Designer’s guide on secure processors for automotive

Secure processors incorporate essential security features, either at the hardware or software level, to mitigate the risks of cyberattacks.

Technological progress in areas such as connectivity, electrification and self-driving cars is quickly changing the automotive industry. As a result of these advancements, on-board systems have become much more complicated, making them more vulnerable to cyberattacks. The security of automotive systems is of utmost importance, resulting in an increasing focus on secure processors that are specifically tailored for automotive applications.

These processors serve as the fundamental support for vehicle security, protecting critical operations and confidential information. They enhance the security of automotive systems by incorporating security features directly into the hardware, thus increasing the difficulty for attackers to penetrate these systems.

Embedded security is a growing concern for automotive developers as the amount of software in vehicles grows and automotive electronic systems and communication networks must be protected, according to a recent survey released by Perforce Software. The survey also finds an increasing focus on meeting regulations that require cybersecurity approval and on enforcing secure coding practices. Automotive developers report that quality (29%), security (25%) and safety (21%) are their top development concerns.

Figure 1: Secure processors serve as the fundamental support for vehicle security, protecting critical operations and confidential information. (Source: Adobe Stock)

Key challenges in automotive security

One of the main security challenges in the automotive field concerns protection from cyberthreats. With the rise of connected vehicles, such as V2X and V2V communications, the attack surface for hackers has expanded, increasing the potential for tampering (e.g., altering firmware to bypass security features) and malicious attacks.

Modern vehicles integrate more and more software-dependent features, and this trend is likely to amplify as software-defined vehicle (SDV) architectures become more widespread. As vehicles become increasingly software-dependent, they become more exposed to tampering.

While over-the-air (OTA) updates keep vehicle software current and maintain state-of-the-art safety, they can introduce new security risks. Because an update channel is a possible path for malicious code injection, rigorous verification and authentication of every update are required.

Moreover, the extensive reach of the supply chain presents challenges in guaranteeing the security of components and software throughout the manufacturing process. Any vulnerabilities or susceptibilities that arise at this stage can result in substantial and far-reaching repercussions.

Another challenge is protecting sensitive data, encompassing both personal information and proprietary vehicle data. To guarantee the safeguarding of confidential data, it is imperative to use robust encryption, ensure secure data transmission and enforce stringent access controls. Ensuring the security and privacy of data during the lifespan of the vehicle is a complex endeavor.

A key requirement for ensuring security in automotive is compliance with reference standards. These include the de facto functional safety standard ISO 26262 (Road Vehicles—Functional Safety) and ISO/SAE 21434 (Road Vehicles—Cybersecurity Engineering) for automotive cybersecurity.

The ISO/SAE 21434 standard applies to the electrical and electronic systems of mass-produced road vehicles, including software and related components and interfaces. Vehicle components covered by ISO/SAE 21434 include gateways, infotainment systems, sensors, cameras, security systems and general communication systems.

Chipmakers such as Infineon Technologies AG continue to bolster cybersecurity features in their automotive microcontrollers (MCUs). Compliant with the ISO/SAE 21434 and ISO 26262 cybersecurity and safety standards, Infineon’s AURIX TC4x MCU family features a cybersecurity real-time module with dedicated memory and a cybersecurity satellite (CSS) that enables parallel execution of cryptographic operations.

The AURIX TC4x MCU family is now supported by Vector’s MICROSAR hardware security module (HSM) firmware. The CSS is directly managed by a MICROSAR Classic Crypto driver installed on the host CPU, resulting in optimized data transfer rates and avoiding any delays caused by interprocess communication with the CSS.

Figure 2: Infineon’s AURIX TC4x MCUs meet the requirements of future SDVs. (Source: Infineon Technologies AG)

Platform approach to secure processors

Connectivity in modern cars makes them vulnerable to cyberattacks. Hackers can not only access the vehicle’s systems, but they can also gain control of the car. To mitigate these risks, secure processors for automotive applications must incorporate several essential features, implemented either at the hardware or software level.

NXP Semiconductors, as an example, has proposed a multilayer approach to automotive security based on the following layers:

  • Secure interfaces: The vehicle’s communication interfaces connect the vehicle and its occupants to the outside world. These communications must be secure to ensure user privacy and vehicle safety. This layer employs robust encryption and authentication to ensure that the vehicle communicates with known (trusted) entities and that received data is trustworthy.
  • Secure gateway: This layer is a kind of firewall, controlling access from external interfaces to the vehicle’s internal network and determining which nodes in the vehicle’s network can communicate with one another. It provides domain isolation and converts between various automotive communication protocols.
  • Secure network: This layer safeguards communication across various in-vehicle networks from data modification and theft. It features intrusion prevention and containment capabilities.
  • Secure processors: Automotive-qualified MCUs and processors include dedicated security modules that safeguard software from manipulation and enable secure software updates and data protection.
  • Secure car access: The last layer offers physical protection via anti-theft immobilizers and smart car access functions. New features in this area include remote lock and unlock, passive start, remote vehicle monitoring and access to the car via a smartphone or smart key device.
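The secure gateway and secure network layers above are described in prose only. The following Go program is an added illustration written for this article, not NXP's code or the design of any shipping gateway: it models a default-deny gateway that forwards a simplified CAN-style frame only when an explicit (source domain, destination domain, identifier) rule permits it, enforces a maximum payload length per rule, and counts dropped frames per source so an intrusion-detection function can observe repeated policy violations. The domain names, identifiers, rules and frames are all constructed for the example.

```go
package main

import "fmt"

// Domain names one segment of the in-vehicle network behind the gateway
// (constructed set for this example).
type Domain int

const (
	Telematics Domain = iota // external-facing interface (cellular, V2X)
	Infotainment
	Body
	Powertrain
	numDomains
)

var domainNames = [...]string{"telematics", "infotainment", "body", "powertrain"}

func (d Domain) String() string { return domainNames[d] }

// Frame is a simplified CAN-style message as seen by the gateway.
type Frame struct {
	Src     Domain
	ID      uint32
	Payload []byte
}

// Rule permits frames with identifier ID to flow from Src to Dst, with a
// maximum payload length so malformed or oversized frames are dropped.
type Rule struct {
	Src, Dst Domain
	ID       uint32
	MaxLen   int
}

type routeKey struct {
	src, dst Domain
	id       uint32
}

// Gateway forwards a frame only when an explicit rule permits it (default deny)
// and records rejections per source domain for the intrusion-detection function.
type Gateway struct {
	maxLen   map[routeKey]int
	Rejected map[Domain]int
}

func NewGateway(rules []Rule) *Gateway {
	g := &Gateway{maxLen: map[routeKey]int{}, Rejected: map[Domain]int{}}
	for _, r := range rules {
		g.maxLen[routeKey{r.Src, r.Dst, r.ID}] = r.MaxLen
	}
	return g
}

// Route returns the destination domains the frame may be forwarded to, in
// ascending domain order; an empty result means the frame is dropped.
func (g *Gateway) Route(f Frame) []Domain {
	var dsts []Domain
	for d := Domain(0); d < numDomains; d++ {
		if d == f.Src {
			continue // never reflect a frame back onto its own segment
		}
		limit, ok := g.maxLen[routeKey{f.Src, d, f.ID}]
		if ok && len(f.Payload) <= limit {
			dsts = append(dsts, d)
		}
	}
	if len(dsts) == 0 {
		g.Rejected[f.Src]++ // a violation worth reporting, not just a silent drop
	}
	return dsts
}

func main() {
	gw := NewGateway([]Rule{
		{Telematics, Body, 0x200, 8},   // remote lock/unlock request to the body domain
		{Body, Powertrain, 0x100, 8},   // body status needed by the powertrain domain
		{Body, Infotainment, 0x300, 8}, // door status for the display
	})
	frames := []Frame{ // constructed traffic
		{Telematics, 0x200, []byte{0x01}}, // allowed by rule
		{Telematics, 0x100, []byte{0x00}}, // external node has no route to powertrain: dropped
		{Body, 0x100, make([]byte, 64)},   // oversized payload: dropped
	}
	for _, f := range frames {
		fmt.Printf("%-12s id=0x%03X -> %v\n", f.Src, f.ID, gw.Route(f))
	}
	fmt.Println("rejections by source:", gw.Rejected)
}
```

The important design choice is that the rule table is the only way a frame crosses a domain boundary; anything not listed, including any identifier an external interface tries to send toward the powertrain, is dropped and counted rather than forwarded.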

Automotive MCUs and processors embed a variety of security features. These include HSMs, trusted platform modules (TPMs), secure boot, secure OTA firmware updates, virtualization and isolation, as well as secure communication protocols.

The HSM is a specialized security chip embedded within the vehicle’s electronic control units (ECUs), responsible for managing cryptographic keys, performing encryption/decryption and running security protocols. HSMs include typical features such as tamper resistance, secure key storage and dedicated cryptographic processing units.

A TPM is a specialized hardware module, essentially a secure crypto-processor, that provides security functions, such as generating and storing cryptographic keys securely, hardware-based authentication and ensuring platform integrity. TPMs are often integrated into secure processors to provide a root of trust, a feature that verifies the authenticity of software and firmware running on the system.

Secure boot ensures that only verified and signed code is executed during the system startup. Additionally, secure processors implement secure OTA mechanisms that allow the vehicle’s firmware to be updated remotely while ensuring that only authenticated and untampered updates are applied.
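The root-of-trust check described for TPMs above and the secure boot and OTA verification described here share one mechanism: a signature over the image, checked against a public key anchored in hardware, plus an anti-rollback version check. The Go program below is an added example written for this article; it is not the boot code of any of the processors mentioned. The image layout (a 12-byte header of magic, version and payload length, followed by the payload and an Ed25519 signature), the key pair and the payload are all constructed, and in a real device the verification key would come from immutable storage and the installed version from a monotonic counter in the HSM or TPM.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	magic     = "OTA1" // constructed image format tag
	headerLen = 12     // magic(4) | version(4) | payload length(4), big-endian
)

var (
	ErrFormat   = errors.New("malformed image")
	ErrSig      = errors.New("signature verification failed")
	ErrRollback = errors.New("image version not newer than installed version")
)

// BuildImage is the release-signing step: it signs header || payload with the
// OEM's private key, which never leaves the signing service.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	body := append(hdr, payload...)
	return append(body, ed25519.Sign(priv, body)...)
}

// VerifyImage is the boot/update-side check: structure first, then the
// signature against the root-of-trust public key, then the monotonic version
// against the installed one. The payload is returned only if every check passes.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(img) < headerLen+ed25519.SignatureSize || string(img[:4]) != magic {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(img[4:8])
	n := int(binary.BigEndian.Uint32(img[8:12]))
	if n != len(img)-headerLen-ed25519.SignatureSize {
		return 0, nil, ErrFormat // declared length must match what was received
	}
	body, sig := img[:headerLen+n], img[headerLen+n:]
	if !ed25519.Verify(pub, body, sig) {
		return 0, nil, ErrSig // covers any modified byte of header or payload
	}
	if version <= installed {
		return 0, nil, ErrRollback // a genuine but older image is still rejected
	}
	return version, body[headerLen:], nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed OEM key pair
	if err != nil {
		panic(err)
	}
	installed := uint32(1)
	payload := []byte("constructed firmware payload")

	img := BuildImage(priv, 2, payload)
	v, _, err := VerifyImage(pub, installed, img)
	fmt.Println("genuine v2:", v, err)

	tampered := append([]byte(nil), img...)
	tampered[headerLen] ^= 0xFF // flip one payload byte
	_, _, err = VerifyImage(pub, installed, tampered)
	fmt.Println("tampered:", err)

	_, _, err = VerifyImage(pub, installed, BuildImage(priv, 1, payload))
	fmt.Println("replayed v1:", err)
}
```

The order of the checks matters: structure and signature are verified before any field is trusted, so the version number is only compared once it is known to have been signed by the OEM.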

Secure processors often support communication protocols such as Transport Layer Security or IPsec to ensure secure communication between the vehicle and external systems, such as cloud servers or other vehicles.

Virtualization allows designers to create isolated virtual machines, preventing a security breach in one domain from affecting others. This solution, which meets strict safety requirements, relies on a hardware memory protection unit (MPU), which provides isolation by enforcing access control policies for memory regions. This ensures that different processes or software components cannot interfere with each other. The Arm Cortex-R processors based on the Armv8-R architecture, such as the Cortex-R52+, provide virtualization to support SDV and zonal architectures.
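To make the MPU-based isolation policy concrete, the Go program below is an added model written for this article; it is not Arm's MPU logic nor code from any of the processors named. It models a default-deny policy in which an access by a partition (virtual machine) is granted only when the whole address range lies inside a single region that partition owns with the requested right. Region layout, partition numbers and the assumption that configured regions do not overlap are all constructed for the example; how a real MPU resolves overlapping regions is architecture-specific and not modeled here.

```go
package main

import "fmt"

// Perm is a bitmask of access rights on a memory region.
type Perm uint8

const (
	Read Perm = 1 << iota
	Write
	Exec
)

// Region models one MPU region: an address range, the set of partitions
// (virtual machines) that may use it, and the rights they get there.
type Region struct {
	Base, Limit uint32 // inclusive address bounds
	Owners      uint32 // bit i set => partition i may access the region
	Perm        Perm
}

// Access is a request the hypervisor checks before programming the MPU for a
// partition or when deciding whether a fault was a legitimate access.
type Access struct {
	Partition int
	Addr, Len uint32
	Perm      Perm
}

// Allowed implements the default-deny policy: the access is granted only if the
// whole range [Addr, Addr+Len) falls inside one region the partition owns with
// the requested right. Regions are assumed not to overlap (constructed model).
func Allowed(regions []Region, a Access) bool {
	if a.Len == 0 {
		return false
	}
	end := uint64(a.Addr) + uint64(a.Len) - 1 // widened so the sum cannot wrap at 32 bits
	for _, r := range regions {
		inRange := uint64(a.Addr) >= uint64(r.Base) && end <= uint64(r.Limit)
		owns := r.Owners&(1<<uint(a.Partition)) != 0
		if inRange && owns && r.Perm&a.Perm == a.Perm {
			return true
		}
	}
	return false // no region granted it: the access faults
}

// DemoRegions is a constructed layout: partition 0 = ADAS, partition 1 = infotainment.
var DemoRegions = []Region{
	{Base: 0x00000000, Limit: 0x000FFFFF, Owners: 0b11, Perm: Read | Exec}, // shared code in flash
	{Base: 0x20000000, Limit: 0x2000FFFF, Owners: 0b01, Perm: Read | Write}, // ADAS private RAM
	{Base: 0x20010000, Limit: 0x2001FFFF, Owners: 0b10, Perm: Read | Write}, // infotainment private RAM
	{Base: 0x20020000, Limit: 0x20020FFF, Owners: 0b11, Perm: Read},         // shared sensor snapshot, read-only
}

func main() {
	checks := []struct {
		what string
		a    Access
	}{
		{"ADAS writes its own RAM", Access{0, 0x20000100, 8, Write}},
		{"infotainment writes ADAS RAM", Access{1, 0x20000100, 8, Write}},
		{"infotainment reads shared snapshot", Access{1, 0x20020000, 4, Read}},
		{"infotainment writes shared snapshot", Access{1, 0x20020000, 4, Write}},
		{"infotainment read straddles two regions", Access{1, 0x2001FFFC, 8, Read}},
		{"ADAS executes from RAM", Access{0, 0x20000100, 4, Exec}},
	}
	for _, c := range checks {
		fmt.Printf("%-42s allowed=%v\n", c.what, Allowed(DemoRegions, c.a))
	}
}
```

Two of the cases are the ones that trip up naive implementations: a read that starts in a region the partition owns and spills into the next one is denied even though the partition owns both, and code execution from writable RAM is denied because no region grants both Write and Exec.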

Chipmakers are also taking a platform approach to SDV design. Renesas Electronics Corp., for example, provides all the hardware, operating systems, software and tools needed to develop next-generation vehicles with secure and continuous software updates with its R-Car Open Access (RoX) development platform for SDVs.

The RoX SDV platform has been specifically developed to cater to the requirements of R-Car SoCs, the forthcoming R-Car Gen 5 MCU/SoC family and future devices. The SDV platform offers automotive OEMs and Tier 1 suppliers the capabilities of developing a diverse array of scalable computational solutions for advanced driver-assistance systems (ADAS); intelligent vehicle integration; gateway and cross-domain fusion systems; and body control, domain and zone control systems.

Figure 3: Renesas’s RoX platform pre-integrates all fundamental layers required to develop SDVs, reducing design complexity, and supports a software-first approach and parallel hardware and software development. (Source: Renesas Electronics Corp.)

Secure processors

Here are a few examples of the latest security features for automotive applications.

STMicroelectronics’ STSAFE-V100-TPM is a hardware AEC-Q100 Grade 2–qualified TPM solution that is compliant with the latest Trusted Computing Group (TCG) TPM specification (2.0 Rev. 1.59). It can be easily integrated with standardized API, creating a secure system with root of trust and supporting functions required for authentication, secure boot, secure storage, software update, platform integrity and other secure services.

A typical application of the STSAFE-V100-TPM embeds the security features into the module that communicates with the ECU or body domain controller via a dedicated I2C or SPI interface. Data exchanged on this interface is compliant with the TCG TPM library specification 2.0. Typical applications of this TPM solution include EV charging, ADAS, telematics and gateways.

NXP Semiconductors offers a wide portfolio of integrated solutions supporting automotive security. The S32G3 processor, for example, developed for vehicle networking, integrates up to eight Arm Cortex-A53 cores organized in two clusters of four cores with optional cluster lockstep for applications and services, up to four Arm Cortex-M7 dual-core lockstep cores for real-time applications, and a hardware security engine for secure boot and accelerated security services.

For applications in body, zone control and electrification, NXP offers the S32K3 MCUs. These scalable, low-power Arm Cortex-M series–based MCUs are AEC-Q100-qualified devices with a dedicated hardware security engine and an OTA firmware update capability. The S32K3 is now capable of connecting to AWS services, enhancing cloud accessibility on the S32 vehicle computing platform. The new S32K3 capability (Figure 4) offers automakers versatile cloud connectivity for their latest vehicle architectures.

Figure 4: NXP’s S32K3 MCUs support connection to AWS cloud, enabling new vehicle architectures. (Source: NXP Semiconductors)

Microchip Technology Inc. offers several products that meet automotive cybersecurity requirements and have been UL-certified as compliant with the ISO/SAE 21434 standard. The AEC-Q100 Grade 1–qualified dsPIC33C MPT secure digital signal controller (DSC) integrates an off-die secure subsystem compliant with the HSM architecture and the EVITA full specification for automotive security.

This secure processor can be used for integrating security features into digital power, motor control and wireless power (WPC 1.3 Qi high-power wireless charger authentication), as well as sophisticated sensing, touch and other high-performance automotive functions. The dsPIC33C DSCs are equipped with hardware security features that safeguard against remote digital assaults. Additionally, the integrated secure subsystem offers physical anti-tampering and side-channel attack safeguards, which restrict access to embedded system credentials and enhance overall security.
