CN105159707A - Secure financial terminal firmware programming method and financial terminal - Google Patents

Publication number: CN105159707A
Application number: CN201510500802.3A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN105159707B (en)
Legal status: Granted
Inventors: 陆舟, 于华章
Original and current assignee: Feitian Technologies Co Ltd
Abstract

The present invention discloses a secure financial terminal firmware programming method and a financial terminal and belongs to the field of financial security. The method comprises: the financial terminal, according to instructions issued by an upper computer, completes establishment of a security environment, downloading and update of a secure boot, downloading and update of application firmware and downloading and update of secure firmware. The financial terminal comprises a communication module, a security environment establishment module, a secure boot downloading and updating module, an application firmware downloading and updating module and a secure firmware downloading and updating module. The secure financial terminal firmware programming method and the financial terminal have the beneficial effects that potential safety hazards of an existing financial terminal firmware programming method can be avoided and safety of a financial terminal product can be improved.

Description

Firmware programming method for a secure financial terminal, and financial terminal
Technical field
The present invention relates to the field of financial security, and in particular to a firmware programming method for a secure financial terminal and to a financial terminal.
Background
A financial terminal must establish a security environment before it is put into use. Once the security environment has been established, the terminal enters a secure operating mode, in which sensitive data such as keys and passwords can be imported.
In the course of making the present invention, the inventors found that existing firmware programming methods for financial terminals have at least the following security weaknesses:
1. The code that establishes the security environment is included in the formal firmware. On the one hand, this gives an attacker the opportunity to run the security environment establishment flow again; on the other hand, an error or misjudgment in the secure firmware's own code may cause the security environment to be re-established, which creates a security problem.
2. When the formal firmware runs for the first time after programming, it checks for security events (that is, the financial terminal self-check) and stops working once a security event is detected. The firmware program therefore has to perform the security event check conditionally: while the security environment has not yet been established, the check is skipped according to a condition; after the security environment has been established, the condition is set so that the firmware runs the security event check. This gives an attacker the opportunity to forge the condition so that the formal firmware skips the security event check, and in turn to attack the sensitive data inside the financial terminal.
Summary of the invention
The object of the present invention is to overcome these defects of the prior art by providing a firmware programming method for a secure financial terminal, and a financial terminal.
The present invention is achieved through the following technical solutions:
In one aspect, the invention provides a firmware programming method for a secure financial terminal, comprising:
Step S1: the financial terminal receives an instruction issued by the host computer. On receiving an establish-security-environment instruction, it performs step S2; on receiving a secure boot download-and-update instruction, it performs step S3; on receiving an application firmware download-and-update instruction, it performs step S4; on receiving a secure firmware download-and-update instruction, it performs step S5;
Step S2: the financial terminal starts its security detection functions, returns a response to the host computer, and returns to step S1;
Step S3: the financial terminal downloads the formal secure boot, updates the test secure boot in the financial terminal to the formal secure boot, returns a response to the host computer, and returns to step S1;
Step S4: the financial terminal downloads the formal application firmware, updates the test application firmware in the financial terminal to the formal application firmware, returns a response to the host computer, and returns to step S1;
Step S5: the financial terminal downloads the formal secure firmware, updates the test secure firmware in the financial terminal to the formal secure firmware, returns a response to the host computer, and returns to step S1;
Further, step S1 also comprises: on receiving a start-intrusion-detection instruction issued by the host computer, the financial terminal starts the intrusion detection function, returns a response to the host computer, and returns to step S1; on receiving a get-intrusion-detection-state instruction issued by the host computer, it obtains the intrusion detection state, returns the intrusion detection state to the host computer, and returns to step S1;
Step S2 also comprises: the financial terminal initializes the parameter space used to prevent exhaustive (brute-force) attacks;
In step S3, after downloading the formal secure boot, the financial terminal also verifies the formal secure boot. If verification passes, it goes on to update the secure boot in the financial terminal to the formal secure boot; if verification fails, it returns a response directly to the host computer and returns to step S1;
Step S2 also comprises: the financial terminal generates a root key and uses the root key to encrypt the pre-stored application firmware update key. In step S4, after downloading the formal application firmware, the financial terminal also verifies the formal application firmware with the application firmware update key. If verification passes, it goes on, using the application firmware update key, to update the test application firmware in the financial terminal to the formal application firmware; if verification fails, it returns a response directly to the host computer and returns to step S1;
Step S2 also comprises: the financial terminal generates a root key and uses the root key to encrypt the pre-stored secure firmware update key. In step S5, after downloading the formal secure firmware, the financial terminal also verifies the formal secure firmware with the secure firmware update key. If verification passes, it goes on, using the secure firmware update key, to update the test secure firmware in the financial terminal to the formal secure firmware; if verification fails, it returns a response directly to the host computer and returns to step S1;
Before performing step S3, the financial terminal also checks whether the security-environment-established flag is set. If it is set, the terminal performs step S3; if it is not set, the terminal returns an error code to the host computer and returns to step S1. Step S2 also comprises: the financial terminal sets the security-environment-established flag. Before performing step S4 or step S5, the financial terminal also checks whether the secure-boot-updated flag is set. If it is set, the terminal performs step S4 or step S5; if it is not set, the terminal returns an error code to the host computer and returns to step S1. Step S3 also comprises: the financial terminal sets the secure-boot-updated flag.
In another aspect, the invention provides a financial terminal comprising: a communication module, a security environment establishment module, a storage module, a secure boot download-and-update module, an application firmware download-and-update module and a secure firmware download-and-update module;
The communication module receives the establish-security-environment instruction, the secure boot download-and-update instruction, the application firmware download-and-update instruction and the secure firmware download-and-update instruction issued by the host computer;
The security environment establishment module starts the security detection functions when the communication module receives an establish-security-environment instruction issued by the host computer;
The storage module stores the application boot, the test application firmware, the test secure boot and the test secure firmware;
The secure boot download-and-update module, when the communication module receives a secure boot download-and-update instruction issued by the host computer, downloads the formal secure boot and updates the test secure boot in the storage module with the formal secure boot;
The application firmware download-and-update module, when the communication module receives an application firmware download-and-update instruction issued by the host computer, downloads the formal application firmware and updates the test application firmware in the storage module with the formal application firmware;
The secure firmware download-and-update module, when the communication module receives a secure firmware download-and-update instruction issued by the host computer, downloads the formal secure firmware and updates the test secure firmware in the storage module with the formal secure firmware;
The communication module also returns a response to the host computer when the security environment establishment module, the secure boot download-and-update module, the application firmware download-and-update module or the secure firmware download-and-update module finishes running;
Further, the financial terminal also comprises an intrusion detection module, which starts the intrusion detection function when the communication module receives a start-intrusion-detection instruction issued by the host computer, and obtains the intrusion detection state when the communication module receives a get-intrusion-detection-state instruction issued by the host computer. Correspondingly, the communication module also receives the start-intrusion-detection instruction and the get-intrusion-detection-state instruction issued by the host computer and, when the intrusion detection module finishes running, returns a response or the intrusion detection state to the host computer;
The security environment establishment module also initializes the parameter space used to prevent exhaustive (brute-force) attacks when the communication module receives an establish-security-environment instruction issued by the host computer;
The financial terminal also comprises a secure boot verification module, which verifies the formal secure boot downloaded by the secure boot download-and-update module. Correspondingly, the secure boot download-and-update module, when the communication module receives a secure boot download-and-update instruction issued by the host computer, downloads the formal secure boot and, once the secure boot verification module's verification passes, updates the test secure boot in the storage module with the formal secure boot;
The financial terminal also comprises an application firmware verification module, which uses the application firmware update key in the storage module to verify the formal application firmware downloaded by the application firmware download-and-update module. Correspondingly, the storage module also stores the application firmware update key; the security environment establishment module, when the communication module receives an establish-security-environment instruction issued by the host computer, also generates a root key and uses the root key to encrypt the application firmware update key in the storage module; and the application firmware download-and-update module, when the communication module receives an application firmware download-and-update instruction issued by the host computer, downloads the formal application firmware and, once the application firmware verification module's verification passes, updates the test application firmware in the storage module with the formal application firmware;
The financial terminal also comprises a secure firmware verification module, which uses the secure firmware update key in the storage module to verify the formal secure firmware downloaded by the secure firmware download-and-update module. Correspondingly, the storage module also stores the secure firmware update key; the security environment establishment module, when the communication module receives an establish-security-environment instruction issued by the host computer, also generates a root key and uses the root key to encrypt the secure firmware update key in the storage module; and the secure firmware download-and-update module, when the communication module receives a secure firmware download-and-update instruction issued by the host computer, downloads the formal secure firmware and, once the secure firmware verification module's verification passes, updates the test secure firmware in the storage module with the formal secure firmware;
The storage module also stores a security-environment-established flag and a secure-boot-updated flag, both of which are initially not set. Correspondingly:
The security environment establishment module also sets the security-environment-established flag in the storage module;
The secure boot download-and-update module, when the communication module receives a secure boot download-and-update instruction issued by the host computer, checks whether the security-environment-established flag in the storage module is set and, when it is set, downloads the formal secure boot, updates the test secure boot in the storage module with the formal secure boot, and sets the secure-boot-updated flag in the storage module;
The application firmware download-and-update module, when the communication module receives an application firmware download-and-update instruction issued by the host computer, checks whether the secure-boot-updated flag in the storage module is set and, when it is set, downloads the formal application firmware and updates the test application firmware in the storage module with the formal application firmware;
The secure firmware download-and-update module, when the communication module receives a secure firmware download-and-update instruction issued by the host computer, checks whether the secure-boot-updated flag in the storage module is set and, when it is set, downloads the formal secure firmware and updates the test secure firmware in the storage module with the formal secure firmware;
The communication module also returns an error code to the host computer when the secure boot download-and-update module finds that the security-environment-established flag in the storage module is not set, when the application firmware download-and-update module finds that the secure-boot-updated flag in the storage module is not set, and when the secure firmware download-and-update module finds that the secure-boot-updated flag in the storage module is not set.
The beneficial effect of the method is that it avoids the security weaknesses of existing firmware programming methods for financial terminals and thereby improves the security of financial terminal products.
Brief description of the drawings
To explain the embodiments of the present invention and the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a flow chart of the firmware programming method for a secure financial terminal provided by Embodiment 1 of the present invention;
Fig. 2 is a flow chart, provided by Embodiment 1, of downloading the formal secure boot and replacing the test secure boot with it;
Fig. 3 is a flow chart, provided by Embodiment 1, of downloading the formal application firmware;
Fig. 4 is a flow chart, provided by Embodiment 1, of replacing the test application firmware with the formal application firmware;
Fig. 5 is a flow chart, provided by Embodiment 1, of downloading the formal secure firmware;
Fig. 6 is a flow chart, provided by Embodiment 1, of replacing the test secure firmware with the formal secure firmware;
Fig. 7 is a block diagram of the financial terminal provided by Embodiment 2 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those skilled in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
The financial terminal of the present invention comprises an application processor and a secure processor;
The application boot and the application firmware are programmed into the application processor; the secure boot and the secure firmware are programmed into the secure processor;
After the financial terminal powers on, the application processor and the secure processor start separately. The application processor first runs the application boot; when the application boot finishes, it jumps to the first address of the application firmware and runs the application firmware until the financial terminal powers down. The secure processor first runs the secure boot; when the secure boot finishes, it jumps to the first address of the secure firmware and runs the secure firmware until the financial terminal powers down;
The application firmware comprises test application firmware and formal application firmware, the secure boot comprises a test secure boot and a formal secure boot, and the secure firmware comprises test secure firmware and formal secure firmware. The test application firmware and the test secure firmware contain the hardware test program and the security environment establishment program; correspondingly, the formal application firmware and the formal secure firmware do not contain them. The test secure boot does not contain the financial terminal self-check program; correspondingly, the formal secure boot does contain it. Compared with the secure boot programmed into the secure processor of a financial terminal in the prior art, the formal secure boot of the present invention reduces the conditional judgment around the terminal self-check, which prevents an attacker from forging the self-check condition in order to evade the terminal self-check;
In the present invention, the application boot and the test application firmware are first programmed into the application processor, and the test secure boot and the test secure firmware are programmed into the secure processor. After hardware testing is complete and the security environment has been established, the test secure boot is updated to the formal secure boot, and then the test application firmware and the test secure firmware are updated to the formal application firmware and the formal secure firmware respectively.
Embodiment 1
This embodiment provides a firmware programming method for a secure financial terminal which, as shown in Fig. 1, comprises:
Step S1: the financial terminal receives an instruction issued by the host computer. It performs step S2 on receiving an establish-security-environment instruction, step S3 on receiving a secure boot download-and-update instruction, step S4 on receiving an application firmware download-and-update instruction, and step S5 on receiving a secure firmware download-and-update instruction;
Specifically, in this embodiment the host computer packages each instruction to be sent as a standard CCID communication instruction and issues it to the financial terminal.
Step S2: the financial terminal starts its security detection functions, returns a response to the host computer, and returns to step S1;
In this embodiment, the security detection functions include an intrusion detection function, a temperature detection function, a voltage detection function and so on.
In this embodiment, step S2 may also comprise: initializing the parameter space used to prevent exhaustive (brute-force) attacks.
In this embodiment, the financial terminal packages the response data as CCID communication protocol layer data before returning it to the host computer.
Further, in this embodiment, before performing step S2 the financial terminal also judges whether the security environment has been established; if so, it performs step S2, otherwise it reports an error and returns to step S1;
In this embodiment, step S2 also comprises generating a root key and using the root key to encrypt the preset application firmware update key and secure firmware update key. Whether the security environment has been established can be judged as follows: compute SHA-256 over the data in the root key storage area and compare the first 4 bytes of the result with the data in the BPKRAM area. If they are identical, the security environment has been established; otherwise it has not. The initial data in both the root key storage area and the BPKRAM area is 0;
Correspondingly, in step S2, after generating the root key the financial terminal saves it to the root key storage area, computes SHA-256 over the root key, and saves the first 4 bytes of the result to the BPKRAM area.
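The established check described above can be modelled in C as follows. This is an added example, not code from the patent: the 32-byte root key length, the `secure_store` layout, the function names and the sample key are assumptions, and the root key is passed in rather than generated on the device.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROOT_KEY_LEN 32   /* assumption: the page does not give the key length */
#define ROR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static const uint32_t K[64] = {
    0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
    0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
    0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
    0x983e5152,0xa831c66d,0xb00327c8,0xbf597fc7,0xc6e00bf3,0xd5a79147,0x06ca6351,0x14292967,
    0x27b70a85,0x2e1b2138,0x4d2c6dfc,0x53380d13,0x650a7354,0x766a0abb,0x81c2c92e,0x92722c85,
    0xa2bfe8a1,0xa81a664b,0xc24b8b70,0xc76c51a3,0xd192e819,0xd6990624,0xf40e3585,0x106aa070,
    0x19a4c116,0x1e376c08,0x2748774c,0x34b0bcb5,0x391c0cb3,0x4ed8aa4a,0x5b9cca4f,0x682e6ff3,
    0x748f82ee,0x78a5636f,0x84c87814,0x8cc70208,0x90befffa,0xa4506ceb,0xbef9a3f7,0xc67178f2
};

/* SHA-256 compression of one 64-byte block into the state h. */
static void sha256_block(uint32_t h[8], const uint8_t *p) {
    uint32_t w[64], a[8], t1, t2; int i;
    for (i = 0; i < 16; i++)
        w[i] = ((uint32_t)p[4*i] << 24) | ((uint32_t)p[4*i+1] << 16) |
               ((uint32_t)p[4*i+2] << 8) | p[4*i+3];
    for (; i < 64; i++)
        w[i] = w[i-16] + w[i-7] +
               (ROR(w[i-15], 7) ^ ROR(w[i-15], 18) ^ (w[i-15] >> 3)) +
               (ROR(w[i-2], 17) ^ ROR(w[i-2], 19) ^ (w[i-2] >> 10));
    memcpy(a, h, sizeof a);
    for (i = 0; i < 64; i++) {
        t1 = a[7] + (ROR(a[4], 6) ^ ROR(a[4], 11) ^ ROR(a[4], 25)) +
             ((a[4] & a[5]) ^ (~a[4] & a[6])) + K[i] + w[i];
        t2 = (ROR(a[0], 2) ^ ROR(a[0], 13) ^ ROR(a[0], 22)) +
             ((a[0] & a[1]) ^ (a[0] & a[2]) ^ (a[1] & a[2]));
        memmove(a + 1, a, 7 * sizeof a[0]);   /* shift b..h down one slot */
        a[4] += t1; a[0] = t1 + t2;           /* e = d + t1, a = t1 + t2 */
    }
    for (i = 0; i < 8; i++) h[i] += a[i];
}

/* Full SHA-256: whole blocks first, then the padded tail with the bit length. */
static void sha256(const uint8_t *msg, size_t len, uint8_t out[32]) {
    uint32_t h[8] = {0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                     0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19};
    uint8_t tail[128] = {0};
    size_t i, full = len / 64, rem = len % 64, tlen = rem < 56 ? 64 : 128;
    uint64_t bits = (uint64_t)len * 8;
    for (i = 0; i < full; i++) sha256_block(h, msg + 64 * i);
    memcpy(tail, msg + 64 * full, rem);
    tail[rem] = 0x80;
    for (i = 0; i < 8; i++) tail[tlen - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (i = 0; i < tlen; i += 64) sha256_block(h, tail + i);
    for (i = 0; i < 8; i++) {
        out[4*i] = (uint8_t)(h[i] >> 24);    out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8);   out[4*i+3] = (uint8_t)h[i];
    }
}

/* Hypothetical layout of the two areas the page names; both start as 0. */
struct secure_store { uint8_t root_key[ROOT_KEY_LEN]; uint8_t bpkram[4]; };

/* Step S2: save the root key, then save SHA-256(root key)[0..3] to BPKRAM. */
void establish_env(struct secure_store *s, const uint8_t key[ROOT_KEY_LEN]) {
    uint8_t d[32];
    memcpy(s->root_key, key, ROOT_KEY_LEN);
    sha256(s->root_key, ROOT_KEY_LEN, d);
    memcpy(s->bpkram, d, 4);
}

/* Established check: SHA-256(root key area)[0..3] equals the BPKRAM contents. */
int env_established(const struct secure_store *s) {
    uint8_t d[32];
    sha256(s->root_key, ROOT_KEY_LEN, d);
    return memcmp(d, s->bpkram, 4) == 0;
}

/* First 4 digest bytes as a big-endian word, used to self-test sha256(). */
uint32_t digest_prefix(const uint8_t *m, size_t n) {
    uint8_t d[32];
    sha256(m, n, d);
    return ((uint32_t)d[0] << 24) | ((uint32_t)d[1] << 16) | ((uint32_t)d[2] << 8) | d[3];
}

/* Constructed scenarios: 0 factory state, 1 provisioned, 2 BPKRAM back at 0, 3 key area altered. */
int scenario(int n) {
    static const uint8_t key[ROOT_KEY_LEN] = {0x01, 0x23, 0x45, 0x67}; /* constructed */
    struct secure_store s = {{0}, {0}};
    if (n >= 1) establish_env(&s, key);
    if (n == 2) memset(s.bpkram, 0, sizeof s.bpkram);
    if (n == 3) s.root_key[0] ^= 0x01;
    return env_established(&s);
}

int main(void) {
    printf("sha256 self-test: %s\n", digest_prefix((const uint8_t *)"abc", 3) == 0xba7816bfu ? "ok" : "FAIL");
    for (int n = 0; n < 4; n++) printf("scenario %d -> established=%d\n", n, scenario(n));
    return 0;
}
```

The all-zero factory state reads as "not established" because the digest of a zeroed key area does not begin with four zero bytes. The stored tag is only 32 bits, so the comparison works as a provisioning-state marker rather than as a strong integrity check on the root key area.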
Step S3: the financial terminal downloads the formal secure boot, replaces the test secure boot in the financial terminal with the formal secure boot, returns a response to the host computer, and returns to step S1;
Step S4: the financial terminal downloads the formal application firmware, replaces the test application firmware in the financial terminal with the formal application firmware, returns a response to the host computer, and returns to step S1;
Step S5: the financial terminal downloads the formal secure firmware, replaces the test secure firmware in the financial terminal with the formal secure firmware, returns a response to the host computer, and returns to step S1.
Further, step S1 also comprises: performing step S6 on receiving a start-intrusion-detection instruction issued by the host computer, and performing step S7 on receiving a get-intrusion-detection-state instruction issued by the host computer:
Step S6: the financial terminal starts the intrusion detection function, returns a response to the host computer, and returns to step S1;
Specifically, the financial terminal starts the intrusion detection function by configuring the corresponding registers and sensors.
Step S7: the financial terminal checks the intrusion detection state, returns the intrusion detection state to the host computer, and returns to step S1;
Specifically, the financial terminal obtains the intrusion detection state by checking the corresponding registers and sensors.
Further, step S1 also comprises: performing step S8 when the financial terminal receives a hardware test instruction issued by the host computer:
Step S8: the financial terminal tests its hardware functions according to the content of the instruction, returns a response to the host computer, and returns to step S1.
Further, the method may also include a mechanism that controls the firmware programming flow, specifically:
Before performing step S3, the financial terminal checks whether the security-environment-established flag is set. If it is set, the terminal performs step S3; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
Step S2 also comprises: the financial terminal sets the security-environment-established flag;
Before performing step S4, the financial terminal checks whether the secure-boot-updated flag is set. If it is set, the terminal performs step S4; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
Before performing step S5, the financial terminal checks whether the secure-boot-updated flag is set. If it is set, the terminal performs step S5; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
Step S3 also comprises: the financial terminal sets the secure-boot-updated flag;
Before performing step S2, the financial terminal checks whether the intrusion-detection-started flag is set. If it is set, the terminal performs step S2; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
Before performing step S7, the financial terminal checks whether the intrusion-detection-started flag is set. If it is set, the terminal performs step S7; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
In step S6, after starting the intrusion detection function, the financial terminal checks the intrusion detection state and judges from it whether an intrusion event exists. If an intrusion event exists, the terminal returns an error state to the host computer and returns to step S1; if no intrusion event exists, the terminal sets the intrusion-detection-started flag, returns a response to the host computer, and returns to step S1;
Before performing step S6, the financial terminal checks whether the hardware-function-tested flag is set. If it is set, the terminal performs step S6; if it is not set, the terminal returns an error code to the host computer and returns to step S1;
In step S8, after testing its hardware functions according to the content of the instruction, the financial terminal judges whether all hardware functions to be tested have been tested. If they have all been tested, the terminal sets the hardware-function-tested flag, returns a response to the host computer, and returns to step S1; otherwise it returns a response directly to the host computer and returns to step S1.
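The flag-gated ordering described above, as an added C model (not code from the patent). The response codes, the `image_ok` stand-in for image verification, the count of three hardware tests and all names are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>

/* Host instructions; comments in handle() give the step each one triggers. */
enum cmd { CMD_HW_TEST, CMD_START_INTRUSION, CMD_GET_INTRUSION, CMD_ESTABLISH_ENV,
           CMD_UPDATE_BOOT, CMD_UPDATE_APP, CMD_UPDATE_SEC };
/* Hypothetical response codes; the page only speaks of a response or an error code. */
enum rsp { RSP_OK, RSP_ERR_FLAG, RSP_ERR_INTRUSION, RSP_ERR_VERIFY };

struct terminal {
    bool hw_tested, intrusion_started, env_established, boot_updated; /* the four flags */
    int  hw_tests_left;      /* hardware functions still to be tested */
    bool intrusion_event;    /* what the intrusion sensors currently report */
    bool formal_boot, formal_app, formal_sec;   /* which images are formal */
};

/* Process one instruction. image_ok stands in for the image verification result. */
enum rsp handle(struct terminal *t, enum cmd c, bool image_ok) {
    switch (c) {
    case CMD_HW_TEST:                                   /* step S8 */
        if (t->hw_tests_left > 0 && --t->hw_tests_left == 0) t->hw_tested = true;
        return RSP_OK;
    case CMD_START_INTRUSION:                           /* step S6 */
        if (!t->hw_tested) return RSP_ERR_FLAG;
        if (t->intrusion_event) return RSP_ERR_INTRUSION;   /* flag stays clear */
        t->intrusion_started = true;
        return RSP_OK;
    case CMD_GET_INTRUSION:                             /* step S7 */
        if (!t->intrusion_started) return RSP_ERR_FLAG;
        return t->intrusion_event ? RSP_ERR_INTRUSION : RSP_OK;
    case CMD_ESTABLISH_ENV:                             /* step S2 */
        if (!t->intrusion_started) return RSP_ERR_FLAG;
        t->env_established = true;
        return RSP_OK;
    case CMD_UPDATE_BOOT:                               /* step S3 */
        if (!t->env_established) return RSP_ERR_FLAG;
        if (!image_ok) return RSP_ERR_VERIFY;           /* nothing replaced, no flag */
        t->formal_boot = t->boot_updated = true;
        return RSP_OK;
    case CMD_UPDATE_APP:                                /* step S4 */
    case CMD_UPDATE_SEC:                                /* step S5 */
        if (!t->boot_updated) return RSP_ERR_FLAG;
        if (!image_ok) return RSP_ERR_VERIFY;
        if (c == CMD_UPDATE_APP) t->formal_app = true; else t->formal_sec = true;
        return RSP_OK;
    }
    return RSP_ERR_FLAG;
}

/* Freshly programmed terminal: all flags clear, three tests pending (constructed). */
static struct terminal fresh(void) {
    struct terminal t = {0};
    t.hw_tests_left = 3;
    return t;
}

/* Drive a terminal through S8, S6 and S2 in the required order. */
static void provision(struct terminal *t) {
    while (!t->hw_tested) handle(t, CMD_HW_TEST, true);
    handle(t, CMD_START_INTRUSION, true);
    handle(t, CMD_ESTABLISH_ENV, true);
}

/* Response when instruction c is the first one a fresh terminal receives. */
enum rsp try_first(enum cmd c) {
    struct terminal t = fresh();
    return handle(&t, c, true);
}

/* A rejected secure boot image must leave the later firmware updates locked. */
enum rsp app_after_rejected_boot(void) {
    struct terminal t = fresh();
    provision(&t);
    handle(&t, CMD_UPDATE_BOOT, false);
    return handle(&t, CMD_UPDATE_APP, true);
}

/* An intrusion event at S6 keeps the flag clear, so S2 is refused. */
enum rsp env_with_intrusion(void) {
    struct terminal t = fresh();
    t.intrusion_event = true;
    provision(&t);
    return handle(&t, CMD_ESTABLISH_ENV, true);
}

/* The in-order sequence ends with all three formal images installed. */
bool full_sequence_ok(void) {
    struct terminal t = fresh();
    provision(&t);
    return handle(&t, CMD_UPDATE_BOOT, true) == RSP_OK
        && handle(&t, CMD_UPDATE_APP, true) == RSP_OK
        && handle(&t, CMD_UPDATE_SEC, true) == RSP_OK
        && t.formal_boot && t.formal_app && t.formal_sec;
}

int main(void) {
    printf("app update first:        %d\n", try_first(CMD_UPDATE_APP));
    printf("app after rejected boot: %d\n", app_after_rejected_boot());
    printf("env with intrusion:      %d\n", env_with_intrusion());
    printf("full sequence ok:        %d\n", full_sequence_ok());
    return 0;
}
```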
In the present embodiment, application processor and safe processor is comprised in financial terminal, what application boot referred to that the boot program run in application processor, Test Application firmware refer to run in application processor comprise hardware testing relative program and security context set up the firmware program of relative program; What formal application firmware referred to run in application processor do not comprise hardware testing relative program and security context set up the firmware program of relative program; What test safety firmware referred to run in safe processor comprise hardware testing relative program and security context set up the firmware program of relative program; What formal secure firmware referred to run in safe processor do not comprise hardware testing relative program and security context set up the firmware program of relative program; Test safety boot refers to the boot program not comprising the relative program whether detection security context is set up run in safe processor, and formal safe boot refers to the boot program comprising the relative program whether detection security context is set up run in safe processor.
In the present embodiment, according to the hardware capability of command content test financial terminal, return response to host computer, specifically comprise:
Application processor judges the type of hardware testing instruction after receiving the hardware testing instruction that host computer issues;
If hardware testing instruction is speech play instruction, then application processor control speech chip plays sound, and organizes reply data, and returns to host computer to after reply data encapsulation CCID Protocol layer data;
If hardware testing instruction is for obtaining barcode scanning data command, then application processor obtains barcode scanning gun scan-data according to acquisition barcode scanning data command, organizes reply data, and returns to host computer after reply data is packaged into CCID Protocol layer data;
Otherwise application processor issues concrete test instruction according to hardware testing instruction to safe processor; Safe processor tests corresponding hardware capability according to concrete test instruction, and replys to application processor link order; Reply data is organized in the repeat-back that application processor returns according to safe processor, returns to host computer to after reply data encapsulation CCID Protocol layer data.
Concrete test instruction comprises: LCD idsplay order, acquisition key value instructions, hummer steering order, IC-card supervisory instruction and magnetic stripe card supervisory instruction etc.;
In the present embodiment, application processor judges the type of hardware testing instruction by second byte of the data field of hardware testing instruction; Such as, when second byte of the data field of hardware testing instruction is 15, hardware testing instruction is specially speech play instruction; When second byte of the data field of hardware testing instruction is 16, hardware testing instruction is specially and obtains barcode scanning data command; When second byte of the data field of hardware testing instruction is 02, application processor issues LCD idsplay order to safe processor; When second byte of the data field of hardware testing instruction is 01, application processor issues acquisition key value instructions to safe processor; When second byte of the data field of hardware testing instruction is 05, application processor issues hummer steering order to safe processor; When second byte of the data field of hardware testing instruction is 03, application processor issues IC-card supervisory instruction to safe processor; When second byte of the data field of hardware testing instruction is 0F, application processor issues magnetic stripe card supervisory instruction to safe processor.
Further, the safe processor testing the corresponding hardware function according to the specific test instruction and returning an instruction response to the application processor may specifically comprise:
Step 1-1, the safe processor parses the specific test instruction received: if it is an LCD display instruction, perform step 1-2; if it is an obtain-key-value instruction, perform step 1-3; if it is a buzzer control instruction, perform step 1-4; if it is an IC-card supervisory instruction, perform step 1-5; if it is a magnetic stripe card supervisory instruction, perform step 1-6;
Step 1-2, the safe processor controls the LCD to display the corresponding text and graphics according to the LCD display instruction, and returns an LCD display instruction response to the application processor;
Step 1-3, the safe processor obtains the key value entered on the keyboard within a specified time according to the obtain-key-value instruction, and returns an obtain-key-value instruction response to the application processor;
Step 1-4, the safe processor controls the buzzer to sound, and returns a buzzer control instruction response to the application processor;
Step 1-5, the safe processor polls for an IC card within a specified time, communicates with the IC card according to the IC-card supervisory instruction, and returns an IC-card supervisory instruction response to the application processor;
Step 1-6, the safe processor obtains the magnetic stripe card swipe data within a specified time, and returns a magnetic stripe card supervisory instruction response to the application processor.
In the present embodiment, the financial terminal starts the intrusion detection function and returns a response to the host computer, which specifically comprises:
Step 201, after receiving the start-intrusion-detection instruction issued by the host computer, the application processor sends an intrusion detection start instruction to the safe processor;
Step 202, the safe processor starts the intrusion detection function;
Specifically, the safe processor starts the intrusion detection function by setting the corresponding registers and sensors.
Step 203, the safe processor returns an intrusion detection start instruction response to the application processor;
Step 204, the application processor organizes the response data according to the intrusion detection start instruction response returned by the safe processor;
Step 205, the application processor encapsulates the response data into CCID communication protocol layer data and returns it to the host computer.
In the present embodiment, the financial terminal checks the intrusion detection state and returns a response to the host computer, which specifically comprises:
Step 301, after receiving the obtain-intrusion-detection-state instruction issued by the host computer, the application processor sends an intrusion detection state acquisition instruction to the safe processor;
Step 302, the safe processor obtains the intrusion detection state;
Specifically, the safe processor obtains the intrusion detection state by checking the corresponding registers and sensors.
Step 303, the safe processor returns an intrusion detection state acquisition response to the application processor;
Step 304, the application processor organizes the response data according to the intrusion detection state acquisition response returned by the safe processor;
Step 305, the application processor encapsulates the response data into CCID communication protocol layer data and returns it to the host computer.
In the present embodiment, step S2 may specifically comprise:
Step 401, after receiving the set-up-security-environment instruction issued by the host computer, the application processor issues a security environment set-up instruction to the safe processor;
Step 402, the safe processor generates a root key, uses the root key to encrypt the application firmware update key and the secure firmware update key respectively and stores the results, and initializes the anti-exhaustive-attack parameter space;
In the present embodiment, the root key is specifically a random number generated by the safe processor; encrypting the application firmware update key and the secure firmware update key with the root key and storing them is specifically: using the random number to encrypt the application firmware update key and the secure firmware update key respectively, and storing the resulting application firmware update key ciphertext and secure firmware update key ciphertext.
Step 403, the safe processor returns a set-up-security-environment response to the application processor;
Step 404, the application processor organizes the response data according to the set-up-security-environment response returned by the safe processor;
Step 405, the application processor encapsulates the response data into CCID communication protocol layer data and returns it to the host computer.
As shown in Figure 2, in the present embodiment, the financial terminal downloads the formal safe boot, replaces the test safe boot in the financial terminal with the formal safe boot, and returns a response to the host computer, which specifically comprises:
Step 501, when the application processor receives a safe boot download-update instruction issued by the host computer, it judges the type of the instruction: if it is a download-start instruction, perform step 502; if it is a download instruction, perform step 506; if it is a download-end instruction, perform step 510;
Step 502, the application processor sends a safe boot download-start instruction to the safe processor;
In the present embodiment, the safe boot download-start instruction that the application processor sends to the safe processor contains the safe boot checksum that the application processor obtained from the CCID communication instruction issued by the host computer.
Step 503, the safe processor obtains the safe boot checksum from the safe boot download-start instruction and saves the safe boot checksum to the external flash of the safe processor;
Step 504, the safe processor returns a safe boot download-start instruction response to the application processor;
Step 505, the application processor organizes the response data according to the safe boot download-start instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 501;
Step 506, the application processor sends a safe boot download instruction to the safe processor;
In the present embodiment, the safe boot download instruction that the application processor sends to the safe processor contains the safe boot update data that the application processor obtained from the CCID communication instruction issued by the host computer.
Step 507, the safe processor obtains the safe boot update data from the safe boot download instruction and saves the safe boot update data to the external flash of the safe processor;
Step 508, the safe processor returns a safe boot download instruction response to the application processor;
Step 509, the application processor organizes the response data according to the safe boot download instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 501;
Step 510, the application processor sends a safe boot download-end instruction to the safe processor;
Step 511, the safe processor verifies the safe boot update data against the safe boot checksum; if the verification passes, perform step 512; if the verification does not pass, perform step 513;
In the present embodiment, the host computer splits the safe boot update data into packets and encapsulates them into several standard CCID communication instructions, each containing a safe boot update data packet, which it issues to the application processor in sequence. Correspondingly, each time the application processor receives a standard CCID communication instruction containing a safe boot update data packet, it sends the safe processor a safe boot download instruction containing that packet; the safe processor obtains the safe boot update data packet from the safe boot download instruction, stores the packets in order in the external flash of the safe processor, updates the safe boot update checksum to the checksum of the safe boot update data received so far, and returns a safe boot download instruction response to the application processor.
When the safe processor receives the safe boot download-end instruction sent by the application processor, it judges whether the safe boot update checksum is identical to the safe boot checksum stored in the external flash of the safe processor; if so, the safe boot update data verification passes; otherwise the safe boot update data verification does not pass.
For example, if the safe boot update data is 64k bytes, the host computer splits it into 64 safe boot update data packets of 1k bytes each, encapsulates them into 64 standard CCID communication instructions, and issues these to the application processor in sequence.
Step 512, the safe processor stores the safe boot update data held in the external flash of the safe processor to the boot storage address of the internal flash of the safe processor, erases the safe boot checksum and the safe boot update data stored in the external flash of the safe processor, and performs step 514;
In the present embodiment, the safe processor sequentially reads safe boot update data of a preset length from the external flash of the safe processor and stores it sequentially to the boot storage address of the internal flash of the safe processor.
For example, the preset length is 2k bytes.
Step 513, the safe processor erases the safe boot checksum and the safe boot update data stored in the external flash of the safe processor, and performs step 514;
Step 514, the safe processor returns a safe boot download-end instruction response to the application processor;
Step 515, the application processor organizes the response data according to the safe boot download-end instruction response returned by the safe processor, encapsulates the response data into CCID protocol layer data, and returns it to the host computer.
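The safe boot download sequence of steps 501 to 515, seen from the safe processor side, as an added C sketch that is not part of the patent text. The byte-sum checksum (the patent does not name an algorithm), the RAM buffers standing in for external and internal flash, the status codes, the two guard checks and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BOOT_MAX   (64u * 1024u) /* 64k-byte update, as in the page's example */
#define PKT_LEN    1024u         /* 1k-byte packets from the host computer */
#define COPY_BLOCK 2048u         /* preset read length of 2k bytes */

enum { BOOT_OK = 0, BOOT_ERR_STATE, BOOT_ERR_SIZE, BOOT_ERR_CHECKSUM };

struct safe_proc {
    uint8_t  ext_flash[BOOT_MAX]; /* staging area (external flash) */
    uint8_t  int_boot[BOOT_MAX];  /* boot storage address (internal flash) */
    uint32_t expected;            /* checksum saved at download-start */
    uint32_t running;             /* checksum of the data received so far */
    size_t   staged;              /* bytes staged in external flash */
    int      active;              /* set between download-start and download-end */
};

/* Assumed algorithm: 32-bit sum of bytes; the patent only says "checksum". */
static uint32_t checksum_update(uint32_t sum, const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) sum += p[i];
    return sum;
}

static void erase_staging(struct safe_proc *sp) {
    memset(sp->ext_flash, 0xFF, sizeof sp->ext_flash);
    sp->expected = sp->running = 0;
    sp->staged = 0;
    sp->active = 0;
}

/* Steps 502-504: save the expected checksum carried by download-start. */
void boot_download_start(struct safe_proc *sp, uint32_t expected) {
    erase_staging(sp);            /* drop any half-finished earlier download */
    sp->expected = expected;
    sp->active = 1;
}

/* Steps 506-508: stage one packet in order and extend the running checksum. */
int boot_download_data(struct safe_proc *sp, const uint8_t *pkt, size_t n) {
    if (!sp->active) return BOOT_ERR_STATE;   /* added guard: no download-start */
    if (n > BOOT_MAX - sp->staged) {          /* added guard: staging overflow */
        erase_staging(sp);
        return BOOT_ERR_SIZE;
    }
    memcpy(sp->ext_flash + sp->staged, pkt, n);
    sp->running = checksum_update(sp->running, pkt, n);
    sp->staged += n;
    return BOOT_OK;
}

/* Steps 510-514: compare checksums, install on a match, erase staging either way. */
int boot_download_end(struct safe_proc *sp) {
    int rc = BOOT_ERR_CHECKSUM;
    if (!sp->active) return BOOT_ERR_STATE;
    if (sp->staged > 0 && sp->running == sp->expected) {
        for (size_t off = 0; off < sp->staged; off += COPY_BLOCK) { /* step 512 */
            size_t n = sp->staged - off < COPY_BLOCK ? sp->staged - off : COPY_BLOCK;
            memcpy(sp->int_boot + off, sp->ext_flash + off, n);
        }
        rc = BOOT_OK;
    }
    erase_staging(sp);            /* done in step 512 and in step 513 */
    return rc;
}

static struct safe_proc g_sp;     /* constructed device state for the demo */
static uint8_t g_image[BOOT_MAX]; /* constructed 64k-byte "formal safe boot" */

/* Host side: 64 packets of 1k bytes; corrupt_packet < 0 means no corruption. */
int demo_boot_update(int corrupt_packet) {
    memset(&g_sp, 0, sizeof g_sp);
    memset(g_sp.int_boot, 0xA5, sizeof g_sp.int_boot); /* stands for the test boot */
    for (size_t i = 0; i < BOOT_MAX; i++) g_image[i] = (uint8_t)(i * 31u + 7u);
    boot_download_start(&g_sp, checksum_update(0, g_image, BOOT_MAX));
    for (int pkt = 0; pkt < (int)(BOOT_MAX / PKT_LEN); pkt++) {
        uint8_t buf[PKT_LEN];
        memcpy(buf, g_image + (size_t)pkt * PKT_LEN, PKT_LEN);
        if (pkt == corrupt_packet) buf[10] ^= 0x01;    /* one bit flipped in transit */
        int rc = boot_download_data(&g_sp, buf, PKT_LEN);
        if (rc != BOOT_OK) return rc;
    }
    return boot_download_end(&g_sp);
}

int demo_installed_is_new(void) {
    return memcmp(g_sp.int_boot, g_image, BOOT_MAX) == 0;
}

int demo_staging_erased(void) {
    for (size_t i = 0; i < BOOT_MAX; i++)
        if (g_sp.ext_flash[i] != 0xFF) return 0;
    return g_sp.staged == 0 && !g_sp.active;
}

int main(void) {
    return demo_boot_update(-1) == BOOT_OK && demo_boot_update(17) == BOOT_ERR_CHECKSUM ? 0 : 1;
}
```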
See Fig. 3. In the present embodiment, the financial terminal downloading the formal application firmware specifically comprises:
Step 601, after the application processor receives an application firmware download-update instruction issued by the host computer, it judges the type of the instruction: if it is a download-start instruction, perform step 602; if it is a download instruction, perform step 606; if it is a download-end instruction, perform step 610;
Step 602, the application processor sends an application firmware download-start instruction to the safe processor;
In the present embodiment, the application firmware download-start instruction that the application processor sends to the safe processor contains the application firmware download-update header file that the application processor obtained from the CCID communication instruction issued by the host computer. In the present embodiment, the application firmware download-update header file contains the information of the application firmware download-update file and signature data, wherein the information of the application firmware download-update file comprises the name of the application firmware download-update file and/or version number and/or encryption mode and/or checking mode and/or scheduler space and/or address type and/or file storage destination address and/or file size, etc.
Step 603, the safe processor obtains the application firmware download-update header file from the application firmware download-start instruction and stores the header file in the external flash of the safe processor;
Step 604, the safe processor returns an application firmware download-start instruction response to the application processor;
Step 605, the application processor organizes the response data according to the application firmware download-start instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 601;
Step 606, the application processor issues an application firmware download instruction to the safe processor;
In the present embodiment, the application firmware download instruction that the application processor issues to the safe processor contains the application firmware download-update file that the application processor obtained from the CCID communication instruction issued by the host computer.
Step 607, the safe processor obtains the application firmware download-update file from the application firmware download instruction and stores it in the external flash of the safe processor;
In the present embodiment, the application firmware download-update file contains the formal application firmware and the signature value of the formal application firmware digest, or contains the ciphertext obtained by encrypting the formal application firmware and the signature value of the formal application firmware digest.
Step 608, the safe processor returns an application firmware download instruction response to the application processor;
In the present embodiment, the host computer splits the application firmware download-update file into packets and encapsulates them into several standard CCID communication instructions, each containing an application firmware download-update file data packet, which it issues to the application processor in sequence. Correspondingly, each time the application processor receives a standard CCID communication instruction containing an application firmware download-update file data packet, it issues to the safe processor an application firmware file download instruction containing that packet; the safe processor obtains the application firmware download-update file data packet from the application firmware file download instruction, stores the packets in order in the external flash of the safe processor, and returns an application firmware file download instruction response to the application processor.
Step 609, the application processor organizes the response data according to the application firmware download instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 601;
Step 610, the application processor issues an application firmware download-end instruction to the safe processor;
Step 611, the safe processor verifies the application firmware download-update file; if the verification passes, perform step 612; if the verification does not pass, perform step 613;
In the present embodiment, when the application firmware download-update file contains the formal application firmware and the signature value of the formal application firmware digest, the safe processor verifying the application firmware download-update file specifically comprises: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the application firmware download-update file contained in the application firmware download-update header file (or the safe processor directly selects a preset hash algorithm); performs a hash operation, using the selected hash algorithm, on the application firmware download-update file stored in the external flash of the safe processor; decrypts the application firmware update key ciphertext with the root key to obtain the application firmware update key plaintext; performs signature verification, using the application firmware update key plaintext, on the signature data contained in the application firmware download-update header file to obtain the application firmware download-update file digest; and judges whether the application firmware download-update file digest obtained by signature verification is consistent with the digest obtained by the hash operation on the application firmware download-update file stored in the external flash of the safe processor; if so, the verification passes; otherwise the verification does not pass;
In the present embodiment, when the application firmware download-update file contains the ciphertext obtained by encrypting the formal application firmware and the signature value of the formal application firmware digest, the safe processor verifying the application firmware download-update file specifically comprises: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the application firmware download-update file contained in the application firmware download-update header file (or the safe processor directly selects a preset hash algorithm); performs a hash operation, using the selected hash algorithm, on the application firmware download-update file stored in the external flash of the safe processor; decrypts the application firmware update key ciphertext with the root key to obtain the application firmware update key plaintext; performs signature verification, using the application firmware update key plaintext, on the signature data contained in the application firmware download-update header file to obtain the application firmware download-update file digest and the application firmware download key; and judges whether the application firmware download-update file digest obtained by signature verification is consistent with the digest obtained by the hash operation on the application firmware download-update file stored in the external flash of the safe processor; if so, the verification passes; otherwise the verification does not pass.
Step 612, the safe processor writes an application firmware update flag in the external flash of the safe processor, and performs step 614;
In the present embodiment, step 612 may further comprise: the safe processor controls the LCD to display a prompt to restart the terminal.
Step 613, the safe processor erases the application firmware download-update header file and the application firmware download-update file stored in the external flash of the safe processor, and performs step 614;
In the present embodiment, step 613 may further comprise: the safe processor controls the LCD to display a corresponding error prompt.
Step 614, the safe processor returns an application firmware download-end instruction response to the application processor;
Step 615, the application processor organizes the response data according to the application firmware download-end instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, and returns it to the host computer.
See Fig. 4. In the present embodiment, the financial terminal replacing the test application firmware in the financial terminal with the formal application firmware specifically comprises:
Step 701, the application processor erases the test application firmware in the internal flash of the application processor;
Specifically, the application processor erases the data at the firmware storage address of the internal flash of the application processor.
Step 702, the application processor sends the safe processor an instruction to obtain the application firmware download-update header file;
Step 703, the safe processor reads the application firmware download-update header file stored in the external flash of the safe processor;
Step 704, the safe processor returns the application firmware download-update header file to the application processor;
Step 705, the application processor sends the safe processor an instruction to obtain the formal application firmware and the signature value of its digest, according to the file size in the application firmware download-update header file;
Step 706, the safe processor obtains the formal application firmware and the signature value of its digest from the application firmware download-update file stored in the external flash of the safe processor;
In the present embodiment, when the application firmware download-update file contains the formal application firmware and the signature value of the formal application firmware digest, step 706 specifically comprises: the safe processor reads the application firmware download-update file stored in the external flash of the safe processor to obtain the formal application firmware and the signature value of its digest.
In the present embodiment, when the application firmware download-update file contains the ciphertext obtained by encrypting the formal application firmware and the signature value of the formal application firmware digest, step 706 specifically comprises: the safe processor decrypts the application firmware update key ciphertext with the root key to obtain the application firmware update key plaintext; performs signature verification, using the application firmware update key plaintext, on the signature data contained in the application firmware download-update header file; obtains the application firmware download key from the signature verification result; selects the corresponding encryption and decryption algorithm according to the encryption mode information in the information of the application firmware download-update file contained in the application firmware download-update header file (or directly selects a preset encryption and decryption algorithm); and, using the selected algorithm and the application firmware download key, decrypts the application firmware download-update file stored in the external flash of the safe processor to obtain the formal application firmware and the signature value of its digest.
Step 707, the safe processor returns the formal application firmware and the signature value of its digest to the application processor;
Step 708, the application processor writes the formal application firmware and the signature value of its digest returned by the safe processor into the internal flash of the application processor;
Specifically, the application processor writes the formal application firmware and the signature value of its digest returned by the safe processor to the firmware storage address of the internal flash of the application processor.
In the present embodiment, steps 705 to 708 specifically comprise: the application processor sends several obtain-update-data instructions to the safe processor in sequence, until it judges, according to the file size in the information of the application firmware download-update file contained in the previously obtained application firmware download-update header file, that all of the update data has been obtained; correspondingly, each time the safe processor receives an obtain-update-data instruction, it obtains, in order, update data of a preset length and returns it to the application processor, and the application processor writes the update data of the current preset length sequentially to the firmware storage address of the internal flash of the application processor.
Step 709, the application processor sends an application firmware update-complete instruction to the safe processor;
Step 710, the safe processor erases the application firmware download-update header file, the application firmware download-update file and the application firmware update flag stored in the external flash of the safe processor;
Step 711, the safe processor returns an application firmware update-complete response to the application processor.
In the present embodiment, after step 711, when the application processor receives the application firmware update-complete response returned by the safe processor, the method further comprises: the application processor performs a hash operation on the formal application firmware stored in the internal flash of the application processor, and sends the signature value of the formal application firmware digest stored in the internal flash of the application processor to the safe processor for signature verification; the safe processor performs signature verification on the signature value of the formal application firmware digest sent by the application processor and returns the signature verification result to the application processor; the application processor judges whether the hash operation result is consistent with the signature verification result returned by the safe processor; if so, it runs the formal application firmware; otherwise it prompts an error.
See Fig. 5. In the present embodiment, the financial terminal downloading the formal secure firmware specifically comprises:
Step 801, after the application processor receives a secure firmware download-update instruction issued by the host computer, it judges the type of the instruction: if it is a download-start instruction, perform step 802; if it is a download instruction, perform step 806; if it is a download-end instruction, perform step 810;
Step 802, the application processor sends a secure firmware download-start instruction to the safe processor;
In the present embodiment, the secure firmware download-start instruction that the application processor sends to the safe processor contains the secure firmware download-update header file that the application processor obtained from the CCID communication instruction issued by the host computer. In the present embodiment, the secure firmware download-update header file contains the information of the secure firmware download-update file and signature data, wherein the information of the secure firmware download-update file comprises the name of the secure firmware download-update file and/or version number and/or encryption mode and/or checking mode and/or scheduler space and/or address type and/or file storage destination address and/or file size, etc.
Step 803, the safe processor obtains the secure firmware download-update header file from the secure firmware download-start instruction and stores the header file in the external flash of the safe processor;
Step 804, the safe processor returns a secure firmware download-start instruction response to the application processor;
Step 805, the application processor organizes the response data according to the secure firmware download-start instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 801;
Step 806, the application processor issues a secure firmware download instruction to the safe processor;
In the present embodiment, the secure firmware download instruction that the application processor issues to the safe processor contains the secure firmware download-update file that the application processor obtained from the CCID communication instruction issued by the host computer.
Step 807, the safe processor obtains the secure firmware download-update file from the secure firmware download instruction and stores it in the external flash of the safe processor;
In the present embodiment, the secure firmware download-update file contains the formal secure firmware and the signature value of the formal secure firmware digest, or contains the ciphertext obtained by encrypting the formal secure firmware and the signature value of the formal secure firmware digest.
Step 808, the safe processor returns a secure firmware download instruction response to the application processor;
In the present embodiment, the host computer splits the secure firmware download-update file into packets and encapsulates them into several standard CCID communication instructions, each containing a secure firmware download-update file data packet, which it issues to the application processor in sequence. Correspondingly, each time the application processor receives a standard CCID communication instruction containing a secure firmware download-update file data packet, it issues to the safe processor a secure firmware file download instruction containing that packet; the safe processor obtains the secure firmware download-update file data packet from the secure firmware file download instruction, stores the packets in order in the external flash of the safe processor, and returns a secure firmware file download instruction response to the application processor.
Step 809, the application processor organizes the response data according to the secure firmware download instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, returns it to the host computer, and returns to step 801;
Step 810, the application processor issues a secure firmware download-end instruction to the safe processor;
Step 811, the safe processor verifies the secure firmware download-update file; if the verification passes, perform step 812; if the verification does not pass, perform step 813;
In the present embodiment, when the secure firmware download-update file contains the formal secure firmware and the signature value of the formal secure firmware digest, the safe processor verifying the secure firmware download-update file specifically comprises: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the secure firmware download-update file contained in the secure firmware download-update header file (or the safe processor directly selects a preset hash algorithm); performs a hash operation, using the selected hash algorithm, on the secure firmware download-update file stored in the external flash of the safe processor; decrypts the secure firmware update key ciphertext with the root key to obtain the secure firmware update key plaintext; performs signature verification, using the secure firmware update key plaintext, on the signature data contained in the secure firmware download-update header file to obtain the secure firmware download-update file digest; and judges whether the secure firmware download-update file digest obtained by signature verification is consistent with the digest obtained by the hash operation on the secure firmware download-update file stored in the external flash of the safe processor; if so, the verification passes; otherwise the verification does not pass;
In the present embodiment, when the secure firmware download-update file contains the ciphertext obtained by encrypting the formal secure firmware and the signature value of the formal secure firmware digest, the safe processor verifying the secure firmware download-update file specifically comprises: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the secure firmware download-update file contained in the secure firmware download-update header file (or the safe processor directly selects a preset hash algorithm); performs a hash operation, using the selected hash algorithm, on the secure firmware download-update file stored in the external flash of the safe processor; decrypts the secure firmware update key ciphertext with the root key to obtain the secure firmware update key plaintext; performs signature verification, using the secure firmware update key plaintext, on the signature data contained in the secure firmware download-update header file to obtain the secure firmware download-update file digest and the secure firmware download key; and judges whether the secure firmware download-update file digest obtained by signature verification is consistent with the digest obtained by the hash operation on the secure firmware download-update file stored in the external flash of the safe processor; if so, the verification passes; otherwise the verification does not pass.
Step 812, the safe processor writes a secure firmware update flag in the external flash of the safe processor, and performs step 814;
In the present embodiment, step 812 may further comprise: the safe processor controls the LCD to display a prompt to restart the terminal.
Step 813, the safe processor erases the secure firmware download-update header file and the secure firmware download-update file stored in the external flash of the safe processor, and performs step 814;
In the present embodiment, step 813 may further comprise: the safe processor controls the LCD to display a corresponding error prompt.
Step 814, the safe processor returns a secure firmware download-end instruction response to the application processor;
Step 815, the application processor organizes the response data according to the secure firmware download-end instruction response returned by the safe processor, encapsulates the response data into CCID communication protocol layer data, and returns it to the host computer.
Referring to Fig. 6, in the present embodiment, replacing the test secure firmware in the financial terminal with the formal secure firmware specifically comprises:
Step 901: the safe processor verifies the secure firmware download-update file stored in the external flash of the safe processor; if verification passes, step 903 is performed; if verification fails, step 902 is performed;
In the present embodiment, when the secure firmware download-update file contains the formal secure firmware and the signature value of the formal secure firmware digest, the safe processor verifies the secure firmware download-update file as follows: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the secure firmware download-update file contained in the secure firmware download-update header file (or directly selects a default hash algorithm); performs a hash operation, with the selected hash algorithm, on the secure firmware download-update file stored in the external flash of the safe processor; decrypts the secure firmware update key ciphertext with the root key to obtain the secure firmware update key plaintext; uses the secure firmware update key plaintext to verify the signature data contained in the secure firmware download-update header file, obtaining the secure firmware download-update file digest; and judges whether the digest obtained by signature verification is consistent with the digest obtained by the hash operation on the secure firmware download-update file stored in the external flash of the safe processor. If they are consistent, verification passes; otherwise verification fails;
In the present embodiment, when the secure firmware download-update file contains the ciphertext obtained by encrypting the formal secure firmware and the signature value of the formal secure firmware digest, the safe processor verifies the secure firmware download-update file as follows: the safe processor selects the corresponding hash algorithm according to the checking mode information in the information of the secure firmware download-update file contained in the secure firmware download-update header file (or directly selects a default hash algorithm); performs a hash operation, with the selected hash algorithm, on the secure firmware download-update file stored in the external flash of the safe processor; decrypts the secure firmware update key ciphertext with the root key to obtain the secure firmware update key plaintext; uses the secure firmware update key plaintext to verify the signature data contained in the secure firmware download-update header file, obtaining the secure firmware download-update file digest and the secure firmware download key; and judges whether the digest obtained by signature verification is consistent with the digest obtained by the hash operation on the secure firmware download-update file stored in the external flash of the safe processor. If they are consistent, verification passes; otherwise verification fails.
Step 902: the safe processor erases the secure firmware download-update header file, the secure firmware download-update file and the secure firmware update flag stored in the external flash of the safe processor, prompts an error, and ends;
In the present embodiment, the safe processor prompting an error may specifically be the safe processor controlling the LCD to display an error prompt.
Step 903: the safe processor obtains the formal secure firmware and the signature value of its digest from the secure firmware download-update file stored in the external flash of the safe processor;
In the present embodiment, when the secure firmware download-update file contains the formal application firmware and the signature value of the formal secure firmware digest, step 903 specifically comprises: the safe processor reads the secure firmware download-update file stored in the external flash of the safe processor to obtain the formal secure firmware and the signature value of its digest.
In the present embodiment, when the secure firmware download-update file contains the ciphertext obtained by encrypting the formal secure firmware and the signature value of the formal secure firmware digest, step 903 specifically comprises: the safe processor decrypts the secure firmware update key ciphertext with the root key to obtain the secure firmware update key plaintext; uses the secure firmware update key plaintext to verify the signature data contained in the secure firmware download-update header file; obtains the secure firmware download key from the signature verification result; selects the corresponding encryption and decryption algorithm according to the encryption mode information in the information of the secure firmware download-update file contained in the secure firmware download-update header file (or directly selects a preset encryption and decryption algorithm); and, with the selected algorithm, uses the secure firmware download key to decrypt the secure firmware download-update file stored in the external flash of the safe processor, obtaining the formal secure firmware and the signature value of its digest.
Step 904: the safe processor writes the formal secure firmware and the signature value of its digest into the internal flash of the safe processor;
Specifically, the safe processor writes the formal secure firmware and the signature value of its digest to the firmware storage address of the internal flash of the safe processor.
In the present embodiment, steps 903 to 904 specifically comprise: each time, the safe processor obtains update data of a preset length from the secure firmware download-update file stored in the external flash of the safe processor and stores the update data just obtained, in order, at the firmware storage address of the internal flash of the safe processor, until the whole of the formal secure firmware and the signature value of its digest has been obtained.
Step 905: the safe processor erases the secure firmware download-update header file, the secure firmware download-update file and the secure firmware download-update flag stored in the external flash of the safe processor.
Embodiment 2
The present embodiment provides a financial terminal which, as shown in Fig. 7, specifically comprises: a communication module 11, a security environment establishment module 12, a memory module 13, a safe boot download-update module 14, an application firmware download-update module 15 and a secure firmware download-update module 16. The specific functions of these modules are as follows:
Communication module 11, configured to receive the establish security environment instruction, the safe boot download-update instruction, the application firmware download-update instruction and the secure firmware download-update instruction issued by the host computer; and further configured to return a response to the host computer when the security environment establishment module 12, the safe boot download-update module 14, the application firmware download-update module 15 or the secure firmware download-update module 16 finishes running;
Security environment establishment module 12, configured to start the safety detection function when the communication module 11 receives the establish security environment instruction issued by the host computer;
Memory module 13, configured to store the test application boot, the test application firmware, the test safe boot and the test secure firmware;
Safe boot download-update module 14, configured, when the communication module 11 receives the safe boot download-update instruction issued by the host computer, to download the formal safe boot and update the test safe boot in the memory module 13 with the formal safe boot;
Application firmware download-update module 15, configured, when the communication module 11 receives the application firmware download-update instruction issued by the host computer, to download the formal application firmware and update the test application firmware in the memory module 13 with the formal application firmware;
Secure firmware download-update module 16, configured, when the communication module 11 receives the secure firmware download-update instruction issued by the host computer, to download the formal secure firmware and update the test secure firmware in the memory module 13 with the formal secure firmware.
In the present embodiment, the financial terminal may also comprise an intrusion detection module 17, configured to start the intrusion detection function when the communication module 11 receives the start intrusion detection function instruction issued by the host computer, and to obtain the intrusion detection state when the communication module 11 receives the obtain intrusion detection state instruction issued by the host computer;
Correspondingly, the communication module 11 is further configured to receive the start intrusion detection function instruction and the obtain intrusion detection state instruction issued by the host computer, and, when the intrusion detection module 17 finishes running, to return a response or the intrusion detection state to the host computer;
Further, the security environment establishment module 12 is specifically configured to start the temperature detection function and the voltage detection function when the communication module 11 receives the establish security environment instruction issued by the host computer.
In the present embodiment, the security environment establishment module 12 is further configured to initialize the anti-exhaustion space when the communication module 11 receives the establish security environment instruction issued by the host computer.
In the present embodiment, the financial terminal also comprises a safe boot verification module 18, configured to verify the formal safe boot downloaded by the safe boot download-update module 14;
Correspondingly, the safe boot download-update module 14 is specifically configured to download the formal safe boot when the communication module 11 receives the safe boot download-update instruction issued by the host computer, and, when the safe boot verification module 18 verifies successfully, to update the test safe boot in the memory module 13 with the formal safe boot;
Further, the safe boot download-update module 14 specifically comprises a first judging unit, a first acquiring unit, a first storage unit and a first updating unit, whose specific functions are as follows:
First judging unit, configured to judge the type of the safe boot download-update instruction when the communication module 11 receives the safe boot download-update instruction issued by the host computer;
First acquiring unit, configured to obtain the safe boot checksum from the download start instruction when the first judging unit judges that the safe boot download-update instruction is a download start instruction; and to obtain the safe boot update data from the download instruction when the first judging unit judges that the safe boot download-update instruction is a download instruction;
First storage unit, configured to store the safe boot checksum and the safe boot update data obtained by the first acquiring unit;
First updating unit, configured to update the test safe boot in the memory module 13 with the safe boot update data in the first storage unit when the safe boot verification module 18 verifies successfully;
The safe boot verification module 18 is specifically configured, when the first judging unit judges that the safe boot download-update instruction is a download end instruction, to verify the safe boot update data in the first storage unit according to the safe boot checksum in the first storage unit;
Further, the safe boot download-update module 14 also comprises a clearing unit, configured to clear the safe boot update data and the safe boot checksum in the first storage unit when the first updating unit finishes running and when the safe boot verification module 18 fails verification.
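The download start, download and download end handling of the safe boot download-update module described above (judging, acquiring, storage, verification, updating and clearing units), sketched in C as an added example that is not code from the patent. CRC-32 as the checksum, the 4-byte big-endian checksum payload, the buffer sizes and all identifiers are assumptions; the patent does not specify them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STAGING_SIZE 256 /* external flash staging area; size is illustrative */
#define BOOT_SIZE    256 /* internal flash region of the active safe boot */

enum cmd_type { CMD_DOWNLOAD_START, CMD_DOWNLOAD_DATA, CMD_DOWNLOAD_END };
enum status   { ST_OK, ST_BAD_COMMAND, ST_TOO_LARGE, ST_VERIFY_FAILED };

struct terminal {
    uint8_t  ext_flash[STAGING_SIZE]; /* staged update data */
    size_t   staged_len;
    uint32_t expected_sum;            /* checksum from the download start instruction */
    int      download_open;
    uint8_t  int_flash[BOOT_SIZE];    /* active safe boot image */
    size_t   boot_len;
};

/* Assumption: CRC-32 (reflected, polynomial 0xEDB88320) stands in for the checksum. */
static uint32_t boot_crc32(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Clearing unit: erase staged data and checksum (erased flash reads 0xFF). */
static void clear_staging(struct terminal *t) {
    memset(t->ext_flash, 0xFF, sizeof t->ext_flash);
    t->staged_len = 0;
    t->expected_sum = 0;
    t->download_open = 0;
}

static void terminal_init(struct terminal *t, const uint8_t *test_boot, size_t n) {
    memset(t, 0, sizeof *t);
    t->boot_len = n > BOOT_SIZE ? BOOT_SIZE : n;
    memcpy(t->int_flash, test_boot, t->boot_len);
    clear_staging(t);
}

/* Judging unit: dispatch on the type of the safe boot download-update instruction. */
static enum status handle_boot_cmd(struct terminal *t, enum cmd_type type,
                                   const uint8_t *payload, size_t len) {
    enum status st = ST_VERIFY_FAILED;
    if (payload == NULL && type != CMD_DOWNLOAD_END)
        return ST_BAD_COMMAND;
    switch (type) {
    case CMD_DOWNLOAD_START:
        if (len != 4)
            return ST_BAD_COMMAND;
        clear_staging(t); /* drop any half-finished download */
        t->expected_sum = ((uint32_t)payload[0] << 24) | ((uint32_t)payload[1] << 16) |
                          ((uint32_t)payload[2] << 8) | (uint32_t)payload[3];
        t->download_open = 1;
        return ST_OK;
    case CMD_DOWNLOAD_DATA:
        if (!t->download_open)
            return ST_BAD_COMMAND;
        if (len > STAGING_SIZE - t->staged_len) { /* bound check without overflow */
            clear_staging(t);
            return ST_TOO_LARGE;
        }
        memcpy(t->ext_flash + t->staged_len, payload, len);
        t->staged_len += len;
        return ST_OK;
    case CMD_DOWNLOAD_END:
        if (!t->download_open)
            return ST_BAD_COMMAND;
        /* Verify the staged copy before the active image is touched. */
        if (t->staged_len > 0 && t->staged_len <= BOOT_SIZE &&
            boot_crc32(t->ext_flash, t->staged_len) == t->expected_sum) {
            memset(t->int_flash, 0xFF, sizeof t->int_flash);
            memcpy(t->int_flash, t->ext_flash, t->staged_len);
            t->boot_len = t->staged_len;
            st = ST_OK;
        }
        clear_staging(t); /* cleared after an update and after a failed check alike */
        return st;
    }
    return ST_BAD_COMMAND;
}

int main(void) {
    /* Constructed sample: the CRC-32 of "123456789" is 0xCBF43926. */
    static const uint8_t sum[4] = { 0xCB, 0xF4, 0x39, 0x26 };
    struct terminal t;
    terminal_init(&t, (const uint8_t *)"TESTBOOT", 8);
    handle_boot_cmd(&t, CMD_DOWNLOAD_START, sum, 4);
    handle_boot_cmd(&t, CMD_DOWNLOAD_DATA, (const uint8_t *)"123456789", 9);
    enum status st = handle_boot_cmd(&t, CMD_DOWNLOAD_END, NULL, 0);
    printf("download end -> %d, active image length %zu\n", (int)st, t.boot_len);
    return 0;
}
```

A checksum of this kind detects a corrupted or incomplete transfer; the application firmware and secure firmware paths in this document instead compare a hash of the staged file with a digest recovered by signature verification.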
In the present embodiment, the financial terminal also comprises an application firmware verification module 19, configured to verify, according to the application firmware update key in the memory module 13, the formal application firmware downloaded by the application firmware download-update module 15; correspondingly:
The memory module 13 is further configured to store the application firmware update key;
The security environment establishment module 12 is further configured, when the communication module 11 receives the establish security environment instruction issued by the host computer, to generate a root key and encrypt the application firmware update key in the memory module 13 with the root key;
The application firmware download-update module 15 is specifically configured to download the formal application firmware when the communication module 11 receives the application firmware download-update instruction issued by the host computer, and, after the application firmware verification module 19 verifies successfully, to update the test application firmware in the memory module 13 with the formal application firmware.
Further, the application firmware download-update module 15 specifically comprises a first download submodule and a first update submodule, wherein:
The first download submodule specifically comprises a second judging unit, a second acquiring unit and a second storage unit, whose specific functions are as follows:
Second judging unit, configured to judge the type of the application firmware download-update instruction when the communication module 11 receives the application firmware download-update instruction issued by the host computer;
Second acquiring unit, configured to obtain the application firmware download-update header file in the download start instruction when the second judging unit judges that the application firmware download-update instruction is a download start instruction; and to obtain the application firmware download-update file in the download instruction when the second judging unit judges that the application firmware download-update instruction is a download instruction;
Second storage unit, configured to store the application firmware download-update header file and the application firmware download-update file obtained by the second acquiring unit;
The first update submodule is configured to update the test application firmware in the memory module 13 after the application firmware verification module 19 verifies successfully, and specifically comprises an erasing unit, a first extraction unit and a writing unit, whose specific functions are as follows:
Erasing unit, configured to erase the test application firmware in the memory module 13 after the application firmware verification module 19 verifies successfully;
First extraction unit, configured to obtain the formal application firmware from the application firmware download-update file in the second storage unit;
Writing unit, configured to write the formal application firmware obtained by the first extraction unit into the memory module 13;
In the present embodiment, the first extraction unit is further configured to obtain the signature value of the digest of the formal application firmware from the application firmware download-update file in the second storage unit; the writing unit is further configured to write the signature value of the digest of the formal application firmware obtained by the first extraction unit into the memory module 13;
The first extraction unit is specifically configured to: use the root key to decrypt the encrypted application firmware update key in the memory module 13; use the decrypted application firmware update key to verify the signature data contained in the application firmware download-update header file in the second storage unit; use the application firmware download key obtained by signature verification to decrypt the application firmware download-update file in the second storage unit; and obtain from the decryption result the formal application firmware and the signature value of the formal application firmware digest.
Further, the application firmware verification module 19 is specifically configured, when the second judging unit judges that the application firmware download-update instruction is a download end instruction, to verify the application firmware download-update file in the second storage unit according to the application firmware update key in the memory module 13, and, when verification fails, to clear the application firmware download-update header file and the application firmware download-update file in the second storage unit;
Further, the application firmware verification module 19 specifically comprises a first hash unit, a first signature verification unit and a first check unit, whose specific functions are as follows:
First hash unit, configured to perform a hash operation on the application firmware download-update file in the second storage unit when the second judging unit judges that the application firmware download-update instruction is a download end instruction;
First signature verification unit, configured to use the root key to decrypt the encrypted application firmware update key in the memory module 13, and to use the decrypted application firmware update key to verify the signature data in the application firmware download-update header file in the second storage unit;
First check unit, configured to judge whether the signature verification result obtained by the first signature verification unit is identical to the hash result obtained by the first hash unit; if identical, verification passes; if not identical, verification fails, and the application firmware download-update header file and the application firmware download-update file in the second storage unit are cleared.
In the present embodiment, the financial terminal also comprises a secure firmware verification module 20, configured to verify, according to the secure firmware update key in the memory module 13, the formal secure firmware downloaded by the secure firmware download-update module 16; correspondingly:
The memory module 13 is further configured to store the secure firmware update key;
The security environment establishment module 12 is further configured, when the communication module 11 receives the establish security environment instruction issued by the host computer, to generate a root key and encrypt the secure firmware update key in the memory module 13 with the root key;
The secure firmware download-update module 16 is specifically configured to download the formal secure firmware when the communication module 11 receives the secure firmware download-update instruction issued by the host computer, and, after the secure firmware verification module 20 verifies successfully, to update the test secure firmware in the memory module 13 with the formal secure firmware.
Further, the secure firmware download-update module 16 specifically comprises a second download submodule and a second update submodule, wherein:
The second download submodule specifically comprises a third judging unit, a third acquiring unit and a third storage unit, whose specific functions are as follows:
Third judging unit, configured to judge the type of the secure firmware download-update instruction when the communication module 11 receives the secure firmware download-update instruction issued by the host computer;
Third acquiring unit, configured to obtain the secure firmware download-update header file in the download start instruction when the third judging unit judges that the secure firmware download-update instruction is a download start instruction; and to obtain the secure firmware download-update file in the download instruction when the third judging unit judges that the secure firmware download-update instruction is a download instruction;
Third storage unit, configured to store the secure firmware download-update header file and the secure firmware download-update file obtained by the third acquiring unit;
The second update submodule is configured to update the test secure firmware in the memory module 13 after the secure firmware verification module 20 verifies successfully, and specifically comprises a second extraction unit and a second updating unit, whose specific functions are as follows:
Second extraction unit, configured to obtain the formal secure firmware from the secure firmware download-update file in the third storage unit after the secure firmware verification module 20 verifies successfully;
Second updating unit, configured to update the test secure firmware in the memory module 13 with the formal secure firmware obtained by the second extraction unit;
In the present embodiment, the second extraction unit is further configured to obtain the signature value of the digest of the formal secure firmware from the secure firmware download-update file in the third storage unit; the second updating unit is further configured to write the signature value of the digest of the formal secure firmware obtained by the second extraction unit into the memory module 13;
The second extraction unit is specifically configured to: use the root key to decrypt the encrypted secure firmware update key in the memory module 13; use the decrypted secure firmware update key to verify the signature data contained in the secure firmware download-update header file in the third storage unit; use the secure firmware download key obtained by signature verification to decrypt the secure firmware download-update file in the third storage unit; and obtain from the decryption result the formal secure firmware and the signature value of the formal secure firmware digest.
Further, the secure firmware verification module 20 is specifically configured, when the third judging unit judges that the secure firmware download-update instruction is a download end instruction, to verify the secure firmware download-update file in the third storage unit according to the secure firmware update key in the memory module 13;
Further, the secure firmware verification module 20 specifically comprises a second hash unit, a second signature verification unit and a second check unit, whose specific functions are as follows:
Second hash unit, configured to perform a hash operation on the secure firmware download-update file in the third storage unit when the third judging unit judges that the secure firmware download-update instruction is a download end instruction;
Second signature verification unit, configured to use the root key to decrypt the encrypted secure firmware update key in the memory module 13, and to use the decrypted secure firmware update key to verify the signature data in the secure firmware download-update header file in the third storage unit;
Second check unit, configured to judge whether the signature verification result obtained by the second signature verification unit is identical to the hash result obtained by the second hash unit; if identical, verification passes; if not identical, verification fails.
The above embodiments are preferred embodiments of the present invention; ordinary changes and substitutions made by those skilled in the art within the scope of the technical solution of the present invention shall all fall within the protection scope of the present invention.

Claims (40)

1. A firmware programming method for a secure financial terminal, characterized by comprising:
Step S1: the financial terminal receives an instruction issued by the host computer; when an establish security environment instruction issued by the host computer is received, step S2 is performed; when a safe boot download-update instruction issued by the host computer is received, step S3 is performed; when an application firmware download-update instruction issued by the host computer is received, step S4 is performed; when a secure firmware download-update instruction issued by the host computer is received, step S5 is performed;
Step S2: the financial terminal starts the safety detection function, returns a response to the host computer, and returns to step S1;
Step S3: the financial terminal downloads the formal safe boot, updates the test safe boot in the financial terminal to the formal safe boot, returns a response to the host computer, and returns to step S1;
Step S4: the financial terminal downloads the formal application firmware, updates the test application firmware in the financial terminal to the formal application firmware, returns a response to the host computer, and returns to step S1;
Step S5: the financial terminal downloads the formal secure firmware, updates the test secure firmware in the financial terminal to the formal secure firmware, returns a response to the host computer, and returns to step S1.
2. the method for claim 1, is characterized in that, also comprises in described step S1: when receiving the startup intrusion measuring ability instruction that host computer issues, described financial terminal starts intrusion measuring ability, returns response, return step S1 to host computer; When receiving the acquisition intrusion detected state instruction that host computer issues, obtaining and invading detected state, returning described intrusion detected state to host computer, return step S1.
3. method as claimed in claim 2, it is characterized in that, described safety detection function comprises temperature detecting function and voltage detecting function.
4. the method for claim 1, is characterized in that, also comprises in described step S2: the exhaustive parameter space of the initial chemoprevention of described financial terminal.
5. the method for claim 1, it is characterized in that, in described step S3, described financial terminal also comprises after downloading formal safe boot: verify described formal safe boot, if verify by; continue to perform and described safe boot in described financial terminal be updated to described formal safe boot, if verification not by; return response directly to host computer, return step S1.
6. The method of claim 5, characterized in that step S3 specifically comprises:
Step 1-1: when the application processor in the financial terminal receives the safe boot download-update instruction, it judges the type of the safe boot download-update instruction; if it is a download start instruction, step 1-2 is performed; if it is a download instruction, step 1-3 is performed; if it is a download end instruction, step 1-4 is performed;
Step 1-2: the application processor obtains the safe boot checksum from the download start instruction, sends the safe boot checksum to the safe processor in the financial terminal, where it is stored in the external flash of the safe processor, and returns a response to the host computer;
Step 1-3: the application processor obtains the safe boot update data from the download instruction, sends the safe boot update data to the safe processor, where it is stored in the external flash of the safe processor, and returns a response to the host computer;
Step 1-4: the application processor sends a safe boot download end instruction to the safe processor, and step 1-5 is performed;
Step 1-5: the safe processor verifies the safe boot update data according to the safe boot checksum; if verification passes, it updates the test safe boot in the internal flash of the safe processor with the safe boot update data, returns a safe boot download end instruction response to the application processor, and step 1-6 is performed; if verification fails, it returns a safe boot download end instruction response to the application processor, and step 1-6 is performed;
Step 1-6: the application processor returns a response to the host computer according to the safe boot download end instruction response.
7. The method of claim 6, characterized in that, in step 1-5, before step 1-6 is performed, the method further comprises: the safe processor clears the safe boot update data and the safe boot checksum in the external flash of the safe processor.
8. the method for claim 1, is characterized in that, also comprises in described step S2: described financial terminal generates root key, the application firmware prestored with described root key encryption more new key;
In described step S4, described financial terminal also comprises after downloading formal application firmware: upgrade formal application firmware described in key verification according to described application firmware, if verify by; according to described application firmware more new key continue to perform and described Test Application firmware in described financial terminal be updated to described formal application firmware, if verification not by; return response directly to host computer, return step S1.
9. The method of claim 8, characterized in that the financial terminal downloading the formal application firmware and verifying the formal application firmware according to the application firmware update key specifically comprises:
Step 2-1: when the application processor in the financial terminal receives the application firmware download-update instruction, it judges the type of the application firmware download-update instruction; if it is a download start instruction, step 2-2 is performed; if it is a download instruction, step 2-3 is performed; if it is a download end instruction, step 2-4 is performed;
Step 2-2: the application processor obtains the application firmware download-update header file from the download start instruction, sends the application firmware download-update header file to the safe processor in the financial terminal, where it is stored in the external flash of the safe processor, and returns a response to the host computer;
Step 2-3: the application processor obtains the application firmware download-update file from the download instruction, sends the application firmware download-update file to the safe processor, where it is stored in the external flash of the safe processor, and returns a response to the host computer;
Step 2-4: the application processor issues an application firmware download end instruction to the safe processor, and step 2-5 is performed;
Step 2-5: the safe processor verifies the application firmware download-update file according to the application firmware update key; if verification passes, it returns an application firmware download end instruction response to the application processor, and step 2-6 is performed; if verification fails, it clears the application firmware download-update header file and the application firmware download-update file in the external flash of the safe processor, returns an application firmware download end instruction response to the application processor, and step 2-6 is performed;
Step 2-6: the application processor returns a response to the host computer according to the application firmware download end instruction response.
10. The method of claim 9, characterized in that the safe processor verifying the application firmware download-update file according to the application firmware update key specifically comprises: the safe processor performs a hash operation on the application firmware download-update file; uses the root key to decrypt the encrypted application firmware update key; uses the decrypted application firmware update key to verify the signature data in the application firmware download-update header file; and judges whether the application firmware download-update file digest obtained by signature verification is identical to the digest obtained by the hash operation; if identical, verification passes; if not identical, verification fails.
11. The method as claimed in claim 9, characterized in that the financial terminal updating the test application firmware in the financial terminal to the formal application firmware specifically comprises:
Step 3-1: the application processor erases the test application firmware in the internal flash of the application processor and sends an instruction to obtain the formal application firmware to the secure processor;
Step 3-2: the secure processor obtains the formal application firmware from the application firmware download-update file and returns the formal application firmware to the application processor;
Step 3-3: the application processor writes the formal application firmware into the internal flash of the application processor.
12. The method as claimed in claim 11, characterized in that step 3-2 further comprises: the secure processor obtains the signature value of the digest of the formal application firmware from the application firmware download-update file and returns the signature value of the digest of the formal application firmware to the application processor;
Step 3-3 further comprises: the application processor writes the signature value of the digest of the formal application firmware into the internal flash of the application processor.
13. The method as claimed in claim 12, characterized in that the secure processor obtaining the formal application firmware from the application firmware download-update file, and the secure processor obtaining the signature value of the digest of the formal application firmware from the application firmware download-update file, specifically comprise: the secure processor uses the root key to decrypt the encrypted application firmware update key, uses the decrypted application firmware update key to verify the signature data contained in the application firmware download-update header file, decrypts the application firmware download-update file with the application firmware download key obtained by the signature verification, and obtains the formal application firmware and the signature value of the digest of the formal application firmware from the decryption result.
14. the method for claim 1, is characterized in that, also comprise in described step S2: described financial terminal generates root key, the secure firmware prestored with described root key encryption more new key;
In described step S5, described financial terminal also comprises after downloading formal secure firmware: upgrade formal secure firmware described in key verification according to described secure firmware, if verify by; according to described secure firmware more new key continue to perform and described test safety firmware in described financial terminal be updated to described formal secure firmware, if verification not by; return response directly to host computer, return step S1.
15. The method as claimed in claim 14, characterized in that the financial terminal downloading the formal secure firmware and verifying the formal secure firmware according to the secure firmware update key specifically comprises:
Step 4-1: when the application processor in the financial terminal receives the secure firmware download-update instruction, it judges the type of the secure firmware download-update instruction; if it is a download start instruction, step 4-2 is performed; if it is a download instruction, step 4-3 is performed; if it is a download end instruction, step 4-4 is performed;
Step 4-2: the application processor obtains the secure firmware download-update header file from the download start instruction, sends the secure firmware download-update header file to the secure processor in the financial terminal to be stored in the external flash of the secure processor, and returns a response to the host computer;
Step 4-3: the application processor obtains the secure firmware download-update file from the download instruction, sends the secure firmware download-update file to the secure processor to be stored in the external flash of the secure processor, and returns a response to the host computer;
Step 4-4: the application processor issues a secure firmware download end instruction to the secure processor, and step 4-5 is performed;
Step 4-5: the secure processor verifies the secure firmware download-update file according to the secure firmware update key; if the verification passes, it returns a secure firmware download end instruction response to the application processor, and step 4-6 is performed; if the verification fails, it clears the secure firmware download-update header file and the secure firmware download-update file in the external flash of the secure processor, returns a secure firmware download end instruction response to the application processor, and step 4-6 is performed;
Step 4-6: the application processor returns a response to the host computer according to the secure firmware download end instruction response.
16. The method as claimed in claim 15, characterized in that the secure processor verifying the application firmware download-update file according to the application firmware update key specifically comprises: the secure processor performs a hash operation on the secure firmware download-update file, uses the root key to decrypt the encrypted secure firmware update key, uses the decrypted secure firmware update key to verify the signature data in the secure firmware download-update header file, and judges whether the digest of the secure firmware download-update file obtained by the signature verification is identical to the digest obtained by the hash operation; if identical, the verification passes; if not identical, the verification fails.
17. The method as claimed in claim 15, characterized in that the financial terminal updating the test secure firmware in the financial terminal to the formal secure firmware specifically comprises:
Step 5-1: the secure processor obtains the formal secure firmware from the secure firmware download-update file;
Step 5-2: the test secure firmware in the internal flash of the secure processor is updated with the formal secure firmware.
18. The method as claimed in claim 17, characterized in that step 5-1 further comprises: the secure processor obtains the signature value of the digest of the formal secure firmware from the secure firmware download-update file;
Step 5-2 further comprises: the secure processor writes the signature value of the digest of the formal secure firmware into the internal flash of the secure processor.
19. The method as claimed in claim 18, characterized in that the secure processor obtaining the formal secure firmware from the secure firmware download-update file, and the secure processor obtaining the signature value of the digest of the formal secure firmware from the secure firmware download-update file, specifically comprise: the secure processor uses the root key to decrypt the encrypted secure firmware update key, uses the decrypted secure firmware update key to verify the signature data contained in the secure firmware download-update header file, decrypts the secure firmware download-update file with the secure firmware download key obtained by the signature verification, and obtains the formal secure firmware and the signature value of the digest of the formal secure firmware from the decryption result.
20. the method for claim 1, it is characterized in that, described financial terminal also comprises before performing described step S3: described financial terminal checks that security context is set up mark and whether is set, if be set, perform described step S3, if be not set, return error message code to host computer, return step S1;
Also comprise in described step S2: security context described in described financial terminal set sets up mark;
Described financial terminal also comprises before performing described step S4 or step S5: described financial terminal checks that safe boot upgrades mark and whether is set, if be set, perform described step S4 or step S5, if be not set, return error message code to host computer, return step S1;
Also comprise in described step S3: described in described financial terminal set, safe boot upgrades mark.
21. A financial terminal, characterized by comprising: a communication module, a security environment establishment module, a memory module, a secure boot download-update module, an application firmware download-update module and a secure firmware download-update module;
The communication module is configured to receive the establish-security-environment instruction, the secure boot download-update instruction, the application firmware download-update instruction and the secure firmware download-update instruction issued by the host computer;
The security environment establishment module is configured to start the security detection function when the communication module receives the establish-security-environment instruction issued by the host computer;
The memory module is configured to store the test application boot, the test application firmware, the test secure boot and the test secure firmware;
The secure boot download-update module is configured to, when the communication module receives the secure boot download-update instruction issued by the host computer, download the formal secure boot and update the test secure boot in the memory module with the formal secure boot;
The application firmware download-update module is configured to, when the communication module receives the application firmware download-update instruction issued by the host computer, download the formal application firmware and update the test application firmware in the memory module with the formal application firmware;
The secure firmware download-update module is configured to, when the communication module receives the secure firmware download-update instruction issued by the host computer, download the formal secure firmware and update the test secure firmware in the memory module with the formal secure firmware;
The communication module is further configured to return a response to the host computer when the security environment establishment module, the secure boot download-update module, the application firmware download-update module and the secure firmware download-update module finish running.
22. The financial terminal as claimed in claim 21, characterized by further comprising an intrusion detection module;
The communication module is further configured to receive the start-intrusion-detection-function instruction and the get-intrusion-detection-state instruction issued by the host computer, and, when the intrusion detection module finishes running, to return a response or the intrusion detection state to the host computer;
The intrusion detection module is configured to start the intrusion detection function when the communication module receives the start-intrusion-detection-function instruction issued by the host computer, and to obtain the intrusion detection state when the communication module receives the get-intrusion-detection-state instruction issued by the host computer.
23. The financial terminal as claimed in claim 22, characterized in that the security environment establishment module is specifically configured to start the temperature detection function and the voltage detection function when the communication module receives the establish-security-environment instruction issued by the host computer.
24. The financial terminal as claimed in claim 21, characterized in that the security environment establishment module is further configured to initialize the anti-exhaustive-search parameter space when the communication module receives the establish-security-environment instruction issued by the host computer.
25. The financial terminal as claimed in claim 21, characterized by further comprising a secure boot verification module, configured to verify the formal secure boot downloaded by the secure boot download-update module;
The secure boot download-update module is specifically configured to, when the communication module receives the secure boot download-update instruction issued by the host computer, download the formal secure boot and, when the verification by the secure boot verification module passes, update the test secure boot in the memory module with the formal secure boot.
26. The financial terminal as claimed in claim 25, characterized in that the secure boot download-update module specifically comprises: a judging unit, an acquiring unit, a storage unit and an updating unit;
The judging unit is configured to judge the type of the secure boot download-update instruction when the communication module receives the secure boot download-update instruction issued by the host computer;
The acquiring unit is configured to obtain the secure boot checksum from the download start instruction when the judging unit judges that the secure boot download-update instruction is a download start instruction, and to obtain the secure boot update data from the download instruction when the judging unit judges that the secure boot download-update instruction is a download instruction;
The storage unit is configured to store the secure boot checksum and the secure boot update data obtained by the acquiring unit;
The updating unit is configured to, when the verification by the secure boot verification module passes, update the test secure boot in the memory module with the secure boot update data in the storage unit;
The secure boot verification module is specifically configured to, when the judging unit judges that the secure boot download-update instruction is a download end instruction, verify the secure boot update data in the storage unit according to the secure boot checksum in the storage unit.
27. The financial terminal as claimed in claim 26, characterized in that the secure boot download-update module further comprises a clearing unit, configured to clear the secure boot update data and the secure boot checksum in the storage unit when the updating unit finishes running and when the verification by the secure boot verification module fails.
28. The financial terminal as claimed in claim 21, characterized by further comprising an application firmware verification module;
The memory module is further configured to store the application firmware update key;
The security environment establishment module is further configured to, when the communication module receives the establish-security-environment instruction issued by the host computer, generate a root key and encrypt the application firmware update key in the memory module with the root key;
The application firmware verification module is configured to verify, according to the application firmware update key in the memory module, the formal application firmware downloaded by the application firmware download-update module;
The application firmware download-update module is specifically configured to, when the communication module receives the application firmware download-update instruction issued by the host computer, download the formal application firmware and, after the verification by the application firmware verification module passes, update the test application firmware in the memory module with the formal application firmware.
29. The financial terminal as claimed in claim 28, characterized in that the application firmware download-update module specifically comprises: a download submodule and an update submodule;
The download submodule specifically comprises: a judging unit, an acquiring unit and a storage unit;
The judging unit is configured to judge the type of the application firmware download-update instruction when the communication module receives the application firmware download-update instruction issued by the host computer;
The acquiring unit is configured to obtain the application firmware download-update header file in the download start instruction when the judging unit judges that the application firmware download-update instruction is a download start instruction, and to obtain the application firmware download-update file in the download instruction when the judging unit judges that the application firmware download-update instruction is a download instruction;
The storage unit is configured to store the application firmware download-update header file and the application firmware download-update file obtained by the acquiring unit;
The update submodule is configured to update the test application firmware in the memory module after the verification by the application firmware verification module passes;
The application firmware verification module is specifically configured to, when the judging unit judges that the application firmware download-update instruction is a download end instruction, verify the application firmware download-update file in the storage unit according to the application firmware update key in the memory module, and, when the verification fails, clear the application firmware download-update header file and the application firmware download-update file in the storage unit.
30. The financial terminal as claimed in claim 29, characterized in that the application firmware verification module specifically comprises:
A hash unit, configured to perform a hash operation on the application firmware download-update file in the storage unit when the judging unit judges that the application firmware download-update instruction is a download end instruction;
A signature verification unit, configured to use the root key to decrypt the encrypted application firmware update key in the memory module, and to use the decrypted application firmware update key to verify the signature data in the application firmware download-update header file in the storage unit;
A checking unit, configured to judge whether the signature verification result obtained by the signature verification unit is identical to the hash result obtained by the hash unit; if identical, the verification passes; if not identical, the verification fails, and the application firmware download-update header file and the application firmware download-update file in the storage unit are cleared.
31. The financial terminal as claimed in claim 29, characterized in that the update submodule specifically comprises:
An erasing unit, configured to erase the test application firmware in the memory module after the verification by the application firmware verification module passes;
An extraction unit, configured to obtain the formal application firmware from the application firmware download-update file in the storage unit;
A writing unit, configured to write the formal application firmware obtained by the extraction unit into the memory module.
32. The financial terminal as claimed in claim 31, characterized in that the extraction unit is further configured to obtain the signature value of the digest of the formal application firmware from the application firmware download-update file in the storage unit;
The writing unit is further configured to write the signature value of the digest of the formal application firmware obtained by the extraction unit into the memory module.
33. The financial terminal as claimed in claim 32, characterized in that the extraction unit is specifically configured to: use the root key to decrypt the encrypted application firmware update key in the memory module, use the decrypted application firmware update key to verify the signature data contained in the application firmware download-update header file in the storage unit, decrypt the application firmware download-update file in the storage unit with the application firmware download key obtained by the signature verification, and obtain the formal application firmware and the signature value of the digest of the formal application firmware from the decryption result.
34. The financial terminal as claimed in claim 21, characterized by further comprising a secure firmware verification module;
The memory module is further configured to store the secure firmware update key;
The security environment establishment module is further configured to, when the communication module receives the establish-security-environment instruction issued by the host computer, generate a root key and encrypt the secure firmware update key in the memory module with the root key;
The secure firmware verification module is configured to verify, according to the secure firmware update key in the memory module, the formal secure firmware downloaded by the secure firmware download-update module;
The secure firmware download-update module is specifically configured to, when the communication module receives the secure firmware download-update instruction issued by the host computer, download the formal secure firmware and, after the verification by the secure firmware verification module passes, update the test secure firmware in the memory module with the formal secure firmware.
35. The financial terminal as claimed in claim 34, characterized in that the secure firmware download-update module specifically comprises: a download submodule and an update submodule;
The download submodule specifically comprises: a judging unit, an acquiring unit and a storage unit;
The judging unit is configured to judge the type of the secure firmware download-update instruction when the communication module receives the secure firmware download-update instruction issued by the host computer;
The acquiring unit is configured to obtain the secure firmware download-update header file in the download start instruction when the judging unit judges that the secure firmware download-update instruction is a download start instruction, and to obtain the secure firmware download-update file in the download instruction when the judging unit judges that the secure firmware download-update instruction is a download instruction;
The storage unit is configured to store the secure firmware download-update header file and the secure firmware download-update file obtained by the acquiring unit;
The update submodule is configured to update the test secure firmware in the memory module after the verification by the secure firmware verification module passes;
The secure firmware verification module is specifically configured to, when the judging unit judges that the secure firmware download-update instruction is a download end instruction, verify the secure firmware download-update file in the storage unit according to the secure firmware update key in the memory module.
36. The financial terminal as claimed in claim 35, characterized in that the secure firmware verification module specifically comprises:
A hash unit, configured to perform a hash operation on the secure firmware download-update file in the storage unit when the judging unit judges that the secure firmware download-update instruction is a download end instruction;
A signature verification unit, configured to use the root key to decrypt the encrypted secure firmware update key in the memory module, and to use the decrypted secure firmware update key to verify the signature data in the secure firmware download-update header file in the storage unit;
A checking unit, configured to judge whether the signature verification result obtained by the signature verification unit is identical to the hash result obtained by the hash unit; if identical, the verification passes; if not identical, the verification fails.
37. The financial terminal as claimed in claim 35, characterized in that the update submodule specifically comprises:
An extraction unit, configured to obtain the formal secure firmware from the secure firmware download-update file in the storage unit after the verification by the secure firmware verification module passes;
An updating unit, configured to update the test secure firmware in the memory module with the formal secure firmware obtained by the extraction unit.
38. The financial terminal as claimed in claim 37, characterized in that the extraction unit is further configured to obtain the signature value of the digest of the formal secure firmware from the secure firmware download-update file in the storage unit;
The updating unit is further configured to write the signature value of the digest of the formal secure firmware obtained by the extraction unit into the memory module.
39. The financial terminal as claimed in claim 38, characterized in that the extraction unit is specifically configured to: use the root key to decrypt the encrypted secure firmware update key in the memory module, use the decrypted secure firmware update key to verify the signature data contained in the secure firmware download-update header file in the storage unit, decrypt the secure firmware download-update file in the storage unit with the secure firmware download key obtained by the signature verification, and obtain the formal secure firmware and the signature value of the digest of the formal secure firmware from the decryption result.
40. The financial terminal as claimed in claim 21, characterized in that the memory module is further configured to store a security environment establishment flag and a secure boot update flag; the initial state of the security environment establishment flag and of the secure boot update flag is not set;
The security environment establishment module is further configured to set the security environment establishment flag in the memory module;
The secure boot download-update module is specifically configured to: when the communication module receives the secure boot download-update instruction issued by the host computer, check whether the security environment establishment flag in the memory module is set, and, when the security environment establishment flag is set, download the formal secure boot, update the test secure boot in the memory module with the formal secure boot, and set the secure boot update flag in the memory module;
The application firmware download-update module is specifically configured to: when the communication module receives the application firmware download-update instruction issued by the host computer, check whether the secure boot update flag in the memory module is set, and, when the secure boot update flag is set, download the formal application firmware and update the test application firmware in the memory module with the formal application firmware;
The secure firmware download-update module is specifically configured to: when the communication module receives the secure firmware download-update instruction issued by the host computer, check whether the secure boot update flag in the memory module is set, and, when the secure boot update flag is set, download the formal secure firmware and update the test secure firmware in the memory module with the formal secure firmware;
The communication module is further configured to return an error code to the host computer when the secure boot download-update module finds that the security environment establishment flag in the memory module is not set, when the application firmware download-update module finds that the secure boot update flag in the memory module is not set, and when the secure firmware download-update module finds that the secure boot update flag in the memory module is not set.
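The following is an added example, not code from the patent: a Python model of the secure-processor side of claims 15, 16 and 20, covering the start / data / end download instructions, the hash-and-signature verification with clearing of the external flash on failure, and the flag gating. The command names, status strings, the XOR keystream standing in for the root-key cipher and the constructed, unpadded toy RSA key are all assumptions, since the claims name no algorithms.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key (two Mersenne primes); illustrative only, never use such a key.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # vendor-side private exponent
KEY_BYTES = (N.bit_length() + 7) // 8


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Assumed stand-in for the root-key cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def vendor_sign(update_file: bytes) -> bytes:
    """Vendor side: sign the SHA-256 digest of the update file (unpadded, for illustration)."""
    digest = int.from_bytes(hashlib.sha256(update_file).digest(), "big")
    return pow(digest, D, N).to_bytes(KEY_BYTES, "big")


class SecureProcessor:
    def __init__(self, update_key: bytes):
        self.update_key = update_key    # pre-stored update key (here: the modulus N)
        self.root_key = None
        self.env_flag = False           # security environment establishment flag
        self.boot_flag = False          # secure boot update flag
        self.header = None              # external flash: update header (signature data)
        self.file = b""                 # external flash: update file

    def establish_environment(self) -> str:
        """Step S2: generate the root key, encrypt the stored update key, set the flag."""
        if not self.env_flag:
            self.root_key = os.urandom(32)
            self.update_key = keystream_xor(self.root_key, self.update_key)
            self.env_flag = True
        return "OK"

    def secure_boot_updated(self) -> str:
        """Gate of step S3 only: refused unless the environment flag is set."""
        if not self.env_flag:
            return "ERR_NO_ENVIRONMENT"
        self.boot_flag = True
        return "OK"

    def firmware_command(self, kind: str, payload: bytes = b"") -> str:
        """Steps S4/S5: start / data / end instructions, gated on the boot flag."""
        if not self.boot_flag:
            return "ERR_BOOT_NOT_UPDATED"
        if kind == "START":
            self.header, self.file = payload, b""
            return "OK"
        if kind == "DATA" and self.header is not None:
            self.file += payload
            return "OK"
        if kind == "END" and self.header is not None:
            if self.verify():
                return "OK"
            self.header, self.file = None, b""   # verification failed: clear the flash
            return "ERR_VERIFY"
        return "ERR_BAD_COMMAND"

    def verify(self) -> bool:
        """Decrypt the update key with the root key, recover the signed digest from
        the header, and compare it with the hash of the stored file."""
        n = int.from_bytes(keystream_xor(self.root_key, self.update_key), "big")
        sig = int.from_bytes(self.header, "big")
        if not 0 < sig < n:
            return False
        recovered = pow(sig, E, n).to_bytes(KEY_BYTES, "big")
        expected = hashlib.sha256(self.file).digest().rjust(KEY_BYTES, b"\0")
        return hmac.compare_digest(recovered, expected)


def run_demo():
    image = b"formal application firmware (constructed sample)" * 8
    sp = SecureProcessor(N.to_bytes(KEY_BYTES, "big"))
    results = [sp.firmware_command("START", vendor_sign(image))]  # before S2/S3
    sp.establish_environment()
    sp.secure_boot_updated()
    for tampered in (False, True):
        sp.firmware_command("START", vendor_sign(image))
        sp.firmware_command("DATA", image[:100])
        sp.firmware_command("DATA", (b"X" if tampered else b"") + image[100:])
        results.append(sp.firmware_command("END"))
    return results, sp.header, sp.file


if __name__ == "__main__":
    print(run_demo())
```

A production implementation would replace the keystream with an authenticated cipher and the unpadded RSA operation with a padded signature scheme; the control flow is the part that mirrors the claims.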
CN201510500802.3A 2015-08-14 2015-08-14 The firmware programming method and financial terminal of a kind of safe financial terminal Active CN105159707B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510500802.3A CN105159707B (en) 2015-08-14 2015-08-14 The firmware programming method and financial terminal of a kind of safe financial terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510500802.3A CN105159707B (en) 2015-08-14 2015-08-14 The firmware programming method and financial terminal of a kind of safe financial terminal

Publications (2)

Publication Number Publication Date
CN105159707A true CN105159707A (en) 2015-12-16
CN105159707B CN105159707B (en) 2018-06-29

Family

ID=54800572

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510500802.3A Active CN105159707B (en) 2015-08-14 2015-08-14 The firmware programming method and financial terminal of a kind of safe financial terminal

Country Status (1)

Country Link
CN (1) CN105159707B (en)

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106372538A (en) * 2016-08-30 2017-02-01 苏州国芯科技有限公司 Firmware protection method based on SoC (System on Chip)
CN107273150A (en) * 2017-05-10 2017-10-20 深圳市金百锐通信科技有限公司 Preload firmware and download wiring method and device
CN107634859A (en) * 2017-09-30 2018-01-26 飞天诚信科技股份有限公司 A kind of firmware upgrade method and device
CN108418893A (en) * 2018-03-20 2018-08-17 深圳市闪联信息技术有限公司 A kind of method of smart machine firmware safety upgrade
CN108804325A (en) * 2018-06-08 2018-11-13 郑州云海信息技术有限公司 A kind of test method to Secure Boot
CN109240721A (en) * 2018-08-24 2019-01-18 江苏恒宝智能系统技术有限公司 A kind of method of MCU online upgrading
CN109446815A (en) * 2018-09-30 2019-03-08 华为技术有限公司 Management method, device and the server of basic input output system firmware
CN109840104A (en) * 2017-11-27 2019-06-04 施耐德电器工业公司 For providing the method for the firmware update of equipment
CN110941819A (en) * 2019-11-14 2020-03-31 艾体威尔电子技术(北京)有限公司 double-CPU safety protection method for Android intelligent device
CN112035146A (en) * 2020-09-11 2020-12-04 深圳市兆珑科技有限公司 Firmware update method, security device, and computer-readable storage medium
CN112699345A (en) * 2020-12-30 2021-04-23 合肥市芯海电子科技有限公司 Method, system, equipment and storage medium for safe operation of firmware
CN113177422A (en) * 2020-09-30 2021-07-27 深圳华智融科技股份有限公司 Card detection method, computer device, and computer-readable storage medium
CN113434161A (en) * 2020-03-23 2021-09-24 成都鼎桥通信技术有限公司 Software version update control method and device
CN114785503A (en) * 2022-06-16 2022-07-22 北京智芯半导体科技有限公司 Cipher card, root key protection method thereof and computer readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101763272A (en) * 2008-11-05 2010-06-30 环旭电子股份有限公司 Electronic device firmware updating method and system
US20110271090A1 (en) * 2002-11-27 2011-11-03 Zimmer Vincent J Providing a secure execution mode in a pre-boot environment
CN104090790A (en) * 2014-06-30 2014-10-08 飞天诚信科技股份有限公司 Two-chip scheme firmware updating method for safety terminal
CN104408370A (en) * 2014-12-25 2015-03-11 珠海全志科技股份有限公司 Android system security verification method and verification device thereof
CN104603792A (en) * 2012-08-29 2015-05-06 微软公司 Secure firmware updates

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20110271090A1 (en) * 2002-11-27 2011-11-03 Zimmer Vincent J Providing a secure execution mode in a pre-boot environment
CN101763272A (en) * 2008-11-05 2010-06-30 环旭电子股份有限公司 Electronic device firmware updating method and system
CN104603792A (en) * 2012-08-29 2015-05-06 微软公司 Secure firmware updates
CN104090790A (en) * 2014-06-30 2014-10-08 飞天诚信科技股份有限公司 Two-chip scheme firmware updating method for safety terminal
CN104408370A (en) * 2014-12-25 2015-03-11 珠海全志科技股份有限公司 Android system security verification method and verification device thereof

Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106372538A (en) * 2016-08-30 2017-02-01 苏州国芯科技有限公司 Firmware protection method based on SoC (System on Chip)
CN107273150B (en) * 2017-05-10 2020-10-02 深圳市金百锐通信科技有限公司 Preloading firmware downloading and writing method and device
CN107273150A (en) * 2017-05-10 2017-10-20 深圳市金百锐通信科技有限公司 Preload firmware and download wiring method and device
CN107634859A (en) * 2017-09-30 2018-01-26 飞天诚信科技股份有限公司 A kind of firmware upgrade method and device
CN109840104A (en) * 2017-11-27 2019-06-04 施耐德电器工业公司 For providing the method for the firmware update of equipment
CN108418893A (en) * 2018-03-20 2018-08-17 深圳市闪联信息技术有限公司 A kind of method of smart machine firmware safety upgrade
CN108804325A (en) * 2018-06-08 2018-11-13 郑州云海信息技术有限公司 A kind of test method to Secure Boot
CN109240721A (en) * 2018-08-24 2019-01-18 江苏恒宝智能系统技术有限公司 A kind of method of MCU online upgrading
CN109446815A (en) * 2018-09-30 2019-03-08 华为技术有限公司 Management method, device and the server of basic input output system firmware
CN110941819A (en) * 2019-11-14 2020-03-31 艾体威尔电子技术(北京)有限公司 double-CPU safety protection method for Android intelligent device
CN110941819B (en) * 2019-11-14 2021-09-21 艾体威尔电子技术(北京)有限公司 double-CPU safety protection method for Android intelligent device
CN113434161A (en) * 2020-03-23 2021-09-24 成都鼎桥通信技术有限公司 Software version update control method and device
CN112035146A (en) * 2020-09-11 2020-12-04 深圳市兆珑科技有限公司 Firmware update method, security device, and computer-readable storage medium
CN112035146B (en) * 2020-09-11 2023-10-24 百富计算机技术(深圳)有限公司 Firmware updating method, security apparatus, and computer-readable storage medium
CN113177422A (en) * 2020-09-30 2021-07-27 深圳华智融科技股份有限公司 Card detection method, computer device, and computer-readable storage medium
CN113177422B (en) * 2020-09-30 2024-02-20 深圳华智融科技股份有限公司 Card detection method, computer device, and computer-readable storage medium
CN112699345A (en) * 2020-12-30 2021-04-23 合肥市芯海电子科技有限公司 Method, system, equipment and storage medium for safe operation of firmware
CN114785503A (en) * 2022-06-16 2022-07-22 北京智芯半导体科技有限公司 Cipher card, root key protection method thereof and computer readable storage medium
CN114785503B (en) * 2022-06-16 2022-09-23 北京智芯半导体科技有限公司 Cipher card, root key protection method thereof and computer readable storage medium

Also Published As

Publication number Publication date
CN105159707B (en) 2018-06-29

Similar Documents

Publication Publication Date Title
CN105159707A (en) Secure financial terminal firmware programming method and financial terminal
KR101393307B1 (en) Secure boot method and semiconductor memory system for using the method
US10013365B2 (en) Method for programming a control unit of a motor vehicle
KR20150008546A (en) Method and apparatus for executing secure download and function
KR101229521B1 (en) Method and apparatus for remotely verifying memory integrity of a device
US9992678B2 (en) Network locking or card locking method and device for a mobile terminal, terminal, SIM card, storage media
CN110719166A (en) Chip burning method, chip burning device, chip burning system and storage medium
US9971895B2 (en) Method and apparatus for supporting dynamic change of authentication means secure booting
CN104090790A (en) Two-chip scheme firmware updating method for safety terminal
US20160267273A1 (en) Software update apparatus and computer-readable storage medium storing software update program
CN103069384A (en) Host device and method for securely booting the host device with operating system code loaded from a storage device
US10268845B2 (en) Securing of the loading of data into a nonvolatile memory of a secure element
KR100872175B1 (en) Secure booting apparatus and method of mobile platform using TPM
CN109284114A (en) The automatic method for burn-recording of programmable chip in embedded system
CN105893837B (en) Application program installation method, security encryption chip and terminal
CN202584165U (en) IC card production testing system
CN112612486B (en) Memory burning method and device and chip to be burned
CN107273150B (en) Preloading firmware downloading and writing method and device
KR20190039645A (en) Generating checksums on trusted storage devices for accelerated authentication
CN116388980A (en) Android environment key segmentation processing method and device
CN110363010A (en) A kind of safety startup of system method based on MPSoC chip
CN111177709A (en) Execution method and device of terminal trusted component and computer equipment
US20100191949A1 (en) Information processing terminal and falsification verification method
CN110610360B (en) Hardware wallet binding authorization method and device
CN112231649A (en) Firmware encryption processing method, device, equipment and medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant