METHOD, SYSTEM AND DOMAIN FOR PROVIDING A SECURITY EXECUTION ENVIRONMENT FOR SECURITY-RELEVANT APPLICATIONS

20220318046 · 2022-10-06

    Abstract

    A system, security domain and method for providing a security execution environment for security-relevant, domain-specific applications in a virtualized system.

    Claims

    1-11. (canceled)

    12. A method for providing a security execution environment for security-relevant, domain-specific applications in a virtualized system, the method comprising: sharing by at least two virtual machines a hardware level virtualized using a hypervisor; and providing a middleware level between the hardware level and an application level, the middleware level being configured to provide the security execution environment for executing at least one security-relevant, domain-specific application of a security domain, and at least one further execution environment for executing at least one further domain-specific application of a further domain, the security domain being configured to meet safety requirements and security requirements.

    13. The method as recited in claim 12, wherein a temporal execution of processes and/or tasks of the security domain is planned using scheduling.

    14. The method as recited in claim 12, wherein a planning of a temporal execution of security-relevant tasks and/or security-relevant processes of the security domain takes place in a task-based and/or process-based manner.

    15. The method as recited in claim 12, wherein the security domain accesses both security-related hardware resources and non-security-related, performance-related, hardware resources of the hardware level.

    16. The method as recited in claim 12, wherein the security domain is operated on a separate hardware platform of the hardware level, on a separate hardware chip.

    17. The method as recited in claim 12, wherein the security domain is operated on a separate hardware unit of a hardware platform of the hardware level, a further domain being operated on a further hardware unit of the hardware platform.

    18. The method as recited in claim 12, wherein the security domain is operated on a hardware unit of a hardware platform of the hardware level, and a further domain is operated on the same hardware unit of the hardware platform.

    19. The method as recited in claim 12, wherein the security domain is provided together with at least one further domain.

    20. A security domain including an operating system running in a cell of a hypervisor, the operating system providing interfaces to hardware of a hardware level virtualized using the hypervisor, drivers for security-relevant applications of the security domain, and interfaces for domain-wide applications.

    21. A control system for a motor vehicle configured to provide execution environments for domain-specific applications, comprising: a virtualized system in which a plurality of virtual machines share at least one hardware level virtualized using a hypervisor; a middleware level provided between the hardware platform and an application level, the middleware level further being configured to provide a security execution environment for executing at least one security-relevant, domain-specific application of a security domain and to provide at least one further execution environment for executing at least one further domain-specific application of a further domain.

    22. The system as recited in claim 21, wherein the security domain and/or the at least one further domain includes interfaces for domain-wide communication.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0034] FIG. 1 schematically shows an overview of a system according to one exemplary specific embodiment of the present invention.

    [0035] FIG. 2 schematically shows a representation of a software architecture of a security domain and of one further domain of the system from FIG. 1.

    DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS

    [0036] FIG. 1 shows a system 100, in particular, a control system, in particular, for a motor vehicle.

    [0037] According to the specific embodiment shown, the system includes three hardware platforms 102a, 102b, 102c, which form a hardware level 102.

    [0038] Hardware platform 102a includes four hardware units 104a, 104b, 104c, 104d. These are, for example, microcontroller 104a, secure hardware resources 104b, hardware routing chips 104c, and further hardware elements 104d.

    [0039] Hardware platform 102b includes six hardware units 104e, 104f, 104g, 104h, 104i, 104j. These are, for example, microprocessor 104e, secure hardware resources 104f, hardware routing chips 104g, 104h and further hardware elements 104i, 104j.

    [0040] Hardware platform 102c includes a hardware unit 104k, for example, a hardware accelerator.

    [0041] System 100 further includes a virtualized system 106. Hypervisor 108a, 108b virtualizes hardware platforms 102a, 102b, 102c. Multiple virtual machines 110 share virtualized hardware platforms 102a, 102b, 102c.

    [0042] A middleware level 114 is provided between hardware platforms 102a, 102b, 102c and an application level 112. Middleware level 114 provides multiple execution environments 116, which run on various hardware units 104 of hardware platforms 102a, 102b, 102c.

    [0043] Application level 112 includes, in particular, classic applications 112a and applications including a service-oriented architecture (SOA), SOA applications 112b.

    [0044] Execution environments 116 are configured to execute domain-specific applications 112 of a respective domain 118.

    [0046] A respective domain 118 refers to a particular area of a total functionality, which is provided by system 100.

    [0047] According to the specific embodiment shown, a security execution environment 116-1 is provided for executing at least one security-relevant, domain-specific application 112-1 of a security domain 118-1. Security domain 118-1 has access to both security-related hardware resources and to non-security-related, in particular, performance-related, hardware resources of the hardware level. Security domain 118-1 is, in particular, a trusted instance of the hardware platform and includes security-relevant applications and updates, in particular, executable on a classic or adaptive AUTOSAR execution environment.

    [0048] According to the specific embodiment shown, the following further domains 118 are provided by way of example:

    [0049] Safety domains, in particular, defined safety 118a and flexible safety 118b, and quality management (QM) domains, in particular, defined QM 118c and dynamic QM 118d.

    [0050] The safety domain “defined safety” 118a includes, in particular, applications with requirements according to ASIL x and legacy software, in particular, with hard real-time and deterministic requirements, in particular, executable on a classic AUTOSAR execution environment.

    [0051] The safety domain “flexible safety” 118b includes, in particular, service applications with requirements according to ASIL x having a service-oriented architecture, SOA, in particular, with soft real-time and limitedly deterministic requirements, in particular, executable on an adaptive AUTOSAR execution environment.

    [0052] The QM domain “defined QM” 118c includes, in particular, feature-rich QM service applications, for example, executable on a Linux, for example, Linux GENIVI, execution environment.

    [0053] The QM domain “dynamic QM” 118d includes, in particular, QM applications, for example, executable on a Linux, for example, Apertis Linux, execution environment.

    [0054] Infrastructure domains including, in particular, housekeeping domains 118e, software (SW) management domains 118g.

    [0055] Housekeeping domain 118e includes applications for managing the hardware platform, in particular, ASIL x relevant, with hard real-time and deterministic requirements, in particular, executable on a classic or adaptive AUTOSAR execution environment.

    [0056] SW management domain 118g includes QM applications, in particular, the provision of control unit updates, in particular, executable on a classic or adaptive AUTOSAR or Linux execution environment.

    [0057] Information domains including, in particular, input/output (I/O) domain 118h and communication domain 118i.

    [0058] I/O domain 118h includes the management of analog and digital I/Os and the provision of I/Os for other domains, in particular, ASIL x relevant, in particular, executable on a classic or adaptive AUTOSAR execution environment.

    [0059] Communication domain 118i includes the management of communication channels and protocols and the provision of the communication to other domains, in particular, QM relevant, in particular, executable on a classic or adaptive AUTOSAR or Linux execution environment.

    [0060] Domains for further purposes, in particular, including HW accelerators, HWA domain 118j and further, in particular, customer-specific or project-specific domains 118k.

    [0061] HWA domain 118j includes applications, which utilize hardware accelerators, in particular, GPU, FPGA, in particular, executable on an adaptive AUTOSAR or Linux execution environment.

    [0062] Further, in particular, customer-specific or project-specific domains 118k include purely customer-specific applications, for example, Android.

    [0063] The instantiation of domains 118 is a function of specific project design and the particular applications of system 100.

    [0064] Normally, not all cited domains 118 need to be contained in each project. Moreover, it is also possible to combine individual domains 118, for example, housekeeping domain 118e and I/O domain 118h may be instantiated on the same virtual machine 110.

    [0065] Middleware level 114 supports the use of domains 118 on different hardware units 104. In this case, respective execution environments 116 and/or hardware units 104 meet domain-specific requirements, in particular, real-time requirements and/or security requirements and/or system requirements and/or functional requirements of the respective domain-specific application 112 and/or domain 118.

    [0066] Middleware level 114 implements software functionalities in order to manage and coordinate the different execution environments 116, implementations and used hardware units 104. Examples for these domain-wide/hardware-wide functions are state management, over-the-air-update functions, security services and expanded function-wide diagnoses.

    [0067] According to the specific embodiment shown, it is provided that a security domain 118-1 is operated on separate hardware unit 104b of hardware platform 102a of the hardware level. One further security domain 118-1 is operated on separate hardware unit 104f of hardware platform 102b of hardware level 102. Further domains 118 are operated in each case on further hardware units of respective hardware platform 102a, 102b. Security domain 118-1 is provided bound to a particular, separate hardware unit, for example, to a CPU core, with a direct connection to security-related hardware resources.

    [0068] Alternative specific embodiments not shown may include the security domain being operated on a separate hardware platform of the hardware level, in particular on a separate hardware chip. It may also be provided that the security domain is operated on a hardware unit of a hardware platform of the hardware level, and a further domain is operated on the same hardware unit of the hardware platform.

    [0069] It may prove to be advantageous that the security domain is provided together with at least one further domain. It may be suitable, for example, to combine the security domain with a housekeeping domain. A housekeeping domain includes applications for managing the hardware platform. The security domain may, however, also be combined with other, in particular, relevant, domains. The provision of the security domain together with at least one further domain is suitable, in particular, in systems having a limited number of available hardware units, in particular, CPU cores.

    [0070] FIG. 2 schematically shows a representation of a software architecture of a security domain 118-1 and of a further domain 118 of the system from FIG. 1.

    [0071] Security domain 118-1 includes an operating system 120-1, for example, POSIX-based, which runs, in particular, in a hypervisor cell 108-1. Operating system 120-1 provides interfaces to hardware resources of hardware level 102 virtualized with the aid of hypervisor 108.

    [0072] Interfaces 122-1 include, for example, drivers for cryptographic primitives, in particular, asymmetrical cryptographic primitives, eFuse-drivers and crypto-drivers.

    [0073] The hardware resources include security-related hardware resources 102-1, key memories, random number generators, hardware AES engine and non-security-related, in particular, performance-related, hardware resources 102-2 such as, for example, CPU cores, CPU timers, watchdog timers, eFuses.

    [0074] The operating system or the middleware further provides drivers for security-relevant applications 112-1 of the security domain. Security-relevant applications include, for example, core functionalities such as crypto-backend and key management.

    [0075] Operating system 120-1 or the middleware further provides interfaces 124-1 for domain-wide applications, in particular, domain-wide communication, in particular, synchronous or asynchronous coordination mechanisms.

    [0076] A temporal execution of processes and/or tasks of security domain 118-1 is planned, for example, in particular, with the aid of scheduling. This takes place, for example, with the aid of, in particular, flexible resource-conscious, schedulers for planning processes and/or tasks for execution by security domain 118-1. In this way, runtime guarantees, for example, may advantageously also be provided, and security specifications and real-time specifications may be met. Processes and tasks include the processes and tasks of the security-relevant, domain-specific applications and the associated operating system-related, in particular, POSIX OS, processes of security domain 118-1. A planning of a temporal execution of security-relevant tasks and/or security-relevant processes of security domain 118-1 takes place, for example, in a task-based and/or process-based manner. The scheduling advantageously takes place in such a way that an asynchronous execution of security-relevant tasks and/or security-relevant processes is possible. In this way the real-time response capability and thus the meeting of safety requirements and/or security requirements is improved. The scheduling at the process and/or task level of the security execution environment enables a flexible use with respect to safety requirements and security requirements.

    [0077] One further domain 118 is further represented in FIG. 2.

    [0078] Domain 118 includes an operating system 120, for example, POSIX-based, which runs, in particular, in a hypervisor cell 108. Operating system 120 provides interfaces to hardware resources of hardware level 102 virtualized with the aid of hypervisor 108. The hardware resources include, for example, non-security-related, in particular, performance-related, hardware resources.

    [0079] Domain 118 includes a security client 126, in particular, a proxy, for requesting security services. Security client 126 is adapted to the specific execution runtime environment. Runtime environments include, for example, classic/adaptive AUTOSAR, POSIX OS such as QNX, GHS, Linux. Security client 126 is connected to security domain 118-1 and provides it with the necessary services over secure communication channels. The scheduling of the security services within domains 118 is flexible and may thus support security requirements and real-time requirements. Asynchronous requests/responses are also supported, which is crucial in terms of real-time response capability and load balance of CPU cores. For security-relevant environments, the security service runs on a security-certified operating system, which ensures the scheduling and the freedom from interference at the process level.

    [0080] The essential security logic is thus located within security domain 118-1. Further domains 118 request the security services of security domain 118-1.

    [0081] Thus, according to the specific embodiment shown, security domain 118-1 implements the means required to support the entire multi-domain middleware 114, namely access to centralized security mechanisms that belong to security domain 118-1 and are requested by various further domains 118.

    [0082] If security domain 118-1 is combined with other domains 118, for example, is integrated into a housekeeping domain, operating system 120, 120-1 and hypervisor layer 108, 108-1 are used only once. In this case, it must be ensured that security domain 118-1 is connected to a hardware trust basis, for example, for deriving keys from a secure hardware memory, in particular, HSM. The access to this root of trust is allowed only for the security domain. This occurs via hardware mechanisms and hypervisor mechanisms and/or OS access control mechanisms.
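    The following is an added illustration, not code from the patent or from any product it names, of the two mechanisms described in paragraphs [0076] and [0079] to [0082]: the security domain plans the execution of requested security tasks itself, task by task and asynchronously from the caller's point of view, while other domains reach it only through a security client proxy and the root of trust is reachable only from the security domain. Assumptions made here: an HMAC-SHA256 key derivation stands in for the HSM-backed key memory, the domain names (housekeeping, multimedia, I/O) are taken from the description but the priority values and the `mac` / `verify_mac` services are constructed, and the access gate is a simple domain-id check standing in for the hardware, hypervisor and OS access-control mechanisms the text refers to.

```python
import hashlib
import heapq
import hmac
import itertools

# Constructed identifier of the trusted instance; the only domain allowed to touch the root of trust.
SECURITY_DOMAIN = "security"


class AccessDenied(PermissionError):
    """Raised when a further domain tries to reach the root of trust directly."""


class HardwareRootOfTrust:
    """Model of the HSM-backed key memory (constructed; real hardware would enforce this gate)."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret  # never leaves this object

    def derive_key(self, requesting_domain: str, label: str) -> bytes:
        # Access control: only the security domain may derive keys.
        if requesting_domain != SECURITY_DOMAIN:
            raise AccessDenied(f"{requesting_domain!r} may not access the root of trust")
        return hmac.new(self._master, label.encode(), hashlib.sha256).digest()


class SecurityDomain:
    """Holds crypto backend and key management; serves requests from a priority queue
    so that execution is planned per task and callers do not block on the result."""

    def __init__(self, rot: HardwareRootOfTrust):
        self._rot = rot
        self._queue = []            # heap of (priority, ticket, domain, op, args)
        self._seq = itertools.count()
        self._results = {}

    def submit(self, domain: str, op: str, args: tuple, priority: int) -> int:
        """Asynchronous request: returns a ticket immediately, work happens in run_pending()."""
        ticket = next(self._seq)
        heapq.heappush(self._queue, (priority, ticket, domain, op, args))
        return ticket

    def run_pending(self) -> list:
        """Scheduler step: execute all queued tasks, lowest priority value first."""
        done = []
        while self._queue:
            _, ticket, domain, op, args = heapq.heappop(self._queue)
            self._results[ticket] = self._execute(domain, op, args)
            done.append(ticket)
        return done

    def result(self, ticket: int):
        """Collect a finished result (None if the ticket is unknown or not yet run)."""
        return self._results.pop(ticket, None)

    def _key(self, domain: str, label: str) -> bytes:
        # Keys are scoped to the requesting domain, so domains cannot use each other's keys.
        return self._rot.derive_key(SECURITY_DOMAIN, f"{domain}/{label}")

    def _execute(self, domain: str, op: str, args: tuple):
        if op == "mac":
            label, message = args
            return hmac.new(self._key(domain, label), message, hashlib.sha256).hexdigest()
        if op == "verify_mac":
            label, message, tag = args
            expected = hmac.new(self._key(domain, label), message, hashlib.sha256).hexdigest()
            return hmac.compare_digest(expected, tag)
        raise ValueError(f"unknown security service {op!r}")


class SecurityClient:
    """Proxy living inside a further domain: forwards requests, holds no key material."""

    def __init__(self, domain: str, security_domain: SecurityDomain, priority: int):
        self._domain = domain
        self._sd = security_domain
        self._priority = priority

    def request(self, op: str, *args) -> int:
        return self._sd.submit(self._domain, op, args, self._priority)

    def collect(self, ticket: int):
        return self._sd.result(ticket)


def demo() -> tuple:
    """Constructed scenario: a safety-relevant domain is served before a QM domain that asked
    first, a MAC round-trips through the proxy, and a direct root-of-trust access is refused."""
    rot = HardwareRootOfTrust(b"constructed-master-secret")
    sd = SecurityDomain(rot)
    housekeeping = SecurityClient("housekeeping", sd, priority=0)  # ASIL-relevant, served first
    multimedia = SecurityClient("multimedia", sd, priority=2)      # QM, served later

    t_mm = multimedia.request("mac", "session", b"frame-0001")
    t_hk = housekeeping.request("mac", "config", b"watchdog=on")
    order = sd.run_pending()                  # priority order, not arrival order
    tag = housekeeping.collect(t_hk)

    t_ok = housekeeping.request("verify_mac", "config", b"watchdog=on", tag)
    sd.run_pending()
    verified = housekeeping.collect(t_ok)

    try:
        rot.derive_key("multimedia", "session")  # bypassing the proxy must fail
        denied = False
    except AccessDenied:
        denied = True
    return order == [t_hk, t_mm], verified, denied


if __name__ == "__main__":
    print(demo())
```

    The scheduling step is deliberately separated from the request so that a further domain can continue with its own real-time work and pick the result up later, which is the asynchronous request/response pattern the description calls out; the per-domain key scoping in `_key` is a design choice of this illustration, not something the patent specifies.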

    [0083] Described system 100 and described security domain 118-1 may be used, in particular, in automotive control units, in particular, in centralized domain computers or vehicle computers, which serve as an integration platform for various types of applications. The focus may be on applications having, in particular, different, critical safety objectives and security objectives. Supported execution environments are, for example, classic/adaptive AUTOSAR, real-time (safety) POSIX (QNX, GHS, VxWorks, PikeOS) and non-real-time (for example, Linux). Typically, a combination of security-certified µC SoCs such as Infineon TriCore, MPC57x/SPC58x or Renesas RH850 with application processors such as NXP S32V, S32G, Xilinx Zynq UltraScale, Renesas R-Car family or Intel x86 is used. In the automotive industry, the focus may be, in particular, on autonomous driving applications, chassis applications, engine control, gateway, body applications, and/or multimedia. The described system may, however, also be used in industrial automation or in transportation systems.