Security protection method in in-vehicle system and device

What is claimed is: 1 . An in-vehicle system, comprising: a gateway; a domain controller coupled to the gateway; and an electronic control unit (ECU) coupled to the domain controller, wherein the ECU is configured with a first security protection module, the first security protection module is configured to provide security protection for the ECU, and a security level of the first security protection module is a first security level, wherein the domain controller is configured with a second security protection module, the second security protection module is configured to provide security protection for the domain controller, and a security level of the second security protection module is a second security level, and wherein the domain controller is configured with a third security protection module, the third security protection module is configured to provide security protection for the gateway, and a security level of the third security protection module is a third security level. 2 . The in-vehicle system according to claim 1 , wherein the third security level is higher than or equal to the second security level, and the second security level is higher than the first security level. 3 . The in-vehicle system according to claim 1 , wherein the first security protection module comprises a device identifier composition engine (DICE), wherein the second security protection module comprises a trusted platform module-thin, an embedded secure element (eSE), a chip comprising a physically isolated security processor SP system, or a chip comprising a physically isolated hardware security module (HSM), and wherein the third security protection module comprises a trusted platform module-rich, an (eSE), a chip comprising a physically isolated security processor (SP) system, or a chip comprising a physically isolated HSM. 4 . An in-vehicle security protection system, wherein the in-vehicle security protection system comprises an electronic control unit (ECU), a domain controller, and a gateway, wherein the ECU is configured to generate a public key of the ECU and a private key of the ECU by using a first security protection module, wherein the first security protection module is configured to provide security protection for the ECU, and a security level of the first security protection module is a first security level, wherein the ECU is further configured to sign a firmware digest of the ECU by using the private key of the ECU, to obtain first signature information, wherein the ECU is further configured to send the first signature information, the public key of the ECU, and the firmware digest of the ECU to the domain controller; wherein the domain controller is configured to receive the first signature information, the public key of the ECU, and the firmware digest of the ECU from the ECU, wherein the domain controller is further configured to send the first signature information, the public key of the ECU, and the firmware digest of the ECU to the gateway, wherein the gateway is configured to receive the first signature information, the public key of the ECU, and the firmware digest of the ECU from the domain controller, and wherein the gateway is further configured to send the first signature information, the public key of the ECU, and the firmware digest of the ECU to a server. 5 . The in-vehicle security protection system according to claim 4 , wherein the first security protection module comprises a device identifier composition engine (DICE). 6 . The in-vehicle security protection system according to claim 4 , wherein the domain controller stores an ECU list, and the ECU is in the ECU list. 7 . The in-vehicle security protection system according to claim 4 , wherein the firmware digest of the ECU is obtained by calculating firmware of the ECU according to a first digest function. 8 . The in-vehicle security protection system according to claim 4 , wherein the in-vehicle security protection system further comprises the server, wherein the server is configured to receive the first signature information, the public key of the ECU, and the firmware digest of the ECU from the gateway, wherein the server is further configured to perform verification on the first signature information by using the public key of the ECU, wherein the server is further configured to, when the first signature information has been verified, send first response information to the gateway, wherein the first response information is used to indicate to start the ECU, wherein the gateway is further configured to receive the first response information from the server, wherein the gateway is further configured to send the first response information to the domain controller, wherein the domain controller is further configured to receive the first response information from the gateway, wherein the domain controller is further configured to send the first response information to the ECU, and wherein the ECU is further configured to receive the first response information from the domain controller. 9 . An in-vehicle security protection system, comprising: an electronic control unit (ECU); a domain controller coupled to the ECU; and a gateway coupled to the domain controller, wherein the ECU is configured to generate a public key of the ECU and a private key of the ECU by using a first security protection module, wherein the first security protection module is configured to provide security protection for the ECU, and a security level of the first security protection module is a first security level, wherein the ECU is further configured to sign a firmware digest of the ECU by using the private key of the ECU to obtain first signature information, wherein the ECU is further configured to send the first signature information, the public key of the ECU, and the firmware digest of the ECU to the domain controller, wherein the domain controller is configured to receive the first signature information, the public key of the ECU, and the firmware digest of the ECU from the ECU, wherein the domain controller is further configured to generate a public key of the domain controller and a private key of the domain controller by using a second security protection module, wherein the second security protection module is configured to provide security protection for the domain controller, and a security level of the second security protection module is a second security level, wherein the domain controller is further configured to perform verification on the first signature information by using the public key of the ECU, wherein the domain controller is further configured to, when the first signature information has been verified, sign the firmware digest of the ECU by using the private key of the domain controller, to obtain second signature information, wherein the domain controller is further configured to send the second signature information, the public key of the domain controller, and the firmware digest of the ECU to the gateway, wherein the gateway is configured to receive the second signature information, the public key of the domain controller, and the firmware digest of the ECU from the domain controller, wherein the gateway is further configured to generate a public key of the gateway and a private key of the gateway by using a third security protection module, wherein the third security protection module is configured to provide security protection for the gateway, and a security level of the third security protection module is a third security level, wherein the gateway is further configured to perform verification on the second signature information by using the public key of the domain controller, wherein the