Hello,
I'm planing to develop an ISO26262-compliant module to achieve ASIL-B and also need cyber security.
I see from the AURIX safety manual (page 18, V1.5) that HSM is non-safety part.
I'm a bit puzzled about this. For example, CAN FD encrypted communication (AP32330). From Fig 11 we can see the bare data is sent to HSM to generate encrypted data, then it go to can module to send out.
I'm wondering if HSM has sorts of fault, generate an incorrect encrypted data. The data is loaded into CAN FD frame with CRC and sent out.Then the receiver could trust this data since the CRC in CAN FD protocol is correct. This could cause a safety goal violation.
Unlike CRC, I suppose e.g. AES in HSM will not generate redundant bits which can be used to check data integrity.
So it seems the HSM module should be safety related and need diagnostic during run time?
Could you tell me what is the mitigation?
