Next-generation MachXO3D FPGA makes cars safer

We live in a highly connected world that is vulnerable to cyberattacks from a variety of sources. In 2018 alone, hardware attacks exposed more than 3 billion systems to data theft, illegal operations, and other security risks1.

In the automotive field, today's smart connected cars have exacerbated such safety issues. If a cyber attack causes a car to lose control, it will not only cause harm to the people in the target vehicle, but is also likely to endanger nearby vehicles, pedestrians and property.

As a result, automotive designers and manufacturers are scrambling to find ways to make their systems safer. As this article shows, one solution is to use MachXO3D™ FPGAs from Lattice Semiconductor.

The era of vintage cars is over

The automotive market is constantly evolving, and the changes in recent years have been particularly dramatic and rapid.

Computing devices, primarily microprocessor units ( MPUs ) and microcontroller units ( MCUs ), began to be used in automobiles in the late 1970s and 1980s. Initially, these chips were used for complex engine control systems and were only found in high-end vehicles. By the mid-1990s, all cars had processors to monitor sensors, control the engine, and manage the interaction between various vehicle systems.

By 2020, an average car will have about 50 computing units, while a high-end car will have more than 100. Today's cars are not only equipped with GPS, Bluetooth, Wi-Fi, mobile data communications, but also have high-end safety systems such as lane departure and collision warning. Many automotive applications use sensor aggregation to implement radar, lidar, and machine vision systems with artificial intelligence and machine learning capabilities. Some cars can also park at the touch of a button, and there are more and more such functions.

There is a lot of interest in electric cars. The world's major automakers are investing heavily in electric cars. There is also a lot of enthusiasm for hydrogen fuel cell cars, with at least three such models on the market and several companies developing new models.

Not feeling safe enough?

In addition to having 50-100+ computing units, today’s cars are increasingly connected to the outside world. In this context, “connected” means that the vehicle can communicate bidirectionally with other systems outside of itself. This allows the vehicle to share network connections and data with devices inside and outside of it.

GM was the first automaker to bring connected features to market, launching the OnStar system in 1996. Remote diagnostics followed in 2001. In 2003, connected car services included vehicle health reports, turn-by-turn navigation, and web access devices. Telematics services followed in 2007. And in 2017, fleet operators began to see the first deployments of predictive intelligence capabilities.

In the context of software, “attack surface” refers to the sum of all entry points through which an unauthorized user can enter data or extract data from the environment. The problem is that connected cars with 50-100+ computing units present a large attack surface for hackers and malicious attackers.

According to the National Institute of Standards and Technology, a key consideration for security solutions is establishing a root of trust:

Modern computing devices consist of various hardware, firmware, and software components at multiple levels of abstraction. Currently, many security and protection mechanisms are rooted in software, and the software and all underlying components must be reliable to ensure security. Because the security mechanisms rely on these components, any vulnerability in the components may compromise the reliability of these mechanisms. Security can be further guaranteed by basing security mechanisms on a root of trust. A root of trust is a highly reliable hardware, firmware, and software component that can perform specific, critical security functions. Because the roots of trust themselves are trusted, they must be secure by design. Many roots of trust are implemented in hardware, so malicious software cannot tamper with the functions they provide. The root of trust provides a solid foundation for establishing security and trust.

Unprotected systems can lead to data and design theft, product cloning, and overproduction. Worse, systems without adequate security features are vulnerable to device tampering and hijacking.

There are only a few FPGA vendors on the market, and most of them focus on providing devices with a lot of resources, functions, and high performance. These devices are mainly used in large communication infrastructure, server farms, and data centers. In contrast, Lattice Semiconductor is the only vendor that focuses on small and medium-sized FPGAs, which are very suitable for many automotive applications. In addition, Lattice also provides the only FPGA on the market with less than 10K lookup tables and a NIST-certified, unchangeable security engine.

MachXO3 FPGA Family FPGA Introduction

Lattice offers a wide range of FPGA technologies. One FPGA that is well suited for deployment in automotive applications is the MachXO family.

The first generation of the MachXO family was launched in 2005. The MachXO2/ZE™ family was introduced in 2010, followed by the MachXO3L/LF™ in 2013 and the MachXO3D™ family in 2019. Throughout the product evolution, each new generation not only inherits the features of the previous generation that were designed for customer needs, but also expands resources and capabilities.

Similar to previous generations of MachXO FPGA products, MachXO3™ devices have low power consumption, a large number of LUT resources, and a large number of input/output (I/O). In addition, the device also supports instant startup and hot-swap functions, has a background programmable internal flash configuration memory, and supports field logic updates. Therefore, MachXO3 devices are ideal for bonding logic, bus bridging, bus interface, motor control, power-on control, and other types of control logic applications. In addition, because MachXO3 FPGAs have hundreds of I/Os, they are also very suitable for various applications that require general-purpose I/O expansion, interface bridging, and power-on management functions.

Figure 1. The MachXO3 FPGA takes control of the platform and is the first device to power up and the last to power down in the system.

The MachXO3LF series of devices has up to 9400 LUTs and 384 I/Os, providing a variety of functions required for various design scenarios. This series of devices can be selected with 3.3/2.5 V or low-power 1.2 V cores, provide multiple I/O banks (up to 6), support hot plugging and various signal standards and voltages, and program each pin. The extended temperature (junction temperature) range of -40°C to +125°C can cope with harsh automotive environments, and AEC-Q100 Grade 2 certification ensures that the device meets existing automotive quality industry standards.

In addition to providing Flash-based configuration memory, the MachXO3LF family also provides up to 448 Kb of User Flash Memory (UFM). In addition, at power-up, the configuration data is copied from the Flash configuration memory into SRAM-based configuration cells (not to be confused with the storage blocks for the user SRAM memory). This operation is performed in a massively parallel manner and can be completed in less than 5 milliseconds. The huge advantage of this approach is that the device can continue to operate using its SRAM-based configuration while the new configuration is loaded into the Flash configuration memory. After the new configuration has been loaded, the device operation can be halted under program control, the outputs locked, the new configuration copied into the SRAM configuration cells, and then the device released to continue operation. .

As process technology continues to develop, the structure of integrated circuits is getting smaller and smaller, and a common problem affecting all electronic devices today is radiation. A common effect caused by radiation is single event upset (SEU), that is, high-energy radioactive particles hit sensitive nodes in the circuit, thereby changing its state. For example, a register bit or storage cell flips from 0 to 1 or from 1 to 0. Since SEU can be corrected, it is considered a "soft error". Because FPGA has configuration units, its SEU problem cannot be underestimated.

Safety performance in automotive applications is undoubtedly critical. To combat radiation effects and electrically noisy environments such as those found in automobiles, the MachXO3LF family supports soft error detection (SED), soft error correction (SEC), and soft error injection (SEI).

Figure 2. Simplified block diagram of the MachXO3LF showing the soft error detection and correction process.

The SED module is a hard core built on the chip that calculates the cyclic redundancy check (CRC) of the SRAM configuration bits, compares the calculated CRC with the existing CRC associated with the current configuration, and flags an error when a mismatch occurs. The SEC soft core implemented in the programmable logic responds to the flag and triggers the background reconfiguration core to call the initial configuration stored in the configuration flash to update the SRAM configuration cells (reconfiguration does not interrupt any unaffected processes).

Finally, the user can use the SEI feature to emulate soft error events by injecting errors directly into the target SRAM configuration cells via JTAG, I2C, or SPI without modifying the CRC.

MachXO3D FPGA  Family Overview

The automotive industry is currently adopting security strategies similar to those of the server industry, including supply chain security, secure boot (ensuring that the code started by the firmware is trusted), and Platform Firmware Recovery (PFR).

As mentioned earlier, MachXO3LF automotive FPGAs are industry-leading programmable logic devices that enable flexible deployment of reliable automotive applications. MachXO3D automotive devices not only significantly increase flash memory capacity (up to 2693 Kb UFM), but also add hardware security features to bring NIST-compliant security performance to automotive systems. In fact, MachXO3D is the only device under 10K LUTs with a NIST-certified, unchangeable security engine.