1. Field of the Invention
This invention relates generally to a system and method for replacing the public key that is part of a bootloader stored in a controller and, more particularly, to a system and method for replacing the public key that is part of a bootloader stored in a vehicle electronic control unit (ECU), where the method includes defining a key table that includes memory slots that are part of the bootloader memory flash segment, but are available to separately store replacement public keys.
2. Discussion of the Related Art
Most modern vehicles include electronic control units (ECUs), or controllers, that control the operation of vehicle systems, such as the powertrain, climate control system, infotainment system, body systems, chassis systems, and others. Such controllers require special purpose-designed software in order to perform the control functions. With the increasing number and complexity of these controllers, and the growing threat posed by developers of malicious software, it is more important than ever to authenticate the source and content of binary files that are loaded on automotive controllers. The consequences of using software that is not properly validated, or worse, maliciously-designed, in a vehicle controller include unintended behavior of the vehicle or its systems, loss of anti-theft features on the vehicle, potential tampering with components such as the odometer, and loss of other vehicle features and functions.
One known digital coding technique is referred to as asymmetric key cryptography that uses digital signatures for authenticating files that are programmed into controllers. As would be well understood by those skilled in the art, asymmetric key cryptography uses a pair of mathematically-related keys, known as a private key and a public key, to encrypt and decrypt a message. To create a digital signature, a signer uses his private key, which is known only to himself, to encrypt a message. The digital signature can later be decrypted by another party using the public key, which is paired to the signer's private key.
Flashing is a well known process for uploading software, calibration files and other applications into the memory of a vehicle ECU or other programmable device. A bootloader is an embedded software program loaded on the ECU that provides an interface between the ECU and a programming device that is flashing the software. The bootloader typically employs asymmetric key cryptography and stores a public key that must be used to decode the digital signature transferred by the programming device before allowing the ECU to execute the software or calibration.
If the public key in the bootloader is compromised or needs to be replaced for other reasons, it is desirable to provide a secure method by the appropriate service personnel to allow the key to be replaced. The bootloader generally uses only one flash segment of memory, which includes the public key, so the public key cannot be made a separately programmable calibration. Thus, if the public key needs to be replaced, the entire bootloader needs to be rewritten and replaced, which is undesirable as an interrupted operation could lead to an ECU that can no longer be programmed.