D1-08 ACHARYA eSync Arch and Programming …...2017 ©Excelfore eSync Architecture and Programming...
22
2017 ©Excelfore eSync Architecture and Programming Model for OTA and Diagnostics Reaching Non-Ethernet Devices Over an Ethernet Backbone Presented by: Shrikant Acharya Chief Technology Officer, Excelfore Corp. Contributing Authors: Anoop Balakrishnan, Excelfore Corp. Rema Balaraman, Excelfore Corp.
Transcript of D1-08 ACHARYA eSync Arch and Programming …...2017 ©Excelfore eSync Architecture and Programming...
2017©Excelfore
eSync Architecture and Programming Model for OTA and Diagnostics
Reaching Non-Ethernet Devices Over an Ethernet Backbone
Presentedby: ShrikantAcharyaChiefTechnologyOfficer,ExcelforeCorp.
ContributingAuthors: AnoopBalakrishnan,ExcelforeCorp.RemaBalaraman,ExcelforeCorp.
2017©Excelfore
Agenda
1. Considerations– ObjectivesandConstraints
2. ArchitectureReview
3. Protocols,SystemRequirements,Security
4. UseCaseExamples
2017©Excelfore
eSyncSystemDesignObjectives• Reach
• FromCloudtoEndDevice– AcrossVariousAutomotiveSub-Networks
• Bi-Directional• PipelineforDataPushandDataPull
• PushOver-the-Air(OTA)UpdatestotheVehicle
• PullDiagnosticandTelematicsDatafromtheVehicle
• HighlySecure• Vehiclescannotbe“Spoofed”orCompromisedwithSpuriousUpdates
• CloudServercannotbe“Spoofed”withSpuriousVehicleData
• Scalable• ScalestoManyDevicesinOneVehicle
• ScalestoManyDifferentVehicleConfigurations
• ScalestoMillionsofVehicles
2017©Excelfore
ImportantDesignConstraints
• Downtime• FullVehicleUpdateCycleMustMinimizeVehicleDowntime
• Resilience• MustbeResilientAgainstErrors/InterruptionsinOver-the-AirTransmissions
• Efficient• MustBeFlexibleforDifferentProcessingandMemoryResourcesinLegacyECUs
• Safe• FunctionalSafetyConsiderations,asDefinedinISO26262(ASILlevels)
2017©Excelfore
ImportantConsiderationsonSafetyandRobustness
• ISO26262Requirements:1. Non-Critical:TheOTAUpdateSystemDoesNotReachCriticalElementsatAll
- or-2. AllCritical:TheOTAUpdateSystem,andtheEntireIn-VehicleNetwork,
OperateEntirelyasaCriticalSystem- or-
3. IsolateCritical:TheIn-VehicleNetworkandtheOTAUpdateSystemIsolateCriticalandNon-CriticalElementsoftheSeparateASILdomains• RequiresParallel,SeparateOTAPaths
• Robustness• DesignforModularComponentIntegration• KeepUpwithCurrentTechniquesbyUsingLatestStandardsonSecurityandNetworkProtocols
2017©Excelfore
Agenda
1. Considerations– ObjectivesandConstraints
2. ArchitectureReview
3. Protocols,SystemRequirements,Security
4. UseCaseExamples
2017©ExcelforeADASInfotainment Body/ChassisPowertrain
VehicleGateway
PowertrainController/Gateway
ADASController/Gateway
BodyController/Gateway
eSync
CAN
LIN
CAN
Ethe
rnet
TSN
Ethe
rnet
TSN
CAN
Ethe
rnet
ASILD ASILBASILD ASILB
Ethe
rnet
AVB
LVD
S
………….………….
EthernetorOBDDiagnosticPort
High-Speed Ethernet
High-Speed Ethernet
High-Speed Ethernet
RepresentativeApproachtoNext-GenVehicleNetwork CloudServer
IVIHeadUnit/Gateway
2017©Excelfore
TheeSyncSystemArchitecture
Encryption&Authentication
SecurityCheckPoint
Encryption&Authentication
2017©Excelfore
UpdateAgent
2017©ExcelforeADASInfotainment Body/ChassisPowertrain
VehicleGateway
PowertrainController/Gateway
ADASController/Gateway
BodyController/Gateway
eSync
CAN
LIN
CAN
Ethe
rnet
TSN
Ethe
rnet
TSN
CAN
Ethe
rnet
ASILD ASILBASILD ASILB
Ethe
rnet
AVB
LVD
S
………….………….
EthernetorOBDDiagnosticPort
High-Speed Ethernet
High-Speed Ethernet
High-Speed Ethernet
RepresentativeApproachtoNext-GenVehicleNetwork(SingleClient,MultipleAgents)
CloudServer
IVIHeadUnit/Gateway
eSyncClient
Agent
AgentsAgents
Agents Agents
Agent Agent Agent
2017©Excelfore
OperationalModesofOTACloudtoDMClient
DMClienttoMessageServer
MessageServertoUpdateAgentStatusAgenttoUpdateAgent
UpdateAgentRe-flashofECU
RunDiagnosticScripts
ECUUpdateAgenttoMessageServer
StatusAgenttoDMClient
DMClienttoCloud
DataPush
DataPull
2017©Excelfore
Agenda
1. Considerations– ObjectivesandConstraints
2. ArchitectureReview
3. Protocols,SystemRequirements,Security
4. UseCaseExamples
2017©Excelfore
UDSServerCommandSequences
UDSSessionsLayer1. SettheUDSserverintoprogram
mode2. Resettonewmode3. RequestSeed*4. SendKey*5. TransferData†(multipledata
transfers)6. EraseMemory†7. VerifyMemory8. SettoNormalMode9. ResettoNormalMode10. EndofProcedure
UDSApplicationLayer1. TransferData2. ReadDataID(evenreadingDTC
codes)3. WriteDataID4. UploadData5. Erase6. Verify
*MaynotbeavailableonallECUs†SequencemaydifferbetweenUDSservers
2017©Excelfore
EthernetBasedECUs
• NewerECUsMayhaveEthernetInterface
• SecurityProtocolscanbeEmbeddedintoECUs
• EndtoEndAuthenticationcanGototheECUsDirectly• PayloadcanRemainEncrypted
• SimplifiestheSecurityArchitectureandLayoutofDevices• ClearSegmentationofFunctionalDomains(usingPortsandVLAN)
• NoChangetoUDSClient/UDSServerHandshake• SameasCAN-basedECUTransactions
2017©Excelfore
SecurityConsiderations
• DMClientActsasGateKeeperforAuthentication• PreferredLocation:InTCU• CanbeinGatewaySwitch– allExternalConnectionareAuthenticated
• DMClientinaHeadUnit (InfotainmentGateway)PresentsaSecurityRisk
• ForECUslocatedonFlexRay,CAN,LIN– UpdateAgentsCanResideinGateways• EachECUAuthenticateswithitsUpdateAgent
• NewerECUsonIPNetworkscanHostUpdateAgentwithintheirCodeSpace• IsolateLegacyECUsfromDirectConnectiontoOBDPort• UseECUArbitrationtoAuthenticateLegacyECUConnections
• DMClientandeachECUhavetheirownUniqueDigitalCertificates• EstablishBi-DirectionalAuthentication• DifficultforAttackersto‘Spoof'orImpersonateAnyElement,DifficulttoGainAccesstotheSystem
• Removes“maninthemiddle”Attacks
• ImpactonCostandPerformance
2017©Excelfore
SystemResourceRequirementsforeSyncClient
• OperatingSystemwithSecureNon-VolatileFileSystem
• EnoughFileSystemMemoryfortheLargestExpectedCombinationofSoftwareUpdateImages,PlusApproximately10%
• EnoughNon-VolatileFileSystemMemorytoBufferDiagnosticandTelematicsData
• ToPreventLossofDatawhenConnectionisInterrupted
• Lessthan500KBforeSyncClientCode
• Typical:about500KBforRAM
• AdditionalRAMMaybeNeededforManyUpdate/DiagnosticAgentsintheSystem
2017©Excelfore
Agenda
1. Considerations– ObjectivesandConstraints
2. ArchitectureReview
3. Protocols,SystemRequirements,Security
4. UseCaseExamples
2017©Excelfore
DemonstratedUseCaseEnvironments
eSyncClient:
• OperatingSystems:Linux,QNX,IntegrityandAndroid
• OtherOSandFileSystemsarePossible
• Processors:IntelApolloLake;NXPi.MX6;QualcommSnapdragon820;RenesasR-Car3
eSyncAgent:AllOSsandProcessorsUsedfortheeSyncClient,Plus:
• OperatingSystems:AUTOSAR,Erika,FreeRTOS
• ProcessorsandControllers:NXPMPC5777/5648;CortexR4/CortexM
• Bus/Networks:Ethernet(Broad-RReach,AVB/TSN),CAN,LIN,FlexRay,USB
2017©Excelfore
UseCase1:BasicVehicleSystem
eSyncClient
Agent
Agent
Agent
Agent
Agent
2017©Excelfore
UseCase2:VehicleInterconnectUsingEthernetforNewVehiclePlatforms
eSyncClient
Agent
Agent
AgentAgent
Agent
Agent Agent
2017©Excelfore
UseCase3:Multi-DomaineSyncOTASystemWithSecureGatewayforCriticalDomain
eSyncClient1
Agent
Agent
Agent
eSyncClient2
SecureDomain
2017©Excelfore
SummaryofeSyncSystem
• Bi-DirectionalandTransactionBasedInformationTransfer• ModularDesignwithUpdateAgentsforAllElectronicDevices(ECUs,Sensors,etc.)• IntheDeviceforIPAddressableEthernetDevices• IntheIPAddressablePortoftheGatewaySwitchforCAN,LINDevices• EnsuresSystemReachesAllElectronicDevices
• LayeredAuthenticationandEncryptionBetweenAllModules• RobustSecurityagainstHackers
• AnyNumberofUpdateAgents,UpdateAnyNumberofECUsinParallel• MinimizesVehicleDowntimeduringUpdates
• ModularDesignforOptimalUseofLimitedCPUandMemoryResources
