Next-generation MachXO3D FPGA makes cars safer

Publisher: SparkStar22 | Latest update time: 2020-11-02 | Keywords: MachXO3D, FPGA, MCU, MPU

 

As a hardware root of trust, the MachXO3D is the first device in the system to power on and the last to power off. Its immutable security engine implements pre-verified cryptographic functions including ECDSA, ECIES, AES, SHA, HMAC, a TRNG, a unique secure ID and public/private key generation. Together with Lattice Sentry™, Lattice's latest collection of firmware security solutions, the immutable security engine secures the product across its entire life cycle: device manufacturing and shipping, platform manufacturing, installation, operation and decommissioning. It also provides data security, device security, data verification, design security and brand protection, comprehensively countering a range of threats and keeping the system secure.

 

Figure 3. The MachXO3D secure control FPGA is the first-powered-up and last-powered-down root-of-trust programmable logic device in the system.

 

As defined in NIST SP 800-193, platform firmware protection and recovery (PFR) has three parts: protection, detection and recovery. Protection means protecting the platform firmware and critical data from corruption and ensuring that firmware updates are reliable and preserve integrity. Detection means cryptographically detecting corrupted platform firmware and critical data when the system first powers on and again during subsequent system updates. Recovery means executing a trusted recovery process that restores corrupted platform firmware and critical data to their previous state.

 

MachXO3D devices provide features such as secure dual boot that fully satisfy the PFR requirements. The MachXO3D's programmable logic, immutable security engine and secure dual-boot configuration module give designers flexibility during implementation and enable secure updates after the system is deployed. Beyond providing a hardware root of trust, using the on-chip logic also greatly reduces the attack surface exposed to cyber attacks.

 

Figure 4. MachXO3D's dual-boot capability fully meets the requirements of the NIST Platform Firmware Protection and Recovery Standard.


MachXO3D uses self-detection, self-recovery and self-protection to achieve secure real-time system updates, further meeting the NIST PFR requirements. During self-detection, the security engine authenticates the existing on-chip configuration image with the public key securely stored on the chip before booting. Self-recovery means that if authentication of a newly downloaded image fails, the security engine automatically reverts to the existing verified "golden image". During self-protection, in addition to preventing the device from configuring itself from a compromised image, the programmable logic also controls access through the programming port. The locking policy gives each flash store its own access rights, and while a new image file is in the transfer state (being loaded into the configuration flash), the security engine blocks all attacks arriving through the configuration port.
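As an added illustration (not Lattice's code or the device's firmware), the following Python models the self-detection, self-recovery and self-protection flow described above for a two-slot configuration flash; the on-chip key, the slot names and the HMAC-SHA256 tag standing in for the device's ECDSA signature check are all assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
# Constructed stand-in for the on-chip key. The real engine checks an ECDSA signature
# with a stored public key; HMAC-SHA256 is used so the example runs on the stdlib.
ONCHIP_KEY = b"constructed-onchip-key-not-a-real-value"

def sign_image(image: bytes, key: bytes = ONCHIP_KEY) -> bytes:
    """Tag a configuration image the way a trusted signer would before release."""
    return hmac.new(key, image, hashlib.sha256).digest()

@dataclass
class FlashSlot:
    image: bytes
    tag: bytes

@dataclass
class DualBootController:
    primary: FlashSlot
    golden: FlashSlot
    transfer_in_progress: bool = False  # set by the engine while a new image loads
    log: list = field(default_factory=list)

    def _authentic(self, slot: FlashSlot) -> bool:
        # Self-detection: authenticate the image before it configures the device.
        return hmac.compare_digest(sign_image(slot.image), slot.tag)

    def boot(self) -> str:
        """Return the slot that configured the device: 'primary', 'golden' or 'halt'."""
        if not self.transfer_in_progress and self._authentic(self.primary):
            return "primary"
        self.log.append("primary image unusable (failed authentication or mid-transfer)")
        # Self-recovery: fall back to the previously verified golden image.
        if self._authentic(self.golden):
            self.log.append("reverted to golden image")
            return "golden"
        self.log.append("golden image failed authentication, refusing to configure")
        return "halt"

    def config_port_write(self, target: str, image: bytes, tag: bytes) -> bool:
        """Self-protection: lock policy applied to a write arriving on the programming port."""
        if self.transfer_in_progress:
            self.log.append("port blocked: image transfer in progress")
            return False
        if target != "primary":
            self.log.append("port blocked: golden slot is not writable")
            return False
        self.primary = FlashSlot(image, tag)  # accepted; authenticated at next boot
        return True
```

The `log` list records which PFR branch was taken, which is the kind of evidence a platform monitor would want to export after a failed update.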

 

Typical application cases


Three common use cases for the MachXO3 and MachXO3D in automobiles are described below: battery management, root of trust, and hardware-based secure boot.

 

Battery Management: Most systems today, including electric vehicles, contain multiple batteries. Each battery in the pack must be charged to the proper level to preserve battery life; overcharging or undercharging shortens it.

 

The battery management system performs a variety of tasks, including preventing the battery from operating in an unsafe environment, monitoring the battery status, calculating auxiliary data, and reporting this data.


The MachXO3-based battery management system (BMS) is a controller that monitors the charging and discharging process, implements intelligent battery cell balancing, and ensures that each battery cell is charged evenly. In addition, the BMS also provides real-time battery information, such as the battery's state of charge (SOC) and state of health (SOH), thereby assisting the vehicle's application processor (AP) to provide the driver with the latest information.

 

Figure 5. Battery management system based on MachXO3

 

Implementing the BMS on a MachXO3D FPGA adds security features to the system, preventing an intrusion into the smart battery from driving the battery beyond its safety limits and causing permanent damage to, or serious failure of, the battery or the vehicle.

 

Chain of Trust/Root of Trust: A hardware root of trust is the first link in the chain of trust that protects the entire vehicle system, including all engine control units.

 

The automotive supply chain starts with component suppliers and continues through Tier 2 system developers, Tier 1 system integrators, OEM car manufacturers, distribution and transportation, dealers and end customers. Throughout this chain there are many points at which the system can be penetrated, and corrupted firmware can be loaded at any of these links.

 

Lattice SupplyGuard™ supply chain security service provides customers with factory-locked ICs that can only be programmed with a specific customer-developed, signed, encrypted configuration bitstream.

 

Figure 6. MachXO3D-based supply chain/root of trust

 

In addition, the dual-boot capability of the MachXO3D FPGA supports key encryption and a highly secure golden image that can be set by default. When the system is powered on, the instant-on MachXO3D, golden image and Lattice SupplyGuard together provide end-to-end supply chain protection.

 

Hardware-based secure boot: The MachXO3D FPGA is the first device to power up in an automotive system and the last device to power down. When the system powers up, the MachXO3D checks itself to ensure that only authenticated firmware is running. The MachXO3D also checks the associated firmware of other devices in the system.

 

Figure 7. Secure boot based on MachXO3D


The MachXO3D FPGA's hardware security configuration module complies with the NIST SP 800-193 Platform Firmware Protection and Resilience (PFR) standard, and can protect, detect and recover itself to a known-good state in the event of a malicious attack. In addition, the massively parallel processing capability of the programmable architecture lets the MachXO3D protect, detect and recover multiple platform firmware images simultaneously.

 

Conclusion


MachXO3 FPGAs’ flash-based configuration provides “instant-on” capabilities, making them the first-to-power-up, last-to-power-down devices on the platform and leading the market for system control and power management functions.

 

Safety is the top priority in automotive applications. To combat radiation effects as well as electrically noisy environments such as those found in cars, the MachXO3LF family supports soft error detection (SED), soft error correction (SEC), and soft error injection (SEI).

 

MachXO3D automotive devices not only significantly increase flash memory capacity (up to 2693 kb of UFM), but also add hardware security features that bring NIST-compliant security to automotive systems.

 

MachXO3D FPGAs enhance security with hardware root of trust capabilities. OEMs and automakers can easily implement reliable, comprehensive, and flexible hardware-based security mechanisms for all system components with MachXO3D FPGAs. MachXO3D FPGAs can protect, detect, and recover themselves and other components from unauthorized firmware access while the system is running. In addition, MachXO3D FPGAs can work with SupplyGuard services to protect systems from malicious activities at all stages of the lifecycle, from manufacturing to end-of-life.

 

Next-generation MachXO3D FPGA makes cars safer WP0027C


Beyond safety, FPGAs are ideal for implementing a wide range of advanced driver assistance systems (electronic systems that help drivers with driving and parking functions) because of their extensive parallel processing capability. Many ADAS functions require real-time response: MCUs are too slow, and custom SoC development is expensive and time-consuming. Moreover, an SoC's hardware accelerator algorithms are effectively "frozen in the chip", which is ill-suited to an era in which standards and protocols are constantly evolving. The ideal solution is an FPGA, which is highly flexible and can be reconfigured to adapt to evolving standards, protocols and functional requirements.

 

MachXO3D FPGAs provide the perfect combination of functionality and safety for today's increasingly complex and connected automotive applications.

 


