1. What is E2E?
2. Why E2E?
3. How does E2E work?
4. What are the common forms of protection?
5. E2E state machine and configuration parameters
1. What is E2E?
First of all, E2E is not specific to the automotive domain: end-to-end protection is used in any communication domain. AUTOSAR is simply the body that standardized this protocol/mechanism.
E2E stands for End-to-End communication protection. It is a protection mechanism for safety-related data, executed between the two communicating nodes (the sender and the receiver), whose purpose is to detect failures (hardware or software) that may occur anywhere in the communication link. It is independent of the network technology and applies equally to CAN, CAN FD, FlexRay, Ethernet and so on.
As shown in the figure below, suppose two ECUs, ECU1 and ECU2, communicate over a CAN bus and ECU1 has to send certain safety signals to ECU2. With the E2E Profile 1 protection protocol (AUTOSAR E2E library), ECU1 transmits not only the necessary data but also a CRC and a counter. After receiving the frame, ECU2 recomputes the CRC, compares it with the received one, and takes its next action according to the result of the check (this is fault handling, which was briefly summarized earlier in the article "The Electric Vehicle Power System: See, Listen and Ask | Fault Diagnosis").
Notice that what E2E actually protects is a pair of operations: the sender's protect step and the receiver's check step (in the AUTOSAR library these are the E2E_PXXProtect and E2E_PXXCheck routines of each profile, for example E2E_P01Protect and E2E_P01Check). The standard defines them as follows:
All of the protection mechanisms in E2E revolve around these two operations.
2. Why E2E?
From the introduction above we can conclude that the core of the E2E concept is the exchange of safety-related data, which must be protected at run time so that possible failures of the communication link cannot affect it; that is the essential reason for doing E2E. In addition, E2E is one of the necessary means by which a vehicle powertrain reaches its ASIL target.
So what failure modes can occur during data exchange? ISO 26262 summarizes them as follows:
● Repetition of information: the same message is received several times.
● Loss of information: all or part of the information is lost during transmission.
● Delay of information: the information arrives at a different time than expected.
● Insertion of information: extra content is inserted into the information.
● Masquerade or incorrect addressing of information: unauthenticated information from a false sender is accepted by the receiver, or correct information is accepted by the wrong receiver.
● Incorrect sequence of information: the information in the data stream arrives in the wrong order.
● Corruption of information: the content of the information has been altered.
● Asymmetric information sent from a sender to multiple receivers: the receivers do not all receive the same data.
● Information from a sender received by only a subset of the receivers.
● Blocking access to a communication channel.
Data exchange scenarios in which these failures may occur include communication with I/O peripherals, communication over a data bus, and so on. Their causes include both systematic failures, such as errors in code generation, errors introduced by hand-written code, or errors in the network protocol stack, and random hardware failures, such as a processor fault, a network hardware fault, or electromagnetic interference.
3. How does E2E work?
AUTOSAR provides an E2E library that offers several profiles for E2E protection. Each profile has its own mechanism, parameters and data layout, and users choose one according to their needs. Whichever profile is configured, the procedure boils down to the following two steps:
Step 1: the sender extends the data structure by adding control fields, generally a checksum (CRC), a counter and so on. The extended data is then passed on through the RTE, as shown in the figure below:
Step 2: the receiver verifies the whole extended data. If the check passes, it removes the control fields and hands the application data to the SWC for processing; if it does not pass, a fault is reported instead. This is how the protection mechanism is realized.
So what forms of protection are commonly used when configuring a profile?
4. What are the common forms of protection?
The protection mechanisms mentioned in the introduction are explained here.
Cyclic redundancy check
A cyclic redundancy check (CRC) is a fast algorithm that derives a short, fixed-length check code from data such as a network packet or a file, using polynomial division and its remainder. It is mainly used to detect errors that may have occurred during transmission or storage.
ISO 26262-5 also makes clear that the diagnostic coverage of a CRC depends mainly on the message length, the size of the CRC field and the form of the polynomial; see the ISO 26262 documents for details.
In particular, when we casually say "CRC checksum", there are really two different verification methods involved.
Checksum
As the name implies, a checksum is the sum of a group of data items, used for verification purposes in data processing and data communication. These data items may be numbers, or other strings that are treated as numbers while the checksum is computed. There are many variants: XOR checksum, one's-complement checksum, two's-complement checksum, and so on.
Counter
A 4-bit field in the message with values 0 to 14 (Profile 1), used for counting: the sender increments it by 1 for every message it sends, ECU1 transmits the current value to ECU2, and ECU2 compares the received counter with the last one it accepted to confirm that the expected message has arrived. After 14 the counter wraps around to 0 (the value 15 is not used).
Timeout
The counter is also what the receiver uses to judge whether messages were lost or delayed: a receive cycle in which no new counter value arrives is treated as a timeout.
Data ID
Generally 2 bytes, a value agreed in advance between ECU1 and ECU2. AUTOSAR Profile 1 defines several modes for it (E2E_P01DataIDMode): E2E_P01_DATAID_BOTH, ALT, LOW and NIBBLE. The Data ID is included in the CRC calculation, but note that it is not put on the bus as part of the transmitted data (except in NIBBLE mode, where 4 bits of it are transmitted); it only serves as a key to the message's checksum, like the secret code two agents exchange before they start talking, to confirm that "the instruction I received really came from the expected sender". A frame protected with a different Data ID therefore fails the check, which is how mis-addressed messages are detected. Keep in mind that this is a functional-safety measure against random and systematic faults, not a security measure: a CRC is a linear function and the Data IDs are static configuration values, so anyone who can inject frames on the bus can produce a valid CRC. Authentication against a deliberate attacker needs a cryptographic MAC (in AUTOSAR, the SecOC module).
Specifically, here is how the Data ID enters the CRC calculation for the message.
AUTOSAR E2E Profile 1 uses CRC-8 SAE J1850, whose polynomial is 0x1D (x^8 + x^4 + x^3 + x^2 + 1). In the usual layout, Byte 0 of the data field holds the message CRC, and Byte 1 to Byte 7 hold the other message data (by default the counter sits in the low nibble of Byte 1); the layout of the data field is shown in the figure below.
The specific steps are as follows.
Step 1: compute the CRC over the Data ID field (note: the register does not start from the nominal initial value 0xFF but from its inversion, 0x00, because the library CRC routine is called with start value 0xFF but not as a first call).
Step 2: continue the CRC over the Byte 1 to Byte 7 field (note: the actual start value is the inversion of the result of the previous step, because the routine undoes its final XOR when a previous result is passed back in).
Step 3: invert the result of the previous step (XOR with 0xFF) to obtain the final CRC value, which is written to Byte 0.
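To make these three steps and the two-step protect/check procedure from section 3 concrete, here is an added example in C written for this edit; it is not the article's code nor the AUTOSAR library's. It assumes the usual Profile 1 layout (8-byte frame, CRC in Byte 0, counter in the low nibble of Byte 1, 16-bit Data ID), implements the BOTH, ALT and LOW Data ID modes, and models the receiver's counter evaluation with a single MaxDeltaCounter (the real library additionally lets that tolerance grow while no new data arrives). All type and function names are this example's own.

```c
/* Added example, not the article's or AUTOSAR's code: an E2E Profile 1 style
 * protect/check pair. Assumed layout: 8-byte frame, CRC in byte 0, 4-bit
 * counter in the low nibble of byte 1, 16-bit Data ID. Data ID modes BOTH,
 * ALT and LOW are implemented; NIBBLE (which also transmits 4 bits of the
 * Data ID inside byte 1) is left out. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CRC-8 SAE J1850: poly 0x1D, init 0xFF, no reflection, final XOR 0xFF, with
 * the AUTOSAR Crc_CalculateCRC8() calling convention: a first call ignores
 * the start value and uses 0xFF; a follow-up call takes the previous result
 * and XORs it with 0xFF to undo the final XOR (the "inversion" in the text).
 * Profile 1 passes 0xFF with is_first_call=false, so its register starts at 0x00. */
uint8_t crc8_sae_j1850(const uint8_t *data, size_t len, uint8_t start, bool is_first_call)
{
    uint8_t crc = is_first_call ? 0xFFu : (uint8_t)(start ^ 0xFFu);
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc & 0x80u) ? (uint8_t)((crc << 1) ^ 0x1Du) : (uint8_t)(crc << 1);
    }
    return (uint8_t)(crc ^ 0xFFu);
}

#define E2E_P01_LEN          8u
#define E2E_P01_COUNTER_MAX 14u   /* the counter cycles 0..14; 15 is never sent */

typedef enum { DATAID_BOTH, DATAID_ALT, DATAID_LOW } DataIdMode;
typedef enum { E2E_INITIAL, E2E_OK, E2E_REPEATED, E2E_OK_SOME_LOST,
               E2E_WRONG_SEQUENCE, E2E_WRONG_CRC } E2eStatus;
typedef struct { uint16_t data_id; DataIdMode mode; uint8_t max_delta_counter; } E2eP01Config;
typedef struct { uint8_t counter; } E2eP01Sender;                   /* next counter to send */
typedef struct { uint8_t last_counter; bool wait_for_first; } E2eP01Receiver;

/* Steps 1-3 of the text: CRC over the Data ID (never on the bus), continued
 * over bytes 1..7 (counter nibble included), the CRC byte itself excluded. */
static uint8_t p01_crc(const E2eP01Config *cfg, const uint8_t *frame, uint8_t counter)
{
    uint8_t lo = (uint8_t)(cfg->data_id & 0xFFu), hi = (uint8_t)(cfg->data_id >> 8), crc;
    if (cfg->mode == DATAID_BOTH) {
        crc = crc8_sae_j1850(&lo, 1, 0xFFu, false);
        crc = crc8_sae_j1850(&hi, 1, crc, false);
    } else if (cfg->mode == DATAID_ALT) {      /* even counter: low byte, odd: high byte */
        crc = crc8_sae_j1850((counter & 1u) ? &hi : &lo, 1, 0xFFu, false);
    } else {
        crc = crc8_sae_j1850(&lo, 1, 0xFFu, false);
    }
    return crc8_sae_j1850(&frame[1], E2E_P01_LEN - 1u, crc, false);
}

/* Sender: write the counter, compute the CRC, advance the counter (section 3, step 1). */
void e2e_p01_protect(const E2eP01Config *cfg, E2eP01Sender *tx, uint8_t *frame)
{
    frame[1] = (uint8_t)((frame[1] & 0xF0u) | (tx->counter & 0x0Fu));
    frame[0] = p01_crc(cfg, frame, tx->counter);
    tx->counter = (uint8_t)(tx->counter >= E2E_P01_COUNTER_MAX ? 0u : tx->counter + 1u);
}

/* Receiver: verify the CRC first, then judge the counter distance (section 3, step 2). */
E2eStatus e2e_p01_check(const E2eP01Config *cfg, E2eP01Receiver *rx, const uint8_t *frame)
{
    uint8_t counter = frame[1] & 0x0Fu, delta;
    if (p01_crc(cfg, frame, counter) != frame[0])
        return E2E_WRONG_CRC;               /* corrupted, or keyed with another Data ID */
    if (rx->wait_for_first) {               /* first frame: nothing to compare against yet */
        rx->wait_for_first = false;
        rx->last_counter = counter;
        return E2E_INITIAL;
    }
    delta = (uint8_t)((counter + 15u - rx->last_counter) % 15u);   /* distance modulo 15 values */
    if (delta == 0u)                    return E2E_REPEATED;        /* same message again */
    if (delta > cfg->max_delta_counter) return E2E_WRONG_SEQUENCE;  /* too many lost / out of order */
    rx->last_counter = counter;
    return delta == 1u ? E2E_OK : E2E_OK_SOME_LOST;
}

/* Drives one sender/receiver pair through the fault cases on a constructed
 * payload and returns one letter per check: I=INITIAL O=OK R=REPEATED
 * L=OK_SOME_LOST S=WRONG_SEQUENCE C=WRONG_CRC. */
const char *p01_scenario(void)
{
    static const char code[] = "IORLSC";                       /* indexed by E2eStatus */
    static char out[16];
    const E2eP01Config cfg = { 0x1234u, DATAID_BOTH, 3u };
    const E2eP01Config other = { 0x1235u, DATAID_BOTH, 3u };   /* receiver keyed with another Data ID */
    E2eP01Sender tx = { 0 };
    E2eP01Receiver rx = { 0, true }, rx2 = { 0, true }, rx3 = { 0, true };
    uint8_t frame[E2E_P01_LEN] = { 0, 0xA0, 1, 2, 3, 4, 5, 6 }; /* constructed sample payload */
    int n = 0;

    e2e_p01_protect(&cfg, &tx, frame); out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];  /* I */
    e2e_p01_protect(&cfg, &tx, frame); out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];  /* O */
    out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];                    /* R: same frame twice */
    e2e_p01_protect(&cfg, &tx, frame);                                   /* counter 2 is lost ... */
    e2e_p01_protect(&cfg, &tx, frame); out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];  /* L: delta 2 */
    for (int i = 0; i < 4; i++) e2e_p01_protect(&cfg, &tx, frame);       /* counters 4..7, only 7 arrives */
    out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];                    /* S: delta 4 > 3 */
    frame[5] ^= 0x01u; out[n++] = code[e2e_p01_check(&cfg, &rx, frame)];    /* C: one flipped bit */
    frame[5] ^= 0x01u; out[n++] = code[e2e_p01_check(&other, &rx2, frame)]; /* C: wrong Data ID */
    while (tx.counter != E2E_P01_COUNTER_MAX) e2e_p01_protect(&cfg, &tx, frame);
    e2e_p01_protect(&cfg, &tx, frame); out[n++] = code[e2e_p01_check(&cfg, &rx3, frame)]; /* I: counter 14 */
    e2e_p01_protect(&cfg, &tx, frame); out[n++] = code[e2e_p01_check(&cfg, &rx3, frame)]; /* O: wrapped to 0 */
    out[n] = '\0';
    return out;
}

int main(void)
{
    printf("check results: %s\n", p01_scenario()); /* IORLSCCIO */
    return 0;
}
```

Running it prints IORLSCCIO: an initial frame, one in-order frame, the same frame repeated, a frame whose predecessor was lost, a frame too far ahead, a corrupted frame, a frame checked with the wrong Data ID, and finally the counter wrapping from 14 to 0. Note that the wrong-Data-ID case shows up as a CRC error: that is exactly how Profile 1 turns "wrong key" (a mis-addressed message) into a detectable fault.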
For reference, the original definition of the Profile 1 protection mechanism in AUTOSAR is reproduced below:
5. E2E state machine and configuration parameters
E2E data is received periodically. In each cycle the receiver calls the check routine of the configured profile to examine the data received in that cycle, verify whether it is correct, and report which kind of fault was detected. The figure below shows the states and the transitions between them; as it shows, whether the data is usable is judged from the number of error and OK results within a window of recent cycles.
So what configuration parameters does E2E protection need?
Taking the AUTOSAR E2E Protocol Specification 1.3.0 as an example, the configuration parameters supported by E2E are shown in the figure below:
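As an added illustration of the state machine and its parameters described above (example code written for this edit, not from the article or from AUTOSAR), the following C models a window-based evaluation in the style of AUTOSAR's E2E_SM: it keeps the results of the last WindowSize receive cycles and moves between NODATA, INIT, VALID and INVALID according to how many OK and ERROR results the window holds. The state and parameter names mirror the E2E_SM configuration (WindowSize, MinOkStateInit, MaxErrorStateInit, MinOkStateValid, MaxErrorStateValid, MinOkStateInvalid, MaxErrorStateInvalid); the precise counting policy is the example's own assumption, as noted in the code.

```c
/* Added example, not the article's or AUTOSAR's code: a window-based state
 * machine over per-cycle check results. State names (NODATA, INIT, VALID,
 * INVALID) and parameter names follow the AUTOSAR E2E_SM vocabulary; the
 * counting policy is this example's assumption: every cycle result takes a
 * window slot (NONEWDATA too, so a silent sender ages out its OK results),
 * only OK and ERROR are counted, and the window is never cleared. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Per-cycle result after the profile check has been mapped for the state
 * machine (OK/OKSOMELOST -> P_OK, WRONGCRC -> P_ERROR, and so on). */
typedef enum { P_OK, P_REPEATED, P_WRONGSEQUENCE, P_ERROR, P_NONEWDATA } ProfileStatus;
typedef enum { SM_NODATA, SM_INIT, SM_VALID, SM_INVALID } SmState;

#define SM_MAX_WINDOW 16u

typedef struct {
    uint8_t window_size;                     /* number of recent cycles considered */
    uint8_t min_ok_init,    max_err_init;    /* INIT -> VALID: ok >= min and err <= max */
    uint8_t min_ok_valid,   max_err_valid;   /* VALID stays VALID while ok >= min and err <= max */
    uint8_t min_ok_invalid, max_err_invalid; /* INVALID -> VALID: ok >= min and err <= max */
} SmConfig;

typedef struct {
    SmState state;
    ProfileStatus window[SM_MAX_WINDOW];     /* circular buffer of the last results */
    uint8_t next, filled;
} SmRuntime;

void sm_init(SmRuntime *rt) { memset(rt, 0, sizeof *rt); rt->state = SM_NODATA; }

static void sm_add(const SmConfig *cfg, SmRuntime *rt, ProfileStatus s)
{
    rt->window[rt->next] = s;
    rt->next = (uint8_t)((rt->next + 1u) % cfg->window_size);
    if (rt->filled < cfg->window_size) rt->filled++;
}

static void sm_count(const SmRuntime *rt, uint8_t *ok, uint8_t *err)
{
    *ok = 0; *err = 0;
    for (uint8_t i = 0; i < rt->filled; i++) {
        if (rt->window[i] == P_OK)         (*ok)++;
        else if (rt->window[i] == P_ERROR) (*err)++;  /* REPEATED, WRONGSEQUENCE, NONEWDATA: neither */
    }
}

/* Called once per receive cycle; returns the state the application should act on. */
SmState sm_check(const SmConfig *cfg, SmRuntime *rt, ProfileStatus s)
{
    uint8_t ok, err;
    if (rt->state == SM_NODATA) {
        if (s == P_ERROR || s == P_NONEWDATA) return SM_NODATA; /* still nothing usable */
        sm_add(cfg, rt, s);
        rt->state = SM_INIT;
        return rt->state;
    }
    sm_add(cfg, rt, s);
    sm_count(rt, &ok, &err);
    switch (rt->state) {
    case SM_INIT:
        if (err > cfg->max_err_init)     rt->state = SM_INVALID;
        else if (ok >= cfg->min_ok_init) rt->state = SM_VALID;
        break;
    case SM_VALID:
        if (err > cfg->max_err_valid || ok < cfg->min_ok_valid) rt->state = SM_INVALID;
        break;
    case SM_INVALID:
        if (err <= cfg->max_err_invalid && ok >= cfg->min_ok_invalid) rt->state = SM_VALID;
        break;
    default:
        break;
    }
    return rt->state;
}

/* Feeds a constructed sequence of cycle results (window of 5) and returns one
 * letter per cycle: N=NODATA i=INIT V=VALID X=INVALID. */
const char *sm_scenario(void)
{
    static const char code[] = "NiVX";              /* indexed by SmState */
    static char out[32];
    const SmConfig cfg = { 5, 3, 1, 3, 1, 4, 0 };   /* recovery needs 4 OK and 0 errors in the window */
    const ProfileStatus feed[] = { P_NONEWDATA, P_OK, P_OK, P_OK, P_ERROR, P_ERROR,
                                   P_OK, P_OK, P_OK, P_OK, P_OK };
    SmRuntime rt;
    size_t n;
    sm_init(&rt);
    for (n = 0; n < sizeof feed / sizeof feed[0]; n++)
        out[n] = code[sm_check(&cfg, &rt, feed[n])];
    out[n] = '\0';
    return out;
}

int main(void)
{
    printf("states per cycle: %s\n", sm_scenario()); /* NiiVVXXXXXV */
    return 0;
}
```

The constructed sequence shows why the window matters: two consecutive CRC errors push the receiver to INVALID, and it is only allowed back to VALID once the whole five-cycle window is clean again, so a single good frame after a burst of errors is not enough to trust the data.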
The above is a brief introduction to the E2E concept and its protection logic, one of the building blocks for achieving ASIL D in the vehicle powertrain. For more detail, consult the standard "AUTOSAR E2E Protocol Specification" directly.
References
AUTOSAR, "E2E Protocol Specification"
ISO 26262, "Road vehicles - Functional safety"
Finally, a quick poll: the two labs tentatively plan to hold a training and exchange meeting before the end of the year (format to be decided). The training theme is: interpretation of standards and test development for the three-in-one electric drive system of electric vehicles. The tentative topics are:
1) Combining project experience, review the test standards for the three-in-one system from the perspective of vehicle requirements and build a mind map of the test standards;
2) Understand the relationship between FMEA and testing;
3) Explain how tests are distributed over the different stages of project development;
4) Collection and conversion of road-load spectra and their influence on the three-in-one system and its components;
5) Explain the key points and difficulties of system fatigue durability, environmental adaptability, and adaptability to high- and low-voltage electrical loads.
Details of the meeting will be pushed officially later; interested parties can message me privately.
Finally, thank you for your continued support!
This article comes from Autohome (car home), by a contributing author, and does not represent Autohome's position.