
Browsing and Over-the-Air Updates peacefully united

Electronic systems such as the anti-lock braking system in a modern car can take control of critical mechanisms such as the steering and braking gear. This significantly increases functional safety during vehicle operation, but at the same time creates the risk of unauthorized access. Consequently, the functional safety of a vehicle must be supported by IT security measures. Real-time applications require deterministic response times, which can only be achieved with an underlying real-time operating system.

Turnkey-ready Development Platform and secure Gateway for Automotive Connectivity

With the Secure Automotive Connectivity Platform (SACoP), SYSGO has developed a fully integrated software framework for the secure data exchange of connected vehicles. This covers vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2X) communication as well as communication inside the vehicle. The platform provides information Security by protecting data transfer through strict encapsulation and separation of all communication channels. This partitioning is complemented by a secure boot process, an integrated intrusion detection system and a firewall.

The platform uses the hypervisor technology of SYSGO's PikeOS real-time operating system (RTOS), which allows critical and non-critical infrastructures to run simultaneously on one system. Through its resource and time partitioning, PikeOS meets all essential determinism and real-time requirements and thus provides the basis for building functionally safe systems. PikeOS can also safely and securely virtualize anything from small programs up to entire operating systems in separate partitions. As a Type-1 hypervisor, PikeOS runs directly on the embedded hardware, so the overall system loses as little performance as possible to virtualization. In addition, PikeOS supports certifiable multicore designs.

By combining real-time capability and hypervisor functionality in PikeOS to run applications in strictly separated partitions, Safety-critical applications in particular can be executed undisturbed within a specified time frame. The platform is pre-certified with separation kernel version 4.2.3 (build S5577) according to the Common Criteria EAL3+ Safety standard and the ISO 26262 Safety standard for the automotive industry, and is certifiable up to ASIL-D. This means that only one hardware system is required when planning the software architecture, which reduces development and production costs and accelerates time to market. The platform provides a flexible software framework that helps customers design a software architecture with secure communication and updates.

The gateway, which supports various protocols (4G/5G), enables a wide range of applications, such as over-the-air updates without a visit to an authorized garage, V2X communication, connectivity to the cloud backend or the upload of maintenance data. Software and firmware components of the entire system are updated over a secure channel using FIPS-certified Transport Layer Security (TLS). All update files are digitally signed so that manipulation is reliably detected and rejected.

Internally, a WLAN hotspot set up for passengers is protected by the platform's firewall. The vehicle's internal network (Ethernet, CAN) is separated and can only be accessed via secure and monitored channels. The gateway supports Virtual Local Area Networks (VLAN).

Security in Focus

The platform uses a secure boot mechanism. Cryptographic protection extends to storage: executable binaries and configuration files are also digitally signed and stored on a secure Certified File System (CFS). The gateway's Network Intrusion Detection System (IDS) resides in a separate partition that monitors network traffic. Isolating different applications in individual partitions not only increases Security, but also simplifies license management.
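The signed update files mentioned under the gateway description and the signed binaries and configuration files described in this section rely on the same defensive check: the gateway must verify a signature under a trusted vendor public key before an artifact is installed or executed, and the signature must cover the artifact's content, not just its metadata. The following Go program is an added illustration of that check and is not SYSGO's or SACoP's code; the manifest layout, the choice of Ed25519, the function names and the sample payload are all assumptions made for this example, and the page does not state which signature scheme the platform actually uses.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// UpdatePackage is a hypothetical layout for a signed artifact: the payload
// (firmware image, executable or configuration file), a short manifest that
// records the payload's SHA-256 digest, and an Ed25519 signature over the
// manifest. Constructed for this example; not SACoP's real format.
type UpdatePackage struct {
	Manifest  []byte // "version=<v>;sha256=<hex digest of Payload>"
	Signature []byte // Ed25519 signature over Manifest
	Payload   []byte
}

var (
	ErrBadSignature    = errors.New("manifest signature does not verify under the vendor key")
	ErrPayloadMismatch = errors.New("payload digest does not match the signed manifest")
	ErrBadManifest     = errors.New("manifest is malformed")
)

// NewVendorKey generates the vendor's signing key pair. In a real deployment
// the private key stays offline; only the public key is provisioned on the gateway.
func NewVendorKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// buildManifest binds the payload to the manifest through its SHA-256 digest,
// so that signing the manifest also commits to the payload bytes.
func buildManifest(version string, payload []byte) []byte {
	sum := sha256.Sum256(payload)
	return []byte("version=" + version + ";sha256=" + hex.EncodeToString(sum[:]))
}

// SignUpdate is the vendor-side step performed before a package is published.
func SignUpdate(priv ed25519.PrivateKey, version string, payload []byte) UpdatePackage {
	m := buildManifest(version, payload)
	return UpdatePackage{
		Manifest:  m,
		Signature: ed25519.Sign(priv, m),
		Payload:   append([]byte(nil), payload...),
	}
}

// manifestDigest extracts the hex digest recorded in a manifest.
func manifestDigest(manifest []byte) (string, error) {
	for _, field := range strings.Split(string(manifest), ";") {
		if strings.HasPrefix(field, "sha256=") {
			return strings.TrimPrefix(field, "sha256="), nil
		}
	}
	return "", ErrBadManifest
}

// VerifyUpdate is the gateway-side check that must pass before anything is
// installed or executed:
//  1. the manifest must carry a valid signature from the trusted vendor key;
//  2. the payload must hash to the digest recorded in that manifest.
// The signature is checked first so that an untrusted manifest is never used
// to describe its own payload.
func VerifyUpdate(pub ed25519.PublicKey, pkg UpdatePackage) error {
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) {
		return ErrBadSignature
	}
	want, err := manifestDigest(pkg.Manifest)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(pkg.Payload)
	if hex.EncodeToString(sum[:]) != want {
		return ErrPayloadMismatch
	}
	return nil
}

func main() {
	pub, priv, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	pkg := SignUpdate(priv, "2.1.0", []byte("constructed firmware image"))
	fmt.Println("genuine package:", VerifyUpdate(pub, pkg))

	// Tampered payload: the signed digest no longer matches the bytes.
	t := pkg
	t.Payload = append([]byte(nil), pkg.Payload...)
	t.Payload[0] ^= 0xff
	fmt.Println("tampered payload:", VerifyUpdate(pub, t))

	// Tampered manifest (for instance a version rollback): the signature breaks.
	t = pkg
	t.Manifest = []byte(strings.Replace(string(pkg.Manifest), "2.1.0", "1.0.0", 1))
	fmt.Println("tampered manifest:", VerifyUpdate(pub, t))
}
```

The same two-step check applies equally to a secure-boot chain that validates signed executables and configuration files from the file system before loading them: the verifier holds only the public key, the order of checks prevents an unsigned manifest from vouching for a payload, and a package is rejected on either a bad signature or a digest mismatch rather than partially applied.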

One of the great advantages of virtualization is that new functions can be added not only with a model change, but also to vehicles already in use. The list of desired functions grows from year to year, and it usually requires combining existing software components with completely new and sometimes incompatible APIs (Application Programming Interfaces). Maintaining a stable software base while still being able to follow end-user requests is a challenge, and this is where virtualization comes into play. The SACoP connectivity platform is easily expandable by adding any number of partitions with guest operating systems without compromising Safety and Security. The platform supports the integration of different guest systems with additional applications, including PikeOS native, POSIX, Linux (generic, via hardware virtualization), AGL (Automotive Grade Linux) and ELinOS, SYSGO's robust embedded Linux distribution.

Development and Configuration Tools

Embedded application development for a partitioned system requires a powerful cross toolchain: well-designed and easy-to-use configuration tools, remote debugging with OS awareness (thread states, virtual address mappings, etc.), remote application deployment and timing analysis tools. With the Eclipse-based development environment CODEO, SYSGO provides an integrated development environment (IDE) for embedded systems that already enjoys wide acceptance among developers because of its Eclipse basis and covers the entire development cycle, from early simulation and emulation tools to software update mechanisms for deployed systems.

A typical implementation of the SACoP platform consists, for example, of an ST Telemaco3P processor and an R-CAR H3 board from Renesas. The Renesas board implements a digital cockpit display based on Automotive Grade Linux (AGL) and an in-vehicle infotainment (IVI) system. The Telemaco3P processor is the hardware basis for the secure gateway that connects to the outside world; it also provides Internet access to passengers' tablets and smartphones. The software is based on PikeOS together with ELinOS, SYSGO's robust, long-term supported and automotive-grade Linux distribution.
