| 09.00 | Welcome, logistics (e.g. IT) and agenda reviewSetting up IT related stuff, getting everyone connectedAnnouncement: GENIVI Spring AMM will take place on May 12-14 in Leipzig, Germany. We will have AASIG face to face meeting(s) there
 | TODO | 
| 09:20 | Agenda Review Philippe: reminds the objective of the meeting which is to agree on a couple of design scenarios and move to detailed design and implementation, target is to have PoCs available at the end of Q2 and be able to contact GoogleGunnar: Contacting Google -> we need to prepare before the time window closesGoing though the agenda, topic by topic so that everyone is in-sync
 | 
 | 
| 09:30 | Roundtable Alexander: BMW, connectivity, now looking into boardnet abstraction and how we can use it on different platformGunnar: Genivi project, development/technical lead of GeniviPiotr: Tieto, AA for 3 years, audio routing, helping with GeniviStefan: Tieto, AA for 8 years, mobile, embedded, architecturePhilippe: Genivi 10 years, Autosar in parallel, working with German OEMs & tier1, before was managing a SW consulting company working with Continental in particular, Telecom before that and AerospaceBartosz: Tieto, wroslaw, 8+ experience with Android, multimedia domainNadim: esolutions, elektrobit, Mobis, SW developer, how Mobis can contributeJustin: hardware engineer, connectivity, audio, how Mobis can contributeKevin: CTO high mobility, data model of the car, and other topics, see where Genivi is goingGururaja: Bosch, 6 years with Genivi, connectivity, Android developmentSKYPE: Johan: Mitsubishi electric tier1, 6 years, Genivi quite new, but would like to get backSachin: Mercedes Benz Research North America
 | 
 | 
| 
 | Vehicle HAL Security design | 
 | 
| 09:45-10:45 | Access control and permissions in Android (Stefan) | 
 | 
| 
 | Stefan shows slide deck : Build connection VSS to Android permissions model.pdfStefan shows also : 
custom permissions: only one is available, it is CAR_VENDOR_EXTENSION, this is a problemwe need to invent our own version of this extension for additional permissions we might needAndroid have already a group of permissions available via API (manifest file for examples)
 How to verify permissions For verifying the permissions, there are different strategies and security conceptsEven for new applications, we can assess how harmful an application isGunnar: question on the key management and the signature verification process 
 Piotr: the playstore is considered as a trusted source of applications
Stefan: shows the verification process as set up by Google, link: https://source.android.com/security/apksigning/v2OEMs need to have a secret key service management inside their process in order to support the permission verificationthe package can be signed with the platform key and released to GooglePlaythere will be for instance different instantiations of the same code with different signing keys for the different vendors (OEMs) who want to deploy the same app 
 currently there is no shared signing key among OEMs
when Stefan says GooglePlay, this is GooglePay in GASGuru: my original thought was that both the app developer and the OEM should approve the deployment of an app with their own key 
 Stefan: this is not possible, there is only one key
Gunnar: can an App be signed by 2 different keys ? The system would check the signature of both keys 
 Stefan: Samsung, Sony do this, they use additional APIs for this purpose
Guru: This restricts how third parties can create application for our systems 
Sachin: what do you mean ? 
 Stefan: We can have our own version of stores
Gunnar: this needs more thought, the idea is to have two signing keys, developer that I made this, system that we agree to this. 
 Stefan: But it's not possible
Alex: let us assume every OEM has its own playstore, the key is developer key, but the OEM would add it or not 
 Side load an application (APK download and application)So the model is that everything that is downloaded is already accepted by the systemThe store is not the only source of applications
Gunnar: This is more a question about open/close system: it's for the user to accept the permissions and the OEM should not restrict or regulate them unless it is a sensitive permission. We don't need to sign it from the OEM 
 We already showed that the properties are available and some not (protection level), a propert can be: normal, dangerous (needs to be asked, user should agree), signed, privileged
Sachin: each display will have their permissions, for OEM how can we configure these displays 
 This might be treated in the next presentation by Piotr
Gunnar: the normal model is that the system does verify the signature 
 Each developer sign with their keys and put them on the app storeThe system checks if the signature is valid and the key format is correctThere is no cross checking (like https and playstore)Playstore is only certifying that the application was downloaded using the playstore (and not a side download).
Gunnar: We need to check the open/semi-open model, and understand how we will manage it from technical point of view. 
 Analyzing the need and the solutionsThe solutions would be too much for this groupProbably these discussions are being done already between single OEM and Google but not with GENIVIOr we need to have our own service.
Side note: The Android deficiencies come from the history of Android, from phone to car, there are gaps
 Next steps Gunnar. there is some work to figure out the different modelsSachin: Google has decided beforehand for instance that controlling the HVAC is only possible for an App signed with the platform keySachin: in a car we will have multiple displays with different permissions because displays show different things 
 Piotr: I will make a proposition for this because AFAIK this is not supported by Google
 | 
 | 
| 10:30-10:45 | Break | 
 | 
| 10:45-11:30 | External service approach - how to use Adaptive AUTOSAR Identity & Access Management (IAM)  (Alexander) | 
 | 
| 
 | Alexander had a sync with Giovanni Vergine & Stefan Wysocki on Adaptive Autosar IAM prior to the F2F but we realized there are many open issues we need to look atFirst we need a solution for accessing or exposing the data in the vehicle. 
 For example: Ambient light, you can change the color, brightness etc. During development, the application developer is directly communicating with the ECU developer to talk about the colors etc. But this does not scale.We need a system that can handle data like what are the colors enums etc
Question is: how to authorize this and how can we ensure this communication. 
 Idea: Authentication service, Data service.Data service would request the dataAuthentication would check if this App can get this data and give a token to the data serviceThe data service is then using the token to get data
Alex: yet another example 
 parking assistance data cannot be abstracted using VSS because there are too many states,
Alex: explains why we need some kind of abstractions of vehicle data to share knowledge with developers who are spread geographically (they cannot share their knowledge of the car like if they were sitting in the same room)Alex: would like to have a specific service offered by the platform to get access to the vehicle dataAlex: Autosar does not seem to be so extensibleAlex; we will need to generate tokens to enable the access to applications (token valid for an hour or one day or...)Alex: in VSS we have leaves which are the data, we will have also groups, we do not know which granularity should be shown at the application manifest levelAndroid is activity based. If we make the data service in the framework does it have an advantage ?Advantages 
 We can control better, for example not to forward the request to the data service if the authentication service stopped itAlso we would have one way to access the data
Disadvantages 
 Bottleneck for the applications always passing through the framework
Data server app authentication process have been added to the architectural concepts diagrams, look at AuthenticationMethodsWe need to think about the idea, what is better - service layer or application layer ?
 | 
 | 
| 11:30-12:30 | Users vs. permissions - presentation of the zone concept in Android 10 (Piotr) | 
 | 
| 
 | Piotr shows this Users and permissions.pptxoverview of Android account types (taken from Google documentation)Piotr explains how a user can be identified, how to recognize user 
 Primary, secondary, guest currently available on android
discussion on how to check app/user permission, connection to what was discussed earlierIn Android Automotive now, we have the following situation 
 Headless system user: main services, owner of services, etc.Secondary user: driver etc.
First example - audio 
 as a rear user I'd like to play my audio on rear headphonesthe display in the rear or audio in the rear are now solved by using a different user idHAL is not aware of the user: that's the problem
Same solution as above, application will ask the authorization service for a token and then the application can use this token in order to access graphql (i.e. the vehicle database)Other possibility is a content provider, this is the most common way in Android for the application layer to access dataMain point is that there is a single point of access for example to the HALOne example to understand more: let us assume we have one tyre monitoring application developed by BMW 
 if I log as a BMW user, I got all data (tyre temperature for instance in addition)if I log to the same application as a Mobis user, I do not get all dataThere might be that the dealer would like to know how many times the wheel over-heated, this is regardless of the user
Guru: regarding users, we have a lot cases - valet, chauffeur, kids mode, etc.Guru: can we solve this with the VSS model or with an API created for this purpose ?Do we need an application that runs differently for different users ?Kevin: it's up to the application to show the UI according to the userThis is also a point that the framework should not be deciding on behalf of the application what data is accessibleIs this needed for the boardnet data?Do we have specific examples to show that we need a different user for the same applicationDo we need to give different permissions to different users?Gunnar: can we come up with such a use case ?Gunnar: one option is to create a specific API when you need to access very finely controlled data and not embed the access control in the VSS databaseAnother example: the taxi driver's situation 
 for Mercedes Benz a taxi belongs to a specific car line (i.e. a taxi has different features than a normal car)These users are not really the Linux users but they have their own places to store the data
Sachin: what we want to achieve is to expose to the Android world the vehicle properties which we have been handling in the Linux-based infotainment systems so farAlex: can you and your wife be logged in the system at the same time?Sachin: the answer is noSachin: the control of the display is only based on its position not on whom is using itSachin: the restriction at application level does make senseEnd of long discussion on how to control access to data at the application or the service (framework) level
 wrap-up (before and after lunch) data access verification component: application permissions and user permissions need to be combinedLetting the application decide what to do is good but not for a closed system (TBC)Framework needs also to have restrictionPermission management can solve this by creating permission of groupsGunnar: we need UID (user identity) to be shared down to the low layersDiscussion about what we need to solve, what is the problem to solve ?There are different solutions of course even with Android
 | 
 | 
| 12:30-13:45 | Lunch Break | 
 | 
| 13:45-14 :50 | VSS layers | 
 | 
| 
 | Please refer to this VSS composable layers for an introduction to VSS layers conceptGunnar presents a short implementation of Android permissions in VSS (TODO Gunnar to provide link to example code) 
 New extension Apspec that links the main signal database to the permission of eachIn the standard there are signals, attribute, sensorsThe permissions are different for different systems so the permissions files need to be independent of systemsThe idea is that we can have metadata such as Android permissions in a separate file
Alex: coins the idea of a deployment file Apspec and have the permission "attribute" as a generic thing in the VSS layer and the "Apspecs" in the deployment data for Android Automotive 
 for instance in Autosar you would have a different folder with the permission
Gunnar: shows the implementation of VSS layers he has in mind 
 The ideas are written in the file fuelsystem.appspec 
 Think about generic solutionThink about groupingThink about permission levelDoes write access also give read access ?Closer to VSS and easily parse-able
Gunnar: we need to write some tooling to process the VSS layersApspec could have no include just the entire nameIs it better to keep the same structure?Opposite mapping - entity 
 Nearest to the AndroidProtection level can be includedMore user friendlyThis is preferred
There is no point of thinking of very complex scenario, because at some point we can create custom API
 Wrap-up We will investigate the following tracks 
 Track #1: do not include users, just the authentication service and application talking to directly to data server, the users will be dealt with a different custom solutionTrack #2: include the users and let the application only communicate with data server from one point of entryFor Android applications, we will have a list of permissions listed in a file, and then we have the (VSS ?) leaves listed inside each permission
 Information | 
 | 
| 
 | Vehicle HAL Security design ends | 
 | 
| 14:50-15:05 | Break | 
 | 
| 15:05-15:20 | Agenda re-shuffling | 
 | 
| 
 | Vehicle HAL Technical Proposals - further refinement | 
 | 
| 15:20-16:00 | Android internal service (Some signal-connecting library using VSS standard) (Stefan) | 
 | 
| 
 | Stefan shows this VSS to standard Vehicle HAL.pdf on the translation from VSS to VHAL propertiesLong discussion on variant III slide and content of vehicle HAL (custom HAL vs. vendor-extension)Discussion on various alternatives to implement things in Treble or the framework 
 We don't write in HAL but in HAL extensionWe have some work to do to agree on the model before having people work on implementationMapping from vehicle data to VSS and properties is neededKevin: as a third party app developer, do I choose if I want a permission of Android or a VSS permission? Are there two ways of getting data?Yes but the Google way is key/value, with a limited APIFor instance VSS has battery status, Google does not, what happens in the future ?So yes there is two ways of working 
 SOA or Data driven approachWe need to define which data are cached or which data has to be directly taken
Property value change propagation will be covered by the protocol implementation we use to communicate between the data server and the appIf we only have get/set/subscribe we don't need an API
 | 
 | 
| 16:00-16:10 | Break | 
 | 
| 16:10-17:05 | External services - SOME/IP (Gunnar) | 
 | 
| 
 | Gunnar shows the slide with Some/IP usage between the vehicle nodes (look at slide 14 Architectural proposal III (via Global SomeIP Service) of this Vehicle HAL Architectutal Architectural Design ConceptsThe idea is to mirror in the framework layer services that are outside the system,.This is related to connecting Android and non-Android systemsThe general connectivity concept in Autosar is the following 
 there is a request, followed by a send to authentication: is this request allowed? Then the request is denied or the data are sent backThe concept here is saying: any app will check in the database if the request is allowed or not
But in case of external apps/db to the system, the app will only check if the system can request data but not per applicationSo the system needs to implement a way to check if the application can access the data from the external app/dbNote: The full SomeIP specs tree is available online for more reading at https://www.autosar.org/standards/foundation/ , select Release R19-11When we have a VSS, we can better describe or know where the data is coming from exactlyThe main problem with app directly or via socket communicating with external services is that we won't have control over them, there is no check if this app is allowed to access itPiotr: what about a service that does some service discovery and tries to do the request of the API ?Johan: cannot we put the managers in the HAL ? 
 Actually we discussed it before, it's not a hardware and this is why we shouldn't officially put it in the HAL, this is not where it belongsBut we can put it in the HAL because we can make it just to say that this is another abstraction layer
interesting discussion on why to use SomeIP, how to aggregate data through an ad-hoc data server talking via someip to get the elementary data
 | 
 | 
| 17:05-17:15 | Agenda review for Day 2 We need to change the architecture diagramsWe need to decide what do we want to implementWe need to name the ideas or concepts appropriately
 | 
 | 
| 17:15 | End of Day 1 | 
 |