

## MAXIMIZING SECURITY USING THE SECURE MCU FEATURES

#### FTF-AUT-N1810

JUERGEN FRANK SR. SYSTEM ENGINEER FTF-AUT-N1810 MAY 17, 2016



PUBLIC USE



## AGENDA

- Security Use-Cases & Attacks
- Automotive Specifications
- NXP Automotive MCU Security Features
  - Secure Start-Up & Secure Boot
  - Flash Protection
  - PASS
  - TDM
  - Security Modules
    - CSE
    - HSM





## FTF-AUT-N1810

#### **TITLE: Maximizing Security using the Secure MCU Features**

This presentation will cover the Hardware Security Module (HSM) and how to use software kits NXP published for it (HSM Security Firmware and HSM SDK). Other device security features offered by modules like PASS or TDM and their configuration will be discussed, too.



## NXP Automotive Vehicle Security Architecture (4 +1 Solution)



- NXP #1 in Auto HW Security
- 4-Layer Cyber Security Solution
- Plus 'Best In Class' Car Access Systems
- Recognized Thought & Innovation Leader
- Partner of Choice for OEMs, T1s & Industry Alliances



## Hardware Security is a Must

- Crypto accelerators, to guarantee strict performance requirements
  - E.g. V2X message authentication, CAN authentication, secure boot, ...
- Hardware-enforced isolation, to protect against software attacks
  - E.g. system vs. user mode, TrustZone, SHE/HSM, ...
- Tamper-resistant hardware, to protect against advanced, physical attacks
  - E.g. Secure Elements



## **Security Throughout the Entire Lifecycle**

- Increased security level at each stage of the development lifecycle
- Non-reversible, non-revocable
- Enable application development, debugging and failure analysis
- Without compromising security in the production vehicle

[Figure: security level over the vehicle lifecycle. Axes: Security Level, Vehicle Lifecycle. Stage labels: Out of Fab, Application Development, Production, In Field, Field Return]



## **Proven History in Driving Automotive Security**

#### Mid 1990s

- Censorship
- Infrastructure

#### Early 2000s

- Enhanced Censorship
- Infrastructure

#### Mid 2000s

- High Assurance Boot
- Fault detection sensors

#### Late 2000s

- Crypto Services Engine (SHE)
- Active shields

#### 2010s +

- Hardware Security Module (HSM)
- Secure Elements (SE)
- Gateway, IVN security


## 4 Layers to Securing a Car

#### **Layer 1: Protect External Interface**

Secure M2M authentication, secure key storage



#### Layer 2: Isolate Network

Domain isolation, firewall/filter, centralized intrusion detection (IDS)



#### Layer 3: Secure Network

CAN ID Killer, message authentication, distributed intrusion detection (IDS)

#### Layer 4: Secure Processing

Secure boot, run time integrity, OTA updates

[Figure: in-vehicle network diagram. Labels: Safety domain, Comfort domain, Gateway, Braking, Powertrain, Cluster, Body, TCU, OBD]

## SECURITY USE-CASES & ATTACKS



## **Security Use Cases**

#### **In-Vehicle Security**

- Immobilizer / Component Protection
- Mileage Protection
- Secure Boot and Chain of Trust
- Secure Communication
- DRM for Batteries

#### **Connected Vehicle Security**

- Android application download
- DRM for content download/streaming
- Remote ECU firmware update
- Black box due to government or insurance requirements
- Car-to-Car communication



## **Other Automotive Security Threats**

**Transportation Department Warns Against Counterfeit Air Bags** (October 10, 2012): NHTSA estimates that 0.1% of the US fleet is affected; the availability of such replacement systems traces back to 2003 (!)





#### DARPA Funded Researchers Take Control Of Two Vehicles

Using a MacBook connected to the On-Board Diagnostics port. Dr. Charlie Miller and Chris Valasek, July 2013, Defcon: Adventures in Automotive Networks and Control Units [http://illmatics.com/car_hacking.pdf]

#### Mileage Manipulation (in Germany)

- 2 million manipulated cars per year
- Average increase in value per car: ~3000 €
- Total loss 6 billion euro





## The ConnectedDrive – Unlock the Doors

#### Issue/Hack:

- No individual keys per car
- Keys stored in readable flash / Firmware readable
- Debug-port active
- Outdated or no encryption on some services
- No integrity check of the device configuration
- No authentication of the counterpart station
- ~ 2.2 million affected cars

#### **Security Requirements:**

- Improve key management
- Use existing device features (e.g. disable debug port)
- Crypto modules with:
  - Secure key storage
  - Support for a current cipher algorithm (e.g. AES-128)





## **Vehicle – Out of Control**

#### **Issue/Hack:**

- Radio/Infotainment system is directly connected to both CAN buses
- Weak Wi-Fi password system and network configuration (e.g. open D-Bus)
- Weak firmware update process
- Debug-port active
- No secure boot
- Flash content readable
- No encrypted firmware image, no signatures
- OEM has to recall 1.4 Million Cars Over Hacking

#### Solution:

- Improve network architecture
- Firmware image authentication during update
- Use Secure Boot
- Use Message Authentication for safety-relevant messages (e.g. Brake / Steering Wheel control)
- Use existing device features (e.g. disable debug port)



Due to several weaknesses, it is possible to execute code on the MPU remotely via the GSM network. Additionally, it is possible to modify the MCU firmware and send faked CAN messages via the MCU into the car network. Finally, it was possible to deactivate the brakes remotely!



#### **Automotive Security Specifications**

- HIS SHE Specification
  - Created by German OEMs, published as official HIS standard
- EVITA Project → Hardware Security Module (HSM)
  - Defined three security modules of different complexity (low, medium, high) for different use-cases
- SAE J3061™ / J3101™
  - J3061™: CYBERSECURITY GUIDEBOOK FOR CYBER-PHYSICAL VEHICLE SYSTEMS
  - J3101™: Hardware Protected Security for Ground Vehicles
- Trusted Computing Group Trusted Platform Module 2.0 (TPM) automotive profile
- AUTOSAR Specifications
  - E.g. Secure Onboard Communication (Release 4.2.2)



## NXP MCU SECURITY FEATURES



## **HSM Security Architecture**

Features:

- Device life cycle scheme
- Unique ID for each device
- Debugger restrictions
- Flash Protection (TDM & PASS)
  - OTP
  - read / write & erase
  - diary to log erasing-steps

Abbreviations:

- SSCM: System Status Configuration Module
- PASS: Password And Device Security Module
- TDM: Tamper Detection Module
- HSM: Hardware Security Module
- MPU: Memory Protection Unit
- DCF: Device Configuration Format



#### **Secure System Configuration – Side Attack**

| | Wait for POR LVD trigger | Flash virgin check (Device2 only) | TESTMODE pin | Read FA sealing word | Life-Cycle DCF | DCF read (integrity) |
|---|---|---|---|---|---|---|
| Attack goal | No attack is possible | Create a fake Flash virgin status so that the Test Mode interface is open | Be able to manipulate the voltage and the temperature without any reaction from the internal protection mechanisms | Disable the FA sealing, so that secret data can be accessed in Test Mode when LifeCycle = FA | Revert the life cycle to an "older" one so that the security mechanisms are open | Manipulate information read from the Flash during the reset |
| Attack method | - | Voltage or temperature manipulation | Force TESTMODE pin | Voltage or temperature manipulation | Read the 1st LifeCycle DCF and then apply voltage or temperature manipulation | Voltage or temperature manipulation |
| Effect | - | Corrupt the Flash Virgin check reading | Voltage and temperature monitors can be disabled | Corrupt the Seal word check reading | Only the 1st LifeCycle will be valid: protections are disabled | Corrupt the DCF value |
| Solution | The device will not exit the Reset phase | Flash = Virgin only if<br>1. Read word failed AND<br>2. Seal pad + No fail from (non-maskable) Volt/Temp monitors | 1. Pre-Life cycle: the monitor disabling is applied only if a specific key is written into the Flash<br>2. 4xDCF parallel reading | Voltage monitors disabling is protected by Pre-Life cycle. They can't be disabled when "In Field" | 1. Voltage monitors disable is protected by Pre-Life cycle. They can't be disabled when "In Field"<br>2. 4xDCF LifeCycle are read in one shot | |

[Figure: power-on timing diagram above the table columns, showing the VCC ramp with labels 1.177, safe_window_check and 1.05V. Note on the diagram: no clock manipulation is possible, as the internal RCOSC is used.]



#### **UTest Memory Map**

| Address    | Size [Bytes] | Description                         | Address    | Size [Bytes] | Description                          |
|------------|--------------|-------------------------------------|------------|--------------|--------------------------------------|
| 0x00400000 | 2            | Sensor Calibration A                | 0x00400140 | 32           | PASS Password Group 0                |
| 0x00400002 | 2            | Sensor Calibration B                | 0x00400160 | 32           | PASS Password Group 1                |
| 0x00400004 | 2            | Sensor Calibration C                | 0x00400180 | 32           | PASS Password Group 2                |
| 0x00400006 | 2            | Sensor Calibration D                | 0x004001A0 | 32           | PASS Password Group 3                |
| 0x00400008 | 4            | Reserved                            | 0x004001C0 | 32           | Reserved - PASS Password Group       |
| 0x0040000C | 4            | Test Mode Disable Seal              | 0x004001E0 | 32           | Reserved - PASS Password Group 5     |
| 0x00400010 | 16           | Test Mode Disable Block Group A     | 0x00400200 | 16           | Lifecycle slot 0 – FSL Production    |
| 0x00400020 | 16           | Factory Erase diary Location        | 0x00400210 | 16           | Lifecycle slot 1 – Customer Delivery |
| 0x00400030 | 16           | Test Mode Disable Block Group B     | 0x00400220 | 16           | Lifecycle slot 2 – OEM Production    |
| 0x00400040 | 32           | Customer Single Bit Correction Area | 0x00400230 | 16           | Lifecycle slot 3 – In-Field          |
| 0x00400060 | 32           | Customer Double Bit Detection Area  | 0x00400240 | 16           | Lifecycle slot 4 – Failure Analysis  |
| 0x00400080 | 32           | Customer EDC after ECC Area         | 0x00400250 | 176          | Reserved                             |
| 0x004000A0 | 32           | UID                                 | 0x00400300 | 8            | DCF Start Record                     |
| 0x004000C0 | 4            | Soft DCF Record Start Address       | 0x00400308 | 64           | DCF HSM 'ROM' keys                   |
| 0x004000C4 | 4            | Reserved                            | 0x00400348 | 3256         | DCF Records                          |
| 0x004000C8 | 56           | Reserved                            | 0x00401000 | 12288        | Reserved for custom OTP data         |
| 0x00400100 | 4            | Test Mode Override Passcode         |            |              |                                      |
| 0x00400104 | 28           | Reserved                            |            |              |                                      |
| 0x00400120 | 32           | JTAG Password                       |            |              |                                      |



## **Secure System Configuration**

During the reset phase, configuration data is moved from a special flash block (UTEST) to the security modules by the System Status Configuration Module (SSCM).





## **Device Configuration Format (DCF)**

DCF entry (2x 32-bit words):

| Word | Content                     | Fields                                       |
|------|-----------------------------|----------------------------------------------|
| 0    | Data                        | WDATA[31:0]                                  |
| 1    | Destination Module/Register | Module [14:0], Register [12:2], Parity, Stop |

| Module | Client                                     |
|--------|--------------------------------------------|
| CS2    | Self-Test Control Unit (STCU)              |
| CS3    | Password and Device Security Module (PASS) |
| CS4    | Tamper Detection Module (TDM)              |
| CS5    | Hardware Security Module (HSM)             |
| CS7    | MISC                                       |
| CS14   | BAF Soft Clients                           |
|        |                                            |

[Figure: DCF record list in UTEST at different stages. Empty flash → no action: No Start Record. Initial Programming: Start Record; Data Record – CS1, AD=0; Data Record – CS2, AD=0; Data Record – CS0, AD=0; Stop Record. Extension: Start Record; Data Record – CS1, AD=0; ...]

| Client Strategy                | Description |
|--------------------------------|-------------|
| None                           | No special DCF strategy is used. |
| Parity                         | Not implemented for DCF clients. Only used for TEST-only DCF clients not accessible by the user. |
| Write Once                     | A register using the Write Once strategy can only be written once. The DCF client ignores subsequent writes. |
| Triple Voted                   | DCF clients that use the Triple Voted strategy have three copies of the register. The SSCM will write to all three registers in a single write cycle. The outputs of the 3 registers are majority voted together to determine the correct data value. Triple voting allows for a 'bit-flip' error to occur without changing the DCF client output data. |
| Triple Voted with second write | DCF clients that use the Triple Voted with 2nd write strategy have three copies of the register. The SSCM will write to all three registers in a single write cycle. The outputs of the 3 registers are majority voted together to determine the correct data value. During the second execution of Phase 3 of the reset sequence, the SSCM will attempt to write the DCF client again. At this time, the DCF client checks to see that the register contains the same data that is being written again. |
| Write 0 only                   | A bit in a DCF client can only be written from a logic 1 to a logic 0. An attempt to write a bit with this attribute to a logic 1 will be ignored. |
| Write 1 only                   | A bit in a DCF client can only be written from a logic 0 to a logic 1. An attempt to write a bit with this attribute to a logic 0 will be ignored. |


#### **UTest – Dump**

| Annotation                           | +1C      | +18      | +14      | +10      | +0C      | +08      | +04      | +00      | Address  |
|--------------------------------------|----------|----------|----------|----------|----------|----------|----------|----------|----------|
|                                      |          |          |          |          | ...      |          |          |          |          |
|                                      | FFFFFFFF | FFFFFFFF | 55AA50AF | 55AA50AF | 55AA50AF | 55AA50AF | 55AA50AF | 55AA50AF | 00400200 |
| Lifecycle slots Valid/Invalid        | FFFFFFFF | FFFFFFFF |          |          |          |          |          |          | 00400220 |
|                                      | FFFFFFFF |          |          |          |          |          |          |          | 00400240 |
|                                      |          |          |          |          | ...      |          |          |          |          |
| DCF-Start, 2x Secret Key (128 bits)  | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 05AA55AF | 00400300 |
|                                      | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00000000 | 00400320 |
|                                      | 0008000C | 7F000000 | 00080008 | 2C015674 | 00080008 | D3FEA98B | 00000000 | 00000000 | 00400340 |
| DCF Records                          | FFFFFFFF | FFFFFFFF | FFFFFFFF | FFFFFFFF | 00400040 | 00000003 | 00080000 | 00000400 | 00400360 |
| DCF-End                              |          | FFFFFFFF | FFFFFFFF | FFFFFFFF | FFFFFFFF | FFFFFFFF | FFFFFFFF | FFFFFFFF | 00400380 |
|                                      |          |          |          |          | ...      |          |          |          |          |

| Data     | Destination<br>Module/Register | Module<br>[14:0]    | Reg<br>[16:2]          | Parity | Stop | Module & Register |
|----------|--------------------------------|---------------------|------------------------|--------|------|-------------------|
| D3FEA98B | 00080008                       | 000_0000_0000_0100b | 0_0000_0000_0000_1000b | 0      | 0    | STCU.SKC          |
| 2C015674 | 00080008                       | 000_0000_0000_0100b | 0_0000_0000_0000_1000b | 0      | 0    | STCU.SKC          |
| 7F000000 | 0008000C                       | 000_0000_0000_0100b | 0_0000_0000_0000_1100b | 0      | 0    | STCU.CFG          |
| 00000400 | 00080000                       | 000_0000_0000_0100b | 0_0000_0000_0000_0000b | 0      | 0    | STCU.RUN          |
| 00000003 | 00400040                       | 000_0000_0010_0000b | 0_0000_0000_0100_0000b | 0      | 0    | HSM.ENABLE_CONFIG |
| FFFFFFFF | FFFFFFFF                       | 111_1111_1111_1111b | 1_1111_1111_1111_1100b | 1      | 1    | DCF-Stop          |
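
The decode shown in the table can be done mechanically when auditing a UTEST image. The C program below is an added example, not code from the presentation or from NXP: it walks the DCF record area of the dump, splits each destination word the way the decode table does, and stops at the Stop record. The bit positions (module field in the top 15 bits, read as a one-hot chip select; register address in bits [16:2]; Parity; Stop) and all function names are assumptions derived from the tables on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One DCF record = data word followed by destination word. */
typedef struct {
    uint32_t data;   /* word 0: WDATA[31:0] */
    uint32_t dest;   /* word 1: raw destination word */
    int      cs;     /* chip-select index; -1 if the module field is not one-hot */
    uint32_t reg;    /* register byte offset inside the client */
    int      parity; /* destination bit 1 (assumed position) */
    int      stop;   /* destination bit 0 (assumed position) */
} dcf_record;

/* DCF record area of the page's UTest dump, in ascending address order
 * starting at 0x00400348 (the dump table lists each row right to left). */
#define DCF_RECORDS_BASE 0x00400348ul
const uint32_t utest_dcf_words[] = {
    0xD3FEA98Bu, 0x00080008u,
    0x2C015674u, 0x00080008u,
    0x7F000000u, 0x0008000Cu,
    0x00000400u, 0x00080000u,
    0x00000003u, 0x00400040u,
    0xFFFFFFFFu, 0xFFFFFFFFu,   /* DCF-Stop */
    0xFFFFFFFFu, 0xFFFFFFFFu,   /* erased flash after the list */
};
#define UTEST_DCF_NWORDS (sizeof utest_dcf_words / sizeof utest_dcf_words[0])

/* DCF clients as listed in the Module/Client table on the page. */
const char *dcf_client_name(int cs)
{
    switch (cs) {
    case 2:  return "STCU";
    case 3:  return "PASS";
    case 4:  return "TDM";
    case 5:  return "HSM";
    case 7:  return "MISC";
    case 14: return "BAF Soft Clients";
    default: return "unknown";
    }
}

/* Index of the single set bit, or -1 if zero or more than one bit is set. */
int dcf_one_hot_index(uint32_t field)
{
    int idx = 0;
    if (field == 0 || (field & (field - 1u)) != 0)
        return -1;
    while ((field & 1u) == 0) {
        field >>= 1;
        idx++;
    }
    return idx;
}

dcf_record dcf_decode(uint32_t data, uint32_t dest)
{
    dcf_record r;
    r.data   = data;
    r.dest   = dest;
    r.cs     = dcf_one_hot_index(dest >> 17);   /* Module [14:0] */
    r.reg    = dest & 0x0001FFFCu;              /* Reg [16:2], low bits zero */
    r.parity = (int)((dest >> 1) & 1u);
    r.stop   = (int)(dest & 1u);
    return r;
}

/* Decode records until a Stop record or the end of the buffer. Returns the
 * number of records stored (Stop record included) and sets *terminated. */
size_t dcf_walk(const uint32_t *w, size_t nwords,
                dcf_record *out, size_t max_out, int *terminated)
{
    size_t n = 0;
    *terminated = 0;
    for (size_t i = 0; i + 1 < nwords && n < max_out; i += 2) {
        out[n] = dcf_decode(w[i], w[i + 1]);
        n++;
        if (out[n - 1].stop) {
            *terminated = 1;
            break;
        }
    }
    return n;
}

/* Number of data records that target one client register. */
size_t dcf_count_writes(const dcf_record *r, size_t n, int cs, uint32_t reg)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (!r[i].stop && r[i].cs == cs && r[i].reg == reg)
            hits++;
    return hits;
}

int main(void)
{
    dcf_record recs[16];
    int terminated;
    size_t n = dcf_walk(utest_dcf_words, UTEST_DCF_NWORDS, recs, 16, &terminated);

    for (size_t i = 0; i < n; i++) {
        unsigned long addr = DCF_RECORDS_BASE + 8ul * (unsigned long)i;
        if (recs[i].stop)
            printf("%08lX  DCF-Stop\n", addr);
        else
            printf("%08lX  CS%d (%s) reg 0x%05lX <- 0x%08lX parity %d\n",
                   addr, recs[i].cs, dcf_client_name(recs[i].cs),
                   (unsigned long)recs[i].reg, (unsigned long)recs[i].data,
                   recs[i].parity);
    }
    if (!terminated)
        puts("warning: no Stop record before end of buffer");
    return 0;
}
```

Records whose module field does not decode to exactly one chip select, or a list that runs to the end of the buffer without a Stop record, are the cases worth a manual look in an audit.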



## Lifecycle Mechanism & States


#### **Secure Boot – Detect Code Manipulation**

The BAF is located in a 16 KB block of flash that is mapped adjacent to the UTEST flash memory block. It is one time programmable (OTP) and is programmed during factory test.

#### **Functions:**

- BAF is executed by CPU0
- Checks the life cycle of the device
- Run Secure Boot loop (optional)
- Execute SoftDCF clients (optional)
- Search boot header and boot options
- If no boot header is found, it downloads application code via LINFlexD





#### **Flash Memory Protection**

Non-volatile flash memory consists of multiple blocks with different purposes and access possibilities:

- Read (location, master, lifecycle)
- Erase (location, master, lifecycle, OTP)
- Write (location, master, lifecycle, OTP)

The Password And Device Security Module (PASS) and the Tamper Detection Module (TDM) handle the access.





#### **PASS Overview**

- The PASS module provides the following features:
  - Lock & JTAG password comparison (all 256 bits long)
  - Life cycle status register
- Each Lock password corresponds to a group of 4 configuration registers: Lock0/1/2/3.
- On a successful Lock password comparison, write access is granted to the register corresponding to the password group.

| Password | Password group | Controls                   |
|----------|----------------|----------------------------|
| JTAG PWD |                | DEBUG                      |
| PWD3     | PWD group 3    | Lock3, Lock2, Lock1, Lock0 |
| PWD2     | PWD group 2    | Lock3, Lock2, Lock1, Lock0 |
| PWD1     | PWD group 1    | Lock3, Lock2, Lock1, Lock0 |
| PWD0     | PWD group 0    | Lock3, Lock2, Lock1, Lock0 |





#### **PASS – Erase/Pgm Protection**








## **PASS Lock Registers**

The resulting lock status of a Flash block is determined by the logical ORing of the block lock bits in all password groups. If a block is locked in multiple groups, then all lock bits for the block need to be cleared (by writing the corresponding lock register bit) before program and erase is possible.
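
The OR rule means a block stays locked until its bit has been cleared in every password group that locks it. The C model below is an added example, not NXP code and not the PASS register map: the structure, the function names, the polarity (bit = 1 means locked), the reset-load helper and the sample passwords are assumptions chosen to illustrate the rule.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PASS_GROUPS    4   /* password groups 0..3 */
#define PASS_LOCK_REGS 4   /* Lock0..Lock3 in each group */
#define PASS_PWD_BYTES 32  /* 256-bit passwords, as stated on the page */

typedef struct {
    uint8_t  pwd[PASS_GROUPS][PASS_PWD_BYTES];
    int      provisioned[PASS_GROUPS];
    uint32_t lock[PASS_GROUPS][PASS_LOCK_REGS]; /* bit n = 1: block n locked */
    int      unlocked[PASS_GROUPS];             /* write access to lock regs */
} pass_model;

void pass_init(pass_model *m) { memset(m, 0, sizeof *m); }

/* Model of provisioning a group password (kept in UTEST on the device). */
void pass_provision(pass_model *m, int g, const uint8_t *pwd)
{
    memcpy(m->pwd[g], pwd, PASS_PWD_BYTES);
    m->provisioned[g] = 1;
}

/* Model of the lock value a group holds after reset (hypothetical helper). */
void pass_reset_load(pass_model *m, int g, int reg, uint32_t value)
{
    m->lock[g][reg] = value;
    m->unlocked[g] = 0;
}

/* Password comparison without early exit. Returns 1 on match. */
int pass_submit_password(pass_model *m, int g, const uint8_t *candidate)
{
    uint8_t diff = 0;
    if (g < 0 || g >= PASS_GROUPS || !m->provisioned[g])
        return 0;
    for (size_t i = 0; i < PASS_PWD_BYTES; i++)
        diff = (uint8_t)(diff | (m->pwd[g][i] ^ candidate[i]));
    m->unlocked[g] = (diff == 0);
    return m->unlocked[g];
}

/* A lock register write is accepted only after the group's password
 * comparison succeeded. Returns 0 if accepted, -1 if ignored. */
int pass_write_lock(pass_model *m, int g, int reg, uint32_t value)
{
    if (g < 0 || g >= PASS_GROUPS || reg < 0 || reg >= PASS_LOCK_REGS)
        return -1;
    if (!m->unlocked[g])
        return -1;
    m->lock[g][reg] = value;
    return 0;
}

/* Resulting lock status of one block: OR of its bit over all groups. */
int pass_block_locked(const pass_model *m, int reg, unsigned bit)
{
    uint32_t effective = 0;
    for (int g = 0; g < PASS_GROUPS; g++)
        effective |= m->lock[g][reg];
    return (int)((effective >> bit) & 1u);
}

int main(void)
{
    pass_model m;
    uint8_t pw0[PASS_PWD_BYTES], pw2[PASS_PWD_BYTES];

    memset(pw0, 0xA5, sizeof pw0);              /* constructed sample values */
    memset(pw2, 0x3C, sizeof pw2);
    pass_init(&m);
    pass_provision(&m, 0, pw0);
    pass_provision(&m, 2, pw2);
    pass_reset_load(&m, 0, 0, 1u << 7);         /* block 7 locked by group 0 */
    pass_reset_load(&m, 2, 0, 1u << 7);         /* ... and by group 2 */

    pass_submit_password(&m, 0, pw0);
    pass_write_lock(&m, 0, 0, 0);
    printf("after group 0 unlock: locked=%d\n", pass_block_locked(&m, 0, 7));

    pass_submit_password(&m, 2, pw2);
    pass_write_lock(&m, 2, 0, 0);
    printf("after group 2 unlock: locked=%d\n", pass_block_locked(&m, 0, 7));
    return 0;
}
```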



## **TDM - One Time Programmable**

#### **One Time Programmable (OTP) definition:**

- A Flash block assigned as OTP cannot be erased.
- Programming can only be done on an erased location.
- Overprogramming is not possible.





#### **TDM – OTP DCF Record**





## **TDM – Diary**

Erase cycles are permanently recorded in the diary. The OEM can compare erase cycles between the OEM database and the ECU and thereby detect tamper events.

Every erase event requires a diary update before actual execution. A maximum of 6 diary regions are defined by DCF records.

Before a flash block assigned to a diary region can be erased, an update to the diary has to be made, which is supervised by the TDM.





## **TDM – Diary Configuration**

There are 6 tamper detect regions (TDR) in the diary (12 KB overall), each having 256 x 8 bytes (2 KB).

For every region, specific flash blocks can be independently monitored.

One entry in a TDR (for example a counter) is 8 bytes long and can hold any data.

Set of DCF Records:

- Start address (aligned on 4 KB) of the diary in a flash block: DCF_TDR_DIARY_BASE (Address)
- 4 DCF records per TDR to define the blocks being monitored by a TDR: DCF_TDR_LOCKx (LOCK3, LOCK2, LOCK1, LOCK0)

[Figure: flash block map with Read While Write boundaries (16 KB UTEST, 16 KB BAF, 16 KB and 64 KB HSM blocks, 16 KB / 32 KB / 64 KB blocks, 8x 256 KB, 3x 256 KB) and the diary layout: TDR 0, TDR 1, ... TDR x, each holding Entry 0 ... Entry 255]



#### **Flash Memory Protection Levels**





#### **Cryptographic Services Engine (CSE)** e.g. MPC564xB/C

- CSE module implements the official HIS SHE-Specification
- 32-bit secure core working at 120 MHz
- AES-128
  - Supported crypto modes: ECB & CBC
  - Throughput 100 Mbit/sec
  - Latency 2 µs per encoding/decoding operation
- CSE module interfaces:
  - Crossbar master interface
  - Configuration interface
- Secure flash blocks assigned to the CSE module. Accesses from other masters are impossible.
- PRNG seed generation via TRNG
- CSE Core not programmable by customer






#### Hardware Security Module (HSM) v1: MPC5746M / MPC5777M & v2: MPC5748G / MPC5746C

The HSM is freely programmable by the customer; additional security algorithms can be implemented in software.

#### **Features:**

- e200z0h core (v1: 100MHz / v2: 80 MHz)
- 4Kbytes Instruction cache
- Secure Debugger Interface
- Cryptographic Modules with AES-128, Random Number Generator, DMA
- Sensor Interface monitor for voltage, temperature and clock (v1)
- Memory
  - SRAM (v1: 40 Kbytes / v2: 32 Kbytes)
  - Flash
    - code: 2 x 64 Kbytes + 1 x 16 Kbytes
    - data: 2 x 16 Kbytes



juergen.frank@freescale.com



#### **SHE Firmware**

- Release 1.0 is available for MPC574xG (3M & 6M)
- Firmware implements the CSE2 feature set (SHE firmware + Global-B requirements) on the HSM
- Firmware "emulates" the CSE register interface, to simplify porting of existing SW stacks (e.g. Elektrobit)
- Firmware is delivered pre-programmed in the device
  - No SHE firmware programming and DCF configuration required by customer

## **Security SDK Feature Set**

- HSM startup code
- Configurable user interface, which helps application access security features implemented in HSM from HOST Application cores
- Services to expose HSM platform feature for Application development like Cache & Interrupt Controller APIs, SMPU Configuration APIs, CMU APIs, Timer APIs (Watch dog & PIT), Host Register Interface APIs, Flash Programming interfaces
- Support functions to manage secure key area
- True & Pseudo Random number generator handling
- Debugger Activation protocol support
- FSL Crypto Library
  - Symmetric cryptography support.
    - AES-128 Encryption & Decryption
    - Confidentiality mode: ECB, CBC, CFB, OFB, CTR, XTS
    - Authentication modes: AES-128 based CMAC
    - Confidentiality + Authentication modes: GCM
  - Asymmetric Cryptography support:
    - RSA, ECC based encryption & Decryption
  - Hashing Algorithm : SHA2/SHA3
- The SDK is intended to be ported to next HSM generation



#### **Attack and Protection Schemes - Summary**

| Attacker Method                             | Protection Scheme                                                                                           | NXP Solutions                                                                                                                                                                                                                                                             |
|---------------------------------------------|-------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Flash Modification                          | <ul> <li>Secure Boot (e.g. SHE)</li> <li>Protect FLASH blocks against modifications</li> </ul>         | <ul> <li>CSE &amp; HSM offer full secure boot support</li> <li>PASS module implements password-based read/write protection</li> <li>TDM provides a mechanism for configuring individual flash memory blocks as One Time Programmable (OTP)</li> </ul>                    |
| Read FLASH content                          | <ul> <li>Disable the debugger interface</li> <li>FLASH Read Protection</li> <li>Read crypto keys</li> </ul> | <ul> <li>Censorship / Life-Cycle offers a debug disable feature (with/without password)</li> <li>PASS module implements password-based read protection</li> <li>CSE &amp; HSM offer secure key storage</li> <li>CSE &amp; HSM can en-/decrypt firmware/data</li> </ul> |
| Car network without access                  | <ul><li>Encryption for information hiding</li><li>Signatures for message authentication</li></ul>           | <ul> <li>CSE &amp; HSM offer AES-128, a standard algorithm, with CMAC support</li> </ul>                                                                                                                                                                           |
| Replay attacks on car networks              | Use of a challenge-response process                                                                         | <ul> <li>CSE &amp; HSM offer a TRNG/PRNG system to generate a random number (challenge)</li> </ul>                                                                                                                                                                   |
| Replacing an ECU with another one           | <ul> <li>Use of secure communication and unique ECU IDs (UID)</li> </ul>                              | CSE & HSM devices offer a UID programmed by Freescale                                                                                                                                                                                                                    |
| Physical attacks via out-of-spec execution  | <ul> <li>Monitors for voltage / temperature / frequency</li> <li>Glitch-resistant design</li> </ul>         | <ul> <li>Devices have sensors for several environmental conditions</li> <li>Device configuration modules are reviewed and hardened against glitch attacks</li> </ul>                                                              |
| Side channel attacks                        | Increase the overall power-noise                                                                            | <ul> <li>On c55 devices, the customer can configure random noise during secure boot and encryption</li> </ul>                                                                                                              |
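
The replay and ECU-replacement rows above combine three building blocks: a random challenge, a keyed MAC, and a unique ECU ID. The sketch below is an added example, not NXP code and not the CSE/HSM API: HMAC-SHA-256 truncated to 128 bits stands in for the AES-128 CMAC the hardware would compute, `secrets` stands in for the TRNG/PRNG, and the class names, key and UID values are hypothetical.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 16  # 128-bit tag, the size of an AES-128 CMAC


def mac(key: bytes, *fields: bytes) -> bytes:
    """Keyed MAC over length-prefixed fields (HMAC-SHA-256 stand-in for CMAC)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)  # prefix avoids field-boundary ambiguity
    return h.digest()[:MAC_LEN]


class Responder:
    """ECU proving its identity; key and UID would sit in CSE/HSM key storage."""

    def __init__(self, key: bytes, uid: bytes):
        self._key, self.uid = key, uid

    def respond(self, challenge: bytes, payload: bytes):
        return self.uid, payload, mac(self._key, challenge, self.uid, payload)


class Verifier:
    """ECU that issues challenges and accepts each one at most once."""

    def __init__(self, keys_by_uid: dict):
        self._keys = keys_by_uid   # provisioned UID -> shared key (constructed data)
        self._pending = set()      # challenges issued and not yet consumed

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # assumption: stands in for TRNG/PRNG output
        self._pending.add(c)
        return c

    def verify(self, challenge: bytes, uid: bytes, payload: bytes, tag: bytes) -> bool:
        if challenge not in self._pending:
            return False                  # unknown or already used: replay
        self._pending.discard(challenge)  # single use, even if the check fails
        key = self._keys.get(uid)
        if key is None:
            return False                  # UID not provisioned: replaced ECU
        return hmac.compare_digest(tag, mac(key, challenge, uid, payload))
```

Binding the UID and the challenge into the MAC input is what makes a recorded response useless under a fresh challenge or from a different ECU.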



## Summary

- NXP has offered innovative automotive security solutions for years
- Crypto modules alone do not support all customer use cases
- NXP offers security solutions for all 32-bit MCU segments

NXP Security Solution for Automotive MCU

|                      | Device              | Platform                         | Module                      |
|----------------------|---------------------|----------------------------------|-----------------------------|
| MCU (internal flash) | MPC564xB/C          | PowerPC e200                     | CSE                         |
| MCU (internal flash) | MPC5746M / MPC5777M | PowerPC e200                     | HSMv1                       |
| MCU (internal flash) | MPC5748G / MPC5746C | PowerPC e200                     | HSMv2                       |
| MCU (internal flash) | MPC5777C            | PowerPC e200                     |                             |
| MCU (internal flash) | Radar MCU           | PowerPC e200                     | CSE2                        |
| MCU (internal flash) | MAC57D54H           | ARM Cortex-A5/M4                 | CSE2                        |
| MPU (flash-less)     | S32V243             | ARM Cortex-Ax/Mx &amp; ARM9/11   | CSE3 / OTFAD / TrustZone    |
| MPU (flash-less)     | VFxxx               | ARM Cortex-Ax/Mx &amp; ARM9/11   | TrustZone                   |
| MPU (flash-less)     | i.MX                | ARM Cortex-Ax/Mx &amp; ARM9/11   | + CAAM                      |




