A Trinity of Core Components Enables Digital Cockpits in Cars

By Romain Saha
Strategic Alliances Manager
Blackberry QNX

The dawn of the digital cockpit has arrived. Loosely defined, the digital cockpit combines an automobile’s digital instrument clusters and infotainment systems into a more unified user experience. More comprehensive definitions may also include heads-up displays and features such as gaze tracking.

There is nothing inherently complicated in the development of a digital cockpit. Infotainment system design is well understood, and digital instrument clusters, while a somewhat newer addition to the vehicle interior, are in production today. Heads-up displays have also been available for quite some time.

There are few digital cockpits on the market, aside from those in production luxury cars.

This rarity is because running three systems in a vehicle is a costly proposition. Mainstream adoption of the digital cockpit necessitates a different approach. It requires that we simplify the overall design, collapsing hardware onto a single System on a Chip (SoC) and board.

There are three important considerations:

1. Does the SoC have the processing capability required to run two or more subsystems simultaneously? 
2. Does the foundational software leverage the underlying hardware in a way that meets overall system requirements? 
3. How can you create a truly unified user experience?

1. The SoC

Today’s SoCs are powerful. A single chip can run infotainment systems, instrument clusters, and vehicle displays. This level of performance creates the potential for significant cost savings, not only in the number of silicon chips, but at the board level as well.  

Using a powerful SOC, a single board can replace three that were traditionally used  the car. Existing, and soon-to-be released processors, can meet the processing requirements of all but the most computationally intensive systems. At CES, BlackBerry QNX demonstrated this reality, with a digital cockpit run off a single Intel Atom A3900 series processor.

2. The Foundational Software

The fundamental challenge facing digital cockpit architecture involves meeting functional safety requirements for the digital instrument cluster. Certifying the entire cockpit is one possibility– one that is less than ideal. Such a brute force approach would increase both cost and time-to-market.

A more elegant solution would be to isolate the cluster, allowing certification of the cluster component without having to certify the rest of the system. This action can be accomplished using hypervisor software. The hypervisor software allows the cluster, infotainment, and heads up display (HUD)  system to  each run as fully-independent virtual machines.  This isolation between systems that all share the same SOC via the Hypervisor allows the cluster to be treated as a stand-alone system and certified separately. . The Hypervisor ensures that if the infotainment system or HUD system crash, for whatever reason, the cluster will not crash.

Safety is a key variable for a cluster. However, it is equally important that on-screen rendering is done properly. Imagine, for example, if the cluster renders  a P for park instead of an R for reverse. The consequences could be catastrophic. This capability is handled by QNX’s digital instrument cluster platform using a graphics monitor.

3. The Experience

All the technology in the world will not make up for a poor user experience.  It is not enough to have multiple screens in the car; those screens need to work in tandem.

Cluster, head unit, infotainment, and entertainment screens are all part of a new digital user experience. These parts cannot be discrete systems developed in isolation. Instead, the components must be viewed from an overall User Interface/User Experience (UI/UX) perspective as a single canvas - the digital cockpit.

The creative component is not the only consideration. Care must be given to address overarching safety requirements. Safety-critical elements such as brake system warnings and air bags must be rendered accurately, and certification is a priority.

The role of BlackBerry QNX in The Digital Dashboard

As described above, all three key elements, the SoC, the foundational software, and the driver experience must be carefully selected to achieve a compelling digital cockpit.

BlackBerry QNX and Rightware demonstrated how such a digital cockpit may look in reality. Using Intel’s A3900 SOC, Rightware developed a digital instrument cluster that leverages the QNX Hypervisor, Digital Instrument Cluster Platform (QPIC) and QNX Car Infotainment platform (QNX car); both platforms running on QNX operating system.. This cluster platform and the QNX CAR Infotainment Platform run on QNX Hypervisor as independent virtual machines. 

This is an exciting time in the automotive industry. The digital cockpit has arrived, bringing cost savings and a better user experience. Advances in hardware and software will further shift how drivers will interact with their cars, ultimately, in ways never imagined.

---

All Security is Personal

Bill Boldt

Business Development Manager, Security

BlackBerry

 To make any digital product secure it must have its own personality, which is crypto-speak for a unique digital identity.  This digital identity comes in the form of a cryptographic key, which is a binary number of a specified length that is assigned to and stored in a device, such as a memory or processor chip. In security operations, keys get used by mathematical algorithms to enable the three pillars of security; namely, confidentiality, data integrity, and authentication.  Crypto keys are considered valuable digital assets because a company’s brand equity is increasingly tied to the security of their products.  Product security is directly proportional to how securely the crypto keys are generated, transmitted, injected, and stored in devices. Such a process of key management and injection is called personalization (and it is also called provisioning).  The point here is that the factories where personalization happens must be made secure if the key--and the products and processes that subsequently use them--are to be secure. BlackBerry’s Certicom subsidiary offers a way to make factories secure with a product called the Asset Management System (AMS). 

AMS deploys secure equipment to remote factories to manage and inject cryptographic keys such that the keys (and thus the products they protect) remain secure from tampering, counterfeiting, and cloning.  Without AMS there would be multiple attack points in the supply chain allowing grey marketers access to valuable IP and products, particularly at various subcontractor sites. Vulnerabilities can be introduced at several points in the manufacturing flow of a semiconductor chip, including at wafer test, bonding and packaging, and chip testing. Personalization prevents subcontractors from overbuilding, copying, or cloning devices, designs, or firmware. Personalization via AMS ameliorates those vulnerabilities and thus enhances product trust and brand equity.

Certicom AMS makes it possible to add Digital Rights Management (DRM) and Conditional Access System (CAS) device personalization in a manner that  protects DRM and CAS keys at vulnerable (i.e. attackable) manufacturing stages.  Using AMS minimizes the risk from liquidated damages clauses contained in High Definition Content Protection (HDCP), Content Protection for Recordable Media (CPRM), Digital Transmission Content Protection (DTCP), Advanced Access Content System (AACS), and similar agreements. Certicom is the leading commercial solution for HDCP-enabled chip manufacturing.

Automotive Security Evolution

One of the most complex global supply chains is that of the automotive industry and all security for cars begins with securing this supply chain.  With connectivity and autonomous driving features gaining increasing traction, the main features of cars are literally being defined by software, and that software must be safe and trusted.  Therefore, it is essential to protect software in every module and system in a car— starting with secure personalization.  

Once a module is securely personalized it can be trusted to run cryptographic algorithms to provide the three pillars of security.  Arguably, the most important of the pillars is authentication which proves that the signals are being received from an authentic sender.  Authentication can be symmetric, asymmetric, or a combination of the two. 

Cryptographic security in cars is in its infancy and evidence shows that it will likely evolve over time, with symmetric authentication often being adopted initially, with asymmetric being added in later, especially as higher bandwidth buses are deployed such as Ethernet.   Symmetric authentication uses a shared secret key and is thus easier to implement, but there is a trade-off.  Shared keys must be distributed and stored beforehand.  In contrast, with asymmetric authentication there is no need to distribute and store a shared secret key.  Using shared keys presents more attack points than with asymmetric authentication, so symmetric authentication is considered relatively less secure.  Asymmetric authentication uses Public Key Cryptography, which allows a public key to be transmitted in the clear and used to perform authentication via algorithms that can mathematically prove that the sender is authentic.  Asymmetric authentication works because the sender’s private key (which is securely stored, never shared, and only signs messages) cannot be derived from knowing the public key. This discretion is made possible by the type of special mathematics and algorithms used to generate the private and public key pair that is used to sign and verify the message. 

  

With asymmetric authentication, a chain of trust between sensors, ECUs, gateways, domain/area controllers, and other nodes can be established.  That chain ultimately links back to a trusted device called a trust anchor. All nodes on the chain of trust authenticate the next node using sign-verify algorithms, so if the trust anchor is trusted, then all the nodes on the chain can also be trusted, without storing a pre-shared secret key.  This increases both security and manufacturing flexibility, which are two very important values for the automotive industry.

Both symmetric and asymmetric methods will require some type of personalization, and that must happen in a secure way at every step in the supply chain including at OEM factories, Tier 1 and Tier 2 suppliers, distributors, dealers, and aftermarket suppliers.

AMS is powerful because it assures visibility at every step in the supply chain (and is easy to implement).   

AMS enables device manufacturers and silicon foundries to:

1.     Improve the management and control of electronic serial numbers

2.     Securely inject cryptographic keys into devices

3.     Use keys and IDs for feature selection

4.     Fight cloning and counterfeiting

5.     Track yield data 

Security and control is gained by serializing (tagging) individual silicon chips with cryptographic identities.  Those tagged dice can be tracked throughout the production process as they pass across multiple outsourced contractors. AMS ensures all the touch points can be easily secured.

Secure appliances being deployed at remote sites enables visibility and control.

The diagram shows that the AMS Controller is secured in the operations headquarters. 

AMS Appliances operate in the outsourced manufacturing sites. AMS Appliances communicate with the local automated test equipment (ATE) in the production facilities. 

The AMS Agent runs inside the manufacturing test program installed in the ATEs at the manufacturing sites.

The Asset Control Core is an optional IP block built into an ASIC chip (or FPGA), which acts as a feature and key lockbox. Adding the Asset Control Core and provisioning it via the AMS system provides an extremely high level of end-to-end manufacturing and feature provisioning security.  AMS also works with a wide range of key storage methods beyond ACC, of course.

Using AMS provides many benefits to manufacturers across automotive, IoT, and other segments as noted in the chart. 

AMS anchors trust by guaranteeing that devices are secure at every step in the supply chain, and that is where end-to-end security starts.