System & Security Design (Initial Views)
Generated: 2026-06-20. Initial system/security design derived from the agreed requirement baseline. Diagram source: architecture/system_security_design.mmd.
High-Level Block Diagram
Embedded Mermaid Diagram

```mermaid
graph TB
subgraph VEH["Vehicle / Drivetrain Environment"]
GBX["GW AMT Gearbox / Clutch"]
VNET["Vehicle Network (CAN / PWM)"]
end
subgraph ECU["ECA Control ECU"]
APP["Application Software"]
BOOT["Bootloader / Software Update Function"]
DIAG["Diagnostic Services (UDS)"]
SEC["Security Services"]
KEY["Key / Certificate Storage & Provisioning"]
end
TESTER["Diagnostic Tester"]
OEM["OEM Backend / PKI / Security Operations"]
SUP["Supplier Development / Evidence Environment"]
GBX --- APP
VNET --- APP
VNET --- DIAG
TESTER --- DIAG
DIAG --- SEC
BOOT --- SEC
APP --- SEC
SEC --- KEY
OEM -. update / PKI / SecOps .-> BOOT
OEM -. key provisioning .-> KEY
SUP -. evidence / release .-> APP
classDef oem fill:#fdecea,stroke:#b03a2e;
classDef sup fill:#eafaf1,stroke:#1e8449;
class OEM oem;
class SUP sup;
```
Interface Table
| Interface | Description | Trust Boundary | Security Treatment |
| --- | --- | --- | --- |
| Vehicle network (CAN/PWM) | Actuator command/status | Vehicle <-> ECU | Authenticity/integrity on allocated signals (OP-005) |
| Diagnostic (UDS) | Tester access | External <-> ECU | Authenticated session + security access (OP-002) |
| Software update | Programming/flash | OEM backend <-> ECU | Authenticated, integrity-verified update (OP-004) |
| Key/certificate provisioning | Trust material | OEM PKI <-> ECU | Secure provisioning & storage (OP-003) |
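As an added illustration of the "authenticity/integrity on allocated signals" treatment in the vehicle-network row (OP-005), and not code from this design or the project: a SecOC-style receiver check on a secured PDU carrying a truncated freshness value and a truncated MAC. The key, the data ID, the truncation lengths, and the use of HMAC-SHA256 in place of AES-CMAC are all assumptions made so the example runs with the Python standard library.

```python
import hmac
import hashlib
import struct

# Constructed stand-in for the key that would come from KEY storage via OEM
# provisioning (OP-003); never a real key. HMAC-SHA256 substitutes for the
# AES-CMAC a SecOC profile would use, so the standard library suffices.
SECOC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
FV_BITS = 8       # truncated freshness bits on the bus (hypothetical profile, one byte)
MAC_BYTES = 3     # truncated MAC length on the bus (hypothetical profile)
DATA_ID = 0x0101  # hypothetical data ID for the gearbox command PDU

def _mac(data_id: int, payload: bytes, freshness: int) -> bytes:
    """MAC over data ID || payload || full freshness value, then truncated."""
    msg = struct.pack(">H", data_id) + payload + struct.pack(">Q", freshness)
    return hmac.new(SECOC_KEY, msg, hashlib.sha256).digest()[:MAC_BYTES]

def secure(payload: bytes, freshness: int, data_id: int = DATA_ID) -> bytes:
    """Sender side: secured PDU = payload || truncated freshness || truncated MAC."""
    fv_trunc = freshness & ((1 << FV_BITS) - 1)
    return payload + bytes([fv_trunc]) + _mac(data_id, payload, freshness)

class Receiver:
    """Receiver side: rebuilds the full counter and rejects replays and tampering."""
    def __init__(self, data_id: int = DATA_ID):
        self.data_id = data_id
        self.last_fv = -1  # highest freshness value accepted so far

    def verify(self, pdu: bytes):
        """Return the authentic payload, or None if the PDU must be dropped."""
        if len(pdu) < 1 + MAC_BYTES:
            return None
        payload = pdu[:-(1 + MAC_BYTES)]
        fv_trunc = pdu[-(1 + MAC_BYTES)]
        tag = pdu[-MAC_BYTES:]
        # Rebuild the full counter: upper bits from the last accepted value,
        # lower bits from the bus; if that is not newer, assume one wrap-around.
        mask = (1 << FV_BITS) - 1
        candidate = (max(self.last_fv, 0) & ~mask) | fv_trunc
        if candidate <= self.last_fv:
            candidate += 1 << FV_BITS
        # Constant-time compare. A replayed or stale counter produces a different
        # candidate than the sender used, so its MAC no longer matches.
        if not hmac.compare_digest(_mac(self.data_id, payload, candidate), tag):
            return None
        self.last_fv = candidate
        return payload
```

If more than 2^FV_BITS - 1 consecutive PDUs are lost the reconstructed counter falls behind the sender's and every later PDU fails, which is why a deployed profile needs a freshness resynchronisation path alongside this check.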
Security Function Allocation
| Security Function | Allocation |
| --- | --- |
| Secure boot / app authenticity | Supplier (ECU) + OEM signing authority |
| Secure diagnostics / RBAC | Supplier (ECU) + OEM role policy |
| Secure update | Supplier (ECU) + OEM backend |
| Key/certificate handling | Supplier (ECU storage) + OEM PKI |
| Secure communication | Supplier (ECU) + OEM signal allocation |
Trust Boundaries
- Vehicle network boundary, diagnostic boundary, update boundary, and PKI/provisioning boundary.
Data / Security Flows
- Command/status flow (vehicle<->ECU), diagnostic flow (tester<->ECU), update flow (OEM<->ECU), key flow (PKI<->ECU).
Open Design Decisions
- OP-001: ECU designation, variant and item definition for TARA (owner: OEM / Customer).
- OP-002: Diagnostic security role model and service authorization (owner: shared, OEM policy / Supplier ECU).
- OP-003: Key and certificate ownership, provisioning and lifecycle (owner: OEM / Customer for PKI + Supplier for ECU).
- OP-004: Secure software update / backend campaign responsibility (owner: shared, OEM backend / Supplier ECU).
- OP-005: Secure on-board communication (SecOC/SDT) signal allocation (owner: OEM / Customer).
- OP-009: Cybersecurity work products, DIA and responsibility split (owner: OEM / Customer + Supplier, per DIA).