cross mob
I'm planning to develop an ISO 26262-compliant module to achieve ASIL-B and also need cyber security.

I see from the AURIX safety manual (page 18, V1.5) that the HSM is a non-safety part.
I'm a bit puzzled about this. For example, CAN FD encrypted communication (AP32330). From Fig 11 we can see the bare data is sent to the HSM to generate encrypted data, then it goes to the CAN module to be sent out.
I'm wondering what happens if the HSM has some sort of fault and generates incorrect encrypted data. The data is loaded into a CAN FD frame with CRC and sent out. Then the receiver could trust this data since the CRC in the CAN FD protocol is correct. This could cause a safety goal violation.
Unlike CRC, I suppose e.g. AES in the HSM will not generate redundant bits which can be used to check data integrity.
So it seems the HSM module should be safety related and needs diagnostics during run time?
Could you tell me what is the mitigation?
2 Replies
The argument is generally that if an error were to occur in the HSM, the odds of incorrectly authenticating an incoming message are very very small. Similarly, for outgoing messages, any errors would be rejected by the (remote) receiving side.

Thanks for the reply.

I think you are correct when considering authentication, e.g. by generating MAC.

But what about encryption? The original data could be corrupted, if the HSM is not safety related.
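The distinction raised in this thread, encryption alone versus an integrity check over the plaintext, can be simulated end to end. The following is an added example written for this page, not code from Infineon, AP32330 or the AURIX HSM: the cipher is a hash-based counter-mode stand-in for AES, crc32 stands in for the CAN FD CRC, and `fault_bit` models an undetected internal HSM fault that corrupts the ciphertext. With encryption only, the CAN CRC is computed over the already-wrong ciphertext and the receiver silently accepts corrupted plaintext; with an end-to-end tag computed over the plaintext independently of the encryption path (the assumed mitigation), the same fault is rejected.

```python
import hashlib
import hmac
import zlib
KEY = b"\x01" * 16      # constructed demo key (not a real secret)
MAC_KEY = b"\x02" * 16  # constructed demo key for the end-to-end check
NONCE = b"\x00" * 8     # constructed; a real system uses a fresh counter/IV per frame

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from a hash PRF: a stand-in for the HSM's AES."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def xor_crypt(data: bytes, nonce: bytes) -> bytes:
    """Stream encryption/decryption (same XOR operation in both directions)."""
    return bytes(d ^ k for d, k in zip(data, keystream(KEY, nonce, len(data))))

def hsm_encrypt(plaintext: bytes, nonce: bytes, fault_bit=None) -> bytes:
    """Simulated HSM. fault_bit flips one bit of the ciphertext to model an
    internal fault that the HSM itself neither detects nor reports."""
    ct = bytearray(xor_crypt(plaintext, nonce))
    if fault_bit is not None:
        ct[fault_bit // 8] ^= 1 << (fault_bit % 8)
    return bytes(ct)

def can_frame(payload: bytes) -> bytes:
    """CAN-layer CRC (crc32 stand-in) covers whatever the HSM produced, so it cannot
    notice that the ciphertext is already wrong."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def e2e_tag(plaintext: bytes) -> bytes:
    """End-to-end check over the plaintext, computed independently of the HSM."""
    return hmac.new(MAC_KEY, plaintext, hashlib.sha256).digest()

def receive(frame: bytes, nonce: bytes, tag=None):
    payload, crc = frame[:-4], frame[-4:]
    if zlib.crc32(payload).to_bytes(4, "big") != crc:
        return "can_crc_error", None
    pt = xor_crypt(payload, nonce)
    if tag is not None and not hmac.compare_digest(e2e_tag(pt), tag):
        return "e2e_check_failed", None
    return "ok", pt

def scenario(fault_bit=None, with_e2e=False):
    """Returns (receiver status, whether the delivered plaintext is correct)."""
    pt = b"BRAKE_REQ=0x40"  # constructed sample payload
    tag = e2e_tag(pt) if with_e2e else None
    status, out = receive(can_frame(hsm_encrypt(pt, NONCE, fault_bit)), NONCE, tag)
    return status, out == pt
```

`scenario(fault_bit=3)` returns `("ok", False)`: the CAN CRC passes and the receiver acts on wrong data, which is exactly the silent failure asked about above; `scenario(fault_bit=3, with_e2e=True)` returns `("e2e_check_failed", False)`, so the fault is detected. If the same faulty HSM also computed the tag, a fault there would likewise cause rejection rather than silent corruption, which is the fail-safe behaviour the first reply describes for authentication.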