EB zentur

Embedded Security Solutions for Software Infrastructure

Safeguarding your software infrastructure. Protecting vehicles from unauthorized access is critical, but doing so is not enough. As we have seen in other industries, as security measures increase, hackers' cracking techniques upgrade as well. Hardware Security Modules (HSMs) in vehicles help establish a secure platform that prevents unauthorized intruders from accessing key material and software. EB zentur is a performance- and resource-optimized solution for HSMs that can access cryptographic hardware accelerators or provide software implementation methods for selected algorithms. It can be integrated into various operating systems.

EB zentur Embedded Security HSM

Product Overview and Core Advantages

EB zentur is a microcontroller-specific software infrastructure optimized for performance and resources for automotive Hardware Security Modules (HSM) and Secure Hardware Extensions (SHE). By abstracting the underlying cryptographic hardware accelerators, it establishes a Hardware Trust Anchor for the host core Basic Software to prevent unauthorized access.

hardware

Highly Flexible Hardware Selection

Completely abstracts chip cryptographic calculations, seamlessly integrating into the AUTOSAR 4.3 CSM basic software environment.

verified_user

Hardware Trust Anchor and Security Protection

Monitors the host core, supporting Host Secure Boot and firmware updates, ensuring the integrity of the software throughout its lifecycle.

speed

High-Performance Hardware Acceleration

Deeply invokes chip hardware accelerators to achieve parallel high-density cryptographic calculations like AES-128 and ECDSA.

Cybersecurity Compliance Statement

Complies with High Standards for Automotive Cybersecurity: ISO/SAE 21434

During 'Out-of-Context Development', the EB zentur product line has strictly considered and covered the core clauses of ISO/SAE 21434:2021, including: Organizational Cybersecurity Management (Clause 5), Project-Dependent Cybersecurity Management (Clause 6), Distributed Cybersecurity Activities (Clause 7), Continual Cybersecurity Activities (Clause 8), Concept Phase (Clause 9), Product Development (Clause 10), Operations and Maintenance (Clause 13), and Methods for Risk Assessment (Clause 15).

Note:Integration Validation (Clause 11) and Production Line Assembly (Clause 12) are performed at a higher system level by the system integration client.

Deep Dive into Three Embedded Security Solution Modules

memory

Module 1: EB zentur HSM Firmware

Complete Secure Firmware Stack

Provides a resource-optimized performance solution for Hardware Security Modules (HSM), with the following core technical details:

Technical Scope Supported Specifications & Details (Based on Evita / Basic Versions)
Hardware Acceleration Algorithms

Symmetric Encryption/Decryption:AES-128 (supports ECB, CBC modes)

Message Authentication Code (MAC):CMAC (based on AES-128)

Digital Signatures:ECDSA (uses NIST chip acceleration curve P-256 / secp256r1)

Hashing and Random Numbers:SHA2-256 hash generation; 128-bit Pseudo-Random Number Generator (PRNG), seeded by a True Random Number Generator (TRNG) with seed expansion.

Pure Software Implementation Algorithms

Digital Signature Verification:Supports Ed25519ph curve, RSASSA-PSS, RSASSA-PKCS1-v1_5.

Digital Signature Generation:Supports Ed25519ph curve, RSASSA-PKCS1-v1_5.

Lightweight MAC:Supports SipHash-2-4 and SipHash-4-8 families.

Key Management

Symmetric Keys:Supports 1 Secret Key, 1 Master ECU Key, 1 Boot MAC Key, 1 RAM Key, and 20 to 50 NvM flash memory key slots (depending on the chip).

Asymmetric Keys:Maximum storage space of 800 bytes (1200 bytes for RSA), including ECDSA/EdDSA private and public keys, RSA private and public keys.

Powerful Management Functions:Supports plaintext loading of RAM Key, ciphertext container loading (compliant with SHE v1.1 M1-M3 specs), and exporting RAM Key as a ciphertext container.

Certificate Management

Establishes a Chain of Trust to verify signatures.

Supported Formats:X.509v3 ITU-T X.690 DER certificates, OTC-CVC Profile v1.0 format.

Maximum Capacity:Can store up to 9 ECC certificates or 4 RSA certificates, with a maximum chain depth of 3 levels.

Advanced Security Features

Secure Boot:Ensures the integrity of host application software; wherein BOOT_MAC Features overwrite protection against external HSM writes (more secure than traditional SHE specifications).

Firmware Update:Supports in-field signature verification updates and anomalous rollback mechanisms.

Life Cycle Management:Provides private key and root certificate locking to prevent unauthorized updates.

Parallel Flash Memory Operation:Supports concurrent PFlash operations with the host.

developer_board

Module 2: EB zentur Crypto Driver

Hardware-Specific MCAL Crypto Driver

This is specifically designed for ACG9 (AutoCore Generic 9) hardware-related MCAL drivers developed for the environment:

  • check_circle AUTOSAR 4.3 Specification Compliant:Implemented based on the AUTOSAR 4.3 Crypto Driver specification, specifically providing an access interface to the underlying cryptographic hardware for ACG9 CSM.
  • check_circle Communication Encapsulation Abstraction:If coexisting with HSM firmware, it is invoked via the HSM Bridge; if it is pure SHE hardware, it directly controls the SHE registers.
  • check_circle Multiple Operation Modes:Supports both the Streaming Approach and Single Calls. Features synchronous and asynchronous operation modes.
  • check_circle Built-in Priority Queue:Automatically sorts and schedules incoming cryptographic jobs based on task priority levels.
  • check_circle Seamless Tool Integration:Fully compatible with the EB tresos Studio for ACG9 configuration tool, providing fully graphical ECU driver configuration.
extension

Module 3: EB zentur CryShe

Secure Hardware Extension Driver Software

  • check_circle Perfectly compatible with the SHE (Secure Hardware Extension) functional specification v1.1 (rev 439).
  • check_circle Implements SHE+ Extension Requirements:In addition to the standard 10 standard key slots, it extends support to 20 general-purpose key slots (SHE+ Extended Keys).
  • check_circle Verify-only Flag:Supports key attribute settings. Once this Flag is enabled, the key is strictly limited and can only be used for MAC code Verification, not for generation, preventing the key from being repurposed.
  • check_circle Fully compatible with EB tresos Studio, it can be flexibly combined with other Elektrobit software libraries.

System Requirements and Custom OEM Extensions

computer Environment and Hardware Configuration Requirements (EB tresos Studio)

dns
Operating System

Windows 10 LTSC (64-bit) / Linux Ubuntu 16.04 LTS (CLI mode only).

memory
Basic Hardware Requirements

Dual-core processor (Quad-core recommended), 2 GB RAM (8 GB recommended), requires a network connection or USB port for network/dongle licensing.

directions_car Specific OEM Customization Support (VW Extension Case)

  • verified EB zentur HSM Firmware additionally provides Volkswagen Security Requirements exclusive OEM extension packages (Evita OEM extension - VW)。
  • verified This extension package fully supports the VKMS 2.1 (Volkswagen Key Management System) specification and VW HSM v1.4 features, supports the DLC version 2 format, and includes pre-defined default VKMS key sets (such as VKMS_KEY_ID_PSS128, VKMS_KEY_ID_AES128_01 etc.).

Supported Hardware Platforms Comparison Table

Hardware Platform Specific Derivative Bundled Hardware Security Package Version Default Compiler Version
Infineon TriCore 2xx TC23x, TC27x, TC29x Basic Package (Supports standard SHE 1.1 / SHE+ / Host Secure Boot) TASKING_TriCore-v6.2r2p4
Infineon TriCore 3xx TC37x Evita Package (Enhances asymmetric encryption, certificate management, HSM Secure Boot, and firmware updates) TASKING_TriCore-v6.2r2p4
Infineon TriCore 3xx TC38x, TC39x Evita OEM Extension - VW Package (Fully includes Evita features and fully complies with VW VKMS 2.1 specifications) TASKING_TriCore-v6.2r2p4