ASIL-B safety artifacts and SecurityAccess implementation for teams integrating EDS into an ISO 26262 or ISO 21434 development process.
The documentation set for integrators writing their own ISO 26262 safety case. Available to Professional tier customers and enterprise evaluators.
Defines the safety concept, assumptions of use, and ASIL-B requirements for EDS. The primary reference for integrators writing their own safety case.
30 ASIL-B requirements traced from safety goals through implementation and verification. Maps each requirement to its test coverage.
Zero open violations. All deviations documented, categorised, and justified with rationale and risk assessment.
Safety goals, ASIL assignment rationale, and hazard decomposition extract for EDS in ECU integration contexts.
Justification for use of the EDS codegen toolchain in an ASIL-B context, per ISO 26262-8 §11. Covers tool confidence level and validation evidence.
Unit, integration, harness, and robustness campaign coverage mapped to ASIL-B requirements. 37 unit tests + 68 integration tests + 439-case robustness campaign.
EDS is an ASIL-B candidate component (ISO 26262-6:2018). It is not independently certified by a third-party assessor. Integrators are responsible for incorporating EDS into their own safety case and having their assessor review the artifacts above.
The artifacts document design and verification evidence. They do not constitute a certificate of conformance and do not transfer safety responsibility from the integrating organisation to Xaloqi.
SecurityAccess implementation, OEM key provisioning, responsible disclosure, and ISO 21434 positioning for the diagnostic security layer.
The seed embeds an 8-byte TRNG nonce and a per-session counter. The key is the AES-128-CMAC (RFC 4493) of the seed under a 16-byte OEM key. Table-free implementation, cache-timing resistant, key material scrubbed after use.
Production firmware must register a TRNG-backed callback via uds_security_algo_set_rng_cb(). Without it, the stack falls back to a 16-bit LFSR and increments a fault counter — intentional for CI and simulator builds only.
The repo ships with placeholder keys for CI use. CONFIG_DIAG_PLACEHOLDER_KEYS_ONLY=n causes a build error if placeholder keys are present — accidental deployment of debug keys into production firmware is a compile-time failure, not a runtime risk.
The failed-attempt counter for SecurityAccess persists across session resets and is configurable via Kconfig, so brute-force protection survives an ECUReset within the lockout window.
Step-by-step procedure for injecting per-vehicle or per-ECU AES-128 keys from OTP fuses or an HSM at production line. Delivered as part of the Professional license safety_docs ZIP.
EDS is deployed in ECU firmware. A vulnerability in the SecurityAccess implementation, ISO-TP transport, or ASIL-B chain could affect vehicle systems. Please report privately.
Email contact@xaloqi.com or open a GitHub Security Advisory (preferred for sensitive reports). See SECURITY.md for scope and full policy.
EDS provides the technical primitives and documentation substrate for the diagnostic security layer of an ECU. ISO 21434 CSMS process governance, cybersecurity case development, threat analysis (TARA), and UN R155/R156 compliance are the responsibility of the integrating OEM or Tier-1 supplier. Xaloqi provides SecurityAccess implementation, OEM key provisioning guidance, and vulnerability disclosure processes as inputs to the integrator's cybersecurity case.
Safety artifacts and OEM key provisioning guide are delivered in the Professional license ZIP. Enterprise evaluators can request access under NDA before purchase.