Next-generation cars are complex. Cars today already have millions of
lines of code and dozens of processors, controllers and sensors that generate
enormous amounts of data – the content is so vast that they are often
compared to data centers. But unlike a data center, cars move and need to keep
everyone safe on the road. Car owners want a connected experience
that’s intuitive, easy to use, personalized – not for just the
driver, but for everyone in the car. Cars have become massively linked
“data centers” on wheels, and it is imperative that all this
valuable data is managed and analyzed safely and securely.
There is no safety without security
At the center of the driver and passenger in-cabin experience you’ll
find heads up displays, digital clusters, telematics, navigation, media
players and voice and data communications – it’s “all
the cool” of driver information systems (DIS) that makes driving more
convenient and fun. But the flip side is that the connectivity in these
applications also opens up the car to potential security vulnerabilities. So,
for safety and security, we need embedded processors that incorporate strong
built-in defense against known threat vectors. We also need a system that has
the ability to get over-the-air firmware updates to patch any security
vulnerabilities and to defend against newly discovered attack mechanisms.
Known in the industry as an established leader of infotainment processors,
NXP’s i.MX family of applications processors power all kinds of DIS
applications. Our newest line up – the i.MX 8 and 8X that we announced
in October 2016 in Detroit – addresses security with a four-point
layered approach to protect the entire system, from hardware to communication
links. The four components of this layered defense are:
-
SECO: An isolated, dedicated hardware security module (HSM) for
cryptography, authentication, monitor and response
-
Hardware protection against physical tampering (voltage, temperature, power)
-
Root-of-trust for multiple, concurrent operating systems, from power-on to
run-time
-
Hardware-based, in-processor firewall domains for data and memory integrity
of services
Let’s start with SECO
SECO (SEcurity COntroller) is an isolated, dedicated hardware security module (HSM). It is the
root-of-trust for the system, not only for key management, but also for
authenticating, monitoring and locking down the system controller
firmware. For automotive ECU interoperability, SECO implements a
flashless version of the security hardware extension protocol (SHE / SHE+) and
fully meets the functional goals and objectives of the ‘EVITA
Full’ specification for HSMs. It has a high quality and certifiable
random number generator and supports all the required AES encryption modes
required including CMAC, ECB, CBC and Miyaguchi Preneel.
SECO is firmware based and has algorithm agility to grow for increasing
security requirements. It ensures its firmware version is up to date and
prevents use of outdated and perhaps more vulnerable firmware. Although
it’s small, it packs a punch! It is capable of approximately 750
ECDSA signatures verification per second, for the P-256 curve; the SHA engine
is on the order of 2 Gbit/s; and the AES engine has throughput of about 1 Gbit/s.
Hardware protection against physical attacks
i.MX 8 and 8X include protections against a favorite hacker attack
strategy: modulating the processors power, voltage and thermal
environments to uncover secrets. Simply ‘jiggling’ the
power input can cause an unprotected processor to glitch, creating an opening
even with an isolated HSM. Low voltage attacks run the processor below
its required voltage, in hopes the processor will enter an unstable mode, thus
creating an opening. Temperature can also be used to send the processor
into a vulnerable mode by operating the processor outside its allowed
temperature range. i.MX 8 and 8X provides protection against such
physical tamper events, by continuously monitoring and responding to attacks
by erasing secure keys (‘zero-izable memories’) and renders the
processor inoperable (‘bricking’).
Multiple platforms, one chip
Multiple operating systems on a single processor are a fact of life in modern
automobiles and exacerbate the security challenges faced by designers.
HUD and Cluster systems require high uptime for critical information,
navigation and media systems emphasize accessibility to apps, the network and
personalized experiences. Each system can require a different operating system
environment tailored to its function, all running on the same processor. i.MX
8 implements both full chip virtualization to securely run multiple rich
operating systems and hardened, isolated Cortex M4 domains to run RTOS
functions such as CAN communication and rear-view camera systems. These
systems are necessary to ensure the operating systems do not interfere with
one another and create vulnerabilities for hackers to exploit.
Firewall domaining is the key
i.MX 8 and 8X application processors are feature and function rich and
designed for high performance and flexibility, attributes desirable for
delivering compelling driver experiences. These experiences require multiple,
isolated operating systems as well as the flexibility to update those
experiences over-the-air (OTA) with new apps and upgrades. To protect and
isolate all this concurrently running software, i.MX 8 and 8X implement a
firewall domaining system where different software can be run and effectively
sealed off from the rest of the system. Firewall domaining is a hardware-based
private bus and permission set not accessible to system software. This works
on conjunction with SECO to provide up to 16 isolated environments where
processor hardware blocks and their memory storage locations can be placed and
monitored for unusual activity. For example, an OTA upgrade can be sandboxed
into a firewall and run on a main core, a GPU and a communication port.
The system watches the OTA software run and if it attempts to access another
portion of the chip (for example, an Ethernet port) unexpectedly, that likely means a
malicious or malfunctioning payload is included and the OTA is not accepted.
The massively linked “data center” on wheels needs powerful
security. The combination of four-layers of defense that i.MX 8/8X provides
what enables safe and secure driver information systems in modern cars.
Additional information and resources
More information on i.MX and 8X
A world of hackers, connectivity and automotive processors –
what’s secure enough?