That one definitely needs a battery replacement.
Agree. But in peripherals. Which is pretty much the whole car, the certs are distributed. It’s the only what you can boot a car in under a second. If it is a big tree, it takes too long to boot.
That's precisely the problem with edge, "things" or peripherals - they are self-sufficient/reliant, in that their state includes all they need to establish trust, or authenticate themselves. Which means, in turn, that the only defense against an attacker with possession is physical/anti-tampering (and obfuscation); a determined entrepreneur could, in principle, make the car accept whichever changes, modules etc. The risk of bricking is substantial, though, and that itself is a deterrent.
This has been really interesting. I build network controllers and it self certifies the code. It’s a fair amount of HW and technology to do it. I never really thought about the ramifications of doing it in a system this big.
Excellent. We haven’t bored the pants off everybody! These are certs that bind the various optional SW pieces to the root of trust cert in the pcm. We were talking about the many other root of trust certs that we think exist in other processors in the car. One in each of those sealed boxes for the chargers, inverters, drive by wire, etc.
Who's bored? In fact, I think I'll CC @whitex just to make sure he hasn't missed this thread.
In a perfect world, yes.Who's bored? In fact, I think I'll CC @whitex just to make sure he hasn't missed this thread.
@OTPSkipper you also wrote: "how many mutable code processing systems do you think a Taycan has?"
I've no idea, but I assume it's in the dozens; in fact, I'd expect the car to have a full "digital twin", with every non-trivial subassembly (as in having a more-than-binary state) to be modeled in software, possibly run code, and likely to have its own identity (the examples you gave above are what I had in mind as well). I'd further expect the car to run 3-4 different "machines" - own OS/core, running independently/on dedicated CPU and bus, and - for our purposes - acting as security boundaries. (In fact, there is very likely a per-car PKI.) The "user experience machine" would not have any privileges in the "running systems machine", there's probably a "system" machine correlating/observing the car's operation, and acting as the trust authority.
So they'd have the means to lock it down tight, to the point where you couldn't, for example, install a Panamera/EMEA-market window regulator. But that'd make servicing extremely difficult, so some degree of intentional relaxation of trust is no doubt traded off for repairability. That is, the car's TA would "know" that a module injected in the system, whether it's code or hardware, is not the original one, and might even know if it's 1P or 3P. But it would have to tolerate it, and I'm guessing that's done simply by registering a key id (which itself would be a highly privileged operation). It's entirely possible that this degree of tolerance varies by component - for instance, I can accept a Panamera/other-market window regulator, but not a motor/battery.
You're definitely right in that refurbishing OE components would be much easier. I was more or less poking at the claim that the car's security would be impenetrable - it's just very difficult to defend against possession, especially in systems that can't afford to enforce strict integrity.
Meh. When you build something, everything has a cost so it's all about trade-offs. If Porsche bought themselves 5-8 years, job well done.
What we do in the controllers is put the FW hash residual in an immutable register that anyone can see. That is how the version and signing can be verified by a central authority. Is that what you mean by key id?
agree.
Indeed! Preferably with superior next-generation cells if those would be compatible in terms of form factor and with the support wiring and systems around it...
I think these ota update cars are a new level of security. Not in the security technology, but in the shear volume of secrets that must be hacked to do 3rd party development. Not sure it will be anything like ice car curve for 3rd party development we are used to. It’s going to be interesting.
Are you saying the Taycan is a cloud product now? If what you are saying is true, if your car is prevented from internet access (say after 3 free years you choose to not pay the monthly connectivity), the certificates even for included features will expire and the car will not be able to renew them, so all features will stop working. Did I understand you correctly?
