标准摘要
[中文适用范围]: 本信息报告识别并评估适用于HPSE中TA沙盒化的隔离模块。这些模块可用于支持SAE J3101中对TA沙盒化和TA之间安全通信的要求。TA必须在其自己的信任域中执行,以防止HPSE和其他TA受到侵害。TA信任域的隔离强度可能因部署的TA风险特征而有所不同,因此需要隔离模块与风险特征相匹配。多租户TA HPSE的风险特征高于来自相同来源(例如OEM)的多个TA。TA多租户功能不得损害HPSE的安全属性(即可信多供应商代码的安全集成和执行)。在本报告中,我们提供了以下信息:HPSE TA使用案例和风险特征、HPSE TA隔离模块供制造商使用、威胁分析以确定隔离安全模型的有效性。随着ECU E/E架构的不断发展,我们必须考虑以下ECU和系统芯片(SoC)的分类,这些ECU和SoC适用隔离模块:应用处理器核心、实时处理器核心、微控制器核心。一个ECU可以由普通环境和保护环境(HPSE)组成。普通环境通常分为用户和内核特权级别,应用程序在用户特权级别执行。TA仅在HPSE中执行,HPSE通常也分为用户和内核特权级别,这与普通环境的特权级别相互独立。TA在HPSE中以相同的用户特权级别执行,因此,隔离模块必须在更高的特权级别(如HPSE内核)实现,以确保沙盒策略可以实施。TA对HPSE资源的访问在加载时受到沙盒策略的限制,该策略在比TA更高的特权级别运行。本报告还区分了在HPSE内部应用的隔离方法和在ECU级别应用的隔离方法,当ECU整合到域控制器或HPC中时,即隔离抽象。 [外文原描述]: This information report identifies and evaluates isolation building blocks applicable to TA sandboxing within a HPSE. These building blocks can be used to support SAE J3101 TA requirements for sandboxing of TAs and secure communication between TAs. TAs must execute within their own trust domain to prevent compromise of the HPSE and other TAs. TA trust domain isolation strength may vary depending on the risk profile of the TA deployed, hence the requirement for isolation building blocks to match the risk profile. A multitenancy TA HPSE has a higher risk profile than multiple TAs from the same source (e.g., OEM). TA multitenancy must not compromise the security properties of the HPSE (the secure integration and execution of trusted multi-vendor code). In this report, we provide information on the following:HPSE TA use cases and risk profilesHPSE TA isolation building blocks for manufacturersThreat analysis to determine the effectiveness of isolation security modelsAs the ECU E/E architecture continues to evolve, we must consider the following classification of ECUs and System on Chips (SoCs) for which isolation building blocks apply:Application Processor Core(s)Realtime Processor Core(s)Microcontroller Core(s)An ECU can be composed of a Normal Environment and Protected Environment (HPSE). Normal Environment is typically separated into user and kernel level privileges, with applications executing at the user privilege level. TAs only execute within the HPSE, and the HPSE is typically divided into user and kernel level privileges which are orthogonal to Normal Environment privileges. The TAs will execute at the same user privilege level within the HPSE; therefore, the isolation building blocks must be implemented at a higher privilege level, such as the HPSE kernel, to ensure that the sandboxing policy can be enforced. The TAs access to HPSE resources is restricted at load time by the sandbox policy which operates at a higher privilege level to the TAs.This report also differentiates between isolation methods which are applied within the HPSE and isolation methods applied at the ECU level when there is consolidation of ECUs into domain controller or HPC, i.e., isolation abstraction.
英文名称Hardware Protected Security Environment – Trusted Application Isolation Security Models