logo
stripes
logo
stripes

Integrity & Authenticity of Software Updates

Under UNECE R156, every software update must be protected for integrity (untampered content) and authenticity (trusted origin). This page outlines a practical chain of trust for packaging, delivery, installation, and recording, aligned with ISO 24089 engineering practices and R155 risk treatment.

Objectives

  • Ensure only authorized and untampered packages are installed.
  • Prevent rollback to vulnerable versions and block unauthorized targets.
  • Provide verifiable records for audits and incident investigations.

End-to-End Chain of Trust

  1. Build & Package – reproducible builds (where feasible), metadata/SBOM, hashes.
  2. Sign – apply approved key and signing policy; record signer identity and time.
  3. Distribute – authenticated transport; protect at rest and in transit.
  4. Verify – on-vehicle (and backend) signature verification and hash checks.
  5. Eligibility – enforce VIN/ECU targeting, dependencies, and preconditions.
  6. Anti-Rollback – monotonic version/counter checks; secure storage for state.
  7. Record – persist outcome with timestamps, versions, and cryptographic references.

Key & PKI Management

  • Root of trust: managed by OEM; keys generated and stored in HSMs; documented custody.
  • Key tiers: root/intermediate/signing keys with explicit usage and lifetimes.
  • Rotation & revocation: defined schedules and emergency procedures; CRLs/OCSP or embedded lists.
  • Access control: dual control for sensitive operations; auditable key usage logs.
  • Supplier keys: trust delegation and approval process; scope-limited certificates.

Signing Policy & Package Metadata

  • What to sign: binaries, manifests/metadata, dependency graphs, eligibility rules, SBOM.
  • Algorithms & parameters: centrally governed; track transitions (e.g., deprecations).
  • Timestamps & provenance: capture build IDs, tool versions, commit hashes.
  • Detached vs. attached signatures: choose per transport/storage constraints; document decision.

On-Vehicle Verification

  • Secure boot validates boot chain and enforces trusted loaders.
  • Pre-install checks: signature, hash, version, and dependency validation.
  • Transactional install: A/B slots or equivalent; automatic revert on failure.
  • Key material: protect trust anchors (e.g., fuses/SE/HSM); plan for anchor rotation.

Eligibility & Anti-Rollback

  • Eligibility rules: VIN/ECU whitelist, region/market, hardware rev, prerequisite versions.
  • Anti-rollback: monotonic counters or secure versioning; store state in tamper-resistant memory.
  • Downgrade exceptions: allow only with signed, explicit waiver and additional controls.

Backend & Transport Controls

  • Mutual authentication between vehicle and backend/service tools.
  • Confidentiality where required (e.g., pre-release campaigns); rate-limit and replay protection.
  • Hardening of dealer tools: attested software, access control, and audit logs.

Threat Considerations

  • Signature forgery or key compromise → HSM, dual control, rapid revocation plan.
  • Manifest tampering → sign manifests and enforce strict parsing/verification.
  • Eligibility bypass → enforce checks on both backend and vehicle; defense-in-depth.
  • Rollback attacks → non-volatile counters and signed downgrade waivers.
  • Supply chain risk → SBOMs, provenance metadata, and supplier attestations.

Assurance & Testing

  • Static/dynamic analysis of update agent and parsers; fuzz manifests and transport layers.
  • Adversarial testing of eligibility checks, rollback logic, and failure handling.
  • Key lifecycle drills: rotation/revocation exercises; signing key disaster recovery.
  • Red-team exercises on dealer tools and backend interfaces.

Typical Outputs / Evidence

  • Key management policy, PKI hierarchy, and HSM configuration/attestations.
  • Signing policy (algorithms, parameters, validity), rotation/revocation procedures.
  • Package manifests, SBOMs, signatures, hashes, and provenance records.
  • Vehicle verification specs (secure boot, eligibility, anti-rollback) and test results.
  • Transport/authentication specs for OTA and service tools; audit logs and access records.
  • Revocation events, incident links, and lessons-learned updates to the SUMS.
Disclaimer: This page summarizes integrity and authenticity expectations under UNECE R156. For authoritative requirements, consult the regulation text and your approval authority’s guidance.