CN105159707B - The firmware programming method and financial terminal of a kind of safe financial terminal - Google Patents
The firmware programming method and financial terminal of a kind of safe financial terminal Download PDFInfo
- Publication number
- CN105159707B CN105159707B CN201510500802.3A CN201510500802A CN105159707B CN 105159707 B CN105159707 B CN 105159707B CN 201510500802 A CN201510500802 A CN 201510500802A CN 105159707 B CN105159707 B CN 105159707B
- Authority
- CN
- China
- Prior art keywords
- firmware
- application
- update
- downloads
- safe
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses the firmware programming methods and financial terminal of a kind of safe financial terminal, belong to financial security field.The foundation of security context, the download and update of safe boot, the download of application firmware and update and the download of secure firmware and update are completed according to the instruction that host computer issues the method includes financial terminal.The financial terminal includes communication module, security context establishes module, safe boot downloads update module, application firmware downloads update module and secure firmware downloads update module.The method have the advantage is capable of the security risks for the firmware programming method for avoiding existing financial terminal, improve the safety of financial terminal product.
Description
Technical field
The present invention relates to financial security field more particularly to the firmware programming methods and finance of a kind of safe financial terminal
Terminal.
Background technology
Financial terminal needs to establish security context before the use, and financial terminal enters safe fortune after security context is established
Row pattern can carry out the importing work of the sensitive datas such as key, password in such a mode.
Technical staff has found that the firmware programming method of existing financial terminal at least exists in the implementation of the present invention
Following security risk:
1. the code for establishing security context is included in formal firmware, on the one hand so that attacker has an opportunity to make security context
Establishing process performs again, mistake that on the other hand may also be due to secure firmware native codes or erroneous judgement, so as to cause safety
Environment re-establishes, and causes safety problem.
2. run for the first time after formal firmware programming, i.e., security incident can be detected (i.e. financial terminal self-test), and
Will detect there is security incident after be stopped, it is therefore desirable to conditional security incident inspection is performed in firmware program
It surveys, i.e., when not yet establishing security context, security incident testing process is skipped according to the judgement of correlated condition, is built in security context
After vertical, then by setting correlated condition, make firmware can be with operational safety event detection flow.This, which allows for attacker, has an opportunity to build
The vertical correlated condition forged so as to which formal firmware be made to skip security incident testing process, and then reaches inside attack financial terminal
The purpose of sensitive data.
Invention content
The defects of the purpose of the present invention is overcoming the prior art, provides a kind of firmware programming method of safe financial terminal
And financial terminal.
The present invention is achieved through the following technical solutions:
On the one hand, the present invention provides a kind of firmware programming method of safe financial terminal, specifically includes:
Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context
During instruction, step S2 is performed;When receiving the safe boot download more new commands that host computer issues, step S3 is performed;When connecing
When receiving the application firmware download more new command that host computer issues, step S4 is performed;Consolidate when receiving the safety that host computer issues
When part downloads more new command, step S5 is performed;
Step S2, described financial terminal starts safety detection function, and response, return to step S1 are returned to host computer;
Step S3, described financial terminal downloads formal safe boot, by the safe boot of test in the financial terminal more
It is newly the formal safe boot, response, return to step S1 is returned to host computer;
Step S4, described financial terminal downloads formal application firmware, by the test application firmware in the financial terminal more
It is newly the formal application firmware, response, return to step S1 is returned to host computer;
Step S5, described financial terminal downloads formal secure firmware, by the test secure firmware in the financial terminal more
It is newly the formal secure firmware, response, return to step S1 is returned to host computer;
Further, it is further included in the step S1:When receiving the startup intrusion detection function instruction that host computer issues
When, the financial terminal starts intrusion detection function, and response, return to step S1 are returned to host computer;When receiving under host computer
During the acquisition intrusion detection status command of hair, intrusion detection state is obtained, the intrusion detection state is returned to host computer, returns
Step S1;
It is further included in the step S2:The initial chemoprevention exhaustion parameter space of financial terminal;
In the step S3, the financial terminal further includes after downloading formal safe boot:Verify the formal safety
Boot continues to execute the safe boot by the financial terminal if if verification and is updated to the formal safety
Boot, if verification, not if, position machine returns to response, return to step S1 directly up;
It is further included in the step S2:The financial terminal generates root key, the application to be prestored with the root key encryption
Firmware more new key;In the step S4, the financial terminal further includes after downloading formal application firmware:According to the application
Formal application firmware described in firmware update key verification, continues to execute if verification if according to the application firmware more new key
The test application firmware by the financial terminal is updated to the formal application firmware, if verification not if directly to
Host computer returns to response, return to step S1;
It is further included in the step S2:The financial terminal generates root key, the safety to be prestored with the root key encryption
Firmware more new key;In the step S5, the financial terminal further includes after downloading formal secure firmware:According to the safety
Formal secure firmware described in firmware update key verification, continues to execute if verification if according to the secure firmware more new key
The test secure firmware by the financial terminal is updated to the formal secure firmware, if verification not if directly to
Host computer returns to response, return to step S1;
The financial terminal further includes before performing the step S3:The financial terminal checks that security context establishes mark
Whether it is set, the step S3 is performed if being set, returns to error message code if being not set to host computer, return to step
Rapid S1;It is further included in the step S2:Security context described in the financial terminal set establishes mark;The financial terminal performs
It is further included before the step S4 or step S5:The financial terminal checks whether safe boot updates mark is set, if by
Set then performs the step S4 or step S5, and error message code, return to step S1 are returned to host computer if being not set;Institute
It states and is further included in step S3:Safe boot updates mark described in the financial terminal set.
On the other hand, the present invention provides a kind of financial terminal, specifically includes:Communication module, security context are established module, are deposited
Store up module, safe boot downloads update module, application firmware downloads update module and secure firmware downloads update module;
The communication module, for receive that host computer issues establish security context instruction, safe boot downloads update and refers to
It enables, application firmware downloads more new command and secure firmware downloads more new command;
The security context establishes module, and security context is established for work as that the communication module receives that host computer issues
During instruction, start safety detection function;
The memory module, for storing test application boot, test application firmware, the safe boot of test and test safety
Firmware;
The safe boot downloads update module, for working as the safe boot that the communication module receives host computer and issues
When downloading more new command, formal safe boot is downloaded, updating the test in the memory module with the formal safe boot pacifies
Full boot;
The application firmware downloads update module, for working as the application firmware that the communication module receives host computer and issues
When downloading more new command, formal application firmware is downloaded, the test updated with the formal application firmware in the memory module should
Use firmware;
The secure firmware downloads update module, for working as the secure firmware that the communication module receives host computer and issues
When downloading more new command, formal secure firmware is downloaded, the test updated with the formal secure firmware in the memory module is pacified
Full firmware;
The communication module is additionally operable to when the security context establishes module, the safe boot downloads update module, institute
When stating application firmware download update module and secure firmware download update module end of run, response is returned to host computer;
Further, intrusion detection module is further included in above-mentioned financial terminal, is received for working as the communication module
During the startup intrusion detection function instruction that position machine issues, start intrusion detection function and received for working as the communication module
When detecting status command to the acquisition intrusion that host computer issues, intrusion detection state is obtained;Correspondingly, the communication module is also used
Intrusion, which is instructed and obtain, in the startup intrusion detection function that reception host computer issues detects status command and when the intrusion is examined
When surveying module end of run, return to response to host computer or return to intrusion detection state;
The security context establishes module and is additionally operable to establish safety collar when what the communication module received that host computer issues
When border instructs, initial chemoprevention exhaustion parameter space;
Above-mentioned financial terminal further includes safe boot correction verification modules, is downloaded under update module for verifying the safe boot
The formal safe boot carried;Correspondingly, the safe boot downloads update module and is specifically used for receiving when the communication module
When the safe boot that host computer issues downloads more new command, formal safe boot is downloaded and when the safe boot calibration modes
Block check by when, the safe boot of test in the memory module is updated with the formal safe boot;
Above-mentioned financial terminal further includes application firmware correction verification module, for the application firmware in the memory module more
New key verifies the application firmware and downloads the formal application firmware that update module is downloaded;Correspondingly, the memory module is also used
In storage application firmware more new key;The security context establishes module and is additionally operable to receive under host computer when the communication module
When establishing security context instruction of hair, generates root key, the application firmware in the memory module described in the root key encryption is more
New key;The application firmware downloads update module and is specifically used for consolidating when the communication module receives the application that host computer issues
When part downloads more new command, formal application firmware is downloaded and after application firmware correction verification module verification passes through, with described
Formal application firmware updates the test application firmware in the memory module;
Above-mentioned financial terminal further includes secure firmware correction verification module, for the secure firmware in the memory module more
New key verifies the secure firmware and downloads the formal secure firmware that update module is downloaded;Correspondingly, the memory module is also used
In storage secure firmware more new key;The security context establishes module and is additionally operable to receive under host computer when the communication module
When establishing security context instruction of hair, generates root key, the secure firmware in the memory module described in the root key encryption is more
New key;The secure firmware downloads update module and is specifically used for consolidating when the communication module receives the safety that host computer issues
When part downloads more new command, formal secure firmware is downloaded and after secure firmware correction verification module verification passes through, with described
Formal secure firmware updates the test secure firmware in the memory module;
The memory module is additionally operable to storage security context and establishes mark and safe boot update marks, the security context
The original state of mark and the safe boot updates mark is established to be not set, correspondingly:
The security context establishes the security context that module is additionally operable in memory module described in set and establishes mark;
The safe boot downloads update module and is specifically used for:When the communication module receives the safety that host computer issues
When boot downloads more new command, check that the security context in the memory module establishes whether mark is set and when described
When security context is established mark and is set, formal safe boot is downloaded, updates the memory module with the formal safe boot
In the safe boot of test, the safe boot update marks in memory module described in set;
The application firmware is downloaded update module and is specifically used for:When the communication module receives the application that host computer issues
When firmware downloads more new command, check whether the update marks of the safe boot in the memory module are set and when described
When safe boot updates mark is set, formal application firmware is downloaded, updates the memory module with the formal application firmware
In test application firmware;
The secure firmware is downloaded update module and is specifically used for:When the communication module receives the safety that host computer issues
When firmware downloads more new command, check whether the update marks of the safe boot in the memory module are set and when described
When safe boot updates mark is set, formal secure firmware is downloaded, updates the memory module with the formal secure firmware
In test secure firmware;
The communication module is additionally operable to:When the safe boot downloads the safety in the update module inspection memory module
When environment is established mark and is not set, download update module when the application firmware and check safe boot in the memory module
When update mark is not set and when the secure firmware downloads the safe boot in the update module inspection memory module
When update mark is not set, error message code is returned to host computer.
The advantageous effect of the method for the present invention is:It can be to avoid existing financial terminal using method provided by the invention
The security risk of firmware programming method, so as to improve the safety of financial terminal product.
Description of the drawings
Illustrate the embodiment of the present invention or technical solution of the prior art in order to clearer, to embodiment or will show below
There is attached drawing needed in technology description to be briefly described, it should be apparent that, the accompanying drawings in the following description is only this
Some embodiments of invention, for those of ordinary skill in the art, without creative efforts, can be with
Other attached drawings are obtained according to these attached drawings.
Fig. 1 is the firmware programming method flow diagram of a kind of safe financial terminal that the embodiment of the present invention 1 provides;
Fig. 2 is the download that provides of the embodiment of the present invention 1 formally safe boot and with formal safe boot replacement tests peace
The flow chart of full boot;
Fig. 3 is the flow chart of the formal application firmware of download that the embodiment of the present invention 1 provides;
Fig. 4 is the flow chart of the formal application firmware replacement test application firmware of use that the embodiment of the present invention 1 provides;
Fig. 5 is the flow chart of the formal secure firmware of download that the embodiment of the present invention 1 provides;
Fig. 6 is the flow chart of the formal secure firmware replacement test secure firmware of use that the embodiment of the present invention 1 provides;
Fig. 7 is the block diagram of financial terminal that the embodiment of the present invention 2 provides.
Specific embodiment
Below in conjunction with the attached drawing in the embodiment of the present invention, the technical solution in the embodiment of the present invention is carried out clear, complete
Site preparation describes, it is clear that described embodiment is only part of the embodiment of the present invention, instead of all the embodiments.It is based on
Embodiment in the present invention, the every other implementation that those skilled in the art are obtained without making creative work
Example, shall fall within the protection scope of the present invention.
Application processor and safe processor are included in financial terminal in the present invention;
There is using boot and application firmware burning in application processor;Burning has safe boot and safety in safe processor
Firmware;
When financial terminal after the power is turned on, application processor and safe processor are respectively started, application processor run first should
With boot, application firmware first address is jumped to when application boot end of runs, runs application firmware, until under financial terminal
Electricity;Safe processor operational safety boot first jumps to secure firmware first address, operation peace when safe boot end of runs
Full firmware, until electricity under financial terminal;
Application firmware includes test application firmware and formal application firmware, and safe boot is including the safe boot of test and formally
Safe boot, secure firmware include test secure firmware and formal secure firmware;In test application firmware and test secure firmware
Comprising hardware test program and security context construction procedures, correspondingly, do not include in formal application firmware and formal secure firmware
Hardware test program and security context construction procedures;It tests in safe boot and does not include the program of financial terminal self-test, correspondingly,
The program of financial terminal self-test, and the formal safe boot in the present invention and finance in the prior art are included in formal safe boot
The safe boot of burning is compared in terminal security processor, reduces the condition judgment of terminal self testing, so as to prevent from attacking
Person forges the condition of terminal self testing, hides terminal self testing;
In the present invention, burning application boot and test application firmware first into application processor, into safe processor
Safe boot and test secure firmware are tested in burning, after hardware testing and security context to be done are established, are gradually pacified test
Full boot is updated to formal safe boot, by test application firmware and test secure firmware be updated to respectively formal application firmware and
Formal secure firmware.
Embodiment 1
The present embodiment provides a kind of firmware programming method of safe financial terminal, as shown in Figure 1, specifically including:
Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context
Step S2 is performed during instruction, step S3 is performed when receiving the safe boot that host computer issues and download more new command, works as reception
The application firmware issued to host computer performs step S4 when downloading more new command, when receiving under the secure firmware that host computer issues
Step S5 is performed when carrying more new command;
Specifically, in the present embodiment, instruction that host computer will be sent is packaged into standard CC ID communication instructions and is handed down to gold
Melt terminal.
Step S2, financial terminal starts safety detection function, and response, return to step S1 are returned to host computer;
In the present embodiment, safety detection function includes:Invade detection function, temperature detecting function and voltage detecting function
Deng.
In the present embodiment, it can also include in step S2:Initial chemoprevention exhaustion parameter space.
In the present embodiment, financial terminal returns to host computer after reply data is packaged into CCID communication protocol layer datas.
Further, in the present embodiment, financial terminal further includes before performing step S2:Judge whether security context is built
It is vertical, it is to perform step S2, otherwise prompts mistake, return to step S1;
In the present embodiment, generation root key is further included in step S2, with the preset application firmware of root key encryption more Xinmi City
Key and secure firmware more new key;Judging the whether established method of security context can be specially:To in root key memory block
Data carry out SHA-256 operations, judge whether preceding 4 bytes of operation result identical with the data in BPK RAM areas, if phase
Same then security context has been established, and otherwise security context is not set up, wherein initial in the root key memory block and BPK RAM areas
Data are 0;
Correspondingly, in step S2, after financial terminal generates root key, root key is saved in root key memory block, and
SHA-256 operations are carried out to root key, preceding 4 bytes of operation result are saved in BPK RAM areas.
Step S3, financial terminal downloads formal safe boot, and the test replaced with formal safe boot in financial terminal is pacified
Full boot returns to response, return to step S1 to host computer;
Step S4, financial terminal downloads formal application firmware, and the test replaced with formal application firmware in financial terminal should
With firmware, response, return to step S1 are returned to host computer;
Step S5, financial terminal downloads formal secure firmware, and the test replaced with formal secure firmware in financial terminal is pacified
Full firmware returns to response, return to step S1 to host computer.
Further, it is further included in step S1, performs step when receiving the startup intrusion detection instruction that host computer issues
Rapid S6 performs step S7 when receiving the acquisition intrusion detection status command that host computer issues:
Step S6, financial terminal starts intrusion detection function, and response, return to step S1 are returned to host computer;
Specifically, financial terminal is by setting corresponding registers and sensor to start intrusion detection function.
Step S7, financial terminal inspection intrusion detection state returns to intrusion detection state, return to step S1 to host computer;
Specifically, financial terminal is by checking that corresponding registers and sensor obtain intrusion detection state.
Further, it further includes in step S1, is held when financial terminal receives the hardware testing instruction that host computer issues
Row step S8:
Step S8, the hardware capability of financial terminal is tested according to command content, response, return to step are returned to host computer
S1。
Further, the controlling mechanism of firmware programming flow can also be included in the above method, is specifically included:
Financial terminal further includes before performing step S3:Financial terminal checks that security context establishes whether mark is set,
Step S3 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
It is further included in step S2:Financial terminal set security context establishes mark;
Financial terminal further includes before performing step S4:Financial terminal checks whether safe boot updates mark is set,
Step S4 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
Financial terminal further includes before performing step S5:Financial terminal checks whether safe boot updates mark is set,
Step S5 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
It is further included in step S3:The safe boot updates mark of financial terminal set;
Financial terminal further includes before performing step S2:Whether financial terminal inspection intrusion detection active flag is set,
Step S2 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
Financial terminal further includes before performing step S7:Whether financial terminal inspection intrusion detection active flag is set,
Step S7 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
In step S6, financial terminal further includes after starting intrusion detection function:Financial terminal inspection invades detection state, root
According to intrusion detection condition adjudgement with the presence or absence of intrusion event, error condition is returned to host computer if there are intrusion event, is returned
If there is no set intrusion detection active flag if intrusion event, response, return to step S1 are returned to host computer by step S1;
Financial terminal further includes before performing step S6:Financial terminal checks whether hardware capability detection mark is set,
Step S6 is performed if being set, error message code, return to step S1 are returned if being not set to host computer;
In step S8, financial terminal further includes after the hardware capability of financial terminal is tested according to command content:Financial terminal
Judge whether to test all hardware capabilities to be measured, set hardware capability detection mark, is returned to host computer if all testing
Response is answered, return to step S1;Otherwise position machine returns to response, return to step S1 directly up.
In the present embodiment, comprising application processor and safe processor in financial terminal, refer to using boot and handled in application
The boot program run in device, test application firmware refer to run in application processor comprising hardware testing relative program and peace
Full ambient engine establishes the firmware program of relative program;Formal application firmware refer to run in application processor do not include hardware testing
Relative program and security context establish the firmware program of relative program;Test secure firmware refers to the packet run in safe processor
Relative program containing hardware testing and security context establish the firmware program of relative program;Formal secure firmware refers in safe processor
The firmware program that relative program is established not comprising hardware testing relative program and security context of middle operation;Safe boot is tested to refer to
The boot program of relative program for not including detection security context and whether establishing run in safe processor, formal safety
Boot refers to the boot program of relative program whether established comprising detection security context run in safe processor.
In the present embodiment, the hardware capability of financial terminal is tested according to command content, response is returned to host computer, it is specific to wrap
It includes:
Application processor judges the type that hardware testing instructs after receiving the hardware testing instruction that host computer issues;
If hardware testing instruction is instructed for speech play, application processor control voice chip plays sound, and tissue should
Answer evidence, and return to host computer after encapsulating CCID protocol layer data to reply data;
If hardware testing instruction is obtained to obtain barcode scanning data command, application processor according to barcode scanning data command is obtained
Barcode scanning gun scan data organizes reply data, and returns to host computer after reply data is packaged into CCID protocol layer data;
Otherwise, application processor instructs to safe processor according to hardware testing and issues specific test instruction;Safe handling
Device is according to the corresponding hardware capability of specific test instruction testing, and to application processor return instruction response;Application processor according to
The repeat-back tissue reply data that safe processor returns, it is upper to being returned to after reply data encapsulation CCID protocol layer data
Machine.
Specific test instruction includes:LCD idsplay orders obtain key value instructions, buzzer control instruction, IC card management instruction
With magnetic stripe card management instruction etc.;
In the present embodiment, the second of data field byte that application processor is instructed by hardware testing judges hardware testing
The type of instruction;For example, when second byte of the data field of hardware testing instruction is 15, hardware testing instruction is specially language
Sound play instruction;When second byte of the data field of hardware testing instruction is 16, hardware testing instruction is specially to obtain to sweep
Code data command;When second byte of the data field of hardware testing instruction is 02, application processor is under safe processor
Send out LCD idsplay orders;When second byte of the data field of hardware testing instruction is 01, application processor is to safe processor
Issue acquisition key value instructions;When second byte of the data field of hardware testing instruction is 05, application processor is to safe place
Reason device issues buzzer control instruction;When hardware testing instruction data field second byte be 03 when, application processor to
Safe processor issues IC card management instruction;When second byte of the data field of hardware testing instruction is 0F, using processing
Device issues magnetic stripe card management instruction to safe processor.
Further, safe processor is according to the corresponding hardware capability of specific test instruction testing, and is returned to application processor
Repeat-back is returned, can be specifically included:
Step 1-1, the specific test instruction that safe processor parsing receives, step is then performed if LCD idsplay orders
1-2 then performs step 1-3 if key value instructions are obtained, step 1-4 is then performed if buzzer control instruction, if IC card pipe
Reason instruction then performs step 1-5, and step 1-6 is then performed if magnetic stripe card management instruction;
Step 1-2, safe processor controls LCD to show corresponding word and figure according to LCD idsplay orders, is handled to application
Device returns to LCD idsplay order responses;
Step 1-3, safe processor within a specified time obtains input through keyboard key assignments according to key value instructions are obtained, to application
Processor, which returns, obtains key value instructions response;
Step 1-4, safe processor control buzzer rings return to buzzer control instruction response to application processor;
Step 1-5, safe processor within a specified time carries out IC card poll, is carried out according to IC card management instruction and IC card
Communication returns to IC card management repeat-back to application processor;
Step 1-6, safe processor within a specified time obtains magnetic stripe card brushing card data, and magnetic stripe is returned to application processor
Card management repeat-back.
In the present embodiment, financial terminal starts intrusion detection function, returns to response to host computer, specifically includes:
Step 201, application processor receive the startup intrusion detection instruction backward security processor hair that host computer issues
Send intrusion detection enabled instruction;
Step 202, safe processor start intrusion detection function;
Specifically, safe processor is by setting corresponding registers and sensor to start intrusion detection function.
Step 203, safe processor return to intrusion detection enabled instruction response to application processor;
Step 204, application processor detect enabled instruction response tissue answer number according to the intrusion that safe processor returns
According to;
Step 205, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.
In the present embodiment, financial terminal inspection intrusion detection state returns to response to host computer, specifically includes:
Step 301, application processor receive the acquisition intrusion detection status command backward security processing that host computer issues
Device sends intrusion detection state acquisition instruction;
Step 302, safe processor obtain intrusion detection state;
Specifically, safe processor is by checking that corresponding registers and sensor obtain intrusion detection state.
Step 303, safe processor return to intrusion detection state acquisition instruction response to application processor;
The intrusion detection state acquisition instruction response tissue that step 304, application processor are returned according to safe processor should
Answer evidence;
Step 305, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.
In the present embodiment, step S2 can be specifically included:
Step 401, application processor receive the security context of establishing that host computer issues and instruct under backward security processor
It sends out security context and establishes instruction;
Step 402, safe processor generate root key, respectively that application firmware more new key and safety is solid using root key
It is stored after the encryption of part more new key, initial chemoprevention exhaustion parameter space;
In the present embodiment, root key is specially a random number of safe processor generation;Respectively should using root key
With being stored after firmware more new key and the encryption of secure firmware more new key, specially:It is solid to application respectively using the random number
Part more new key and secure firmware more new key are encrypted, application firmware more new key ciphertext and the safety that storage encryption obtains
Firmware more new key ciphertext.
Step 403, safe processor establish security context repeat-back to application processor return;
Step 404, application processor establish security context repeat-back tissue answer number according to what safe processor returned
According to;
Step 405, application processor return to host computer after encapsulating CCID communication protocol layer datas to reply data.
As shown in Fig. 2, in the present embodiment, financial terminal downloads formal safe boot, and finance is replaced with formal safe boot
The safe boot of test in terminal returns to response to host computer, specifically includes:
Step 501, application processor, which are received when the safe boot that host computer issues downloads more new command, judges safety
Boot downloads the type of more new command, then performs step 502 if sign on is downloaded, step is then performed if download instruction
506, then perform step 510 if END instruction is downloaded;
Step 502, application processor send safe boot to safe processor and download sign on;
In the present embodiment, application processor is downloaded in sign on to the safe boot that safe processor is sent comprising application
Safe boot that processor is obtained from the CCID communication instructions that host computer issues verification and.
Step 503, safe processor downloaded from safe boot obtained in sign on safe boot verification and, preserve safety
Boot is verified and the external flash to safe processor;
Step 504, safe processor return to safe boot to application processor and download sign on response;
Step 505, application processor are downloaded sign on response tissue according to the safe boot that safe processor returns and are answered
Answer evidence returns to host computer, return to step 501 after encapsulating CCID communication protocol layer datas to reply data;
Step 506, application processor send safe boot download instructions to safe processor;
In the present embodiment, application processor includes application processing into the safe boot download instructions that safe processor is sent
The safe boot that device is obtained from the CCID communication instructions that host computer issues is updated the data.
Step 507, safe processor obtain safe boot from safe boot download instructions and update the data, and preserve safety
Boot updates the data the external flash of safe processor;
Step 508, safe processor return to safe boot download instructions response to application processor;
The safe boot download instructions response tissue answer number that step 509, application processor are returned according to safe processor
According to returning to host computer, return to step 501 after reply data encapsulation CCID communication protocol layer datas;
Step 510, application processor send safe boot to safe processor and download END instruction;
Step 511, safe processor verify according to safe boot and safe boot are updated the data and verify, if verification
By then performing step 512, step 513 is not performed if if verification;
In the present embodiment, safe boot is updated the data subpackage post package and updates number comprising safe boot into several by host computer
According to the standard CC ID communication instructions of packet, it is handed down to application processor successively, correspondingly, application processor receives every and includes peace
During the standard CC ID communication instructions of full boot updated data packages, send one to safe processor and updated comprising corresponding safe boot
The safe boot download instructions of data packet, the safe boot that safe processor is obtained in safe boot download instructions are updated the data
The safe boot updated data packages got sequence is stored in the external flash of safe processor by packet, updates safe boot updates
Data check and for the safe boot that the has received verification updated the data and, return to safe boot downloads to application processor and refer to
Enable response;
When the safe boot that safe processor receives application processor transmission downloads END instruction, safe boot is judged
Verification and the safe boot verifications with being stored in flash outside safe processor and whether identical are updated the data, is then safely
Boot updates the data verification and passes through, and otherwise safe boot updates the data verification and do not pass through.
For example, safe boot is updated the data as 64k bytes, host computer updates the data safe boot subpackage and obtains 64 1k
The safe boot updated data packages of byte are packaged into 64 standard CC ID communication instructions with this and are handed down to application processor successively.
The safe boot stored in the external flash of safe processor is updated the data storage by step 512, safe processor
To the boot storage address of the inside flash of safe processor, the safety stored in the external flash of safe processor is wiped
Boot verify and and safe boot update the data, perform step 514;
In the present embodiment, safe processor sequentially reads the safety of preset length from the external flash of safe processor
Boot is updated the data, the boot storage address of the inside flash of sequential storage to safe processor.
For example, preset length is 2k bytes.
Step 513, safe processor erasing safe processor external flash in the safe boot that stores verify and and
Safe boot is updated the data, and performs step 514;
Step 514, safe processor return to safe boot to application processor and download END instruction response;
Step 515, application processor are downloaded END instruction response tissue according to the safe boot that safe processor returns and are answered
Answer evidence returns to host computer after encapsulating CCID protocol layer data to reply data.
Referring to Fig. 3, in the present embodiment, financial terminal downloads formal application firmware, specifically includes:
Step 601, application processor, which are received after the application firmware that host computer issues downloads more new command, judges that application is solid
Part downloads the type of more new command, then performs step 602 if sign on is downloaded, step 606 is then performed if download instruction,
Step 610 is then performed if END instruction is downloaded;
Step 602, application processor download sign on to safe processor sending application firmware;
In the present embodiment, application processor is downloaded in sign on to the application firmware that safe processor is sent comprising application
The application firmware that processor is obtained from the CCID communication instructions that host computer issues downloads update header file.It, should in the present embodiment
The information and signed data for downloading update file in update header file comprising application firmware are downloaded with firmware, wherein, application firmware
Download update file information include application firmware download update file title and/or version number and/or encryption mode and/or
Checking mode and/or update address space and/or address style and/or file storage purpose address and/or file size etc..
Step 603, safe processor, which are downloaded to obtain application firmware in sign on and download from application firmware, updates header file,
And application firmware is downloaded into the storage of update header file to the external flash of safe processor;
Step 604, safe processor return to application firmware to application processor and download sign on response;
Step 605, application processor are downloaded sign on response tissue according to the application firmware that safe processor returns and are answered
Answer evidence returns to host computer, return to step 601 after encapsulating CCID communication protocol layer datas to reply data;
Step 606, application processor issue application firmware download instruction to safe processor;
In the present embodiment, application processor includes application processing into the application firmware download instruction that safe processor issues
The application firmware that device is obtained from the CCID communication instructions that host computer issues downloads update file.
Step 607, safe processor obtain application firmware from application firmware download instruction and download update file, and should
The storage of update file is downloaded to the external flash of safe processor with firmware;
In the present embodiment, application firmware downloads what is made a summary in update file comprising formal application firmware and formal application firmware
Signature value or the ciphertext being encrypted comprising the signature value that alignment type application firmware and formal application firmware are made a summary.
Step 608, safe processor return to application firmware download instruction response to application processor;
In the present embodiment, application firmware is downloaded update file subpackage post package into several comprising under application firmware by host computer
The standard CC ID communication instructions of update file data packet are carried, are handed down to application processor successively, correspondingly, application processor receives
When downloading the standard CC ID communication instructions for updating file data packet comprising application firmware to every, one is issued to safe processor
The application firmware file download instructions of update file data packet are downloaded comprising respective application firmware, it is solid that safe processor obtains application
Application firmware in part file download instructions downloads update file data packet, and the application firmware got is downloaded update number of files
According to the external flash of packet sequence deposit safe processor, application firmware file download instructions response is returned to application processor.
The application firmware download instruction response tissue answer number that step 609, application processor are returned according to safe processor
According to returning to host computer, return to step 601 after reply data encapsulation CCID communication protocol layer datas;
Step 610, application processor issue application firmware to safe processor and download END instruction;
Step 611, safe processor are downloaded application firmware update file and are verified, and step is performed if if verifying
612, step 613 is not performed if if verification;
In the present embodiment, download in update file when application firmware and make a summary comprising formal application firmware and formal application firmware
Signature value when, safe processor to application firmware download update file carry out verification specifically include:Safe processor according to should
It is corresponding that the checking mode information selection updated in the information of application firmware download update file that header file includes is downloaded with firmware
Hash algorithm (or safe processor directly selects default hash algorithm), according to the hash algorithm of selection to safe processor
The application firmware stored in external flash downloads update file and carries out Hash operation, is updated using root key decryption application firmware
Key ciphertext, the firmware that is applied update key plain update key plain according to application firmware and download update to application firmware
The signed data that header file includes carries out sign test, and the firmware that is applied downloads update document, judges the application that sign test obtains
Firmware is downloaded update document and is carried out with downloading update file to the application firmware stored in the external flash of safe processor
Whether the abstract that Hash operation obtains is consistent, is, verification passes through, and otherwise verifies and does not pass through;
In the present embodiment, download in update file when application firmware and plucked comprising alignment type application firmware and formal application firmware
During the ciphertext that the signature value wanted is encrypted, safe processor carries out verification to application firmware download update file and specifically includes:
Safe processor downloads the verification updated in the information of application firmware download update file that header file includes according to application firmware
Pattern information selects corresponding hash algorithm (or safe processor directly selects default hash algorithm), is calculated according to the Hash of selection
Method downloads update file to the application firmware stored in the external flash of safe processor and carries out Hash operation, uses root key
Application firmware more new key ciphertext is decrypted, the firmware that is applied update key plain updates key plain pair according to application firmware
Application firmware downloads the signed data that update header file includes and carries out sign test, and the firmware that is applied downloads update document and should
Key is downloaded with firmware, judges that the application firmware that sign test obtains downloads update document and the outside to safe processor
Whether the abstract that the application firmware download update file progress Hash operation stored in flash obtains is consistent, is that verification passes through,
Otherwise it verifies and does not pass through.
Application firmware update mark is written into the external flash of safe processor for step 612, safe processor, performs
Step 614;
It can also be shown in the present embodiment, in step 612 including safe processor control LCD and turn back on prompting.
Step 613, safe processor wipe the application firmware stored in the external flash of safe processor and download update head
File and application firmware download update file, perform step 614;
It can also include safe processor control LCD in the present embodiment, in step 613 and show corresponding miscue.
Step 614, safe processor return to application firmware to application processor and download END instruction response;
Step 615, application processor are downloaded END instruction response tissue according to the application firmware that safe processor returns and are answered
Answer evidence returns to host computer after encapsulating CCID communication protocol layer datas to reply data.
Referring to Fig. 4, in the present embodiment, financial terminal is replaced the test application in financial terminal with formal application firmware and is consolidated
Part specifically includes:
Step 701, application processor wipe the test application firmware in the inside flash of application processor;
Specifically, the data in the firmware storage address of the inside flash of application processor erasing application processor.
Step 702, application processor, which send to obtain application firmware and download to safe processor, updates header file instruction;
Step 703, safe processor read the application firmware stored in the external flash of safe processor and download update head
File;
Step 704, safe processor return to application firmware to application processor and download update header file;
Step 705, application processor download file size in update header file to safe processor according to application firmware
Send the signature value instruction for obtaining formal application firmware and its abstract;
The application firmware that step 706, safe processor store in the external flash according to safe processor downloads update text
Part obtains formal application firmware and its signature value of abstract;
In the present embodiment, download in update file when application firmware and make a summary comprising formal application firmware and formal application firmware
Signature value when, step 706 specifically includes:Safe processor reads the application stored in the external flash of safe processor and consolidates
Part downloads update file and obtains formal application firmware and its signature value of abstract.
In the present embodiment, download in update file when application firmware and plucked comprising alignment type application firmware and formal application firmware
During the ciphertext that the signature value wanted is encrypted, step 706 specifically includes:Safe processor decrypts application firmware more using root key
New key ciphertext, the firmware that is applied update key plain update key plain using application firmware and application firmware are downloaded more
The signed data that new header file includes carries out sign test, and application firmware is obtained from sign test result and downloads key, according to application firmware
It downloads the encryption mode information that the application firmware that update header file includes is downloaded in the information of update file and selects corresponding encryption and decryption
Algorithm (or directly selecting default enciphering and deciphering algorithm) is downloaded key pair using application firmware according to the enciphering and deciphering algorithm of selection and is pacified
The application firmware stored in the external flash of full processor downloads update file decryption, obtains formal application firmware and its abstract
Signature value.
Step 707, safe processor return to formal application firmware and its signature value of abstract to application processor;
The signature value write-in of step 708, the formal application firmware that application processor returns to safe processor and its abstract
The inside flash of application processor;
Specifically, the formal application firmware and its signature value write-in of abstract that application processor returns to safe processor should
With the firmware storage address of the inside flash of processor.
In the present embodiment, step 705~step 708 specifically includes:If application processor is sent successively to safe processor
Dry acquisition updates the data instruction, until the application firmware that application processor is got before downloads what update header file included
It has got using the file size judgement in the information for downloading update file and has all updated the data;Correspondingly, safe processor
It receives every to obtain when updating the data instruction, sequence obtains updating the data for preset length and returns to application processor, applies
Updating the data for current preset length is sequentially written in the firmware storage address of flash inside application processor by processor.
Step 709, application processor are updated to safe processor sending application firmware completes instruction;
Step 710, safe processor wipe the application firmware stored in the external flash of safe processor and download update head
File, application firmware download update file and application firmware update mark;
Step 711, safe processor return to application firmware update to application processor and complete repeat-back.
In the present embodiment, after step 711, the application firmware that application processor receives safe processor return has updated
Into being further included during repeat-back:Application processor carries out the formal application firmware stored in the inside flash of application processor
The signature value that the formal application firmware stored in the inside flash of application processor is made a summary is sent to safe place by Hash operation
It manages device and carries out sign test;The signature value that safe processor makes a summary to the formal application firmware that application processor is sent carries out sign test, will
Sign test result returns to application processor;Application processor judges Hash operation result and the sign test result that safe processor returns
It is whether consistent, it is to run formal application firmware, otherwise prompts mistake.
Referring to Fig. 5, in the present embodiment, financial terminal downloads formal secure firmware, specifically includes:
Step 801, application processor, which are received after the secure firmware that host computer issues downloads more new command, judges that safety is solid
Part downloads the type of more new command, then performs step 802 if sign on is downloaded, step 806 is then performed if download instruction,
Step 810 is then performed if END instruction is downloaded;
Step 802, application processor send secure firmware to safe processor and download sign on;
In the present embodiment, application processor is downloaded in sign on to the secure firmware that safe processor is sent comprising application
The secure firmware that processor is obtained from the CCID communication instructions that host computer issues downloads update header file.In the present embodiment, peace
Full firmware downloads the information and signed data for downloading update file in update header file comprising secure firmware, wherein, secure firmware
Download update file information include secure firmware download update file title and/or version number and/or encryption mode and/or
Checking mode and/or update address space and/or address style and/or the letters such as file storage purpose address and/or file size
Breath.
Step 803, safe processor, which are downloaded to obtain secure firmware in sign on and download from secure firmware, updates header file,
And secure firmware is downloaded into the storage of update header file to the external flash of safe processor;
Step 804, safe processor return to secure firmware to application processor and download sign on response;
Step 805, application processor are downloaded sign on response tissue according to the secure firmware that safe processor returns and are answered
Answer evidence returns to host computer, return to step 801 after encapsulating CCID communication protocol layer datas to reply data;
Step 806, application processor issue secure firmware download instruction to safe processor;
In the present embodiment, application processor includes application processing into the secure firmware download instruction that safe processor issues
The secure firmware that device is obtained from the CCID communication instructions that host computer issues downloads update file.
Step 807, safe processor obtain secure firmware from secure firmware download instruction and download update file, and will peace
Full firmware downloads the storage of update file to the external flash of safe processor;
In the present embodiment, secure firmware downloads what is made a summary in update file comprising formal secure firmware and formal secure firmware
Signature value or the ciphertext being encrypted comprising the signature value that alignment type secure firmware and formal secure firmware are made a summary.
Step 808, safe processor return to secure firmware download instruction response to application processor;
In the present embodiment, secure firmware is downloaded update file subpackage post package into several comprising under secure firmware by host computer
The standard CC ID communication instructions of update file data packet are carried, are handed down to application processor successively, correspondingly, application processor receives
When downloading the standard CC ID communication instructions for updating file data packet comprising secure firmware to every, one is issued to safe processor
The secure firmware file download instructions of update file data packet are downloaded comprising corresponding secure firmware, it is solid that safe processor obtains safety
Secure firmware in part file download instructions downloads update file data packet, and the secure firmware got is downloaded update number of files
According to the external flash of packet sequence deposit safe processor, secure firmware file download instructions response is returned to application processor.
The secure firmware download instruction response tissue answer number that step 809, application processor are returned according to safe processor
According to returning to host computer, return to step 801 after reply data encapsulation CCID communication protocol layer datas;
Step 810, application processor issue secure firmware to safe processor and download END instruction;
Step 811, safe processor are downloaded secure firmware update file and are verified, and step is performed if if verifying
812, step 813 is not performed if if verification;
In the present embodiment, download in update file when secure firmware and make a summary comprising formal secure firmware and formal secure firmware
Signature value when, safe processor to secure firmware download update file carry out verification specifically include:Safe processor is according to peace
It is corresponding that full firmware downloads the checking mode information selection that the secure firmware that update header file includes is downloaded in the information of update file
Hash algorithm (or safe processor directly selects default hash algorithm), according to the hash algorithm of selection to safe processor
The secure firmware stored in external flash downloads update file and carries out Hash operation, is updated using root key decryption secure firmware
Key ciphertext, obtains secure firmware update key plain, and update key plain according to secure firmware downloads update to secure firmware
The signed data that header file includes carries out sign test, obtains secure firmware and downloads update document, judges the safety that sign test obtains
Firmware is downloaded update document and is carried out with downloading update file to the secure firmware stored in the external flash of safe processor
Whether the abstract that Hash operation obtains is consistent, is, verification passes through, and otherwise verifies and does not pass through;
In the present embodiment, download in update file when secure firmware and plucked comprising alignment type secure firmware and formal secure firmware
During the ciphertext that the signature value wanted is encrypted, safe processor carries out verification to secure firmware download update file and specifically includes:
Safe processor downloads the verification updated in the information of secure firmware download update file that header file includes according to secure firmware
Pattern information selects corresponding hash algorithm (or safe processor directly selects default hash algorithm), is calculated according to the Hash of selection
Method downloads update file to the secure firmware stored in the external flash of safe processor and carries out Hash operation, uses root key
Secure firmware more new key ciphertext is decrypted, secure firmware update key plain is obtained, key plain pair is updated according to secure firmware
Secure firmware downloads the signed data that update header file includes and carries out sign test, obtains secure firmware and downloads update document and peace
Full firmware downloads key, judges that the secure firmware that sign test obtains downloads update document and the outside to safe processor
Whether the abstract that the secure firmware download update file progress Hash operation stored in flash obtains is consistent, is that verification passes through,
Otherwise it verifies and does not pass through.
Secure firmware update mark is written into the external flash of safe processor for step 812, safe processor, performs
Step 814;
It can also be shown in the present embodiment, in step 812 including safe processor control LCD and turn back on prompting.
Step 813, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head
File and secure firmware download update file, perform step 814;
It can also include safe processor control LCD in the present embodiment, in step 813 and show corresponding miscue.
Step 814, safe processor return to secure firmware to application processor and download END instruction response;
Step 815, application processor are downloaded END instruction response tissue according to the secure firmware that safe processor returns and are answered
Answer evidence returns to host computer after encapsulating CCID communication protocol layer datas to reply data.
Referring to Fig. 6, in the present embodiment, the test that financial terminal is replaced with formal secure firmware in financial terminal is solid safely
Part specifically includes:
Step 901, safe processor verify the secure firmware stored in the external flash of safe processor and download update text
Part performs step 903 if verifying if, if verification is not by performing step 902;
In the present embodiment, download in update file when secure firmware and make a summary comprising formal secure firmware and formal secure firmware
Signature value when, safe processor to secure firmware download update file carry out verification specifically include:Safe processor is according to peace
It is corresponding that full firmware downloads the checking mode information selection that the secure firmware that update header file includes is downloaded in the information of update file
Hash algorithm (or safe processor directly selects default hash algorithm), according to the hash algorithm of selection to safe processor
The secure firmware stored in external flash downloads update file and carries out Hash operation, is updated using root key decryption secure firmware
Key ciphertext, obtains secure firmware update key plain, and update key plain according to secure firmware downloads update to secure firmware
The signed data that header file includes carries out sign test, obtains secure firmware and downloads update document, judges the safety that sign test obtains
Firmware is downloaded update document and is carried out with downloading update file to the secure firmware stored in the external flash of safe processor
Whether the abstract that Hash operation obtains is consistent, is, verification passes through, and otherwise verifies and does not pass through;
In the present embodiment, download in update file when secure firmware and plucked comprising alignment type secure firmware and formal secure firmware
During the ciphertext that the signature value wanted is encrypted, safe processor carries out verification to secure firmware download update file and specifically includes:
Safe processor downloads the verification updated in the information of secure firmware download update file that header file includes according to secure firmware
Pattern information selects corresponding hash algorithm (or safe processor directly selects default hash algorithm), is calculated according to the Hash of selection
Method downloads update file to the secure firmware stored in the external flash of safe processor and carries out Hash operation, uses root key
Secure firmware more new key ciphertext is decrypted, secure firmware update key plain is obtained, key plain pair is updated according to secure firmware
Secure firmware downloads the signed data that update header file includes and carries out sign test, obtains secure firmware and downloads update document and peace
Full firmware downloads key, judges that the secure firmware that sign test obtains downloads update document and the outside to safe processor
Whether the abstract that the secure firmware download update file progress Hash operation stored in flash obtains is consistent, is that verification passes through,
Otherwise it verifies and does not pass through.
Step 902, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head
File, secure firmware download update file and secure firmware update mark, prompt mistake, terminate;
In the present embodiment, safe processor prompting mistake can be specially that safe processor control LCD shows miscue.
The secure firmware that step 903, safe processor store in the external flash according to safe processor downloads update text
Part obtains the signature value of formal secure firmware and its abstract;
In the present embodiment, download in update file when secure firmware and make a summary comprising formal application firmware and formal secure firmware
Signature value when, step 903 specifically includes:Safe processor reads the safety stored in the external flash of safe processor and consolidates
Part downloads update file and obtains the signature value of formal secure firmware and its abstract.
In the present embodiment, download in update file when secure firmware and plucked comprising alignment type secure firmware and formal secure firmware
During the ciphertext that the signature value wanted is encrypted, step 903 specifically includes:Safe processor decrypts secure firmware more using root key
New key ciphertext, obtains secure firmware update key plain, and firmware update safe to use in plain text downloads secure firmware on update head
The signed data that file includes carries out sign test, and secure firmware is obtained from sign test result and downloads key, is downloaded according to secure firmware
The encryption mode information that the secure firmware that update header file includes is downloaded in the information of update file selects corresponding enciphering and deciphering algorithm
(or directly selecting default enciphering and deciphering algorithm) downloads key pair safe place according to the enciphering and deciphering algorithm of selection firmware safe to use
It manages the secure firmware stored in the external flash of device and downloads update file decryption, obtain the label of formal secure firmware and its abstract
Name value.
The inside of safe processor is written in the signature value of formal secure firmware and its abstract by step 904, safe processor
flash;
Specifically, the inside of safe processor is written in the signature value of formal secure firmware and its abstract by safe processor
The firmware storage address of flash.
In the present embodiment, step 903~step 904 specifically includes:Safe processor is every time according to the outer of safe processor
The secure firmware stored in portion flash downloads updating the data, and will currently get more for update file acquisition preset length
The firmware storage address of the inside flash of new data sequence deposit safe processor, until getting all formal secure firmwares
And its signature value of abstract.
Step 905, safe processor wipe the secure firmware stored in the external flash of safe processor and download update head
File, secure firmware download update file and secure firmware downloads update mark.
Embodiment 2
The present embodiment provides a kind of financial terminal, as shown in fig. 7, specifically including:Communication module 11, security context establish mould
Block 12, memory module 13, safe boot download update module 14, application firmware downloads update module 15 and secure firmware is downloaded more
New module 16, the concrete function of above-mentioned module are as follows:
Communication module 11, for receive that host computer issues establish security context instruction, safe boot downloads more new command,
Application firmware downloads more new command and secure firmware downloads more new command;It is additionally operable to establish module 12, safety when security context
When boot downloads update module 14, application firmware downloads update module 15, secure firmware downloads 16 end of run of update module, to
Host computer returns to response;
Security context establishes module 12, and security context instruction is established for work as that communication module 11 receives that host computer issues
When, start safety detection function;
Memory module 13, it is solid for storing test application boot, test application firmware, the safe boot of test and test safety
Part;
Safe boot downloads update module 14, for working as the safe boot downloads that communication module 11 receives host computer and issues
During more new command, formal safe boot is downloaded, the safe boot of test in module 13 is updated storage with formal safe boot;
Application firmware downloads update module 15, for working as the application firmware download that communication module 11 receives host computer and issues
During more new command, formal application firmware is downloaded, the test application firmware in module 13 is updated storage with formal application firmware;
Secure firmware downloads update module 16, for working as the secure firmware download that communication module 11 receives host computer and issues
During more new command, formal secure firmware is downloaded, the test secure firmware in module 13 is updated storage with formal secure firmware.
In the present embodiment, intrusion detection module 17 can also be included in financial terminal, is received for working as communication module 11
During the startup intrusion detection function instruction that host computer issues, start intrusion detection function and when communication module 11 receives
During the acquisition intrusion detection status command that position machine issues, intrusion detection state is obtained;
Correspondingly, communication module 11 is additionally operable to receive startup intrusion detection function instruction and the acquisition intrusion that host computer issues
It detects status command and when invading 17 end of run of detection module, response or intrusion detection state is returned to host computer;
Further, security context is established module 12 and is specifically used for when communication module 11 receives the foundation that host computer issues
When security context instructs, start-up temperature detection function and voltage detecting function.
In the present embodiment, security context establishes module 12 and is additionally operable to receive what host computer issued when the communication module 11
When establishing security context instruction, initial chemoprevention exhaustion space.
In the present embodiment, financial terminal further includes safe boot correction verification modules 18, and update is downloaded for verifying safe boot
The formal safe boot that module 14 is downloaded;
Correspondingly, safe boot downloads update module 14 and is specifically used for receiving the peace that host computer issues when communication module 11
When full boot downloads more new command, formal safe boot is downloaded;And when the verification of safe boot correction verification modules 18 passes through, with just
The safe boot of formula updates the safe boot of test in the memory module 13;
Further, safe boot downloads update module 14 and specifically includes the first judging unit, first acquisition unit, first
Storage unit and the first updating unit, the concrete function of above-mentioned each unit are as follows:
First judging unit, for working as the safe boot downloads more new command that communication module 11 receives host computer and issues
When, judge that safe boot downloads the type of more new command;
First acquisition unit, for judging that safe boot downloads more new command to download sign on when the first judging unit
When, from download obtained in sign on safe boot verification and;And when the first judging unit judges that safe boot downloads update
When instructing as download instruction, safe boot is obtained from download instruction and is updated the data;
First storage unit, for store safe boot verifications that first acquisition unit gets and and safe boot more
New data;
First updating unit, for when safe boot correction verification modules 18 verification pass through when, with the peace in the first storage unit
Full boot updates the data the safe boot of test updated storage in module 13;
Safe boot correction verification modules 18 are specifically used under the first judging unit judges that safe boot downloads more new command is
When carrying END instruction, the safe boot in the first storage unit of safe boot verifications and verification in the first storage unit is more
New data;
Further, safe boot downloads update module 14 and further includes clearing cell, for being transported when the first updating unit
At the end of row and when safe boot correction verification modules 18 verify obstructed out-of-date, the safe boot updates in the first storage unit of removing
Data and safe boot verification and.
In the present embodiment, financial terminal further includes application firmware correction verification module 19, for answering in memory module 13
The formal application firmware of the download of update module 15 is downloaded with firmware update key verification application firmware;Correspondingly:
Memory module 13 is additionally operable to storage application firmware more new key;
Security context establishes module 12 and is additionally operable to refer to when communication module 11 receives the security context of establishing that host computer issues
When enabling, root key is generated, with the more new key of the application firmware in root key encryption memory module 13;
Application firmware downloads update module 15 and is specifically used for receiving the application firmware that host computer issues when communication module 11
When downloading more new command, formal application firmware is downloaded and after the verification of application firmware correction verification module 19 passes through, with formal application
Firmware updates storage the test application firmware in module 13.
Further, application firmware downloads update module 15 and specifically includes the first download submodule and the first update submodule
Block, wherein:
First download submodule specifically includes second judgment unit, second acquisition unit and the second storage unit, each list
First concrete function is as follows:
Second judgment unit, for working as the application firmware download more new command that communication module 11 receives host computer and issues
When, judge that application firmware downloads the type of more new command;
Second acquisition unit judges that application firmware downloads more new command to download sign on for working as second judgment unit
When, it obtains the application firmware downloaded in sign on and downloads update header file;And when second judgment unit judges application firmware
When downloading more new command as download instruction, obtain the application firmware in download instruction and download update file;
Second storage unit downloads update header file and application for storing the application firmware that second acquisition unit is got
Firmware downloads update file;
First update submodule is used to after the verification of application firmware correction verification module 19 passes through, update storage the survey in module 13
Application firmware is tried, it is as follows to specifically include erasing unit, the first extraction unit and writing unit, each unit concrete function:
Wipe unit, for work as application firmware correction verification module 19 verification pass through after, wipe memory module 13 in test should
Use firmware;
First extraction unit obtains formal application for being downloaded from the application firmware in the second storage unit in update file
Firmware;
Memory module 13 is written in writing unit, the formal application firmware for the first extraction unit to be got;
In the present embodiment, the first extraction unit is additionally operable to download in update file from the application firmware in the second storage unit
Obtain the signature value of the abstract of formal application firmware;Writing unit be additionally operable to by the first extraction unit get it is described formally should
The memory module 13 is written with the signature value of the abstract of firmware;
First extraction unit is specifically used for:Using root key to encrypted application firmware more new key in memory module 13
Decryption updates the application firmware in the second storage unit of key pair according to the application firmware that decryption obtains and downloads in update header file
Comprising signed data sign test, the application firmware obtained according to sign test downloads the application firmware in the second storage unit of secret key decryption
Update file is downloaded, formal application firmware and the signature value of formal application firmware abstract are obtained from decrypted result.
Further, application firmware correction verification module 19 is specifically used for judging that application firmware downloads update when second judgment unit
When instructing to download END instruction, answering in application firmware update the second storage unit of key verification in memory module 13
With firmware download update file and when verification not by when remove application firmware in second storage unit and download update
Header file and application firmware download update file;
Further, application firmware correction verification module 19 specifically includes the first hash units, the first sign test unit and first
Verification unit, the concrete function of each unit are as follows:
First hash units judge that application firmware downloads more new command to download END instruction for working as second judgment unit
When, update file is downloaded to the application firmware in the second storage unit and carries out Hash operation;
First sign test unit, for using root key to the more new key solution of encrypted application firmware in memory module 13
Close, the application firmware in application firmware update the second storage unit of key pair obtained using decryption is downloaded in update header file
Signed data sign test;
First verification unit, for judging Kazakhstan that the sign test result that the first sign test unit obtains is obtained with the first hash units
Whether uncommon result is identical, verifies and passes through if identical, does not pass through if differing and verifying, and removes the application in the second storage unit
Firmware downloads update header file and application firmware downloads update file.
In the present embodiment, financial terminal further includes secure firmware correction verification module 20, for the peace in memory module 13
Full firmware update key verification secure firmware downloads the formal secure firmware that update module 16 is downloaded;Correspondingly:
Memory module 13 is additionally operable to storage secure firmware more new key;
Security context establishes module 12 and is additionally operable to refer to when communication module 11 receives the security context of establishing that host computer issues
When enabling, root key is generated, with the more new key of the secure firmware in root key encryption memory module 13;
Secure firmware downloads update module 16 and is specifically used for receiving the secure firmware that host computer issues when communication module 11
When downloading more new command, formal secure firmware is downloaded and after the verification of secure firmware correction verification module 20 passes through, with formal safety
Firmware updates storage the test secure firmware in module 13.
Further, secure firmware downloads update module 16 and specifically includes the second download submodule and the second update submodule
Block, wherein:
Second download submodule specifically includes third judging unit, third acquiring unit and third storage unit, each list
First concrete function is as follows:
Third judging unit, for working as the secure firmware download more new command that communication module 11 receives host computer and issues
When, judge that secure firmware downloads the type of more new command;
Third acquiring unit judges that secure firmware downloads more new command to download sign on for working as third judging unit
When, it obtains the secure firmware downloaded in sign on and downloads update header file;And when third judging unit judges secure firmware
When downloading more new command as download instruction, obtain the secure firmware in download instruction and download update file;
Third storage unit downloads update header file and safety for storing the secure firmware that third acquiring unit is got
Firmware downloads update file;
Second update submodule is used to after the verification of secure firmware correction verification module 20 passes through, update storage the survey in module 13
Secure firmware is tried, specifically includes the second extraction unit and the second updating unit, each unit concrete function is as follows:
Second extraction unit, for work as secure firmware correction verification module 20 verification pass through after, from the safety of third storage unit
Firmware is downloaded in update file and obtains formal secure firmware;
Second updating unit, the formal secure firmware for being obtained with the second extraction unit update storage the survey in module 13
Try secure firmware;
In the present embodiment, the second extraction unit is additionally operable to download in update file from the secure firmware in third storage unit
Obtain the signature value of the abstract of formal secure firmware;Second updating unit is additionally operable to the formal peace for getting the second extraction unit
The signature value write-in memory module 13 of the abstract of full firmware;
Second extraction unit is specifically used for:Using root key to encrypted secure firmware more new key in memory module 13
Decryption updates the secure firmware in key pair third storage unit according to the secure firmware that decryption obtains and downloads in update header file
Comprising signed data sign test, the secure firmware obtained according to sign test downloads the secure firmware in secret key decryption third storage unit
Update file is downloaded, the signature value of formal secure firmware and formal secure firmware abstract is obtained from decrypted result.
Further, secure firmware correction verification module 20 judges that secure firmware is downloaded more specifically for working as third judging unit
When new command is downloads END instruction, in the secure firmware update key verification third storage unit in memory module 13
Secure firmware downloads update file;
Further, secure firmware correction verification module 20 specifically includes the second hash units, the second sign test unit and second
Verification unit, the concrete function of each unit are as follows:
Second hash units judge that secure firmware downloads more new command to download END instruction for working as third judging unit
When, update file is downloaded to the secure firmware in third storage unit and carries out Hash operation;
Second sign test unit, for using root key to the more new key solution of encrypted secure firmware in memory module 13
Close, the secure firmware in the secure firmware update key pair third storage unit obtained using decryption is downloaded in update header file
Signed data sign test;
Second verification unit, for judging Kazakhstan that the sign test result that the second sign test unit obtains is obtained with the second hash units
Whether uncommon result is identical, verifies and passes through if identical, does not pass through if differing and verifying.
Embodiment described above is the present invention more preferably specific embodiment, and those skilled in the art is in this hair
The usual variations and alternatives carried out in the range of bright technical solution should all include within the scope of the present invention.
Claims (40)
1. a kind of firmware programming method of safe financial terminal, which is characterized in that including:
Step S1, financial terminal receives the instruction that issues of host computer, when receive that host computer issues establishes security context instruction
When, perform step S2;When receiving the safe boot download more new commands that host computer issues, step S3 is performed;When receiving
When the application firmware that host computer issues downloads more new command, step S4 is performed;When receiving under the secure firmware that host computer issues
When carrying more new command, step S5 is performed;
Step S2, described financial terminal starts safety detection function, and response, return to step S1 are returned to host computer;
Step S3, described financial terminal downloads formal safe boot, and the safe boot of test in the financial terminal is updated to
The formal safe boot, response, return to step S1 are returned to host computer;
Step S4, described financial terminal downloads formal application firmware, and the test application firmware in the financial terminal is updated to
The formal application firmware returns to response, return to step S1 to host computer;
Step S5, described financial terminal downloads formal secure firmware, and the test secure firmware in the financial terminal is updated to
The formal secure firmware returns to response, return to step S1 to host computer;
Hardware test program and security context construction procedures, institute are included in the test application firmware and the test secure firmware
It states and does not include hardware test program and security context construction procedures, the survey in formal application firmware and the formal secure firmware
The program for not including financial terminal self-test in safe boot is tried, the journey of financial terminal self-test is included in the formal safe boot
Sequence, and do not include the condition judgment of terminal self testing in the formal safe boot.
2. the method as described in claim 1, which is characterized in that further included in the step S1:It is issued when receiving host computer
Startup intrusion detection function instruction when, the financial terminal starts intrusion detection function, returns to response to host computer, returns to step
Rapid S1;When receiving the acquisition intrusion detection status command that host computer issues, intrusion detection state is obtained, is returned to host computer
The intrusion detection state, return to step S1.
3. method as claimed in claim 2, which is characterized in that the safety detection function includes temperature detecting function and voltage
Detection function.
4. the method as described in claim 1, which is characterized in that further included in the step S2:The financial terminal initialization
Anti- exhaustion parameter space.
5. the method as described in claim 1, which is characterized in that in the step S3, the financial terminal downloads formal safety
It is further included after boot:Verify the formal safe boot, if verify pass through if continue to execute it is described will be in the financial terminal
Safe boot be updated to the formal safe boot, if verification, not if, position machine returns to response, return to step directly up
S1。
6. method as claimed in claim 5, which is characterized in that the step S3 is specifically included:
Step 1-1, when the application processor in described financial terminal receives the safe boot downloads more new command, judge institute
The type that safe boot downloads more new command is stated, step 1-2 is then performed if sign on is downloaded, is then performed if download instruction
Step 1-3 then performs step 1-4 if END instruction is downloaded;
Step 1-2, described application processor obtained from the download sign on safe boot verification and, by the safety
The safe processor that boot is verified and is sent in the financial terminal, the external flash of storage to safe processor, and upwards
Position machine returns to response;
Step 1-3, described application processor obtains safe boot from the download instruction and updates the data, by the safe boot
It updates the data and is sent to the safe processor, the external flash of storage to the safe processor, and return and answer to host computer
It answers;
Step 1-4, described application processor sends safe boot to the safe processor and downloads END instruction, performs step 1-
5;
Step 1-5, described safe processor verifies according to the safe boot and verifies the safe boot and updates the data, if school
It tests by then updating the data the safe boot of test updated inside the safe processor in flash with the safe boot, to
The application processor returns to safe boot and downloads END instruction response, performs step 1-6;It is answered if verification not if to described
Safe boot is returned with processor and downloads END instruction response, performs step 1-6;
Step 1-6, described application processor downloads END instruction response according to the safe boot and returns to response to host computer.
7. method as claimed in claim 6, which is characterized in that in the step 1-5, also wrapped before the execution step 1-6
It includes:The safe boot that the safe processor removes outside the safe processor in flash is updated the data and safe boot schools
Test and.
8. the method as described in claim 1, which is characterized in that further included in the step S2:The financial terminal generates root
Key, the application firmware more new key to be prestored with the root key encryption;
In the step S4, the financial terminal further includes after downloading formal application firmware:It is updated according to the application firmware
Formal application firmware described in key verification continues to execute described by institute if verification if according to the application firmware more new key
It states the test application firmware in financial terminal and is updated to the formal application firmware, position machine returns directly up not if if verification
Response is answered, return to step S1.
9. method as claimed in claim 8, which is characterized in that the financial terminal downloads formal application firmware, according to described
Formal application firmware described in application firmware update key verification, specifically includes:
Step 2-1, when the application processor in described financial terminal receives the application firmware download more new command, judge institute
The type that application firmware downloads more new command is stated, step 2-2 is then performed if download sign on, is then performed if download instruction
Step 2-3, step 2-4 is then performed if download END instruction;
Step 2-2, described application processor obtains application firmware from the download sign on and downloads update header file, by institute
Application firmware is stated to download outside the safe processor storage to safe processor that update header file is sent in the financial terminal
Portion flash, and return to response to host computer;
Step 2-3, described application processor obtains application firmware from the download instruction and downloads update file, by the application
Firmware downloads update file and is sent to the safe processor, the external flash of storage to safe processor, and is returned to host computer
Response is answered;
Step 2-4, described application processor issues application firmware to the safe processor and downloads END instruction, performs step 2-
5;
Step 2-5, described safe processor application firmware according to the application firmware updates key verification downloads update text
Part returns to application firmware download END instruction response to the application processor if if verifying, performs step 2-6;If school
It tests and does not download update header file and application firmware download by then removing the application firmware outside the safe processor in flash
File is updated, returning to application firmware to the application processor downloads END instruction response, performs step 2-6;
Step 2-6, described application processor downloads END instruction response according to the application firmware and returns to response to host computer.
10. method as claimed in claim 9, which is characterized in that the safe processor is according to the application firmware more Xinmi City
Key verifies the application firmware and downloads update file, specifically includes:The safe processor, which downloads the application firmware, to be updated
File carries out Hash operation, updates secret key decryption to encrypted application firmware using the root key, is obtained using decryption
Application firmware described in application firmware update key pair downloads the signed data sign test in update header file, and judge that sign test obtains should
It is whether identical with the abstract that firmware downloads update document with Hash operation obtains, it verifies and passes through if identical, if differing
It then verifies and does not pass through.
11. method as claimed in claim 9, which is characterized in that the financial terminal should by the test in the financial terminal
The formal application firmware is updated to firmware, is specifically included:
Step 3-1, the test application firmware inside described application processor erasing application processor in flash, to the safety
Processor, which is sent, obtains formal application firmware instruction;
Step 3-2, described safe processor is downloaded in update file from the application firmware and obtains formal application firmware, to described
Application processor returns to the formal application firmware;
Flash inside the application processor is written in the formal application firmware by step 3-3, described application processor.
12. method as claimed in claim 11, which is characterized in that further included in the step 3-2:The safe processor from
The application firmware downloads the signature value for the abstract that formal application firmware is obtained in update file, is returned to the application processor
The signature value of the abstract of the formal application firmware;
It is further included in the step 3-3:Institute is written in the signature value of the abstract of the formal application firmware by the application processor
State flash inside application processor.
13. method as claimed in claim 12, which is characterized in that the safe processor is downloaded from the application firmware to be updated
Formal application firmware and the safe processor is obtained in file to obtain formally from application firmware download update file
The signature value of the abstract of application firmware, specifically includes:The safe processor decrypts encrypted application using the root key
Firmware more new key is downloaded in update header file according to application firmware described in the application firmware update key pair that decryption obtains and is included
Signed data sign test, the application firmware obtained according to sign test downloads application firmware described in secret key decryption and downloads update file, from
The signature value of the abstract of formal application firmware and formal application firmware is obtained in decrypted result.
14. the method as described in claim 1, which is characterized in that further included in the step S2:The financial terminal generates root
Key, the secure firmware more new key to be prestored with the root key encryption;
In the step S5, the financial terminal further includes after downloading formal secure firmware:It is updated according to the secure firmware
Formal secure firmware described in key verification continues to execute described by institute if verification if according to the secure firmware more new key
It states the test secure firmware in financial terminal and is updated to the formal secure firmware, position machine returns directly up not if if verification
Response is answered, return to step S1.
15. method as claimed in claim 14, which is characterized in that the financial terminal downloads formal secure firmware, according to institute
Formal secure firmware described in stating secure firmware update key verification, specifically includes:
Step 4-1, when the application processor in described financial terminal receives the secure firmware download more new command, judge institute
The type that secure firmware downloads more new command is stated, step 4-2 is then performed if download sign on, is then performed if download instruction
Step 4-3, step 4-4 is then performed if download END instruction;
Step 4-2, described application processor obtains secure firmware from the download sign on and downloads update header file, by institute
Secure firmware is stated to download outside the safe processor storage to safe processor that update header file is sent in the financial terminal
Portion flash, and return to response to host computer;
Step 4-3, described application processor obtains secure firmware from the download instruction and downloads update file, by the safety
Firmware downloads update file and is sent to the safe processor storage to the external flash of safe processor, and is returned to host computer
Response is answered;
Step 4-4, described application processor issues secure firmware to the safe processor and downloads END instruction, performs step 4-
5;
Step 4-5, described safe processor secure firmware according to the secure firmware updates key verification downloads update text
Part returns to secure firmware download END instruction response to the application processor if if verifying, performs step 4-6;If school
It tests and does not download update header file and secure firmware download by then removing the secure firmware outside the safe processor in flash
File is updated, returning to secure firmware to the application processor downloads END instruction response, performs step 4-6;
Step 4-6, described application processor downloads END instruction response according to the secure firmware and returns to response to host computer.
16. method as claimed in claim 15, which is characterized in that the safe processor is according to the application firmware more Xinmi City
Key verifies the application firmware and downloads update file, specifically includes:The safe processor, which downloads the secure firmware, to be updated
File carries out Hash operation, updates secret key decryption to encrypted secure firmware using the root key, is obtained using decryption
Secure firmware described in secure firmware update key pair downloads the signed data sign test in update header file, judges the peace that sign test obtains
Whether the abstract that full firmware downloads update document with Hash operation obtains is identical, verifies and passes through if identical, if differing
It then verifies and does not pass through.
17. method as claimed in claim 15, which is characterized in that the financial terminal pacifies the test in the financial terminal
Full firmware is updated to the formal secure firmware, specifically includes:
Step 5-1, described safe processor is downloaded in update file from the secure firmware and obtains formal secure firmware;
Step 5-2, the test secure firmware inside the safe processor in flash is updated with the formal secure firmware.
18. method as claimed in claim 17, which is characterized in that further included in the step 5-1:The safe processor from
The secure firmware downloads the signature value for the abstract that formal secure firmware is obtained in update file;
It is further included in the step 5-2:Institute is written in the signature value of the abstract of the formal secure firmware by the safe processor
State flash inside safe processor.
19. method as claimed in claim 18, which is characterized in that the safe processor is downloaded from the secure firmware to be updated
Formal secure firmware and the safe processor is obtained in file to obtain formally from secure firmware download update file
The signature value of the abstract of secure firmware, specifically includes:The safe processor decrypts encrypted safety using the root key
Firmware more new key is downloaded in update header file according to secure firmware described in the secure firmware update key pair that decryption obtains and is included
Signed data sign test, the secure firmware obtained according to sign test downloads secure firmware described in secret key decryption and downloads update file, from
The signature value of the abstract of formal secure firmware and formal secure firmware is obtained in decrypted result.
20. the method as described in claim 1, which is characterized in that the financial terminal further includes before performing the step S3:
The financial terminal checks that security context establishes whether mark is set, and the step S3 is performed if being set, if not being set to
Position then returns to error message code, return to step S1 to host computer;
It is further included in the step S2:Security context described in the financial terminal set establishes mark;
The financial terminal further includes before performing the step S4 or step S5:The financial terminal checks safe boot updates
Whether mark is set, and the step S4 or step S5 is performed if being set, and mistake is returned if being not set to host computer
Information code, return to step S1;
It is further included in the step S3:Safe boot updates mark described in the financial terminal set.
21. a kind of financial terminal, which is characterized in that including:Communication module, security context establish module, memory module, safety
Boot downloads update module, application firmware downloads update module and secure firmware downloads update module;
The communication module, for receive that host computer issues establish security context instruction, safe boot downloads more new command, should
More new command is downloaded with firmware and secure firmware downloads more new command;
The security context establishes module, and security context instruction is established for work as that the communication module receives that host computer issues
When, start safety detection function;
The memory module, it is solid for storing test application boot, test application firmware, the safe boot of test and test safety
Part;
The safe boot downloads update module, for working as the safe boot downloads that the communication module receives host computer and issues
During more new command, formal safe boot is downloaded, the test safety in the memory module is updated with the formal safe boot
boot;
The application firmware downloads update module, for working as the application firmware download that the communication module receives host computer and issues
During more new command, formal application firmware is downloaded, updating the test application in the memory module with the formal application firmware consolidates
Part;
The secure firmware downloads update module, for working as the secure firmware download that the communication module receives host computer and issues
During more new command, formal secure firmware is downloaded, the test updated with the formal secure firmware in the memory module is solid safely
Part;
The communication module be additionally operable to when the security context establishes module, the safe boot downloads update module, it is described should
When downloading update module and secure firmware download update module end of run with firmware, response is returned to host computer;
Hardware test program and security context construction procedures, institute are included in the test application firmware and the test secure firmware
It states and does not include hardware test program and security context construction procedures, the survey in formal application firmware and the formal secure firmware
The program for not including financial terminal self-test in safe boot is tried, the journey of financial terminal self-test is included in the formal safe boot
Sequence, and do not include the condition judgment of terminal self testing in the formal safe boot.
22. financial terminal as claimed in claim 21, which is characterized in that further include intrusion detection module;
The communication module is additionally operable to receive startup intrusion detection function instruction and the acquisition intrusion detection state that host computer issues
It instructs and when the intrusion detection module end of run, response is returned to host computer or returns to intrusion detection state;
The intrusion detection module, for working as the startup intrusion detection function instruction that the communication module receives host computer and issues
When, start intrusion detection function and for working as the acquisition intrusion detection state that the communication module receives host computer and issues
During instruction, intrusion detection state is obtained.
23. financial terminal as claimed in claim 22, which is characterized in that the security context establishes module and is specifically used for working as institute
State that communication module receives that host computer issues when establishing security context instruction, start-up temperature detection function and voltage detecting work(
Energy.
24. financial terminal as claimed in claim 21, which is characterized in that the security context is established module and is additionally operable to when described
Communication module receive that host computer issues when establishing security context instruction, initial chemoprevention exhaustion parameter space.
25. financial terminal as claimed in claim 21, which is characterized in that safe boot correction verification modules are further included, for verifying
The safe boot downloads the formal safe boot that update module is downloaded;
The safe boot downloads update module and is specifically used for receiving the safe boot that host computer issues when the communication module
When downloading more new command, download formal safe boot and when the safe boot correction verification modules verification passes through, with it is described just
The safe boot of formula updates the safe boot of test in the memory module.
26. financial terminal as claimed in claim 25, which is characterized in that the safe boot downloads update module and specifically wraps
It includes:Judging unit, acquiring unit, storage unit and updating unit;
The judging unit is used to, when the communication module receives the safe boot download more new commands that host computer issues, sentence
The disconnected safe boot downloads the type of more new command;
The acquiring unit is used to judge that the safe boot downloads more new command to download sign on when the judging unit
When, obtained from the download sign on safe boot verification and;And when the judging unit judges the safe boot
When downloading more new command as download instruction, safe boot is obtained from the download instruction and is updated the data;
The storage unit is used to store safe boot verifications and and the safe boot update numbers that the acquiring unit is got
According to;
The updating unit is used for when the safe boot correction verification modules verification passes through, with the safety in the storage unit
Boot updates the data the safe boot of test updated in the memory module;
The safe boot correction verification modules are specifically used for judging that the safe boot downloads more new command and is when the judging unit
When downloading END instruction, the safe boot in the storage unit verifies and verifies the safe boot in the storage unit
It updates the data.
27. financial terminal as claimed in claim 26, which is characterized in that the safe boot downloads update module and further includes clearly
Except unit, for when the updating unit end of run and when safe boot correction verification modules verify obstructed out-of-date, removing institute
State the safe boot in storage unit update the data with safe boot verification and.
28. financial terminal as claimed in claim 21, which is characterized in that further include application firmware correction verification module;
The memory module is additionally operable to storage application firmware more new key;
The security context establishes module and is additionally operable to refer to when the communication module receives the security context of establishing that host computer issues
When enabling, root key is generated, the application firmware more new key in the memory module described in the root key encryption;
The application firmware correction verification module, for being applied described in the application firmware update key verification in the memory module
Firmware downloads the formal application firmware that update module is downloaded;
The application firmware downloads update module and is specifically used for receiving the application firmware that host computer issues when the communication module
Download more new command when, download formal application firmware and when the application firmware correction verification module verification pass through after, with it is described just
Formula application firmware updates the test application firmware in the memory module.
29. financial terminal as claimed in claim 28, which is characterized in that the application firmware is downloaded update module and specifically wrapped
It includes:Download submodule and update submodule;
The download submodule specifically includes:Judging unit, acquiring unit and storage unit;
The judging unit, for when the communication module receives the application firmware that host computer issues and downloads more new command,
Judge that the application firmware downloads the type of more new command;
The acquiring unit judges that the application firmware downloads more new command to download sign on for working as the judging unit
When, it obtains the application firmware downloaded in sign on and downloads update header file;And judge for working as the judging unit
When the application firmware downloads more new command as download instruction, obtain the application firmware in the download instruction and download update text
Part;
The storage unit downloads update header file and application firmware for storing the application firmware that the acquiring unit is got
Download update file;
The update submodule for working as after application firmware correction verification module verification passes through, is updated in the memory module
Test application firmware;
The application firmware correction verification module judges that the application firmware downloads more new command and is specifically for working as the judging unit
When downloading END instruction, the application in storage unit described in the application firmware update key verification in the memory module is consolidated
Part download update file and when verification not by when remove application firmware in the storage unit download update header file and
Application firmware downloads update file.
30. financial terminal as claimed in claim 29, which is characterized in that the application firmware correction verification module specifically includes:
Hash units, for when the judging unit judges that the application firmware downloads more new command as download END instruction,
Update file is downloaded to the application firmware in the storage unit and carries out Hash operation;
Sign test unit, for the root key to be used to update secret key decryption to application firmware encrypted in the memory module,
Application firmware in storage unit described in the application firmware update key pair obtained using decryption downloads the label in update header file
Name data sign test;
Verification unit, for judging that the Hash result that the sign test result that the sign test unit obtains is obtained with the hash units is
It is no identical, it verifies and passes through if identical, do not pass through if differing and verifying, the application firmware removed in the storage unit is downloaded
It updates header file and application firmware downloads update file.
31. financial terminal as claimed in claim 29, which is characterized in that the update submodule specifically includes:
Unit is wiped, for working as after application firmware correction verification module verification passes through, the test wiped in the memory module should
Use firmware;
Extraction unit obtains formal application firmware for being downloaded in update file from the application firmware in the storage unit;
The memory module is written in writing unit, the formal application firmware for the extraction unit to be got.
32. financial terminal as claimed in claim 31, which is characterized in that the extraction unit is additionally operable to from the storage unit
In application firmware download update file in obtain formal application firmware abstract signature value;
Said write unit is additionally operable to write the signature value of the abstract of the formal application firmware that the extraction unit is got
Enter the memory module.
33. financial terminal as claimed in claim 32, which is characterized in that the extraction unit is specifically used for:Use described
Encrypted application firmware update secret key decryption, the application firmware more Xinmi City obtained according to decryption in memory module described in key pair
Key downloads the application firmware in the storage unit signed data sign test included in update header file, is obtained according to sign test
The application firmware that application firmware is downloaded in storage unit described in secret key decryption downloads update file, is obtained from decrypted result formal
The signature value of the abstract of application firmware and formal application firmware.
34. financial terminal as claimed in claim 21, which is characterized in that further include secure firmware correction verification module;
The memory module is additionally operable to storage secure firmware more new key;
The security context establishes module and is additionally operable to refer to when the communication module receives the security context of establishing that host computer issues
When enabling, root key is generated, the secure firmware more new key in the memory module described in the root key encryption;
The secure firmware correction verification module, for safety described in the secure firmware update key verification in the memory module
Firmware downloads the formal secure firmware that update module is downloaded;
The secure firmware downloads update module and is specifically used for receiving the secure firmware that host computer issues when the communication module
Download more new command when, download formal secure firmware and when the secure firmware correction verification module verification pass through after, with it is described just
Formula secure firmware updates the test secure firmware in the memory module.
35. financial terminal as claimed in claim 34, which is characterized in that the secure firmware is downloaded update module and specifically wrapped
It includes:Download submodule and update submodule;
The download submodule specifically includes:Judging unit, acquiring unit and storage unit;
The judging unit, for when the communication module receives the secure firmware that host computer issues and downloads more new command,
Judge that the secure firmware downloads the type of more new command;
The acquiring unit judges that the secure firmware downloads more new command to download sign on for working as the judging unit
When, it obtains the secure firmware downloaded in sign on and downloads update header file;And described in judging when the judging unit
When secure firmware downloads more new command as download instruction, obtain the secure firmware in the download instruction and download update file;
The storage unit downloads update header file and secure firmware for storing the secure firmware that the acquiring unit is got
Download update file;
The update submodule for working as after secure firmware correction verification module verification passes through, is updated in the memory module
Test secure firmware;
The secure firmware correction verification module judges that the secure firmware downloads more new command and is specifically for working as the judging unit
When downloading END instruction, the safety in storage unit described in the secure firmware update key verification in the memory module is consolidated
Part downloads update file.
36. financial terminal as claimed in claim 35, which is characterized in that the secure firmware correction verification module specifically includes:
Hash units, for when the judging unit judges that the secure firmware downloads more new command as download END instruction,
Update file is downloaded to the secure firmware in the storage unit and carries out Hash operation;
Sign test unit, for the root key to be used to update secret key decryption to secure firmware encrypted in the memory module,
Secure firmware in storage unit described in the secure firmware update key pair obtained using decryption downloads the label in update header file
Name data sign test;
Verification unit, for judging that the Hash result that the sign test result that the sign test unit obtains is obtained with the hash units is
It is no identical, it verifies and passes through if identical, do not pass through if differing and verifying.
37. financial terminal as claimed in claim 35, which is characterized in that the update submodule specifically includes:
Extraction unit, for work as secure firmware correction verification module verification pass through after, from the storage unit secure firmware download
Formal secure firmware is obtained in update file;
Updating unit, the formal secure firmware for being obtained with the extraction unit update the test safety in the memory module
Firmware.
38. financial terminal as claimed in claim 37, which is characterized in that the extraction unit is additionally operable to from the storage unit
In secure firmware download update file in obtain formal secure firmware abstract signature value;
The updating unit is additionally operable to the signature value write-in institute for the abstract of formal secure firmware for getting the extraction unit
State memory module.
39. financial terminal as claimed in claim 38, which is characterized in that the extraction unit is specifically used for:Use described
Encrypted secure firmware update secret key decryption, the secure firmware more Xinmi City obtained according to decryption in memory module described in key pair
Key downloads the secure firmware in the storage unit signed data sign test included in update header file, is obtained according to sign test
The secure firmware that secure firmware is downloaded in storage unit described in secret key decryption downloads update file, is obtained from decrypted result formal
The signature value of the abstract of secure firmware and formal secure firmware.
40. financial terminal as claimed in claim 21, which is characterized in that the memory module is additionally operable to storage security context and builds
Day-mark will and safe boot update marks;The security context establishes the original state of mark and the safe boot updates mark
To be not set;
The security context establishes the security context that module is additionally operable in memory module described in set and establishes mark;
The safe boot downloads update module and is specifically used for:When the communication module receives the safe boot that host computer issues
When downloading more new command, check that the security context in the memory module establishes whether mark is set and when the safety
When environment is established mark and is set, formal safe boot is downloaded, is updated in the memory module with the formal safe boot
Test safe boot, the safe boot update marks in memory module described in set;
The application firmware is downloaded update module and is specifically used for:When the communication module receives the application firmware that host computer issues
When downloading more new command, check whether the update marks of the safe boot in the memory module are set and when the safety
When boot update marks are set, formal application firmware is downloaded, is updated in the memory module with the formal application firmware
Test application firmware;
The secure firmware is downloaded update module and is specifically used for:When the communication module receives the secure firmware that host computer issues
When downloading more new command, check whether the update marks of the safe boot in the memory module are set and when the safety
When boot update marks are set, formal secure firmware is downloaded, is updated in the memory module with the formal secure firmware
Test secure firmware;
The communication module is additionally operable to:When the safe boot downloads the security context in the update module inspection memory module
When establishing mark and being not set, download update module when the application firmware and check safe boot updates in the memory module
It when mark is not set and downloads update module when the secure firmware and checks that the safe boot in the memory module updates
When mark is not set, error message code is returned to host computer.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510500802.3A CN105159707B (en) | 2015-08-14 | 2015-08-14 | The firmware programming method and financial terminal of a kind of safe financial terminal |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201510500802.3A CN105159707B (en) | 2015-08-14 | 2015-08-14 | The firmware programming method and financial terminal of a kind of safe financial terminal |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105159707A CN105159707A (en) | 2015-12-16 |
CN105159707B true CN105159707B (en) | 2018-06-29 |
Family
ID=54800572
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201510500802.3A Active CN105159707B (en) | 2015-08-14 | 2015-08-14 | The firmware programming method and financial terminal of a kind of safe financial terminal |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105159707B (en) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106372538A (en) * | 2016-08-30 | 2017-02-01 | 苏州国芯科技有限公司 | Firmware protection method based on SoC (System on Chip) |
CN107273150B (en) * | 2017-05-10 | 2020-10-02 | 深圳市金百锐通信科技有限公司 | Preloading firmware downloading and writing method and device |
CN107634859B (en) * | 2017-09-30 | 2021-07-02 | 飞天诚信科技股份有限公司 | Firmware upgrading method and device |
EP3489853B1 (en) * | 2017-11-27 | 2021-02-24 | Schneider Electric Industries SAS | A method for providing a firmware update of a device |
CN108418893A (en) * | 2018-03-20 | 2018-08-17 | 深圳市闪联信息技术有限公司 | A kind of method of smart machine firmware safety upgrade |
CN108804325B (en) * | 2018-06-08 | 2021-10-22 | 郑州云海信息技术有限公司 | Method for testing Secure Boot |
CN109240721A (en) * | 2018-08-24 | 2019-01-18 | 江苏恒宝智能系统技术有限公司 | A kind of method of MCU online upgrading |
CN109446815B (en) * | 2018-09-30 | 2020-12-25 | 华为技术有限公司 | Management method and device for basic input/output system firmware and server |
CN110941819B (en) * | 2019-11-14 | 2021-09-21 | 艾体威尔电子技术(北京)有限公司 | double-CPU safety protection method for Android intelligent device |
CN113434161A (en) * | 2020-03-23 | 2021-09-24 | 成都鼎桥通信技术有限公司 | Software version update control method and device |
CN112035146B (en) * | 2020-09-11 | 2023-10-24 | 百富计算机技术(深圳)有限公司 | Firmware updating method, security apparatus, and computer-readable storage medium |
CN113177422B (en) * | 2020-09-30 | 2024-02-20 | 深圳华智融科技股份有限公司 | Card detection method, computer device, and computer-readable storage medium |
CN112699345B (en) * | 2020-12-30 | 2022-12-09 | 合肥市芯海电子科技有限公司 | Method, system, equipment and storage medium for safe operation of firmware |
CN114785503B (en) * | 2022-06-16 | 2022-09-23 | 北京智芯半导体科技有限公司 | Cipher card, root key protection method thereof and computer readable storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101763272A (en) * | 2008-11-05 | 2010-06-30 | 环旭电子股份有限公司 | Electronic device firmware updating method and system |
CN104090790A (en) * | 2014-06-30 | 2014-10-08 | 飞天诚信科技股份有限公司 | Two-chip scheme firmware updating method for safety terminal |
CN104408370A (en) * | 2014-12-25 | 2015-03-11 | 珠海全志科技股份有限公司 | Android system security verification method and verification device thereof |
CN104603792A (en) * | 2012-08-29 | 2015-05-06 | 微软公司 | Secure firmware updates |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7974416B2 (en) * | 2002-11-27 | 2011-07-05 | Intel Corporation | Providing a secure execution mode in a pre-boot environment |
-
2015
- 2015-08-14 CN CN201510500802.3A patent/CN105159707B/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101763272A (en) * | 2008-11-05 | 2010-06-30 | 环旭电子股份有限公司 | Electronic device firmware updating method and system |
CN104603792A (en) * | 2012-08-29 | 2015-05-06 | 微软公司 | Secure firmware updates |
CN104090790A (en) * | 2014-06-30 | 2014-10-08 | 飞天诚信科技股份有限公司 | Two-chip scheme firmware updating method for safety terminal |
CN104408370A (en) * | 2014-12-25 | 2015-03-11 | 珠海全志科技股份有限公司 | Android system security verification method and verification device thereof |
Also Published As
Publication number | Publication date |
---|---|
CN105159707A (en) | 2015-12-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN105159707B (en) | The firmware programming method and financial terminal of a kind of safe financial terminal | |
KR101229521B1 (en) | Method and apparatus for remotely verifying memory integrity of a device | |
CN103729597B (en) | System starts method of calibration, system starts calibration equipment and terminal | |
CN104462965B (en) | Application integrity verification method and the network equipment | |
CN108196863A (en) | A kind of upgrade method of firmware, device, terminal and storage medium | |
KR20150008546A (en) | Method and apparatus for executing secure download and function | |
CN104318160B (en) | The method and apparatus of killing rogue program | |
CN107743115B (en) | Identity authentication method, device and system for terminal application | |
CN106055341A (en) | Application installation package checking method and device | |
CN106331009A (en) | Application program downloading method, device and system | |
CN107330320A (en) | The method and apparatus of application process monitoring | |
CN106919859A (en) | Basic input output system guard method and device | |
EP2187314B1 (en) | Download security system | |
CN113315767A (en) | Electric power Internet of things equipment safety detection system and method | |
CN112346904A (en) | Smart electric meter calibration method and device, smart electric meter and storage medium | |
CN107688756B (en) | Hard disk control method, equipment and readable storage medium storing program for executing | |
CN107229958A (en) | A kind of intellective IC card data detection method and device | |
CN109753793A (en) | A kind of hot patch method and hot patch device | |
CN112417422B (en) | Security chip upgrading method and computer readable storage medium | |
CN107038540A (en) | Physical distribution delivery method and device based on intelligent bar code | |
CN111125039A (en) | Method and device for generating operation log | |
CN108734014A (en) | Cryptographic data authentication method and apparatus, code data guard method and device | |
CN115357274A (en) | Remote IO equipment firmware upgrading method and system | |
KR20140082542A (en) | Method and apparatus for supporting dynamic change of authentication means for secure booting | |
CN112948819B (en) | Application file shelling method and device and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |