S32K ARCHITECTURE AND FOTA - NXP Community
Transcript of S32K ARCHITECTURE AND FOTA - NXP Community
PUBLIC USE
OSVALDO ROMERO / STEVE MIHALIK
APPLICATIONS ENGINEER / SENIOR FIELD APP ENGINEER
FTF-AUT-N1795
MAY 17, 2016
AGENDA
• FOTA Overview
• S32K Portfolio
• S32K Use cases
• Secure OTA in S32K144
Objective
• Overview of OTA and its challenges.
• Understand how NXP handles over-the-air updates across its portfolio.
• Understand how to handle over-the-air updates in low-cost edge-node MCUs such as S32K devices.
Today: 90% of Auto Innovation via electronics
NXP is #1 in: Auto Analog/RF, Auto MCU (ex JPN), Auto Merchant MEMS Sensors
• #1 Infotainment: tuners, software-defined digital radio, multimedia processors, sound system DSPs & amplifiers, NFC BT pairing, wireless power charging, power management
• #1 Secure car access: immobilizer/security, remote keyless entry, passive keyless entry/go, bi-directional keys, NFC, ultra wide band
• ADAS & security, powertrain & chassis: microcontrollers, pressure/motion sensors, battery management, drivers, standard products (logic, power, discretes)
• #1 Vehicle networking: CAN/LIN/FlexRay, Ethernet, central gateway controller, security, RF
• #1 Safety: microcontrollers and analog for airbag; microcontrollers, analog and sensors for braking; tire pressure monitoring
• #1 Body: microcontrollers, position/angle sensors, system basis chips
NXP is #1
FOTA Overview: Common Recall Process
• Done at a dealer
• A special hardware tool is used
• Engine is not running
• The target node application is halted
• Main application erased and reprogrammed
FOTA Overview: Motivations
• Increasing number of recalls for software
• Dealer update $
• As software complexity increases, the probability that a software update will be required also increases
• User convenience vs going to dealer
• Safety can be improved with quicker updates
FOTA Overview: MOVING DEEPER INTO THE VEHICLE
[Diagram 1: FOTA update of infotainment & telematics systems. The OEM server updates units with high-density NVM (e.g. telematics unit, infotainment unit). Focused on updates to software on the infotainment & telematics, but not propagating further into the vehicle architecture.]
[Diagram 2: FOTA update of major ECUs within the vehicle. The OEM server delivers to a central in-vehicle FOTA server with high-density NVM (e.g. telematics unit, gateway), which forwards updates to in-vehicle FOTA clients with embedded NVM (e.g. powertrain ECU, braking ECU, body ECU).]
New challenges with this architecture:
• Security throughout
• Cost sensitivity of embedded ECUs
• Embedded NVM vs High Density NVM
• Strategy of when & what to update
FOTA Overview: A/B Swap Use Case
Reset vectors to bootloader, which is never erased
[Diagram: flash prior to update: Bootloader | Current Firmware | Old Firmware. Flash after update: Bootloader | Current Firmware | New Firmware. Flash after next key-on: Bootloader | Old Firmware | Current Firmware (the new firmware is now current and the previous one is kept as the roll-back copy).]
Advantages:
• Update can be carried out while current application is actively running from flash
• Always have original firmware to roll back to in case of issue
• Vehicle is always available – guaranteed no vehicle downtime regardless of update errors
Disadvantage:
• Requires ~2x flash application storage
FOTA Overview: In Place Use Case
Reset vectors to bootloader, which is never erased
[Diagram: flash before update: Bootloader | Current Firmware. Flash after update: Bootloader | New Firmware (the current firmware is overwritten in place).]
Advantages:
• No need for additional flash (although 1 additional empty flash block or RAM is typically required during update process)
Disadvantages:
• Requires vehicle downtime during update process
• Not possible to instantly “roll-back” if an issue occurs
FOTA Overview: Assumptions
• End node:
− gets partial or full image for flashing
− will have at least enough spare erased flash for a full image
− receives updated software over serial link
− has boot block which never changes with OTA updates
• Best case: update is performed while running existing software
• Before new software becomes active, application/boot software can perform:
− Security validation
− Functional validation
• New software starts on reset following the update completion
FOTA Overview: Challenges AT CHIP
• Additional memory for AB swap
• Remapping
• Read while write
• Security
FOTA Overview: Automotive FOTA MAP
[Chart: NXP devices placed by memory size (vertical axis) and application segment (General Purpose, Gateway, Infotainment, Other), with the over-the-air update type supported (Partial vs. Full): S32K144, S32K146, S32K148, MPC5748G, MPC57xx, i.MX]
FOTA Overview: FULL FOTA DEMO
• This demo was designed to demonstrate firmware update capabilities common on many
NXP devices. The demo platform uses two MPC5748G evaluation boards:
− One will send update via CAN
− Other receives update, programs into flash and makes it the default firmware for next boot
• Key features to demonstrate:
− Flash remapping – map sections of flash to different addresses, providing a simple method to
switch between firmware
− Flash Read-While-Write (RWW) capability (Being able to erase and program a block of flash whilst
simultaneously executing from another block)
− Firmware Authentication (Confirming that the firmware is from a valid source and that it has not
been tampered with during transmission)
S32K Portfolio: Targeting General Purpose Applications
Battery management, tire pressure receiver, wireless charging, human machine interface, body control module, climate control, door/window/sunroof, near field communication, lighting, secure transmission / encryption in cars, chassis systems, PMSM/BLDC motor control, touch sensing, park assist, NOx reduction systems, motorbike ECU/ABS, DC/DC converters, e-shifter, rear view camera tilt, steering wheel electronics
S32K Portfolio: S32K For Edge Nodes
[Diagram: in-vehicle network. Edge nodes: roof module; door control front left/right and rear left/right; HVAC main and rear; park heating; steering column module; park assistance; ambient lighting; heater left/right; fan left/right; front power module left/right; energy manager; TPMS antenna; car access module; wiper control; dashboard; seat control; steering sensors (angle/torque); rain/light sensor; immo; lighting switch; start/stop; flapper 1 ... These connect over CAN (FD), LIN, FlexRay, Ethernet and diagnosis to the Gateway / Body (Domain) Control Module. Powertrain/Chassis unit: engine control, stability control, transmission control, damping control, (adaptive) cruise control, headlight control, anti-lock brake, battery management. ADAS unit: surround view (Cam 1 to Cam 4), radar unit (Sens 1 to Sens 4). Head unit backbone: remote tuner, amplifier, display front, display rear (x2), telematics box, window, mirror.]
2B NODES IN 2014, 4B NODES IN 2020
OVERGROWING AUTOMOTIVE MARKET
KEY ENABLER FOR ALL CAR INNOVATION: COMMUNICATION, ENERGY MANAGEMENT, SAFETY, SECURITY
S32K Portfolio: S32K1xx / KEA Product Series Compatibility
Pin Compatibility:
• Within S32K1xx product series
• To KEA products
IP Compatibility:
• With MPC5xxx product series: FlexCAN, eDMA, QuadSPI
• With Freescale Kinetis and KEA products: FlexTimer, IIC, LSPI, UART, ADC, CRC, FlexIO
Portfolio by flash size (rows) across the pin-count axis (16/24, 32, 48, 64, 80, 100, 100 BGA, 144, 176):
• 2M: S32K148*, S32K148, S32K148, S32K148
• 1M: S32K146*, S32K146, S32K146, S32K146
• 512K: S32K144, S32K144, S32K144
• 256K: S32K118 / S32K142, S32K118 / S32K142
• 128K: S32K116, S32K116, KEAZ128, KEA128
• 64K: KEAZN64 / S32K114, S32K114, KEAZ(N)64, KEAZ64
• 32K: KEAZN32, KEAZN32
• 16K: KEAZN16, KEAZN16
• 8K: KEAZN8
*potential option
S32K Portfolio: S32K144 Block Diagram
[Block diagram. MCU core and memories: ARM Cortex-M4F at 112 MHz with FPU, DSP, MPU and 4 KB I/D-cache; crossbar switch with MPU; RAM up to 64 KB; flash up to 512K; EEPROM up to 4 KB; NVIC; system peripheral bridge; security (CSEc); 16ch eDMA; debug via SWD/JTAG. Digital components: RTC, LVD, WDOG, EWM, SCG with FLL clock multiplier, external oscillator (8 - 40 MHz), fast R/C oscillator (48 MHz, 1%), slow R/C oscillator (8 MHz, 3%), LP oscillator (128 kHz, 10%), PMC 2.7 - 5.5 V. 5 V analogue components and communications / I/O: 2x ADC (16ch, 12-bit), ACMP with 8-bit DAC, 4x FlexTimer (8ch, 16-bit), 3x FlexCAN (1 with FD), 2x PDB, 3x SPI, 1x I2C, FlexIO (I2S, UART, SPI), LPIT, CRC, 3x UART/LIN.]
Operating Characteristics
• Voltage range: 2.7V to 5.5V
• Temperature (ambient): -40°C to +125°C
Packages & IO
• Open-drain for 3.3 V and hi-drive pins
• Powered ESD protection
• Packages: 100 BGA, 64 LQFP, 100 LQFP
• High performance
− ARM Cortex M4F up to 112MHz w FPU
− eDMA from 57xxx family
• Software Friendly Architecture
− High RAM to Flash ratio
− Independent CPU and peripheral clocking
− 48MHz 1% IRC – no PLL init required in LP
− Registers maintained in all modes
− Programmable triggers for ADC: no SW delay counters or extra interrupts
• Functional safety
− ISO26262 support for ASIL B or higher
− Memory Protection Unit
− ECC on 512K Flash / 64K Dataflash and RAM
− Independent internal OSC for Watchdog
− Diversity between ADC and ACMP
− Diversity between SPI/SCI and FlexIO
− Core self test libraries
− Scalable LVD protection
− CRC
• Low power
− Low leakage technology
− Multiple VLP modes and IRC combos
− Wake-up on analog thresholds
• Security
− CSEc (SHE-spec)
S32K Portfolio: Flash System
[Block diagram: Bank 0, Program Flash, 2 x 256 KB, 128 bits wide, behind a flash controller with a 128-bit prefetch buffer and a 128-bit store buffer; Bank 1, FlexNVM, 64 KB, 64 bits wide, with a 64-bit prefetch buffer and a 64-bit store buffer; 4 KB FlexRAM used for EEPROM emulation; all attached to the XBAR over 32-bit ports (S0).]
S32K Portfolio: Flash Arrays
FOTA relevant features:
• Sector size (= minimum erase size)
− 4K Bytes in Program Flash (bank 0)
− 2K Bytes in Data Flash (bank 1)
• Read-While-Write (RWW) features between Bank0 (Program Flash) and Bank1 (Data Flash)
Key additional flash features:
• C90TFS (Thin-Film-Storage) technology
• ECC support: Single Bit Error Correction and Double Bit Error Detection
− 32bit ECC word in data flash
− 64bit ECC word in program flash
• Access time: Flash clock is about 1/4 of the core clock
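The sector-granular erase and the cross-bank read-while-write rule above, together with the "erase older image, but not bootloader" step of the A/B swap sequence, as an added host-side model (not NXP's flash driver; the scaled-down bank sizes, the bootloader occupying the first program-flash sector, and the erase-at-sector-boundary rule are assumptions):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Host-side model of the two S32K144 flash banks. Bank sizes are scaled down
 * (assumption) so the arrays fit in a process; sector sizes follow the slide:
 * 4 KB in program flash (bank 0), 2 KB in data flash (bank 1). The bootloader
 * is assumed to occupy the first program-flash sector. */
#define PFLASH_SECTOR 4096u
#define DFLASH_SECTOR 2048u
#define PFLASH_SIZE   (4u * PFLASH_SECTOR)
#define DFLASH_SIZE   (4u * DFLASH_SECTOR)
#define BOOT_END      PFLASH_SECTOR

typedef enum { BANK_PFLASH = 0, BANK_DFLASH = 1 } bank_t;
typedef enum { FLASH_OK, FLASH_ERR_RANGE, FLASH_ERR_BOOT, FLASH_ERR_RWW,
               FLASH_ERR_NOT_ERASED } flash_rc_t;

static uint8_t pflash[PFLASH_SIZE];
static uint8_t dflash[DFLASH_SIZE];

static uint8_t *bank_mem(bank_t b, size_t *size, size_t *sector)
{
    if (b == BANK_PFLASH) { *size = PFLASH_SIZE; *sector = PFLASH_SECTOR; return pflash; }
    *size = DFLASH_SIZE; *sector = DFLASH_SECTOR; return dflash;
}

void flash_mass_erase(void)
{
    memset(pflash, 0xFF, sizeof pflash);   /* erased flash reads all ones */
    memset(dflash, 0xFF, sizeof dflash);
}

/* Program one received image segment at a bank offset. Each sector the segment
 * enters at its boundary is erased first (the "erase older image" step); a
 * segment continuing mid-sector must land on still-erased cells. RWW only works
 * across banks, so the bank the code executes from (exec_bank) is refused, and
 * the bootloader sector is never erased or programmed. */
flash_rc_t flash_program_segment(bank_t bank, bank_t exec_bank, size_t addr,
                                 const uint8_t *data, size_t len)
{
    size_t size, sector;
    uint8_t *mem = bank_mem(bank, &size, &sector);
    if (len == 0 || addr > size || len > size - addr) return FLASH_ERR_RANGE;
    if (bank == exec_bank) return FLASH_ERR_RWW;
    if (bank == BANK_PFLASH && addr < BOOT_END) return FLASH_ERR_BOOT;
    for (size_t s = addr / sector; s <= (addr + len - 1) / sector; s++)
        if (s * sector >= addr) memset(mem + s * sector, 0xFF, sector);
    for (size_t i = 0; i < len; i++)          /* flash can only clear bits */
        if (mem[addr + i] != 0xFF) return FLASH_ERR_NOT_ERASED;
    memcpy(mem + addr, data, len);
    return FLASH_OK;
}
```

Segments that are sector-aligned on their first byte therefore wipe the old image one sector at a time, while a bootloader running from data flash (or RAM) keeps the program-flash bank free for programming.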
S32K Use Cases: S32K144 A/B Swap
[Diagram: an over the air update delivers a new firmware image to the GATEWAY (MPC5748G device), which sends the update over CAN to the EDGE NODE (S32K144 device). S32K144 memory layout: Program Flash, Bank 0: Array 0 with Bootloader and Image A (256 KB), Array 1 with Bootloader and Image B (256 KB); Data Flash, Bank 1 (64 KB): flash driver, flags, user data; SRAM (60KB) holds the new image sector to update.]
S32K Use Cases: A/B Swap Steps (1 of 4)
[Sequence diagram: the gateway sends "Update image" and a "Handshake flag" to the S32K144 device over the CAN bus.]
• S32K144 device, running: Bootloader
− No new image available
− Branch to image A
• S32K144 device, running: Image A
− Update request
− New image flag set
• S32K144 device, running: Bootloader
− New image request detected
− Check program flash array available
S32K Use Cases: A/B Swap Steps (2 of 4)
[Sequence diagram: flash commands ("Flash CMDs") and a "Handshake flag" are exchanged over the CAN bus.]
• S32K144 device, running: Bootloader
− Download flash driver to Dflash/RAM
S32K Use Cases: A/B Swap Steps (3 of 4)
[Sequence diagram: a "New image segment" arrives over the CAN bus; the device answers with "Request new image segment". Loop until completed.]
• S32K144 device, running: Bootloader
− Receive new image segment
− Write new segment in RAM
• S32K144 device, running: DFLASH (or RAM if desired)
− If necessary, erase older image, but not bootloader!!!
− Write new image segment in flash block available
− When completed branch to bootloader
• S32K144 device, running: Bootloader
− Handshake for next segment
S32K Use Cases: A/B Swap Steps (4 of 4)
• S32K144 device, running: Bootloader
− Set update flag completed
− Issue a reset
• S32K144 device, running: Bootloader
− New image flag detected
− Update flag detected
− Update flash side available
− Branch to new image
• S32K144 device, running: Image B
− Erase update status flags
S32K Use Cases: A/B Swap Summary for S32K144
Pros/Limitations
- Pro: A-B swap allows backup immediately available
- Limitation: compared to large MCUs with multiple code partitions, updating the image cannot be done live
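The bootloader's post-reset decision of the A/B swap use case and its four-step sequence, as an added example (not code from the slides or from NXP; the flag layout, the marker values and the checksum standing in for CSEc secure-boot verification are assumptions):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum { SIDE_A = 0, SIDE_B = 1, SIDE_NONE = -1 };   /* the two program-flash arrays */

/* Constructed flag values: erased data flash reads 0xFFFF, so "clear" is the
 * erased pattern and "set" is a programmed pattern. */
#define FLAG_SET   0x5A5Au
#define FLAG_CLEAR 0xFFFFu

/* Update status flags the slides keep in data flash (bank 1); modelled in RAM. */
typedef struct {
    uint16_t new_image;   /* set by the running application on update request */
    uint16_t update_done; /* set by the bootloader after the last segment     */
    uint16_t target_side; /* array the new image was programmed into          */
} update_flags_t;

typedef struct {
    const uint8_t *data;
    size_t len;
    uint32_t trailer;     /* integrity value stored with the image            */
} image_t;

/* Stand-in for the secure-boot check (assumption: a Fletcher-style checksum
 * instead of the CSEc CMAC verification, so the block runs on a host). */
uint32_t image_digest(const uint8_t *p, size_t n)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < n; i++) { a = (a + p[i]) % 65521u; b = (b + a) % 65521u; }
    return (b << 16) | a;
}

bool image_valid(const image_t *img)
{
    return img->len != 0 && image_digest(img->data, img->len) == img->trailer;
}

/* Bootloader decision after reset: the array to branch to, or SIDE_NONE when
 * neither image validates. A flagged update whose image fails validation is
 * discarded and the previous side keeps running (the A/B roll-back). */
int boot_select(update_flags_t *f, const image_t img[2], int current_side)
{
    if (f->new_image == FLAG_SET && f->update_done == FLAG_SET) {
        int side = f->target_side;
        if ((side == SIDE_A || side == SIDE_B) && image_valid(&img[side]))
            return side;
        f->new_image = f->update_done = f->target_side = FLAG_CLEAR;
    }
    if (image_valid(&img[current_side]))
        return current_side;
    int other = current_side ^ 1;  /* fall back to the other array */
    return image_valid(&img[other]) ? other : SIDE_NONE;
}
```

When the new image is chosen the flags are left set, because in the slides' step 4 it is the new image itself that erases them once it runs.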
S32K Portfolio: S32K148 Block Diagram
[Block diagram. MCU core and memories: ARM Cortex-M4F at 112 MHz with FPU, DSP, MPU and 4 KB I/D-cache; crossbar switch with MPU; RAM up to 256KB; flash up to 2M; EEPROM up to 4 KB; NVIC; system peripheral bridge; security (CSEc); 16ch eDMA; debug via SWD/JTAG. Digital components: RTC, LVD, WDOG, EWM, SCG with FLL clock multiplier, external oscillator (8 - 40 MHz), fast R/C oscillator (48 MHz, 1%), slow R/C oscillator (8 MHz, 3%), LP oscillator (128 kHz, 10%), PMC 2.7 - 5.5 V. 5 V analogue components and communications / I/O: 2x ADC (32ch, 12-bit), ACMP with 8-bit DAC, 8x FlexTimer (8ch, 16-bit), 3x FlexCAN (2 with FD), 2x PDB, QuadSPI, 3x SPI, 2x I2C, FlexIO (I2S, UART, SPI), LPIT, CRC, 3x UART/LIN, SAI (I2S, AC97, TDM), 100MBit/s Ethernet incl. PTP.]
Packages & IO
• Open-drain for 3.3 V and hi-drive pins
• Powered ESD protection
• Packages: 100 BGA, 144 LQFP, 176 LQFP
Operating Characteristics
• Voltage range: 2.7V to 5.5V
• Temperature (ambient): -40°C to +125°C
• High performance
− ARM Cortex M4F up to 112MHz w FPU
− eDMA from 57xxx family
• Software Friendly Architecture
− High RAM to Flash ratio
− Independent CPU and peripheral clocking
− 48MHz 1% IRC – no PLL init required in LP
− Registers maintained in all modes
− Programmable triggers for ADC: no SW delay counters or extra interrupts
• Functional safety
− ISO26262 support for ASIL B or higher
− Memory Protection Unit
− ECC on Flash/Dataflash and RAM
− Independent internal OSC for Watchdog
− Diversity between ADC and ACMP
− Diversity between SPI/SCI and FlexIO
− Core self test libraries
− Scalable LVD protection
− CRC
• Low power
− Low leakage technology
− Multiple VLP modes and IRC combos
− Wake-up on analog thresholds
• Security
− CSEc (SHE-spec)
S32K Use Cases: Looking forward: S32K148
• Larger program flash and data flash
• External QuadSPI (serial flash) support
− Enables option of storing current and new FW in serial flash.
− Simpler recovery to prior version – no need to resend from gateway or OTA
− New image can be stored “at leisure” then updated faster from local memory
S32K14x Security: Security – Why Worry?
• Same problem which Julius Caesar faced 2000 years ago.
• Avoid hacker attacks
• Prevent reprogramming
• Prevent theft of OEM firmware
• Use cases
- Immobilizer / Component Protection
- Mileage Protection
- Secure Boot
- Secure Communication
S32K14x Security: SHE – An Early Automotive Security Standard
• Background:
− Created by Audi (main driver), BMW and Escrypt
− Published as an official HIS standard (HIS = Herstellerinitiative Software, German for 'OEM software initiative')
• Key features of the SHE specification:
− A secure storage for crypto keys
− Crypto algorithm acceleration (AES-128)
− Secure Boot mechanism to verify custom firmware after reset
− Offers 19 security specific functions
− Up to 10 general and 5 special purpose crypto keys
S32K14x Security: Cryptographic Secure Engine (CSE) uses SHE
[Diagram: evolution of the CSE from CSE1 (PPC cores, 1st automotive security module) through CSE2 and CSE3 to CSEc (ARM cores, optimized security for low-end MCU).]
• SHE Specification Implementation
• Support additional customer requirements
− More keys
− New key attributes
− More Secure Boot features and behavior
− New functions
• Support external flash memory
• Encrypted key images
• Works with OTP-keys
• ISP code protection
• Flash-less ready
S32K14x Security: S32K Security Module (CSEc) – Overview
• SHE functionality moves from dedicated master module into the flash system
• Full SHE Specification compliant and support of all Global-B security requirements
• Secure key storage only accessible by CSEc
• True Random Number System
• Secure Boot support (root-of-trust)
• Sequential boot / parallel boot supported
[Block diagram: the Cortex-M4F (with debug connect) reaches the flash controller through its status, control and interrupt registers (register access); inside the flash controller, a memory controller fronts Program Flash, FlexNVM, FlexRAM and a Secure NVM region, and the CSEc sits in the flash controller next to the Secure NVM.]
S32K14x Security: CSEc Details
• Crypto Keys
− Several General-Purpose keys
− Special Purpose keys (e.g. Secret, Master and Secure-Boot Key & CMAC)
− Support of additional encrypted keys in public flash memory.
• Support of all SHE functions like en-/decoding, CMAC calculation and verification, loading of key values.
• CSEc supports AES-128 with ECB, CBC and CMAC mode
• Support of SHE functions and Miyaguchi-Preneel (MP) Compression
ATTRIBUTION STATEMENT
NXP, the NXP logo, NXP SECURE CONNECTIONS FOR A SMARTER WORLD, CoolFlux, EMBRACE, GREENCHIP, HITAG, I2C BUS, ICODE, JCOP, LIFE VIBES, MIFARE, MIFARE Classic, MIFARE
DESFire, MIFARE Plus, MIFARE FleX, MANTIS, MIFARE ULTRALIGHT, MIFARE4MOBILE, MIGLO, NTAG, ROADLINK, SMARTLX, SMARTMX, STARPLUG, TOPFET, TrenchMOS, UCODE, Freescale,
the Freescale logo, AltiVec, C 5, CodeTEST, CodeWarrior, ColdFire, ColdFire+, C Ware, the Energy Efficient Solutions logo, Kinetis, Layerscape, MagniV, mobileGT, PEG, PowerQUICC, Processor Expert,
QorIQ, QorIQ Qonverge, Ready Play, SafeAssure, the SafeAssure logo, StarCore, Symphony, VortiQa, Vybrid, Airfast, BeeKit, BeeStack, CoreNet, Flexis, MXC, Platform in a Package, QUICC Engine,
SMARTMOS, Tower, TurboLink, and UMEMS are trademarks of NXP B.V. All other product or service names are the property of their respective owners. ARM, AMBA, ARM Powered, Artisan, Cortex,
Jazelle, Keil, SecurCore, Thumb, TrustZone, and μVision are registered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. ARM7, ARM9, ARM11, big.LITTLE, CoreLink,
CoreSight, DesignStart, Mali, mbed, NEON, POP, Sensinode, Socrates, ULINK and Versatile are trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. Oracle and
Java are registered trademarks of Oracle and/or its affiliates. The Power Architecture and Power.org word marks and the Power and Power.org logos and related marks are trademarks and service marks
licensed by Power.org. © 2015–2016 NXP B.V.