We have previously evaluated the main differences between a Trusted Execution Environment (TEE) and a Hardware Security Module (HSM) but could a combined TEE hosted virtual HSM solution be the most compelling option for next generation vehicle designs?
As the automotive industry continues to evolve, the need for enhanced automotive cybersecurity also increases. OEMs are looking to develop new vehicle architectures that are not just capable of meeting the challenges of today but those of 10 years from now.
This presents many new challenges and new solutions need to be investigated to meet them.
Historically, a Hardware Security Module was used to provide key management and cryptographic functionality for other applications. This use of dedicated hardware was viewed as providing enhanced protection, through the related tamper protection mechanisms, and a performance benefit by off-loading from the main processor the overhead of executing cryptographic algorithms.
Although it may intuitively seem that ‘dedicated’ hardware will perform better than general purpose CPUs, the reality is that the latter are extremely performant and run at higher clock speeds. This coupled with the removal of the penalty of shuffling data back and forth to an external unit. In practice, this means that a CPU can perform all the functions of a HSM using only 1-2% of a single core.
Another advantage is latent power consumption. When a TEE is not in use, its CPU resources are being used by the main system, rather than sitting idle wasting standby power. Additionally, it doesn’t require a second set of (power consuming) hardware components managing its interfaces and power states. While this power consumption may be low when multiplied across multiple HSMs, in an electric vehicle every Watt counts.
If the CPU is using a TEE, especially one with an advanced level of EAL certification, then advanced counter measures will be implemented in software to protect the keys against attack. Additionally, the TEE will benefit from the hardware anti-tamper mechanisms that the chipset and RAM vendors provide for their solutions.
So, let’s take a look at the reasons why an OEM may consider using a TEE instead of a traditional HSM.
Enhanced architecture design flexibility options
Today modern vehicles are being designed to protect their users and owners in an everchanging landscape. The move towards greater use of software and the need to maintain the security and protection levels of the vehicle throughout its lifetime, poses many new challenges.
Unlike a fixed-purpose hardware HSM, a TEE hosted software solution can be leveraged to run a broad range of Trusted Applications that can provide enhanced protection to applications and services running in the normal world.
In addition, moving to a TEE-based virtual HSM solution reduces the number of physical parts that need to be included in hardware designs. This can also lead to cost savings for the hardware bill of materials.
Re-useability
By using a TEE based virtual HSM, existing software interfaces and APIs can be reused (always a big positive) but the same HSM code can be deployed in many domains within the vehicle such as the IVI, Network Gateway, ADAS systems etc.
With modern vehicles having 100s millions of lines of code the reuse of trusted code will become an important part of the software architecture strategy both reducing project risk, development time and enhancing overall manageability of the software environment.
Updatability
Perhaps one of the most important benefits is the ability to securely update, over the air, a TEE and its related Trusted Applications. Traditional HSMs can only be updated by an authorised service center or on the production line due to the need to connect them to specific management and update tools.
The ability to remotely update over the air can potentially avoid the need for recalls for purely software-based issues. These enhancements can improve an OEMs ability to comply with new cybersecurity regulations – regulations that require the ability to provide updates to guarantee the protection level of the vehicle throughout its lifecycle.
The ability to change not only the keys, but also the crypto-algorithms used, offers flexible protection against cyber-attacks and future challenges such as currently undiscovered algorithmic vulnerabilities, or even quantum crypto death.
Reduced lifetime support and maintenance costs
Linked to the point above, the ability to reduce or remove the need to recall a vehicle can provide significant cost savings to an OEM. While, as previously highlighted, there can be cost savings from the reduction in hardware costs the real benefits are removing the costs of recalls. The potential inconvenience for vehicle owners and the related disruption that recalls can have for ongoing development / manufacturing activities can be significant.
Conclusion
Embracing new approaches to traditional architecture will become increasingly important to ensuring that the protection levels of a vehicle are maintained over time. Moving from a physical to a virtual HSM solution, within the TEE, is one approach that can provide a wide range of benefits at launch and which can be further extended throughout the lifetime of the vehicle.
At Trustonic, we understand that this is a critical issue for many of our customers and hence we are focused on providing new innovative ways of leveraging our Kinibi TEE Platform. The support for virtual HSM solutions has already generated significant industry interest within the industry with initial deployments already underway.
