Engineering scenario · Security Controls

HSM-backed secure boot and secure diagnostics for an ECU programme

Wiring an EVITA-aligned HSM into the AUTOSAR Crypto Stack so secure boot, secure flashing, and secure diagnostics share a coherent trust anchor.

An illustrative engineering scenario — the type of cybersecurity engineering workflow Agnile supports.

Problem context

Many ECU programmes pick an HSM at silicon-selection time but defer the integration design until the cybersecurity work products are due. The result is a fragile trust chain: secure boot may use one set of keys, secure flashing another, and secure diagnostics a third — all owned by different teams. The fix is a single HSM-rooted trust design that the AUTOSAR Crypto Stack consumes.

Engineering approach

  1. Select an HSM profile (EVITA Light / Medium / Full or SHE) consistent with the bus, throughput, and key-handling expectations.
  2. Define the on-vehicle key hierarchy: device identity, secure-boot root, flashing keys, SecOC keys, diagnostic auth keys, and certificate trust anchors.
  3. Configure AUTOSAR CSM, CryIf, and KeyM so application code and BSW services consume crypto via standardised interfaces, with HSM-backed channels behind the scenes.
  4. Wire secure boot at the bootloader, secure flashing into the UDS reprogramming flow (0x34/0x36/0x37), and secure diagnostics via UDS 0x29 / 0x27 against keys held in the HSM.
  5. Provision keys at end-of-line and design the field key-update flow (rotation cadence, certificate-revocation strategy, recovery on tamper detection).
  6. Verify with a per-control test plan: boot-image tamper detection, downgrade resistance, diagnostic-auth bypass attempts, fault injection.

Outputs / evidence

  • ECU trust-anchor architecture diagram (boot → flashing → SecOC → diagnostics)
  • Key hierarchy and PKI integration design
  • AUTOSAR Crypto Stack configuration (CSM / CryIf / KeyM)
  • Secure-boot specification and verification plan
  • Secure-flashing UDS sequence with authentication
  • End-of-line provisioning and field key-update procedures

Standards touched

  • ISO/SAE 21434 (Clauses 10–11)
  • AUTOSAR Classic Crypto Stack
  • EVITA HSM profiles
  • ISO 14229 UDS (0x27, 0x29, 0x34/0x36/0x37)

Where KAVACH helps

KAVACH ties each control (secure boot, secure flashing, secure diagnostics) back to the threat scenarios and attack paths it mitigates, so the cybersecurity case shows the trust anchor doing concrete work — not just listed as a checkbox.

Next step

Discuss this scenario for your programme

If a similar workflow fits your architecture, scope, or standards, we can scope an engagement against your specifics.