Embed Size (px)
Citation preview
EB‘s security solutions
Roman Iseler July 27, 2017
EB Tech Day 2017 - Farmington Hills
© Elektrobit (EB) 2017
EB‘s security solutions
EB’s security portfolio
2
EB’s security track record
• Mass production approved implementations
• 15 years of experience in the field of embedded security
• EB’s security solutions are on the street in millions of cars
• EB delivered SSW security modules for BMW, Daimler, VW, Audi, Continental
• OEM consulting and project specific security solutions for GM, Renault, Volvo
• Secure separation
• Crypto
• Secure HW
• Security Consulting
• OTA
• Security applications
• Key management
• Secure Networks
• Testing & Certification
• Car2X
• Role & Rights management
© Elektrobit (EB) 2017
AUTOSAR Architecture – Focus on Security
EB‘s security solutions
3
Ap
plic
atio
n
Com Services Com, PduR, IPduM
CAN
CanTp CanNm CanSm CanIf
LIN
LinTp LinNm
LinSm LinIf
FlexRay
FrTp FrNm FrSm FrIf
FrArTp
Memory
NvM Crc Ea
Fee MemIf
MCAL
Bas
ic S
oft
war
e
Can Lin
Eep
Fls
FlsTst
Wdg
Adc
Mcu
Port
Dio
Icu
Gpt
Pwm
Spi
IoHwAbs
Watchdog
WdgM Wdglf
Mode Mgmt.
ComM EcuM BswM
Nm
Application SWC Application SWC Application SWC Application SWC Application SWC
IP
SomeIPTp UdpNm
SoAd TcpIp (v4)
EthSm EthIf
DOIP
SD
ACG Base
Det EcuC Make
MemMap Xfrm
Studio
Import: DBC, LDF, FIBEX
ECU Configuration SWC Description
System Description Diagnostic Extract
Export: ECU Configuration SWC Description
System Description Diagnostic Extract
A2L
Key Features: BSW and Rte
Configuration, Signal Mapping, Port Mapping,
Automation Framework,
User Guidance, Workflows, Open API for User
Modules,
Diagnostic
Dem Dcm FiM
Time Sync
StbM CanTSyn FrTSyn
EthTSyn
DLT
OS (Single-Core)
OS (Multi-Core)
Safety OS (Single-Core)
Safety OS (Multi-Core)
Safety TimE Protection
Eth
QoS
Eth
EthSwt
EthTrcv
LinTrcv Fr Fr
FrTrcv
CanTrcv
RamTst RamTst
Configurators MemAs CanAs FrAs HidWiz SvcAs
Workflows
BswMAs
Platform
SwcAs
OS
Runtime Environment ACG Transformers
ComXF SOMEIPXF
E2E Profiles
1C
4 5 6
2 1A
Safety E2E Wrapper
TimeSync
All bold names are licensable items.
Safety E2E Transformer
E2E COM E2E SOME/IP
PbCfgM
FrBufOpt RxFifoOpt
Partial Networking
RTE (Partitioning)
Safety RTE
RTE RteAs
LDCOM
IPv6 TcpIp(v6)
OBD
7
Security (ASR 4.3)
SECOC CSM and CryIf
Crypto Driver Software EB tresos®
3rd Party
OEM
AutoCore HW-depend.
Tools
Safety
AutoCore Generic
Alternatives
Customer
EB products OEM-specific
XCP
Libs
CDD
J1939
Stack Wrapper Crypto
© Elektrobit (EB) 2017
EB‘s security solutions
4
New AUTOSAR 4.3 security stack
• New modules (SecOC, CSM, CryIf, CryptoDrivers)
• Flexible SecOC freshness value handling on application level
• Optimized support for SecOC
• Single call API (synchronous/asynchronous)
• Added support for cryptographic key handling
• Official support for (multiple) software and hardware drivers
• Parallel job processing in hardware if supported
• Job queueing and priority handling
CryIf
Crypto Driver (HW Interface)
CSM
SecOC
Crypto Drv (SW-lib)
CrySHE
CSM
CRY Crypto
algorithms
SecOC
AUTOSAR 4.2
© Elektrobit (EB) 2017
Micro-controller Drivers CryDrv
EB‘s security solutions
5
Csm/CryIf/CryDrv
CSM:
• data path is separated from the key management to be able to change the crypto algorithm without modifying the data paths in the application.
• user-concept. multiple independent jobs can be processed in parallel within the CSM.
• prioritized queues to improve performance
Crypto Interface:
• mapping to a concrete hardware unit or a software library.
Crypto Driver:
• MCAL BSWMD contains the algorithms supported by the driver/hardware.
• Especially for the HSM features for higher utilization or more deterministic response times.
Com-plex
Dri-vers
Microcontroller (µC)
RTE
Crypto Hardware Abstraction
Communication Drivers
Communication Services
COM HW Abstr.
I/O
Drivers
I/O HW Abstraction
Application Layer
Lib-raries
SecOC
App1
System Services
App2
CryIf
CryDrv
HSM SHE …
CryDrv (sw-based)
App3
Csm
© Elektrobit (EB) 2017
EB crypto driver for existing 3rd party HSM firmware
EB‘s security solutions
6
HSM
CPU, INTC, … HSM Registers Mem TRNG, AES Timer, …
HSM Firmware
EB CrySHE Product HSM Features (SHE+)
Infineon, Renesas, Freescale, …
Classic AUTOSAR
Host environment
HSM Registers
Host
CPU, INTC, …
RTE API
OS
SWC SWC SWC
CryDrv (HSM Interface)
CSM
CryIf
CryDrv (SW-lib)
© Elektrobit (EB) 2017
EB trusted HSM software platform architecture
EB‘s security solutions
7
HSM Registers
Host HSM
CPU, INTC, …
CryDrv (HSM Interface)
Nano Kernel OS
HSM Interface
Storage Crypto
HW drivers
Application
specific
drivers
Generic Application Interface
Request dispatcher
Key management
Secure boot
Crypto algorithms
Customer
Application
Customer
Application
HSM Firmware Classic AUTOSAR
RTE API
OS
CSM
SWC SWC SWC
Customer modules
EB trusted HSM platform HSM Features (SHE+, Evita medium/full, customer extensions) Host environment
CPU, INTC, … HSM Registers Mem TRNG, AES Timer, …
HSM
AppIF CryIf
CryDrv (SW-lib)
© Elektrobit (EB) 2017
EB‘s security solutions
8
Use case examples – Secure Onboard Communication
• EB is an active member of the AUTOSAR concept group “Secure Onboard Communication - SecOC“
• The concept is part since AUTOSAR 4.2.1
• Main characteristics:
Security protection on bus level
CMAC with freshness value
Protection/Verification on PduR level
Independent from Bus or protocol
• Integration with AUTOSAR cryptographic module (e.g. Csm)
• Easy tool driven configuration
• Latest Evolution – AUTOSAR 4.3:
Concepts for Freshness Management
Performance optimizations
…
PduR SecOC CSM
[SW]
Com
XxxIf/XxxTp
SW-C
Freshness Value
Validated message
Secured message (CRY)
[HW]
RTE
© Elektrobit (EB) 2017
EB‘s security solutions
9
Secure boot
Idea: Verify all SW before it is executed
• Actual sequence depends on your boot strategy
Example: “Secure Boot” component with the following parts
• HSM application to verify the boot manager
• Boot Manager: To verify flash loader and application
• Flash loader verification
• Application verification and error handling (e.g. shutdown)
Cryptography via HSM driver needed for all parts
HSM
Boot manager
Start-Up code of application
Application
© Elektrobit (EB) 2017
EB‘s security solutions
10
Secure boot
The big question:
How much boot time do you have left nowadays?
Typical answer:
None
Solution:
So called parallel or authenticated boot
Boot up your ECU the normal way and do a time shifted verification of the booted SW
© Elektrobit (EB) 2017
EB‘s security solutions
11
Parallel secure boot
This is just one possible sequence:
• “Secure Boot” verification of Boot Manager and Flashloader
• Start of application
• HSM verifies application in parallel
• HSM persistently stores information about previous verification result
• On the next start, HSM inhibits start of application if signature is invalid Sequential Secure Boot
Verification of Boot Manager
Verification of Application
Boot Manager
Application
Main Core HSM
Cryptography via HSM driver needed for all parts
© Elektrobit (EB) 2017
EB‘s security solutions
Secure separation
• Hypervisor
• Virtualization
Crypto
• Algorithms
• SHE drivers
• HSM drivers
• Security Processes
Secure HW
• HSM firmware
• Security architecture
• Future Security HW
Security Consulting
• Architecture
• Solutions
• How-To
OTA
• Secure Connection
• Update strategies
• Implementation
• Backend
Role & Rights management
• Identity
• Role
• Rights
Security applications
• Unlock / Download
• SW as Product
• Secure Com
Key management
• Sym/Asym
• Key Derivation
• Initial / Update
Secure Networks
• Firewall
• ADS/IDS/IPS
• Secure network elements (SDN
Testing & Certification
• Functional
• Pen Testing
• FIPS / Com. Criteria
Car2X
• Consulting
• Implementation
• Testing
12
EB security portfolio
Thank you. Get in touch!
elektrobit.com/security
13
Product Manager Security
Program Manager Security
![Security Systems...DoC Number: DECL EC PRS-CSM ; DoC Version: 1.0 Security Systems EU PROHLÁŠENÍ O SHODĚ (č. DECL EC PRS-CSM) [CS] Model výrobku/výrobek: PRS-CSM Jméno a adresa](https://img.pdfslide.us/doc/110x75/5ed72f4cc30795314c175adb/security-systems-doc-number-decl-ec-prs-csm-doc-version-10-security-systems.jpg)
