Qbitel EdgeOS logo

Qbitel

EdgeOS

Post-Quantum Foundation

Securing Critical Infrastructure
Before Quantum Decryption Becomes Operational

Qbitel EdgeOS is a Rust-based edge runtime engineered for long-lifecycle systems that cannot wait for retrofitted security. Native PQC, hardware-rooted identity, and deterministic execution are built into the core.

Explore FrameworkOpen Repository
Rust no_stdCritical InfrastructureCertificate-less IdentityAir-gapped Updates

Threat Pressure

  • Encrypted telemetry captured today can be decrypted later.
  • Infrastructure lifespans exceed classical cryptography timelines.
  • Regulatory migration windows are fixed for 2030-2035.

EdgeOS Signal Board

PQC Algorithms

ML-KEM-768, ML-DSA-65, FN-DSA-512

Runtime Model

Rust no_std, zero-heap deterministic core

Identity Primitive

PUF/eFUSE certificate-less trust

Quantum Threat Outlook

Legacy cryptography timelines and infrastructure timelines no longer match.

The security gap is not hypothetical. It is a lifecycle mismatch between deployed devices and rapidly evolving decryption capability.

Data shelf-life: 15+ years

Harvest-now decrypt-later is active today

Adversaries can capture encrypted telemetry now and decrypt it when cryptographically relevant quantum computers mature.

Operational lifespan: 15-30 years

Infrastructure outlives classical cryptography

Field devices in energy, rail, water, and defense remain deployed for decades, while RSA and ECC timelines keep shrinking.

Transition window: 2030-2035

Regulatory deadlines are already defined

Migration programs are aligned to NIST FIPS 203/204 and NSA CNSA 2.0 requirements across 2030-2035 windows.

EdgeOS Framework

Layered architecture for auditable trust.

The stack is intentionally modular: cryptography, identity, attestation, recovery, and updates are isolated for independent validation and release control.

Design Constraints

No heap allocation, deterministic scheduling, hardware-anchored identity.

q-boot

Secure bootloader with anti-rollback OTP counters and measured startup chain.

Boot trust chain

q-kernel

Deterministic microkernel designed for no-heap, resource-constrained operation.

Deterministic runtime

q-crypto

Built-in NIST-standardized PQC primitives with constant-time implementations.

Native post-quantum cryptography

q-hal

Hardware abstraction for MCU families and board-level secure peripherals.

Portable hardware layer

q-identity

Physical unclonable function identity for certificate-less device trust.

Hardware-rooted identity

q-attest

Remote attestation and signed posture proofs for fleet verification.

Continuous verification

q-update

OTA and air-gapped update channels with policy-gated key rotation.

Resilient lifecycle updates

q-mesh

Secure mesh networking optimized for constrained links and hostile environments.

Trusted edge connectivity

q-recover

Cryptographic key recovery and rotation flows for incident containment.

Recovery-ready controls

q-common

Shared primitives, errors, and contract types across all crates.

Shared trusted core
Core Components

10 crates, one security operating model.

Each crate can be inspected, tested, and integrated independently without compromising the full trust model.

q-boot

Secure startup

Measured boot sequence and immutable trust anchors for device startup.

q-kernel

Realtime control

Minimal microkernel scheduler tuned for hard realtime behavior and safety.

q-crypto

Cryptographic core

PQC algorithms and key-exchange APIs for handshake and firmware security.

q-identity

Identity anchoring

PUF and eFUSE identity primitives for unique device-level trust roots.

q-attest

Attestation

Remote attestation proofs for control plane policy validation.

q-update

Update safety

Signed update workflow with anti-rollback and staged release capability.

q-mesh

Edge networking

Secure mesh packet handling and link-level authenticated transport.

q-recover

Incident recovery

Compromised-key response workflow with deterministic recovery playbooks.

q-hal

Hardware adapters

Board and silicon adaptation interfaces for industrial hardware targets.

q-common

Shared primitives

Common types, defensive utilities, and low-level shared runtime helpers.

Native Cryptography

PQC is built in, not bolted on.

Algorithms are integrated into the runtime core for deterministic, constant-time operations on constrained microcontroller targets.

ML-KEM-768

Key encapsulation

FIPS 203NIST Level 3Balanced for edge

ML-DSA-65

Digital signatures

FIPS 204NIST Level 3Fleet signing ready

FN-DSA-512

Compact signatures

Falcon familyNIST Level 1+Latency-optimized
Security Architecture

Hardware-rooted and operationally deterministic.

The runtime is optimized for constrained edge devices where uptime, timing predictability, and identity trust are non-negotiable.

Pure no_std Rust

Entire runtime is written in Rust with deterministic memory behavior.

No heap allocationMemory-safeZero-cost abstractions

Hardware-bound identity

Device trust is anchored in PUF/eFUSE roots rather than external certificate chains.

Certificate-less trustPUF anchoredClone resistance

Secure lifecycle controls

Anti-rollback counters and signed firmware pipelines protect long-lived infrastructure fleets.

OTP countersSigned OTAKey rotation
Target Domains

Built for systems society depends on.

Qbitel EdgeOS is tailored for critical infrastructure categories where cryptographic failure directly affects safety, continuity, and national resilience.

Energy and Smart Grid

Protect smart meters, DER controllers, and substation gateways against delayed decryption attacks.

Smart energy metersSubstation gatewaysDER controllers

Railway and Transit

Secure signaling controllers and trackside equipment with attestable software supply chains.

Signaling controllersTrackside equipmentETCS onboard units

Defense and Intelligence

Establish resilient identity and encrypted telemetry for high-assurance field nodes.

Border sensorsTactical comms nodesSupply chain tracking

Industrial Manufacturing

Harden PLC-connected systems and industrial gateways with deterministic secure runtimes.

Secure PLCsSafety instrumented systemsIndustrial IoT gateways

Water and Utilities

Protect remote utility endpoints with cryptographic agility and air-gapped updates.

Pump stationsTelemetry endpointsRemote valve controllers
Operational Scenarios

Reference implementations for real deployments.

Example pipelines demonstrate how to combine PQC, identity attestation, and secure lifecycle operations under production-like constraints.

grid-attestation

Grid Substation Attestation

Provision identity, attest firmware, and enforce policy before control messages are accepted.

Blocks unauthorized firmware from joining the substation network.

$ cargo run --example grid-attestation --release

Identity proof < 280 msVerified policy gatesSigned event logs

rail-secure-update

Rail Signal Secure Update

Demonstrates signed firmware rollout with rollback resistance for rail signaling nodes.

Maintains deterministic timing while applying staged secure updates.

$ cargo run --example rail-secure-update --release

Rollback protectedNo service interruptionDual-bank validation

airgap-patch-flow

Air-Gapped Utility Patch Flow

Uses offline artifact signing and physically transferred bundles for isolated utility zones.

Supports compliant patching without persistent internet connectivity.

$ cargo run --example airgap-patch-flow --release

Offline signature verifyChain-of-custody auditTamper-evident bundle
Operational Tools

Signing and provisioning pipelines for secure fleets.

Tooling is designed for manufacturing lines, controlled environments, and field operations where policy and auditability are first-class requirements.

q-sign

Python CLI

Firmware signing toolchain for release artifacts, SBOM binding, and key policy enforcement.

Install

$ pip install q-sign

Sign firmware

$ q-sign sign --in firmware.bin --profile prod-grid

Verify package

$ q-sign verify --in firmware.bin.signed

q-provision

Python CLI

Factory and field provisioning CLI for identity enrollment and secure manufacturing workflows.

Install

$ pip install q-provision

Enroll PUF identity

$ q-provision enroll --device /dev/ttyUSB0 --mode puf

Issue policy bundle

$ q-provision bundle --tier critical --out device.bundle

Quick Start

From repository clone to secure deployment flow.

These commands form a practical starting path for build, validation, and device provisioning.

1

Clone repository

$ git clone https://github.com/yazhsab/qbitel-edgeos.git

Start from the reference implementation and docs.

2

Build secure runtime

$ cargo build --release --target thumbv7em-none-eabihf

Compiles no_std Rust runtime and core security crates.

3

Run host validation tests

$ cargo test -p q-crypto -p q-identity --release

Checks PQC and identity flows before flashing hardware.

4

Provision and flash

$ q-provision enroll --device /dev/ttyUSB0 && q-sign sign --in firmware.bin

Binds hardware identity and signs firmware for deployment.

RepositoryDeployment Guide
Compliance Roadmap

Aligned to mandatory migration and sector standards.

Transition plans and technical controls are mapped against evolving public standards and domain-specific requirements.

NIST FIPS 203

Implemented

ML-KEM key encapsulation

Active now

NIST FIPS 204

Implemented

ML-DSA digital signatures

Active now

NSA CNSA 2.0

In Progress

National security transition profile

2030 target alignment

IEC 62443

In Progress

Industrial control systems security

Roadmap integration

EN 50129 / EN 51159

In Progress

Railway safety and communication

Domain validation phase

Air-Gapped Ops Profile

Implemented

Offline secure update compliance

Operationally deployed