J3101-2_202511 Hardware Protected Security Environment – Trusted Application Isolation Security Models

Issued

11/17/2025

Scope
This information report identifies and evaluates isolation building blocks applicable to TA sandboxing within an HPSE. These building blocks can be used to support the SAE J3101 TA requirements for sandboxing of TAs and for secure communication between TAs. TAs must execute within their own trust domain to prevent compromise of the HPSE and of other TAs. The required strength of TA trust domain isolation may vary with the risk profile of the deployed TA, hence the requirement that the isolation building blocks match that risk profile. A multi-tenant TA HPSE has a higher risk profile than an HPSE hosting multiple TAs from the same source (e.g., the OEM). TA multitenancy must not compromise the security properties of the HPSE (the secure integration and execution of trusted multi-vendor code). In this report, we provide information on the following:
  • HPSE TA use cases and risk profiles
  • HPSE TA isolation building blocks for manufacturers
  • Threat analysis to determine the effectiveness of isolation security models
As the ECU E/E architecture continues to evolve, we must consider the following classification of ECUs and System on Chips (SoCs) for which isolation building blocks apply:
  • Application Processor Core(s)
  • Real-time Processor Core(s)
  • Microcontroller Core(s)
An ECU can be composed of a Normal Environment and a Protected Environment (the HPSE). The Normal Environment is typically separated into user and kernel privilege levels, with applications executing at the user privilege level. TAs execute only within the HPSE, and the HPSE is typically divided into user and kernel privilege levels that are orthogonal to the Normal Environment privileges. All TAs execute at the same user privilege level within the HPSE; therefore, the isolation building blocks must be implemented at a higher privilege level, such as the HPSE kernel, to ensure that the sandboxing policy can be enforced. The TAs' access to HPSE resources is restricted at load time by the sandbox policy, which operates at a higher privilege level than the TAs.
This report also differentiates between isolation methods applied within the HPSE and isolation methods applied at the ECU level when ECUs are consolidated into a domain controller or HPC, i.e., isolation abstraction.
Details
Pages
23
Citation
SAE International Information Report, Hardware Protected Security Environment – Trusted Application Isolation Security Models, SAE Standard J3101-2_202511, Issued November 2025.
Additional Details
Product Code
J3101-2_202511
Content Type
Information Report
Status
Issued
Language
English