JP2011034130A - Information processor, information processing method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To much more safely update an operating system without restarting or stopping a system. <P>SOLUTION: A non-open source operating system whose alteration is difficult determines whether or not the update of the kernel of the open source operating system is valid, and when it is determined that the update of the kernel of the open source operating system is valid, the kernel of the open source operating system is updated. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an information processing apparatus and the like in a multi-OS environment.

Conventionally, there is a technique for improving the performance of an information processing apparatus by installing a plurality of processors for controlling the information processing apparatus or using a processor equipped with a plurality of processor cores called a multi-core processor. For example, a real-time operating system excellent in real-time response is mounted on one of the plurality of processors to control the device. In addition, there is a so-called multi-operating system technique in which a general-purpose operating system is mounted on another processor and applications such as a user interface and a network service are executed.
The operating system can perform all operations on the computer on which it operates. Therefore, when a vulnerability related to security or the like is found in the OS, when a bug is found, or when an update is performed by adding a function, the OS may need to be updated. When updating the OS, the information processing apparatus needs to be restarted for the update operation. At this time, if the OS is tampered with and executed, the information processing apparatus (computer) and all programs operating on the computer are affected.
In recent years, as a method for detecting such falsification of data, there is a technique for introducing a mechanism for detecting that an execution object is original and not replaced (see Patent Document 1).

JP 2005-182509 A

  However, even with the technique described in Patent Document 1, there is a possibility that the OS is falsified by an attacker and updated and executed by the falsified OS by replacing the OS with an ICE after the boot loader.

  The present invention has been made in view of such problems, and an object thereof is to more safely update the kernel.

  Accordingly, the present invention provides an information processing apparatus in which a plurality of operating systems operate, a determination unit that determines whether a kernel update of the operating system is valid, and the determination unit that includes the operating system. And updating means for updating the kernel when it is determined that the updating of the kernel is valid.

  According to the present invention, the kernel can be updated more safely.

It is a figure which shows an example of information processing apparatus. It is a figure which shows an example of information processing apparatus. It is a figure which shows an example of the information processing apparatus which concerns on 2nd Embodiment. It is a figure which shows the content of the non-volatile memory which concerns on 2nd Embodiment. It is a flowchart which shows the outline which concerns on 2nd Embodiment. It is a flowchart which shows the update process which concerns on 2nd Embodiment. It is a figure which shows an example of the information processing apparatus which concerns on 3rd Embodiment. It is a figure which shows an example of the information processing apparatus which concerns on 3rd Embodiment. It is a flowchart which shows the update process which concerns on 3rd Embodiment. It is a flowchart which shows the update process which concerns on 4th Embodiment. It is a figure which shows an example of the information processing apparatus which concerns on 5th Embodiment. It is a flowchart which shows the outline which concerns on 5th Embodiment. It is a flowchart which shows the update process which concerns on 5th Embodiment. It is a flowchart which shows the falsification detection process which concerns on 5th Embodiment. It is a flowchart which shows the update process which concerns on 6th Embodiment. It is a figure which shows an example of the information processing apparatus which concerns on 7th Embodiment. It is a figure which shows an example of the information processing apparatus which concerns on 7th Embodiment. It is a flowchart which shows the outline which concerns on 7th Embodiment. It is a flowchart which shows the update process which concerns on 7th Embodiment. It is a flowchart which shows the falsification detection process which concerns on 7th Embodiment. It is a flowchart which shows the update process which concerns on 7th Embodiment. It is a flowchart which shows the falsification detection process which concerns on 7th Embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
A configuration of the information processing apparatus 100 according to the present embodiment will be described with reference to FIGS. 1 and 2.
In FIG. 1, a CPU A 101 and a CPU B 102 are central processing units (hereinafter referred to as CPUs) that control the information processing apparatus 100 as a whole. The RAM 104 is a random access memory (hereinafter referred to as “RAM”) that temporarily stores programs and data. The flash ROM 105 is a rewritable storage medium (hereinafter referred to as “flash ROM”) that stores an OS (operating system) image. The bus 106 is a system bus (hereinafter referred to as a bus) that connects the units so that they can communicate with each other. The information processing apparatus 100 operates by sharing the RAM 104.
The configuration of the RAM 104 and the Flash ROM 105 will be described with reference to FIG. The flash ROM 105 stores a boot loader 211, an OS • A kernel 212, an OS • B kernel 213, and an OS • A kernel version number 214. In this embodiment, the OS • A kernel 212 is a kernel image of an open source OS, and the OS • B kernel 213 is a kernel image of a non-open source OS that is difficult to falsify.
The boot loader 211 expands the OS • A kernel 212 in the area 201 of the RAM 104 and expands the OS • B kernel 213 in the area 202. As a result, OS • A operates on CPU • A101 and OS • B operates on CPU • B102.

(Second Embodiment)
In the second embodiment, as illustrated in FIG. 3, the information processing apparatus 100 includes a nonvolatile memory 111. As shown in FIG. 4, the nonvolatile memory 111 includes an OS • A kernel 112 to be updated, an encrypted checksum 113 related to the OS • A kernel to be updated, and a version number of the OS • A kernel. 114 is stored. Further, the OS • B has a means for decrypting the encrypted checksum 113 and an updating means for updating the OS • A kernel 212 with the OS • A kernel 112 to be updated. As an encryption / decryption method, an electronic certificate is used. Moreover, about the same structure as the structure which concerns on 1st Embodiment, the same code | symbol is used and description is abbreviate | omitted.

The main processing according to this embodiment is shown in FIGS. First, the boot loader 211 expands the OS • A kernel 212 and the OS • B kernel 213 to predetermined positions in the RAM 104 (step S102, step S106), and starts the execution of each OS (step S103, step S107). . The OS • A and OS • B executed by the boot loader 211 proceed independently of each other.
Here, it is assumed that the nonvolatile memory 111 is configured by a portable memory such as a memory card and a device that can read the portable memory. The portable memory stores in advance the OS • A kernel 112 to be updated, the encrypted OS • A checksum 113, and the OS • A kernel version number 114 to be updated. Assume that a portable memory is inserted in the device.

FIG. 6 is a flowchart showing the update process according to the present embodiment. First, the OS • B confirms the contents of the nonvolatile memory 111 and confirms whether the OS • A kernel 112 exists (step S <b> 112). When the OS / A kernel 112 is not stored in the nonvolatile memory 111, the OS / B ends the update process (step S118). When the OS • A kernel 112 is stored in the nonvolatile memory 111, the OS • B compares the OS • A kernel version number 114 on the nonvolatile memory 111 with the kernel version number 214 on the flash ROM 105. (Step S113). That is, the OS • B determines whether the OS • A kernel 112 is newer than the current one and needs to be updated. When the kernel update is not necessary, the OS B finishes the update process (step S118). On the other hand, when it is determined that the OS • A kernel 112 is newer than the current one and needs to be updated, the OS • B performs the process of step S <b> 114.
In step S <b> 114, the OS • B acquires the OS • A kernel checksum 113 stored in the nonvolatile memory 111 in order to confirm whether the OS • A kernel 112 is illegal. . The checksum 113 is encrypted to prove that it is legitimate, and the OS • B has this decryption key, and only the OS • B can decrypt it.
Next, the OS • B calculates a checksum of the OS • A kernel 112 on the nonvolatile memory 111 (step S <b> 115). Next, the OS • B compares the calculated checksum with the decrypted OS • A checksum (step S <b> 116). If they do not match, the OS • A kernel 112 on the nonvolatile memory 111 is valid. The update process is interrupted (step S118). On the other hand, if the checksums match, OS · B performs the process of step S117.
In step S <b> 117, the OS • B updates the OS • A kernel 212. For example, the OS • B updates the OS • A kernel 212 of the flash ROM 105 with the OS • A kernel 112. As described above, the update of the OS · A is completed, and the updated OS · A is activated at the next activation.

In general, when it is detected that there is a new OS on an external medium such as a memory card or on the network, the device must be restarted and the update process must be entered in order to perform the update process. It took a few minutes to complete. Meanwhile, the user could not use the device.
However, the information processing apparatus 100 detects the update of the kernel of the other OS • A by the OS • B that is difficult to modify, detects the tampering, and updates the OS when it determines that the OS kernel has been tampered with. Stop processing. On the other hand, if no falsification has been made, one OS • B can update the OS without stopping or restarting the OS by performing the update processing of the other OS • A.
Therefore, according to the information processing apparatus 100, the kernel can be updated more safely without restarting the own apparatus when updating the OS.

(Third embodiment)
In the information processing apparatus 100 according to the third embodiment, in addition to the configuration according to the first embodiment, a network device 121 is connected to the bus 106 as shown in FIG. In the third embodiment, as illustrated in FIG. 8, the information processing apparatus 100 is configured to be connected to the outside via a network.
In this embodiment, as shown in FIG. 8, it is assumed that OS / A update information is distributed from an external update server 131, and OS / B receives it to perform update processing. Note that the startup operations of OS · A and OS · B are the same as the processing shown in FIG.

FIG. 9 is a flowchart showing the update processing according to the present embodiment. When the OS / A of the information processing apparatus 100 needs to be updated, the update server 131 transmits the OS / A kernel version number to be updated to the information processing apparatus 100. The OS / B of the information processing apparatus 100 compares the delivered OS · A kernel version number with the OS · A kernel version number 214 on the flash ROM 105 (step S212), and the delivered one is newer. Update processing is started.
Next, the update server 131 distributes the encrypted OS · A kernel checksum to the information processing apparatus 100. The OS • B confirms that it has received the encrypted OS • A checksum and decrypts it (steps S213 and S214). Finally, the update server 131 distributes the OS / A kernel body to the information processing apparatus 100. The OS • B confirms that the OS • A kernel body has been received (step S215), calculates the OS • A kernel checksum (step S216), and the calculated checksum and the previously delivered update. The OS / A checksum is compared (step S217). If the two checksums match, the OS • B rewrites the OS • A kernel 212 and the OS • A kernel version number 214 on the flash ROM 105 with new ones (step S <b> 218). On the other hand, if they do not match, the OS / B ends the update process (step S219).

(Fourth embodiment)
The information processing apparatus 100 according to the fourth embodiment has the configuration illustrated in FIG. 8 and describes a case where the OS / B of the information processing apparatus 100 performs the update process according to the flowchart illustrated in FIG. 10 at regular intervals. . The OS / B may check whether the OS / A kernel has been updated by performing the update process shown in FIG. 10 every time it starts, or monitors the CPU timer, etc. In addition, it may be confirmed whether or not the OS / A kernel has been updated.
In the present embodiment, OS • B refers to the version number of the OS • A kernel in the external update server 131, and if the version of the update server 131 is newer, OS • B updates the OS • A kernel 212. Shall be performed. The startup operations of OS • A and OS • B are the same as the processing shown in FIG. Note that the update processing shown in FIG.

The OS • B checks whether the OS • A kernel version number on the update server 131 is newer than the OS • A kernel version number 214 written in the flash ROM 105 of the information processing apparatus 100 at regular intervals. (Step S312). The OS / B does nothing if the version number of the update server 131 is old or the same (step S319). On the other hand, when the version number on the update server 131 is new, the OS / B performs the process of step S313.
In step S <b> 313, the OS • B receives the encrypted OS • A checksum prepared in the update server 131. Next, the OS • B decrypts the checksum (step S314). Next, the OS • B receives the OS • A kernel to be updated from the update server 131 (step S <b> 315). When the reception is completed, the OS · B calculates the checksum of the received OS · A kernel (step S316) and compares it with the OS · A checksum decrypted in step S314 (step S317). If the two checksums match, the OS • B writes the updated OS • A kernel and the OS • A kernel version number to the flash ROM 105 to update (step S <b> 318). On the other hand, if the checksums do not match, the OS / B ends the process without updating (step S319).

(Fifth embodiment)
The information processing apparatus 100 according to the fifth embodiment has the configuration shown in FIGS. 3 and 4 and stores the OS · A checksum 215 encrypted in the flash ROM 105 as shown in FIG. In the fifth embodiment, a case will be described in which it is detected whether the OS / A kernel has been tampered with during update and during startup.
12, 13, and 14 are flowcharts showing main processing according to the present embodiment. Note that steps S401 to S406 shown in FIG. Steps S407 to S410 and the steps shown in FIGS. 13 and 14 are processes related to OS · B.

  OS • A and OS • B are started by the boot loader 211, respectively. The OS / A confirms the OS / A management information 217 written in the shared memory 216 on the RAM 104 at regular intervals after startup (step S403), and if it is “START”, the execution is continued (step S404). . On the other hand, if “STOP” is written in the OS / A management information 217, the execution of OS / A is stopped (step S405).

Here, the processing from step S412 to S416 shown in FIG. 13 is the same as the processing from step S112 to step S116 in the second embodiment.
When the decrypted checksum and the calculated checksum of the OS • A kernel 112 on the nonvolatile memory 111 match, OS • B indicates that the OS • A kernel 112 is valid. Judgment is made and the process of step S417 is performed.
In step S417, the OS • B writes the OS • A kernel 112 on the nonvolatile memory 111, the encrypted OS • A checksum 113, and the OS • A kernel version number 114 to the flash ROM 105, respectively. In other words, the OS • B updates the OS • A kernel 212, the OS • A kernel version number 214, and the encrypted OS • A checksum 215. The OS / B performs the process of step S511 after performing the update process.

The process from step S511 to step S516 shown in FIG. 14 is a process that is repeatedly performed, and may be executed at the time of startup, or may be executed at regular intervals by acquiring the startup time from the CPU. Further, it may be performed when the application is executed.
First, the OS • B decrypts the encrypted OS • A checksum 215 of the flash ROM 105 (step S <b> 512). Next, the OS • B calculates the checksum of the OS • A kernel 212 of the FlashROM 105 (step S <b> 513). Next, OS · B compares these two checksums (step S514). If the two checksums match, the OS • B determines that the OS • A kernel 212 is valid and ends the detection process (step S <b> 516). On the other hand, if the two checksums do not match, the OS • B determines that the OS • A kernel 212 is not valid, writes “STOP” in the OS • A management information 217 on the shared memory 216, and A stop request is transmitted to A (step S515). The OS / A periodically checks the OS / A management information 217 in step S403, and if “STOP” is written, the execution of the OS / A is stopped.

(Sixth embodiment)
The information processing apparatus 100 according to the sixth embodiment has the configuration shown in FIG. 7, and includes the OS • A kernel 112, the OS • A kernel version number 114, and the encrypted OS according to the fifth embodiment. A case where the checksum 113 of A is on the network will be described.
The processing related to the activation of OS · A and OS · B is the same as the flowchart shown in FIG. FIG. 15 is a flowchart showing the update process according to the present embodiment. The processing shown in this flowchart is performed by the OS · B.

In step S <b> 612, the OS • B determines whether the version number 114 of the OS • A kernel exists in the database on the network. If there is a version number 114 of the OS • A kernel, the OS • B compares it with the version number 214 of the currently operating OS • A kernel on the FlashROM 105 (step S613). If the version of OS • A on the database is newer, OS • B is assumed to be updated with OS • A. When the OS / A is updated, the OS / B downloads the encrypted OS / A checksum 113 from the database and decrypts it to obtain the OS / A checksum (step S614). . Next, the OS • B downloads the OS • A kernel 112 on the database, and calculates the checksum of the OS • A kernel 112 (step S <b> 615).
Next, the OS • B determines whether or not both checksums match (step S616). If the two checksums match, the flash ROM 105 is updated with the OS • A kernel 112 to be updated, the encrypted OS • A checksum 113, and the OS • A kernel version number 114 (step S <b> 617). On the other hand, if the two checksums do not match, the OS • B ends the update process (step S618). In the present embodiment, the processing from step S511 to step S516 is similarly performed.

(Seventh embodiment)
In the information processing apparatus 100 according to the seventh embodiment, as illustrated in FIG. 16, a ROM 107 is connected to the bus 106 in addition to the configuration illustrated in FIG. 3. In this embodiment, a case will be described in which a plurality of OSs (in this embodiment, three OSs, OS • A, OS • B, and OS • C) are started as shown in FIG. 17.
The information processing apparatus 100 expands the OS • A kernel 212, the OS • C kernel 223 in the flash ROM 105, and the OS • B kernel 213 in the ROM 107 on the RAM 104, and executes each OS. The flash ROM 105 stores an encrypted OS · A kernel checksum 215 and an encrypted OS · C kernel checksum 219. In this embodiment, a case will be described in which the OS • B detects whether the OS • A kernel 212 and the OS • C kernel 223 are valid at the time of update and during startup.

  FIG. 18 is a flowchart showing a startup process and the like according to the present embodiment. The processing from step S701 to step S706 is processing related to OS / A, the processing from step S707 to step S710 is processing related to OS / B, and the processing from step S711 to step S716 is related to OS / C. It is processing. Since the contents of the processing related to OS · A and the processing related to OS · C are the same, the processing of OS · A will be described. The OS / A confirms the OS / A management information 217 written on the shared memory 216 on the RAM 104 at regular intervals after startup, and if it is “START”, the execution continues as it is (step S704). On the other hand, if “STOP” is written in the OS / A management information 217, the execution of OS / A is stopped (step S705).

  FIG. 19 and FIG. 20 show processing performed on OS / A in processing after OS / B is started. The processing from step S811 to step S818 is the same as the processing from step S411 to step S418 in the fifth embodiment. The processing from step S821 to step S826 is the same as the processing from step S511 to step S516 in the fifth embodiment.

FIG. 21 and FIG. 22 show the main processing performed by OS • B on OS • C in the processing after OS • B is started.
The OS • B confirms the contents of the nonvolatile memory 111, and confirms whether the OS • C kernel exists (step S912). If the OS / C kernel is not stored in the nonvolatile memory 111, the OS / B ends the update process (step S918). On the other hand, when the OS / C kernel is stored in the non-volatile memory 111, the OS / B is the version number of the OS / C kernel on the non-volatile memory 111 and the version number of the OS / C kernel on the flash ROM 105. 218 is compared (step S913). That is, the OS • B determines whether the OS • C kernel on the nonvolatile memory 111 is newer than the current one and needs to be updated. If it is not necessary to update the OS / C kernel 223, the OS / B ends the update process (step S918). On the other hand, when the OS / C kernel to be updated on the nonvolatile memory 111 is newer than the current one and it is determined that the update is necessary, the OS / B performs the process of step S914.

In step S <b> 914, the OS • B checks whether the OS • C kernel to be updated on the nonvolatile memory 111 is valid, so that the OS • C kernel checksum stored in the nonvolatile memory 111 is checked. To get. The checksum is encrypted in order to prove that it is valid, and the OS · B has this decryption key so that it can be decrypted.
Next, the OS • B calculates a checksum of the OS • C kernel on the nonvolatile memory 111 (step S <b> 915). Next, the OS • B compares the calculated checksum with the decrypted OS • C checksum (step S <b> 916). If the checksums do not match, the OS • B determines that the OS • C kernel on the nonvolatile memory 111 is not valid, and interrupts the update process (step S <b> 918). On the other hand, if the checksums match, OS · B performs the process of step S917. In step S <b> 917, the OS • B updates the OS • C kernel 223. For example, the OS • B updates the OS • C kernel 223 of the flash ROM 105 with the OS • C kernel on the nonvolatile memory 111.

The process from step S921 to step S926 shown in FIG. 22 is a process that is repeatedly performed, and may be executed at the time of start-up, or may be executed at regular intervals after obtaining the start-up time from the CPU. Further, it may be performed when the application is executed.
First, the OS • B decrypts the encrypted OS • C checksum 219 of the flash ROM 105 (step S <b> 922). Next, the OS · B calculates the checksum of the OS · C kernel 223 of the FlashROM 105 (step S923). Next, OS · B compares these two checksums (step S924). If the two checksums match, the OS • B determines that the OS • C kernel 223 is valid and ends the detection process (step S926). On the other hand, if the two checksums do not match, the OS • B determines that the OS • C kernel 223 is not valid, and performs the process of step S925.

In step S 925, the OS • B writes “STOP” in the OS • C management information 220 on the shared memory 216 and transmits a stop request to the OS • C. The OS / C periodically checks the OS / C management information 220, and if “STOP” information is written, the execution of the OS / C is stopped.
In this embodiment, it is detected whether OS • B is a valid update of OS • A and OS • C, or whether it is a valid kernel. However, the OSs may detect each other.
Note that, for example, the functions of the information processing apparatus 100 and the processes according to the above-described flowcharts can also be realized by the CPU performing the process according to the procedure of the program stored in the storage device.

<Other embodiments>
The present invention can also be realized by executing the following processing. That is, software (program) that realizes the functions of the above-described embodiments is supplied to a system or apparatus via a network or various storage media, and a computer (or CPU, MPU, or the like) of the system or apparatus reads the program. It is a process to be executed.

  The preferred embodiments of the present invention have been described in detail above, but the present invention is not limited to such specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims.・ Change is possible.

  100 devices, 101 CPU A, 102 CPU B, 104 RAM, 105 FlashROM, 106 bus

Claims (8)

An information processing apparatus that operates a plurality of operating systems,
Determining means for determining whether or not the operating system kernel update is valid;
An information processing apparatus comprising: an update unit configured to update the kernel when the determination unit determines that the kernel update of the operating system is valid.   The determination unit detects whether there is an updated kernel of the plurality of operating systems, and when the updated operating system kernel is detected, the update of the operating system kernel is an unauthorized update. The information processing apparatus according to claim 1, wherein:   The determination means is one operating system, confirms a kernel of another operating system different from the one operating system, and determines whether or not the kernel of the other operating system is falsified. The information processing apparatus according to claim 1.   The information processing apparatus according to claim 1, wherein the update unit is one operating system and updates a kernel of another operating system different from the one operating system. An information processing apparatus that operates a plurality of operating systems,
Determining means for determining whether or not the operating system kernel update is valid;
An update means for updating a kernel of the operating system when the determination means determines that the update of the operating system is valid;
Execution means for periodically detecting whether the kernel of the operating system is valid;
An information processing apparatus comprising: stop means for stopping execution of the operating system when the execution means detects that the kernel of the operating system is not valid.   6. The execution unit is one operating system, and detects whether a kernel of another operating system different from the one operating system is valid at regular time intervals. Information processing device. An information processing method in an information processing apparatus that operates a plurality of operating systems,
A determination step of determining whether or not a kernel update of the operating system is valid;
An information processing method comprising: an update step of updating the kernel when it is determined that the update of the kernel of the operating system is valid in the determination step. A computer of an information processing apparatus that operates a plurality of operating systems,
Determining means for determining whether or not the operating system kernel update is valid;
A program that functions as an updating unit that updates the kernel when the determination unit determines that the kernel update of the operating system is valid.

Images