CN105159707B

CN105159707B - The firmware programming method and financial terminal of a kind of safe financial terminal

Info

Publication number: CN105159707B
Application number: CN201510500802.3A
Authority: CN
Inventors: 陆舟; 于华章
Original assignee: Feitian Technologies Co Ltd
Current assignee: Feitian Technologies Co Ltd
Priority date: 2015-08-14
Filing date: 2015-08-14
Publication date: 2018-06-29
Anticipated expiration: 2035-08-14
Also published as: CN105159707A

Abstract

The invention discloses the firmware programming methods and financial terminal of a kind of safe financial terminal, belong to financial security field.The foundation of security context, the download and update of safe boot, the download of application firmware and update and the download of secure firmware and update are completed according to the instruction that host computer issues the method includes financial terminal.The financial terminal includes communication module, security context establishes module, safe boot downloads update module, application firmware downloads update module and secure firmware downloads update module.The method have the advantage is capable of the security risks for the firmware programming method for avoiding existing financial terminal, improve the safety of financial terminal product.

Description

The firmware programming method and financial terminal of a kind of safe financial terminal

Technical field

The present invention relates to financial security field more particularly to the firmware programming methods and finance of a kind of safe financial terminal Terminal.

Background technology

Financial terminal needs to establish security context before the use, and financial terminal enters safe fortune after security context is established Row pattern can carry out the importing work of the sensitive datas such as key, password in such a mode.

Technical staff has found that the firmware programming method of existing financial terminal at least exists in the implementation of the present invention Following security risk：

1. the code for establishing security context is included in formal firmware, on the one hand so that attacker has an opportunity to make security context Establishing process performs again, mistake that on the other hand may also be due to secure firmware native codes or erroneous judgement, so as to cause safety Environment re-establishes, and causes safety problem.

2. run for the first time after formal firmware programming, i.e., security incident can be detected (i.e. financial terminal self-test), and Will detect there is security incident after be stopped, it is therefore desirable to conditional security incident inspection is performed in firmware program It surveys, i.e., when not yet establishing security context, security incident testing process is skipped according to the judgement of correlated condition, is built in security context After vertical, then by setting correlated condition, make firmware can be with operational safety event detection flow.This, which allows for attacker, has an opportunity to build The vertical correlated condition forged so as to which formal firmware be made to skip security incident testing process, and then reaches inside attack financial terminal The purpose of sensitive data.

Invention content

The defects of the purpose of the present invention is overcoming the prior art, provides a kind of firmware programming method of safe financial terminal And financial terminal.

The present invention is achieved through the following technical solutions：

On the one hand, the present invention provides a kind of firmware programming method of safe financial terminal, specifically includes：

Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context During instruction, step S2 is performed；When receiving the safe boot download more new commands that host computer issues, step S3 is performed；When connecing When receiving the application firmware download more new command that host computer issues, step S4 is performed；Consolidate when receiving the safety that host computer issues When part downloads more new command, step S5 is performed；

Step S2, described financial terminal starts safety detection function, and response, return to step S1 are returned to host computer；

Step S3, described financial terminal downloads formal safe boot, by the safe boot of test in the financial terminal more It is newly the formal safe boot, response, return to step S1 is returned to host computer；

Step S4, described financial terminal downloads formal application firmware, by the test application firmware in the financial terminal more It is newly the formal application firmware, response, return to step S1 is returned to host computer；

Step S5, described financial terminal downloads formal secure firmware, by the test secure firmware in the financial terminal more It is newly the formal secure firmware, response, return to step S1 is returned to host computer；

Further, it is further included in the step S1：When receiving the startup intrusion detection function instruction that host computer issues When, the financial terminal starts intrusion detection function, and response, return to step S1 are returned to host computer；When receiving under host computer During the acquisition intrusion detection status command of hair, intrusion detection state is obtained, the intrusion detection state is returned to host computer, returns Step S1；

It is further included in the step S2：The initial chemoprevention exhaustion parameter space of financial terminal；

In the step S3, the financial terminal further includes after downloading formal safe boot：Verify the formal safety Boot continues to execute the safe boot by the financial terminal if if verification and is updated to the formal safety Boot, if verification, not if, position machine returns to response, return to step S1 directly up；

It is further included in the step S2：The financial terminal generates root key, the application to be prestored with the root key encryption Firmware more new key；In the step S4, the financial terminal further includes after downloading formal application firmware：According to the application Formal application firmware described in firmware update key verification, continues to execute if verification if according to the application firmware more new key The test application firmware by the financial terminal is updated to the formal application firmware, if verification not if directly to Host computer returns to response, return to step S1；

It is further included in the step S2：The financial terminal generates root key, the safety to be prestored with the root key encryption Firmware more new key；In the step S5, the financial terminal further includes after downloading formal secure firmware：According to the safety Formal secure firmware described in firmware update key verification, continues to execute if verification if according to the secure firmware more new key The test secure firmware by the financial terminal is updated to the formal secure firmware, if verification not if directly to Host computer returns to response, return to step S1；

The financial terminal further includes before performing the step S3：The financial terminal checks that security context establishes mark Whether it is set, the step S3 is performed if being set, returns to error message code if being not set to host computer, return to step Rapid S1；It is further included in the step S2：Security context described in the financial terminal set establishes mark；The financial terminal performs It is further included before the step S4 or step S5：The financial terminal checks whether safe boot updates mark is set, if by Set then performs the step S4 or step S5, and error message code, return to step S1 are returned to host computer if being not set；Institute It states and is further included in step S3：Safe boot updates mark described in the financial terminal set.

On the other hand, the present invention provides a kind of financial terminal, specifically includes：Communication module, security context are established module, are deposited Store up module, safe boot downloads update module, application firmware downloads update module and secure firmware downloads update module；

The communication module, for receive that host computer issues establish security context instruction, safe boot downloads update and refers to It enables, application firmware downloads more new command and secure firmware downloads more new command；

The security context establishes module, and security context is established for work as that the communication module receives that host computer issues During instruction, start safety detection function；

The memory module, for storing test application boot, test application firmware, the safe boot of test and test safety Firmware；

The safe boot downloads update module, for working as the safe boot that the communication module receives host computer and issues When downloading more new command, formal safe boot is downloaded, updating the test in the memory module with the formal safe boot pacifies Full boot；

The application firmware downloads update module, for working as the application firmware that the communication module receives host computer and issues When downloading more new command, formal application firmware is downloaded, the test updated with the formal application firmware in the memory module should Use firmware；

The secure firmware downloads update module, for working as the secure firmware that the communication module receives host computer and issues When downloading more new command, formal secure firmware is downloaded, the test updated with the formal secure firmware in the memory module is pacified Full firmware；

The communication module is additionally operable to when the security context establishes module, the safe boot downloads update module, institute When stating application firmware download update module and secure firmware download update module end of run, response is returned to host computer；

Further, intrusion detection module is further included in above-mentioned financial terminal, is received for working as the communication module During the startup intrusion detection function instruction that position machine issues, start intrusion detection function and received for working as the communication module When detecting status command to the acquisition intrusion that host computer issues, intrusion detection state is obtained；Correspondingly, the communication module is also used Intrusion, which is instructed and obtain, in the startup intrusion detection function that reception host computer issues detects status command and when the intrusion is examined When surveying module end of run, return to response to host computer or return to intrusion detection state；

The security context establishes module and is additionally operable to establish safety collar when what the communication module received that host computer issues When border instructs, initial chemoprevention exhaustion parameter space；

Above-mentioned financial terminal further includes safe boot correction verification modules, is downloaded under update module for verifying the safe boot The formal safe boot carried；Correspondingly, the safe boot downloads update module and is specifically used for receiving when the communication module When the safe boot that host computer issues downloads more new command, formal safe boot is downloaded and when the safe boot calibration modes Block check by when, the safe boot of test in the memory module is updated with the formal safe boot；

Above-mentioned financial terminal further includes application firmware correction verification module, for the application firmware in the memory module more New key verifies the application firmware and downloads the formal application firmware that update module is downloaded；Correspondingly, the memory module is also used In storage application firmware more new key；The security context establishes module and is additionally operable to receive under host computer when the communication module When establishing security context instruction of hair, generates root key, the application firmware in the memory module described in the root key encryption is more New key；The application firmware downloads update module and is specifically used for consolidating when the communication module receives the application that host computer issues When part downloads more new command, formal application firmware is downloaded and after application firmware correction verification module verification passes through, with described Formal application firmware updates the test application firmware in the memory module；

Above-mentioned financial terminal further includes secure firmware correction verification module, for the secure firmware in the memory module more New key verifies the secure firmware and downloads the formal secure firmware that update module is downloaded；Correspondingly, the memory module is also used In storage secure firmware more new key；The security context establishes module and is additionally operable to receive under host computer when the communication module When establishing security context instruction of hair, generates root key, the secure firmware in the memory module described in the root key encryption is more New key；The secure firmware downloads update module and is specifically used for consolidating when the communication module receives the safety that host computer issues When part downloads more new command, formal secure firmware is downloaded and after secure firmware correction verification module verification passes through, with described Formal secure firmware updates the test secure firmware in the memory module；

The memory module is additionally operable to storage security context and establishes mark and safe boot update marks, the security context The original state of mark and the safe boot updates mark is established to be not set, correspondingly：

The security context establishes the security context that module is additionally operable in memory module described in set and establishes mark；

The safe boot downloads update module and is specifically used for：When the communication module receives the safety that host computer issues When boot downloads more new command, check that the security context in the memory module establishes whether mark is set and when described When security context is established mark and is set, formal safe boot is downloaded, updates the memory module with the formal safe boot In the safe boot of test, the safe boot update marks in memory module described in set；

The application firmware is downloaded update module and is specifically used for：When the communication module receives the application that host computer issues When firmware downloads more new command, check whether the update marks of the safe boot in the memory module are set and when described When safe boot updates mark is set, formal application firmware is downloaded, updates the memory module with the formal application firmware In test application firmware；

The secure firmware is downloaded update module and is specifically used for：When the communication module receives the safety that host computer issues When firmware downloads more new command, check whether the update marks of the safe boot in the memory module are set and when described When safe boot updates mark is set, formal secure firmware is downloaded, updates the memory module with the formal secure firmware In test secure firmware；

The communication module is additionally operable to：When the safe boot downloads the safety in the update module inspection memory module When environment is established mark and is not set, download update module when the application firmware and check safe boot in the memory module When update mark is not set and when the secure firmware downloads the safe boot in the update module inspection memory module When update mark is not set, error message code is returned to host computer.

The advantageous effect of the method for the present invention is：It can be to avoid existing financial terminal using method provided by the invention The security risk of firmware programming method, so as to improve the safety of financial terminal product.

Description of the drawings

Illustrate the embodiment of the present invention or technical solution of the prior art in order to clearer, to embodiment or will show below There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this Some embodiments of invention, for those of ordinary skill in the art, without creative efforts, can be with Other attached drawings are obtained according to these attached drawings.

Fig. 1 is the firmware programming method flow diagram of a kind of safe financial terminal that the embodiment of the present invention 1 provides；

Fig. 2 is the download that provides of the embodiment of the present invention 1 formally safe boot and with formal safe boot replacement tests peace The flow chart of full boot；

Fig. 3 is the flow chart of the formal application firmware of download that the embodiment of the present invention 1 provides；

Fig. 4 is the flow chart of the formal application firmware replacement test application firmware of use that the embodiment of the present invention 1 provides；

Fig. 5 is the flow chart of the formal secure firmware of download that the embodiment of the present invention 1 provides；

Fig. 6 is the flow chart of the formal secure firmware replacement test secure firmware of use that the embodiment of the present invention 1 provides；

Fig. 7 is the block diagram of financial terminal that the embodiment of the present invention 2 provides.

Specific embodiment

Below in conjunction with the attached drawing in the embodiment of the present invention, the technical solution in the embodiment of the present invention is carried out clear, complete Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, instead of all the embodiments.It is based on Embodiment in the present invention, the every other implementation that those skilled in the art are obtained without making creative work Example, shall fall within the protection scope of the present invention.

Application processor and safe processor are included in financial terminal in the present invention；

There is using boot and application firmware burning in application processor；Burning has safe boot and safety in safe processor Firmware；

When financial terminal after the power is turned on, application processor and safe processor are respectively started, application processor run first should With boot, application firmware first address is jumped to when application boot end of runs, runs application firmware, until under financial terminal Electricity；Safe processor operational safety boot first jumps to secure firmware first address, operation peace when safe boot end of runs Full firmware, until electricity under financial terminal；

Application firmware includes test application firmware and formal application firmware, and safe boot is including the safe boot of test and formally Safe boot, secure firmware include test secure firmware and formal secure firmware；In test application firmware and test secure firmware Comprising hardware test program and security context construction procedures, correspondingly, do not include in formal application firmware and formal secure firmware Hardware test program and security context construction procedures；It tests in safe boot and does not include the program of financial terminal self-test, correspondingly, The program of financial terminal self-test, and the formal safe boot in the present invention and finance in the prior art are included in formal safe boot The safe boot of burning is compared in terminal security processor, reduces the condition judgment of terminal self testing, so as to prevent from attacking Person forges the condition of terminal self testing, hides terminal self testing；

In the present invention, burning application boot and test application firmware first into application processor, into safe processor Safe boot and test secure firmware are tested in burning, after hardware testing and security context to be done are established, are gradually pacified test Full boot is updated to formal safe boot, by test application firmware and test secure firmware be updated to respectively formal application firmware and Formal secure firmware.

Embodiment 1

The present embodiment provides a kind of firmware programming method of safe financial terminal, as shown in Figure 1, specifically including：

Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context Step S2 is performed during instruction, step S3 is performed when receiving the safe boot that host computer issues and download more new command, works as reception The application firmware issued to host computer performs step S4 when downloading more new command, when receiving under the secure firmware that host computer issues Step S5 is performed when carrying more new command；

Specifically, in the present embodiment, instruction that host computer will be sent is packaged into standard CC ID communication instructions and is handed down to gold Melt terminal.

Step S2, financial terminal starts safety detection function, and response, return to step S1 are returned to host computer；

In the present embodiment, safety detection function includes：Invade detection function, temperature detecting function and voltage detecting function Deng.

In the present embodiment, it can also include in step S2：Initial chemoprevention exhaustion parameter space.

In the present embodiment, financial terminal returns to host computer after reply data is packaged into CCID communication protocol layer datas.

Further, in the present embodiment, financial terminal further includes before performing step S2：Judge whether security context is built It is vertical, it is to perform step S2, otherwise prompts mistake, return to step S1；

In the present embodiment, generation root key is further included in step S2, with the preset application firmware of root key encryption more Xinmi City Key and secure firmware more new key；Judging the whether established method of security context can be specially：To in root key memory block Data carry out SHA-256 operations, judge whether preceding 4 bytes of operation result identical with the data in BPK RAM areas, if phase Same then security context has been established, and otherwise security context is not set up, wherein initial in the root key memory block and BPK RAM areas Data are 0；

Correspondingly, in step S2, after financial terminal generates root key, root key is saved in root key memory block, and SHA-256 operations are carried out to root key, preceding 4 bytes of operation result are saved in BPK RAM areas.

Step S3, financial terminal downloads formal safe boot, and the test replaced with formal safe boot in financial terminal is pacified Full boot returns to response, return to step S1 to host computer；

Step S4, financial terminal downloads formal application firmware, and the test replaced with formal application firmware in financial terminal should With firmware, response, return to step S1 are returned to host computer；

Step S5, financial terminal downloads formal secure firmware, and the test replaced with formal secure firmware in financial terminal is pacified Full firmware returns to response, return to step S1 to host computer.

Further, it is further included in step S1, performs step when receiving the startup intrusion detection instruction that host computer issues Rapid S6 performs step S7 when receiving the acquisition intrusion detection status command that host computer issues：

Step S6, financial terminal starts intrusion detection function, and response, return to step S1 are returned to host computer；

Specifically, financial terminal is by setting corresponding registers and sensor to start intrusion detection function.

Step S7, financial terminal inspection intrusion detection state returns to intrusion detection state, return to step S1 to host computer；

Specifically, financial terminal is by checking that corresponding registers and sensor obtain intrusion detection state.

Further, it further includes in step S1, is held when financial terminal receives the hardware testing instruction that host computer issues Row step S8：

Step S8, the hardware capability of financial terminal is tested according to command content, response, return to step are returned to host computer S1。

Further, the controlling mechanism of firmware programming flow can also be included in the above method, is specifically included：

Financial terminal further includes before performing step S3：Financial terminal checks that security context establishes whether mark is set, Step S3 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

It is further included in step S2：Financial terminal set security context establishes mark；

Financial terminal further includes before performing step S4：Financial terminal checks whether safe boot updates mark is set, Step S4 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

Financial terminal further includes before performing step S5：Financial terminal checks whether safe boot updates mark is set, Step S5 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

It is further included in step S3：The safe boot updates mark of financial terminal set；

Financial terminal further includes before performing step S2：Whether financial terminal inspection intrusion detection active flag is set, Step S2 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

Financial terminal further includes before performing step S7：Whether financial terminal inspection intrusion detection active flag is set, Step S7 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

In step S6, financial terminal further includes after starting intrusion detection function：Financial terminal inspection invades detection state, root According to intrusion detection condition adjudgement with the presence or absence of intrusion event, error condition is returned to host computer if there are intrusion event, is returned If there is no set intrusion detection active flag if intrusion event, response, return to step S1 are returned to host computer by step S1；

Financial terminal further includes before performing step S6：Financial terminal checks whether hardware capability detection mark is set, Step S6 is performed if being set, error message code, return to step S1 are returned if being not set to host computer；

In step S8, financial terminal further includes after the hardware capability of financial terminal is tested according to command content：Financial terminal Judge whether to test all hardware capabilities to be measured, set hardware capability detection mark, is returned to host computer if all testing Response is answered, return to step S1；Otherwise position machine returns to response, return to step S1 directly up.

In the present embodiment, comprising application processor and safe processor in financial terminal, refer to using boot and handled in application The boot program run in device, test application firmware refer to run in application processor comprising hardware testing relative program and peace Full ambient engine establishes the firmware program of relative program；Formal application firmware refer to run in application processor do not include hardware testing Relative program and security context establish the firmware program of relative program；Test secure firmware refers to the packet run in safe processor Relative program containing hardware testing and security context establish the firmware program of relative program；Formal secure firmware refers in safe processor The firmware program that relative program is established not comprising hardware testing relative program and security context of middle operation；Safe boot is tested to refer to The boot program of relative program for not including detection security context and whether establishing run in safe processor, formal safety Boot refers to the boot program of relative program whether established comprising detection security context run in safe processor.

In the present embodiment, the hardware capability of financial terminal is tested according to command content, response is returned to host computer, it is specific to wrap It includes：

Application processor judges the type that hardware testing instructs after receiving the hardware testing instruction that host computer issues；

If hardware testing instruction is instructed for speech play, application processor control voice chip plays sound, and tissue should Answer evidence, and return to host computer after encapsulating CCID protocol layer data to reply data；

If hardware testing instruction is obtained to obtain barcode scanning data command, application processor according to barcode scanning data command is obtained Barcode scanning gun scan data organizes reply data, and returns to host computer after reply data is packaged into CCID protocol layer data；

Otherwise, application processor instructs to safe processor according to hardware testing and issues specific test instruction；Safe handling Device is according to the corresponding hardware capability of specific test instruction testing, and to application processor return instruction response；Application processor according to The repeat-back tissue reply data that safe processor returns, it is upper to being returned to after reply data encapsulation CCID protocol layer data Machine.

Specific test instruction includes：LCD idsplay orders obtain key value instructions, buzzer control instruction, IC card management instruction With magnetic stripe card management instruction etc.；

In the present embodiment, the second of data field byte that application processor is instructed by hardware testing judges hardware testing The type of instruction；For example, when second byte of the data field of hardware testing instruction is 15, hardware testing instruction is specially language Sound play instruction；When second byte of the data field of hardware testing instruction is 16, hardware testing instruction is specially to obtain to sweep Code data command；When second byte of the data field of hardware testing instruction is 02, application processor is under safe processor Send out LCD idsplay orders；When second byte of the data field of hardware testing instruction is 01, application processor is to safe processor Issue acquisition key value instructions；When second byte of the data field of hardware testing instruction is 05, application processor is to safe place Reason device issues buzzer control instruction；When hardware testing instruction data field second byte be 03 when, application processor to Safe processor issues IC card management instruction；When second byte of the data field of hardware testing instruction is 0F, using processing Device issues magnetic stripe card management instruction to safe processor.

Further, safe processor is according to the corresponding hardware capability of specific test instruction testing, and is returned to application processor Repeat-back is returned, can be specifically included：

Step 1-1, the specific test instruction that safe processor parsing receives, step is then performed if LCD idsplay orders 1-2 then performs step 1-3 if key value instructions are obtained, step 1-4 is then performed if buzzer control instruction, if IC card pipe Reason instruction then performs step 1-5, and step 1-6 is then performed if magnetic stripe card management instruction；

Step 1-2, safe processor controls LCD to show corresponding word and figure according to LCD idsplay orders, is handled to application Device returns to LCD idsplay order responses；

Step 1-3, safe processor within a specified time obtains input through keyboard key assignments according to key value instructions are obtained, to application Processor, which returns, obtains key value instructions response；

Step 1-4, safe processor control buzzer rings return to buzzer control instruction response to application processor；

Step 1-5, safe processor within a specified time carries out IC card poll, is carried out according to IC card management instruction and IC card Communication returns to IC card management repeat-back to application processor；

Step 1-6, safe processor within a specified time obtains magnetic stripe card brushing card data, and magnetic stripe is returned to application processor Card management repeat-back.

In the present embodiment, financial terminal starts intrusion detection function, returns to response to host computer, specifically includes：

Step 201, application processor receive the startup intrusion detection instruction backward security processor hair that host computer issues Send intrusion detection enabled instruction；

Step 202, safe processor start intrusion detection function；

Specifically, safe processor is by setting corresponding registers and sensor to start intrusion detection function.

Step 203, safe processor return to intrusion detection enabled instruction response to application processor；

Step 204, application processor detect enabled instruction response tissue answer number according to the intrusion that safe processor returns According to；

Step 205, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.

In the present embodiment, financial terminal inspection intrusion detection state returns to response to host computer, specifically includes：

Step 301, application processor receive the acquisition intrusion detection status command backward security processing that host computer issues Device sends intrusion detection state acquisition instruction；

Step 302, safe processor obtain intrusion detection state；

Specifically, safe processor is by checking that corresponding registers and sensor obtain intrusion detection state.

Step 303, safe processor return to intrusion detection state acquisition instruction response to application processor；

The intrusion detection state acquisition instruction response tissue that step 304, application processor are returned according to safe processor should Answer evidence；

Step 305, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.

In the present embodiment, step S2 can be specifically included：

Step 401, application processor receive the security context of establishing that host computer issues and instruct under backward security processor It sends out security context and establishes instruction；

Step 402, safe processor generate root key, respectively that application firmware more new key and safety is solid using root key It is stored after the encryption of part more new key, initial chemoprevention exhaustion parameter space；

In the present embodiment, root key is specially a random number of safe processor generation；Respectively should using root key With being stored after firmware more new key and the encryption of secure firmware more new key, specially：It is solid to application respectively using the random number Part more new key and secure firmware more new key are encrypted, application firmware more new key ciphertext and the safety that storage encryption obtains Firmware more new key ciphertext.

Step 403, safe processor establish security context repeat-back to application processor return；

Step 404, application processor establish security context repeat-back tissue answer number according to what safe processor returned According to；

Step 405, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.

As shown in Fig. 2, in the present embodiment, financial terminal downloads formal safe boot, and finance is replaced with formal safe boot The safe boot of test in terminal returns to response to host computer, specifically includes：

Step 501, application processor, which are received when the safe boot that host computer issues downloads more new command, judges safety Boot downloads the type of more new command, then performs step 502 if sign on is downloaded, step is then performed if download instruction 506, then perform step 510 if END instruction is downloaded；

Step 502, application processor send safe boot to safe processor and download sign on；

In the present embodiment, application processor is downloaded in sign on to the safe boot that safe processor is sent comprising application Safe boot that processor is obtained from the CCID communication instructions that host computer issues verification and.

Step 503, safe processor downloaded from safe boot obtained in sign on safe boot verification and, preserve safety Boot is verified and the external flash to safe processor；

Step 504, safe processor return to safe boot to application processor and download sign on response；

Step 505, application processor are downloaded sign on response tissue according to the safe boot that safe processor returns and are answered Answer evidence returns to host computer, return to step 501 after encapsulating CCID communication protocol layer datas to reply data；

Step 506, application processor send safe boot download instructions to safe processor；

In the present embodiment, application processor includes application processing into the safe boot download instructions that safe processor is sent The safe boot that device is obtained from the CCID communication instructions that host computer issues is updated the data.

Step 507, safe processor obtain safe boot from safe boot download instructions and update the data, and preserve safety Boot updates the data the external flash of safe processor；

Step 508, safe processor return to safe boot download instructions response to application processor；

The safe boot download instructions response tissue answer number that step 509, application processor are returned according to safe processor According to returning to host computer, return to step 501 after reply data encapsulation CCID communication protocol layer datas；

Step 510, application processor send safe boot to safe processor and download END instruction；

Step 511, safe processor verify according to safe boot and safe boot are updated the data and verify, if verification By then performing step 512, step 513 is not performed if if verification；

In the present embodiment, safe boot is updated the data subpackage post package and updates number comprising safe boot into several by host computer According to the standard CC ID communication instructions of packet, it is handed down to application processor successively, correspondingly, application processor receives every and includes peace During the standard CC ID communication instructions of full boot updated data packages, send one to safe processor and updated comprising corresponding safe boot The safe boot download instructions of data packet, the safe boot that safe processor is obtained in safe boot download instructions are updated the data The safe boot updated data packages got sequence is stored in the external flash of safe processor by packet, updates safe boot updates Data check and for the safe boot that the has received verification updated the data and, return to safe boot downloads to application processor and refer to Enable response；

When the safe boot that safe processor receives application processor transmission downloads END instruction, safe boot is judged Verification and the safe boot verifications with being stored in flash outside safe processor and whether identical are updated the data, is then safely Boot updates the data verification and passes through, and otherwise safe boot updates the data verification and do not pass through.

For example, safe boot is updated the data as 64k bytes, host computer updates the data safe boot subpackage and obtains 64 1k The safe boot updated data packages of byte are packaged into 64 standard CC ID communication instructions with this and are handed down to application processor successively.

The safe boot stored in the external flash of safe processor is updated the data storage by step 512, safe processor To the boot storage address of the inside flash of safe processor, the safety stored in the external flash of safe processor is wiped Boot verify and and safe boot update the data, perform step 514；

In the present embodiment, safe processor sequentially reads the safety of preset length from the external flash of safe processor Boot is updated the data, the boot storage address of the inside flash of sequential storage to safe processor.

For example, preset length is 2k bytes.

Step 513, safe processor erasing safe processor external flash in the safe boot that stores verify and and Safe boot is updated the data, and performs step 514；

Step 514, safe processor return to safe boot to application processor and download END instruction response；

Step 515, application processor are downloaded END instruction response tissue according to the safe boot that safe processor returns and are answered Answer evidence returns to host computer after encapsulating CCID protocol layer data to reply data.

Referring to Fig. 3, in the present embodiment, financial terminal downloads formal application firmware, specifically includes：

Step 601, application processor, which are received after the application firmware that host computer issues downloads more new command, judges that application is solid Part downloads the type of more new command, then performs step 602 if sign on is downloaded, step 606 is then performed if download instruction, Step 610 is then performed if END instruction is downloaded；

Step 602, application processor download sign on to safe processor sending application firmware；

In the present embodiment, application processor is downloaded in sign on to the application firmware that safe processor is sent comprising application The application firmware that processor is obtained from the CCID communication instructions that host computer issues downloads update header file.It, should in the present embodiment The information and signed data for downloading update file in update header file comprising application firmware are downloaded with firmware, wherein, application firmware Download update file information include application firmware download update file title and/or version number and/or encryption mode and/or Checking mode and/or update address space and/or address style and/or file storage purpose address and/or file size etc..

Step 603, safe processor, which are downloaded to obtain application firmware in sign on and download from application firmware, updates header file, And application firmware is downloaded into the storage of update header file to the external flash of safe processor；

Step 604, safe processor return to application firmware to application processor and download sign on response；

Step 605, application processor are downloaded sign on response tissue according to the application firmware that safe processor returns and are answered Answer evidence returns to host computer, return to step 601 after encapsulating CCID communication protocol layer datas to reply data；

Step 606, application processor issue application firmware download instruction to safe processor；

In the present embodiment, application processor includes application processing into the application firmware download instruction that safe processor issues The application firmware that device is obtained from the CCID communication instructions that host computer issues downloads update file.

Step 607, safe processor obtain application firmware from application firmware download instruction and download update file, and should The storage of update file is downloaded to the external flash of safe processor with firmware；

In the present embodiment, application firmware downloads what is made a summary in update file comprising formal application firmware and formal application firmware Signature value or the ciphertext being encrypted comprising the signature value that alignment type application firmware and formal application firmware are made a summary.

Step 608, safe processor return to application firmware download instruction response to application processor；

In the present embodiment, application firmware is downloaded update file subpackage post package into several comprising under application firmware by host computer The standard CC ID communication instructions of update file data packet are carried, are handed down to application processor successively, correspondingly, application processor receives When downloading the standard CC ID communication instructions for updating file data packet comprising application firmware to every, one is issued to safe processor The application firmware file download instructions of update file data packet are downloaded comprising respective application firmware, it is solid that safe processor obtains application Application firmware in part file download instructions downloads update file data packet, and the application firmware got is downloaded update number of files According to the external flash of packet sequence deposit safe processor, application firmware file download instructions response is returned to application processor.

The application firmware download instruction response tissue answer number that step 609, application processor are returned according to safe processor According to returning to host computer, return to step 601 after reply data encapsulation CCID communication protocol layer datas；

Step 610, application processor issue application firmware to safe processor and download END instruction；

Step 611, safe processor are downloaded application firmware update file and are verified, and step is performed if if verifying 612, step 613 is not performed if if verification；

In the present embodiment, download in update file when application firmware and make a summary comprising formal application firmware and formal application firmware Signature value when, safe processor to application firmware download update file carry out verification specifically include：Safe processor according to should It is corresponding that the checking mode information selection updated in the information of application firmware download update file that header file includes is downloaded with firmware Hash algorithm (or safe processor directly selects default hash algorithm), according to the hash algorithm of selection to safe processor The application firmware stored in external flash downloads update file and carries out Hash operation, is updated using root key decryption application firmware Key ciphertext, the firmware that is applied update key plain update key plain according to application firmware and download update to application firmware The signed data that header file includes carries out sign test, and the firmware that is applied downloads update document, judges the application that sign test obtains Firmware is downloaded update document and is carried out with downloading update file to the application firmware stored in the external flash of safe processor Whether the abstract that Hash operation obtains is consistent, is, verification passes through, and otherwise verifies and does not pass through；

In the present embodiment, download in update file when application firmware and plucked comprising alignment type application firmware and formal application firmware During the ciphertext that the signature value wanted is encrypted, safe processor carries out verification to application firmware download update file and specifically includes： Safe processor downloads the verification updated in the information of application firmware download update file that header file includes according to application firmware Pattern information selects corresponding hash algorithm (or safe processor directly selects default hash algorithm), is calculated according to the Hash of selection Method downloads update file to the application firmware stored in the external flash of safe processor and carries out Hash operation, uses root key Application firmware more new key ciphertext is decrypted, the firmware that is applied update key plain updates key plain pair according to application firmware Application firmware downloads the signed data that update header file includes and carries out sign test, and the firmware that is applied downloads update document and should Key is downloaded with firmware, judges that the application firmware that sign test obtains downloads update document and the outside to safe processor Whether the abstract that the application firmware download update file progress Hash operation stored in flash obtains is consistent, is that verification passes through, Otherwise it verifies and does not pass through.

Application firmware update mark is written into the external flash of safe processor for step 612, safe processor, performs Step 614；

It can also be shown in the present embodiment, in step 612 including safe processor control LCD and turn back on prompting.

Step 613, safe processor wipe the application firmware stored in the external flash of safe processor and download update head File and application firmware download update file, perform step 614；

It can also include safe processor control LCD in the present embodiment, in step 613 and show corresponding miscue.

Step 614, safe processor return to application firmware to application processor and download END instruction response；

Step 615, application processor are downloaded END instruction response tissue according to the application firmware that safe processor returns and are answered Answer evidence returns to host computer after encapsulating CCID communication protocol layer datas to reply data.

Referring to Fig. 4, in the present embodiment, financial terminal is replaced the test application in financial terminal with formal application firmware and is consolidated Part specifically includes：

Step 701, application processor wipe the test application firmware in the inside flash of application processor；

Specifically, the data in the firmware storage address of the inside flash of application processor erasing application processor.

Step 702, application processor, which send to obtain application firmware and download to safe processor, updates header file instruction；

Step 703, safe processor read the application firmware stored in the external flash of safe processor and download update head File；

Step 704, safe processor return to application firmware to application processor and download update header file；

Step 705, application processor download file size in update header file to safe processor according to application firmware Send the signature value instruction for obtaining formal application firmware and its abstract；

The application firmware that step 706, safe processor store in the external flash according to safe processor downloads update text Part obtains formal application firmware and its signature value of abstract；

In the present embodiment, download in update file when application firmware and make a summary comprising formal application firmware and formal application firmware Signature value when, step 706 specifically includes：Safe processor reads the application stored in the external flash of safe processor and consolidates Part downloads update file and obtains formal application firmware and its signature value of abstract.

In the present embodiment, download in update file when application firmware and plucked comprising alignment type application firmware and formal application firmware During the ciphertext that the signature value wanted is encrypted, step 706 specifically includes：Safe processor decrypts application firmware more using root key New key ciphertext, the firmware that is applied update key plain update key plain using application firmware and application firmware are downloaded more The signed data that new header file includes carries out sign test, and application firmware is obtained from sign test result and downloads key, according to application firmware It downloads the encryption mode information that the application firmware that update header file includes is downloaded in the information of update file and selects corresponding encryption and decryption Algorithm (or directly selecting default enciphering and deciphering algorithm) is downloaded key pair using application firmware according to the enciphering and deciphering algorithm of selection and is pacified The application firmware stored in the external flash of full processor downloads update file decryption, obtains formal application firmware and its abstract Signature value.

Step 707, safe processor return to formal application firmware and its signature value of abstract to application processor；

The signature value write-in of step 708, the formal application firmware that application processor returns to safe processor and its abstract The inside flash of application processor；

Specifically, the formal application firmware and its signature value write-in of abstract that application processor returns to safe processor should With the firmware storage address of the inside flash of processor.

In the present embodiment, step 705~step 708 specifically includes：If application processor is sent successively to safe processor Dry acquisition updates the data instruction, until the application firmware that application processor is got before downloads what update header file included It has got using the file size judgement in the information for downloading update file and has all updated the data；Correspondingly, safe processor It receives every to obtain when updating the data instruction, sequence obtains updating the data for preset length and returns to application processor, applies Updating the data for current preset length is sequentially written in the firmware storage address of flash inside application processor by processor.

Step 709, application processor are updated to safe processor sending application firmware completes instruction；

Step 710, safe processor wipe the application firmware stored in the external flash of safe processor and download update head File, application firmware download update file and application firmware update mark；

Step 711, safe processor return to application firmware update to application processor and complete repeat-back.

In the present embodiment, after step 711, the application firmware that application processor receives safe processor return has updated Into being further included during repeat-back：Application processor carries out the formal application firmware stored in the inside flash of application processor The signature value that the formal application firmware stored in the inside flash of application processor is made a summary is sent to safe place by Hash operation It manages device and carries out sign test；The signature value that safe processor makes a summary to the formal application firmware that application processor is sent carries out sign test, will Sign test result returns to application processor；Application processor judges Hash operation result and the sign test result that safe processor returns It is whether consistent, it is to run formal application firmware, otherwise prompts mistake.

Referring to Fig. 5, in the present embodiment, financial terminal downloads formal secure firmware, specifically includes：

Step 801, application processor, which are received after the secure firmware that host computer issues downloads more new command, judges that safety is solid Part downloads the type of more new command, then performs step 802 if sign on is downloaded, step 806 is then performed if download instruction, Step 810 is then performed if END instruction is downloaded；

Step 802, application processor send secure firmware to safe processor and download sign on；

In the present embodiment, application processor is downloaded in sign on to the secure firmware that safe processor is sent comprising application The secure firmware that processor is obtained from the CCID communication instructions that host computer issues downloads update header file.In the present embodiment, peace Full firmware downloads the information and signed data for downloading update file in update header file comprising secure firmware, wherein, secure firmware Download update file information include secure firmware download update file title and/or version number and/or encryption mode and/or Checking mode and/or update address space and/or address style and/or the letters such as file storage purpose address and/or file size Breath.

Step 803, safe processor, which are downloaded to obtain secure firmware in sign on and download from secure firmware, updates header file, And secure firmware is downloaded into the storage of update header file to the external flash of safe processor；

Step 804, safe processor return to secure firmware to application processor and download sign on response；

Step 805, application processor are downloaded sign on response tissue according to the secure firmware that safe processor returns and are answered Answer evidence returns to host computer, return to step 801 after encapsulating CCID communication protocol layer datas to reply data；

Step 806, application processor issue secure firmware download instruction to safe processor；

In the present embodiment, application processor includes application processing into the secure firmware download instruction that safe processor issues The secure firmware that device is obtained from the CCID communication instructions that host computer issues downloads update file.

Step 807, safe processor obtain secure firmware from secure firmware download instruction and download update file, and will peace Full firmware downloads the storage of update file to the external flash of safe processor；

In the present embodiment, secure firmware downloads what is made a summary in update file comprising formal secure firmware and formal secure firmware Signature value or the ciphertext being encrypted comprising the signature value that alignment type secure firmware and formal secure firmware are made a summary.

Step 808, safe processor return to secure firmware download instruction response to application processor；

In the present embodiment, secure firmware is downloaded update file subpackage post package into several comprising under secure firmware by host computer The standard CC ID communication instructions of update file data packet are carried, are handed down to application processor successively, correspondingly, application processor receives When downloading the standard CC ID communication instructions for updating file data packet comprising secure firmware to every, one is issued to safe processor The secure firmware file download instructions of update file data packet are downloaded comprising corresponding secure firmware, it is solid that safe processor obtains safety Secure firmware in part file download instructions downloads update file data packet, and the secure firmware got is downloaded update number of files According to the external flash of packet sequence deposit safe processor, secure firmware file download instructions response is returned to application processor.

The secure firmware download instruction response tissue answer number that step 809, application processor are returned according to safe processor According to returning to host computer, return to step 801 after reply data encapsulation CCID communication protocol layer datas；

Step 810, application processor issue secure firmware to safe processor and download END instruction；

Step 811, safe processor are downloaded secure firmware update file and are verified, and step is performed if if verifying 812, step 813 is not performed if if verification；

In the present embodiment, download in update file when secure firmware and make a summary comprising formal secure firmware and formal secure firmware Signature value when, safe processor to secure firmware download update file carry out verification specifically include：Safe processor is according to peace It is corresponding that full firmware downloads the checking mode information selection that the secure firmware that update header file includes is downloaded in the information of update file Hash algorithm (or safe processor directly selects default hash algorithm), according to the hash algorithm of selection to safe processor The secure firmware stored in external flash downloads update file and carries out Hash operation, is updated using root key decryption secure firmware Key ciphertext, obtains secure firmware update key plain, and update key plain according to secure firmware downloads update to secure firmware The signed data that header file includes carries out sign test, obtains secure firmware and downloads update document, judges the safety that sign test obtains Firmware is downloaded update document and is carried out with downloading update file to the secure firmware stored in the external flash of safe processor Whether the abstract that Hash operation obtains is consistent, is, verification passes through, and otherwise verifies and does not pass through；

In the present embodiment, download in update file when secure firmware and plucked comprising alignment type secure firmware and formal secure firmware During the ciphertext that the signature value wanted is encrypted, safe processor carries out verification to secure firmware download update file and specifically includes： Safe processor downloads the verification updated in the information of secure firmware download update file that header file includes according to secure firmware Pattern information selects corresponding hash algorithm (or safe processor directly selects default hash algorithm), is calculated according to the Hash of selection Method downloads update file to the secure firmware stored in the external flash of safe processor and carries out Hash operation, uses root key Secure firmware more new key ciphertext is decrypted, secure firmware update key plain is obtained, key plain pair is updated according to secure firmware Secure firmware downloads the signed data that update header file includes and carries out sign test, obtains secure firmware and downloads update document and peace Full firmware downloads key, judges that the secure firmware that sign test obtains downloads update document and the outside to safe processor Whether the abstract that the secure firmware download update file progress Hash operation stored in flash obtains is consistent, is that verification passes through, Otherwise it verifies and does not pass through.

Secure firmware update mark is written into the external flash of safe processor for step 812, safe processor, performs Step 814；

It can also be shown in the present embodiment, in step 812 including safe processor control LCD and turn back on prompting.

Step 813, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head File and secure firmware download update file, perform step 814；

It can also include safe processor control LCD in the present embodiment, in step 813 and show corresponding miscue.

Step 814, safe processor return to secure firmware to application processor and download END instruction response；

Step 815, application processor are downloaded END instruction response tissue according to the secure firmware that safe processor returns and are answered Answer evidence returns to host computer after encapsulating CCID communication protocol layer datas to reply data.

Referring to Fig. 6, in the present embodiment, the test that financial terminal is replaced with formal secure firmware in financial terminal is solid safely Part specifically includes：

Step 901, safe processor verify the secure firmware stored in the external flash of safe processor and download update text Part performs step 903 if verifying if, if verification is not by performing step 902；

Step 902, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head File, secure firmware download update file and secure firmware update mark, prompt mistake, terminate；

In the present embodiment, safe processor prompting mistake can be specially that safe processor control LCD shows miscue.

The secure firmware that step 903, safe processor store in the external flash according to safe processor downloads update text Part obtains the signature value of formal secure firmware and its abstract；

In the present embodiment, download in update file when secure firmware and make a summary comprising formal application firmware and formal secure firmware Signature value when, step 903 specifically includes：Safe processor reads the safety stored in the external flash of safe processor and consolidates Part downloads update file and obtains the signature value of formal secure firmware and its abstract.

In the present embodiment, download in update file when secure firmware and plucked comprising alignment type secure firmware and formal secure firmware During the ciphertext that the signature value wanted is encrypted, step 903 specifically includes：Safe processor decrypts secure firmware more using root key New key ciphertext, obtains secure firmware update key plain, and firmware update safe to use in plain text downloads secure firmware on update head The signed data that file includes carries out sign test, and secure firmware is obtained from sign test result and downloads key, is downloaded according to secure firmware The encryption mode information that the secure firmware that update header file includes is downloaded in the information of update file selects corresponding enciphering and deciphering algorithm (or directly selecting default enciphering and deciphering algorithm) downloads key pair safe place according to the enciphering and deciphering algorithm of selection firmware safe to use It manages the secure firmware stored in the external flash of device and downloads update file decryption, obtain the label of formal secure firmware and its abstract Name value.

The inside of safe processor is written in the signature value of formal secure firmware and its abstract by step 904, safe processor flash；

Specifically, the inside of safe processor is written in the signature value of formal secure firmware and its abstract by safe processor The firmware storage address of flash.

In the present embodiment, step 903~step 904 specifically includes：Safe processor is every time according to the outer of safe processor The secure firmware stored in portion flash downloads updating the data, and will currently get more for update file acquisition preset length The firmware storage address of the inside flash of new data sequence deposit safe processor, until getting all formal secure firmwares And its signature value of abstract.

Step 905, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head File, secure firmware download update file and secure firmware downloads update mark.

Embodiment 2

The present embodiment provides a kind of financial terminal, as shown in fig. 7, specifically including：Communication module 11, security context establish mould Block 12, memory module 13, safe boot download update module 14, application firmware downloads update module 15 and secure firmware is downloaded more New module 16, the concrete function of above-mentioned module are as follows：

Communication module 11, for receive that host computer issues establish security context instruction, safe boot downloads more new command, Application firmware downloads more new command and secure firmware downloads more new command；It is additionally operable to establish module 12, safety when security context When boot downloads update module 14, application firmware downloads update module 15, secure firmware downloads 16 end of run of update module, to Host computer returns to response；

Security context establishes module 12, and security context instruction is established for work as that communication module 11 receives that host computer issues When, start safety detection function；

Memory module 13, it is solid for storing test application boot, test application firmware, the safe boot of test and test safety Part；

Safe boot downloads update module 14, for working as the safe boot downloads that communication module 11 receives host computer and issues During more new command, formal safe boot is downloaded, the safe boot of test in module 13 is updated storage with formal safe boot；

Application firmware downloads update module 15, for working as the application firmware download that communication module 11 receives host computer and issues During more new command, formal application firmware is downloaded, the test application firmware in module 13 is updated storage with formal application firmware；

Secure firmware downloads update module 16, for working as the secure firmware download that communication module 11 receives host computer and issues During more new command, formal secure firmware is downloaded, the test secure firmware in module 13 is updated storage with formal secure firmware.

In the present embodiment, intrusion detection module 17 can also be included in financial terminal, is received for working as communication module 11 During the startup intrusion detection function instruction that host computer issues, start intrusion detection function and when communication module 11 receives During the acquisition intrusion detection status command that position machine issues, intrusion detection state is obtained；

Correspondingly, communication module 11 is additionally operable to receive startup intrusion detection function instruction and the acquisition intrusion that host computer issues It detects status command and when invading 17 end of run of detection module, response or intrusion detection state is returned to host computer；

Further, security context is established module 12 and is specifically used for when communication module 11 receives the foundation that host computer issues When security context instructs, start-up temperature detection function and voltage detecting function.

In the present embodiment, security context establishes module 12 and is additionally operable to receive what host computer issued when the communication module 11 When establishing security context instruction, initial chemoprevention exhaustion space.

In the present embodiment, financial terminal further includes safe boot correction verification modules 18, and update is downloaded for verifying safe boot The formal safe boot that module 14 is downloaded；

Correspondingly, safe boot downloads update module 14 and is specifically used for receiving the peace that host computer issues when communication module 11 When full boot downloads more new command, formal safe boot is downloaded；And when the verification of safe boot correction verification modules 18 passes through, with just The safe boot of formula updates the safe boot of test in the memory module 13；

Further, safe boot downloads update module 14 and specifically includes the first judging unit, first acquisition unit, first Storage unit and the first updating unit, the concrete function of above-mentioned each unit are as follows：

First judging unit, for working as the safe boot downloads more new command that communication module 11 receives host computer and issues When, judge that safe boot downloads the type of more new command；

First acquisition unit, for judging that safe boot downloads more new command to download sign on when the first judging unit When, from download obtained in sign on safe boot verification and；And when the first judging unit judges that safe boot downloads update When instructing as download instruction, safe boot is obtained from download instruction and is updated the data；

First storage unit, for store safe boot verifications that first acquisition unit gets and and safe boot more New data；

First updating unit, for when safe boot correction verification modules 18 verification pass through when, with the peace in the first storage unit Full boot updates the data the safe boot of test updated storage in module 13；

Safe boot correction verification modules 18 are specifically used under the first judging unit judges that safe boot downloads more new command is When carrying END instruction, the safe boot in the first storage unit of safe boot verifications and verification in the first storage unit is more New data；

Further, safe boot downloads update module 14 and further includes clearing cell, for being transported when the first updating unit At the end of row and when safe boot correction verification modules 18 verify obstructed out-of-date, the safe boot updates in the first storage unit of removing Data and safe boot verification and.

In the present embodiment, financial terminal further includes application firmware correction verification module 19, for answering in memory module 13 The formal application firmware of the download of update module 15 is downloaded with firmware update key verification application firmware；Correspondingly：

Memory module 13 is additionally operable to storage application firmware more new key；

Security context establishes module 12 and is additionally operable to refer to when communication module 11 receives the security context of establishing that host computer issues When enabling, root key is generated, with the more new key of the application firmware in root key encryption memory module 13；

Application firmware downloads update module 15 and is specifically used for receiving the application firmware that host computer issues when communication module 11 When downloading more new command, formal application firmware is downloaded and after the verification of application firmware correction verification module 19 passes through, with formal application Firmware updates storage the test application firmware in module 13.

Further, application firmware downloads update module 15 and specifically includes the first download submodule and the first update submodule Block, wherein：

First download submodule specifically includes second judgment unit, second acquisition unit and the second storage unit, each list First concrete function is as follows：

Second judgment unit, for working as the application firmware download more new command that communication module 11 receives host computer and issues When, judge that application firmware downloads the type of more new command；

Second acquisition unit judges that application firmware downloads more new command to download sign on for working as second judgment unit When, it obtains the application firmware downloaded in sign on and downloads update header file；And when second judgment unit judges application firmware When downloading more new command as download instruction, obtain the application firmware in download instruction and download update file；

Second storage unit downloads update header file and application for storing the application firmware that second acquisition unit is got Firmware downloads update file；

First update submodule is used to after the verification of application firmware correction verification module 19 passes through, update storage the survey in module 13 Application firmware is tried, it is as follows to specifically include erasing unit, the first extraction unit and writing unit, each unit concrete function：

Wipe unit, for work as application firmware correction verification module 19 verification pass through after, wipe memory module 13 in test should Use firmware；

First extraction unit obtains formal application for being downloaded from the application firmware in the second storage unit in update file Firmware；

Memory module 13 is written in writing unit, the formal application firmware for the first extraction unit to be got；

In the present embodiment, the first extraction unit is additionally operable to download in update file from the application firmware in the second storage unit Obtain the signature value of the abstract of formal application firmware；Writing unit be additionally operable to by the first extraction unit get it is described formally should The memory module 13 is written with the signature value of the abstract of firmware；

First extraction unit is specifically used for：Using root key to encrypted application firmware more new key in memory module 13 Decryption updates the application firmware in the second storage unit of key pair according to the application firmware that decryption obtains and downloads in update header file Comprising signed data sign test, the application firmware obtained according to sign test downloads the application firmware in the second storage unit of secret key decryption Update file is downloaded, formal application firmware and the signature value of formal application firmware abstract are obtained from decrypted result.

Further, application firmware correction verification module 19 is specifically used for judging that application firmware downloads update when second judgment unit When instructing to download END instruction, answering in application firmware update the second storage unit of key verification in memory module 13 With firmware download update file and when verification not by when remove application firmware in second storage unit and download update Header file and application firmware download update file；

Further, application firmware correction verification module 19 specifically includes the first hash units, the first sign test unit and first Verification unit, the concrete function of each unit are as follows：

First hash units judge that application firmware downloads more new command to download END instruction for working as second judgment unit When, update file is downloaded to the application firmware in the second storage unit and carries out Hash operation；

First sign test unit, for using root key to the more new key solution of encrypted application firmware in memory module 13 Close, the application firmware in application firmware update the second storage unit of key pair obtained using decryption is downloaded in update header file Signed data sign test；

First verification unit, for judging Kazakhstan that the sign test result that the first sign test unit obtains is obtained with the first hash units Whether uncommon result is identical, verifies and passes through if identical, does not pass through if differing and verifying, and removes the application in the second storage unit Firmware downloads update header file and application firmware downloads update file.

In the present embodiment, financial terminal further includes secure firmware correction verification module 20, for the peace in memory module 13 Full firmware update key verification secure firmware downloads the formal secure firmware that update module 16 is downloaded；Correspondingly：

Memory module 13 is additionally operable to storage secure firmware more new key；

Security context establishes module 12 and is additionally operable to refer to when communication module 11 receives the security context of establishing that host computer issues When enabling, root key is generated, with the more new key of the secure firmware in root key encryption memory module 13；

Secure firmware downloads update module 16 and is specifically used for receiving the secure firmware that host computer issues when communication module 11 When downloading more new command, formal secure firmware is downloaded and after the verification of secure firmware correction verification module 20 passes through, with formal safety Firmware updates storage the test secure firmware in module 13.

Further, secure firmware downloads update module 16 and specifically includes the second download submodule and the second update submodule Block, wherein：

Second download submodule specifically includes third judging unit, third acquiring unit and third storage unit, each list First concrete function is as follows：

Third judging unit, for working as the secure firmware download more new command that communication module 11 receives host computer and issues When, judge that secure firmware downloads the type of more new command；

Third acquiring unit judges that secure firmware downloads more new command to download sign on for working as third judging unit When, it obtains the secure firmware downloaded in sign on and downloads update header file；And when third judging unit judges secure firmware When downloading more new command as download instruction, obtain the secure firmware in download instruction and download update file；

Third storage unit downloads update header file and safety for storing the secure firmware that third acquiring unit is got Firmware downloads update file；

Second update submodule is used to after the verification of secure firmware correction verification module 20 passes through, update storage the survey in module 13 Secure firmware is tried, specifically includes the second extraction unit and the second updating unit, each unit concrete function is as follows：

Second extraction unit, for work as secure firmware correction verification module 20 verification pass through after, from the safety of third storage unit Firmware is downloaded in update file and obtains formal secure firmware；

Second updating unit, the formal secure firmware for being obtained with the second extraction unit update storage the survey in module 13 Try secure firmware；

In the present embodiment, the second extraction unit is additionally operable to download in update file from the secure firmware in third storage unit Obtain the signature value of the abstract of formal secure firmware；Second updating unit is additionally operable to the formal peace for getting the second extraction unit The signature value write-in memory module 13 of the abstract of full firmware；

Second extraction unit is specifically used for：Using root key to encrypted secure firmware more new key in memory module 13 Decryption updates the secure firmware in key pair third storage unit according to the secure firmware that decryption obtains and downloads in update header file Comprising signed data sign test, the secure firmware obtained according to sign test downloads the secure firmware in secret key decryption third storage unit Update file is downloaded, the signature value of formal secure firmware and formal secure firmware abstract is obtained from decrypted result.

Further, secure firmware correction verification module 20 judges that secure firmware is downloaded more specifically for working as third judging unit When new command is downloads END instruction, in the secure firmware update key verification third storage unit in memory module 13 Secure firmware downloads update file；

Further, secure firmware correction verification module 20 specifically includes the second hash units, the second sign test unit and second Verification unit, the concrete function of each unit are as follows：

Second hash units judge that secure firmware downloads more new command to download END instruction for working as third judging unit When, update file is downloaded to the secure firmware in third storage unit and carries out Hash operation；

Second sign test unit, for using root key to the more new key solution of encrypted secure firmware in memory module 13 Close, the secure firmware in the secure firmware update key pair third storage unit obtained using decryption is downloaded in update header file Signed data sign test；

Second verification unit, for judging Kazakhstan that the sign test result that the second sign test unit obtains is obtained with the second hash units Whether uncommon result is identical, verifies and passes through if identical, does not pass through if differing and verifying.

Embodiment described above is the present invention more preferably specific embodiment, and those skilled in the art is in this hair The usual variations and alternatives carried out in the range of bright technical solution should all include within the scope of the present invention.

Claims

1. a kind of firmware programming method of safe financial terminal, which is characterized in that including：

Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context instruction When, perform step S2；When receiving the safe boot download more new commands that host computer issues, step S3 is performed；When receiving When the application firmware that host computer issues downloads more new command, step S4 is performed；When receiving under the secure firmware that host computer issues When carrying more new command, step S5 is performed；

Step S3, described financial terminal downloads formal safe boot, and the safe boot of test in the financial terminal is updated to The formal safe boot, response, return to step S1 are returned to host computer；

Step S4, described financial terminal downloads formal application firmware, and the test application firmware in the financial terminal is updated to The formal application firmware returns to response, return to step S1 to host computer；

Step S5, described financial terminal downloads formal secure firmware, and the test secure firmware in the financial terminal is updated to The formal secure firmware returns to response, return to step S1 to host computer；

Hardware test program and security context construction procedures, institute are included in the test application firmware and the test secure firmware It states and does not include hardware test program and security context construction procedures, the survey in formal application firmware and the formal secure firmware The program for not including financial terminal self-test in safe boot is tried, the journey of financial terminal self-test is included in the formal safe boot Sequence, and do not include the condition judgment of terminal self testing in the formal safe boot.

2. the method as described in claim 1, which is characterized in that further included in the step S1：It is issued when receiving host computer Startup intrusion detection function instruction when, the financial terminal starts intrusion detection function, returns to response to host computer, returns to step Rapid S1；When receiving the acquisition intrusion detection status command that host computer issues, intrusion detection state is obtained, is returned to host computer The intrusion detection state, return to step S1.

3. method as claimed in claim 2, which is characterized in that the safety detection function includes temperature detecting function and voltage Detection function.

4. the method as described in claim 1, which is characterized in that further included in the step S2：The financial terminal initialization Anti- exhaustion parameter space.

5. the method as described in claim 1, which is characterized in that in the step S3, the financial terminal downloads formal safety It is further included after boot：Verify the formal safe boot, if verify pass through if continue to execute it is described will be in the financial terminal Safe boot be updated to the formal safe boot, if verification, not if, position machine returns to response, return to step directly up S1。

6. method as claimed in claim 5, which is characterized in that the step S3 is specifically included：

Step 1-1, when the application processor in described financial terminal receives the safe boot downloads more new command, judge institute The type that safe boot downloads more new command is stated, step 1-2 is then performed if sign on is downloaded, is then performed if download instruction Step 1-3 then performs step 1-4 if END instruction is downloaded；

Step 1-2, described application processor obtained from the download sign on safe boot verification and, by the safety The safe processor that boot is verified and is sent in the financial terminal, the external flash of storage to safe processor, and upwards Position machine returns to response；

Step 1-3, described application processor obtains safe boot from the download instruction and updates the data, by the safe boot It updates the data and is sent to the safe processor, the external flash of storage to the safe processor, and return and answer to host computer It answers；

Step 1-4, described application processor sends safe boot to the safe processor and downloads END instruction, performs step 1- 5；

Step 1-5, described safe processor verifies according to the safe boot and verifies the safe boot and updates the data, if school It tests by then updating the data the safe boot of test updated inside the safe processor in flash with the safe boot, to The application processor returns to safe boot and downloads END instruction response, performs step 1-6；It is answered if verification not if to described Safe boot is returned with processor and downloads END instruction response, performs step 1-6；

Step 1-6, described application processor downloads END instruction response according to the safe boot and returns to response to host computer.

7. method as claimed in claim 6, which is characterized in that in the step 1-5, also wrapped before the execution step 1-6 It includes：The safe boot that the safe processor removes outside the safe processor in flash is updated the data and safe boot schools Test and.

8. the method as described in claim 1, which is characterized in that further included in the step S2：The financial terminal generates root Key, the application firmware more new key to be prestored with the root key encryption；

In the step S4, the financial terminal further includes after downloading formal application firmware：It is updated according to the application firmware Formal application firmware described in key verification continues to execute described by institute if verification if according to the application firmware more new key It states the test application firmware in financial terminal and is updated to the formal application firmware, position machine returns directly up not if if verification Response is answered, return to step S1.

9. method as claimed in claim 8, which is characterized in that the financial terminal downloads formal application firmware, according to described Formal application firmware described in application firmware update key verification, specifically includes：

Step 2-1, when the application processor in described financial terminal receives the application firmware download more new command, judge institute The type that application firmware downloads more new command is stated, step 2-2 is then performed if download sign on, is then performed if download instruction Step 2-3, step 2-4 is then performed if download END instruction；

Step 2-2, described application processor obtains application firmware from the download sign on and downloads update header file, by institute Application firmware is stated to download outside the safe processor storage to safe processor that update header file is sent in the financial terminal Portion flash, and return to response to host computer；

Step 2-3, described application processor obtains application firmware from the download instruction and downloads update file, by the application Firmware downloads update file and is sent to the safe processor, the external flash of storage to safe processor, and is returned to host computer Response is answered；

Step 2-4, described application processor issues application firmware to the safe processor and downloads END instruction, performs step 2- 5；

Step 2-5, described safe processor application firmware according to the application firmware updates key verification downloads update text Part returns to application firmware download END instruction response to the application processor if if verifying, performs step 2-6；If school It tests and does not download update header file and application firmware download by then removing the application firmware outside the safe processor in flash File is updated, returning to application firmware to the application processor downloads END instruction response, performs step 2-6；

Step 2-6, described application processor downloads END instruction response according to the application firmware and returns to response to host computer.

10. method as claimed in claim 9, which is characterized in that the safe processor is according to the application firmware more Xinmi City Key verifies the application firmware and downloads update file, specifically includes：The safe processor, which downloads the application firmware, to be updated File carries out Hash operation, updates secret key decryption to encrypted application firmware using the root key, is obtained using decryption Application firmware described in application firmware update key pair downloads the signed data sign test in update header file, and judge that sign test obtains should It is whether identical with the abstract that firmware downloads update document with Hash operation obtains, it verifies and passes through if identical, if differing It then verifies and does not pass through.

11. method as claimed in claim 9, which is characterized in that the financial terminal should by the test in the financial terminal The formal application firmware is updated to firmware, is specifically included：

Step 3-1, the test application firmware inside described application processor erasing application processor in flash, to the safety Processor, which is sent, obtains formal application firmware instruction；

Step 3-2, described safe processor is downloaded in update file from the application firmware and obtains formal application firmware, to described Application processor returns to the formal application firmware；

Flash inside the application processor is written in the formal application firmware by step 3-3, described application processor.

12. method as claimed in claim 11, which is characterized in that further included in the step 3-2：The safe processor from The application firmware downloads the signature value for the abstract that formal application firmware is obtained in update file, is returned to the application processor The signature value of the abstract of the formal application firmware；

It is further included in the step 3-3：Institute is written in the signature value of the abstract of the formal application firmware by the application processor State flash inside application processor.

13. method as claimed in claim 12, which is characterized in that the safe processor is downloaded from the application firmware to be updated Formal application firmware and the safe processor is obtained in file to obtain formally from application firmware download update file The signature value of the abstract of application firmware, specifically includes：The safe processor decrypts encrypted application using the root key Firmware more new key is downloaded in update header file according to application firmware described in the application firmware update key pair that decryption obtains and is included Signed data sign test, the application firmware obtained according to sign test downloads application firmware described in secret key decryption and downloads update file, from The signature value of the abstract of formal application firmware and formal application firmware is obtained in decrypted result.

14. the method as described in claim 1, which is characterized in that further included in the step S2：The financial terminal generates root Key, the secure firmware more new key to be prestored with the root key encryption；

In the step S5, the financial terminal further includes after downloading formal secure firmware：It is updated according to the secure firmware Formal secure firmware described in key verification continues to execute described by institute if verification if according to the secure firmware more new key It states the test secure firmware in financial terminal and is updated to the formal secure firmware, position machine returns directly up not if if verification Response is answered, return to step S1.

15. method as claimed in claim 14, which is characterized in that the financial terminal downloads formal secure firmware, according to institute Formal secure firmware described in stating secure firmware update key verification, specifically includes：

Step 4-1, when the application processor in described financial terminal receives the secure firmware download more new command, judge institute The type that secure firmware downloads more new command is stated, step 4-2 is then performed if download sign on, is then performed if download instruction Step 4-3, step 4-4 is then performed if download END instruction；

Step 4-2, described application processor obtains secure firmware from the download sign on and downloads update header file, by institute Secure firmware is stated to download outside the safe processor storage to safe processor that update header file is sent in the financial terminal Portion flash, and return to response to host computer；

Step 4-3, described application processor obtains secure firmware from the download instruction and downloads update file, by the safety Firmware downloads update file and is sent to the safe processor storage to the external flash of safe processor, and is returned to host computer Response is answered；

Step 4-4, described application processor issues secure firmware to the safe processor and downloads END instruction, performs step 4- 5；

Step 4-5, described safe processor secure firmware according to the secure firmware updates key verification downloads update text Part returns to secure firmware download END instruction response to the application processor if if verifying, performs step 4-6；If school It tests and does not download update header file and secure firmware download by then removing the secure firmware outside the safe processor in flash File is updated, returning to secure firmware to the application processor downloads END instruction response, performs step 4-6；

Step 4-6, described application processor downloads END instruction response according to the secure firmware and returns to response to host computer.

16. method as claimed in claim 15, which is characterized in that the safe processor is according to the application firmware more Xinmi City Key verifies the application firmware and downloads update file, specifically includes：The safe processor, which downloads the secure firmware, to be updated File carries out Hash operation, updates secret key decryption to encrypted secure firmware using the root key, is obtained using decryption Secure firmware described in secure firmware update key pair downloads the signed data sign test in update header file, judges the peace that sign test obtains Whether the abstract that full firmware downloads update document with Hash operation obtains is identical, verifies and passes through if identical, if differing It then verifies and does not pass through.

17. method as claimed in claim 15, which is characterized in that the financial terminal pacifies the test in the financial terminal Full firmware is updated to the formal secure firmware, specifically includes：

Step 5-1, described safe processor is downloaded in update file from the secure firmware and obtains formal secure firmware；

Step 5-2, the test secure firmware inside the safe processor in flash is updated with the formal secure firmware.

18. method as claimed in claim 17, which is characterized in that further included in the step 5-1：The safe processor from The secure firmware downloads the signature value for the abstract that formal secure firmware is obtained in update file；

It is further included in the step 5-2：Institute is written in the signature value of the abstract of the formal secure firmware by the safe processor State flash inside safe processor.

19. method as claimed in claim 18, which is characterized in that the safe processor is downloaded from the secure firmware to be updated Formal secure firmware and the safe processor is obtained in file to obtain formally from secure firmware download update file The signature value of the abstract of secure firmware, specifically includes：The safe processor decrypts encrypted safety using the root key Firmware more new key is downloaded in update header file according to secure firmware described in the secure firmware update key pair that decryption obtains and is included Signed data sign test, the secure firmware obtained according to sign test downloads secure firmware described in secret key decryption and downloads update file, from The signature value of the abstract of formal secure firmware and formal secure firmware is obtained in decrypted result.

20. the method as described in claim 1, which is characterized in that the financial terminal further includes before performing the step S3： The financial terminal checks that security context establishes whether mark is set, and the step S3 is performed if being set, if not being set to Position then returns to error message code, return to step S1 to host computer；

It is further included in the step S2：Security context described in the financial terminal set establishes mark；

The financial terminal further includes before performing the step S4 or step S5：The financial terminal checks safe boot updates Whether mark is set, and the step S4 or step S5 is performed if being set, and mistake is returned if being not set to host computer Information code, return to step S1；

It is further included in the step S3：Safe boot updates mark described in the financial terminal set.

21. a kind of financial terminal, which is characterized in that including：Communication module, security context establish module, memory module, safety Boot downloads update module, application firmware downloads update module and secure firmware downloads update module；

The communication module, for receive that host computer issues establish security context instruction, safe boot downloads more new command, should More new command is downloaded with firmware and secure firmware downloads more new command；

The security context establishes module, and security context instruction is established for work as that the communication module receives that host computer issues When, start safety detection function；

The memory module, it is solid for storing test application boot, test application firmware, the safe boot of test and test safety Part；

The safe boot downloads update module, for working as the safe boot downloads that the communication module receives host computer and issues During more new command, formal safe boot is downloaded, the test safety in the memory module is updated with the formal safe boot boot；

The application firmware downloads update module, for working as the application firmware download that the communication module receives host computer and issues During more new command, formal application firmware is downloaded, updating the test application in the memory module with the formal application firmware consolidates Part；

The secure firmware downloads update module, for working as the secure firmware download that the communication module receives host computer and issues During more new command, formal secure firmware is downloaded, the test updated with the formal secure firmware in the memory module is solid safely Part；

The communication module be additionally operable to when the security context establishes module, the safe boot downloads update module, it is described should When downloading update module and secure firmware download update module end of run with firmware, response is returned to host computer；

22. financial terminal as claimed in claim 21, which is characterized in that further include intrusion detection module；

The communication module is additionally operable to receive startup intrusion detection function instruction and the acquisition intrusion detection state that host computer issues It instructs and when the intrusion detection module end of run, response is returned to host computer or returns to intrusion detection state；

The intrusion detection module, for working as the startup intrusion detection function instruction that the communication module receives host computer and issues When, start intrusion detection function and for working as the acquisition intrusion detection state that the communication module receives host computer and issues During instruction, intrusion detection state is obtained.

23. financial terminal as claimed in claim 22, which is characterized in that the security context establishes module and is specifically used for working as institute State that communication module receives that host computer issues when establishing security context instruction, start-up temperature detection function and voltage detecting work( Energy.

24. financial terminal as claimed in claim 21, which is characterized in that the security context is established module and is additionally operable to when described Communication module receive that host computer issues when establishing security context instruction, initial chemoprevention exhaustion parameter space.

25. financial terminal as claimed in claim 21, which is characterized in that safe boot correction verification modules are further included, for verifying The safe boot downloads the formal safe boot that update module is downloaded；

The safe boot downloads update module and is specifically used for receiving the safe boot that host computer issues when the communication module When downloading more new command, download formal safe boot and when the safe boot correction verification modules verification passes through, with it is described just The safe boot of formula updates the safe boot of test in the memory module.

26. financial terminal as claimed in claim 25, which is characterized in that the safe boot downloads update module and specifically wraps It includes：Judging unit, acquiring unit, storage unit and updating unit；

The judging unit is used to, when the communication module receives the safe boot download more new commands that host computer issues, sentence The disconnected safe boot downloads the type of more new command；

The acquiring unit is used to judge that the safe boot downloads more new command to download sign on when the judging unit When, obtained from the download sign on safe boot verification and；And when the judging unit judges the safe boot When downloading more new command as download instruction, safe boot is obtained from the download instruction and is updated the data；

The storage unit is used to store safe boot verifications and and the safe boot update numbers that the acquiring unit is got According to；

The updating unit is used for when the safe boot correction verification modules verification passes through, with the safety in the storage unit Boot updates the data the safe boot of test updated in the memory module；

The safe boot correction verification modules are specifically used for judging that the safe boot downloads more new command and is when the judging unit When downloading END instruction, the safe boot in the storage unit verifies and verifies the safe boot in the storage unit It updates the data.

27. financial terminal as claimed in claim 26, which is characterized in that the safe boot downloads update module and further includes clearly Except unit, for when the updating unit end of run and when safe boot correction verification modules verify obstructed out-of-date, removing institute State the safe boot in storage unit update the data with safe boot verification and.

28. financial terminal as claimed in claim 21, which is characterized in that further include application firmware correction verification module；

The memory module is additionally operable to storage application firmware more new key；

The security context establishes module and is additionally operable to refer to when the communication module receives the security context of establishing that host computer issues When enabling, root key is generated, the application firmware more new key in the memory module described in the root key encryption；

The application firmware correction verification module, for being applied described in the application firmware update key verification in the memory module Firmware downloads the formal application firmware that update module is downloaded；

The application firmware downloads update module and is specifically used for receiving the application firmware that host computer issues when the communication module Download more new command when, download formal application firmware and when the application firmware correction verification module verification pass through after, with it is described just Formula application firmware updates the test application firmware in the memory module.

29. financial terminal as claimed in claim 28, which is characterized in that the application firmware is downloaded update module and specifically wrapped It includes：Download submodule and update submodule；

The download submodule specifically includes：Judging unit, acquiring unit and storage unit；

The judging unit, for when the communication module receives the application firmware that host computer issues and downloads more new command, Judge that the application firmware downloads the type of more new command；

The acquiring unit judges that the application firmware downloads more new command to download sign on for working as the judging unit When, it obtains the application firmware downloaded in sign on and downloads update header file；And judge for working as the judging unit When the application firmware downloads more new command as download instruction, obtain the application firmware in the download instruction and download update text Part；

The storage unit downloads update header file and application firmware for storing the application firmware that the acquiring unit is got Download update file；

The update submodule for working as after application firmware correction verification module verification passes through, is updated in the memory module Test application firmware；

The application firmware correction verification module judges that the application firmware downloads more new command and is specifically for working as the judging unit When downloading END instruction, the application in storage unit described in the application firmware update key verification in the memory module is consolidated Part download update file and when verification not by when remove application firmware in the storage unit download update header file and Application firmware downloads update file.

30. financial terminal as claimed in claim 29, which is characterized in that the application firmware correction verification module specifically includes：

Hash units, for when the judging unit judges that the application firmware downloads more new command as download END instruction, Update file is downloaded to the application firmware in the storage unit and carries out Hash operation；

Sign test unit, for the root key to be used to update secret key decryption to application firmware encrypted in the memory module, Application firmware in storage unit described in the application firmware update key pair obtained using decryption downloads the label in update header file Name data sign test；

Verification unit, for judging that the Hash result that the sign test result that the sign test unit obtains is obtained with the hash units is It is no identical, it verifies and passes through if identical, do not pass through if differing and verifying, the application firmware removed in the storage unit is downloaded It updates header file and application firmware downloads update file.

31. financial terminal as claimed in claim 29, which is characterized in that the update submodule specifically includes：

Unit is wiped, for working as after application firmware correction verification module verification passes through, the test wiped in the memory module should Use firmware；

Extraction unit obtains formal application firmware for being downloaded in update file from the application firmware in the storage unit；

The memory module is written in writing unit, the formal application firmware for the extraction unit to be got.

32. financial terminal as claimed in claim 31, which is characterized in that the extraction unit is additionally operable to from the storage unit In application firmware download update file in obtain formal application firmware abstract signature value；

Said write unit is additionally operable to write the signature value of the abstract of the formal application firmware that the extraction unit is got Enter the memory module.

33. financial terminal as claimed in claim 32, which is characterized in that the extraction unit is specifically used for：Use described Encrypted application firmware update secret key decryption, the application firmware more Xinmi City obtained according to decryption in memory module described in key pair Key downloads the application firmware in the storage unit signed data sign test included in update header file, is obtained according to sign test The application firmware that application firmware is downloaded in storage unit described in secret key decryption downloads update file, is obtained from decrypted result formal The signature value of the abstract of application firmware and formal application firmware.

34. financial terminal as claimed in claim 21, which is characterized in that further include secure firmware correction verification module；

The memory module is additionally operable to storage secure firmware more new key；

The security context establishes module and is additionally operable to refer to when the communication module receives the security context of establishing that host computer issues When enabling, root key is generated, the secure firmware more new key in the memory module described in the root key encryption；

The secure firmware correction verification module, for safety described in the secure firmware update key verification in the memory module Firmware downloads the formal secure firmware that update module is downloaded；

The secure firmware downloads update module and is specifically used for receiving the secure firmware that host computer issues when the communication module Download more new command when, download formal secure firmware and when the secure firmware correction verification module verification pass through after, with it is described just Formula secure firmware updates the test secure firmware in the memory module.

35. financial terminal as claimed in claim 34, which is characterized in that the secure firmware is downloaded update module and specifically wrapped It includes：Download submodule and update submodule；

The judging unit, for when the communication module receives the secure firmware that host computer issues and downloads more new command, Judge that the secure firmware downloads the type of more new command；

The acquiring unit judges that the secure firmware downloads more new command to download sign on for working as the judging unit When, it obtains the secure firmware downloaded in sign on and downloads update header file；And described in judging when the judging unit When secure firmware downloads more new command as download instruction, obtain the secure firmware in the download instruction and download update file；

The storage unit downloads update header file and secure firmware for storing the secure firmware that the acquiring unit is got Download update file；

The update submodule for working as after secure firmware correction verification module verification passes through, is updated in the memory module Test secure firmware；

The secure firmware correction verification module judges that the secure firmware downloads more new command and is specifically for working as the judging unit When downloading END instruction, the safety in storage unit described in the secure firmware update key verification in the memory module is consolidated Part downloads update file.

36. financial terminal as claimed in claim 35, which is characterized in that the secure firmware correction verification module specifically includes：

Hash units, for when the judging unit judges that the secure firmware downloads more new command as download END instruction, Update file is downloaded to the secure firmware in the storage unit and carries out Hash operation；

Sign test unit, for the root key to be used to update secret key decryption to secure firmware encrypted in the memory module, Secure firmware in storage unit described in the secure firmware update key pair obtained using decryption downloads the label in update header file Name data sign test；

Verification unit, for judging that the Hash result that the sign test result that the sign test unit obtains is obtained with the hash units is It is no identical, it verifies and passes through if identical, do not pass through if differing and verifying.

37. financial terminal as claimed in claim 35, which is characterized in that the update submodule specifically includes：

Extraction unit, for work as secure firmware correction verification module verification pass through after, from the storage unit secure firmware download Formal secure firmware is obtained in update file；

Updating unit, the formal secure firmware for being obtained with the extraction unit update the test safety in the memory module Firmware.

38. financial terminal as claimed in claim 37, which is characterized in that the extraction unit is additionally operable to from the storage unit In secure firmware download update file in obtain formal secure firmware abstract signature value；

The updating unit is additionally operable to the signature value write-in institute for the abstract of formal secure firmware for getting the extraction unit State memory module.

39. financial terminal as claimed in claim 38, which is characterized in that the extraction unit is specifically used for：Use described Encrypted secure firmware update secret key decryption, the secure firmware more Xinmi City obtained according to decryption in memory module described in key pair Key downloads the secure firmware in the storage unit signed data sign test included in update header file, is obtained according to sign test The secure firmware that secure firmware is downloaded in storage unit described in secret key decryption downloads update file, is obtained from decrypted result formal The signature value of the abstract of secure firmware and formal secure firmware.

40. financial terminal as claimed in claim 21, which is characterized in that the memory module is additionally operable to storage security context and builds Day-mark will and safe boot update marks；The security context establishes the original state of mark and the safe boot updates mark To be not set；

The safe boot downloads update module and is specifically used for：When the communication module receives the safe boot that host computer issues When downloading more new command, check that the security context in the memory module establishes whether mark is set and when the safety When environment is established mark and is set, formal safe boot is downloaded, is updated in the memory module with the formal safe boot Test safe boot, the safe boot update marks in memory module described in set；

The application firmware is downloaded update module and is specifically used for：When the communication module receives the application firmware that host computer issues When downloading more new command, check whether the update marks of the safe boot in the memory module are set and when the safety When boot update marks are set, formal application firmware is downloaded, is updated in the memory module with the formal application firmware Test application firmware；

The secure firmware is downloaded update module and is specifically used for：When the communication module receives the secure firmware that host computer issues When downloading more new command, check whether the update marks of the safe boot in the memory module are set and when the safety When boot update marks are set, formal secure firmware is downloaded, is updated in the memory module with the formal secure firmware Test secure firmware；

The communication module is additionally operable to：When the safe boot downloads the security context in the update module inspection memory module When establishing mark and being not set, download update module when the application firmware and check safe boot updates in the memory module It when mark is not set and downloads update module when the secure firmware and checks that the safe boot in the memory module updates When mark is not set, error message code is returned to host computer.