

# RECENT ADVANCES IN SECURE MCU SECURITY OFFERINGS

#### FTF-AUT-N1812

JUERGEN FRANK SR. SYSTEM ENGINEER FTF-AUT-N1812 MAY 16, 2016



PUBLIC USE



# AGENDA

- Security Use Cases and Attacks
- The HIS SHE Specification Overview
- Crypto Service Engine (CSE) Overview
- CSE3 on Flash-less Devices (e.g. S32V243)



## NXP Automotive Vehicle Security Architecture (4 +1 Solution)



- NXP #1 in Auto HW Security
- 4-Layer Cyber Security Solution
- Plus 'Best In Class' Car Access Systems
- Recognized Thought & Innovation Leader
- Partner of Choice for OEMS, T1s & Industry Alliances



## Hardware Security is a Must

- Crypto accelerators to guarantee strict performance requirements
  - E.g. V2X message authentication, CAN authentication, secure boot, …
- Hardware-enforced isolation to protect against software attacks
  - E.g. system vs. user mode, TrustZone, SHE/HSM, ...
- Tamper-resistant hardware to protect against advanced, physical attacks
  - E.g. Secure Elements



# **Security Throughout the Entire Lifecycle**

- Increased security level at each stage of the development lifecycle
- Non-reversible, non-revocable
- Enable application development, debugging and failure analysis
- Without compromising security in the production vehicle

Field In Field Return Vehicle Security Level **Production** Application Development Out of Fab

Vehicle Lifecycle



## **Proven History in Driving Automotive Security**

Mid 2000s

Boot

sensors

• High Assurance

Fault detection



- Crypto Services Engine (SHE)
- Active shields

#### 2010s +

- Hardware Security Module (HSM)
- Secure Elements (SE)
- Gateway, IVN security





#### Early 2000s

- Enhanced
   Censorship
- Infrastructure

#### Mid 1990s

- Censorship
- Infrastructure

## 4 Layers to Securing a Car

#### **Layer 1: Protect External Interface**

Secure M2M authentication, secure key storage



#### Layer 2: Isolate Network

Domain isolation, firewall/filter, centralized intrusion detection (IDS)



#### Layer 3: Secure Network

CAN ID Killer, message authentication, distributed intrusion detection (IDS)

Safety domain

Comfort domain

Gateway

Braking

**A** )

Powertrain

Cluster

Body

#### Layer 4: Secure Processing

Secure boot, run time integrity, OTA updates







TCU

OBD

# SECURITY USE -CASES & ATTACKS



## **Security Use Cases**

#### **In-Vehicle Security**

- Immobilizer / Component Protection
- Mileage Protection
- Secure Boot and Chain of Trust
- Secure Communication
- DRM for Batteries

#### **Connected Vehicle Security**

- Android application download
- DRM for content download/streaming
- Remote ECU firmware update
- Black-box for due government or insurance
- Car-to-Car communication



### **Other Automotive Security Threats**

**Transportation Department Warns Against Counterfeit Air Bags** October 10, 2012, NHTSA estimates it affects 0.1% of US Fleet, availability of such replacement systems traces back to 2003 (!)





#### DARPA Funded Researchers Take Control Of Two Vehicles

Using a Macbook connected to the On-Board Diagnostics Port Dr. Charlie Miller and Chris Valasek. July, 2013, Defcon: Adventures in Automotive Networks and Control Units [http://illmatics.com/car\_hacking.pdf]

#### Mileage Manipulation (in Germany)

- 2 million manipulated cars per year
- Average increases in value per car ~3000€
- Total loss 6 billion euro





## The ConnectedDrive – Unlock the Doors

#### Issue/Hack:

- No individual keys per car
- Keys stored in readable flash / Firmware readable
- Debug-port active
- Outdated or no encryption on some services
- No integrity check of the device configuration
- No authentication of the counterpart station
- ~ 2.2 million affected cars

#### **Security Requirements:**

- Improve key management
- · Use existing device features (e.g. disable debug port)
- Crypto modules with:
- Secure key storage
- Actual cipher algorithm (e.g. AES-128) support





## **Vehicle – Out of Control**

#### **Issue/Hack:**

- Radio/Infotainment system is directly connected both CAN busses
- Weak Wi-Fi password system and network configuration (e.g. open D-Bus)
- Weak firmware update process
- Debug-port active
- No secure boot
- Flash content readable
- No encrypted firmware image, no signatures
- OEM has to recall 1.4 Million Cars Over Hacking

#### Solution:

- Improve network architecture
- Firmware image authentication during update
- Use Secure Boot
- Use Message Authentication for safety relevant messages (e.g. Break / Steering Wheel control)
- Use existing device features (e.g. disable debug port)



Due several weakness it's possible to execute code on the MPU remotely via the GSM network. Additional it's possible to modify the MCU firmware and send faked CAN messages via the MCU into the car network. Finally it was possible to deactivate the breaks remotely!



# THE HIS - SHE SPECIFICATION -OVERVIEW



## **SHE Specification I – Secure Data**

Key values moved from public memory space to secure memory space. The secure memory space is only accessible by the security module. Application work with key references!

|                | Write<br>Protection | Secure Boot<br>Failure | Debugger<br>Activation | Wildcard UID | Key Usage | Plain Key | Counter | Overall data<br>bits |
|----------------|---------------------|------------------------|------------------------|--------------|-----------|-----------|---------|----------------------|
| MASTER_ECU_KEY | Х                   | Х                      | Х                      | Х            |           |           | Х       | 160                  |
| BOOT_MAC_KEY   | Х                   |                        | Х                      | Х            |           |           | Х       | 159                  |
| BOOT_MAC       | Х                   |                        | Х                      | Х            |           |           | Х       | 159                  |
| KEY_ <n></n>   | Х                   | Х                      | Х                      | Х            | Х         |           | Х       | 161                  |
| RAM_KEY        |                     |                        |                        |              |           | Х         |         | 129                  |
| SECRET_KEY     |                     | X <sup>1</sup>         | X1                     |              |           |           |         | 128                  |
| UID            |                     |                        |                        |              |           |           |         | 120                  |

<sup>1</sup> ECRET\_KEY inherits its protection flags from MASTER\_ECU\_KEY





#### **SHE Specification II – Functions**

| #                    | SHE – Functions                                                          | Usage                       |
|----------------------|--------------------------------------------------------------------------|-----------------------------|
| 1<br>2<br>3<br>4     | CMD_ENCRYPT_ECB<br>CMD_ENCRYPT_CBC<br>CMD_DECRYPT_ECB<br>CMD_DECRYPT_CBC | Encryption /<br>Decryption  |
| 5<br>6               | CMD_GENERATE_MAC<br>CMD_VERIFY_MAC                                       | Signing /<br>Authentication |
| 7<br>8<br>9          | CMD_LOAD_KEY<br>CMD_LOAD_PLAIN_KEY<br>CMD_EXPORT_RAM_KEY                 | Key Management              |
| 10<br>11<br>12       | CMD_INIT_RNG<br>CMD_EXTEND_SEED<br>CMD_RND                               | Random Number<br>System     |
| 13<br>14<br>15       | CMD_SECURE_BOOT<br>CMD_BOOT_FAILURE<br>CMD_BOOT_OK                       | Secure Boot                 |
| 16<br>17<br>18<br>19 | CMD_GET_STATUS<br>CMD_GET_ID<br>CMD_CANCEL<br>CMD_DEBUG                  | Module Handling             |

$$\begin{split} &\mathsf{K}_1 = \mathsf{KDF}(\mathsf{K}_{\mathsf{AuthID}}, \,\mathsf{KEY}\_\mathsf{UPDATE}\_\mathsf{ENC}\_\mathsf{C}) \\ &\mathsf{K}_2 = \mathsf{KDF}(\mathsf{K}_{\mathsf{AuthID}}, \,\mathsf{KEY}\_\mathsf{UPDATE}\_\mathsf{MAC}\_\mathsf{C}) \\ &\mathsf{M}_1 = \mathsf{UID'}|\mathsf{ID}|\mathsf{AuthID} \\ &\mathsf{M}_2 = \mathsf{ENC}_{\mathsf{CBC},\mathsf{K1},\mathsf{IV}=0}(\mathsf{C}_{\mathsf{ID}}'|\mathsf{F}_{\mathsf{ID}}'|`0...0"_{95}|\mathsf{K}_{\mathsf{ID}}') \\ &\mathsf{M}_3 = \mathsf{CMAC}_{\mathsf{K2}}(\mathsf{M}_1|\mathsf{M}_2) \end{split}$$

CMD\_LOAD\_KEY stores key value in secure NVM

#### Note:

To be able to update a key you have to know the actual key value or the MASTER\_ECU\_KEY value.



#### **SHE Specification – Secure Boot**

- Secure Boot verifies the custom firmware after POR
- SHE offer these secure boot flows:
  - 1.Parallel Boot Application core and SHE module comes out of reset at the same time
  - 2.Sequential Boot SHE module comes out of reset and verifies the custom code, after the application core comes out of reset and execute the code (independent of secure boot result!)
  - 3.Strict Sequential Boot SHE module comes out of reset and verifies the custom code, after the application core comes out of reset and execute the code if secure boot finalized positive

Note: SHE feature - Autonomous boot-strap is critical!



# CRYPTO SERVICE ENGINE (CSE) – OVERVIEW



#### **S32 Freescale Security Modules**





# Cryptographic Services Engine (CSE)

#### The 1<sup>st</sup> Implemented SHE Spec. Module in the World

The CSE moves the crypto keys from public memory into the secure memory. The applications works only with key references instead with key values. Only the CSE can access the keys, for an key update the actual value must be known.

- CSE module implements the official HIS SHE-Specification
- 32-bit secure core working up to 133 MHz
- AES-128
  - Supports the cipher modes: ECB & CBC
  - Throughput of 100 Mbit/sec & 2µs latency per encoding/decoding operation
- CSE module interfaces:
  - Crossbar master interface  $\rightarrow$  full memory window access
  - Configuration interface  $\rightarrow$  offers easy to use programming model
- Unique ID 120bit
- Secure Boot support
- Secure flash blocks are fix assigned to the CSE module. No other masters can access these memory
- PRNG seed generation via TRNG





## **CSE2 Enhancements**

To improve and support safety & secure communication better these enhancements are implemented in cooperation with US car OEMs:

- Introduction of a new security flag per GPR-Keys
   The flag defines the communication role (sender or receiver) of the ECU. Only the sender is able to publish an CMAC value. Receiver are only
   able to verify the CMAC.
- Double the number of general purpose keys (from 10 to 20) More keys allows more communication domains; each with his own individual key!
- Secure Boot result stored in NVM (configurable by customer)
  The secure boot result is storable in the flash memory, for this it's re-useable after leaving power down modes. Otherwise secure-boot sensitive keys are not useable anymore.
- Reset Generation on Secure Boot Fail (configurable by customer) For high-security ECUs its useful to stay in reset, if secure boot fails.
- SHE-Compression (Miyaguchi-Preneel construction) available via API



#### **CSE3** Enhancements – SHE for Flash-less Devices

CSE3 offers an alternative security key storage solution and brings the SHE Spec. API to flash-less devices without loss of security<sup>1</sup>:

CSE3 is an enhanced version of the CSE2

Uses the same API and functions, so existing software drivers are easy portable to the new architecture.

- CSE3 handles the main keys in an encrypted key file The key-file could be stored in any NVM memory, the encryption key for the key-file is stored in a fuse array on the device. The file is protected against cloning and re-play attacks and is bound to the device.
- 1st implementation of the CSE3 in S32V2

<sup>1</sup>The SHE Specification requires device internal flash







## HSM Security Firmware – A SHE Implementation on HSM

- Release 1.0 is available for MPC574xG (3M & 6M)
- Firmware implements the CSE2 feature set (SHE firmware + Global-B requirements) on the HSM
- Firmware "emulates" the CSE register interface, to simplify porting of existing SW stacks
- Firmware is delivered pre-programed in the device
  - No SHE firmware programming and DCF configuration required by customer



# CSE3 ON FLASH -LESS DEVICES





NP

# Cryptographic Services Engine v3 (CSE3)

- CSE module implements main elements of the HIS SHE-Specification
- 32-bit secure core working at 133 MHz
- AES-128
  - Supported crypto modes: ECB & CBC
  - Throughput ~100 Mbit/sec
  - Latency 2µs per one encoding/decoding ops
- CSE module interfaces:
  - System master interface
  - Configuration interface
- PRNG seed generation via TRNG
- CSE Core not programmable by customer
- Encrypted code and key image are stored in external memory
- Several tempter detect inputs and a tamper detect enable
- CSE3 offers the same security features as CSE2



### **Boot Flow I – Controlled by ROM Code**





#### **Boot Flow II – Controlled by ROM Code**



27 PUBLIC USE

#### **CSE Register Interface**

| Register                                | Usage                                                                                                                                                           |          |              |
|-----------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|--------------|
| Control Register                        | Configuration information                                                                                                                                       |          |              |
| Status Register                         | Status information                                                                                                                                              |          |              |
| Interrupt Register                      | Command Complete Interrupt Flag                                                                                                                                 |          |              |
| Error Code Register                     | Contains any error information returned by latest command                                                                                                       |          | 0            |
| CSE TRNG Control Register               | TRNG Test Mode on/off                                                                                                                                           | <u> </u> | C<br>R<br>(A |
| Command Register                        | Commands are written here (after the Command Parameter registers have been written)                                                                             |          | a            |
| Command Parameter 1-5<br>Register       | General purpose registers whose meaning depends upon command being executed.<br>Often used to point to addresses of input and output data                       |          |              |
| CSE Key Image Address 0 / 1<br>Register | Must be initialized with addresses of the latest key images before either the SECURE_BOOT or INIT_CSE commands are issued (e.g. via secure call back functions) |          | C<br>A       |
| CSE OTP Status Register                 | Secure Counter Value (up to 42) from OTP memory                                                                                                                 |          | R            |
| CSE Publish Count                       | Holds the publish counter value of the loaded key image                                                                                                         |          |              |

CSE2 Register Set (Autosar driver available)

CSE3 Additional Register Set



## **One Time Programmable (OTP) Memory**

| OTP Field      | Size | System<br>Access | Programm by                           | Usage                                                                                                                                   |  |  |
|----------------|------|------------------|---------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------|--|--|
| Secret Key     | 128  |                  | Freescale;                            | SHE-Secret Key, random number                                                                                                           |  |  |
| IAK            | 128  |                  | programmed and<br>locked during       |                                                                                                                                         |  |  |
| UID            | 120  | R                | device production                     | SHE UID value                                                                                                                           |  |  |
| Flash Key      | 128  | W                | Customer;<br>programmed and<br>locked | <pre>if (Secure Counter &gt; 1)     for encryption of the CSE image files if (Secure Counter == 0)     use 0 for image encryption</pre> |  |  |
| Secure Counter | 128  | R/W              | Customer;<br>programmed               | Prevent rollback-attacks (re-usage of old images)                                                                                       |  |  |



## **Encrypted CSE Images**

- Key Image 1 KByte
- Firmware Image 12 KByte
- The key image is encrypted and authenticated by the CSE using keys derived from the Flash Key and Secret Key. A Secure Counter value of zero indicates the Flash Key is not programmed and a default value of zero is used for the Flash Key.

#### **Steps to prepare the device:**

- 1. Program the Flash Key.
- 2. Issue the INIT\_RNG command.
- 3. Issue the PUBLISH\_KEY\_IMG command with the secure counter input parameter set to one.
- 4. Store the generated key image to non-volatile memory.
- 5. Program the OTP Secure Counter to one.



#### Key Image

- Size: 1KByte
- Using the AES standard big endian convention
- Generated by the PUBLISH\_KEY\_IMG
- Image Address is determine by system boot ROM code

| Index         | Field                    | Size<br>(bytes) | Format | Description                                            |
|---------------|--------------------------|-----------------|--------|--------------------------------------------------------|
| a[0], a[1]    | Header Mark              | 2               | 0,1    | 0x4B49                                                 |
| a[2]          | Reserved                 | 1               | 0,1    | 0x00                                                   |
| a[3]          | Format                   | 1               | 0,1    | Key image format, 0x00 or 0x01                         |
| a[4] a[7]     | Firmware Address         | 4               | 0,1    | CSE firmware start address                             |
| a[8] a[23]    | Firmware CMAC            | 16              | 1      | CMAC covering the firmware image                       |
| a[24] a[39]   | Key CMAC                 | 16              | 1      | CMAC covering the rest of the key<br>image (984 bytes) |
| a[40] a[54]   | UID                      | 15              | 1      | Unique ID                                              |
| a[55]         | Reserved                 | 1               | 1      |                                                        |
| a[56] a[59]   | Publish Counter          | 4               | 1      | Count of publish operations<br>(unsigned)              |
| a[60] a[62]   | Reserved                 | 3               | 1      |                                                        |
| a[63]         | Secure Counter           | 1               | 1      | Secure counter (6-bit unsigned)                        |
| a[64] a[79]   | Key IV                   | 16              | 1      | Key slot encryption IV                                 |
| a[80] a[95]   | Reserved                 | 16              | 1      |                                                        |
| a[96] a[1023] | 29 Key Slots (encrypted) | 960             | 1      | 29 Key Slots (encrypted)                               |

#### **CSE3 Commands**

| CMD  | Command        | Description            | CMD  | Command         | Description                             |
|------|----------------|------------------------|------|-----------------|-----------------------------------------|
| 0x01 | ENC_ECB        | Encrypt ECB            | 0x0E | BOOT_FAILURE    | Boot Failure                            |
| 0x02 | ENC_CBC        | Encrypt CBC            | 0x0F | BOOT_OK         | Boot OK                                 |
| 0x03 | DEC_ECB        | Decrypt ECB            | 0x10 | GET_ID          | Get ID                                  |
| 0x04 | DEC_CBC        | Decrypt CBC            | 0x11 | CANCEL          | Cancel                                  |
| 0x05 | GENERATE_MAC   | Generate MAC           | 0x12 | DEBUG_CHAL      | Debug Challenge                         |
| 0x06 | VERIFY_MAC     | Verify MAC             | 0x13 | DEBUG_AUTH      | Debug Authorization                     |
| 0x07 | LOAD_KEY       | Load Key               | 0x14 | TRNG_RND        | Generate TRNG Random Number             |
| 0x08 | LOAD_PLAIN_KEY | Load Plain Key         | 0x15 | INIT_CSE        | Initialize CSE                          |
| 0x09 | EXPORT_RAM_KEY | Export RAM Key         | 0x16 | MP_COMPRESS     | Miyaguchi-Preneel (MP) Compression      |
| 0x0A | INIT_RNG       | Initialize RNG         | 0x17 | PUBLISH_KEY_IMG | Publish Key Image                       |
| 0x0B | EXTEND_SEED    | Extend PRNG Seed       | 0x18 | LOAD_SEC_RAM    | Load Secure SRAM (not the CSE SRAM!!)   |
| 0x0C | RND            | Generate Random Number | 0x19 | OPEN_SEC_RAM    | Open Secure SRAM (not the CSE SRAM!!)   |
| 0x0D | SECURE_BOOT    | Secure Boot            | 0x1A | EXPORT_SEC_RAM  | Export Secure SRAM (not the CSE SRAM!!) |

new commands of CSE3



#### **Application Notes**

- AN4234 Using the Cryptographic Service Engine (CSE)
- AN4235 Using CSE to protect your Application Code via a Chain of Trust

In <AN4234SW/tools/bin>

AES\_CMAC\_CMD.exe Usage AES\_CMAC\_CMD.out <Key Value> <Message Length in Bits> <Message File name>

AES\_ENC\_CBC\_CMD.exe Usage AES\_ENC\_CBC\_CMD.out <Key Value> <IV Value> <Message File name>

AES\_ENC\_ECB\_CMD.exe Usage AES\_ENC\_ECB\_CMD.out <Key Value> <Plaintext Value>

AES\_MP\_KDF\_CMD.exe Usage is AES\_MP\_KDF\_CMD.c <key value> <key constant>



## Summary

- NXP overs since years innovative automotive security solutions
- NXP offers security solutions for all 32bit-MCU segments
  - -Low CSEc
  - -Mid-CSE
  - High HSM with CSE firmware

| NXP Security Solution for Automotive MCU |                     |                      |                            |  |  |  |
|------------------------------------------|---------------------|----------------------|----------------------------|--|--|--|
|                                          | Device              | Platform             | Module                     |  |  |  |
|                                          | MPC564xB/C          |                      | CSE                        |  |  |  |
|                                          | MPC5746M / MPC5777M |                      | HSMv1                      |  |  |  |
| MCU<br>( internal flash)                 | MPC5748G / MPC5746C | PowerPC<br>e200      | HSMv2                      |  |  |  |
| CU<br>al flash                           | MPC5777C            |                      | CSE2                       |  |  |  |
| 5                                        | Radar MCU           |                      | CSE2                       |  |  |  |
|                                          | MAC57D54H           | ARM Cortex-<br>A5/M4 | CSE2                       |  |  |  |
| N<br>(flas                               | S32V243             | ARM Cortex-          | CSE3 / OTFAD/<br>TrustZone |  |  |  |
| MPU<br>(flash-less)                      | VFxxx               | Ax/Mx<br>& ARM9/11   | Trust Zone                 |  |  |  |
| 3)                                       | i.Mx                |                      | + CAAM                     |  |  |  |





## SECURE CONNECTIONS FOR A SMARTER WORLD

#### ATTRIBUTION STATEMENT

NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, CoolFlux, EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE, MIFARE Classic, MIFARE DESFire, MIFARE Plus, MIFARE FleX, MANTIS, MIFARE ULTRALIGHT, MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET, TrenchMOS, UCODE, Freescale, the Freescale logo, AltiVec, C 5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert, QorIQ, QorIQ Qonverge, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit, BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine, SMARTMOS, Tower, TurboLink, and UMEMS are trademarks of NXP B.V. All other product or service names are the property of their respective owners. ARM, AMBA, ARM Powered, Artisan, Cortex, Jazelle, Keil, SecurCore, Thumb, TrustZone, and µVision are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM7, ARM9, ARM11, big.LITTLE, CoreLink, CoreSight, DesignStart, Mali, mbed, NEON, POP, Sensinode, Socrates, ULINK and Versatile are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Oracle and Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks licensed by Power.org. © 2015–2016 NXP B.V.