Definition & Page Boundary (What this controller is—and isn’t)

This page solves (engineering deliverables)

• Block-level architecture that connects Secure Element / secure MCU, sensor front-ends, actuator drivers, power rails, radios, and NVM logs into one system.
• Trusted actuation gating: how “authorization → enable → motion → log” is enforced at integration level (not a crypto lecture).
• Actuation-burst power planning: where brownouts happen during unlock/lock, and what must be measured to prove margin.
• HMI front-end integration constraints: keypad scan robustness, fingerprint/face module power sequencing, ESD hardening, and low-power wake models.
• Field evidence mindset: minimal probe points (rails + current) and minimal log fields (reason codes + counters) that close the diagnosis loop.
• NVM + audit trail fundamentals: what must persist (counters/events/templates metadata) and how to avoid corruption on low battery.

Not covered (explicit exclusions to prevent scope creep)

• Mobile app UX, cloud/backend architecture, user management flows.
• Wireless protocol tutorials (pairing/commissioning step-by-step); only hardware constraints and observability are discussed.
• Access-control panel topology / building wiring practices / multi-door relay matrices.
• CCTV/video pipeline security, NVR/VMS recording integrity, watermarking, or timestamp non-repudiation workflows.
• Any bypass/exploitation or “how to defeat a lock” instructions.

Scope Guard (mechanical acceptance checklist)

System Architecture (Signal + power + trust paths)

The controller is best understood as three testable paths. This prevents “feature talk” and forces an evidence-based design: each path has its own constraints, probe points, and failure signatures.

Path A — Trust path (identity → authorization decision → actuator enable)

• Inputs: keypad events, biometric capture quality flags, tamper/safety inputs.
• Decision boundary: authorization must be computed inside the trusted boundary (secure MCU + SE support) with auditable reason codes.
• Hardware gating: actuator enable is a controlled signal (driver EN / power switch / gate) that cannot be “always-on” by mistake.
• Minimum evidence: auth result code, attempt counter, anti-rollback / policy state, tamper flag snapshot.

Path B — Power path (battery → rails → actuation burst → brownout protection)

• Actuation burst: unlock/lock is a short, high-current event that stresses battery internal resistance and rail stability.
• Risk: brownout/reset in the middle of motion can cause partial actuation, corrupted NVM updates, or “retry storms”.
• Architectural rule: separate (or strongly isolate) logic rails from motor/solenoid rails, and define a UVLO policy for “no-write” zones.
• Minimum evidence: min rail during burst, reset reason (brownout flag), motor current peak/shape, UVLO entry timestamp.

Path C — Data path (sensors → decision → logs)

• Observability is part of the architecture: without logs/counters, field failures become “mystery returns”.
• Logging principle: log the cause (reason codes), not just the symptom; include sequence counters to detect missing records.
• Isolation principle: store enough state to distinguish power collapse vs mechanical jam vs input quality failure.
• Minimum evidence: event ID, reason code, sequence counter, last-known state (sleep/wake/auth/actuate), last-good pointer (if used).

Threat & Safety Goals (Hardware-level requirements, not a crypto lecture)

High-level goals (what the hardware must guarantee)

• Prevent unauthorized actuation: the actuator cannot be energized unless an authorization decision is valid and the system state allows motion.
• Prevent rollback to insecure firmware (requirement): the boot chain must reject older/incompatible firmware states and record the reason.
• Protect biometric templates as stored assets: templates and their metadata must be stored in a protected boundary with integrity checks and traceable lifecycle events.
• Tamper awareness + safe behavior: tamper signals must drive policy actions (fail-secure vs fail-safe) with auditable event records.

Security & Safety requirement checklist (maps to later chapters)

Policy knobs (explicitly configurable, always auditable)

Secure Element & Secure Boot Integration (Practical wiring + lifecycle)

This section focuses on what engineers actually integrate: bus choice, reset/IRQ wiring, rail strategy, and the device lifecycle from factory provisioning to normal operation and recovery. The goal is a boot/identity system that remains correct under sleep-heavy operation and actuation-burst power stress.

Physical integration checklist (wiring + rails)

• Connectivity: choose I²C (fewer pins, shared bus) or SPI (clear timing, higher throughput) based on wake model and bus robustness needs.
• RESET line: define a deterministic reset sequence that survives brownouts; ensure default states cannot enable actuation.
• IRQ/INT line: allow the SE to signal completion/events without polling (saves power, improves determinism).
• Rails: ensure the SE has a clean rail and known behavior during actuation bursts; if a backup/keep-alive rail exists, define what it preserves (conceptual).
• ESD awareness: exposed keypad/metal housing increases transient risk; bus lines need protection and controlled return paths (details later in protection chapter).

Key material categories (conceptual, implementation-agnostic)

• Device identity: the lock’s hardware identity used to attest “which unit” is making decisions.
• Storage-protection assets: assets that protect sensitive stored data (e.g., template metadata boundary), with integrity outcomes that can be logged.
• Update-authorization assets: assets that determine whether an update state is accepted or rejected (policy-driven outcomes, not algorithm discussion).

Provisioning flow (factory) + first-boot states

• Unprovisioned: device starts in a restricted state (no actuation) until provisioning completes and is verified.
• Provisioned: identity/policy assets are present; the system transitions to normal operation and initializes the audit chain (sequence counters).
• First-boot checks: verify provisioning status flags, schema versions (if used), and monotonic counters before allowing actuator enable.
• Failure policy: partial provisioning or verification failure forces a recovery path and emits a reason code for service tools.

Anti-rollback counters (behavior-level rules)

• Where it lives: store the monotonic/anti-rollback counter in a protected boundary (e.g., SE-owned or protected record), not in an easily overwritten config region.
• When it updates: update the counter only after a verified transition to a “good” state (two-step: write → verify → commit).
• Low-voltage rule: if the system is inside a brownout-risk window, block counter updates and record “no-write” reason to avoid corruption.
• What it proves: any attempt to boot a lower/incompatible state results in a reject/recovery boot state with an auditable reason code.

Credential & HMI Front-Ends (Keypad + Fingerprint + Face Modules)

Keypad matrix scan (robustness under ESD/EMI)

• Matrix scan reliability: define scan windows, debounce rules, and a deterministic wake behavior for low-power modes.
• ESD entry point: keypad/housing are exposed; plan for transients that cause false presses, stuck lines, or spurious wake.
• Ghosting control: detect illegal row/column combinations and record a specific error class (short/open/stuck).
• EMI coexistence: avoid scanning during high-noise intervals (actuation, buzzer PWM, radio bursts) when feasible.

Fingerprint front-end (power sequencing + capture quality evidence)

• Power sequencing: bring up sensor rail → interface ready → release reset → start capture. Brownout recovery must return to a known state.
• Shield/guarding mindset: prioritize stable capture over maximum sensitivity; treat ESD and surface coupling as primary disturbances.
• Template storage boundary: template lifecycle events (add/remove/update) must be traceable with a result code and a sequence counter.
• Quality must be measurable: capture attempts must output a compact quality metric and a failure reason code.

Face / IR / depth module (power gating + illuminator sync)

• Default-off: keep the module power-gated by default; wake only for an authenticated capture window to reduce leakage and attack surface.
• Illuminator sync as a local driver: treat IR/LED illumination as a pulsed load; synchronize illumination to capture windows and log its state.
• Privacy-by-design signals: drive local indicators (LED/buzzer) and emit a log bit when the sensor/illum path is active.

Local indicators (LED / buzzer / haptics)

• Drive + EMI: PWM and switching edges can corrupt matrix scans and sensor captures; keep indicator timing and actuation windows well-defined.
• Power cost: indicator bursts should not coincide with the most power-stressed events unless necessary.
• Traceability: indicator actions should be correlated to the event reason (success / fail / tamper / low-batt).

Evidence hooks (minimum observability set)

Actuator Drive (Motor / Solenoid / Latch) — Power Electronics Inside a Lock

Actuator types (only what impacts the controller)

• DC motor + gearbox: large start-up surge, strong coupling between VBAT droop and speed; current signatures are highly diagnostic.
• Stepper motor: phase-current control dominates; missed steps/jam must be inferred from current/time behavior (conceptual).
• Solenoid pulse drive: pulse energy and freewheel path define heat/EMI; timing must be bounded and logged.

H-bridge / driver topology (energy paths matter)

• Enable gating: driver EN must be default-off and only asserted after authorization and interlocks are satisfied.
• Freewheel paths: define where energy flows during PWM off-time (recirculation) and during shutdown (flyback behavior).
• Current sensing: sample current where it can be trusted during transients; align sampling windows to PWM state and to motion phases.
• Rail coupling: actuation bursts can pull rails into brownout; define a policy to avoid “reset → retry storm”.

Stall / jam detection (behavior-level, evidence-based)

• Current signature check: compare the observed waveform to expected phases (startup peak → plateau → decay). Use minimal, auditable features.
• Timeout bound: if end-stop/position is not reached within a defined window, abort and log the reason.
• Back-EMF / speed sampling (if available): take a small sampling window to detect “energy without motion” behavior (conceptual).
• Retry policy: limit retries, separate “recoverable friction” from “hard jam” by signature + counter.

Safety interlocks (do not energize blindly)

• Door / bolt position sensors: verify state before and after actuation; record mismatch as a diagnosable code.
• Clutch / end-stop feedback: treat end-stop as an interlock event, not as “normal overcurrent”.
• Abort conditions: low-voltage, overcurrent beyond threshold, excessive duration, or inconsistent sensor states.

Evidence hooks (what to record + what to probe)

Power Tree & Low-Power Design (Battery Life Without Bricking During Unlock)

Battery sources & what matters electrically (AA vs Li)

• Internal resistance drives burst droop: cold/aging increases droop risk even when “battery %” appears high.
• Voltage platform differs: rail thresholds (warning / no-write / UVLO) must be defined per battery class.
• Evidence-first health metrics: track voltage under burst + estimated internal resistance over time buckets.

Rail grouping (design for power gating and fault containment)

• AON rail: minimal wake logic + time base + critical counters (kept stable across sleep).
• AUTH / Secure rail: authentication chain and decision path (enabled only when needed).
• HMI / Sensor rail: keypad + fingerprint + face/IR modules (power-gated by window).
• ACT rail: motor/solenoid drive domain (short, high current; strongest EMI + droop coupling).

Peak power budgeting (actuation burst without resets)

• Define the burst envelope: expected peak current, max duration, and a hard abort time bound.
• Hold-up and soft-start: use controlled ramp + limited inrush so the battery does not collapse at the start edge.
• Scheduling matters: avoid stacking high-current events (illumination + motor + radio TX) in the same window unless required.

Brownout strategy (UVLO + no-write zone + safe retry)

• Three zones: warning (reduced writes) → no-write zone (write-protect active) → UVLO/abort (actuation stop).
• Write-protect behavior: block all non-essential NVM writes during low voltage; log the reason code.
• Safe retry policy: rate-limit retries, enforce minimum recover time, and stop retrying when IR estimate is too high.
• Reset-to-retry storm prevention: if a brownout reset occurs during actuation, switch to a conservative mode with fewer bursts.

Fuel gauge & health metrics (what to log)

Low-Power Wireless & Coexistence (BLE/Thread/Sub-GHz as Hardware Constraints)

Radio choice matrix (power + latency + range + wake model)

Antenna constraints inside metal doors (principles only)

• Keepout zone: reserve a stable space around the antenna; avoid battery/motor/metal brackets in the near field.
• Ground reference discipline: define where RF ground is “quiet” versus where motor return current flows.
• Placement over tweaks: placement and routing typically outperform “more matching” when metal detuning dominates.

Coexistence with motor EMI (noise paths + mitigations)

• Noise sources: H-bridge edges, commutation events, burst current ripple.
• Paths: conducted (VBAT droop), ground return coupling, radiated into antenna zone.
• Mitigations: scheduling isolation, rail filtering, shielding/partitioning, and return-path control.
• Policy: define “radio quiet windows” during critical link events when actuation is active.

Commissioning modes vs normal modes (power gating + security posture)

• Commissioning: longer scan/advertise windows are acceptable but must be time-bounded and explicitly logged.
• Normal mode: short wake windows, strict rate limits, and clear gating conditions for radio power domains.
• Mode flags: track commissioning flag, self-test flag, and the time budget applied.

Evidence hooks (link health correlated to motor activity)

NVM, Templates & Audit Logs (What Must Persist, How to Avoid Corruption)

Partitioning: classify assets by risk and write pattern

• Credential metadata: user IDs, roles, validity windows, enrollment status (read-heavy, low write, must not drift).
• Templates vault: fingerprint/face template assets stored encrypted-at-rest (concept) with explicit wipe semantics.
• Monotonic counters: anti-rollback and accountability counters (must never go backward; write frequency managed).
• Audit log ring: append-only event stream with sequence numbers (write-heavy; power-fail tolerant).

Atomic updates: A/B records + last-good pointer

• A/B record rule: write the inactive record, validate with CRC/ECC, then flip a valid flag or update a last-good pointer.
• Power-safe commit: commit steps are gated by a “power OK” condition; low voltage forces a no-write decision and logs the reason code.
• Recovery behavior: on reboot, select the record with a valid flag + highest sequence, otherwise fall back to last-good.

Integrity checks: CRC/ECC (high level) + evidence counters

• CRC: detects partial writes and corrupted payloads; failures increment a counter for field correlation.
• ECC (if available): correctable vs uncorrectable counts separate “noise/soft errors” from “structural storage failure”.
• Bad-record handling: never “guess”; select last-good and log the fault class.

Wear strategy (high level): avoid hot-spot writes

• High-rate data (logs/counters): rotate records (ring) or spread updates to avoid burning a single address.
• Counter policy: commit counters in bounded steps (or via aggregated updates) while keeping monotonic behavior.
• Power linkage: storage writes must respect no-write zones defined by the power policy (brownout-safe).

Accountability: minimum audit event set

Evidence hooks (field correlation)

• last_good_record_pointer: confirms the last completed atomic commit.
• crc_fail_count / ecc_*_count: correlates storage faults vs power faults.
• monotonic counters: prove non-regression and bind logs to an ordering chain.
• audit log sequence: reveals gaps due to power gating or no-write zone decisions.

Field Update & Serviceability (Safe Update Without Scope Creep)

Update entry points (different triggers, one state machine)

• Local trigger: maintenance action inside the lock (time-bounded and logged).
• Service tool trigger: controlled maintenance interface (policy-defined exposure, high level).
• Radio-initiated trigger: update request that transitions into the same on-device update states (no backend discussion).

Rollback-safe slotting (concept) + commit rules

• Inactive-slot write: write the non-active slot; verify integrity before switching.
• Commit gating: switching active slot requires power OK + verified image + logged result code.
• Post-boot self-check: after reboot, a minimal health check either confirms the new slot or triggers rollback.

Power gating rules during update (prevent bricking)

• No actuation bursts during write/commit: the actuator domain must remain gated (or in a safe posture) while updating.
• No-write zone linkage: low voltage immediately pauses or aborts update writes with a power-fail marker.
• Resume policy: if permitted, resume from the last validated step using last-good pointers and result codes.

Service port exposure policy (high level) + reset semantics

• Exposure policy: define when a service interface can be enabled (e.g., maintenance mode), and log entry/exit events.
• Factory reset vs credential wipe: distinguish “configuration reset” from “credential/template removal” and audit both.
• Credential wipe: must record a dedicated event code and update template vault metadata consistently.

Evidence hooks: what must be observable in the field