JP2018116669A - On-vehicle device, relay device, and computer programs - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a compact and inexpensive on-vehicle device having a first on-vehicle unit and a second on-vehicle unit, a compact and inexpensive relay device having a first relay unit and a second relay unit, and computer programs to be executed respectively in the on-vehicle device and the relay device.SOLUTION: A relay device 11 includes: a first relay unit 21 for executing processing in response to a first control program; and a second relay unit 22 for executing processing in response to a second control program. A HSM (Hardware Security Module) of the first relay unit 21 verifies the second control program. The second on-vehicle unit calculates related data related to the second control program. The HSM verifies the second control program by determining whether related data calculated by the second relay unit 22 coincides with reference data.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an in-vehicle device, a relay device that relays communication between communication devices, and a computer program that is executed in each of the in-vehicle device and the relay device.

  As a communication system mounted on a vehicle, there is a communication system in which a relay device relays communication between a plurality of ECUs (Electronic Control Units) that control the operation of an electric device. In this communication system, each of a plurality of ECUs functions as a communication device, and one ECU communicates with another ECU via a relay device. A plurality of ECUs can cause a plurality of electric devices to perform a cooperative operation by communicating with each other. The relay device transmits data received from one ECU to another ECU.

  A control program is stored in the relay device. In the relay device, a CPU (Central Processing Unit) executes a relay process for relaying communication by executing a control program. When the control program stored in the relay device is tampered with, the relay device does not transmit data properly, and thus there is a risk that the electrical device will not operate properly. Therefore, it is necessary to verify that the control program is appropriate when the relay device is activated.

  Patent Document 1 discloses a technique for verifying that a control program is appropriate. In this technique, related data related to the control program is calculated, and it is determined whether the calculated related data matches one of a plurality of predetermined data stored in advance. When the calculated related data matches one of a plurality of predetermined data, it is determined that the control program is appropriate.

JP 2009-259160 A

  A plurality of protocols are used for communication in vehicles. For this reason, a relay device provided with the 1st relay machine which relays communication between a plurality of 1st communication devices and the 2nd relay machine which relays communication between a plurality of 2nd communication devices can be considered as a relay device.

  In this relay device, for example, communication according to the first protocol is performed between the plurality of first communication devices, and communication according to the second protocol is performed between the plurality of second communication devices. The first repeater is connected to the second repeater, and the first repeater and the second repeater relay communication between the first communication device and the second communication device.

In the relay apparatus including the first relay machine and the second relay machine, the first relay machine and the second relay machine are each equipped with a CPU, and the control program executed by the CPU of the first relay machine is the second relay machine. This is different from the control program executed by the CPU. In this case, it is necessary to verify each of these control programs. As a relay device that verifies the control program of each of the first relay device and the second relay device, the relay device that each of the first relay device and the second relay device has a verification function that verifies that the control program is appropriate is considered. It is done.
However, when each of the first repeater and the second repeater has a verification function, there is a problem that the size of the repeater is large and the manufacturing cost increases.

  The in-vehicle device having such a problem is not limited to the relay device. A vehicle-mounted device including a first vehicle-mounted device that executes processing according to the first control program and a second vehicle-mounted device that executes processing according to a second control program different from the first control program has the same problem.

  The present invention has been made in view of such circumstances, and an object thereof is to provide a small and inexpensive on-vehicle device including a first in-vehicle device and a second in-vehicle device, and a first repeater and a second repeater. And a small and inexpensive relay device, and a computer program executed by each of the in-vehicle device and the relay device.

  The in-vehicle device according to the present invention includes a first processing unit that executes processing according to a first control program, and verification that verifies the first control program by using different hardware than the hardware that configures the first processing unit. In a vehicle-mounted device including a first vehicle-mounted device having a device, a second vehicle-mounted device having a second processing unit that executes processing according to a second control program, and related data for calculating related data related to the second control program And a verification unit, wherein the verification unit includes a determination unit that determines whether the related data calculated by the related data calculation unit matches reference data.

  In the present invention, the verifier of the first in-vehicle device determines whether or not the related data related to the second control program of the second in-vehicle device matches the reference data. Validate. For this reason, since the 2nd vehicle equipment does not need to have the verification function of a 2nd control program, an apparatus is small and manufacturing cost is cheap.

  The in-vehicle device according to the present invention is characterized in that, in the verification device, the first control program is verified by the other hardware executing the verification program.

  In the present invention, the first control program is verified by executing the verification program by other hardware different from the hardware configuring the first processing unit.

  In the in-vehicle apparatus according to the present invention, the verifier of the first in-vehicle apparatus includes the related data calculation unit, a random number generation unit that generates random number data, random number data generated by the random number generation unit, and predetermined data. And a reference data calculation unit for calculating the reference data, and the second in-vehicle device calculates calculation data for calculating the related data based on the second control program and random number data. And the related data calculation unit of the verifier calculates the related data based on the calculation data calculated by the calculation unit.

  In the present invention, the verifier of the first in-vehicle device generates random number data, and calculates reference data based on the generated random number data and predetermined data. The second in-vehicle device acquires the random number data generated by the verifier, and calculates calculation data based on the acquired random number data and the second control program. The verifier acquires the calculation data calculated by the second in-vehicle device, calculates related data based on the acquired calculation data, and determines whether the related data matches the reference data.

  When the random number data generated by the verifier is changed, the calculation data calculated by the second in-vehicle device is also changed. For example, assume that the random number data is changed each time the verifier verifies the second control program. In this case, since the calculation data is changed every time the verifier verifies the second control program, the reliability of the verification result of the second control program is high.

  In the in-vehicle device according to the present invention, the verifier of the first in-vehicle device has a storage unit in which key data is stored, and the reference data calculation unit includes key data stored in the storage unit. The reference data is calculated based on the random number data and the predetermined data, and the related data calculation unit calculates the related data based on the calculated data and key data.

  In the present invention, the verifier of the first in-vehicle device calculates the reference data based on the key data, the random number data, and the predetermined data, and based on the operation data calculated by the second in-vehicle device and the key data. Since the related data is calculated, the reliability of the verification result of the second control program is higher.

  In the in-vehicle device according to the present invention, the verifier of the first in-vehicle device includes the random number generator that generates random number data, the random number data generated by the random number generator, and the reference data based on predetermined data. A reference data calculation unit for calculating the second data, the second vehicle-mounted device has the related data calculation unit, and the related data calculation unit calculates the related data based on the second control program and random number data. It is characterized by doing.

  In the present invention, the verifier of the first in-vehicle device generates random number data, and calculates reference data based on the generated random number data and predetermined data. The second in-vehicle device acquires the random number data generated by the verifier, and calculates related data based on the acquired random number data and the second control program. The verifier acquires related data calculated by the second in-vehicle device, and determines whether or not the acquired related data matches the reference data.

  When the random number data generated by the verifier is changed, the related data calculated by the second in-vehicle device is also changed. For example, assume that the random number data is changed each time the verifier verifies the second control program. In this case, each time the verifier verifies the second control program, the related data acquired by the verifier from the second in-vehicle device is changed, so the reliability of the verification result of the second control program is high.

  The in-vehicle device according to the present invention includes an operation control unit that stops the operation of the second in-vehicle device when the determination unit of the verifier determines that the related data does not match the reference data. It is characterized by that.

  In the present invention, when the verifier of the first in-vehicle device determines that the related data does not match the predetermined data, the second in-vehicle device operates with the possibility that the second control program has been falsified. To stop.

  A relay device according to the present invention includes a first relay that relays communication between a plurality of first communication devices, and a second relay that performs processing according to a control program and relays communication between the plurality of second communication devices. The first relay and the second relay are relay devices for vehicles that relay communication between the first communication device and the second communication device, and the first relay has key data A stored storage unit, a calculation unit that calculates related data related to the control program of the second repeater using the key data, and the related data calculated by the calculation unit match predetermined data And a determination unit for determining whether or not.

  In the present invention, in the second repeater, processing is executed according to the control program. The first relay uses the key data to calculate related data related to the control program of the second relay, and determines whether the calculated related data matches the predetermined data. When the related data matches the predetermined data, for example, the first repeater notifies the second repeater that the control program is appropriate, and the second repeater starts processing according to the control program.

  As described above, since the first repeater verifies that the control program for the second repeater is appropriate, each of the first repeater and the second repeater need not have a control program verification function. For this reason, the apparatus is small and the manufacturing cost is low.

  The relay device according to the present invention includes an operation control unit that stops the operation of the second repeater when the determination unit of the first repeater determines that the related data does not match the predetermined data. It is characterized by providing.

  In the present invention, when it is determined by the first repeater that the related data does not match the predetermined data, the second repeater operates with the possibility that the control program of the second repeater has been falsified. To stop.

  In the relay device according to the present invention, the second relay has a calculation unit that calculates calculation data for calculating the related data, and the first relay transmits the calculation data calculated by the calculation unit. It has an acquisition part to acquire, The calculation part of the 1st repeater calculates the related data using the key data and the calculation data which the acquisition part acquired.

  In the present invention, the second repeater calculates calculation data for calculating related data. The first repeater obtains calculation data from the second repeater and calculates related data using the key data and the calculation data. For example, when the amount of operation data is smaller than the amount of data in the control program, the amount of data transferred from the second repeater to the first repeater is small in order to verify that the control program is appropriate . In this case, the time required for performing the verification is short.

  In the relay device according to the present invention, the first repeater includes a processing unit that executes processing according to a second control program, a second storage unit that stores second key data, and the second relay unit. A second calculation unit that calculates second related data related to the second control program using the key data, and the second related data calculated by the second calculation unit is the second predetermined data. And a second determination unit that determines whether or not they match.

  In the present invention, the first repeater executes processing according to the second control program. The first repeater verifies that the control program of the second repeater is appropriate by calculating the associated data using the key data, and uses the second key data to obtain the second associated data. It is also verified by calculation that the second control program of the own device is appropriate.

  The relay device according to the present invention converts data corresponding to a first protocol used in communication between a plurality of first communication devices into data corresponding to a second protocol used in communication between the plurality of second communication devices. And a conversion unit for converting data corresponding to the second protocol into data corresponding to the first protocol.

  In the present invention, the first protocol is used for communication between the plurality of first communication devices, and the second protocol is used for communication between the plurality of second communication devices. When communication is performed between the first communication device and the second communication device, data corresponding to the first protocol is converted into data corresponding to the second protocol, and data corresponding to the second protocol is corresponded to the first protocol. Convert to data.

  A computer program according to the present invention includes a first processing unit that executes processing according to a first control program, and verification that verifies the first control program by using hardware other than the hardware that constitutes the first processing unit. A computer program that is executed by the verifier of the in-vehicle device that includes a first in-vehicle device that includes a first in-vehicle device and a second in-vehicle device that executes processing according to the second control program, and is related to the second control program The related data is calculated, and the computer is caused to execute processing for determining whether or not the calculated related data matches the reference data.

  In the present invention, the verifier of the first in-vehicle device determines whether or not the related data related to the second control program of the second in-vehicle device matches the reference data. Validate. For this reason, since the 2nd vehicle equipment does not need to have the verification function of the 2nd control program, a vehicle equipment is small and the manufacturing cost of a vehicle equipment is cheap.

  A computer program according to the present invention includes a first processing unit that executes processing according to a first control program, and verification that verifies the first control program by using hardware other than the hardware that constitutes the first processing unit. A computer program that is executed by the verifier of the in-vehicle device that includes a first in-vehicle device that includes a first in-vehicle device and a second in-vehicle device that executes processing according to the second control program, and is related to the second control program Relevant data is acquired, and the computer is caused to execute a process for determining whether or not the acquired related data matches the reference data.

  In the present invention, the verifier of the first in-vehicle device determines whether or not the related data related to the second control program of the second in-vehicle device matches the reference data. Validate. For this reason, since the 2nd vehicle equipment does not need to have the verification function of the 2nd control program, a vehicle equipment is small and the manufacturing cost of a vehicle equipment is cheap.

  A computer program according to the present invention includes a first relay that relays communication between a plurality of first communication devices, and a second relay that performs processing according to a control program and relays communication between the plurality of second communication devices. And the first repeater and the second repeater are computer programs executed by the first repeater in a vehicle relay device that relays communication between the first communication device and the second communication device. The computer calculates the related data related to the control program of the second repeater using the key data stored in advance, and determines whether or not the calculated related data matches the predetermined data It is made to perform.

  In the present invention, the first repeater verifies the control program of the second repeater by determining whether the related data related to the control program of the second repeater matches the reference data. . For this reason, since it is not necessary for the second repeater to have a control program verification function, the relay device is small and the manufacturing cost of the relay device is low.

  According to the present invention, a small and inexpensive device can be realized.

1 is a block diagram showing a main part configuration of a communication system according to Embodiment 1. FIG. It is a block diagram which shows the principal part structure of a 1st repeater. It is a block diagram which shows the principal part structure of a 2nd relay machine. It is a flowchart which shows the procedure of a 1st relay process. It is a flowchart which shows the procedure of a 2nd relay process. It is a flowchart which shows the procedure of a verification process. It is a flowchart which shows the procedure of a starting process. 6 is a block diagram showing a main configuration of a communication system according to Embodiment 2. FIG. It is a block diagram which shows the principal part structure of a 2nd relay machine. It is a flowchart which shows the procedure of a starting process. 12 is a flowchart illustrating a procedure of verification processing according to the third embodiment. 12 is a flowchart illustrating a procedure of verification processing according to the third embodiment. It is a flowchart which shows the procedure of a starting process. It is explanatory drawing of verification of a 2nd control program. 15 is a flowchart illustrating a verification process procedure according to the fourth embodiment. 15 is a flowchart illustrating a verification process procedure according to the fourth embodiment. It is a flowchart which shows the procedure of a starting process. It is explanatory drawing of verification of a 2nd control program.

Hereinafter, the present invention will be described in detail with reference to the drawings illustrating embodiments thereof.
(Embodiment 1)
FIG. 1 is a block diagram illustrating a main configuration of a communication system 1 according to the first embodiment. The communication system 1 is suitably mounted on the vehicle 100, and includes a relay device 11, ECUs 12a, 12a, 12b, 12b, in-vehicle devices 13a, 13b, 13c, and communication lines La, Lb. The relay device 11 includes a first relay machine 21 and a second relay machine 22.
Each of the relay device 11, the first relay device 21, and the second relay device 22 functions as an in-vehicle device, a first in-vehicle device, and a second in-vehicle device.

  Two communication lines La and Lb are connected to the first repeater 21 of the relay device 11 separately. Two ECUs 12a and 12a are connected to the communication line La. Two ECUs 12b and 12b are connected to the communication line Lb. In the relay device 11, the first repeater 21 is connected to the second repeater 22. Three in-vehicle devices 13a, 13b, and 13c are connected to the second repeater 22 separately.

  Communication according to the CAN (Controller Area Network) protocol is performed via the communication lines La and Lb. Each of the communication lines La and Lb is a twisted pair line. The ECU data corresponding to the CAN protocol and including identification information is transmitted via the communication lines La and Lb. The identification information is information for identifying ECU data in which the identification information is included.

  Each of the ECUs 12a, 12a and the first repeater 21 transmits ECU data via the communication line La. ECU data transmitted by one of the ECUs 12a, 12a and the first repeater 21 is received by all other devices. For example, ECU data transmitted by one ECU 12 a is received by the other ECU 12 a and the first relay 21.

  Similarly, ECU12b, 12b and the 1st relay machine 21 each transmit ECU data via the communication line Lb. ECU data transmitted by one of the ECUs 12b, 12b and the first repeater 21 is received by all other devices. For example, ECU data transmitted by one ECU 12b is received by the other ECU 12b and the first relay 21.

  When each of the ECUs 12a and 12a receives the ECU data, the ECUs 12a and 12a each determine whether or not the process related to the ECU data should be executed based on the identification information included in the received ECU data. When it is determined that the process related to the received ECU data should be executed, the ECUs 12a and 12a execute the process related to the received ECU data. When each of the ECUs 12a and 12a determines that the processing related to the received ECU data should not be executed, the ECU 12a or 12a performs leaving or deletion of the received ECU data.

  Similarly, when each of the ECUs 12b and 12b receives ECU data, the ECUs 12b and 12b determine whether or not to execute the process related to the ECU data based on the identification information included in the received ECU data. When each of the ECUs 12b and 12b determines that the process related to the received ECU data should be executed, the ECU 12b and 12b execute the process related to the received ECU data. When each of the ECUs 12b and 12b determines that the processing related to the received ECU data should not be executed, the ECU 12b or 12b performs leaving or deletion of the received ECU data.

  An electric device (not shown) is connected to each of the ECUs 12a, 12a, 12b, 12b. Each of the ECUs 12a, 12a, 12b, and 12b executes, for example, a process for controlling the operation of the electrical device connected to the own apparatus based on the content indicated by the received ECU data, as a process related to the received ECU data. .

  Each of the ECUs 12a, 12a, 12b, and 12b transmits ECU data indicating a detection value detected by the sensor, for example, when the sensor is connected to the own device. Further, each of the ECUs 12a, 12a, 12b, and 12b transmits ECU data indicating the content of the instruction received by the receiving unit when, for example, a receiving unit that receives an instruction from the user is connected to the own device. For example, when a window motor that opens and closes the power window of the vehicle is connected to one ECU 12a, the other ECU 12a transmits ECU data that instructs opening of the power window. When the ECU 12a receives this ECU data, the ECU 12a causes the window motor to open the power window.

  The first repeater 21 relays communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b. Specifically, the first repeater 21 transmits the ECU data received via the communication line La via the communication line Lb, and the ECU data received via the communication line Lb via the communication line La. To send. Each of the ECUs 12a, 12a, 12b, 12b functions as a first communication device. The CAN protocol is used for communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b.

  Each of the in-vehicle devices 13a, 13b, and 13c communicates with the second repeater 22 on a one-to-one basis. For example, communication conforming to the Ethernet (registered trademark) standard is performed between the in-vehicle devices 13a, 13b, and 13c and the second repeater 22. Each of the in-vehicle devices 13a, 13b, and 13c transmits device data including transmission destination information indicating a transmission destination to the second repeater 22. The 2nd relay machine 22 relays communication performed between two in vehicle equipment 13a, 13b, and 13c. Each of the in-vehicle devices 13a, 13b, and 13c functions as a second communication device. In communication between the two in-vehicle devices 13a, 13b, and 13c, for example, TCP (Transmission Control Protocol) / IP (Internet Protocol) which is one of protocols corresponding to Ethernet (registered trademark) is used.

  It is assumed that each of the in-vehicle devices 13a and 13b is a camera and a display. In this case, the in-vehicle device 13 a transmits device data including image data captured by the camera to the second relay device 22. This device data includes transmission destination information indicating the in-vehicle device 13b as a transmission destination. The second relay 22 transmits device data including image data to the in-vehicle device 13b. The in-vehicle device 13b displays an image based on the image data included in the device data received from the second repeater 22.

  The first repeater 21 and the second repeater 22 relay communication between one of the ECUs 12a, 12a, 12b, and 12b and one of the in-vehicle devices 13a, 13b, and 13c.

As described above, the ECU data is data corresponding to the CAN protocol, and corresponds to data corresponding to the first protocol. The device data is data corresponding to a protocol used for communication between the two in-vehicle devices 13a, 13b, and 13c, and corresponds to data corresponding to the second protocol.
The first repeater 21 converts ECU data received via one of the communication lines La and Lb into device data. The second repeater 22 transmits the device data converted by the first repeater 21 to one of the in-vehicle devices 13a, 13b, and 13c. The second relay 22 receives device data from one of the in-vehicle devices 13a, 13b, and 13c. The first repeater 21 converts the device data received by the second repeater 22 into ECU data, and transmits the converted ECU data via at least one of the communication lines La and Lb.

  FIG. 2 is a block diagram showing a main configuration of the first repeater 21. The first repeater 21 includes a ROM (Read Only Memory) 31, a CPU 32, communication units 33 a and 33 b, an HSM (Hardware Security Module) 34, a RAM (Random Access Memory) 35, and a power supply circuit 36. These are connected to the bus 37. In addition to the bus 37, the communication units 33a and 33b are connected to communication lines La and Lb, respectively. The RAM 35 is connected to the second repeater 22 in addition to the bus 37.

  The ROM 31 stores a first control program P1. The CPU 32 executes the first relay process according to the first control program P1. The first relay process includes communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b, and between one of the ECUs 12a, 12a, 12b and 12b and one of the in-vehicle devices 13a, 13b and 13c. This is a process for relaying the communication. The first control program P1 corresponds to a second control program, and the CPU 32 functions as a processing unit. Furthermore, the CPU 32 functions as a first processing unit and is hardware that constitutes the first processing unit.

The communication unit 33a receives ECU data from one of the ECUs 12a and 12a via the communication line La. The communication part 33a transmits ECU data via the communication line La according to the instruction | indication of CPU32. The ECU data transmitted by the communication unit 33a is received by the ECUs 12a and 12a.
The communication unit 33b receives ECU data from one of the ECUs 12b and 12b via the communication line Lb. The communication part 33b transmits ECU data via the communication line Lb according to the instruction | indication of CPU32. The ECU data transmitted by the communication unit 33b is received by the ECUs 12b and 12b.

The second repeater 22 stores a second control program P2 (see FIG. 3). The HSM 34 verifies that the first control program P1 is appropriate and verifies that the second control program P2 is appropriate. The HSM 34 functions as a verifier that verifies the first control program P1 and the second control program P2.
Each of the CPU 32, the HSM 34, and the second repeater 22 writes various data to the RAM 35 and reads data from the RAM 35. Therefore, for example, the data written in the RAM 35 by the second repeater 22 can be read from the RAM 35 by the CPU 32.

  The power supply circuit 36 is connected to a battery (not shown) of the vehicle 100 via a power line (not shown). The power supply circuit 36 is further connected to the ROM 31, CPU 32, communication units 33a and 33b, HSM 34, and RAM 35 by a power line (not shown). The power supply circuit 36 transforms the voltage output from the battery to a predetermined first voltage. The power supply circuit 36 outputs the first voltage to the ROM 31, the CPU 32, the communication units 33a and 33b, the HSM 34, and the RAM 35, and supplies power thereto.

  For example, when an ignition switch (not shown) of the vehicle 100 is turned on, the power supply circuit 36 supplies power to the ROM 31, the CPU 32, the communication units 33a and 33b, the HSM 34, and the RAM 35 to operate them. The power supply circuit 36 stops power supply to the ROM 31, the CPU 32, the communication units 33 a and 33 b, the HSM 34, and the RAM 35 in accordance with an instruction from the HSM 34. As a result, they stop operating, and the data stored in the RAM 35 is erased.

  The HSM 34 has a ROM 41, a CPU 42 and an interface 43. These are connected to the bus 44. The interface 43 is connected to the bus 37 in addition to the bus 44.

The ROM 41 stores a verification program Ph. The CPU 42 executes the verification program Ph in the first repeater 21. Thereby, a verification process for verifying that the first control program P1 and the second control program P2 are appropriate is executed. The verification program Ph is a computer program for causing the CPU 42 to execute verification processing. The ROM 41 further stores first key data K1, first reference data R1, second key data K2, and second reference data R2. These are predetermined data and are used in the verification process. The ROM 41 functions as a storage unit and a second storage unit.
The CPU 42 is hardware for verifying the first control program P1 and the second control program P2, and is different from the CPU 32.

  The verification program Ph may be stored in the storage medium E1 so that the computer (CPU 42) can read it. In this case, the verification program Ph read from the storage medium E1 by a reading device (not shown) is stored in a storage unit (not shown) of the HSM 34. The storage medium E1 is an optical disk, a flexible disk, a magnetic disk, a magnetic optical disk, a semiconductor memory, or the like. The optical disc is a CD (Compact Disc) -ROM (Read Only Memory), a DVD (Digital Versatile Disc) -ROM, or a BD (Blu-ray (registered trademark) Disc). The magnetic disk is, for example, a hard disk. Alternatively, the verification program Ph may be downloaded from an external device (not shown) connected to a communication network (not shown), and the verification program Ph may be stored in the storage unit described above.

  The CPU 42 accesses the ROM 31 and the RAM 35 of the first repeater 21 via the interface 43. Specifically, the CPU 42 reads the first control program P1 from the ROM 31. The CPU 42 writes various data to the RAM 35 and reads data from the RAM 35. Further, the CPU 42 instructs the power supply circuit 36 to stop power supply. As described above, the interface 43 allows the CPU 42 to access the ROM 31, RAM 35, and power supply circuit 36. On the other hand, the interface 43 prevents the CPU 32 from accessing the ROM 41. Therefore, the CPU 32 cannot read the contents stored in the ROM 41.

  When power supply from the power supply circuit 36 to the HSM 34 is started, the CPU 42 executes a verification process. While the CPU 42 is executing the verification process, the CPU 32 of the first repeater 21 stops operating. For example, the CPU 32 operates when the voltage of a terminal (not shown) of the CPU 32 is a high level voltage, and stops operating when the voltage of the terminal of the CPU 32 is a low level voltage. In this case, while the CPU 42 executes the verification process, the voltage of the terminal of the CPU 32 is maintained at the low level voltage by the HSM 34. When the CPU 42 completes the verification process, the HSM 34 switches the voltage at the terminal of the CPU 32 to a high level voltage.

  FIG. 3 is a block diagram showing a main configuration of the second repeater 22. The second repeater 22 includes a ROM 51, a CPU 52, communication units 53 a, 53 b, 53 c and a power supply circuit 54. These are connected to the bus 55. The bus 55 is further connected to the RAM 35 of the first repeater 21. In addition to the bus 55, the communication units 53a, 53b, and 53c are connected to the in-vehicle devices 13a, 13b, and 13c.

  The ROM 51 stores a startup program Pb and a second control program P2. The CPU 52 executes a startup process according to the startup program Pb. The startup process is a process that is first executed by the CPU 52 after the power supply to the CPU 52 is started and the CPU 52 is activated.

  Further, the CPU 52 executes the second relay process according to the second control program P2. The second relay process includes communication between two of the in-vehicle devices 13a, 13b, and 13c, and communication between one of the ECUs 12a, 12a, 12b, and 12b and one of the in-vehicle devices 13a, 13b, and 13c. It is a process for relaying. The CPU 52 functions as a second processing unit.

  The communication units 53a, 53b, and 53c receive device data from the in-vehicle devices 13a, 13b, and 13c, respectively. Further, each of the communication units 53a, 53b, and 53c transmits device data to the in-vehicle devices 13a, 13b, and 13c in accordance with an instruction from the CPU 52.

  The power supply circuit 54 is connected to the battery of the vehicle 100 by a power line (not shown). The power supply circuit 54 is further connected to the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c by a power line (not shown). The power supply circuit 54 transforms the voltage output from the battery to a predetermined second voltage. The power supply circuit 54 outputs a predetermined second voltage to the ROM 31, the CPU 32, the communication units 33a and 33b, the HSM 34, and the RAM 35, and supplies power thereto.

  For example, when an ignition switch (not shown) of the vehicle 100 is turned on, the power supply circuit 54 supplies power to the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c, and operates them. The power supply circuit 54 stops the power supply to the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c in accordance with an instruction from the CPU 52. Thereby, they stop operating.

  In each of the startup process and the second relay process, the CPU 52 writes various data in the RAM 35 of the first relay machine 21 and reads the data from the RAM 35.

  FIG. 4 is a flowchart showing the procedure of the first relay process. The CPU 32 of the first repeater 21 periodically executes the first relay process. First, the CPU 32 determines whether one of the communication units 33a and 33b has received ECU data (step S1). When it is determined that one of the communication units 33a and 33b has received the ECU data (S1: YES), the CPU 32 transmits the ECU data to at least one of the ECUs 12a, 12a, 12b, and 12b and the in-vehicle devices 13a, 13b, and 13c. It is determined whether or not to transmit to one (step S2).

  The ROM 31 stores a plurality of identification information. One or more of the identification information stored in the ROM 31 is associated with one of the communication units 33a and 33b. The destination information is associated with each of the remaining pieces of identification information stored in the ROM 31. As described above, the transmission destination information indicates at least one of the in-vehicle devices 13a, 13b, and 13c.

  In step S <b> 2, when the identification information included in the received ECU data is one of the plurality of identification information stored in the ROM 31, the CPU 32 determines that the ECU data should be transmitted. In step S2, CPU 32 determines that the ECU data should not be transmitted when the identification information included in the received ECU data is stored in ROM 31 and does not match any of the plurality of identification information. .

  When determining that the ECU data should be transmitted (S2: YES), the CPU 32 determines whether or not the first repeater 21 transmits the received ECU data (step S3). Here, when one of the communication units 33a and 33b is associated with the identification information included in the received ECU data in the ROM 31, the CPU 32 converts the received ECU data into the first repeater 21. Is determined to be transmitted. In addition, when the destination information is associated with the identification information included in the received ECU data in the ROM 31, the CPU 32 determines that the first repeater 21 does not transmit the received ECU data.

  When it is determined that the first repeater 21 transmits the received ECU data (S3: YES), the CPU 32 corresponds to the identification information included in the received ECU data in the communication units 33a and 33b. The communication unit is instructed to transmit the received ECU data (step S4). Thereby, the communication unit instructed to transmit in the communication units 33a and 33b transmits the received ECU data.

For example, when the communication unit 33a receives ECU data from one of the ECUs 12a and 12a, when the identification information included in the ECU data received by the communication unit 33a is associated with the communication unit 33b, the CPU 32 Instructs the communication unit 33b to transmit the ECU data received by the communication unit 33a. This ECU data is received by the ECUs 12b and 12b.
As described above, the first repeater 21 relays communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b.

  When the CPU 32 determines that the first relay machine 21 does not transmit the received ECU data, that is, the second relay machine 22 transmits the received ECU data (S3: NO), the CPU 32 receives the received ECU data. Data is converted (step S5). The device data converted in step S5 includes transmission destination information corresponding to the identification information included in the received ECU data. The transmission destination information indicates at least one of the in-vehicle devices 13a, 13b, and 13c. Next, the CPU 32 writes the device data converted in step S5 in the RAM 35 (step S6). As described above, the CPU 52 of the second repeater 22 can read out the device data from the RAM 35.

  The CPU 32 determines that neither of the communication units 33a and 33b has received the ECU data (S1: NO), determines that the ECU data should not be transmitted (S2: NO), or step S4. , S6, one of the communication units 33a, 33b determines whether or not the device data stored in the RAM 35 should be transmitted (step S7). Here, when the device data whose transmission destination information indicates at least one of the ECUs 12a, 12a, 12b, and 12b is stored in the RAM 35, one of the communication units 33a and 33b should transmit the device data. Is determined. When the device data indicating that the destination information indicates at least one of the ECUs 12a, 12a, 12b, and 12b is not stored in the RAM 35, the CPU 32 should not transmit any device data in the communication units 33a and 33b. judge.

  When it is determined that the device data should be transmitted (S7: YES), the CPU 32 converts the device data to be transmitted into ECU data (step S8). The ECU data converted in step S8 includes identification information corresponding to the destination information. For example, identification information is stored in the ROM 31 in association with each of a plurality of pieces of transmission destination information, and identification information corresponding to the transmission destination information is included in the ECU data. For example, one identification information corresponds to transmission destination information indicating one of the ECUs 12a and 12a, and other identification information corresponds to transmission destination information indicating one of the ECUs 12a and 12a and one of the ECUs 12b and 12b. Yes. The CPU 32 also functions as a conversion unit.

  Next, the CPU 32 instructs at least one of the communication units 33a and 33b to transmit the ECU data converted in step S8 (step S9). Accordingly, at least one of the communication units 33a and 33b transmits the ECU data converted by the CPU 32 in step S8. For example, when device data whose destination is one of the ECUs 12a and 12a is converted in step S8, the CPU 32 instructs the communication unit 33a to transmit the ECU data converted in step S8.

  When it is determined that neither the communication unit 33a or 33b should transmit device data (S7: NO) or after executing step S9, the CPU 32 ends the first relay process.

  FIG. 5 is a flowchart showing the procedure of the second relay process. The CPU 52 of the second repeater 22 periodically executes the second relay process. First, the CPU 52 determines whether one of the communication units 53a, 53b, and 53c has received device data (step S21). If the CPU 52 determines that one of the communication units 53a, 53b, 53c has received the device data (S21: YES), should the received device data be transmitted to at least one of the in-vehicle devices 13a, 13b, 13c? It is determined whether or not (step S22).

  Here, when the transmission destination information included in the received device data indicates at least one of the in-vehicle devices 13a, 13b, and 13c, the CPU 52 stores the received device data in the in-vehicle devices 13a, 13b, and 13c. It is determined that it should be transmitted to at least one of the above. On the other hand, when the destination information included in the received device data does not indicate any of the in-vehicle devices 13a, 13b, 13c, the CPU 52 transfers the received device data to any of the in-vehicle devices 13a, 13b, 13c. It is determined that it should not be transmitted.

  When the CPU 52 determines that the received device data should be transmitted to at least one of the in-vehicle devices 13a, 13b, and 13c (S22: YES), the device data is stored in at least one of the communication units 53a, 53b, and 53c. Transmission is instructed (step S23). The in-vehicle devices 13a, 13b, and 13c correspond to the communication units 53a, 53b, and 53c, respectively. In step S23, a communication unit instructing transmission is determined according to the transmission destination indicated by the transmission destination information included in the received device data. For example, when the transmission destination information indicates the in-vehicle devices 13b and 13c, the CPU 52 instructs the communication units 53b and 53c to transmit the received device data. When the CPU 53 executes Step S23, the communication unit instructed to transmit among the communication units 53a, 53b, and 53c transmits the device data.

For example, when the communication unit 53a receives device data and the transmission destination information included in the device data received by the communication unit 53a indicates the in-vehicle device 13b, the CPU 52 instructs the communication unit 53b to perform communication. The device data received by the unit 53a is transmitted.
As described above, the second repeater 22 relays communication between the two in-vehicle devices 13a, 13b, and 13c.

  The CPU 52 should not transmit the received device data to any of the in-vehicle devices 13a, 13b, and 13c. That is, the CPU 52 should transmit the received device data to at least one of the ECUs 12a, 12a, 12b, and 12b. (S22: NO), the received device data is written in the RAM 35 of the first repeater 21 (step S24).

  The CPU 52 determines that none of the communication units 53a, 53b, 53c has received the device data (S21: NO), or after executing steps S23, S24, the in-vehicle devices 13a, 13b, 13c It is determined whether device data to be transmitted to at least one is stored in the RAM 35 (step S25). Here, when the device data whose transmission destination information indicates at least one of the in-vehicle devices 13a, 13b, and 13c is stored in the RAM 35, the CPU 52 determines that the device data to be transmitted is stored. CPU52 determines with the apparatus data which should be transmitted not memorize | stored, when the apparatus data whose transmission destination information shows at least one in vehicle equipment 13a, 13b, 13c is not memorize | stored in RAM35.

When it is determined that device data to be transmitted is stored (S25: YES), the CPU 52 instructs at least one of the communication units 53a, 53b, and 53c to transmit device data (step S26). In step S26, as in step S23, a communication unit that instructs transmission is determined according to the transmission destination indicated by the transmission destination information included in the device data to be transmitted.
CPU52 complete | finishes a 2nd relay process, when it determines with the apparatus data which should be transmitted not memorize | stored (S25: NO) or after performing step S26.

  In the relay device 11 configured as described above, ECU data transmitted by one of the ECUs 12a, 12a, 12b, and 12b is converted into device data, and the converted device data is transmitted to the in-vehicle devices 13a, 13b, and 13c. To at least one of the In addition, device data transmitted by one of the in-vehicle devices 13a, 13b, and 13c is converted into ECU data, and the converted ECU data is transmitted to at least one of the ECUs 12a, 12a, 12b, and 12b.

  FIG. 6 is a flowchart showing the procedure of the verification process. The CPU 42 of the HSM 34 included in the first repeater 21 executes the verification process before executing the first relay process when the power supply circuit 54 starts supplying power to the CPU 42. As described above, while the CPU 42 executes the verification process, the CPU 32 stops operating. In the verification process, first, the CPU 42 reads the first control program P1 from the ROM 31 (step S31). Next, the CPU 42 calculates calculation data for calculating related data related to the first control program P1 using, for example, a hash function (step S32). In step S32, the CPU 42 calculates calculation data based on the control program P1 read in step S31.

Next, the CPU 42 calculates related data related to the first control program P1 using the calculation data calculated in step S32 and the first key data K1 stored in the ROM 41 (step S33). The first key data K1 corresponds to second key data, and the CPU 42 functions as a second arithmetic unit.
Next, the CPU 42 determines whether or not the related data calculated in step S33 matches the first reference data R1 stored in advance in the ROM 41 (step S34). The CPU 42 also functions as a second determination unit.

  The CPU 42 verifies that the first control program P1 is appropriate by executing step S34. The fact that the related data related to the first control program P1 matches the first reference data R1 indicates that the first control program P1 is appropriate. The fact that the related data related to the first control program P1 does not match the first reference data R1 means that the first control program P1 is not appropriate, that is, the first control program P1 may be falsified. Indicates high.

  If the CPU 42 determines that the related data does not match the first reference data R1 (S34: NO), the CPU 42 writes stop data instructing to stop the power supply performed by the power supply circuit 54 of the second repeater 22 to the RAM 35 (step S34). S35). As a result, the CPU 52 of the second repeater 22 can be notified that the first control program P1 is not appropriate. Thereafter, the CPU 42 instructs the power supply circuit 36 to stop power supply (step S36). Thereby, the power supply circuit 36 stops the power supply to the ROM 31, the CPU 32, the communication units 33a and 33b, the HSM 34, and the RAM 35, and the first repeater 21 stops its operation. After executing step S36, the CPU 42 ends the verification process.

  As described above, when the power supply circuit 36 stops supplying power to the RAM 35, the data stored in the RAM 35 is erased. In order to secure the time for the CPU 52 of the second repeater 22 to read out the stop data stored in the RAM 35, the CPU 42 has performed a predetermined time sufficient for the CPU 52 to read out the stop data after executing step S35. Then, step S36 is performed.

  When determining that the related data matches the first reference data R1 (S34: YES), the CPU 42 determines whether or not the operation data of the second control program P2 of the second repeater 22 is stored in the RAM 35 ( Step S37). The calculation data of the second control program P2 is data for calculating related data related to the second control program P2. When determining that the calculation data is not stored (S37: NO), the CPU 42 executes step S37 again and waits until the calculation data is written in the RAM 35. In the startup process, the CPU 52 of the second repeater 22 calculates calculation data of the second control program P2, and writes the calculated calculation data in the RAM 35.

  If the CPU 42 determines that the calculation data is stored (S37: YES), the CPU 42 reads the calculation data of the second control program P2 from the RAM 35 (step S38), and the read calculation data and the first data stored in the ROM 41 are stored. Using the two-key data K2, related data related to the second control program P2 is calculated (step S39). The CPU 42 also functions as a calculation unit and a related data calculation unit.

Next, the CPU 42 determines whether or not the related data calculated in step S39 matches the second reference data R2 stored in advance in the ROM 41 (step S40). The CPU 42 also functions as a determination unit.
The CPU 42 also verifies that the second control program P2 is appropriate by executing step S40. When determining that the related data matches the second reference data R2 (S40: YES), the CPU 42 writes normal data indicating that the second control program P2 is appropriate to the RAM 35 (step S41). As a result, the CPU 52 of the second repeater 22 can be notified that the second control program P2 is appropriate.

  When the CPU 42 determines that the related data does not match the second reference data R2 (S40: NO), the second control program P2 is not appropriate, that is, the second control program P2 may be falsified. Is written to the RAM 35 (step S42). As a result, the CPU 52 of the second repeater 22 can be notified that the second control program P2 is not appropriate.

  After executing one of steps S41 and S42, the CPU 42 ends the verification process. After completing the verification process, the CPU 42 stops the operation until the power supply circuit 36 temporarily stops the power supply and restarts the power supply. After the CPU 42 finishes the verification process, the CPU 32 executes the appropriate first control program P1. As described above, the interface 43 prevents the CPU 32 from accessing the ROM 41. Therefore, the verification program Ph, the first key data K1, the first reference data R1, the second key data K2, and the second reference data R2 are not taken out of the HSM 34.

  FIG. 7 is a flowchart showing the procedure of the starting process. When the power supply circuit 54 starts to supply power to the CPU 52, the CPU 52 of the second repeater 22 executes the startup process according to the startup program Pb before executing the second relay process. In the startup process, first, the CPU 52 reads the second control program P2 from the ROM 51 (step S51). Next, the CPU 52 calculates calculation data for calculating related data related to the second control program P2 using, for example, a hash function (step S52). The CPU 52 functions as a calculation unit. In step S52, the CPU 52 calculates calculation data based on the second control program P2 read in step S51.

Next, the CPU 52 writes the calculation data calculated in step S52 into the RAM 35 of the first repeater 21 (step S53). As described above, the CPU 42 of the HSM 34 included in the first repeater 21 reads the calculation data stored in the RAM 35, calculates the related data related to the second control program P2 using the read calculation data, 2 Verify whether the control program P2 is appropriate. In the verification process, the CPU 42 writes stop data, abnormal data, or normal data in the RAM 35.
Reading the relevant data from the RAM 35 corresponds to obtaining the relevant data. Therefore, the CPU 42 also functions as an acquisition unit.

  The power supply circuit 36 of the first repeater 21 and the power supply circuit 54 of the second repeater 22 start supplying power almost simultaneously, and the CPU 52 starts the power supply of the power supply circuit 36 of the first repeater 21. Thereafter, Step S53 is executed. For this reason, the CPU 52 can reliably write the calculation data in the RAM 35.

  After executing step S53, the CPU 52 determines whether stop data is stored in the RAM 35 of the first repeater 21 (step S54). When determining that stop data is not stored (S54: NO), the CPU 52 determines whether abnormal data is stored in the RAM 35 (step S55). When it is determined that stop data is stored (S54: YES), or when it is determined that abnormal data is stored (S55: YES), the CPU 52 instructs the power supply circuit 54 to stop power supply. (Step S56). Thereby, the power supply circuit 54 stops the power supply, and the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c stop operating. CPU52 complete | finishes a starting process, after performing step S56.

As described above, the CPU 42 of the HSM 34 included in the first relay 21 stops the operation of the CPU 42, that is, the operation of the second relay 22 by writing stop data or abnormal data to the RAM 35. The CPU 42 also functions as an operation control unit.
As described above, when the CPU 42 determines that the related data related to the first control program P1 does not match the first reference data R1, it is highly likely that the first control program P1 has been tampered with. Stop data is written to the RAM 35.
On the other hand, if the CPU 42 determines that the related data related to the second control program P2 does not match the second reference data R2, the CPU 42 determines that the second control program P2 is likely to be falsified, and outputs abnormal data. Write to RAM 35. Thereby, the operation of the second repeater 22 is stopped.

  When the CPU 52 determines that the abnormal data is stored in step S55 and executes step S56, the power supply circuit 36 of the first repeater 21 does not stop the power supply, and the CPU 32 of the first repeater 21 has the first function. Perform relay processing. For this reason, the operation of the second repeater 22 stops, but the first repeater 21 relays communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b.

  For example, each of the ECUs 12 a, 12 a, 12 b, and 12 b controls an electric device such as a headlight or a wiper motor that has a minimum necessary function for driving the vehicle 100, and each of the in-vehicle devices 13 a, 13 b, and 13 c operates the vehicle 100. It is assumed that the camera or the display is not always necessary. In this case, if the first control program P1 is appropriate, the driver can drive the vehicle 100 even if the second control program P2 is not appropriate.

  When determining that abnormal data is not stored (S55: NO), the CPU 52 determines whether normal data is stored in the RAM 35 of the first repeater 21 (step S57). If the CPU 52 determines that normal data is not stored (S57: NO), it executes step S54 and waits until stop data, abnormal data, or normal data is stored in the RAM 35.

  If the CPU 42 of the HSM 34 included in the first repeater 21 executes step S36 of the verification process before the CPU 52 executes step S54, the data is not stored in the RAM 35. , S57 is repeated indefinitely. Therefore, in the startup process, when the time during which the determinations of steps S54, S55, and S57 are repeated exceeds the second predetermined time, the CPU 52 determines that the first control program P1 is not appropriate and executes step S56. May be.

  When it is determined that normal data is stored (S57: YES), the CPU 52 ends the activation process. Thereafter, the CPU 52 executes a second relay process.

  In the relay device 11 configured as described above, the CPU 32 of the HSM 34 included in the first repeater 21 verifies that the second control program P2 is appropriate. For this reason, it is not necessary to provide the 2nd repeater 22 with the structure part similar to HSM34 which has a verification function. As a result, the relay device 11 is small, and the manufacturing cost of the relay device 11 is low.

  Further, the CPU 52 of the second repeater 22 calculates the calculation data of the second control program P2, and writes the calculated calculation data in the RAM 35 of the first repeater 21. The data amount of the operation data of the second control program P2 is smaller than the data amount of the second control program P2. For this reason, in order to verify that the second control program P2 is appropriate, the amount of data transferred from the second repeater 22 to the first repeater 21 is small. As a result, the time required for verification is short.

(Embodiment 2)
FIG. 8 is a block diagram illustrating a main configuration of the communication system 1 according to the second embodiment.
In the following, the differences between the second embodiment and the first embodiment will be described. Since the configuration other than the configuration described later is the same as that in the first embodiment, the same reference numerals as those in the first embodiment are given to the components common to the first embodiment, and the description thereof is omitted. To do.

  In the communication system 1 in the second embodiment, the configuration of the relay device 11 is different from that in the communication system 1 in the first embodiment. The relay apparatus 11 according to the second embodiment includes a memory 23 in addition to the first relay machine 21 and the second relay machine 22. The memory 23 is connected to the second repeater 22. The memory 23 is a nonvolatile memory. The memory 23 stores a second control program P2. The second control program P2 is read from the memory 23 by the second relay 22.

  FIG. 9 is a block diagram showing a main configuration of the second repeater 22. The second repeater 22 in the second embodiment includes an interface 61 and a RAM 62 in addition to the components included in the second repeater 22 in the first embodiment. The interface 61 and the RAM 62 are also connected to the bus 55. The interface 61 is further connected to the memory 23.

The CPU 52 reads the second control program P2 from the memory 23 via the interface 61. Further, the CPU 52 writes various data to the RAM 62 and reads data from the RAM 62.
Note that the second control program P2 is not stored in the ROM 51 in the second embodiment.

  The power supply circuit 54 supplies power to the interface 61 and the RAM 62 in addition to the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c. Each of the interface 61 and the RAM 62 operates while power is supplied from the power supply circuit 54. When the power supply circuit 54 stops supplying power, the data stored in the RAM 62 is erased.

  FIG. 10 is a flowchart showing the procedure of the startup process. Also in the second embodiment, when the power supply circuit 54 starts supplying power to the CPU 52, the CPU 52 of the second repeater 22 executes the startup process according to the startup program Pb before executing the second relay process. . Steps S65 to S68 of the activation process in the second embodiment are the same as steps S54 to S57 of the activation process in the first embodiment. For this reason, detailed description of steps S65 to S68 is omitted.

  In the startup process according to the second embodiment, first, the CPU 52 reads the second control program P2 from the memory 23 via the interface 61 (step S61), and writes the read second control program P2 to the RAM 62 (step S62). ). Next, the CPU 52 calculates calculation data for calculating related data related to the second control program P2 using, for example, a hash function (step S63).

  Next, the CPU 52 writes the calculation data calculated in step S64 into the RAM 35 of the first repeater 21 (step S64), and executes step S65.

As in the second embodiment, when the CPU 52 determines that normal data is stored in the RAM 35 of the first repeater 21 in step S68 and ends the activation process, the CPU 52 stores the normal data in the RAM 62 of the second repeater 22. The second relay process is executed in accordance with the second control program P2.
The relay device 11 according to the second embodiment configured as described above has the same effect as the relay device 11 according to the first embodiment.

(Embodiment 3)
11 and 12 are flowcharts showing the procedure of the verification process according to the third embodiment.
In the following, the differences between the third embodiment and the first embodiment will be described. Since the configuration other than the configuration described later is the same as that in the first embodiment, the same reference numerals as those in the first embodiment are given to the components common to the first embodiment, and the description thereof is omitted. To do.

  In the communication system 1 according to the third embodiment, as compared with the communication system 1 according to the first embodiment, the contents of the verification process executed by the CPU 42 of the HSM 34 included in the first repeater 21 and the CPU 52 of the second repeater 22 are different. The contents of the startup process to be executed are different.

  As in the first embodiment, the CPU 42 of the HSM 34 executes the verification process before executing the first relay process when the power supply circuit 54 starts to supply power to the CPU 42. While the CPU 42 executes the verification process, the CPU 32 stops operating. Steps S75, S76, S87, and S88 of the verification process in the third embodiment are the same as steps S35, S36, S41, and S42 of the verification process in the first embodiment. For this reason, detailed description of steps S75, S76, S87, and S88 is omitted.

  In the verification process in the third embodiment, first, the CPU 42 reads the first control program P1 from the ROM 31 (step S71), and based on the read first control program P1, the first relation related to the first control program P1. First calculation data for calculating data is calculated (step S72). In step S72, the CPU 42 calculates the first calculation data using, for example, a hash function.

  Next, the CPU 42 calculates the first related data related to the first control program P1 based on the first calculation data calculated in Step S72 and the first key data K1 stored in the ROM 41 (Step S72). In step S73, it is determined whether or not the calculated first related data matches the first reference data R1 (step S74). The CPU 42 verifies that the first control program P1 is appropriate by executing step S74. The fact that the first related data matches the first reference data R1 indicates that the first control program P1 is appropriate. The fact that the first related data does not match the first reference data R1 indicates that the first control program P1 is not appropriate, that is, the possibility that the first control program P1 has been tampered with is high.

  If the CPU 42 determines that the first related data does not match the first reference data R1 (S74: NO), the CPU 42 sequentially executes steps S75 and S76. Thereby, the power supply circuit 36 stops the power supply to the ROM 31, the CPU 32, the communication units 33a and 33b, the HSM 34, and the RAM 35, and the first repeater 21 stops its operation. After executing step S76, the CPU 42 ends the verification process.

  When it is determined that the first related data matches the first reference data R1 (S74: YES), the CPU 42 generates random number data (step S77). The random number data is, for example, an enumeration of numerical values represented by “1” or “0”, and indicates a random number. In step S77, the CPU 42 determines an initial value and generates random number data based on the determined initial value. For example, the CPU 42 determines the initial value based on the time when step S77 is executed. In this case, when the time at which step S77 is executed is different, the content of the random number data generated at step S77 is changed. The time also includes the date.

  As described above, each time the power supply circuit 54 starts supplying power to the CPU 42, the verification process is executed. In the verification process that is repeatedly executed, the time at which step S77 is executed differs from each other. For this reason, the initial values determined based on these times are also different from each other. As a result, when the initial value is determined based on the time when step S77 is executed, the content of the random number data generated in step S77 is different from any of the content of the random number data generated in the past step S77. The CPU 42 also functions as a random number generator.

  Next, the CPU 42 writes the random number data generated in step S77 into the RAM 35 (step S78). In the activation process in the third embodiment, the CPU 52 of the second repeater 22 uses the second related data related to the second control program P2 based on the random number data written in step S78 and the second control program P2. The second calculation data for calculating is calculated, and the calculated second calculation data is written in the RAM 35.

  After executing Step S78, the CPU 42 of the HSM 34 determines whether or not the second calculation data is stored in the RAM 35 (Step S79). When the CPU 42 determines that the second calculation data is not stored (S79: NO), the CPU 42 executes step S79 again and waits until the CPU 52 of the second relay 22 writes the second calculation data in the RAM 35.

  When the CPU 42 determines that the second calculation data is stored (S79: YES), the CPU 42 reads the second calculation data from the RAM 35 (step S80), and the read second calculation data and the second calculation data stored in the ROM 41 are stored. Based on the two-key data K2, the second related data is calculated (step S81).

  Next, the CPU 42 reads the second reference data R2 from the ROM 41 (step S82), and generates the first combined data by combining the read second reference data R2 and the random number data generated in step S77. (Step S83). In step S83, the CPU 42 generates first composite data by adding random number data to the tail of the second reference data R2, for example. Next, the CPU 42 calculates first intermediate data based on the first composite data generated in step S83 (step S84). In step S84, the CPU 42 calculates the first intermediate data using, for example, a hash function.

Next, the CPU 42 calculates third reference data based on the first intermediate data calculated in step S84 and the second key data K2 stored in the ROM 41 (step S85).
As described above, the CPU 42 calculates the third reference data based on the random number data, the second reference data R2, and the second key data K2. The CPU 42 functions as a reference data calculation unit.

  Next, the CPU 42 determines whether or not the second related data calculated in step S81 matches the third reference data calculated in step S86 (step S86). The CPU 42 also verifies that the second control program P2 is appropriate by executing step S86. If the CPU 42 determines that the second related data matches the third reference data (S86: YES), the CPU 42 executes step S87, assuming that the second control program P2 is appropriate. When the CPU 42 determines that the second related data does not match the third reference data (S86: NO), the second control program P2 is not appropriate, that is, the second control program P2 may be falsified. As high, step S88 is executed. After executing one of steps S87 and S88, the CPU 42 ends the verification process. After completing the verification process, the CPU 42 of the HSM 34 stops operating until the power supply circuit 36 temporarily stops power supply and restarts power supply. After the CPU 42 finishes the verification process, the CPU 32 executes the appropriate first control program P1.

  FIG. 13 is a flowchart showing the procedure of the startup process. As in the first embodiment, the CPU 52 of the second repeater 22 executes the startup process according to the startup program Pb before executing the second relay process when the power supply circuit 54 starts supplying power to the CPU 52. To do. In the activation process, first, the CPU 52 determines whether stop data is stored in the RAM 35 (step S91). When determining that stop data is not stored (S91: NO), the CPU 52 determines whether random number data is stored in the RAM 35 (step S92).

If it is determined that random number data is not stored (S92: NO), the CPU 52 executes step S91 and waits until the CPU 42 of the HSM 34 writes stop data or random number data to the RAM 35.
In addition, when CPU42 of HSM34 performs step S76 of a verification process before CPU52 performs step S91, since data is not memorize | stored in RAM35, CPU52 repeats the determination of step S91, S92 infinitely. For this reason, in the startup process, the CPU 52 determines that the first control program P1 is not appropriate when the time during which the determinations of steps S91 and S92 are repeated exceeds the third predetermined time, and executes step S99. Good.

  When it is determined that random number data is stored (S92: YES), the CPU 52 reads the second control program P2 from the ROM 51 (step S93), and calculates the second intermediate data based on the read second control program P2. (Step S94). In step S94, the CPU 52 calculates the second intermediate data using, for example, a hash function.

Next, the CPU 52 generates second synthesized data by synthesizing the second intermediate data calculated in step S94 and the random number data stored in the RAM 35 (step S95). In step S95, for example, the CPU 52 generates second composite data by adding random number data to the end of the second intermediate data. Next, the CPU 52 calculates second calculation data for calculating second related data based on the second composite data generated in step S95 (step S96). In step S96, the CPU 52 calculates the second calculation data using, for example, a hash function.
As described above, the CPU 52 calculates the second calculation data based on the second control program P2, the random number data, and the second key data K2.

  Next, the CPU 52 writes the second calculation data calculated in step S96 into the RAM 35 (step S97). As described above, the CPU 42 of the HSM 34 reads the second calculation data stored in the RAM 35, calculates the second related data based on the read second calculation data, and whether the second control program P2 is appropriate. Verify whether or not. The CPU 42 writes normal data or abnormal data in the RAM 35 based on the verification result.

  After executing step S97, the CPU 52 determines whether abnormal data is stored in the RAM 35 (step S98). If the CPU 52 determines that stop data is stored (S91: YES) or determines that abnormal data is stored (S98: YES), the CPU 52 instructs the power supply circuit 54 to stop power supply. (Step S99). Thereby, the power supply circuit 54 stops the power supply, and the ROM 51, the CPU 52, and the communication units 53a, 53b, and 53c stop operating. CPU52 complete | finishes a starting process, after performing step S99.

As described above, the CPU 42 of the HSM 34 stops the operation of the CPU 42, that is, the operation of the second repeater 22 by writing stop data or abnormal data in the RAM 35.
As described above, when the CPU 42 determines that the first related data related to the first control program P1 does not match the first reference data R1, it is highly likely that the first control program P1 has been tampered with. The stop data is written in the RAM 35.
On the other hand, if the CPU 42 determines that the second related data related to the second control program P2 does not match the third reference data, the CPU 42 determines that the second control program P2 is likely to be falsified, and abnormal data. Is written into the RAM 35. Thereby, the operation of the second repeater 22 is stopped.

  When the CPU 52 determines that the abnormal data is stored in step S98 and executes step S99, the power circuit 36 of the first repeater 21 does not stop the power supply, and the CPU 32 of the first repeater 21 does not stop the first. Perform relay processing. For this reason, the operation of the second repeater 22 stops, but the first repeater 21 relays communication between one of the ECUs 12a and 12a and one of the ECUs 12b and 12b.

  When determining that abnormal data is not stored (S98: NO), the CPU 52 determines whether normal data is stored in the RAM 35 (step S100). When determining that normal data is not stored (S100: NO), the CPU 52 executes step S98 and waits until the CPU 42 of the HSM 34 writes normal data or abnormal data into the RAM 35. When it is determined that normal data is stored (S100: YES), the CPU 52 ends the activation process. Thereafter, the CPU 52 executes a second relay process.

  FIG. 14 is an explanatory diagram of verification of the second control program P2. As described above, the CPU 52 of the second repeater 22 calculates the second intermediate data based on the second control program P2. Next, the CPU 52 generates the second combined data by combining the calculated second intermediate data and the random number data generated by the CPU 42 of the HSM 34. The CPU 52 calculates second calculation data based on the generated second composite data, and writes the calculated second calculation data in the RAM 35 of the first repeater 21.

The CPU 42 of the HSM 34 calculates the second related data based on the second calculation data stored in the RAM 35 and the second key data K2.
Further, the CPU 42 generates the first combined data by combining the second reference data R2 and the random number data. The CPU 42 calculates first intermediate data based on the generated first composite data. The CPU 42 calculates third reference data based on the calculated first intermediate data and the second key data K2. The CPU 42 verifies the second control program P2 by determining whether or not the second related data matches the third calculation data.

  The method of generating the second combined data by combining the second intermediate data and the random number data is the same as the method of generating the first combined data by combining the second reference data and the random number data. . The method of calculating the second calculation data based on the second composite data is the same as the method of calculating the first intermediate data based on the first composite data. The method of calculating the second related data based on the second calculation data and the second key data K2 is the same as the method of calculating the third reference data based on the first intermediate data and the second key data K2. It is.

When the second control program P2 is appropriate, the second reference data R2 matches the second intermediate data. In this case, the second composite data, the second calculation data, and the second related data are identical to the first composite data, the first intermediate data, and the third reference data, and normal data is written into the RAM 35.
As described above, every time the verification process is executed, the content of the random number data is changed. For this reason, in the current verification process, when the second calculation data calculated in the previous verification process is written in the RAM 35, the second related data does not match the third reference data, so the second control program P2 is not appropriate. It is determined that there is no.

  The following method can be considered as a method of falsifying the second control program P2. After the calculation data calculated in the past verification process is stored, the second control program P2 is falsified, and in the subsequent verification process, the stored calculation data is written in the RAM 35. Even if this method is used in the relay apparatus in the third embodiment, since the alteration of the second control program P2 is detected, the reliability of the verification result of the second control program P2 is high.

  Further, the CPU 42 of the HSM 34 calculates the third reference data based on the second key data K2, the random number data, and the second reference data R2, and the CPU 52 of the second repeater 22 stores the second calculation data and the second key. Since the second related data is calculated based on the data K2, the reliability of the verification result of the second control program P2 is higher.

  In the relay apparatus 11 configured as described above, the CPU 32 of the HSM 34 included in the first repeater 21 verifies the second control program P2. For this reason, since the 2nd relay machine 22 does not need to have the verification function of the 2nd control program P2, the relay apparatus 11 is small and the manufacturing cost of the relay apparatus 11 is cheap.

The CPU 52 of the second repeater 22 calculates the second calculation data of the second control program P2, and writes the calculated second calculation data into the RAM 35 of the first repeater 21. The data amount of the second calculation data is smaller than the data amount of the second control program P2. For this reason, in order to verify that the second control program P2 is appropriate, the amount of data transferred from the second repeater 22 to the first repeater 21 is small. As a result, the time required for verification is short.
Moreover, the relay apparatus 11 in Embodiment 3 has the same effect as the relay apparatus 11 in Embodiment 1.

  In the second embodiment, the CPU 52 of the second repeater 22 may execute the startup process in the third embodiment. In this case, in the startup process, the CPU 52 executes steps S61 and S62 in the second embodiment instead of step S93. In step S94, second intermediate data is calculated based on the second control program P2 read in step S61.

(Embodiment 4)
In the relay device 11 according to the third embodiment, the CPU 42 of the HSM 34 calculates the first related data based on the first key data K1, and calculates the second related data and the third reference data based on the second key data K2. ing. However, the CPU 42 does not have to perform calculations based on the first key data K1 and K2.
Hereinafter, the differences between the fourth embodiment and the third embodiment will be described. Since the configuration other than the configuration described later is the same as that of the third embodiment, the same reference numerals as those of the third embodiment are assigned to the same components as those of the third embodiment, and the description thereof is omitted. To do.

  In the communication system 1 according to the fourth embodiment, compared to the communication system 1 according to the third embodiment, the contents of the verification process executed by the CPU 42 of the HSM 34 included in the first relay 21 and the CPU 52 of the second relay 22 are different. The contents of the startup process to be executed are different.

  15 and 16 are flowcharts showing the procedure of the verification process in the fourth embodiment. Similarly to the third embodiment, the CPU 42 of the HSM 34 executes the verification process before executing the first relay process when the power supply circuit 54 starts supplying power to the CPU 42. While the CPU 42 executes the verification process, the CPU 32 stops operating. Steps S111, S113 to S117, S119, S120, S124, and S125 of the verification process in the fourth embodiment are the same as steps S71, S74 to S78, S82, S83, S87, and S88 of the verification process in the third embodiment. is there. For this reason, detailed description of steps S111, S113 to S117, S119, S120, S124, and S125 is omitted.

  In the verification process, after executing Step S111, the CPU 42 of the HSM 34 calculates first related data related to the first control program P1 based on the first control program P1 read in Step S111 (Step S112). In step S112, the CPU 42 calculates the first related data using, for example, a hash function. After executing step S112, the CPU executes step S113.

  In step S117, the CPU 42 writes random number data in the RAM 35 as in the third embodiment. In the activation process according to the fourth embodiment, the CPU 52 of the second repeater 22 uses the second related data related to the second control program P2 based on the random number data written in step S117 and the second control program P2. And the calculated second related data is written in the RAM 35.

  After executing step S117, the CPU 42 determines whether or not the second related data is stored in the RAM 35 (step S118). When determining that the second related data is not stored (S118: NO), the CPU 42 executes step S118 again and waits until the CPU 52 of the second relay 22 writes the second related data in the RAM 35.

CPU42 performs step S119, S120, when it determines with 2nd relevant data being memorize | stored (S118: YES). Next, the CPU 42 calculates third reference data based on the first composite data generated in step S120 (step S121). In step S121, the CPU 42 calculates the third reference data using, for example, a hash function.
As described above, the CPU 42 calculates the third reference data based on the random number data and the second reference data R2.

  Next, the CPU 42 reads second related data from the RAM 35 (step S122). Thereby, CPU42 acquires the 2nd relevant data which CPU52 of the 2nd repeater 22 computed. Next, the CPU 42 determines whether or not the second related data read in step S122 matches the third reference data calculated in step S121 (step S123). The CPU 42 also verifies that the second control program P2 is appropriate by executing step S123.

  When the CPU 42 determines that the second related data matches the third reference data (S123: YES), the CPU 42 executes step S124 on the assumption that the second control program P2 is appropriate. When the CPU 42 determines that the second related data does not match the third reference data (S123: NO), the second control program P2 is not appropriate, that is, the second control program P2 may be falsified. If it is higher, step S125 is executed. After executing one of steps S124 and S125, the CPU 42 ends the verification process. After completing the verification process, the CPU 42 of the HSM 34 stops operating until the power supply circuit 36 temporarily stops power supply and restarts power supply. After the CPU 42 finishes the verification process, the CPU 32 executes the appropriate first control program P1.

  FIG. 17 is a flowchart showing the procedure of the starting process. As in the third embodiment, the CPU 52 of the second repeater 22 executes the startup process according to the startup program Pb before executing the second relay process when the power supply circuit 54 starts supplying power to the CPU 52. To do. Steps S131 to S135 and S138 to S140 of the activation process in the fourth embodiment are the same as steps S91 to S95 and S98 to S100, respectively. For this reason, detailed description of steps S131 to S135 and S138 to S140 is omitted.

In the activation process, the CPU 52 of the second repeater 22 calculates the second related data based on the second composite data generated in step S135 after executing step S135 (step S136). In step S136, the CPU 52 calculates the second related data using, for example, a hash function.
As described above, the CPU 52 calculates the second calculation data based on the second control program P2 and the random number data. In the fourth embodiment, not the CPU 42 of the HSM 34 but the CPU 52 of the second repeater 22 functions as a related data calculation unit.

  Next, the CPU 52 writes the second related data calculated in step S136 into the RAM 35 (step S137), and executes step S138.

  FIG. 18 is an explanatory diagram of the verification of the second control program P2. As in the third embodiment, the CPU 52 of the second repeater 22 calculates second intermediate data based on the second control program P2. Next, the CPU 52 generates the second combined data by combining the calculated second intermediate data and the random number data generated by the CPU 42 of the HSM 34. The CPU 52 calculates the second related data based on the generated second composite data, and writes the calculated second related data in the RAM 35 of the first repeater 21.

  As in the third embodiment, the CPU 42 of the HSM 34 generates the first combined data by combining the second reference data R2 and the random number data. The CPU 42 calculates third reference data based on the generated first composite data. The CPU 42 verifies the second control program P2 by determining whether or not the second related data calculated by the CPU 52 of the second repeater 22 matches the third reference data.

  The method of generating the second combined data by combining the second intermediate data and the random number data is the same as the method of generating the first combined data by combining the second reference data and the random number data. . The method of calculating the second related data based on the second composite data is the same as the method of calculating the third reference data based on the first composite data.

When the second control program P2 is appropriate, the second reference data R2 matches the second intermediate data. In this case, the second combined data and the second related data respectively match the first combined data and the third reference data, and normal data is written in the RAM 35.
As described above, every time the verification process is executed, the content of the random number data is changed. For this reason, every time the verification process is executed, the second related data read from the RAM 35 is changed. In the current activation process, when the second related data calculated in the previous activation process is written in the RAM 35, the second related data does not match the third reference data, so it is determined that the second control program P2 is not appropriate. Is done. As a result, as in the third embodiment, the reliability of the verification result of the second control program P2 is high.

  In the verification process and the activation process in the fourth embodiment, the first key data K1 and the second key data K2 are not used. For this reason, it is not necessary to store the first key data K1 and the second key data K2 in the ROM 41 of the HSM 34.

Further, the CPU 52 of the second repeater 22 calculates second related data related to the second control program P2, and writes the calculated second related data in the RAM 35 of the first repeater 21. The data amount of the second related data is smaller than the data amount of the second control program P2. For this reason, in order to verify that the second control program P2 is appropriate, the amount of data transferred from the second repeater 22 to the first repeater 21 is small. As a result, the time required for verification is short.
The relay device 11 according to the fourth embodiment obtains the third reference data based on the effect obtained by calculating the calculation data and the second key data K2 among the effects exhibited by the relay device 11 according to the third embodiment. Other effects are obtained in the same manner except for the effect obtained by the calculation.

  In the second embodiment, the CPU 52 of the second repeater 22 may execute the startup process in the fourth embodiment. In this case, in the startup processing, the CPU 52 needs to execute steps S61 and S62 in the second embodiment instead of step S133, and the first key data K1 and the second key data K2 are stored in the ROM 41 of the HSM 34. There is no. In step S134, second intermediate data is calculated based on the second control program P2 read in step S61.

  In the third embodiment, the second calculation data calculated based on the second synthesized data generated by synthesizing the second intermediate data and the random number data synthesizes the second control program P2 and the random number data. If the data is the same as the data calculated based on the data generated by this, the calculation of the second intermediate data may be omitted. In this case, the CPU 52 of the second repeater 22 generates the second combined data based on the second control program P2 and the random number data in the startup process.

  Similarly, in the fourth embodiment, the second related data calculated based on the second synthesized data generated by synthesizing the second intermediate data and the random number data synthesizes the second control program P2 and the random number data. When the data is the same as the data calculated based on the data generated by doing so, the calculation of the second intermediate data may be omitted. In this case, the CPU 52 of the second repeater 22 generates the second combined data based on the second control program P2 and the random number data in the startup process.

  Moreover, in Embodiment 1-4, the structure which stops operation | movement of the 2nd relay machine 22 is not limited to the structure which stops the power supply to the power supply circuit 54 of the 2nd relay machine 22, For example, a battery and a power supply circuit 54 may be configured to turn off a switch provided in the middle of the power line that connects to 54. In this case, when the switch is turned off, the power supply circuit 54 stops operating. As a result, the power supply circuit 54 stops the power supply.

Similarly, the configuration for stopping the operation of the first repeater 21 is not limited to the configuration for stopping the power supply to the power supply circuit 36 of the first repeater 21, for example, the power line connecting the battery and the power supply circuit 36. A configuration may be adopted in which a switch provided in the middle is turned off. In this case, when the switch is turned off, the power supply circuit 36 stops operating. As a result, the power supply circuit 36 stops supplying power.
Furthermore, when the CPU 42 of the HSM 34 included in the first repeater 21 determines that the second control program P2 is not appropriate, not only the operation of the second repeater 22 but also the operation of the first repeater 21 is stopped. May be.

  Further, the communication protocol used in the communication relayed by the first repeater 21 is not limited to the CAN protocol. Furthermore, the communication protocol used in the communication relayed by the first relay 21 may be the same as the communication protocol used in the communication relayed by the second relay 21.

  In the first, second, and third embodiments, the calculation data or the second calculation data of the second control program P2 is calculated not by the CPU 52 of the second repeater 22 but by the CPU 42 of the HSM 34 that the first repeater 21 has. May be. In this case, the CPU 52 of the second repeater 22 writes the second control program P2 in the RAM 35 of the first repeater 21 in the startup process.

  In the first to fourth embodiments, the number of communication lines connected to the first repeater 21 is not limited to 2, and may be 3 or more. Furthermore, the number of ECUs connected to each communication line is not limited to 2, and may be 1 or 3 or more. Further, the number of ECUs connected to each communication line may be different from the number of ECUs connected to other communication lines. A plurality of ECUs may be directly connected to the first repeater 21 similarly to the in-vehicle devices 13a, 13b, and 13c.

Further, the number of in-vehicle devices connected to the second repeater 22 is not limited to 3, and may be 2 or 4 or more. Furthermore, a plurality of communication lines may be connected to the second repeater 22, and one or a plurality of in-vehicle devices may be connected to each communication line. In this case, the second relay 22 relays communication between one in-vehicle device connected to one communication line and one in-vehicle device connected to another communication line.
Further, the conversion from the ECU data to the device data and the conversion from the device data to the ECU data may be performed by the CPU 52 of the second repeater 22.

  The disclosed first to fourth embodiments are examples in all respects and should be considered not to be restrictive. The scope of the present invention is defined by the terms of the claims, rather than the meanings described above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.

11 Relay device (on-vehicle device)
12a, 12b ECU (first communication device)
13a, 13b, 13c In-vehicle device (second communication device)
21 First repeater (first in-vehicle device)
22 Second repeater (second in-vehicle device)
32 CPU (first processing unit, processing unit, conversion unit)
34 HSM (Verifier)
41 ROM (storage unit, second storage unit)
42 CPU (related data calculation unit, determination unit, random number generation unit, reference data calculation unit, operation control unit, calculation unit, second calculation unit, second determination unit, acquisition unit)
52 CPU (second processing unit, related data calculation unit, calculation unit)
100 vehicle K1 key data (second key data)
K2 key data P1 first control program (second control program)
P2 Second control program Ph verification program

FIG. 6 is a flowchart showing the procedure of the verification process. The CPU 42 of the HSM 34 included in the first repeater 21 executes the verification process before executing the first relay process when the power supply circuit 54 starts supplying power to the CPU 42. As described above, while the CPU 42 executes the verification process, the CPU 32 stops operating. In the verification process, first, the CPU 42 reads the first control program P1 from the ROM 31 (step S31). Next, the CPU 42 calculates calculation data for calculating related data related to the first control program P1 using, for example, a hash function (step S32). In step S32, the CPU 42 calculates calculation data based on the first control program P1 read in step S31.

Similar to the first embodiment, CPU 52, when normal data in step S68 is completed activation processing is determined to have been stored in the RAM35 of the first relay device 21, are stored in the RAM62 of the second relay apparatus 22 The second relay process is executed in accordance with the second control program P2.
The relay device 11 according to the second embodiment configured as described above has the same effect as the relay device 11 according to the first embodiment.

Next, the CPU 42 determines whether or not the second related data calculated in step S81 matches the third reference data calculated in step S85 (step S86). The CPU 42 also verifies that the second control program P2 is appropriate by executing step S86. If the CPU 42 determines that the second related data matches the third reference data (S86: YES), the CPU 42 executes step S87, assuming that the second control program P2 is appropriate. When the CPU 42 determines that the second related data does not match the third reference data (S86: NO), the second control program P2 is not appropriate, that is, the second control program P2 may be falsified. As high, step S88 is executed. After executing one of steps S87 and S88, the CPU 42 ends the verification process. After completing the verification process, the CPU 42 of the HSM 34 stops operating until the power supply circuit 36 temporarily stops power supply and restarts power supply. After the CPU 42 finishes the verification process, the CPU 32 executes the appropriate first control program P1.

The CPU 42 of the HSM 34 calculates the second related data based on the second calculation data stored in the RAM 35 and the second key data K2.
Further, the CPU 42 generates the first combined data by combining the second reference data R2 and the random number data. The CPU 42 calculates first intermediate data based on the generated first composite data. The CPU 42 calculates third reference data based on the calculated first intermediate data and the second key data K2. The CPU 42 verifies the second control program P2 by determining whether or not the second related data matches the third reference data.

(Embodiment 4)
In the relay device 11 according to the third embodiment, the CPU 42 of the HSM 34 calculates the first related data based on the first key data K1, and calculates the second related data and the third reference data based on the second key data K2. ing. However, the CPU 42 does not have to perform a calculation based on the first key data K1 and the second key data K2.
Hereinafter, the differences between the fourth embodiment and the third embodiment will be described. Since the configuration other than the configuration described later is the same as that of the third embodiment, the same reference numerals as those of the third embodiment are assigned to the same components as those of the third embodiment, and the description thereof is omitted. To do.

Further, the communication protocol used in the communication relayed by the first repeater 21 is not limited to the CAN protocol. Furthermore, the communication protocol used in the communication relayed by the first relay 21 may be the same as the communication protocol used in the communication relayed by the second relay 22 .

11 Relay device (on-vehicle device)
12a, 12b ECU (first communication device)
13a, 13b, 13c In-vehicle device (second communication device)
21 First repeater (first in-vehicle device)
22 Second repeater (second in-vehicle device)
32 CPU (first processing unit, processing unit, conversion unit)
34 HSM (Verifier)
41 ROM (storage unit, second storage unit)
42 CPU (related data calculation unit, determination unit, random number generation unit, reference data calculation unit, operation control unit, calculation unit, second calculation unit, second determination unit, acquisition unit)
52 CPU (second processing unit, related data calculation unit, calculation unit)
100 vehicle K1 first key data (second key data)
K2 second key data P1 first control program (second control program)
P2 Second control program Ph verification program

Claims (14)

A first in-vehicle device comprising: a first processing unit that executes processing according to a first control program; and a verifier that verifies the first control program using other hardware different from the hardware constituting the first processing unit In-vehicle device comprising:
A second in-vehicle device having a second processing unit for executing processing according to the second control program;
A related data calculation unit for calculating related data related to the second control program,
The in-vehicle device, wherein the verifier includes a determination unit that determines whether or not the related data calculated by the related data calculation unit matches reference data. The in-vehicle device according to claim 1, wherein the first control program is verified by the verification device when the other hardware executes the verification program. The verifier of the first in-vehicle device is
The related data calculation unit;
A random number generator for generating random number data;
A random number data generated by the random number generation unit, and a reference data calculation unit that calculates the reference data based on predetermined data;
The second vehicle-mounted device has a calculation unit that calculates calculation data for calculating the related data based on the second control program and random number data,
The in-vehicle device according to claim 1, wherein the related data calculation unit of the verifier calculates the related data based on the calculation data calculated by the calculation unit. The verifier of the first vehicle-mounted device has a storage unit in which key data is stored,
The reference data calculation unit calculates the reference data based on the key data stored in the storage unit, the random number data, and the predetermined data,
The in-vehicle device according to claim 3, wherein the related data calculation unit calculates the related data based on the calculation data and key data. The verifier of the first in-vehicle device is
A random number generator for generating random number data;
A random number data generated by the random number generation unit, and a reference data calculation unit that calculates the reference data based on predetermined data;
The second in-vehicle device has the related data calculation unit,
The in-vehicle device according to claim 1, wherein the related data calculation unit calculates the related data based on the second control program and random number data. The operation control unit that stops the operation of the second onboard device when the determination unit of the verifier determines that the related data does not match the reference data. The in-vehicle device according to claim 5. A first relay that relays communication between a plurality of first communication devices; and a second relay that executes processing according to a control program and relays communication between the plurality of second communication devices. The machine and the second relay machine are vehicle relay devices that relay communication between the first communication device and the second communication device,
The first repeater is
A storage unit storing key data; and
A calculation unit that calculates related data related to the control program of the second relay using the key data;
And a determination unit that determines whether or not the related data calculated by the calculation unit matches predetermined data. The operation control unit for stopping the operation of the second repeater when the determination unit of the first repeater determines that the related data does not match the predetermined data. 8. The relay device according to 7. The second relay has a calculation unit for calculating calculation data for calculating the related data,
The first repeater has an acquisition unit that acquires calculation data calculated by the calculation unit;
The relay according to claim 7 or 8, wherein the calculation unit of the first repeater calculates the related data using the key data and the calculation data acquired by the acquisition unit. apparatus. The first repeater is
A processing unit that executes processing according to the second control program;
A second storage unit storing second key data;
A second computing unit that computes second related data related to the second control program using the second key data;
The second determination unit that determines whether or not the second related data calculated by the second calculation unit matches the second predetermined data. The relay apparatus as described in any one. Data corresponding to the first protocol used in communication between the plurality of first communication devices is converted into data corresponding to the second protocol used in communication between the plurality of second communication devices, and the second protocol is supported The relay device according to claim 7, further comprising: a conversion unit that converts data to be converted into data corresponding to the first protocol. A first in-vehicle device comprising: a first processing unit that executes processing according to a first control program; and a verifier that verifies the first control program using other hardware different from the hardware constituting the first processing unit And a computer program executed by the verifier of the in-vehicle device comprising a second in-vehicle device that executes processing according to the second control program,
Calculating related data related to the second control program;
A computer program for causing a computer to execute a process of determining whether or not the calculated related data matches the reference data. A first in-vehicle device comprising: a first processing unit that executes processing according to a first control program; and a verifier that verifies the first control program using other hardware different from the hardware constituting the first processing unit And a computer program executed by the verifier of the in-vehicle device comprising a second in-vehicle device that executes processing according to the second control program,
Obtaining related data relating to the second control program;
A computer program that causes a computer to execute a process of determining whether or not acquired related data matches reference data. A first relay that relays communication between a plurality of first communication devices; and a second relay that executes processing according to a control program and relays communication between the plurality of second communication devices. The machine and the second relay machine are computer programs executed by the first relay machine in the vehicle relay device that relays communication between the first communication device and the second communication device,
Using the key data stored in advance, calculate related data related to the control program of the second repeater,
A computer program for causing a computer to execute a process of determining whether or not the calculated related data matches predetermined data.

Images