Euroforum 2015 final


EUROFORUM Elektroniksysteme im Automobil - Copyright Visteon Corporation 2015

Dipl.-Ing. Harald Schöpp, Visteon Corporation

Integration vs. Separation: Improved Security through Integration of Electrical Domains


Overview

• Integration vs. Separation – the everlasting challenge

• Improved Security – based on state-of-the-art multicore architectures

• Implementation Example


The Connected Car – Forcing Challenges

• During the past decade, the focus has been on the development of in-vehicle networking and integration inside dedicated domains

• No significant SW or HW architecture change in the last decade

• The SW monolith continues to grow in size and has become hard to manage

• Connectivity has been added to the system but the architecture remains the same

• The vehicle is connected to the Internet but is not part of the Cloud

• The current decade is focused on the development of the Connected Car and its varying aspects. All in-vehicle functions and features will interact with the Cloud

• Increasing integration and usability force the abolition of domain boundaries – at least at the ECU level

• New technological foundations are required


Infotainment Architecture Evolution

1 DIN – Fully Integrated

Networked via MOST – Distributed

2 DIN – Highly Integrated


E/E Architecture Evolution

Classical Architecture – Strongly Fragmented

Domain Architecture – Higher Integration Inside Domains

What is next?


Some Analogies …

Vision: Eye vs. Camera

Networking: Nervous System vs. Vehicle Network

Processing: Brain vs. Computing Unit


All-Integrated Computing – The Solution?


Critical Factors

Cross-domain Integration has to happen step by step:

• Consolidation of functions across domains reduces cost and redundancy

• Evolution and re-use: preserve what is proven mature

• Clear separation of safety critical and non-safety critical functions

• Manageability of complexity - parallelization

• Controlled updatability across domains


Domain Integration – Starting with Cockpit Controllers

[Slide diagram: four cockpit controllers – Instrument Cluster, Infotainment Head Unit, Connectivity Unit, Driver Assistance Systems]


Cockpit Evolution – Requirements

[Slide diagram: Driver Interaction Electronics – fusion of Cloud, HUD, Cluster and Infotainment]

• Fuse driver information, infotainment, Cloud connectivity and driver assist into a single platform for higher integration and seamless HMI

• Reduce complexity with new system partitions across multiple domains, support parallel work streams

• Configure the system before SOP, then maintain, enhance and control it over its lifecycle, preferably via the Cloud, safely and securely

• Prepare and adapt the vehicle infrastructure for assisted / highly autonomous driving


Solution Proposal: Multi-Core Architecture – SmartCore™

• Mapping domains and application areas to individual cores of a multi-core architecture

• Clear separation with controlled security

• Parallelization of complexity

• Individual updatability

• One common HMI architecture, supporting a scalable number of displays

• Full system scalability from one to x cores

[Slide diagram: Driver Information (ASIL B); Infotainment; Cloud; Sensor Fusion (ASIL B/C); ADAS (ASIL B and ASIL B/C); Unified Multi-User / Multi-Domain Capable HMI; HMI Multimedia; OEM Apps, Navigation; Consumer Apps; RSE Mgmt.; Firewall Control; Gateway Core; Update Mgmt.; Trusted Core]


Multiple Operation System with Graphics X-Tention: MOS.x

[Slide diagram: System on Chip with the MOSX HW VMM providing hardware separation; partitions DI (INTEGRITY), IVI (Linux), ADAS (QNX) and Cloud (Android); Multi Source/Multi Sink Audio/Video Compositor on top]

• Multiple OSs, each running in its own HW space: “OS coexistence” with separation

• Enable new system partitioning while creating parallel work streams

• Multiple, independent video/graphics and audio stream management


Downscaling – Dual Core Solution

[Slide diagram: System on Chip with the MOSX HW VMM providing hardware separation; two partitions DI (QNX/INTEGRITY) and IVI (Linux / QNX); Multi Source/Multi Sink A/V Compositor on top]

• Entry version: no modification required inside the segments


Multi-Level Security Concept - Mixed Criticality Smart Cores

[Slide diagram: System on Chip with the MOSX HW VMM providing hardware separation; partitions DI (INTEGRITY), IVI (Linux), ADAS (QNX) and Cloud (Android); Multi Source/Multi Sink Graphics Compositor on top]

• Non-bypassable invocation of hardware virtualization capabilities enforces system separation.

• Availability protected by fixed hardware resource assignment and signal routing.

• Statically defined information and data flow. Prevention of covert channels. Complete communication mediation.

• Static ownership of peripherals by one core with secured access.
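The following Python model is an added example, not code from the Visteon slides or the SmartCore product. It turns the callouts on this slide (statically defined flows, complete communication mediation, static peripheral ownership, and a reachability check as a cheap guard against unintended indirect paths) into a small default-deny reference monitor. The partition names DI, IVI, ADAS and Cloud come from the slide; the channel table, message topics and peripheral names are constructed assumptions.

```python
"""Toy model of the static separation policy described on this slide.

Added example, not code from the Visteon slides or the SmartCore product.
Partition names (DI, IVI, ADAS, Cloud) come from the slide; channels,
topics and peripheral names are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Channel = Tuple[str, str, str]  # one-way flow: (source, destination, topic)


@dataclass(frozen=True)
class FlowPolicy:
    partitions: FrozenSet[str]
    channels: FrozenSet[Channel]      # statically defined information flow
    peripheral_owner: Dict[str, str]  # every peripheral has exactly one owning partition

    def validate(self) -> None:
        """Reject a policy that names unknown partitions; run once, at boot."""
        for src, dst, _topic in self.channels:
            if src not in self.partitions or dst not in self.partitions:
                raise ValueError(f"channel {src}->{dst} names an unknown partition")
        for dev, owner in self.peripheral_owner.items():
            if owner not in self.partitions:
                raise ValueError(f"peripheral {dev} owned by unknown partition {owner}")

    def allows(self, src: str, dst: str, topic: str) -> bool:
        return (src, dst, topic) in self.channels

    def may_access(self, partition: str, device: str) -> bool:
        # Static ownership: a peripheral answers to its single owner only.
        return self.peripheral_owner.get(device) == partition

    def reachable_from(self, start: str) -> FrozenSet[str]:
        """Transitive closure over channels: partitions `start` can influence, directly
        or via intermediaries. Used to check for unintended indirect paths."""
        seen, frontier = {start}, [start]
        while frontier:
            cur = frontier.pop()
            for src, dst, _topic in self.channels:
                if src == cur and dst not in seen:
                    seen.add(dst)
                    frontier.append(dst)
        return frozenset(seen)


class Mediator:
    """VMM-side reference monitor: every message and device access passes through here."""

    def __init__(self, policy: FlowPolicy) -> None:
        policy.validate()
        self.policy = policy
        self.audit: List[str] = []

    def deliver(self, src: str, dst: str, topic: str, payload: bytes) -> bool:
        ok = self.policy.allows(src, dst, topic)  # default deny: not in the table, not delivered
        self.audit.append(f"{'PASS' if ok else 'DROP'} msg {src}->{dst}/{topic} ({len(payload)} B)")
        return ok

    def access(self, partition: str, device: str) -> bool:
        ok = self.policy.may_access(partition, device)
        self.audit.append(f"{'PASS' if ok else 'DROP'} dev {partition}->{device}")
        return ok


# Constructed policy for the four partitions on the slide.
POLICY = FlowPolicy(
    partitions=frozenset({"DI", "IVI", "ADAS", "Cloud"}),
    channels=frozenset({
        ("ADAS", "DI", "warning"),      # ADAS warnings rendered on the cluster
        ("IVI", "DI", "media_title"),   # now-playing text on the cluster
        ("Cloud", "IVI", "app_data"),   # consumer content reaches IVI only
        ("IVI", "Cloud", "telemetry"),  # outbound diagnostics
    }),
    peripheral_owner={"cluster_display": "DI", "body_can": "DI", "radar": "ADAS", "modem": "Cloud"},
)


def run_demo(policy: FlowPolicy = POLICY) -> Dict[str, bool]:
    """Exercise the mediator and return every decision so a test can assert on it."""
    m = Mediator(policy)
    return {
        "adas_warning_to_cluster": m.deliver("ADAS", "DI", "warning", b"lane departure"),
        "cloud_direct_to_cluster": m.deliver("Cloud", "DI", "warning", b"forged"),
        "ivi_to_adas_no_channel": m.deliver("IVI", "ADAS", "telemetry", b"x"),
        "ivi_to_cluster_wrong_topic": m.deliver("IVI", "DI", "warning", b"x"),
        "modem_by_owner": m.access("Cloud", "modem"),
        "modem_by_ivi": m.access("IVI", "modem"),
        "adas_reachable_from_cloud": "ADAS" in policy.reachable_from("Cloud"),
        "cluster_reachable_from_cloud": "DI" in policy.reachable_from("Cloud"),
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:30s} {verdict}")
```

The design point is that the policy is data fixed before boot and validated once; the mediator never consults anything else at run time, so there is no dynamic rule the Cloud partition could talk its way into. The reachability check shows the flip side: the cluster (DI) is legitimately reachable from the Cloud through IVI, so the IVI-to-DI channel is where topic filtering and input validation have to hold.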


System Level Security - SmartCore

[Slide diagram: hardware separation layers, from Application and OS down to the SoC]

App Level: Applications running in user mode

Kernel Level: OS, or its core kernel functions, running in Supervisor mode

VMM Level: Configuration is done at boot time and protected by VMM mode.

SoC Level: Secure integration of hardware resources (SoC inherent)


System Level Security – Trusted Core

[Slide diagram: Trusted Core with TEE/TPM, Secure Boot, Secure Storage, Crypto Key Management and Crypto Engine; over-the-air update from the OEM Backend; partitions DI (INTEGRITY), IVI (Linux), ADAS (QNX) and Cloud (Android); Consumer Backend connected to the Cloud partition]

• TEE – Trusted Execution Environment

• TPM – Trusted Platform Module

• Compliance with Trusted Computing Group and GlobalPlatform specifications

• Remote attestation for trusted connectivity

• Secure Boot establishes a chain of trust

• OEM has full control over the vehicle
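The following Python model is an added example, not code from the Visteon slides or the SmartCore product; it illustrates the two bullets "Secure Boot establishes a chain of trust" and "Remote attestation for trusted connectivity". To stay dependency-free it uses stand-ins: a root hash burned into ROM replaces the ROM-anchored public key, each stage carries the expected hash of the next stage instead of a signature over it, and an HMAC under a device key replaces a TPM quote signature. Stage names, images, the device key and the nonces are constructed sample data.

```python
"""Hash-chained secure boot, measured boot and a remote-attestation check.

Added example, not code from the Visteon slides or the SmartCore product.
Stand-ins for brevity: a root hash burned into ROM replaces the ROM-anchored
public key, each stage carries the expected hash of the next stage instead
of a signature, and an HMAC under a device key replaces a TPM quote
signature. Stage names, images, key and nonces are constructed sample data.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass(frozen=True)
class Stage:
    name: str
    code: bytes
    next_hash: Optional[bytes]  # expected measurement of the following stage; None for the last

    def measurement(self) -> bytes:
        # Covers the code AND the embedded expectation, so swapping the pointer to the
        # next stage is detected by the stage before it.
        return sha256(self.code + (self.next_hash or b""))


def build_chain(images: List[Tuple[str, bytes]]) -> Tuple[List[Stage], bytes]:
    """Link stages back to front; returns the chain and the root hash to burn into ROM."""
    stages: List[Stage] = []
    nxt: Optional[bytes] = None
    for name, code in reversed(images):
        stage = Stage(name, code, nxt)
        stages.insert(0, stage)
        nxt = stage.measurement()
    return stages, nxt  # nxt is the measurement of the first stage


def secure_boot(rom_root_hash: bytes, chain: List[Stage]) -> Tuple[bool, bytes, str]:
    """Verify each stage before handing over; extend a PCR-style register with every measurement.

    Returns (booted, pcr, log). On a mismatch the boot halts at that stage.
    """
    pcr = bytes(32)
    expected = rom_root_hash
    for stage in chain:
        m = stage.measurement()
        pcr = sha256(pcr + m)  # TPM-style extend: order-sensitive and not reversible
        if not hmac.compare_digest(m, expected):
            return False, pcr, f"halt: {stage.name} failed verification"
        if stage.next_hash is None:
            return True, pcr, "boot complete"
        expected = stage.next_hash
    return False, pcr, "halt: empty chain"


def attest(device_key: bytes, nonce: bytes, pcr: bytes) -> bytes:
    """Device side: quote = keyed MAC over nonce || PCR (stand-in for a TPM quote)."""
    return hmac.new(device_key, nonce + pcr, hashlib.sha256).digest()


def verify_quote(device_key: bytes, nonce: bytes, golden_pcr: bytes, quote: bytes) -> bool:
    """Backend side: recompute the quote for the golden PCR and the nonce it issued."""
    return hmac.compare_digest(attest(device_key, nonce, golden_pcr), quote)


def run_demo() -> Dict[str, object]:
    images = [("bootloader", b"BL v1"), ("vmm", b"MOS.x VMM v1"), ("di_os", b"DI partition image")]
    chain, rom_root = build_chain(images)
    device_key = b"constructed-device-key"  # would live in TEE/TPM secure storage

    # Golden boot: the OEM backend derives the reference PCR from the released images.
    booted_ok, golden_pcr, _ = secure_boot(rom_root, chain)

    # Tampered device: only the VMM image was replaced; bootloader and ROM are untouched.
    tampered = [chain[0], Stage("vmm", b"MOS.x VMM v1 + implant", chain[1].next_hash), chain[2]]
    booted_t, pcr_t, log_t = secure_boot(rom_root, tampered)

    nonce = os.urandom(16)  # fresh per attestation request, issued by the backend
    good_quote = attest(device_key, nonce, golden_pcr)
    tampered_quote = attest(device_key, nonce, pcr_t)  # what a device with a bypassed halt would send
    stale_quote = attest(device_key, b"previous nonce", golden_pcr)  # an earlier, captured quote
    return {
        "golden_boot": booted_ok,
        "tampered_boot": booted_t,
        "tampered_halt_log": log_t,
        "good_quote_accepted": verify_quote(device_key, nonce, golden_pcr, good_quote),
        "tampered_quote_rejected": not verify_quote(device_key, nonce, golden_pcr, tampered_quote),
        "replayed_quote_rejected": not verify_quote(device_key, nonce, golden_pcr, stale_quote),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:26s} {value}")
```

Two properties worth noticing: the measurement is extended into the register before the verification decision, so a modified stage changes the PCR even on a device that somehow continues past the halt, and the backend can still refuse it connectivity; and the nonce the backend issues is bound into the quote, so a quote captured from a healthy boot cannot be replayed later.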


SmartCore™ - First Implementation

The Past: four separate systems – Cloud Connectivity Unit, ADAS ECU, Instrument Cluster, Infotainment Head Unit

The Future: integrates driver information, ADAS, infotainment and Cloud connectivity with seamless HMI


SmartCore™ – Entry Version

Integration of driver information and infotainment in the instrument cluster

[Slide picture: Cluster Display and Steering Wheel Controls]


Summary

• Architectural evolution will dissolve classical domain boundaries over time

• Multicore SoCs are an ideal architecture for a next integration level

• Clear separation on SoC level with managed security is a prerequisite

• Cloud connectivity presents another challenge for IT security

[Slide diagram: Driver Information (ASIL B, Integrity / QNX); Infotainment (Linux/QNX); Cloud Services (Android/iOS); Security Gateway & Firewall Control (Integrity / QNX) with Intelligent Firewall Management; MOSX VMM; Multi-Source Multi-Sink A/V Compositor; Body Network]

Overall security chain must be a joint effort of OEM, Tier 1 and service provider


Thank you!

Q&A