NORMSERVIS s.r.o.

SAE J3101-2

Hardware Protected Security Environment – Trusted Application Isolation Security Models

Standard published on 1.11.2025

English - Electronic PDF (112.10 EUR)

English - Printed (112.10 EUR)

The information about the standard:

Standard designation: SAE J3101-2
Publication date: 1.11.2025
Country: American technical standard
Category: SAE technical standards

Annotation of standard text SAE J3101-2:

This information report identifies and evaluates isolation building blocks applicable to TA sandboxing within a HPSE. These building blocks can be used to support SAE J3101 TA requirements for sandboxing of TAs and secure communication between TAs. TAs must execute within their own trust domain to prevent compromise of the HPSE and other TAs. TA trust domain isolation strength may vary depending on the risk profile of the TA deployed, hence the requirement for isolation building blocks to match the risk profile. A multitenancy TA HPSE has a higher risk profile than multiple TAs from the same source (e.g., OEM). TA multitenancy must not compromise the security properties of the HPSE (the secure integration and execution of trusted multi-vendor code). In this report, we provide information on the following:

- HPSE TA use cases and risk profiles
- HPSE TA isolation building blocks for manufacturers
- Threat analysis to determine the effectiveness of isolation security models


As the ECU E/E architecture continues to evolve, we must consider the following classification of ECUs and System on Chips (SoCs) for which isolation building blocks apply:

- Application Processor Core(s)
- Realtime Processor Core(s)
- Microcontroller Core(s)


An ECU can be composed of a Normal Environment and a Protected Environment (HPSE). The Normal Environment is typically separated into user and kernel level privileges, with applications executing at the user privilege level. TAs only execute within the HPSE, and the HPSE is typically divided into user and kernel level privileges which are orthogonal to Normal Environment privileges. The TAs will execute at the same user privilege level within the HPSE; therefore, the isolation building blocks must be implemented at a higher privilege level, such as the HPSE kernel, to ensure that the sandboxing policy can be enforced. The TAs' access to HPSE resources is restricted at load time by the sandbox policy, which operates at a higher privilege level than the TAs.

This report also differentiates between isolation methods which are applied within the HPSE and isolation methods applied at the ECU level when ECUs are consolidated into a domain controller or HPC, i.e., isolation abstraction.

TYPE OF DOCUMENT: Ground Vehicle Standard