CN114911606A - Computing unit, method for verifying messages thereof, computer program and vehicle

Info

Publication number
CN114911606A
Authority
CN
China
Prior art keywords
computing unit
partition
security module
memory
active partition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210125000.9A
Other languages
Chinese (zh)
Inventor
F·维默尔
T·洛茨佩奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Robert Bosch GmbH
Original Assignee
Robert Bosch GmbH

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5061 Partitioning or combining of resources
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • G06F9/546 Message passing systems or structures, e.g. queues
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/08 Access security
    • H04W12/086 Access security using security domains
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/10 Integrity
    • H04W12/106 Packet or message integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2129 Authenticate client device independently of the user


Abstract

The invention relates to a method for verifying messages of a computing unit, wherein the computing unit comprises a security module and a plurality of partitions, wherein a cryptographic key for verifying the messages is stored in the security module, wherein a message verification routine is initiated by an active partition in order to verify the messages, characterized in that the active partition is identified and the security module provides the result of the verification calculation as a function of the identification of the active partition. The invention also relates to a computing unit, a computer program and a motor vehicle.

Description

Computing unit, method for verifying messages thereof, computer program and vehicle
Technical Field
The invention relates to a method for verifying a message of a computing unit, to a computer program and to a vehicle.
Background
Motor vehicles usually comprise a plurality of computing units, wherein at least one dedicated control unit is usually used for each of the different domains (Domänen), such as the drive train (e.g. engine controller), the chassis (e.g. ESP, ABS), driver assistance systems (e.g. distance-keeping cruise control, lane keeping assistance, …), the body computer (e.g. lighting, control of the wipers, …) and infotainment. In addition to the at least one respective control unit, each domain generally also comprises further subordinate control units, sensors and actuators. The separation of the domains provides a security advantage, among other things, in that a manipulated (korrumpierter) controller of one domain cannot easily intervene in the operation of the controllers of other domains. For example, it is difficult for the infotainment system to actuate the brakes, because suitable mechanisms can ensure that the infotainment system cannot impersonate the domain computer for the chassis function. That is, the separation of the individual domains, typical for a motor vehicle, onto different computing units makes an important contribution to the security of the motor vehicle.
In order to overcome the disadvantages of the domain controllers, in particular the high wiring outlay resulting from them, it is conceivable to equip the vehicle with so-called zone controllers (Zonensteuergeräten). In this case, the computing units are distributed spatially over the vehicle, and each actuator is actuated by the nearest zone controller. Thus, for example, provision can be made for one zone controller for the front of the vehicle, one for the middle of the vehicle and one for the rear of the vehicle. It is also conceivable to provide one zone controller for each vehicle corner (front left, front right, rear left and rear right). For coordination tasks, a central vehicle computer can additionally be provided, which for example also handles communication with computing units outside the vehicle, as occurs in the case of over-the-air updates (OTA, FOTA, SOTA).
To take full advantage of such a zone design, the programs that in a conventional domain-oriented architecture each run on their own controller are distributed across the zone controllers. To avoid interaction between the various software blocks on a zone controller, virtualization techniques are used. A hypervisor (or kernel) then usually runs on the zone controller and provides an interface to the virtual software blocks, the so-called partitions. The various partitions on the zone controller interact directly only with the hypervisor and not with each other. The hypervisor also provides a uniform hardware interface, so that the partitions do not access hardware such as memory directly but only through the hypervisor. Access to the security modules of the zone controller, for example hardware security modules (HSMs), is likewise effected via the hypervisor.
Security modules are special-purpose modules, usually implemented in hardware, in which cryptographic operations can be performed in a particularly secure environment. The cryptographic keys required for this purpose are stored in a secure memory area of the security module. A partition that wants to authenticate a message directed to the outside may initiate a message authentication routine, by means of which the security module is caused to perform the authentication. The result of the computation performed for this authentication is then returned by the security module to the requesting partition via the hypervisor, so that this partition can send the message to the outside together with the authentication information. However, in the case of a zone controller that uses a virtualization technique to separate the respective vehicle zones, the following problem arises: another partition may initiate the same message verification routine, so that a message with a false verification may be sent.
That is, the zone design has the advantage of minimizing the wiring cost, but has the disadvantage that, despite the use of known virtualization techniques, the security level of the domain-oriented E/E architecture in motor vehicles is not reached.
Disclosure of Invention
The method according to the invention for authenticating a message of a computing unit, wherein the computing unit comprises a security module and a plurality of partitions, wherein a cryptographic key for authenticating the message is stored in the security module, and wherein a message authentication routine is initiated by an active partition in order to authenticate the message, has the following advantage: the active partition is identified, and the security module provides the result of the verification calculation as a function of the identification of the active partition. In particular, the result of the verification calculation is not communicated to other partitions.
Advantageously, the message is a message sent by the active partition to a recipient outside the computing unit. The recipient can be located, for example, in the same motor vehicle as the computing unit. Alternatively, the message may also be a message sent to another partition within the computing unit, in which case the other partition acts as the recipient partition. In this context, an active partition is to be understood as a partition which wants to send a message to a recipient, usually outside the computing unit, and which therefore calls a message verification routine. That is, the term "active partition" merely describes the perspective taken in what follows and is not intended to imply that the other partitions of the computing unit are not performing computing operations.
In an advantageous embodiment, the computing unit comprises a hypervisor, and the identification of the active partition is performed by the hypervisor. In a particularly advantageous embodiment, the hypervisor comprises an identification module which is set up to identify the active partition when the active partition invokes a message verification routine. The hypervisor has a higher security level than the partitions, so that the hypervisor's identification of the active partition is more trustworthy than the active partition's identification of itself.
Alternatively, the computing unit comprises a memory with a plurality of sub-regions, and the identification of the active partition is performed based on the sub-region of the memory assigned to the active partition. Advantageously, the verification of the message is initiated by registering initiation information in the sub-region of the memory assigned to the active partition. The initiation information may be, for example, information that causes the security module to authenticate the message; in particular, it may be the message itself or a part of the message. The security module initiates the verification once the initiation information has been deposited in the sub-region of the memory assigned to the active partition. Particularly advantageously, each partition is exclusively assigned a sub-region of the memory, such that each partition accesses only its own exclusively assigned sub-region of the memory. In this particularly advantageous embodiment, the sub-region of the memory assigned to the active partition can be written only by the active partition.
After the security module has successfully performed the authentication, the result of the authentication calculation is provided in accordance with the identification of the active partition. That is, the result of the verification calculation is provided only to the previously identified active partition. If the computing unit includes a hypervisor, communication between the security module and the active partition preferably takes place via the hypervisor. If the computing unit does not include a hypervisor, communication preferably takes place directly between the security module and the active partition.
Advantageously, the active partition sends the message using the result of the verification calculation.
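The following Python model is an added illustration of the hypervisor-mediated variant described above; it is not code from the patent and not Bosch's implementation. It assumes HMAC-SHA256 as the check value, a scheduler that tells the hypervisor which partition is currently running, a `claimed_sender` field standing in for the partition's own (untrusted) identification, and an audit list added as a detection hook. The point it shows is that the result of the verification calculation is routed to the partition the hypervisor identified, never to the partition the caller claims to be, and that a mismatch between the two is itself a useful signal to monitor.

```python
"""Model of the hypervisor-mediated embodiment (hypervisor (16) with identification
module (17)).  Added illustration; HMAC-SHA256, the scheduler model and the
`claimed_sender` field are assumptions, not details from the patent."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample key (23); a real HSM keeps it in internal memory no partition can read.
SAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


class SecurityModule:
    """Security module (22): performs the verification calculation with the key (23)."""

    def __init__(self, key: bytes) -> None:
        self._key = key  # never leaves the module

    def compute_check_value(self, message: bytes) -> bytes:
        # Check value formed from the key and the message; HMAC-SHA256 is an assumed choice.
        return hmac.new(self._key, message, hashlib.sha256).digest()


class Partition:
    """A partition (12 or 14); it reaches the security module only via the hypervisor."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.results: List[Tuple[bytes, bytes]] = []  # (message, check value) delivered to it

    def deliver(self, message: bytes, check_value: bytes) -> None:
        self.results.append((message, check_value))


class Hypervisor:
    """Hypervisor (16) with identification module (17)."""

    def __init__(self, hsm: SecurityModule, partitions: List[Partition]) -> None:
        self._hsm = hsm
        self._partitions: Dict[str, Partition] = {p.name: p for p in partitions}
        self._running: Optional[Partition] = None  # set by the scheduler, never by a partition
        self.audit: List[str] = []  # assumed detection hook, not part of the patent

    def schedule(self, name: str) -> None:
        """Context switch: the hypervisor always knows which partition it is running."""
        self._running = self._partitions[name]

    def verify_message(self, message: bytes, claimed_sender: str) -> str:
        """Message verification routine as invoked by the running partition.

        `claimed_sender` stands for the partition's own (untrusted) identification.
        It never decides where the result goes: the identification module uses the
        scheduling context, and a mismatch is logged for monitoring.
        """
        active = self._running
        if active is None:
            raise RuntimeError("no partition is active")
        if claimed_sender != active.name:
            self.audit.append(f"identity mismatch: {active.name} claimed {claimed_sender}")
        check_value = self._hsm.compute_check_value(message)
        active.deliver(message, check_value)  # result reaches the identified partition only
        return active.name


def verify_at_recipient(key: bytes, message: bytes, check_value: bytes) -> bool:
    """What a recipient holding the same key does with the verified message (assumed)."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, check_value)


def run_demo() -> Dict[str, object]:
    hsm = SecurityModule(SAMPLE_KEY)
    p12, p14 = Partition("partition-12"), Partition("partition-14")
    hv = Hypervisor(hsm, [p12, p14])

    # Legitimate flow: partition 12 is running and has its own message verified.
    hv.schedule("partition-12")
    hv.verify_message(b"lane-keep-status", claimed_sender="partition-12")

    # Scenario from the Background: partition 14 is running but identifies itself as 12.
    hv.schedule("partition-14")
    routed_to = hv.verify_message(b"brake-request", claimed_sender="partition-12")

    message, check_value = p12.results[0]
    return {
        "routed_to": routed_to,             # "partition-14": routing follows the hypervisor
        "results_at_12": len(p12.results),  # 1: only its own message
        "results_at_14": len(p14.results),  # 1: the mismatching request stayed with 14
        "audit": hv.audit,
        "recipient_accepts": verify_at_recipient(SAMPLE_KEY, message, check_value),
    }
```

The design choice worth noting is that `verify_message` takes no trusted identity from its caller at all; the only identity that matters is `_running`, which the scheduler sets. Anything the partition says about itself is reduced to an audit signal, which is what the passage above means when it says the hypervisor's identification is more trustworthy than the partition's own.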
Particularly advantageously, each partition is exclusively assigned a sub-region of the memory, such that each partition accesses only its own exclusively assigned memory region. In order to maintain this exclusivity, memory separation techniques are advantageously used, as provided, for example, by so-called memory management units (MMUs) or memory protection units (MPUs).
Advantageously, the security module is a hardware security module. Advantageously, the computing unit is a central vehicle controller, in particular a zone controller or a central computer of a motor vehicle. Vehicle computers, vehicle control units (VCUs) and central gateway computers are further examples of central vehicle controllers.
The method according to the invention can be applied particularly advantageously when each partition is assigned to a vehicle domain. The vehicle domains are, for example, the drive train domain, chassis domain, infotainment domain, body domain and driver assistance system (ADAS) domain. Alternatively, the partitions can also advantageously be assigned to the individual security levels, which enables, in particular, a significantly simplified integration of software functions of different manufacturers on the computing unit.
It is also advantageous: a computing unit, which is set up to carry out the method according to the invention; and a computer program which, when executed on the computing unit, causes the computing unit to perform each step of the method according to the invention.
Also advantageous is a motor vehicle comprising a plurality of zone controllers, wherein each zone controller is set up for carrying out the method according to the invention. Also advantageous is a motor vehicle comprising a central processing unit, wherein the central processing unit is set up to carry out the method according to the invention.
Drawings
Embodiments of the invention are described below. In the drawings:
Fig. 1 shows a schematic representation of a computing unit which is set up for carrying out a first exemplary embodiment of the method according to the invention;
Fig. 2 shows a schematic representation of a computing unit which is set up for carrying out a second exemplary embodiment of the method according to the invention;
Fig. 3 shows a schematic representation of the flow of an embodiment of the method according to the invention.
Detailed Description
Fig. 1 shows a schematic representation of a computing unit (8) which is set up for carrying out a first exemplary embodiment of the method according to the invention. The computing unit (8) comprises a hardware part (20) and a software part (10). The software part (10) includes a hypervisor (16), a first partition (12) and a second partition (14). The hypervisor (16) comprises an identification module (17) which is set up to identify a partition (12, 14) as the active partition when it invokes a message verification routine. The hardware part (20) includes a security module (22), which may be, in particular, a hardware security module (HSM). The security module (22) comprises an internal memory in which a cryptographic key (23) is stored.
The first partition (12) and the second partition (14) each maintain a communication connection with the hypervisor (16). The hypervisor (16) in particular provides the hardware interface, so that the first partition (12) and the second partition (14) can send requests to the security module (22) by means of the hypervisor (16). The security module (22) can send the results of the verification calculations to the partitions (12, 14) via the hypervisor (16).
Fig. 2 shows a schematic representation of a computing unit (8) which is set up for carrying out a second exemplary embodiment of the method according to the invention. The computing unit (8) comprises a hardware part (20) and a software part (10). The software part (10) includes a first partition (12) and a second partition (14). The hardware part (20) includes a security module (22), which may be, in particular, a hardware security module (HSM), and a memory (26) comprising a first sub-region (27) and a second sub-region (28). The first sub-region (27) is assigned to the first partition (12) and the second sub-region (28) is assigned to the second partition (14), such that only the first partition (12) can write to the first sub-region (27) and only the second partition (14) can write to the second sub-region (28). The security module (22) comprises an internal memory in which a cryptographic key (23) is stored.
The security module (22) is designed to read the first sub-region (27) and the second sub-region (28) of the memory (26). The security module (22) can send the results of the verification calculations to the partitions (12, 14) via data lines.
Fig. 3 shows a schematic representation of the flow of an embodiment of the method according to the invention. In step 100, the first partition (12) initiates a message verification routine because a verified message is to be sent by the first partition (12) to a recipient outside the computing unit (8). By calling the message verification routine, the first partition (12) becomes the active partition in the sense of the present invention. The call to the message verification routine causes the security module to initiate a verification calculation, such as a cryptographic calculation. For this purpose, a check value can be formed, for example, from the cryptographic key and the message to be transmitted.
If the computing unit (8) corresponds to the computing unit (8) of Fig. 1, the active partition (12) is identified by means of the identification module (17) of the hypervisor (16).
If the computing unit (8) corresponds to the computing unit (8) of Fig. 2, the active partition (12) is identified as follows: the active partition (12) registers the initiation information in the first sub-region (27) of the memory (26), which is assigned to the first (in this case active) partition (12). Since only the first partition (12) can write to the first sub-region (27) of the memory (26), it is ensured that the initiation information comes from the first partition (12). To ensure that only the first partition (12) can write to the first sub-region (27) of the memory (26), memory separation techniques may be used, as provided, for example, by so-called memory management units (MMUs) or memory protection units (MPUs). The initiation information is read by the security module (22). Step 100 is followed by step 110.
In step 110, the message of the active partition, i.e. the first partition (12), is verified by a cryptographic calculation using the cryptographic key (23). Step 110 is followed by step 120.
In step 120, the result of the cryptographic calculation performed in step 110 is transmitted to the active partition (12). Step 120 is followed by step 130.
In step 130, the message to be sent by the first partition (12) to a recipient outside the computing unit (8) is sent together with the result of the cryptographic calculation. The verified message is thus sent.
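The following Python model is an added illustration of the second embodiment (Fig. 2) and of steps 100 to 120 of Fig. 3; it is not code from the patent and not Bosch's implementation. It assumes HMAC-SHA256 as the check value, a concrete layout of the memory (26) into sub-regions 27 and 28, a length-prefixed format for the initiation information, an MPU that allows each address to be written by exactly one partition, and an HSM-only path for marking a request as consumed. What it shows is that the security module never needs to be told who the active partition is: the sub-region a request was read from is the identification, and the MPU is what makes that identification trustworthy.

```python
"""Model of the memory-partitioned embodiment (memory (26), sub-regions 27/28, MPU).
Added illustration; HMAC-SHA256, the region layout, the MPU model and the
initiation-information format are assumptions, not details from the patent."""
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample key (23), held only inside the security module.
SAMPLE_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)
# Assumed layout: sub-region 27 belongs to partition 12, sub-region 28 to partition 14.
REGION_LAYOUT: Dict[str, Tuple[int, int]] = {
    "partition-12": (0x000, 0x100),  # sub-region 27
    "partition-14": (0x100, 0x200),  # sub-region 28
}
LEN_FIELD = 2  # initiation information = 2-byte big-endian length + message (assumed)


class MemoryProtectionUnit:
    """MPU: every address has exactly one partition allowed to write it."""

    def __init__(self, layout: Dict[str, Tuple[int, int]]) -> None:
        self._layout = layout

    def owner_of(self, addr: int) -> Optional[str]:
        for owner, (start, end) in self._layout.items():
            if start <= addr < end:
                return owner
        return None


class Memory:
    """Memory (26): partition writes go through the MPU; the HSM may read all sub-regions."""

    def __init__(self, size: int, mpu: MemoryProtectionUnit) -> None:
        self._cells = bytearray(size)
        self._mpu = mpu

    def write(self, writer: str, addr: int, data: bytes) -> None:
        for a in range(addr, addr + len(data)):  # every byte must lie in the writer's region
            if self._mpu.owner_of(a) != writer:
                raise PermissionError(f"{writer} may not write {a:#05x}")
        self._cells[addr:addr + len(data)] = data

    def read(self, start: int, end: int) -> bytes:
        return bytes(self._cells[start:end])

    def hsm_clear(self, start: int) -> None:
        """HSM-only path (assumed) that marks a request as consumed; not subject to the MPU."""
        self._cells[start:start + LEN_FIELD] = bytes(LEN_FIELD)


def deposit_initiation_info(memory: Memory, partition: str, message: bytes) -> None:
    """Step 100: the partition registers the initiation information (here the message
    itself) in its own sub-region; any other partition is stopped by the MPU."""
    start, end = REGION_LAYOUT[partition]
    if LEN_FIELD + len(message) > end - start:
        raise ValueError("message does not fit the sub-region")
    memory.write(partition, start, len(message).to_bytes(LEN_FIELD, "big") + message)


class SecurityModule:
    """Security module (22) that reads sub-regions 27 and 28 directly."""

    def __init__(self, key: bytes, memory: Memory) -> None:
        self._key = key
        self._memory = memory
        self.delivered: Dict[str, List[Tuple[bytes, bytes]]] = {p: [] for p in REGION_LAYOUT}

    def service(self) -> List[str]:
        """Steps 110 and 120 for each pending request: the sub-region a request is read
        from is the identification; the result goes only onto that partition's data line."""
        served: List[str] = []
        for owner, (start, _end) in REGION_LAYOUT.items():
            length = int.from_bytes(self._memory.read(start, start + LEN_FIELD), "big")
            if length == 0:
                continue  # nothing registered in this sub-region
            message = self._memory.read(start + LEN_FIELD, start + LEN_FIELD + length)
            check_value = hmac.new(self._key, message, hashlib.sha256).digest()
            self.delivered[owner].append((message, check_value))
            self._memory.hsm_clear(start)
            served.append(owner)
        return served


def run_demo() -> Dict[str, object]:
    memory = Memory(0x200, MemoryProtectionUnit(REGION_LAYOUT))
    hsm = SecurityModule(SAMPLE_KEY, memory)
    # Legitimate flow: partition 12 registers its message and is served as the active partition.
    deposit_initiation_info(memory, "partition-12", b"brake-request")
    served = hsm.service()
    # A manipulated partition 14 tries to place a request in sub-region 27 so that the
    # security module would attribute it to partition 12; the MPU rejects the write.
    try:
        memory.write("partition-14", REGION_LAYOUT["partition-12"][0], b"\x00\x03foo")
        outcome = "write accepted"
    except PermissionError:
        outcome = "rejected by MPU"
    return {
        "served": served,                                         # ["partition-12"]
        "at_12": [m for m, _ in hsm.delivered["partition-12"]],  # [b"brake-request"]
        "at_14": len(hsm.delivered["partition-14"]),             # 0
        "spoof_attempt": outcome,                                # "rejected by MPU"
        "second_service": hsm.service(),                         # []: request consumed
    }
```

Two details carry the security argument. First, `Memory.write` checks ownership for every byte of the write, so a request cannot be straddled across a region boundary to land partly in another partition's sub-region. Second, `SecurityModule.service` derives the recipient of the result purely from the loop variable `owner`, i.e. from where the bytes were read, which is the memory-based identification the text describes.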

Claims (12)

1. A method for authenticating messages of a computing unit (8), wherein the computing unit (8) comprises a security module (22) and a plurality of partitions (12, 14), wherein a cryptographic key (23) for authenticating messages is stored in the security module (22), wherein a message authentication routine is initiated by an active partition (12) in order to authenticate the messages, characterized in that the active partition (12) is identified and the security module (22) provides the result of the authentication calculation depending on the identification of the active partition (12).
2. The method of claim 1, wherein the computing unit comprises a hypervisor (16), and wherein the identification of the active partition (12) is performed by the hypervisor.
3. The method according to claim 1, characterized in that the computing unit comprises a memory (26), wherein the memory (26) comprises a plurality of sub-areas (27, 28), wherein the identification of the active partition (12) is performed based on the sub-area (27) of the memory (26) assigned to the active partition (12).
4. A method according to claim 3, characterized in that the verification of the message is performed by registering initiation information in a sub-area (27) of the memory (26) assigned to the active partition (12).
5. Method according to claim 3 or 4, characterized in that each partition (12, 14) is exclusively assigned a sub-region (27, 28) of the memory (26), such that each partition (12, 14) exclusively accesses a respective exclusively assigned sub-region (27, 28) of the memory (26).
6. The method according to any one of the preceding claims, wherein the security module (22) is a hardware security module.
7. Method according to any of the preceding claims, characterized in that the computing unit (8) is a central vehicle controller, in particular a zone controller or a central computer of a motor vehicle.
8. The method according to claim 8, characterized in that the partitions (12, 14) each represent a vehicle domain.
9. Method according to claim 8 or 9, characterized in that the partitions (12, 14) are assigned to different security levels.
10. A computing unit, which is set up for carrying out the method according to one of claims 1 to 9.
11. A computer program which, when executed on a computing unit, causes the computing unit to perform each step of the method according to any one of claims 1 to 9.
12. A motor vehicle comprising a plurality of zone controllers, characterized in that each zone controller is set up to carry out the method according to any one of claims 1 to 9.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
DE102021201231.0A DE102021201231A1 (en) 2021-02-10 2021-02-10 Method for authenticating a message from an arithmetic unit, arithmetic unit, computer program and vehicle
DE102021201231.0 2021-02-10

Publications (1)

Publication Number Publication Date
CN114911606A true CN114911606A (en) 2022-08-16

Family

ID=82493734

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210125000.9A Pending CN114911606A (en) 2021-02-10 2022-02-10 Computing unit, method for verifying messages thereof, computer program and vehicle

Country Status (2)

Country Link
CN (1) CN114911606A (en)
DE (1) DE102021201231A1 (en)

Also Published As

Publication number Publication date
DE102021201231A1 (en) 2022-08-11


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination