JP2017004060A - Arithmetic processing system having highly reliable program check function, multi-core system, and multiprocessor system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent an unauthorized program from being executed due to a memory error, intentional alteration, or the like in an arithmetic processing system.SOLUTION: An arithmetic processing system includes: a plurality of arithmetic processing circuits each of which performs arithmetic processing; and memories in which programs that are respectively executed by the arithmetic processing circuits are stored. Each of the arithmetic processing circuits is configured to execute code error check for a storage region in one of the memories in which a program of each different other one of the arithmetic processing circuits is stored.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an arithmetic processing system including a plurality of arithmetic processing units, a multicore system, and a multiprocessor system, and in particular, can prevent an unauthorized program from being executed due to a memory error, intentional alteration, or the like. The present invention relates to an arithmetic processing system, a multi-core system, and a multi-processor system having a highly reliable program check function.

  Conventionally, in an arithmetic processing unit such as a CPU (Central Processing Unit), in order to prevent an unauthorized program from being executed due to a memory error or intentional alteration, In particular, as a technique for checking that there is no error in the stored contents in the program memory, the program storage area in the memory is divided into a plurality of blocks, and each divided block is stored in the block. The 2's complement of the sum of all data code values (that is, all data code values including code data representing a command code, etc.) is calculated and stored in advance as a check sum of the block. It has been known. Thus, every time the CPU is activated, the sum of all the data code values of each block is calculated for each block, and the sum of the calculated code values and the previously stored checksum is 0. If so, it is determined that the program is healthy (that is, there is no data code value error and is not an illegal program), and if it is not 0, the program is not healthy (that is, there is an error and the program is invalid).

  However, when there are a plurality of data codes having errors in the data code used to calculate the added value, the probability that the presence of a code error can be detected by adding the added value and the checksum is necessarily high. I can't say that. For this reason, it cannot be said that the above-mentioned conventional technique that simply uses the data code addition value for each block is necessarily reliable as an error detection method. For the same reason, it is possible to alter the program so that the addition result with the checksum becomes 0, and the resistance to intentional improvement is low.

  From the above background, it is desired to realize a configuration that can prevent an unauthorized program from being executed due to a memory error, intentional tampering, or the like in an arithmetic processing system.

One aspect of the present invention is an arithmetic processing system comprising a plurality of arithmetic processing circuits each performing arithmetic processing, and a memory storing each program executed by each of the arithmetic processing circuits, Each of the arithmetic processing circuits is configured to execute a code error check of a storage area in the memory in which a program of another different arithmetic processing circuit is stored.
According to another aspect of the present invention, each of the arithmetic processing circuits is arranged in at least two different directions with respect to a virtual array space in which data codes in the storage area are arranged so as to form a matrix of two or more dimensions. The code error check is executed using a plurality of addition values obtained by adding the data code values stored in the storage area along the line.
According to another aspect of the invention, the code error check is performed using a checksum corresponding to the added value.
According to another aspect of the present invention, the checksum is a checksum corresponding to a low-order bit of a predetermined number of two true values representing the added value.
According to another aspect of the present invention, the arithmetic processing circuit is a processor, and the arithmetic processing system is configured as a multiprocessor system.
According to another aspect of the present invention, the arithmetic processing circuit is a processor core integrated in a processor, and the arithmetic processing system is configured as a multi-core system.
Another aspect of the present invention is an electronic control device that performs vehicle control and includes any of the arithmetic processing systems described above.
According to still another aspect of the present invention, there is provided a program data code in an arithmetic processing system comprising: a plurality of arithmetic processing circuits each performing arithmetic processing; and a memory storing each program executed by each of the arithmetic processing circuits. A value error check method, wherein each of the arithmetic processing circuits sets two or more data codes in a storage area in the memory in which a program of another different arithmetic processing circuit is stored. Arranging the virtual array space by arranging so as to form a matrix of a plurality of dimensions, and each of the arithmetic processing circuits adds a plurality of data code values stored in the storage area along at least two different directions. Each of the calculation processing circuit and the arithmetic processing circuit is configured to calculate the added value and the added value. Has a step of verifying that there is no error in the program data code value by using a checksum, a to, a.

It is a block diagram which shows the structure of the multi-core system which concerns on one Embodiment of this invention. It is a flowchart which shows the procedure of the code error check process in the multi-core system which concerns on one Embodiment of this invention. It is explanatory drawing for demonstrating the structure of the virtual arrangement | sequence space of a data code used for the code error check process shown in FIG. FIG. 3 is a diagram schematically showing addition processing of data code values along the row direction and the column direction for the virtual array space shown in FIG. 3A in the code error check processing shown in FIG. 2. FIG. 4 is a diagram schematically showing an addition process of data code values along two diagonal directions for the virtual array space shown in FIG. 3A in the code error check process shown in FIG. 2.

  Embodiments of the present invention will be described below with reference to the drawings. The arithmetic processing system shown here as an embodiment of the present invention is a multi-core system including a plurality of processor cores, which are arithmetic processing units, integrated in a one-chip semiconductor, for example, in an electronic control device mounted on a vehicle Used to control at least one of the operations of the vehicle. However, the arithmetic processing system according to the present invention is not limited to a multi-core system, and can be implemented as, for example, a multi-processor system including a plurality of individual chip processors (for example, CPUs). The present invention is not limited to this and can be widely used for general electronic devices.

FIG. 1 is a block diagram showing a configuration of a multi-core system according to an embodiment of the present invention.
The multi-core system 100 is used in, for example, an electronic control device that is mounted on a vehicle and controls the operation of the vehicle, and executes a first core 102 and a second core 104 that execute calculations, and a program that the first core 102 executes. Is stored in the first memory 106 and the second memory 108 in which the program executed by the second core 104 is stored, and the third memory temporarily stores data when the first core 102 and the second core 104 perform processing. 110 and an input / output (I / O) port circuit 112 for inputting / outputting data and the like between the peripheral device and a communication interface (communication I / F) circuit for communicating with the peripheral device 114 and a bus 116 for exchanging data between these components.

  Each of the first core 102 and the second core 104 has, for example, an ALU (arithmetic unit, arithmetic logic unit) that performs arithmetic processing such as logical operation or four arithmetic operations, and performs processing according to each command described in the program. And a memory for storing a microprogram to be executed in the memory, a register for temporarily storing a data code value used for ALU arithmetic processing, and the like.

  The first memory 106 and the second memory 108 are composed of, for example, a ROM (Read Only Memory) and / or a nonvolatile memory (flash memory or the like), and programs to be executed by the first core 102 and the second core 104 are stored in advance. ing. The third memory 110 is composed of, for example, a RAM (Random Access Memory) and / or a nonvolatile memory (flash memory or the like).

  The I / O port circuit 112 includes a port 118 configured by one or a plurality of, for example, 1-bit input lines, and / or an output port 120 configured by one or a plurality of, for example, 1-bit output lines, An input from the input port 118 is output to the bus 116 and / or a signal output from the output port 120 is controlled based on data provided from the bus 116.

  The communication I / F circuit 114 is an interface circuit for performing, for example, SPI (Serial Peripheral Interface) communication.

  When power is supplied to the multi-core system 100 (or, for example, when a reset signal is given via one of the input ports 118 of the I / O port circuit 112), the first core 102 stores in the first memory 106. In accordance with the programmed program, the storage error of the data code in the storage area of the program for the second core 104 stored in the second memory 108 (hereinafter referred to as a code error) is checked, and the second core 104 In accordance with the program stored in (1), the code error in the storage area of the program for the first core 102 stored in the first memory 106 is checked. Here, the code error check in the program storage area (hereinafter also referred to as “code error check”) means that the data code stored in the storage area is changed from the original content stored in the storage area. The data code of the program storage area means all data codes stored in the storage area including code data representing the program code such as command codes and arguments. To do.

  Next, the procedure of the code error check process will be described according to the flowchart shown in FIG. 2 with reference to FIGS. The code error check process in the first core 102 and the second core 104 is performed in the same procedure for the second memory 108 and the first memory 106, respectively. In the following, in order to avoid redundant description, the code error check process in the first core 102 will be described as an example.

  When power is supplied to the multi-core system 100 or when a reset signal is given, for example, via one of the input ports 118 of the I / O port circuit 112, the first core 102 first programs the second memory 108. All the data codes stored in the storage area are virtually arranged in a matrix to form, for example, a two-dimensional virtual array space (S100). Specifically, for example, the program storage area is divided into a plurality of blocks composed of a predetermined number of data codes, and a virtual array space is formed in which the blocks are arranged in rows and arranged in the column direction. To do.

  More specifically, in this virtual array space, a two-dimensional array expression having a storage address representing a data code storage location in the program storage area as an element is described in advance in the program, for example, and 2 of the storage address is stored. It can be configured according to a dimensional array representation. In the present embodiment, the code length of each data code stored in the program storage area is 1 word (2 bytes, 16 bits). However, a data code having a length longer or shorter than one word may be used.

  FIG. 3 is an explanatory diagram for explaining a virtual array space in which data codes stored in the program storage area are arranged in a two-dimensional matrix. In FIG. 3A, for example, a program storage area composed of 100 data codes (indicated by hexadecimal values in the figure) is divided into 10 blocks composed of 10 data codes. The 10 × 10 virtual array space is configured as shown in the figure by arranging these blocks in the column direction with each of the blocks as a row. This virtual array space is described in accordance with the two-dimensional array by describing a 10 × 10 two-dimensional array having the address of the program storage area as an element as shown in FIG. It can be carried out. Note that the virtual array space shown in FIG. 3 is an example, and the number of data code values arranged in the row direction and the column direction can be arbitrarily determined and configured.

  Returning to FIG. 2, next, the first core 102 adds the data code values in the row direction in the two-dimensional virtual array space to calculate and store the sum (added value) of the data code values of each row. (S102) In the two-dimensional virtual array space, the data code values are added in the column direction, and the sum (added value) of the data code values of each column is calculated and stored (S104).

  FIG. 4 is a diagram schematically showing a data code value addition process along the row direction and the column direction in the virtual array space shown in FIG. The black solid line arrow in the figure indicates the addition direction, and an addition value for every 10 rows and an addition value for every 10 columns are calculated and stored. When the data length of the calculated added value exceeds 1 word, the data code value of the lower 1 word of the calculated value is stored as the calculation result. That is, the lower bits of a predetermined number of digits (16 bits in this embodiment) of the calculated added value are stored. Further, each calculated addition value can be stored in the third memory 110, for example.

  Returning to FIG. 2, the first core 102 further has a first diagonal direction (for example, a diagonal direction from the upper left to the lower right in FIG. 2A) in the two-dimensional virtual array space. Then, for each subset of data codes arranged in the first diagonal direction, an addition value of the data code for each subset is calculated and stored (S106), and the second diagonal direction (for example, FIG. For each subset of data codes arranged in the second diagonal direction along the diagonal direction from the upper right in the figure to the lower left in the figure), an addition value of the data code for each subset is calculated and stored ( S108).

  FIG. 5 is a diagram schematically showing an addition process of data code values along the first and second diagonal directions in the virtual array space shown in FIG. There are 19 data code subsets for each of the first and second diagonal directions, 19 additional values for each data code subset along the first diagonal direction, and a second diagonal direction. 19 added values for each data code subset along are calculated and stored. As described above, when the data length of the calculated added value exceeds 1 word, the data code value of the lower 1 word of the calculated value is used as the calculation result. Further, the added value can be stored in the third memory 110, for example.

  Returning to FIG. 2, next, the first core 102 stores the data value stored in the program storage area using the addition value stored in steps S <b> 102 to S <b> 108 and the checksum corresponding to the addition value. It is checked whether there is an error (S110). Thereby, the soundness of the program stored in the program storage area is verified. Specifically, when the program is installed in the second memory 108, the respective addition values in the row direction, the column direction, the first diagonal direction, and the second diagonal direction are calculated. Is stored as a checksum corresponding to each addition value in each direction, and each addition value calculated in steps S102 to S108 is added to the checksum corresponding to each addition value. If all the addition results with the checksum for each added value are 0, it can be determined that there is no data code storage error. The checksum can be described in a program installed in the second memory 108 or stored in a non-volatile memory that constitutes the third memory 110.

  When there is a storage error in the data code value stored in the program storage area (S110, Yes), the first core 102 performs an abnormal process (S112), and when there is no storage error (S110, No), this process ends normally.

  As described above, also in the second core 104, the same processing as this processing is performed on the program storage area in the first memory 106, and a code error in the program storage area in the first memory 106 is checked. When both the code error check process for the second memory 108 by the first core 102 and the code error check process for the first memory 106 by the second core 104 are normally completed, the code error is detected by these processes. According to the program in the first memory 106 and the second memory 108 confirmed not to exist, the first core 102 and the second core 104 respectively start operation control of the vehicle on which the multi-core system 100 is mounted.

  In the abnormal process in step S112, according to the conventional technique, for example, the data code value can be restored using a checksum, or the process can be stopped by determining that the program has been tampered with.

  Through the above-described code error check process, the multi-core system 100 follows the row direction, the column direction, and the first and second diagonal directions in the two-dimensional virtual array space in which the data code values in the program storage area are arranged in a matrix. Since the storage error of the data code in the program storage area is checked using the calculated data code addition value, the addition value for each block in the storage area (corresponding to the addition value along the row direction in FIG. 4) The reliability of error detection can be improved as compared with the prior art in which data code errors are checked using only. Also, for the same reason, it is possible to detect clever program alteration that is performed so that the data code addition value in the row direction does not change, so it is possible to effectively prevent execution of a falsified illegal program. can do.

  In the present embodiment, the first core 102 and the second core 104 are provided with two arithmetic processing circuits, and one core (102 or 104) stores the program of the other core (104 or 102). Since the code errors in the storage areas are checked, the code errors in the program storage areas can be checked simultaneously, and the program storage in the first memory 106 and the second memory 108 can be performed only by one core 102 or 104. This check can be completed more quickly than when checking the area.

  In the present embodiment, data along the row direction, the column direction, the first diagonal direction, and the second diagonal direction is obtained for the two-dimensional virtual array space in which the data codes of the program storage area are arranged in a matrix. Although the addition value of the code is calculated, the present invention is not limited to this, and the addition value of the data code along other directions may be used. For example, instead of the first and second diagonal directions, an addition value of data codes calculated along two oblique directions each forming an arbitrary angle with respect to the row direction may be used. For example, an oblique direction that forms an arbitrary angle with respect to the row direction, such as calculating an addition value for a data code sequence composed of data codes separated by two in the row direction and one in the column direction in the virtual array space. The added value can be calculated along

  In this embodiment, the data code addition value is calculated along a total of four directions of the row direction, the column direction, the first diagonal direction, and the second diagonal direction. The code error check may be performed by calculating a data code addition value along at least two directions. Even in this case, the reliability of the code error check can be improved as compared with the conventional technique in which the code error check is performed using only the addition value along the row direction.

  In this embodiment, a 10 × 10 square array is shown as the two-dimensional virtual array space. However, the present invention is not limited to this, and the two-dimensional virtual array is not a square array (for example, a non-square array such as 100 × 10). Space can also be used. Further, depending on the number of data codes stored in the program storage area, it is not always necessary to embed data codes at all positions in the virtual array space. For example, in FIG. 3A, if the number of data codes in the program storage area is 97, the three positions on the right side of the last row (the bottom row in the array shown on the right side in FIG. 3A) are shown. May not be filled with a data code. In this case, in the calculation of the added value of the data code, the position where the data code is not filled can be ignored (or the code “00” is regarded as filled).

  In this embodiment, a two-dimensional virtual array space is used. However, the present invention is not limited to this, and a virtual array space having three or more dimensions can also be used. In this case, the address array shown in FIG. 3B used for constructing the virtual array space is a three-dimensional array or more, and the data series used for the addition value calculation is an increment of each index between adjacent data or What is necessary is just to define as a decrement. For example, in the four-dimensional virtual array space, a four-dimensional address array can be defined by A ′ (α, β, γ, θ) (that is, four indexes α, β, γ, θ are used). Then, the data series used for the addition value calculation is defined by the variation (Δα, Δβ, Δγ, Δθ) of each index between adjacent data. For example, the variation (1, 2, 3, 4) is composed of data codes in which the index α is 1, β is 2, γ is 3, and θ is 4 away from each other in the four-dimensional virtual array space. This means that the added value is calculated using the data series.

  Further, in the present embodiment, the first core 102 and the second core 104 are configured to use two cores. However, the present invention is not limited to this, and three or more cores are used, and each of the cores is different. The code error check of the storage area in the memory in which the program of another one core is stored may be executed.

  In the present embodiment, the programs executed by the first core 102 and the second core 104 are stored in the first memory 106 and the second memory 108, respectively. The programs executed by each of the first core 102 and the second core 104 may be stored in different areas of the same memory (for example, the first memory).

  In the present embodiment, the multi-core system 100 integrated on one chip has been described as an example. However, the present invention is not limited to this, and the present invention is not limited to this, but as a system in which each component of the multi-core system 100 is configured as an individual circuit component. Can be implemented. For example, the present invention can be implemented as a multiprocessor system (multi-CPU system) in which two separate processors (CPUs) are used as arithmetic processing units instead of the first core 102 and the second core 104.

  DESCRIPTION OF SYMBOLS 100 ... Multi-core system, 102 ... 1st core, 104 ... 2nd core, 106 ... 1st memory, 108 ... 2nd memory, 110 ... 3rd memory, 112 ... -I / O port circuit, 114 ... Communication I / F circuit, 116 ... Bus, 118 ... Input port, 120 ... Output port.

Claims (8)

A plurality of arithmetic processing circuits each performing arithmetic processing;
A memory storing each program executed by each of the arithmetic processing circuits;
With
Each of the arithmetic processing circuits is configured to perform a code error check of a storage area in the memory in which a program of another different arithmetic processing circuit is stored.
Arithmetic processing system. Each of the arithmetic processing circuits is stored in the storage area along at least two different directions with respect to a virtual array space in which data codes in the storage area are arranged so as to form a matrix of two or more dimensions. The code error check is configured to be performed using a plurality of addition values obtained by adding data code values.
The arithmetic processing system according to claim 1. The code error check is performed using a checksum corresponding to the addition value.
The arithmetic processing system according to claim 1 or 2. The checksum is a checksum corresponding to a low-order bit of a predetermined number of two true values representing the addition value.
The arithmetic processing system according to claim 3. The arithmetic processing circuit is a processor,
The arithmetic processing system is configured as a multiprocessor system,
The arithmetic processing system as described in any one of Claims 1 thru | or 4. The arithmetic processing circuit is a processor core integrated in a processor,
The arithmetic processing system is configured as a multi-core system,
The arithmetic processing system as described in any one of Claims 1 thru | or 4.   An electronic control device that performs vehicle control, comprising the arithmetic processing system according to any one of claims 1 to 6. An error check method for a program data code value in an arithmetic processing system, comprising: a plurality of arithmetic processing circuits each performing arithmetic processing; and a memory storing each program executed by each of the arithmetic processing circuits,
Each of the arithmetic processing circuits is arranged in a virtual array space by arranging the data codes of the storage areas in the memory in which the programs of the other different arithmetic processing circuits are stored so as to form a matrix of two or more dimensions. Comprising the steps of:
Each of the arithmetic processing circuits adding a data code value stored in the storage area along at least two different directions to calculate a plurality of added values;
Each of the arithmetic processing circuits verifies that the program data code value has no error using the calculated addition value and a checksum corresponding to the addition value;
An error check method for program data code values.

Images