Many systems and features in a motor vehicle are controlled by processors, i.e., microprocessors, microcontrollers and digital signal processors, each of which executes program instructions stored in non-transitory memory devices that are coupled to the processors by a bus. (As used herein, the term “bus” refers to a set of electrically-parallel conductors that form a main transmission path between a processor and devices peripheral to the processor, including non-transitory memory devices.) Such memory devices can be located away from a processor while other non-transitory memory devices storing program instructions are resident on the same silicon die as the processor that executes the instructions.
When program instructions are changed, the processor executing the program will change the function or system that it controls accordingly. It is thus possible to change the operating characteristics of a vehicle simply by changing the program instructions executed by a processor that controls a vehicle function or system. It thus becomes important for vehicle manufacturers to maintain the integrity or authenticity of a program that controls a vehicle function. Stated another way, it is important for a vehicle manufacturer to prevent the execution or use of unauthorized modifications of the software that controls the processors within a vehicle.
Some processors that provide critical functions within a vehicle need to perform a program authenticity check in order to ensure that the processor's program has not been modified improperly, i.e., is not unauthorized (by the manufacturer). In order to quickly check a program's authenticity, some processors use a dedicated security element, which can be either external to the processor, i.e., on a different silicon die, or “internal” to the processor, i.e., on the same silicon die, an example of which would be an integrated circuit having multiple processors on the same silicon die. Regardless of where the security element might be located, it is configured (programmed) by the vehicle's manufacturer to confirm or verify the authenticity of the program executed by an associated processor.
Using a security element to verify the authenticity of a processor's program presents at least two challenges. First, the communication between a processor and a security element should not allow someone to read program instructions that might be exchanged between a processor and its associated security element during a verification process. Second, the processors used in a vehicle must start quickly. Since an authenticity check is often performed when a processor starts running, a program authenticity check must be performed quickly. In view of those two challenges, an apparatus and method to quickly authenticate the software or program executed by a vehicle processor, and either inhibit the processor executing an unauthorized program or notify a vehicle operator, would be an improvement over the prior art.