Renesas Introduces How Secure Boot Is Realized on Both Types of Devices
Hi, I’m Satoshi Yamanaka, Principal Engineer for Automotive Security at Renesas. I’ve been on the security team at Renesas for 3 years. My division is responsible for automotive security, and we are in charge of customer support. We are glad to be able to convey the importance of automotive security to our customers through this blog. This blog article, part 2 in a three-part series, aims to give readers a basic understanding of what secure boot is and why it is needed.
There are two types of security IP on RH850 MCUs: ICU-S and ICU-M. In this blog article, we introduce how secure boot is realized on both types of devices.
Secure boot in ICU-S and ICU-M can be implemented based on the HIS (now AUTOSAR) Secure Hardware Extension (SHE) specification. If you want more information about the SHE specification, please refer to AUTOSAR SHE (URL: Specification of Secure Hardware Extensions (autosar.org)). Anyone can obtain the SHE specification from the AUTOSAR SHE site.


Secure boot implementation method using ICU-S on RH850
ICU-S is the Intelligent Cryptographic Unit equivalent to EVITA light.
Security software runs on the Main Processor Element (MainPE) in ICU-S MCUs. The MainPE can use hardware resources in the ICU-S module, such as cryptographic accelerators and secure key storage, through the special function register interface of the ICU-S.

ICU-S does not have a dedicated security-only CPU; secure boot runs on the non-secure CPU (PE1). To prevent tampering, the initial secure boot logic is stored in One Time Programmable (OTP) memory, and the reset vector must point to this immutable code. Along with OTP, secure boot on ICU-S devices uses the secure boot MAC key and secure boot MAC slots stored in protected memory within the ICU-S. In this strategy, the OTP memory and the ICU-S together form the Root of Trust.
Method Summary:
- Hardware Root of Trust: OTP flash memory and key storage protected in the ICU-S
- Tamper resistance: MAC and MAC key are securely stored in the protected ICU-S memory
- Cryptographic Algorithm: CMAC (NIST SP 800-38B)

Staged secure boot example using ICU-S on RH850:
1. After MCU reset, the CPU (PE1) starts and runs the secure boot program located in OTP memory.
2. The secure boot program verifies User Program A.
   - The secure boot program calculates the CMAC value from User Program A and the Boot MAC key.
   - The secure boot program compares the calculated result with the stored “CMAC value of Program A” (Note1).
3. If verification in step 2 passes, PE1 executes User Program A, which verifies User Program B with the help of the ICU-S.
   - Same as step 2 (Program A -> Program B).
4. If verification in step 3 passes, User Program B is executed by PE1.
Secure boot implementation method using ICU-M on RH850
ICU-M is the Renesas Intelligent Cryptographic Unit meeting the EVITA medium use case.
MCUs featuring ICU-M have a separate processor called the Intelligent Cryptographic Unit Processor (ICUP). Security software runs entirely on the ICUP. The ICUP has exclusive access to the hardware resources in the ICU-M, such as cryptographic accelerators and secure flash memory. Additionally, the ICUP can access some shared resources for communication with the Main Processor Element (MainPE).
Application software running on the MainPE cannot directly access resources in the ICU-M, such as cryptographic accelerators and secure flash. Therefore, the MainPE must request security services from the ICUP through a defined communication interface. This interface is defined by the ICU-M firmware design. MCUs featuring ICU-M support inter-processor communication through shared-memory mailboxes as well as inter-processor interrupts.

On devices with ICU-M, secure boot runs on the secure ICUP. The initial secure boot logic is stored in secure code storage accessible only to the ICU-M. The secure boot implementation verifies the application using a secure boot key stored within the protected ICU-M data flash. The secure boot key and the ICU-M form the hardware “Root of Trust”. After reset, the ICUP starts first and performs secure boot of the application software. After verification, the ICUP releases the other processor elements in the MCU from the reset state and they start operating. As mentioned earlier, hardware resources in the ICU-M, such as cryptographic accelerators and secure flash memory, are accessible only to the ICUP.
Method Summary:
- Hardware Root of Trust: ICU-M hardware and the secure boot program in Secure Code Flash (an attacker cannot change the secure boot program, which is protected by the ICU-M hardware)
- Tamper resistance: the Boot MAC is stored in protected data flash accessible only to the ICU-M
- Cryptographic Algorithms:
  - CMAC (NIST SP 800-38B)
  - RSA Digital Signature Algorithm

Staged secure boot example using ICU-M in an RH850 MCU (symmetric algorithms)
1. The ICUP is configured to be the boot processor after MCU reset.
2. User Program A is verified by the secure boot program in the ICU-M.
   - The secure boot program calculates the CMAC value from User Program A and the Boot MAC key.
   - The secure boot program compares the calculated result with the stored “CMAC value of Program A”.
3. If verification in step 2 passes, the CPU (PE1) is started by the ICU-M (security software).
4. PE1 executes User Program A, which verifies User Program B using the security software.
   - Same as step 2 (Program A -> Program B).
5. If verification in step 4 passes, User Program B is executed by PE1.

Staged secure boot example using ICU-M in an RH850 MCU (asymmetric algorithms)
1. The ICUP is configured to be the boot processor after MCU reset.
2. User Program A is verified by the secure boot program in the ICU-M.
   - The secure boot program calculates the message digest (hash) of User Program A.
   - The secure boot program recovers the message digest from the signature of Program A using the public key.
   - The secure boot program compares the two message digests.
3. If verification in step 2 passes, the CPU (PE1) is started by the ICU-M (security software).
4. PE1 executes User Program A, which verifies User Program B using the security software.
   - Same as step 2 (Program A -> Program B).
5. If verification in step 4 passes, User Program B is executed by PE1.
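The three staged examples above (ICU-S with CMAC, ICU-M with CMAC, ICU-M with RSA signatures) share one control flow: an immutable root verifies Program A, Program A asks the security service to verify Program B, and nothing past a failed stage is started. The following simulation is an added example written for this article, not Renesas or ICU firmware. It models that chain with two interchangeable verifier back-ends. Everything in it is assumed: the `SecurityService` class, `boot_chain`, `build_demo` and `tamper` are hypothetical helpers; HMAC-SHA256 stands in for AES-CMAC because the Python standard library has no AES; and the RSA is textbook, unpadded and demo-sized, so it shows the digest-recovery step of the asymmetric flow but is not a production signature scheme.

```python
"""Simulated two-stage secure boot chain, constructed for this article (not Renesas code).

Stage 0 (the immutable root) verifies User Program A; if that passes, Program A runs and
asks the same security service to verify User Program B before it is started.
  symmetric  - MAC of the image compared with the stored boot MAC slot
  asymmetric - SHA-256 digest of the image compared with the digest recovered from the
               image's RSA signature using the public key
Assumptions: HMAC-SHA256 stands in for AES-CMAC; RSA is textbook/unpadded, demo key size.
"""
import hashlib
import hmac
import secrets

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; sufficient for a demo key."""
    if n < 2 or n % 2 == 0:
        return n == 2
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Return ((n, e), (n, d)); 1024-bit modulus, demo size only."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sign_image(image: bytes, priv) -> int:
    """Build-time step (the private key never reaches the MCU): sign the image digest."""
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(image).digest(), "big"), d, n)

class SecurityService:
    """Stand-in for the ICU: holds the boot MAC key and MAC slots, or the public key."""
    def __init__(self, mac_key=None, mac_slots=None, public_key=None):
        self._mac_key, self._mac_slots, self._pub = mac_key, mac_slots or {}, public_key

    def verify_symmetric(self, name: str, image: bytes) -> bool:
        # Recompute the MAC from image and boot MAC key; compare with the stored slot.
        tag = hmac.new(self._mac_key, image, hashlib.sha256).digest()  # CMAC stand-in
        return hmac.compare_digest(tag, self._mac_slots.get(name, b""))

    def verify_asymmetric(self, image: bytes, signature: int) -> bool:
        # Digest computed from the image vs. digest recovered from signature + public key.
        n, e = self._pub
        size = (n.bit_length() + 7) // 8
        recovered = pow(signature, e, n).to_bytes(size, "big")
        expected = hashlib.sha256(image).digest().rjust(size, b"\x00")
        return hmac.compare_digest(recovered, expected)

def boot_chain(service, stages, mode: str) -> list:
    """Walk Program A then B; return the names allowed to run, stopping at the first failure."""
    started = []
    for name, image, signature in stages:
        ok = (service.verify_symmetric(name, image) if mode == "symmetric"
              else service.verify_asymmetric(image, signature))
        if not ok:
            break  # nothing after a failed stage is started
        started.append(name)
    return started

def build_demo(mode: str):
    """Constructed images plus provisioning; returns (service, stages)."""
    images = {"Program A": b"stage-A firmware bytes", "Program B": b"stage-B application bytes"}
    if mode == "symmetric":
        key = secrets.token_bytes(16)  # boot MAC key provisioned into the ICU
        slots = {n: hmac.new(key, img, hashlib.sha256).digest() for n, img in images.items()}
        return SecurityService(mac_key=key, mac_slots=slots), [(n, img, None) for n, img in images.items()]
    pub, priv = rsa_keygen()
    return SecurityService(public_key=pub), [(n, img, sign_image(img, priv)) for n, img in images.items()]

def tamper(stages, index: int):
    """Flip one byte of one stage's image to model a modified program."""
    out = list(stages)
    name, image, sig = out[index]
    out[index] = (name, bytes([image[0] ^ 0x01]) + image[1:], sig)
    return out
```

Running `boot_chain(*build_demo("symmetric")[:2], "symmetric")` returns both program names; tampering Program B stops the chain after A, and tampering Program A stops it before anything runs. The asymmetric path behaves the same way, and a modified signature fails for the same reason: the digest recovered with the public key no longer matches the digest computed from the image.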
Conclusion
In summary…
1. ICU-S and ICU-M can establish a “root of trust” and a “chain of trust”.
2. Secure boot in ICU-S and ICU-M can be implemented based on the HIS (now AUTOSAR) SHE specification.
3. Secure boot in ICU-M can be implemented based on signature verification.
Keep an eye out for part three in our secure boot series where Phil Lapczynski-san will introduce secure boot concepts on our R-Car SoC devices.
This document is provided by Sekorm Platform for VIP exclusive service. The copyright is owned by Sekorm. Without authorization, any medias, websites or individual are not allowed to reprint. When authorizing the reprint, the link of www.sekorm.com must be indicated.