Next-generation cars are complex. Cars today already have millions of lines of code and dozens of processors, controllers and sensors that generate enormous amounts of data – the content is so vast that they are often compared to data centers. But unlike a data center, cars move and need to keep everyone safe on the road. Car owners want a connected experience that’s intuitive, easy to use, personalized – not for just the driver, but for everyone in the car. Cars have become massively linked “data centers” on wheels, and it is imperative that all this valuable data is managed and analyzed safely and securely.
There is no safety without security
At the center of the driver and passenger in-cabin experience you’ll find heads up displays, digital clusters, telematics, navigation, media players, and voice and data communications – it’s “all the cool” of driver information systems (DIS) that makes driving more convenient and fun. But the flip side is that the connectivity in these applications also opens up the car to potential security vulnerabilities. So, for safety and security, we need embedded processors that incorporate strong built-in defense against known threat vectors. We also need a system that has the ability to get over-the-air firmware updates to patch any security vulnerabilities and to defend against newly discovered attack mechanisms.
Known in the industry as an established leader in infotainment processors, NXP’s i.MX family of applications processors powers all kinds of DIS applications. Our newest lineup – the i.MX 8 and 8X that we announced in October 2016 in Detroit – addresses security with a four-point layered approach to protect the entire system, from hardware to communication links. The four components of this layered defense are:
Let’s start with SECO
SECO (SEcurity COntroller) is an isolated, dedicated hardware security module (HSM). It is the root of trust for the system, not only for key management, but also for authenticating, monitoring and locking down the system controller firmware. For automotive ECU interoperability, SECO implements a flashless version of the Secure Hardware Extension protocol (SHE / SHE+) and fully meets the functional goals and objectives of the ‘EVITA Full’ specification for HSMs. It has a high-quality, certifiable random number generator and supports all the required AES modes, including CMAC, ECB, CBC, and Miyaguchi-Preneel.
SECO is firmware based and has the algorithm agility to grow with increasing security requirements. It ensures its firmware version is up to date and prevents use of outdated, and perhaps more vulnerable, firmware. Although it’s small, it packs a punch! It is capable of approximately 750 ECDSA signature verifications per second on the P-256 curve; the SHA engine runs on the order of 2 Gbps; and the AES engine has a throughput of about 1 Gbps.
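The firmware gate described above, as an added example that is not NXP's SECO code: a candidate image is accepted only if its MAC verifies under the update key and its version is not older than the controller's stored version, so a valid but outdated image cannot be rolled back onto the device. HMAC-SHA256 from the Python standard library stands in for the AES-CMAC that SHE/SHE+ specifies; the key, versions and images are constructed for illustration.

```python
"""Model of an authenticated, anti-rollback firmware update check.
Added example, not NXP code. HMAC-SHA256 stands in for AES-CMAC;
key, versions and payloads are constructed values."""
import hashlib
import hmac
import struct


class AuthenticationError(Exception):
    """Image MAC did not verify under the update key."""


class RollbackError(Exception):
    """Image is authentic but older than the installed version."""


TAG_LEN = 32   # bytes of HMAC-SHA256 output
HDR_LEN = 4    # big-endian uint32 version field


def build_image(update_key: bytes, version: int, payload: bytes) -> bytes:
    """Pack version || payload || tag. The tag covers the version field so an
    old payload cannot be re-labelled with a newer version number."""
    header = struct.pack(">I", version)
    tag = hmac.new(update_key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class FirmwareController:
    def __init__(self, update_key: bytes, installed_version: int):
        self._key = update_key
        self._version = installed_version   # monotonic anti-rollback counter
        self.installed_digest = None

    @property
    def version(self) -> int:
        return self._version

    def install(self, image: bytes) -> int:
        """Verify and install an image; returns the new installed version."""
        if len(image) < HDR_LEN + TAG_LEN:
            raise AuthenticationError("image too short to carry header and tag")
        header, payload, tag = image[:HDR_LEN], image[HDR_LEN:-TAG_LEN], image[-TAG_LEN:]
        expected = hmac.new(self._key, header + payload, hashlib.sha256).digest()
        # Authenticity is checked (in constant time) before any field is trusted.
        if not hmac.compare_digest(expected, tag):
            raise AuthenticationError("MAC mismatch")
        (version,) = struct.unpack(">I", header)
        # Rollback protection: the counter never moves backwards.
        if version < self._version:
            raise RollbackError(f"version {version} is older than installed {self._version}")
        self._version = version
        self.installed_digest = hashlib.sha256(payload).hexdigest()
        return version


if __name__ == "__main__":
    key = b"constructed-update-key"
    ctrl = FirmwareController(key, installed_version=5)
    print("installed", ctrl.install(build_image(key, 6, b"firmware v6 payload")))
    for bad in (build_image(key, 4, b"old payload"), build_image(b"wrong key", 7, b"x")):
        try:
            ctrl.install(bad)
        except (AuthenticationError, RollbackError) as exc:
            print("rejected:", exc)
```

The order of checks matters: the MAC is verified before the version header is parsed, so a forged header cannot steer the rollback logic, and the header is inside the MAC's coverage so an attacker holding an old signed payload cannot splice a fresh version number onto it.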
Hardware protection against physical attacks
i.MX 8 and 8X include protections against a favorite hacker attack strategy: modulating the processor’s power, voltage and thermal environment to uncover secrets. Simply ‘jiggling’ the power input can cause an unprotected processor to glitch, creating an opening even with an isolated HSM. Low-voltage attacks run the processor below its required voltage, in the hope that it will enter an unstable mode, thus creating an opening. Temperature can also be used to send the processor into a vulnerable mode by operating it outside its allowed temperature range. i.MX 8 and 8X provide protection against such physical tamper events by continuously monitoring for them and responding to attacks by erasing secure keys (‘zero-izable memories’) and rendering the processor inoperable (‘bricking’).
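The tamper-response behaviour described above, as an added example that is not NXP code: a monitor takes voltage and temperature samples, treats any reading outside the operating envelope or any abrupt voltage step as a tamper event, overwrites the key store in place and latches the device into a permanently inoperable state so later cryptographic requests fail. The envelope limits, sample values and key material are constructed for illustration and are not i.MX 8 datasheet figures.

```python
"""Model of tamper detection with key zeroization and bricking.
Added example, not NXP code. Thresholds and samples are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    """Allowed operating window (constructed values, not datasheet limits)."""
    v_min: float = 0.90
    v_max: float = 1.10
    t_min: float = -40.0
    t_max: float = 125.0
    max_v_step: float = 0.05   # largest voltage change tolerated between samples


class TamperedError(RuntimeError):
    """Raised for any crypto request after the device has been bricked."""


class SecureElement:
    def __init__(self, keys: dict, env: Envelope = None):
        # Keys live in mutable bytearrays so they can be overwritten in place.
        self._keys = {name: bytearray(k) for name, k in keys.items()}
        self._env = env or Envelope()
        self._bricked = False
        self._last_v = None
        self.events = []          # human-readable tamper log

    @property
    def bricked(self) -> bool:
        return self._bricked

    def sample(self, voltage: float, temperature: float) -> bool:
        """Feed one sensor reading. Returns True while the device stays alive."""
        if self._bricked:
            return False
        env, reason = self._env, None
        if not env.v_min <= voltage <= env.v_max:
            reason = f"voltage {voltage:.3f} V outside envelope"
        elif not env.t_min <= temperature <= env.t_max:
            reason = f"temperature {temperature:.1f} C outside envelope"
        elif self._last_v is not None and abs(voltage - self._last_v) > env.max_v_step:
            # Inside the window but moving too fast: treat as a glitch attempt.
            reason = f"voltage step {voltage - self._last_v:+.3f} V looks like a glitch"
        self._last_v = voltage
        if reason is not None:
            self._tamper(reason)
            return False
        return True

    def _tamper(self, reason: str) -> None:
        for key in self._keys.values():
            for i in range(len(key)):
                key[i] = 0           # zeroize in place, no copy left behind
        self._bricked = True         # latched: nothing clears it
        self.events.append(reason)

    def key_is_zeroized(self, name: str) -> bool:
        return all(b == 0 for b in self._keys[name])

    def mac(self, name: str, message: bytes) -> bytes:
        """Cryptographic service that is refused once the part is bricked."""
        if self._bricked:
            raise TamperedError("device bricked after tamper event: " + self.events[-1])
        return hmac.new(bytes(self._keys[name]), message, hashlib.sha256).digest()


if __name__ == "__main__":
    se = SecureElement({"boot": b"\x11" * 16})
    trace = [(1.00, 25.0), (1.01, 26.0), (0.80, 26.0), (1.00, 26.0)]   # constructed
    for v, t in trace:
        print(v, t, "alive" if se.sample(v, t) else "TAMPER -> bricked")
    print("boot key zeroized:", se.key_is_zeroized("boot"))
```

Two design points worth noting: the key bytes are overwritten rather than dereferenced, so no intact copy survives in the store, and the bricked flag is set once and never cleared, which is what makes the response a one-way event rather than something an attacker can wait out by returning the supply to normal.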
Multiple platforms, one chip
Multiple operating systems on a single processor are a fact of life in modern automobiles and exacerbate the security challenges faced by designers. HUD and cluster systems require high uptime for critical information; navigation and media systems emphasize accessibility to apps, the network and personalized experiences. Each system can require a different operating system environment tailored to its function, all running on the same processor. i.MX 8 implements both full-chip virtualization to securely run multiple rich operating systems and hardened, isolated Cortex-M4 domains to run RTOS functions such as CAN communication and rear-view camera systems. These mechanisms are necessary to ensure the operating systems do not interfere with one another and create vulnerabilities for hackers to exploit.
Firewall domaining is the key
i.MX 8 and 8X application processors are feature and function rich and designed for high performance and flexibility, attributes desirable for delivering compelling driver experiences. These experiences require multiple, isolated operating systems as well as the flexibility to update those experiences over-the-air (OTA) with new apps and upgrades. To protect and isolate all this concurrently running software, i.MX 8 and 8X implement a firewall domaining system where different software can be run and effectively sealed off from the rest of the system. Firewall domaining is a hardware-based private bus and permission set not accessible to system software. It works in conjunction with SECO to provide up to 16 isolated environments into which processor hardware blocks and their memory storage locations can be placed and monitored for unusual activity. For example, an OTA upgrade can be sandboxed into a firewall domain and run on a main core, a GPU and a communication port. The system watches the OTA software run, and if it attempts to access another portion of the chip (e.g. an Ethernet port) unexpectedly, that likely means a malicious or malfunctioning payload is included and the OTA is not accepted.
The massively linked “data center” on wheels needs powerful security. The combination of the four layers of defense that i.MX 8/8X provides is what enables safe and secure driver information systems in modern cars.
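The sandboxed OTA evaluation described above, as an added example that is not NXP code: each firewall domain carries a fixed permission set naming the hardware blocks it may touch, the set is sealed before any software runs so the software cannot rewrite it, and a trace of bus accesses from the sandboxed update is checked against the set, with any access outside it logged and the update rejected. The domain and block names, the 16-domain limit taken from the text, and the trace lines are constructed for illustration.

```python
"""Model of firewall-domain permission checking for a sandboxed OTA update.
Added example, not NXP code. Domain names, block names and the trace are
constructed; the 16-domain limit is the figure given in the text."""
from collections import namedtuple

Access = namedtuple("Access", "domain block op")


class FirewallDomains:
    MAX_DOMAINS = 16   # number of isolated environments stated in the text

    def __init__(self):
        self._perms = {}
        self._sealed = False   # once sealed, the permission set is read-only

    def create(self, name: str, allowed_blocks) -> None:
        if self._sealed:
            raise PermissionError("permission set is sealed; system software cannot modify it")
        if name in self._perms:
            raise ValueError(f"domain {name!r} already exists")
        if len(self._perms) >= self.MAX_DOMAINS:
            raise ValueError(f"at most {self.MAX_DOMAINS} domains supported")
        self._perms[name] = frozenset(allowed_blocks)

    def seal(self) -> None:
        self._sealed = True

    def permitted(self, access: Access) -> bool:
        """An unknown domain has no permissions at all."""
        return access.block in self._perms.get(access.domain, frozenset())


def parse_trace(lines):
    """Parse constructed bus-trace lines of the form '<domain> <block> <op>'.
    Blank lines and '#' comments are skipped; malformed lines raise."""
    out = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed trace line: {raw!r}")
        out.append(Access(*parts))
    return out


def evaluate_ota(domains: FirewallDomains, sandbox: str, trace):
    """Return (accepted, violations). The update is accepted only if every
    access issued from the sandbox domain stays inside its permission set."""
    violations = [a for a in trace if a.domain == sandbox and not domains.permitted(a)]
    return (len(violations) == 0, violations)


# Constructed trace: an OTA payload that stays in bounds, then one that
# unexpectedly reaches for the Ethernet port.
CLEAN_TRACE = """
ota_sandbox a53_core0 exec
ota_sandbox gpu0 write
ota_sandbox uart2 write
cluster a53_core1 exec
"""
SUSPECT_TRACE = CLEAN_TRACE + "ota_sandbox eth0 write\nota_sandbox ocram read\n"


def build_domains() -> FirewallDomains:
    d = FirewallDomains()
    d.create("ota_sandbox", {"a53_core0", "gpu0", "uart2"})   # main core, GPU, comm port
    d.create("cluster", {"a53_core1", "display0"})
    d.seal()
    return d


if __name__ == "__main__":
    d = build_domains()
    for label, text in (("clean", CLEAN_TRACE), ("suspect", SUSPECT_TRACE)):
        ok, bad = evaluate_ota(d, "ota_sandbox", parse_trace(text.splitlines()))
        print(label, "accepted" if ok else "REJECTED", [f"{a.block}:{a.op}" for a in bad])
```

The check is deliberately default-deny: a block is reachable only if it was placed in the domain at creation time, an unknown domain can reach nothing, and sealing before execution models the text's point that the permission set is not something system software (including the update under test) gets to edit.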