Achieving A Root of Trust With Secure Boot in Automotive RH850 and R-Car Devices

2021-12-27 Renesas

Thank you for taking the time to read our security blog. This is part three in a three-part series about secure boot. If you haven’t checked out the previous two articles, they are: (Part 1 – Secure Boot Introduction) and (Part 2 – Secure Boot of MCU Devices). In our last installment, my colleague Mr. Yamanaka-san described secure boot on our RH850 MCU devices. In this blog I will cover secure boot on our Arm-based RENESAS R-Car Gen 3 SoC devices.


Secure boot on R-Car

System on chip (SoC) devices have more complex boot sequences than typical microcontroller devices. Secure boot ensures integrity and authenticity through the entire boot chain. The software can be optionally stored encrypted at rest to protect confidentiality.

Building a chain of trust

To provide secure boot on R-Car, Renesas builds a chain of trust rooted in the hardware. The mask ROM and the HBK (boot key hash) act as an immutable trust anchor; neither can be altered in production. Throughout the boot chain, each part of the chain of trust is verified by the earlier (already authorized) part. Chaining the elements in this way lets the verification of every stage point back to the original root of trust, like links in a chain. The starting point of this verification process is the mask ROM of the R-Car, which is executed immediately after reset.

Key Takeaway: Renesas builds a chain of trust rooted in the hardware

· Mask ROM and HBK function as an immutable trust anchor; they cannot be altered

· Each part of the chain of trust is verified by the previous (authorized) part

· The starting point of this verification process is the mask ROM of the R-Car device, acting as the “Root of Trust”


Preparing the secure boot environment

In R-Car devices, secure boot starts with preparing the signing chain. Preconditions to the signing process include generating two RSA key pairs (the device root key pair and the secure boot key pair) and generating the device root public key hash (HBK). Each customer has a unique root key, controlled in their secure OT environment. The root and secure boot private keys must be stored securely, since the security of the whole system depends on them. Once the key pairs are created, a Renesas-supplied tool generates a cryptographic hash of the root public key. This root public key hash (HBK) is provided to Renesas and programmed into R-Car devices during manufacturing. During secure boot, the HBK is used to verify the integrity and authenticity of the root public key.

Signing images

After the environment is prepared, the signing process can begin. Taking the root and secure boot key pairs and the software image as inputs, the signing tool generates two certificates: 1) a root key certificate that contains the root public key, and 2) a content certificate that contains the secure boot public key and the image signature contents. The software image and the certificates are programmed into the R-Car device memory. Only public keys are stored on the R-Car device.

After reset is released (1), the Secure Boot function is called (2). The Secure Boot function verifies the software using the root key and content certificates (3). The deployed software is executed by the device only if the verification process succeeds (4).


Here is an exploded version of the secure boot sequence.

Steps:

1. Device reset is released.

2. The device executes the mask ROM. If the device is in the security-enabled state, secure boot is executed.

3. The mask ROM loads the certificates and content from external flash.

4. The mask ROM parses the root key certificate and extracts the root key. The root key hash is calculated and compared to the known root key hash (HBK). If the key is correct, the system proceeds to the next step.

5. The mask ROM calculates the hash of the boot key found in the secure boot content certificate and compares it to the secure boot key hash found in the key certificate (verified in the previous step). If the check passes, the public key is used to verify the content certificate signature. If the signature in the content certificate is valid, the data in the content certificate is used to check the validity and integrity of the next boot stage. If everything checks out, execution jumps to the next boot stage.

6. Subsequent boot stages can call into the mask ROM secure boot functions to validate later-stage content. In this example the IPL calls into the mask ROM API to verify applications 1-3. By calling the mask ROM API in later stages, the designer can take advantage of the hardware acceleration for the RSA signature check and of the SHA accelerator for hashing.

7. The mask ROM verifies the content certificate and loads the next boot stage.

8. The IPL can validate every image it loads, or only a subset of them. In this example applications 1-3 use the secure boot API, while applications 4 and 5 use another method.

9. When the IPL is done loading and verifying content, it jumps to the next boot stage.
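To make the signing and verification flow concrete, here is an added example (not Renesas code, and not the real R-Car certificate format) that models the two certificates from the signing section above and replays mask ROM steps 4 and 5 using only the Go standard library. Assumptions: the HBK is modelled as the SHA-256 of the RSA modulus, both certificates carry PKCS#1 v1.5 signatures, and the root key certificate's signature covers the boot key hash; `Provision` stands in for the Renesas signing tool, and the image bytes are constructed sample input.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Certificate layouts are assumptions for this example, not the real R-Car format.
type RootCert struct {
	RootPub     *rsa.PublicKey
	BootKeyHash [32]byte // SHA-256 of the secure boot public key
	Sig         []byte   // over BootKeyHash, made with the root private key
}
type ContentCert struct {
	BootPub   *rsa.PublicKey
	ImageHash [32]byte // SHA-256 of the next boot stage
	Sig       []byte   // over ImageHash, made with the secure boot private key
}
// keyHash hashes the RSA modulus; it stands in for the HBK computation.
func keyHash(p *rsa.PublicKey) [32]byte { return sha256.Sum256(p.N.Bytes()) }

// SecureBoot replays mask ROM steps 4 and 5 in order; the first failure stops the boot.
func SecureBoot(hbk [32]byte, rc RootCert, cc ContentCert, image []byte) error {
	switch {
	case keyHash(rc.RootPub) != hbk:
		return errors.New("root key does not match HBK")
	case rsa.VerifyPKCS1v15(rc.RootPub, crypto.SHA256, rc.BootKeyHash[:], rc.Sig) != nil:
		return errors.New("root key certificate signature invalid")
	case keyHash(cc.BootPub) != rc.BootKeyHash:
		return errors.New("secure boot key not authorized by root key certificate")
	case rsa.VerifyPKCS1v15(cc.BootPub, crypto.SHA256, cc.ImageHash[:], cc.Sig) != nil:
		return errors.New("content certificate signature invalid")
	case sha256.Sum256(image) != cc.ImageHash:
		return errors.New("next stage image hash mismatch")
	}
	return nil
}

// Provision mimics the signing tool: two key pairs, two certificates, and the HBK.
func Provision(image []byte) (hbk [32]byte, rc RootCert, cc ContentCert) {
	root, _ := rsa.GenerateKey(rand.Reader, 2048)
	boot, _ := rsa.GenerateKey(rand.Reader, 2048)
	rc = RootCert{RootPub: &root.PublicKey, BootKeyHash: keyHash(&boot.PublicKey)}
	rc.Sig, _ = rsa.SignPKCS1v15(rand.Reader, root, crypto.SHA256, rc.BootKeyHash[:])
	cc = ContentCert{BootPub: &boot.PublicKey, ImageHash: sha256.Sum256(image)}
	cc.Sig, _ = rsa.SignPKCS1v15(rand.Reader, boot, crypto.SHA256, cc.ImageHash[:])
	return keyHash(&root.PublicKey), rc, cc
}
```

Only the HBK is trusted a priori; every other value is checked against something verified in an earlier step, so a swapped root key, an unauthorized boot key, a forged certificate, or a modified image each stop the boot at a different, identifiable step.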


Conclusion:

SoCs have a longer boot chain than MCU devices. The secure boot logic in our R-Car devices allows the designer to take advantage of hardware acceleration of signature checks throughout the boot process. Renesas R-Car devices leverage hardware as the secure root of trust for building dependable, secure systems. Thank you for taking the time to learn more about secure boot on R-Car devices!



This article was reposted by Batman from Renesas. Original title: Achieving a root of trust with secure boot in automotive RH850 and R-Car devices – Part 3. All reposted articles on this site are published to convey more information and clearly indicate their source; media or individuals who do not wish to be reposted may contact us and we will remove the content immediately.
