Firmware integrity is a foundational requirement for securing Cyber-Physical Systems (CPS), where malicious or compromised firmware can result in persistent backdoors, unauthorized control, or catastrophic system failures. Traditional verification mechanisms such as secure boot, digital signatures, and centralized hash databases are increasingly inadequate due to risks from insider threats and single points of failure. In this paper, we propose a decentralized firmware integrity verification framework built on the Ethereum blockchain, offering tamperproof, transparent, and trustless validation. Our system stores SHA-256 hashes of firmware binaries within smart contracts deployed on the Ethereum Sepolia testnet, using Web3 and Infura for seamless on-chain interaction. A Python-based client tool computes firmware hashes and communicates with the blockchain to register and verify firmware authenticity in realtime. We implement and evaluate a fully functional prototype using real firmware samples, demonstrating successful contract deployment, hash registration, and integrity verification through live blockchain transactions. Experimental results confirm the reliability and low cost (in gas fees) of our approach, highlighting its practicality and scalability for real-world CPS applications. To enhance scalability and performance, we discuss extensions using Layer-2 rollups and off-chain storage via the InterPlanetary File System (IPFS). We also outline integration pathways with secure boot mechanisms, Trusted Platform Module (TPM)based attestation, and zero-trust architectures. This work contributes a practical and extensible model for blockchain-based firmware verification, significantly strengthening the defense against firmware tampering and supply chain attacks in critical CPS environments.

翻译：固件完整性是保障赛博物理系统安全的基础要求，恶意或受损的固件可能导致持久后门、未授权控制或灾难性系统故障。由于内部威胁和单点故障风险，传统验证机制如安全启动、数字签名和集中式哈希数据库日益显现不足。本文提出一种基于以太坊区块链构建的去中心化固件完整性验证框架，提供防篡改、透明且无需信任的验证机制。本系统将固件二进制文件的SHA-256哈希值存储在部署于以太坊Sepolia测试网的智能合约中，利用Web3和Infura实现无缝链上交互。基于Python的客户端工具计算固件哈希值，并通过区块链通信实现固件真实性的实时注册与验证。我们使用真实固件样本实现并评估了全功能原型，通过实时区块链交易成功演示了合约部署、哈希注册与完整性验证流程。实验结果证实了该方法的可靠性及低燃气成本，凸显了其在实际CPS应用中的实用性与可扩展性。为提升可扩展性与性能，我们探讨了基于Layer-2卷叠扩容方案和通过星际文件系统实现链下存储的扩展机制。同时规划了与安全启动机制、可信平台模块认证及零信任架构的集成路径。本研究为基于区块链的固件验证提供了实用且可扩展的模型，显著增强了关键CPS环境下对抗固件篡改与供应链攻击的防御能力。