Onboarding Aircraft
1. Factory Provisioning (at the OEM line)
Every aircraft ships with a hardware secure element — a dedicated tamper-resistant chip that holds cryptographic keys and performs signing on-chip. At the manufacturing line, the secure element:
- Generates its own keypair on first boot; the private key never leaves the chip
- Receives the ATOMx Root public key as an immutable trust anchor
- Receives its identity certificate signed by the manufacturer’s intermediate CA
- Has its TPM NV storage locked (EK Cert under
WRITE_ONCE, Drone Assembly Cert underWRITE_LOCKED)
sequenceDiagram
autonumber
participant SE as Aircraft Secure Element
participant Line as OEM Manufacturing Line
participant HSMo as OEM HSM
participant ATOMx
Line->>SE: Power on, initiate provisioning
SE->>SE: Generate keypair on-chip
SE->>Line: CSR (public key + airframe serial + hardware attestation)
Line->>HSMo: Forward CSR
HSMo->>HSMo: Sign with Manufacturer Intermediate CA
HSMo-->>Line: Aircraft Identity Certificate
Line->>SE: Install certificate + ATOMx Root public key + lock NV storage
Line->>ATOMx: Signed batch attestation (serials, firmware, attestation hashes)
ATOMx-->>Line: Registry entry: "manufactured, unassigned"
After provisioning, the aircraft’s lifecycle state in ATOMx is Manufactured, unassigned. It cannot fly yet — it has not been bound to an operator, and the platform has not performed its own attestation challenge.
2. Platform Onboarding (first connection)
The first time the aircraft connects to the platform — typically through the operator’s mobile app via the OEM controller (see Disconnected Operations §3.1) — the platform runs the TPM attestation challenge. This is documented in full in Flight Lifecycle §1. In summary:
- Platform sends a nonce challenge.
- Drone TPM responds with EK Certificate, AK Certificate request, and PCR Quote.
- Platform verifies EK chain to TPM manufacturer Root, issues AK Certificate.
- Drone presents Drone Assembly Certificate; platform verifies chain to OEM Root and the EK cross-reference.
- Platform records the security posture as the ground-truth registration record.
The result is the JSON registration record in Flight Lifecycle §1.3. This record is the ground truth against which all future authorization requests for this aircraft are evaluated. It is cryptographically established at onboarding, not self-reported by the pilot.
3. Aircraft Lifecycle States
| # | State | Entered By | What It Allows |
|---|---|---|---|
| 1 | Manufactured | OEM batch attestation submitted | Sit in inventory; no operator yet |
| 2 | Registered | Operator binds airframe serial to its org | Be assigned to pilots |
| 3 | Pilot-Assigned | Operator grants a pilot operating rights | Receive flight plans submitted by that pilot |
| 4 | Connected-Ready | Aircraft has performed a recent routine check-in (revocation list, time anchor, trust anchors all current) | Receive Authorization Packages |
| 5 | Authorized-for-Flight | Authorization Package issued and capsule loaded | Take off |
| 6 | Flying | Aircraft is airborne | Broadcast identity + telemetry; conform to approved operation |
| 7 | Reconciled | Aircraft has landed and uploaded its signed flight log | Return to Connected-Ready |
| — | Revoked | Aircraft certificate revoked (loss, theft, decommission, security event) | Nothing; cannot be re-authorized |
flowchart LR
M(Manufactured) --> R(Registered)
R --> P(Pilot-Assigned)
P --> C(Connected-Ready)
C --> A(Authorized-for-Flight)
A --> F(Flying)
F --> Re(Reconciled)
Re --> C
C --> X([Revoked])
classDef active fill:#eef3ff,stroke:#1f6feb
classDef terminal fill:#ffe1e1,stroke:#b91c1c
class M,R,P,C,A,F,Re active
class X terminal
4. Registration to an Operator
When an operator acquires the aircraft, they submit proof of ownership (or an OEM-signed transfer record) to ATOMx. ATOMx records a signed binding from the airframe serial to the operator’s org cert. State advances to Registered. This is also when the platform-side attestation challenge typically runs, if it has not already.
5. Pilot Assignment
A pilot under the operator’s org may be granted operating rights to specific airframes. The binding is recorded server-side; the aircraft itself does not need to know which pilot will fly it next, only that an Authorization Package presented at flight time is signed for an enrolled pilot under its bound operator.
6. Re-Attestation and Lifecycle Events
6.1 Re-Attestation Cadence
The TPM attestation challenge in §2 is not a one-shot event. ATOMx requires re-attestation:
| Trigger | Effect |
|---|---|
| Routine check-in (typically daily, or before each flight session) | Aircraft presents a fresh PCR Quote; ATOMx confirms PCRs match the current OEM-published baseline for the running firmware version |
| Firmware update | New PCR baseline rolls forward — see Aircraft Hardware Identity §9.3 |
| Trust-anchor refresh | Updated Manufacturer CA list pulled into aircraft’s signed reference store |
| Time-anchor freshness | Fresh signed time anchor delivered; if stale, aircraft enters time-degraded state |
An aircraft that has not completed a routine check-in within the configured window cannot enter Connected-Ready state and therefore cannot receive new Authorization Packages.
6.2 Re-Onboarding Triggers
Full re-onboarding (Phase 0 from scratch) is required when:
- TPM hardware is replaced (rare; see Aircraft Hardware Identity §9.4)
- Mainboard is replaced (most RMA cases)
- Whole airframe is replaced
- Cryptographic chain validation fails irrecoverably (tamper response triggered, secure-element fault)
- Aircraft is transferred between operator orgs across a registry boundary that requires fresh attestation
6.3 Loss, Theft, Decommissioning
| Event | Path |
|---|---|
| Reported lost | Operator marks aircraft as Suspect; flights paused; recoverable to active state if recovered |
| Reported stolen | Aircraft certificate Revoked; CRL update; aircraft cannot fly under any operator |
| End-of-life decommissioning | Operator submits decommission request; aircraft Revoked with reason; record retained for audit; can be donated to a museum but cannot be re-registered |
| RMA / repair | See §6.2 — usually requires re-onboarding |
6.4 Fleet Onboarding (Bulk Path)
For operators bringing tens or hundreds of aircraft online at once, ATOMx supports a bulk onboarding API that accepts a signed batch manifest from the operator referencing pre-validated aircraft serials and their corresponding OEM batch-attestation records. Each aircraft still completes its own TPM attestation challenge on first connection, but operator-side workflow (operator binding, pilot pre-assignment, default policy) is applied in one pass.
Bulk onboarding does not skip the per-aircraft cryptographic ceremony; it streamlines the operator-side ledger entries that surround it.
6.5 Transfer Between Operators
A transfer between operators is not a simple ownership rebinding — it produces an audit-significant event:
- Selling operator submits transfer record signed by an authorized operator user
- Buying operator countersigns
- ATOMx records the transfer; aircraft state moves to
Manufactured, unassignedif a fresh attestation is required, or directly toRegisteredunder the new operator if the current attestation is fresh and the buying operator’s risk policy accepts a warm transfer - Pilot assignments under the previous operator are revoked
- Outstanding authorizations are revoked or completed
Leasing is a special case of transfer with a defined return event; the lessor remains the regulatory owner of record.
7. The Fallback for BYOD or Non-TPM Aircraft
When an OEM lacks a TPM or the customer is bringing legacy hardware, ATOMx supports an encrypted-vault fallback: a non-root encrypted vault inside a read-only Docker container. The trust tier degrades from L5 (hardware-anchored) to L4 (software-anchored). Liability for key protection shifts to the customer. See Origins and Decisions §3.13.
8. Cross-References
- The OEM event that issues the aircraft certificate: Onboarding Manufacturers
- The hardware substrate that makes attestation possible: Aircraft Hardware Identity
- The runtime cryptographic mechanics of Phase 0: Flight Lifecycle §1
- The full lifecycle as seen from the disconnected-ops view: Disconnected Operations §3
Implementation Readiness — Open Questions
Each entry below identifies a decision not yet locked. Items marked (ADR) should be formalized as an Architecture Decision Record before implementation begins. Items marked (blocking) must be resolved before the relevant feature can be built.
| # | Question | Owner | ADR? | Blocking? |
|---|---|---|---|---|
| 1 | TPM attestation challenge wire format — exact protocol (TPM2_Quote payload framing, nonce length, signature algorithm, transport envelope, error codes). Needed for OEM SDK interop. | Engineering + OEM-external | Yes — ADR: Platform TPM Attestation Challenge Wire Protocol | Yes |
| 2 | Re-attestation cadence default — daily routine check-in vs per-flight quote vs hybrid (daily anchor + per-session freshness token). What window length defines “fresh” per trust tier (L5 vs L4)? | Product + Engineering | Yes — ADR: Re-Attestation Cadence and Freshness Windows | Yes |
| 3 | Freshness-check failure modes — which conditions degrade Connected-Ready → blocked (stale PCR Quote, stale time anchor, stale CRL, stale trust anchors), and what user-facing remediation path applies in each case. | Product + Engineering | Yes — ADR: Freshness Failure Taxonomy and Remediation | Yes |
| 4 | PCR baseline storage — where the OEM-published PCR baselines live in the registry, how they are signed, version-pinned per firmware build, and how the platform looks them up at quote-verification time. | Engineering + OEM-external | Yes — ADR: PCR Baseline Registry Schema and Signing | Yes |
| 5 | OTA firmware roll-forward protocol — exact sequence for baseline rotation: new PCR baseline pre-publish window, dual-baseline acceptance period, rollback handling, mid-update attestation behavior. | Engineering + OEM-external | Yes — ADR: OTA Firmware Roll-Forward and PCR Baseline Rotation | No |
| 6 | RMA detection mechanism — how the platform recognizes that a TPM, mainboard, or airframe has been swapped (EK Cert mismatch, Drone Assembly Cert change, OEM-signed RMA record) and which signal authoritatively triggers re-onboarding. | Engineering + OEM-external | Yes — ADR: RMA Detection and Re-Onboarding Triggers | No |
| 7 | Fleet bulk-onboarding API contract — request/response schema for the signed batch manifest, idempotency keys, partial-failure semantics, rate limits, and how per-aircraft attestation status is reported back asynchronously. | Engineering + Product | Yes — ADR: Fleet Bulk Onboarding API | No |
| 8 | Transfer-between-operators — legal workflow (bill of sale, regulatory owner-of-record handoff, ITAR/export considerations) vs technical workflow (countersigned transfer record, attestation refresh policy). Who signs what, and which steps gate the state transition. | Legal + Product | Yes — ADR: Operator-to-Operator Transfer Workflow | Yes |
| 9 | Leasing semantics in the registry — how lessor (regulatory owner) and lessee (operator) are represented, lease-term enforcement, automatic return event, sublease rules, revocation rights during the lease. | Legal + Product | Yes — ADR: Leasing and Dual-Party Aircraft Registration | No |
| 10 | Secure-element mid-flight failure — behavior when the SE faults or fails an in-flight self-test (e.g., during long BVLOS): does the aircraft RTL, continue under degraded trust, or terminate; how is the post-flight reconciliation handled. | Engineering + Product | Yes — ADR: Secure-Element Runtime Failure Response | Yes |
| 11 | Encrypted-vault fallback security parameters — KDF choice, key-rotation cadence, vault unlock UX, container hardening posture, audit logging, and the precise capability gap between L4 vault and L5 hardware tiers. | Engineering + Product | Yes — ADR: Encrypted-Vault Fallback Security Profile | No |