KopherBit
Functional Safety

Functional safety and security basics of Infineon TC387QP on KCU GEN2

KCU GEN2 uses the Infineon AURIX TC387QP as its main processor, with built-in multi-core Lock-Step, an HSM security module and ASIL-D friendly hardware safety mechanisms. This article summarizes the basics of applying functional safety (ISO 26262) and information security (R155 / R156) with the TC387QP in KopherSAR / KopherV2G / KopherBoot.

Summary

Infineon AURIX TC387QP is the main processor used in KCU GEN2 (Phase B) and KCU GEN2 Micro. It has 4 built-in cores (TriCore) and supports Lock-Step mode (providing hardware redundancy comparison), an HSM (Hardware Security Module) and ECC memory protection. It is an automotive MCU designed for ASIL-D functional safety and automotive information security needs. KopherBit makes use of the TC387QP hardware mechanisms in KopherSAR, KopherBoot and KopherV2G: the Lock-Step cores support functional safety partitioning, and the HSM protects the PnC / SecOC / Secure Boot private keys.

Technical Role

TC387QP plays the following roles on KCU GEN2:

  • Multi-Core Application Processor: 4 TriCore 1.6.2P cores, main clock 300 MHz, assignable to Security/General/Communications/Surveillance partitions.
  • Lock-Step safety core: Some cores can operate in pairs. A mismatch in the hardware comparison result triggers a safety response, meeting the ASIL-D requirement to guard against single-point hardware failures.
  • HSM: An independent security processor providing private key storage, ECDSA / RSA / AES / SHA acceleration and a TRNG. It is used for Secure Boot, SecOC, ISO 15118 PnC and Bootloader signature verification.
  • ECC memory: Flash and RAM include ECC; the hardware detects single-bit errors and can correct them.
  • Memory Protection (MPU): Supports multi-partition memory protection, combined with OS-Application partitioning.
  • Integrated communication peripherals: CAN FD, Ethernet (KCU GEN2 Phase B through external PHY), LIN, SPI, ADC, PWM, etc.

Architecture

| Module | Role |
|---|---|
| 4× TriCore CPU | Application / Security / Communication partition processing. |
| Lock-Step Pair | Hardware redundancy comparison for safety. |
| HSM | Private key storage, encryption acceleration, Secure Boot root of trust. |
| Flash 10 MB / RAM 1.5 MB | Application firmware and data storage, with ECC. |
| CAN FD Controller | 4-channel CAN 2.0B/FD. |
| Ethernet MAC | Provides 1×ETH (Phase B) with external PHY. |
| LIN | LIN Master controller. |
| ADC / DSADC | Multi-channel high-precision analog input. |
| GTM (Generic Timer Module) | PWM and frequency input processing. |
| SPI / QSPI | Connects external switching ICs, Flash, etc. |
| MPU | Multi-partition memory protection. |
| Watchdog | System and processor watchdog. |

Key Capabilities

  • ASIL-D Friendly: Lock-Step cores + ECC + MPU provide hardware-level safety mechanisms.
  • Information Security Basics: HSM private key protection, TRNG, ECDSA / AES / SHA hardware acceleration.
  • Multi-partition architecture: The combination of MPU and OS Application can safely separate ASIL-D safety functions and QM general functions.
  • High bandwidth communication: 4×CAN FD + Ethernet, enough to carry ISO 15118, UDS DoIP, SOME/IP.
  • Large Capacity Memory: 10 MB Flash suitable for holding Bootloader + Application + Calibration + V2G + UDS + RTE.
  • ECC Memory: Mitigates Single Event Upsets (SEU), improving overall reliability.

Engineering Inputs Required

| Input | Purpose |
|---|---|
| Safety Goals | ASIL assignment, safety response strategy after TARA / HARA. |
| Safety partition planning | ASIL-D / QM partition segmentation and core allocation. |
| Security Goals | R155 / R156 correspondence, asset classification, TARA results. |
| Secure Boot Chain | Root of Trust (HSM) → Bootloader Signature → Application Signature. |
| HSM key life cycle | Factory injection, in-service update, and revocation process. |
| MPU configuration | Memory segments, permissions and stacks for each partition. |
| Monitoring strategy | Watchdog, Lock-Step failure response, ECC error reporting. |

How KopherBit Supports This

  • Platform Basics: KCU GEN2 / GEN2 Micro provides TC387QP production grade boards.
  • Basic software: KopherSAR Os, Csm, KeyM, WdgM fully support the TC387QP hardware mechanism.
  • Bootloader / Secure Boot: KopherBoot integrates the HSM to complete the Secure Boot chain and signature verification.
  • V2G PnC: KopherV2G stores the ISO 15118 PnC private key in the HSM.
  • Consulting: Assists customers in completing TARA/HARA/FMEDA, ASIL partition design, and HSM key life cycle planning.

FAQ

Does the TC387QP comply with ISO 26262 ASIL-D?

TC387QP is ASIL-D friendly hardware and provides mechanisms such as Lock-Step and ECC to help the system achieve ASIL-D. The final ASIL level depends on the safety analysis of the overall system and on the software implementation. The hardware alone is not "ASIL-D".

Does Lock-Step force the use of all cores?

Not mandatory. Customers can configure some cores as a Lock-Step pair (providing hardware safety guarantees) based on design needs, and the remaining cores as general application cores. KopherSAR Os supports this hybrid configuration.

What is the difference between HSM and general encryption libraries?

The HSM is an independent security processor: private key operations are performed only within the HSM, and the key is not exposed to main MCU memory. It also provides a TRNG, encryption acceleration, and the Secure Boot root of trust. Compared with a software encryption library on the main MCU, the HSM is significantly more isolated and more resistant to attacks.

Does HSM affect performance?

Some cryptographic operations (AES, SHA, ECDSA) are accelerated by the HSM hardware and are faster than a software implementation on the main MCU. The performance impact mainly comes from HSM command queuing and communication; KopherSAR Csm uses asynchronous processing to avoid blocking the main application.

How does Secure Boot affect boot time?

Secure Boot needs to verify the Bootloader and Application signatures, which adds tens to hundreds of ms to the boot time (depending on the signature algorithm and image size). This can be optimized through ECDSA secp256r1 + segmented verification and other methods.
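
The sketch below is an added example, not KopherBoot code: it models the Bootloader → Application chain with one signature check per stage over a manifest of per-segment SHA-256 digests, followed by hash checks of the segments. It assumes that "segmented verification" means this manifest scheme (the article does not define it), uses HMAC-SHA256 inside a simulated HSM object as a stand-in for ECDSA secp256r1 so it runs offline, and all names and the segment size are hypothetical.

```python
import hashlib
import hmac

SEGMENT_SIZE = 4096  # assumed; the page does not give a segment size


class SimulatedHsm:
    """Stand-in for the HSM: the key stays inside this object.
    HMAC-SHA256 replaces ECDSA secp256r1 so the example runs offline."""

    def __init__(self, key: bytes):
        self._key = key

    def sign(self, data: bytes) -> bytes:  # build-time signing in a real flow
        return hmac.new(self._key, data, hashlib.sha256).digest()

    def verify(self, data: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(self.sign(data), tag)


def build_manifest(image: bytes) -> bytes:
    """Concatenated SHA-256 digests, one per fixed-size segment."""
    return b"".join(hashlib.sha256(image[i:i + SEGMENT_SIZE]).digest()
                    for i in range(0, len(image), SEGMENT_SIZE))


def verify_stage(hsm, image, manifest, tag, eager_segments=None):
    """Return (ok, reason). One signature check covers the manifest; segments
    are then hash-checked, all of them or only the first eager_segments."""
    if not hsm.verify(manifest, tag):
        return False, "manifest signature invalid"
    count = -(-len(image) // SEGMENT_SIZE)  # ceiling division
    if len(manifest) != 32 * count:
        return False, "manifest does not match image length"
    limit = count if eager_segments is None else min(eager_segments, count)
    for n in range(limit):
        segment = image[n * SEGMENT_SIZE:(n + 1) * SEGMENT_SIZE]
        expected = manifest[32 * n:32 * (n + 1)]
        if not hmac.compare_digest(hashlib.sha256(segment).digest(), expected):
            return False, f"segment {n} hash mismatch"
    return True, f"{limit}/{count} segments verified"


def boot_chain(hsm, stages):
    """stages: ordered (name, image, manifest, tag); stop at first failure."""
    for name, image, manifest, tag in stages:
        ok, reason = verify_stage(hsm, image, manifest, tag)
        if not ok:
            return False, f"{name}: {reason}"
    return True, "boot chain verified"
```

When `eager_segments` is used to shorten boot time, the deferred segments are still unverified and must be hash-checked before any code or data in them is used.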

Is TC387QP compatible with AUTOSAR Adaptive?

Adaptive usually runs on POSIX platforms (Linux / QNX); the TC387QP is mainly suited to Classic. For Adaptive deployments, a higher-performance SoC (such as NXP S32G / Renesas R-Car) is recommended; the TC387QP can act as a Classic child node that communicates with the Adaptive master node through SOME/IP.

JSON-LD

{
"@context": "https://schema.org",
"@type": "TechArticle",
"headline": "Functional safety and security basics of Infineon TC387QP on KCU GEN2",
"description": "TC387QP AURIX multi-core MCU's Lock-Step, HSM, ECC, MPU and other hardware security mechanisms on KCU GEN2 are integrated with KopherSAR / KopherBoot / KopherV2G.",
"url": "https://kopherbit.com/knowledge/kopherbit-tc387qp-functional-safety/",
"datePublished": "2026-05-09",
"dateModified": "2026-05-09",
"inLanguage": "zh-TW",
"keywords": ["TC387QP", "AURIX", "Functional Safety", "ISO 26262", "HSM", "Lock-Step", "ASIL-D"],
"articleSection": "Safety",
"author": { "@type": "Organization", "name": "KopherBit", "url": "https://kopherbit.com" },
"publisher": { "@type": "Organization", "name": "KopherBit", "logo": { "@type": "ImageObject", "url": "https://kopherbit.com/logo.png" } }
}