenge at onboarding
Firmware / bootloader tampering	PCR Quote at onboarding compared against baseline
GPS spoofing	Residual risk — requires independent position corroboration outside the drone

GPS spoofing is the residual risk that cryptography alone cannot solve. A drone with a hardware-bound key and attested firmware will honestly sign whatever its GPS sensor reports. Full mitigation requires independent position corroboration — cellular triangulation, ground radar, or ADS-B — which is an infrastructure problem, not a cryptography problem.

For the full threat model spanning identity, replay, disclosure, and operational threats, see Threat Model.

5. Relationship to Remote ID

Remote ID and the telemetry stream are separate channels serving different purposes:

Channel	Medium	Payload	Purpose
Remote ID	Local RF (Bluetooth / Wi-Fi)	Fixed tiny payload, no room for authorization data	Airspace awareness and law enforcement
Telemetry stream	Network-connected	Cryptographic binding to the authorization, full evidentiary record	Authorization conformance

They are complementary. The drone serial number in the Remote ID broadcast must match the drone identity in the authorization token. When ATOMx Authentication-Message attestations are emitted (see Disconnected Operations §5.1), the Public Aircraft Token in the broadcast resolves through the capsule to the same drone serial recorded in the registry.

6. Mid-Flight Events

In-flight authorization is not static. Several event classes can change the operational picture during a flight; each has a defined handling path.

6.1 Mid-Flight Amendment

Pop-up TFRs, sub-zone activations, dynamic restrictions, and authority instructions can amend a live authorization. The flow:

ATOMx (or the issuing authority) creates an amendment: same package_id, new package_version (see Authorization Package §8.3).
ATOMx sends a machine-readable compliance instruction to the operator/control system: exit, hold, land, reroute, or refile.
Where possible, ATOMx provides a pre-deconflicted route out of the affected area.
Operator/control system accepts, modifies, or executes the response.
Aircraft receives the new package_version either through its operator app or directly if it has its own connectivity.
The Conformance Engine begins evaluating against the new approved operation immediately on the operator side; it begins evaluating against it on the aircraft side once the new version has propagated.
Cooperative compliance does not downgrade identity trust. Non-compliance becomes an authorized-user investigation cue.

For flights underway in disconnected mode, amendment delivery is best-effort over whatever sideband channel is available; if the aircraft cannot be reached, ATOMx records the amendment as issued-but-not-acknowledged and the conformance engine flags any divergence post-flight.

6.2 Pilot Handoff

For long-duration flights or shift changes, one pilot may hand off RPIC responsibility to another. ATOMx supports this as a signed event:

Both pilots are affiliated with the operator; both have valid Pilot Certificates
Outgoing pilot signs a handoff record naming the incoming pilot
Incoming pilot countersigns
ATOMx amends the package to reflect the new pilot_identity_ref; package_version increments
Audit ledger records the handoff event with timestamp, position, and aircraft state

Handoff is denied if the incoming pilot is not affiliated with the operator, lacks current credentials, or holds an active suspension.

6.3 Multi-Aircraft and Swarm Operations

Swarm operations are modeled as a single Authorization Package referencing multiple aircraft, with one designated RPIC and one approved operating volume that contains the swarm geometry. Each aircraft signs its own telemetry and broadcasts its own Public Aircraft Token. The conformance engine evaluates the swarm against the aggregate approved operation, not each aircraft individually.

For a true Part 108 BVLOS swarm, the architecture admits operator-system identity as a peer of pilot identity (see Onboarding Operators and Pilots §5.2). The cryptographic substrate is in place; the regulatory path is forthcoming.

7. Revocation and Avatar Destruction

For connected operations, ATOMx uses an elegant revocation primitive: device-pair certificates issued per aircraft connection. To revoke, delete the server-side cert from inventory; the avatar pod dies; the client cert becomes useless. No CRL distribution, no rotation list. Combined with short-lived MTLS sessions issued via CSR, this collapses the revocation problem for connected operations. See Origins and Decisions §3.12.

Disconnected operations carry CRL snapshots inside each Offline Capsule — see Disconnected Operations §4.3.

8. Reconciliation

When connectivity returns at the aircraft, the operator’s ground system, or an authority field device, pending records are uploaded and reconciled into the ATOMx audit ledger. ATOMx specifically looks for replay, duplicate token use, broken seal, geo-mismatch, time tampering, and break-glass clusters. The full reconciliation flow is documented in Disconnected Operations §7.

9. Cross-References

The objects and signatures involved: Authorization Package
Where the hardware identity comes from: Aircraft Hardware Identity
Where the pilot identity comes from: Pilot Identity
The disconnected variant of this flow: Local Broadcast & Messaging

Implementation Readiness — Open Questions

Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.

#	Question	Owner	ADR?	Blocking?
1	Telemetry transport protocol — MQTT (broker-mediated, QoS levels), QUIC (low-latency, multiplexed streams), or gRPC bidirectional streaming over HTTP/2? Choice drives mTLS termination, NAT traversal, and offline buffering semantics.	Engineering	Yes — ADR: Phase 2 Telemetry Transport Selection	Yes
2	Telemetry cadence and packet size budget — default Hz (1/2/5/10?), max payload bytes per signed packet, and whether cadence is fixed or adaptive to link quality. Drives bandwidth cost, TPM signing throughput, and storage volume.	Engineering + Product	Yes — ADR: Telemetry Cadence & Packet Envelope	Yes
3	Grace window for stalled telemetry — how many seconds/missed packets before the platform declares the flight “telemetry-lost” and triggers escalation (alert, auto-RTL, authorization suspend)? Needs to tolerate LTE handoffs without false positives.	Product + Security	Yes — ADR: Stalled-Telemetry Grace Window & Escalation Ladder	Yes
4	Mid-flight amendment ACK protocol — does the drone cryptographically acknowledge an amended `package_id` before the new envelope takes effect, or does the platform unilaterally rotate? What’s the rollback path if ACK is not received?	Engineering + Security	Yes — ADR: Mid-Flight Authorization Amendment Handshake	Yes
5	Pilot handoff dual-signature mechanics — sequential (outgoing signs release, incoming signs accept) vs. co-signed envelope; window of overlap; what happens if incoming pilot fails to counter-sign within N seconds.	Product + Security	Yes — ADR: Pilot Handoff Cryptographic Protocol	Yes
6	Swarm operation cardinality limits — max drones per authorization envelope, whether each drone holds an individual `package_id` or a shared one, and how revocation of a single airframe propagates within the swarm.	Product	Yes — ADR: Swarm Authorization Cardinality & Per-Airframe Binding	No
7	Avatar destruction race conditions — what is the contract when an avatar is destroyed mid-flight? Does the drone get a final signed “revoked” envelope, or do we rely on telemetry stall? How are in-flight signed packets received post-revocation reconciled?	Engineering + Security	Yes — ADR: In-Flight Revocation Semantics	Yes
8	Reconciliation conflict resolution — when post-flight anomaly detection flags drift (GPS jump, geofence excursion) but the signed flight log is internally consistent, which is authoritative? What is the dispute workflow?	Product + Security	Yes — ADR: Reconciliation Conflict Resolution Policy	No
9	GPS-spoofing detection logic — does detection live on-drone (multi-constellation cross-check, IMU fusion residual) or platform-side (trajectory plausibility against authorization envelope), or both? What confidence threshold triggers action?	Engineering + Security	Yes — ADR: GPS Spoofing Detection Strategy	No
10	Automatic abort / RTL trigger matrix — exhaustive list of conditions that cause autonomous abort (telemetry loss, geofence breach, revoked authorization, spoof detected, low battery) and which action each maps to (RTL, land-in-place, hover-and-alert).	Product + Security	Yes — ADR: Autonomous Abort & RTL Decision Matrix	Yes

Last updated on May 11, 2026

6 · Authorization Package 8 · Disconnected Operations