SHE Secure Hardware Extension

SHE

Secure Hardware Extension

Data Security for Automotive Embedded Systems

Workshop on Cryptography and Embedded Security

Embedded World @ Nuremberg, February 2012



Data Security - What does it mean for Automotive?



SHE - Secure Hardware Extension - A new Standard?



SHE - Implementation



Outlook

Data Security

What does it mean for Automotive?



Areas of Use



Applications

Areas with Demand for Security

In-Vehicle Data Security



Data Security on the road today



On-chip Flash/ROM read-out protection against unauthorized access



Solution by Fujitsu: Flash/ROM security

• Available on 16LX,16FX, FR, FCR4



Future, Enhanced Data Security



Protect entire car system

• not limited to Flash/ROM read-out prevention



Authentication, Secure Communication and Data Storage

• within vehicle

• between vehicles (C2C)

• between vehicle and infrastructure (C2X)



En-/Decryption is key for future state-of-the-art MCUs

• Embedded and ASSP solutions will find their market segment

Target Applications



Theft protection / Immobilizer



Prevent unauthorized operation of vehicle



Disable ignition and alike



Component Protection



Membership validation of all ECUs built in a particular vehicle



Exchanging 1 ECU without authentication

• degrades functionality as unauthenticated functions will not work

• stops operation of all networked ECUs at next system start

• E.g. when engine control ECU is affected



Feature Activation



Enables certain functions in the delivered SW-package

ECUs to be protected by Cryptography



Gateway



Body Computer Module 1



Body Computer Module 2



Climate Control



Thermo Management Unit



Active Engine Mount



Instrument Cluster



Night Vision



Battery Management System



Charger



Safety Computer



Adaptive Cruise Control



Engine Control



Gear Box



Electronic Steering Column Lock



Power Electronics Hybrid



Central Computer



Rear Seat Entertainment



Sound



DVDC



TV-Tuner

EVITA



European research project June 2008 –Dec 2011



E-safety vehicle intrusion protected applications



Objective:

Design, verify, and prototype an architecture for automotive on-board

networks where security-relevant components are protected against

tampering and sensitive data are protected against compromise when

transferred inside a vehicle.

Security Models - Categorization

Full EVITA HSM Medium EVITA HSM Light EVITA HSM

V2X communication On-board communication On-board communication Maximum level of

functionality,

security and performance

Maximum level of functionality and security

Optimized for low cost HW-solution Asymmetric cryptographic engine & Hash engine Symmetric cryptographic engine Symmetric cryptographic engine e.g. AES-128 User-programmable functionality User-programmable functionality Pre-defined functionality

Secure CPU @ 100 MHz Secure CPU @ 25 MHz Secure Zone no CPU needed

64k 64k Optional NV Memory

512k 512k Optional NV RAM

PRNG with TRNG seed PRNG with TRNG seed Optional T/PRNG Security LT > 20 years



SHE - Security Objectives



SHE - Building Blocks



SHE - Performance Requirements

SHE

HIS - SHE

HIS portal on Security



HIS = Hersteller Initiative Software



SHE = Secure Hardware Extension - meets ‘Light EVITA HSM’

 Specification by HIS



Concept:



Add a Secure Zone



Prevent user access to

security functions other

than those given by logic

SHE - Security Objectives



Protect cryptographic keys from software attacks



Provide an authentic software environment



Let the security only depend on the strength of the underlying

algorithm and the confidentiality of the keys



Allow for distributed key ownerships

SHE – Building Blocks (1)



MCU with

Secure Zone



SHE data storage

- volatile

- non-volatile

- for KEY & MAC



Access only via

defined command

interface

SHE – Perspective from Specification (2)



SHE specifies Secure Zone components and algorithms



Cryptography

• En-/decryption unit

• AES 128 algorithm



ROM

• Secret key storage SECRET_KEY

• Unique key storage UID



RAM

• RAM key storage

• PRNG key storage



NV-Memory

• Boot key & MAC storage

• Master key, general purpose key storage RAM

ROM

NV-Memory Crypto-

SHE – Perspective from Specification (3)



Cryptography carries



Encryption unit

• AES 128-based



Decryption unit

• AES 128-based



CMAC

• Cipher-based Message Authentication Code generator



Miyaguchi-Preneel

• One-way compression function; compressed data cannot be recovered

• Input requests 128-bit wide chunks of data stream

• Outputs Hash-values to en-/decoding unit RAM ROM NV-Memory Crypto- graphy Applicable Standard

SHE – Perspective from Specification (3)



Cryptography carries



Encryption unit

• AES 128-based



Decryption unit

• AES 128-based



CMAC

• Cipher-based Message Authentication Code generator



Miyaguchi-Preneel

• One-way compression function; compressed data cannot be recovered

• Input requests 128-bit wide chunks of data stream

• Outputs Hash-values to en-/decoding unit RAM

ROM

NV-Memory Applicable Standard

SHE – Perspective from Specification (4)



RAM carries



RAM_KEY

• Temporary key used for arbitrary operations



PRNG_KEY

• Key used by the Pseudo Random Number Generator



PRNG_STATE

• Keeps status of Pseudo Random Number Generator ROM NV-Memory Crypto- graphy RAM

SHE – Perspective from Specification (4)



RAM carries



RAM_KEY

• Temporary key used for arbitrary operations



PRNG_KEY

• Key used by the Pseudo Random Number Generator



PRNG_STATE

• Keeps status of Pseudo Random Number Generator ROM NV-Memory Crypto- graphy

SHE – Perspective from Specification (5)



ROM carries



SECRET_KEY

• Unique key

• Used for im-/export of all other keys

• Has to be created with true random number generator (off-chip TRNG ) at production



UID

• Unique identifier • Authenticates MCU



Both SECRET_KEY and UID have to be fixed at production time

• 16 byte for SECRET_KEY and ≤15 byte for UID RAM

NV-Memory Crypto-

graphy ROM

SHE – Perspective from Specification (5)



ROM carries



SECRET_KEY

• Unique key

• Used for im-/export of all other keys

• Has to be created with true random number generator (off-chip TRNG ) at production



UID

• Unique identifier • Authenticates MCU



Both SECRET_KEY and UID have to be fixed at production time

• 16 byte for SECRET_KEY and ≤15 byte for UID RAM

NV-Memory Crypto-

SHE – Perspective from Specification (6)



NV-Memory carries

 MASTER_ECU_KEY • Set up by OEM (owner) • Enables change of other keys  BOOT_MAC_KEY • Enables particular boot request and thus establishing secure boot  BOOT_MAC • Authentication of boot code  KEY_<n>

• Dedicated key storage for arbitrary functions

• 3 – 10 keys

 PRNG_SEED

• Starting value for pseudo random number generator

 Irreversible Write Protection of keys in NV-memory

• Any key in NV-memory area shall not be changeable throughout life time of the device once write-protection was applied by user

RAM

ROM

Crypto-

SHE – Perspective from Specification (6)



NV-Memory carries

 MASTER_ECU_KEY • Set up by OEM (owner) • Enables change of other keys  BOOT_MAC_KEY • Enables particular boot request and thus establishing secure boot  BOOT_MAC • Authentication of boot code  KEY_<n>

• Dedicated key storage for arbitrary functions

• 3 – 10 keys

 PRNG_SEED

• Starting value for pseudo random number generator

 Irreversible Write Protection of keys in NV-memory

• Any key in NV-memory area shall not be changeable throughout life time of the device once write-protection was applied by user

RAM

ROM

Crypto- graphy

SHE - Performance Requirements



Start-up / Secure Boot is Critical Path



All SHE-equipped nodes have to perform secure boot process



Availability to be established before 1 sec elapses



MAC latency according SHE



< 2 µsec for a 128-bit block

• MAC = Message Authentication Code



Authentication of Flash contents at power up



<< 100 msec for 1 MByte required



Exact requirement depends on

• Oscillator start-up times

• Network start-up,

• NM communication,



SHE System



SHE Integration



SHE Implementation

SHE

Host System

SHE Host Driver

SHE

SHE System Diagram

EEFLASH

Public Secured

SHECO

NV_MEM IF SHE Firmware Data IF Command IF Host Interface

DMA

SHE - System Integration (ATLAS-L/TITAN)

Contains security config Content is

protected Bus master

Peripheral bus 3 64-bit Multilayer AXI bus

32 -bi t A HB sla ve bu s USB MediaLB Ethernet Subsystem I2S CRC Quad-SPI Boot ROM System RAM Retention RAM Timing Protection SRAM Interrupt Controller System Controller Peripheral bus 1 Cache Peripheral Protection M PU Cortex R4 CPU 32 -bi t A HB mas ter bu s MPU MPU MPU MPU MPU PPU Peripherals _Peripherals Peripherals Peripherals Peripheral bus 0 Peripherals Peripherals _Peripherals Peripherals 32 -bi t A HB sla ve bu s Watchdog External Interrupt RTC 64 -bi t A HB sla ve bu s GPIO Timers Timers Timers _Timers Peripheral Bus Bridge _{Bus Bridge} Peripheral Peripheral

Bus Bridge Debug / Trace Sec . TCFlash Bus slave Sec . EEFlash SHE

SHE Implementation

HW barrier Bus master Bus slave

SHE

_SHECO

FR60 CPU AES-128 En-/decode CMAC Miyaguchi-Preneel PRNG Tx/Rx FIFOs

Host AHB bus

NV_MEM_MASTER 32 -bi t AHB bu s

EEFLASH

Fla sh secu ri ty 64 -bi t A HB bus Public Sectors (6 x 8 K) Secured Sectors (2 x 8 K) MPU AXI Master

Host AXI bus

TRNG Command/Data I/F Data I/F Host Interface ROM RAM I bus 32 -bi t D bus Register I/F AHB D PPU protection Cycle counter

SHE - Secured Key Storage (1)

RAM EEFLASH SECRET_KEY

UID

MASTER_ECU_KEY FLAGS COUNTER BOOT_MAC_KEY FLAGS COUNTER BOOT_MAC FLAGS COUNTER KEY_<n> FLAGS COUNTER

PRNG_KEY PRNG_STATE RAM_KEY FLAGS EMPTY EMPTY EMPTY EMPTY EMPTY EMPTY



Common features

 32 byte large key slots

 Access only by SHECO CPU



NV memory

 Empty flag to distinguish between erased keys and keys written to 0xFF  Flags and 28bit counters are stored in

the same slot as the key

 SECRET_KEY and UID slots are write protected before device delivery

 No PRNG_SEED storage needed since on-chip TRNG is implemented



RAM

 PRNG_KEY is calculated from SECRET_KEY during

CMD_INIT_RNG command and stored in RAM slot

FLAGS FLAGS

FLAGS FLAGS

SHE - Secured Key Storage (2)

Em pt y W ri te -pr ot e ct ion Se cur e boot f ai lur e De bug ge r act iv at ion Wi ldc ar d U ID K ey usa ge P la in ke y SECRET_KEY F1 _T2 _3 3 UID F1 _T2 MASTER_ECU_KEY 4 _{   } BOOT_MAC_KEY 4 _{  } BOOT_MAC 4 _{  } KEY_<n> 4 _{    } PRNG_KEY 5 PRNG_STATE 5 RAM_KEY 5 _

1 _{Empty flags for SECRET_KEY and UID are set after the keys have been written (by Fujitsu)}

2 _{Write-protection flags for SECRET_KEY and UID are set after the keys have been written (by Fujitsu)} 3 _{SECRET_KEY inherits its protection flags from MASTER_ECU_KEY}

4 _{The initial value after production will be TRUE}

5 _{The initial value after power-up/HW-Reset will be TRUE}

Flags to be used for keys

– used

F – used, always false T – used, always true

SHE – Software (Firmware)



SHE firmware

 Implements SHE control logic + EEPROM emulation for key storage

 Is ROM based (no modification possible!)

 No debugging possible

 Entirely developed by Fujitsu



Secure Boot

 Extension of FCR4 Boot-ROM for Secure Boot

 Validation of boot loader with support of SHE and DMA

 Block length configured by of SHE_BL_SIZE (SHE parameter)

SHE – Software (AUTOSAR Driver)



AUTOSAR driver V4.xx



Implements SHE user accessible

functions



Handles hardware Interaction

 E.g I/F error handling



Host driver for SHE will become

Outlook



Cryptography becomes general trend for embedded systems



Majority of ECU/MCU will have to support en-/decryption



Data security will become mandatory feature for automotive

applications



Scaled between low-cost solutions like SHE for many ECUs and



High protection requirements for a subset of ECUs