CyberQuanta EVSE Platform

Full-stack EV charging infrastructure with OCPP 2.0.1 compliance, CRA readiness, built on MH1905 security processor, ATECC608B HSM, and Post-Quantum Cryptography (PQC).

Repositories

Backend, 2 firmware, 4 frontend, Yocto BSP, monitoring

~7,300

Test Suite

Backend: 4,888 + Firmware: 2,223 + Dashboard/UI: 326

Standards

OCPP, IEC 61851, ISO 15118, CRA, MID, CE

PQC

Post-Quantum Ready

Kyber-1024 + Dilithium3 hybrid cryptography

Problem Space

EV charging infrastructure is vulnerable to cyber attacks, regulatory changes, and quantum threats.

Cybersecurity

Charging stations are critical infrastructure. EU Cyber Resilience Act (CRA) becomes mandatory in 2027.

Quantum Threat

Harvest-now-decrypt-later attacks threaten current RSA/ECDSA. PQC migration is urgent.

Supply Chain

Firmware updates, dependency management, and SBOM requirements are complex.

Compliance

IEC 61851, ISO 15118, OCPP 2.0.1, MID, GDPR, CE — multi-standard compliance required.

System Architecture

8-layer defense-in-depth architecture — from hardware to monitoring.

Layer 1: Hardware Security — i.MX8M Plus + ATECC608B + SLB9672 TPM + STM32G474RE safety MCU
Layer 2: Secure Boot — HAB (High Assurance Boot), dm-verity, IMA
Layer 3: Operating System — Yocto Kirkstone, SELinux, ASLR, Stack Canaries
Layer 4: Cryptography — PQC (Kyber-1024 + Dilithium3) + ECDSA P-256 hybrid mode
Layer 5: Application — OCPP 2.0.1, ISO 15118 Plug&Charge, MID metering
Layer 6: Communication — TLS 1.3 + PQC, mTLS, WebSocket Secure
Layer 7: OTA Update — RAUC A/B, dual-signed (Dilithium3 + Ed25519)
Layer 8: Monitoring — Prometheus, Grafana, SIEM integration

Security Hardware

Four dedicated security chips — providing hardware root of trust.

ATECC608B (Microchip)

ECDSA P-256 HSM, secure key storage, monotonic counter, I2C 400kHz. Status: Stub — no real I2C connection yet.

SLB9672 (Infineon)

TPM 2.0, measured boot, platform integrity. EVSE integration in progress.

MH1905 (MEGAHUNT)

Cortex-A5 + RISC32 security processor, SM2/SM3/SM4 + RSA/AES, SPI/I2C. Under evaluation.

STM32G474RE (ST)

Safety MCU — GFI monitoring, relay control, emergency management. 55% written, 429 unit tests, 19 suites. Diagnostics, RPMsg, assert handler, system_init modules.

Post-Quantum Cryptography

Protection against quantum computer threats with NIST-standardized PQC algorithms.

CRYSTALS-Kyber-1024

NIST Level 5 KEM. Key encapsulation mechanism. Pubkey: 1568B, ciphertext: 1568B. Used in TLS 1.3 key exchange.

CRYSTALS-Dilithium3

NIST Level 3 digital signature. Pubkey: 1952B, signature: 3293B. Used in OTA and SBOM signing.

Hybrid TLS 1.3

ECDH P-256 + Kyber-1024 combined — both classical and quantum security. Active in platform.

Integration Strategy

ATECC608B: ECDSA P-256 (hardware). Kyber+Dilithium: software (liboqs 0.9+). Both together provide hybrid security.

Backend Platform

Scalable CSMS infrastructure with FastAPI + PostgreSQL 16 + Redis 7.

116K

Lines of Python

22 routers + 13 admin, 287 endpoints, 170 test files, ~95% branch coverage

4,888

Pytest Tests

169 files, 29 xfail (expected failures)

Completed Services

Auth, OCPP gateway, user mgmt, station mgmt, tariff, billing, reporting, WebSocket

Missing / Mock

ISO 15118 PnC backend, OCMF validation, real payment integration (Stripe mock), GDPR data erasure

Firmware Architecture

Bare-metal C11 on NXP i.MX8M Plus — 269K lines, 190 files, 14 modules.

OCPP 2.0.1 Client

WebSocket JSON-RPC, message queue, reconnect, 42 message types. 40% complete.

ISO 15118 Stack

V2G messaging, SLAC, DIN 70121 fallback. 20% complete.

Power Management

PWM control pilot, GFI monitoring, relay driver. 30% complete.

Security Module

ATECC608B driver (stub), TLS wrapper, cert management. Dependency: real hardware.

Honest Status Assessment

Transparent engineering assessment — showing what's completed and what remains.

62%

Code Written

~500K lines source code

45%

Functional

Tested and working — ~7,300 tests

24%

Prod Ready

Ready for deployment

M1-M4 complete: Host build, QEMU boot, backend API, unit tests
M5 in progress: QEMU integration testing (40%) — Yocto distro+machine conf created
M6-M8 progress: DT ready (15%), Hodet firmware written (12K LOC, 189 tests), Yocto security recipes added
M9-M10 pending: Real charging, certification (all 0%)
Estimated production timeline: 12-18 months, $1,000-1,500 hardware investment needed

Test Coverage & Code Quality

~7,300 tests — each verifying a concrete function. Categorized by international standards.

Standards Compliance (301 Tests)

IEC 61851 (charging safety, GFI, overcurrent), ISO 15118 (V2G comm), CE/EMC/LVD, CRA (13 articles), GDPR, MID metering, IEC 62443. Automated verification.

Firmware Safety Tests (2,223 Tests)

Unity framework (embedded C standard). GFI monitoring, control pilot, state machine, secure boot, HSM driver, memory safety. CTest + AddressSanitizer (40 ASan binaries).

Backend API (4,888 Tests)

pytest: Router tests (389), service logic (205), CQRS/DDD core (189), infra (96), integration (93 — httpx TestClient). ~95% branch coverage.

Static Analysis & Quality Gate

C: clang-tidy (MISRA), ASan. Python: Ruff + MyPy strict + Bandit (security). TS: ESLint + strict mode. Automated CI gate on every commit.

SBOM & Supply Chain

Software supply chain security with CycloneDX+VEX.

183

Components

Auto-gathered from 4 SBOMs — pip, cargo, apt, npm

CVEs Scanned

From OSV + NVD databases — 12 fixed, 4 accepted via VEX

CI/CD Integration

Automated SBOM generation + vulnerability scan + VEX update on every commit.

CRA Article 18

Supply chain security, 5-year support commitment, coordinated vulnerability disclosure.

CRA Compliance

EU Cyber Resilience Act — 13-article compliance framework.

Art. 10: Security Requirements

Security by design, secure defaults, attack surface minimization.

Art. 11: Vulnerability Management

Coordinated disclosure policy, 24h ENISA notification, 72h detailed report.

Art. 13: Technical Documentation

14 documents, risk assessment, SBOM, test reports, user guides.

Art. 23: Reporting

24-hour notification obligation for actively exploited vulnerabilities.

Deployment Architecture

Cloud + edge hybrid architecture — Kubernetes and OTA management.

Cloud Layer

Kubernetes (EKS/GKE), PostgreSQL 16 + TimescaleDB, Redis 7 cluster, Prometheus + Grafana.

Edge Layer

Yocto Linux, RAUC OTA, systemd, NetworkManager. On i.MX8M Plus.

Network Security

TLS 1.3 mandatory, mTLS station-to-cloud, WireGuard VPN optional.

Monitoring

Structured logs (JSON), distributed tracing, real-time alerting.

Roadmap

Completed and planned phases — honest timeline.

✓

Phase 1-2 (2024)

Architecture, CQRS/DDD, firmware skeleton, Yocto BSP, backend API, OCPP gateway

✓

Phase 3 (2025)

Software completion, ~7,300 tests, v3.2.0 frozen

→

Phase 4 (2026)

Hardware integration, i.MX8M + STM32 board bring-up, ATECC608B

○

Phase 5 (2026-27)

Certification: CE/MID, CRA, IEC 61851, field testing, production prep

Competitive Advantage

Key differentiators that set CyberQuanta apart.

PQC First Mover

One of the first platforms implementing post-quantum cryptography in EV charging.

CRA Ready

Full CRA compliance framework before 2027 mandate.

Open Source Based

Yocto, liboqs, RAUC — no vendor lock-in, community contribution.

Hardware Root of Trust

Multi-layer hardware security: ATECC608B + TPM 2.0 + MH1905 + STM32.

Summary & Next Steps

A strong foundation has been built. The path to production is clear and realistic.

What's Done

Backend API (4,888 tests, ~95% coverage), EVSE Firmware (1,792 tests, Unity), Sentinel MCU (431 tests, 20 modules), Dashboard 213+16 a11y (Vitest), Yocto BSP (32 recipes, QEMU boot).

What's Needed

Real hardware ($1K-1.5K), firmware completion, ATECC608B+STM32 integration, field testing, certification.

Timeline

12-18 months — Phase 4 (hardware integration) + Phase 5 (certification + field testing).

Investment Needed

i.MX8M Plus EVK ($400-600), ATECC608B dev kit ($50-100), STM32 NUCLEO ($30), power supply ($200-400).

1 / 15