MIPI Security Framework
Providing end-to-end security to applications that leverage MIPI specifications
Initial focus on protection of automotive CSI-2 data streams
The MIPI Security Framework defines a flexible approach to add end-to-end security to applications that leverage MIPI specifications. The framework enables key security functionality including authentication of system components, data integrity protection and data encryption. It provides implementors with a choice of protocols, cryptographic algorithms, integrity tag modes and security protection levels.
The security framework focuses on securing long-reach wired in-vehicle network connections between MIPI CSI-2®-based image sensors and their related processing ECUs. While acknowledging this initial focus, the framework can be applicable to virtually any other use case that leverages MIPI CSI-2-based image sensors for machine vision applications.
Protecting Automotive CSI-2 Image Data from Cybersecurity Risks
Virtually every modern passenger and commercial vehicle relies on MIPI specifications to support a wide variety of applications that leverage image sensors, displays and other key components. More specifically, image sensors are essential to the latest advanced driver-assistance systems (ADAS) and autonomous driving systems (ADS). Both the number and significance of these image sensors being deployed in these safety-critical applications will continue to increase with each new generation of automotive architecture, and MIPI CSI-2 is quickly becoming the de facto image sensor interface within these architectures.
Within this context, automotive system designers understand the need to protect image sensor data from security risks such as installation of illegitimate substandard components, malicious manipulation of sensor data and potential privacy violations from unauthorized access to location-revealing images. To mitigate these threats, the MIPI Alliance has developed a security framework that protects MIPI CSI-2 image data (and any associated command and control data) “end-to-end” between image sensor components and their related electronic control units (ECUs). As described in more detail below, the security framework is uniquely effective in both its security extent and implementation flexibility.
Supporting MIPI Automotive SerDes Solutions
The MIPI Security Framework is a key component of MIPI Automotive SerDes Solutions (MASS), an end-to-end, full stack of connectivity solutions for the growing number of cameras, sensors and displays that enable automotive applications. The initial release of security specifications complement the MASS image sensor "stack" by adding security into both the Camera Service Extensions layer and Command and Control Interface.
The security framework consists of the following specifications:
- MIPI Security v1.0 — Baseline specification defines a system security management suite (based on the DMTF SPDM standard) and data service protocols to authenticate and establish secure sessions between system components and manage security contexts.
- MIPI Camera Service Extensions (MIPI CSE) v2.0 — Adds security service extensions to apply data integrity protection and optional encryption to CSI-2 data.
- MIPI Command and Control Interface Service Extensions (MIPI CCISE) v1.0 — Defines security extensions to apply data integrity protection and optional encryption to I2C based command and control interfaces.
- MIPI Security Profiles v1.0 — Defines a set of common security profiles to enable interoperability.
It should be noted that the security services defined within these new security specifications are fully complementary to the functional safety services already provided within MASS.
Figure 1. MIPI image sensor stack incorporating the security framework
End-to-End Security Extent
Whereas other sensor security methods protect only the link layer, the MIPI Security Framework delivers application-level protection across all physical attack points. In this way it is “end-to-end,” or “silicon to silicon,” in that the security transcends all link layer components to provide security from the source of sensor data in sensor silicon to the ultimate sink of that data in system-on-chip (SoC) silicon. Security is applied to both data streams, and command and control data.
Further, this end-to-end protection is guaranteed irrespective of the underlying communication network topology (e.g., unicast, multicast, daisy-chain topology), providing complete flexibility for the developer to leverage any combination of underlying network components (such as bridges, aggregators and forwarding elements) to achieve the most efficient solution for their application.
Figure 2. The MIPI Security Framework provides both end-to-end security extent and a high degree of implementation flexibility.
High Scalability Provides Implementation Flexibility
The MIPI Security Framework is highly scalable, providing a high degree of implementation flexibility for sensor application developers to balance required security levels against processing efficiency, implementation complexity, thermal regulation and/or power consumption in the sensor system. The framework provides this flexibility in three primary ways:
- Choice of implementing protocol. The framework allows the implementer to choose between two data service protocols for the desired security level. It is these protocols that embed the necessary Message Authentication Code (MAC) for integrity protection into a CSI-2 data stream. The two data service protocols are called Service Extensions Packet (SEP) and Frame-Based Service Extensions Data (FSED). SEP-based security is provided by adding SEP headers and footers to each CSI-2 packet (or frame), whereas FSED security is provided via the addition of (up to) three additional CSI-2-based packets to an image frame. Both protocols can be implemented with a high level of commonality to enable dual-protocol implementations if required.
- Choice of ciphersuites. The framework defines two ciphersuites, one for efficiency and one for performance. The "efficiency" ciphersuite provides AES-CMAC data integrity only (no encryption) and is targeted toward sensors with limited hardware resources. The "performance" ciphersuite provides AES-GMAC data integrity and optional AES-CTR encryption and is targeted at sensors with dedicated hardware support for these security protocols. Both ciphersuites support use of AES with 128- and 256-bit key lengths.
- Choice of tag modes. The framework offers multiple tag mode options when using the SEP and FSED data service protocols. This allows the implementor to choose how often the tag is computed and transmitted. For example, when using SEP, the implementor has the choice to send the Message Authentication Code (MAC) tag on a per-message, per-data-type or per-frame basis.
- Highly granular security controls. A new security paradigm provides highly granular security controls over the different segments of the CSI-2 image frame to enable a “sliding scale” of security levels to be implemented. This scale includes: at the highest security level, applying full data integrity and encryption to the whole image frame; to partial security levels, where source selective integrity protection is applied to a subset of data within an image frame; to applying no data integrity at the lowest security level. The level of security is configurable on a frame-by-frame basis with camera stream data being augmented with packets/messages containing the relevant security information.
Security Framework Release Date
The initial release of the security framework, targeted at MIPI CSI-2 image sensor applications, is being developed by the Security Working Group in collaboration with the Camera Working Group. The suite of four specifications is expected to enter the member review process in early 2023 with official release expected in mid-2023.
Future additions to the security framework, such as to add security to MIPI display applications, are planned for subsequent phases.