CN111443950A - Vehicle-mounted system safety starting method and vehicle-mounted system - Google Patents


Info

Publication number
CN111443950A
Authority
CN (China)
Application number
CN201811644673.5A
Other languages
Chinese (zh)
Inventors
宋戈
曹明革
刘健皓
Current Assignee
Anxinxing Beijing Technology Co ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Legal status
Pending
Prior art keywords
image file, hardware security, security unit, boot program, partition image

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/4401 Bootstrapping
    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R 16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R 16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 9/00 Arrangements for program control, e.g. control units
    • G06F 9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F 9/44 Arrangements for executing specific programs
    • G06F 9/445 Program loading or initiating
    • G06F 9/44505 Configuring for program initiating, e.g. using registry, configuration files

Abstract

The invention discloses a vehicle-mounted system and a secure boot method for it. The method comprises the following steps: after the boot loader starts running, the boot loader transfers a preset partition image file to a hardware security unit; the hardware security unit verifies the validity of the preset partition image file transferred by the boot loader; and if the verification finds the file invalid, system startup is interrupted. In this scheme, before the system kernel is started, the boot loader transfers the preset partition image file to the hardware security unit, the hardware security unit decides whether the image file is valid, and system startup is interrupted when the file is found invalid, so that protection is applied before the vehicle-mounted system starts and a secure start of the vehicle-mounted system is guaranteed; moreover, the scheme is simple to implement, its protection executes efficiently, and it is easy to apply and deploy at scale.

Description

Vehicle-mounted system safety starting method and vehicle-mounted system
Technical Field
The invention relates to the technical field of vehicle security, and in particular to a secure boot method and device for a vehicle-mounted system.
Background
With the continuous development of science, technology and society, the emergence of various intelligent and automated vehicles has greatly eased people's work and life, but has also given rise to many security threats aimed at vehicles. For example, the various programmable or remotely programmable systems in vehicles offer new intrusion channels to attackers, posing a great threat to people's property and lives.
To keep vehicles safe and protect them, many protective measures for vehicles have appeared in the prior art. However, these measures are usually concentrated after the vehicle-mounted system has started; a measure that protects the vehicle-mounted system during its startup process is still lacking.
Disclosure of Invention
In view of the above, the present invention is proposed in order to provide a secure boot method for an in-vehicle system, and an in-vehicle system, that overcome or at least partially solve the above problems.
According to one aspect of the invention, a secure boot method for an on-board system is provided, which comprises the following steps:
After the boot loader starts running, the boot loader transfers the preset partition image file to the hardware security unit;
The hardware security unit verifies the validity of the preset partition image file transferred by the boot loader;
And if the verification finds the file invalid, system startup is interrupted.
According to another aspect of the present invention, there is provided an in-vehicle system including:
A memory adapted to store a boot loader, where the boot loader transfers the preset partition image file to the hardware security unit;
A hardware security unit adapted to verify the validity of the preset partition image file transferred by the boot loader;
And a microprocessor adapted to interrupt system startup if the hardware security unit's verification result is invalid.
According to the secure boot method and the vehicle-mounted system of the invention, after the boot loader starts running, the boot loader transfers the preset partition image file to the hardware security unit; the hardware security unit verifies the validity of the preset partition image file transferred by the boot loader; and if the verification finds the file invalid, system startup is interrupted. In this scheme, before the system kernel is started, the boot loader transfers the preset partition image file to the hardware security unit, the hardware security unit decides whether the image file is valid, and system startup is interrupted when the file is found invalid, so that protection is applied before the vehicle-mounted system starts and a secure start of the vehicle-mounted system is guaranteed; moreover, the scheme is simple to implement, its protection executes efficiently, and it is easy to apply and deploy at scale.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a flowchart illustrating a method for securely booting an in-vehicle system according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a method for securely booting an in-vehicle system according to another embodiment of the present invention;
Fig. 3 is a schematic structural diagram illustrating an in-vehicle system according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 is a flowchart illustrating a method for securely booting an in-vehicle system according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step S110: after the boot loader starts running, it transfers the preset partition image file to the hardware security unit.
The vehicle-mounted system in this embodiment may be a vehicle-mounted T-Box (Telematics Box) system, an in-vehicle infotainment (IVI) system, or the like; the present embodiment does not limit the specific type of in-vehicle system. Moreover, the vehicle-mounted system may specifically be an Android system or a Linux system.
The boot loader initializes the hardware and establishes a map of the memory space, bringing the software and hardware environment of the system to an appropriate state so that the operating system kernel is finally invoked in a correct environment.
After the boot loader starts, it can load the corresponding image file according to the configured image file address of the system kernel in order to boot the kernel. In the prior art, after loading the required image file the boot loader starts it directly, thereby booting the system kernel. Unlike the prior art, while starting the image file it has loaded, the boot loader in this embodiment loads the preset partition image file and transfers it to a Hardware Security Element (HSE). The hardware security unit is a trusted platform module; data stored in it is hard to tamper with or steal, and its security is extremely high.
Step S120: the hardware security unit verifies the validity of the preset partition image file transferred by the boot loader; if the file is not valid, go to step S130.
The hardware security unit verifies the validity of the preset partition image file transferred by the boot loader. The specific verification manner is not limited in this embodiment; for example, it may be checked whether the preset partition image file transferred by the boot loader matches the preset partition image file stored in the hardware security unit. If they do not match, the preset partition image file is determined to be invalid and step S130 is executed; if it is determined to be valid, the boot loader can be allowed to carry out the subsequent boot operations.
Step S130: system startup is interrupted.
When the hardware security unit determines that the preset partition image file transferred by the boot loader is invalid, a corresponding interrupt mechanism is used to interrupt system startup. For example, the processor (such as a CPU) may be powered off, thereby interrupting system startup and keeping the system secure.
Thus, in this embodiment, after the boot loader starts running, it transfers the preset partition image file to the hardware security unit; the hardware security unit verifies the validity of that file; and if the verification finds it invalid, system startup is interrupted. Unlike the prior art, where the loaded image file is run directly, the preset partition image file loaded after the boot loader starts is transferred to the hardware security unit, which decides whether it is valid, and system startup is interrupted when the file is found invalid. Protection is therefore applied before the vehicle-mounted system starts and a secure start is ensured; moreover, the scheme is simple to implement, its protection executes efficiently, and it is easy to apply and deploy at scale.
Fig. 2 is a flowchart illustrating a method for securely booting an in-vehicle system according to another embodiment of the present invention. As shown in Fig. 2, the method includes:
Step S210: after the boot loader starts running, it transfers the hash value corresponding to the preset partition image file to the hardware security unit.
In actual implementations the system usually includes several partitions, each storing corresponding files. For example, the partitions may include an update partition storing updated application files, a user data partition (userdata partition), and so on. Although the partitions differ between systems, every system includes a partition that stores important files of the system kernel, and a user without root authority cannot change the files in that partition.
When an intruder breaks into the system, a common method is to obtain root authority through some intrusion means and then tamper with important files of the system kernel, threatening the security of the system. Against this intrusion mode, in this embodiment the preset partition image file is stored in the hardware security unit, which improves the security of the stored preset partition image file and prevents it from being tampered with. The preset partition is a partition that stores important files of the system kernel and whose files cannot be changed by a user without root authority; for example, it may be the system partition of an Android system.
After the boot loader starts running and has executed steps such as global variable relocation, port initialization and platform initialization, it can read the loading address of the image file from the partition table and load the image file according to that address. The image files loaded by the boot loader include the preset partition image file.
After the boot loader starts and loads the preset partition image file, the hash value corresponding to the image file can be obtained with a corresponding hash algorithm. For example, a hash operation may be performed over the directory information of the preset partition image file, and the result taken as the hash value corresponding to the image file. Those skilled in the art should understand that the embodiment may also convert the preset partition image file with algorithms other than a hash operation, so as to reduce the amount of data transmitted during the transfer.
The boot loader then transfers the hash value corresponding to the preset partition image file to the hardware security unit. The specific transfer manner is not limited in this embodiment.
Step S220: the hardware security unit verifies the validity of the hash value corresponding to the preset partition image file transferred by the boot loader; if the verification finds it invalid, step S230 is executed.
As explained above, the hardware security unit stores the preset partition image file. When it receives the hash value corresponding to the preset partition image file transferred by the boot loader, the hardware security unit performs the hash operation on the preset partition image file it stores and obtains the corresponding hash value.
Further, the hardware security unit matches the hash value of the preset partition image file it stores against the hash value of the preset partition image file transferred by the boot loader; if they do not match, the verification is invalid.
For example, the image file of the system partition of an Android system, or the hash value corresponding to that image file, may be stored in the hardware security unit in advance, which guarantees that this copy of the system partition image cannot be corrupted. Suppose an intruder obtains root authority through some attack means and then alters the system partition files stored outside the hardware security unit. During kernel startup the boot loader obtains the loading address of the system partition image file from the partition table, loads the image file and calculates its hash value after loading. Because the system partition files stored outside the hardware security unit have been tampered with, the hash value calculated by the boot loader differs from the hash value of the system partition image file stored in the hardware security unit, so the hardware security unit determines that the verification is invalid and step S230 is executed.
Step S230: the micro control unit connected to the processor powers off the processor.
After the hardware security unit verifies the validity of the hash value corresponding to the preset partition image file transferred by the boot loader, if the verification finds it invalid, system startup is interrupted.
Specifically, in actual implementations the vehicle-mounted system is generally run by a processor, which may be a central processing unit (CPU). To meet the low power consumption requirement of the vehicle-mounted system, at least one corresponding micro control unit (MCU) is generally provided for the processor, and the MCU can control the power supply state of the processor. Therefore, to interrupt system startup, the micro control unit connected to the processor powers off the processor.
In an optional embodiment, since a tampered boot loader may be unable to transfer the preset partition image file to the hardware security unit, the boot loader may itself be stored in the hardware security unit to prevent it from being tampered with.
In yet another optional implementation, if the boot loader has been tampered with it may not transfer the preset partition image file to the hardware security unit, so the hardware security unit cannot verify the file and a secure start of the vehicle-mounted system cannot be guaranteed. Therefore, if the hardware security unit does not receive any data from the boot loader within a preset time period after the boot loader starts, system startup is interrupted. In a specific implementation, after the boot loader starts, the hardware security unit may record the boot loader's start time and monitor the data transferred from the boot loader to the hardware security unit during the preset time period after that start. If the hardware security unit determines that no preset partition image file was transferred by the boot loader within the preset time period, it determines that the boot loader has been tampered with and causes the microprocessor connected to the processor to power off the processor. In this way the security of the system during startup is further improved and the security of the vehicle-mounted system is ensured. The length of the preset time period is not limited in this embodiment and can be set by those skilled in the art according to actual requirements; for example, it may be determined from the average duration of the boot loader's execution.
Optionally, to improve user experience and allow the vehicle-mounted system to be repaired quickly, corresponding warning information may be triggered before the micro control unit powers off the processor. The presentation manner and the specific content of the warning information are not limited in this embodiment and can be set by those skilled in the art according to actual requirements.
Further optionally, the alarm information may carry corresponding attack mode information. For example, if the hardware security unit receives the hash value of the preset partition image file from the boot loader within the preset time period but determines that the hash value is invalid, it is estimated that the current vehicle-mounted system may have suffered an attack in which an intruder obtained root authority and falsified important files; if the hardware security unit does not receive the hash value of the preset partition image file from the boot loader within the preset time period, it is estimated that the current vehicle-mounted system may have suffered an attack in which the boot loader was tampered with. Presenting alarm information that carries the corresponding attack mode information therefore helps a user or maintenance person quickly locate the attack the current system may have suffered, so that the attack can be quickly blocked and repaired, further improving the security of the vehicle.
Further optionally, after the micro control unit powers off the processor, the steps of this embodiment may be executed again once preset recovery information is received (for example, restart information manually triggered by a user) or after a preset time threshold has elapsed.
Thus, in this embodiment, after the boot loader starts running, it transfers the hash value corresponding to the preset partition image file to the hardware security unit, and the hardware security unit verifies the validity of that hash value; if the verification finds it invalid, the micro control unit connected to the processor powers off the processor. In this scheme, while the image file is being loaded after the boot loader starts, the hash value of the preset partition image file is transferred to the hardware security unit, which decides whether the hash value is valid, and system startup is interrupted when it is found invalid, so that protection is applied before the vehicle-mounted system starts and a secure start is ensured; in addition, the scheme is simple to implement, its protection executes efficiently, and it is easy to apply and deploy at scale. Further, in this embodiment system startup is also interrupted if the hardware security unit receives no data from the boot loader within the preset time period, which avoids the weak security that would result from a tampered boot loader and further improves the security and stability of the vehicle-mounted system.
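The flow of this embodiment (steps S210 to S230, the optional timeout check and the attack-mode alarm) as a small simulation in C, added here as an example and not code from the patent; the 64-bit FNV-1a hash, the 500 ms window, the sample image bytes and all function names are assumptions, and the HSE is modelled as holding a hash of the known-good image rather than the whole image.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts the hardware security unit (HSE) reports to the MCU. */
typedef enum {
    HSE_PENDING = 0,         /* still waiting for the boot loader */
    HSE_IMAGE_OK,            /* hash matched the stored reference */
    HSE_IMAGE_TAMPERED,      /* hash arrived in time but did not match */
    HSE_BOOTLOADER_TAMPERED  /* nothing arrived within the preset window */
} hse_verdict_t;

/* HSE state (assumption: it holds a hash of the known-good system partition image). */
typedef struct {
    uint64_t reference_hash;
    uint32_t boot_start_ms;  /* recorded when the boot loader starts */
    uint32_t window_ms;      /* preset time period for the transfer */
    hse_verdict_t verdict;
} hse_t;

/* Stand-in for the unspecified hash algorithm: 64-bit FNV-1a (assumption). */
uint64_t image_hash(const uint8_t *data, size_t len) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Provisioning at manufacture: store the reference hash and the window. */
void hse_provision(hse_t *hse, const uint8_t *good, size_t len, uint32_t window_ms) {
    hse->reference_hash = image_hash(good, len);
    hse->window_ms = window_ms;
    hse->verdict = HSE_PENDING;
}

/* The HSE records the boot loader start time and resets its verdict. */
void hse_boot_started(hse_t *hse, uint32_t now_ms) {
    hse->boot_start_ms = now_ms;
    hse->verdict = HSE_PENDING;
}

/* Steps S210/S220: the boot loader transfers the image hash and the HSE
 * compares it with its own reference. A late transfer counts as absent. */
hse_verdict_t hse_receive_hash(hse_t *hse, uint64_t hash, uint32_t now_ms) {
    if (hse->verdict != HSE_PENDING) return hse->verdict;  /* already decided */
    if (now_ms - hse->boot_start_ms > hse->window_ms)
        hse->verdict = HSE_BOOTLOADER_TAMPERED;
    else if (hash == hse->reference_hash)
        hse->verdict = HSE_IMAGE_OK;
    else
        hse->verdict = HSE_IMAGE_TAMPERED;
    return hse->verdict;
}

/* Timer tick: silence for the whole window means the boot loader is assumed tampered. */
hse_verdict_t hse_tick(hse_t *hse, uint32_t now_ms) {
    if (hse->verdict == HSE_PENDING && now_ms - hse->boot_start_ms > hse->window_ms)
        hse->verdict = HSE_BOOTLOADER_TAMPERED;
    return hse->verdict;
}

/* MCU side (step S230): returns 1 when the CPU must be powered off, 0 when boot
 * may continue, and sets the attack-mode text for the pre-power-off alarm. */
int mcu_act_on_verdict(hse_verdict_t v, const char **alarm) {
    const char *msg = NULL;
    if (v == HSE_IMAGE_TAMPERED)
        msg = "system partition image altered (root compromise suspected)";
    else if (v == HSE_BOOTLOADER_TAMPERED)
        msg = "boot loader tampered: no image hash received in time";
    if (alarm) *alarm = msg;
    return msg != NULL;  /* power off exactly when an attack was inferred */
}

/* One boot run over a constructed sample image. Scenario 0: genuine image,
 * 1: one flipped bit in the loaded image, 2: boot loader never reports. */
hse_verdict_t demo_scenario(int scenario) {
    static const uint8_t good[] = "system.img:init,libc,services";  /* constructed */
    uint8_t loaded[sizeof good];
    hse_t hse;
    memcpy(loaded, good, sizeof good);
    if (scenario == 1) loaded[3] ^= 0x01;
    hse_provision(&hse, good, sizeof good, 500);  /* 500 ms window (assumption) */
    hse_boot_started(&hse, 1000);
    if (scenario == 2) return hse_tick(&hse, 1600);  /* window elapsed in silence */
    /* Boot loader side: hash what was actually loaded and hand it to the HSE. */
    return hse_receive_hash(&hse, image_hash(loaded, sizeof loaded), 1200);
}
int main(void) {
    const char *alarm;
    for (int s = 0; s < 3; s++) {
        hse_verdict_t v = demo_scenario(s);
        int off = mcu_act_on_verdict(v, &alarm);
        printf("scenario %d: verdict=%d power_off=%d alarm=%s\n", s, v, off, alarm ? alarm : "none");
    }
    return 0;
}
```

A single flipped bit in the loaded image changes the FNV-1a state at that byte, and every later step is a bijection, so the two hashes are guaranteed to differ and the HSE reports the image as tampered.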
Fig. 3 is a schematic structural diagram illustrating an in-vehicle system according to an embodiment of the present invention. As shown in fig. 3, the system includes: memory 31, hardware security unit 32, microprocessor 33, and a processor.
The memory 31 is adapted to store a boot loader, which transfers the preset partition image file to the hardware security unit 32. Optionally, the memory may be a random access memory (RAM) or a non-volatile memory, such as at least one FLASH memory, a disk memory, or the like.
The hardware security unit 32 is adapted to verify the validity of the preset partition image file transferred by the boot loader. It may specifically be one or more security chips. Data stored in the hardware security unit 32 is hard to tamper with and has extremely high security. The specific type of hardware security unit is not limited in this embodiment, and those skilled in the art can select a suitable security chip according to actual requirements.
The microprocessor 33 is adapted to interrupt system startup if the hardware security unit's verification result is invalid.
The processor may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention. The processors in this embodiment are referred to collectively as "the processor"; the onboard system may include one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs together with one or more ASICs; the specific type and number of processors are not limited in this embodiment.
In actual implementations, the units of the vehicle-mounted system exchange information over a bus. The bus may be a CAN (Controller Area Network) bus, and communication between the units of the onboard system should follow the CAN bus (Controller Area Network Bus) protocol.
Optionally, the vehicle-mounted system provided in this embodiment may further include a radio frequency antenna, a bus transceiver, a network module, and/or a bluetooth module.
Optionally, the boot loader transferring the preset partition image file to the hardware security unit 32 further includes: the boot loader transferring the hash value corresponding to the preset partition image file to the hardware security unit;
The hardware security unit 32 is further adapted to: verify the validity of the hash value corresponding to the preset partition image file transferred by the boot loader.
Optionally, the hardware security unit 32 is further adapted to: match the hash value of the preset partition image file against the hash value of the preset partition image file stored in the hardware security unit;
If they do not match, the verification is invalid.
Optionally, if the boot loader has been tampered with, it cannot transfer the preset partition image file to the hardware security unit, so the hardware security unit cannot verify the preset partition image file and a secure start of the vehicle-mounted system cannot be ensured.
Therefore, the hardware security unit 32 is further adapted to: determine whether data transferred by the boot loader is received within a preset time period after the boot loader starts;
The microprocessor 33 is further adapted to: interrupt system startup if the hardware security unit does not receive the preset partition image file transferred by the boot loader within the preset time period after the boot loader starts.
Specifically, in this embodiment, if the hardware security unit does not receive any data from the boot loader within a preset time period after the boot loader starts, system startup is interrupted. In a specific implementation, after the boot loader starts, the hardware security unit may record the boot loader's start time and monitor the data transferred from the boot loader to the hardware security unit during the preset time period after that start. If the hardware security unit determines that no preset partition image file was transferred by the boot loader within the preset time period, it determines that the boot loader has been tampered with and causes the microprocessor connected to the processor to power off the processor. In this way the security of the system during startup is further improved and the security of the vehicle-mounted system is ensured. The length of the preset time period is not limited in this embodiment and can be set by those skilled in the art according to actual requirements.
Optionally, a micro control unit 33 is connected to the processor, the micro control unit being further adapted to power off the processor so as to interrupt system startup.
Optionally, the preset partition is a system partition.
The specific implementation process of each component in the vehicle-mounted system provided in this embodiment may refer to the description of the corresponding part in the method embodiment shown in fig. 1 and/or fig. 2, which is not described herein again.
Therefore, in the embodiment, after the boot program is started to run, the boot program is started to transmit the preset partition image file to the hardware security unit; the hardware security unit carries out validity verification on a preset partition image file transmitted by the boot program; and if the verification is illegal, interrupting the system starting. Therefore, in the embodiment, in the process of loading the image file after the boot program is started to run, unlike the process of directly running the image file in the prior art, the preset partition image file is transmitted to the hardware security unit, the legitimacy of the image file is determined by the hardware security unit, and the system start is interrupted under the condition of determining the legitimacy, so that the safety protection before the vehicle-mounted system is started can be realized, and the safety start of the vehicle-mounted system is ensured; and the implementation process of the scheme is simple and easy, the protection execution efficiency is high, and the large-scale application and implementation are easy.
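The boot flow described above, and restated in items A1 to A5 of the disclosure below (the boot program transmits a hash of the system partition image, the hardware security unit compares it with the hash it stores, a preset time period bounds how long the hardware security unit waits, and the micro control unit powers the processor off on a mismatch or a timeout), as an added simulation in Python. This is example code written for this page, not the patent's implementation; SHA-256 as the hash function, the millisecond timeline, the 500 ms default timeout, and all class and function names are assumptions made here.

```python
"""Added simulation of the secure-boot flow described in the embodiment (not the patent's own code).

Roles: the boot program hashes the preset (system) partition image and sends the
hash to the hardware security unit (HSU); the HSU compares it with the hash it
stores and also watches for the transmission to arrive within a preset time
period; on a mismatch or a timeout the micro control unit (MCU) powers the
processor off. SHA-256, the millisecond timeline and all names are assumptions.
"""
import hashlib
import hmac
from typing import Optional

# Constructed stand-in for a system partition image (not a real image).
SYSTEM_IMAGE = b"\x7fELF" + b"vehicle-system-partition-v1\x00" * 16


def image_hash(image: bytes) -> bytes:
    """Boot-program side: digest of the partition image that is sent to the HSU."""
    return hashlib.sha256(image).digest()


class HardwareSecurityUnit:
    """Stores the reference hash and checks what the boot program transmits."""

    def __init__(self, reference_hash: bytes, timeout_ms: int) -> None:
        self._reference_hash = reference_hash      # provisioned in advance (assumption)
        self.timeout_ms = timeout_ms               # the "preset time period"
        self.boot_started_ms: Optional[int] = None
        self.received_ms: Optional[int] = None

    def on_boot_program_started(self, now_ms: int) -> None:
        """Record the boot program's start time so the timeout can be measured."""
        self.boot_started_ms = now_ms
        self.received_ms = None

    def verify(self, transmitted_hash: bytes, now_ms: int) -> bool:
        """Validity check: constant-time comparison against the stored hash."""
        self.received_ms = now_ms
        return hmac.compare_digest(transmitted_hash, self._reference_hash)

    def timed_out(self, now_ms: int) -> bool:
        """True once the preset period has passed without any data from the boot program."""
        if self.boot_started_ms is None or self.received_ms is not None:
            return False
        return now_ms - self.boot_started_ms > self.timeout_ms


class MicroControlUnit:
    """Connected to the processor; the only component that can cut its power here."""

    def __init__(self) -> None:
        self.processor_powered = True

    def power_off_processor(self) -> None:
        self.processor_powered = False


def run_boot(image: bytes, hsu: HardwareSecurityUnit, mcu: MicroControlUnit,
             transmit_delay_ms: Optional[int]) -> str:
    """Drive one boot attempt on a simulated millisecond timeline.

    transmit_delay_ms is how long after start the boot program sends the hash;
    None models a boot program that never sends (e.g. because it was replaced).
    Returns "booted", "halted:timeout" or "halted:invalid_image".
    """
    hsu.on_boot_program_started(now_ms=0)
    watchdog_fires_ms = hsu.timeout_ms + 1

    # The HSU's deadline is reached before any transmission that would arrive later.
    if transmit_delay_ms is None or transmit_delay_ms >= watchdog_fires_ms:
        assert hsu.timed_out(watchdog_fires_ms)
        mcu.power_off_processor()
        return "halted:timeout"

    if not hsu.verify(image_hash(image), now_ms=transmit_delay_ms):
        mcu.power_off_processor()
        return "halted:invalid_image"
    return "booted"


def provision_hsu(trusted_image: bytes, timeout_ms: int = 500) -> HardwareSecurityUnit:
    """Store only the hash of the trusted image in the HSU, never the image itself."""
    return HardwareSecurityUnit(image_hash(trusted_image), timeout_ms)


if __name__ == "__main__":
    tampered = bytearray(SYSTEM_IMAGE)
    tampered[100] ^= 0x01                      # single-bit change to the image
    for label, img, delay in [("genuine image", SYSTEM_IMAGE, 50),
                              ("tampered image", bytes(tampered), 50),
                              ("boot program never reports", SYSTEM_IMAGE, None),
                              ("report arrives too late", SYSTEM_IMAGE, 900)]:
        mcu = MicroControlUnit()
        result = run_boot(img, provision_hsu(SYSTEM_IMAGE), mcu, delay)
        print(f"{label:28s} -> {result:22s} processor powered: {mcu.processor_powered}")
```

Two design points matter for a real implementation: the hardware security unit holds only the reference hash, so the large image never has to cross into it, and the timeout is measured by the hardware security unit itself from the boot program's recorded start time, so a boot program that has been replaced and never reports is caught even though it never sends anything to compare.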
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functionality of some or all of the components in an in-vehicle system in accordance with embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera does not indicate any ordering. These words may be interpreted as names.
The invention discloses: A1. A safe starting method of an on-board system, comprising the following steps:
After the boot program is started to run, the boot program is started to transmit the preset partition image file to the hardware security unit;
The hardware security unit carries out validity verification on the preset partition image file transmitted by the boot program;
And if the verification is illegal, interrupting the system starting.
A2. The method of A1, wherein the starting the boot program to transmit the preset partition image file to the hardware security unit further comprises:
Starting the boot program to transmit a hash value corresponding to the preset partition image file to the hardware security unit;
The hardware security unit carrying out validity verification on the preset partition image file transmitted by the boot program further comprises:
The hardware security unit carrying out validity verification on the hash value corresponding to the preset partition image file transmitted by the boot program.
A3. The method of A2, wherein the hardware security unit carrying out validity verification on the preset partition image file transmitted by the boot program further comprises:
The hardware security unit matching the hash value of the preset partition image file with the hash value of the preset partition image file stored in the hardware security unit;
If they do not match, the verification is illegal.
A4. The method of any one of A1-A3, wherein the method further comprises:
If the hardware security unit does not receive the preset partition image file transmitted by the boot program within a preset time period after the boot program is started, interrupting the system starting.
A5. The method of any one of A1-A4, wherein the interrupting the system starting further comprises:
Powering off the processor through a micro control unit connected with the processor.
A6. The method of any one of A1-A5, wherein the preset partition is a system partition.
The invention also discloses: B7. An in-vehicle system, comprising:
A memory, adapted to store a boot program, the boot program transmitting the preset partition image file to the hardware security unit;
The hardware security unit, adapted to verify the validity of the preset partition image file transmitted by the boot program;
And a microprocessor, adapted to interrupt the system starting if the verification result of the hardware security unit is illegal.
B8. The system of B7, wherein the boot program transmitting the preset partition image file to the hardware security unit further comprises:
The boot program transmitting a hash value corresponding to the preset partition image file to the hardware security unit;
The hardware security unit is further adapted to: carry out validity verification on the hash value corresponding to the preset partition image file transmitted by the boot program.
B9. The system of B8, wherein the hardware security unit is further adapted to:
Match the hash value of the preset partition image file with the hash value of the preset partition image file stored in the hardware security unit;
If they do not match, the verification is illegal.
B10. The system of any one of B7-B9, wherein the hardware security unit is further adapted to: determine whether data transmitted by the boot program is received within a preset time period after the boot program is started;
The microprocessor is further adapted to: interrupt the system starting if the hardware security unit does not receive the preset partition image file transmitted by the boot program within the preset time period after the boot program is started.
B11. The system of any one of B7-B10, wherein a micro control unit is connected to the processor, the micro control unit being further adapted to: power off the processor to interrupt the system starting.
B12. The system of any one of B7-B11, wherein the preset partition is a system partition.

Claims (10)

1. A safe starting method of an on-board system, comprising the following steps:
After the boot program is started to run, the boot program is started to transmit the preset partition image file to the hardware security unit;
The hardware security unit carries out validity verification on the preset partition image file transmitted by the boot program;
And if the verification is illegal, interrupting the system starting.
2. The method of claim 1, wherein the starting the boot program to transmit the preset partition image file to the hardware security unit further comprises:
Starting the boot program to transmit a hash value corresponding to the preset partition image file to the hardware security unit;
The hardware security unit carrying out validity verification on the preset partition image file transmitted by the boot program further comprises:
The hardware security unit carrying out validity verification on the hash value corresponding to the preset partition image file transmitted by the boot program.
3. The method of claim 2, wherein the hardware security unit carrying out validity verification on the preset partition image file transmitted by the boot program further comprises:
The hardware security unit matching the hash value of the preset partition image file with the hash value of the preset partition image file stored in the hardware security unit;
If they do not match, the verification is illegal.
4. The method according to any one of claims 1-3, wherein the method further comprises:
If the hardware security unit does not receive the preset partition image file transmitted by the boot program within a preset time period after the boot program is started, interrupting the system starting.
5. The method of any one of claims 1-4, wherein the interrupting the system starting further comprises:
Powering off the processor through a micro control unit connected with the processor.
6. The method of any one of claims 1-5, wherein the preset partition is a system partition.
7. An in-vehicle system, comprising:
A memory, adapted to store a boot program, the boot program transmitting the preset partition image file to the hardware security unit;
The hardware security unit, adapted to verify the validity of the preset partition image file transmitted by the boot program;
And a microprocessor, adapted to interrupt the system starting if the verification result of the hardware security unit is illegal.
8. The system of claim 7, wherein the boot program transmitting the preset partition image file to the hardware security unit further comprises:
The boot program transmitting a hash value corresponding to the preset partition image file to the hardware security unit;
The hardware security unit is further adapted to: carry out validity verification on the hash value corresponding to the preset partition image file transmitted by the boot program.
9. The system of claim 8, wherein the hardware security unit is further adapted to:
Match the hash value of the preset partition image file with the hash value of the preset partition image file stored in the hardware security unit;
If they do not match, the verification is illegal.
10. The system according to any one of claims 7-9, wherein the hardware security unit is further adapted to: determine whether data transmitted by the boot program is received within a preset time period after the boot program is started;
The microprocessor is further adapted to: interrupt the system starting if the hardware security unit does not receive the preset partition image file transmitted by the boot program within the preset time period after the boot program is started.
CN201811644673.5A 2018-12-29 2018-12-29 Vehicle-mounted system safety starting method and vehicle-mounted system Pending CN111443950A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811644673.5A CN111443950A (en) 2018-12-29 2018-12-29 Vehicle-mounted system safety starting method and vehicle-mounted system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811644673.5A CN111443950A (en) 2018-12-29 2018-12-29 Vehicle-mounted system safety starting method and vehicle-mounted system

Publications (1)

Publication Number Publication Date
CN111443950A true CN111443950A (en) 2020-07-24

Family

ID=71648508

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811644673.5A Pending CN111443950A (en) 2018-12-29 2018-12-29 Vehicle-mounted system safety starting method and vehicle-mounted system

Country Status (1)

Country Link
CN (1) CN111443950A (en)

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104156659A (en) * 2014-08-14 2014-11-19 电子科技大学 Embedded system secure start method
CN104298913A (en) * 2013-07-18 2015-01-21 中国科学院信息工程研究所 Universal safe intelligent terminal starting method
CN104794393A (en) * 2015-04-24 2015-07-22 杭州字节信息技术有限公司 Embedded type partition image security certification and kernel trusted boot method and equipment thereof
CN106184190A (en) * 2015-05-29 2016-12-07 通用汽车环球科技运作有限责任公司 Startup control system and method for vehicle
CN107729198A (en) * 2017-10-18 2018-02-23 深圳合纵富科技有限公司 Android system firmware verification method and device
CN107949847A (en) * 2015-07-16 2018-04-20 Trw有限公司 Electronic control unit of a vehicle
CN108241798A (en) * 2017-12-22 2018-07-03 北京车和家信息技术有限公司 Method, apparatus and system for preventing device reflashing

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
王镇道; 郑荣浩; 张立军; 鲁辉: "A trusted security scheme suitable for embedded terminals" (一种适用于嵌入式终端的可信安全方案), 计算机应用与软件, no. 01, 15 January 2016, pages 230-234 *
盛志凡; 王强; 刘进; 解伟; 王东飞; 郗望; 徐其桓; 杨滔: "Security technology scheme of the smart TV operating system TVOS 1.0" (智能电视操作系统TVOS1.0安全技术方案), 广播与电视技术, no. 09, pages 41-49 *
罗璎珞; 方强: "Information security threats to vehicle-mounted terminals and their prevention" (车载终端信息安全威胁与防范), 电信网技术, no. 06, pages 35-39 *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114625427A (en) * 2020-12-09 2022-06-14 博泰车联网科技(上海)股份有限公司 Partition starting method, system and equipment based on hard isolation
CN114625424A (en) * 2020-12-09 2022-06-14 博泰车联网科技(上海)股份有限公司 Resource reallocation method, system and equipment based on hard isolation
CN114625424B (en) * 2020-12-09 2023-09-29 博泰车联网科技(上海)股份有限公司 Resource reallocation method, system and equipment based on hard isolation
CN114625427B (en) * 2020-12-09 2023-09-29 博泰车联网科技(上海)股份有限公司 Partition starting method, system and equipment based on hard isolation
CN117009003A (en) * 2023-09-28 2023-11-07 飞腾信息技术有限公司 Safe starting method and related device
CN117009003B (en) * 2023-09-28 2024-01-09 飞腾信息技术有限公司 Safe starting method and related device

Similar Documents

Publication Publication Date Title
US10505919B2 (en) Program, method and system for authenticating control device
CN107729757B (en) Software authentication before software update
EP3522059B1 (en) Perform security action based on inventory comparison
US9792440B1 (en) Secure boot for vehicular systems
US9507604B2 (en) Boot method and boot system
US8135945B2 (en) Flexible boot methods for multi-processor devices
US11030347B2 (en) Protect computing device using hash based on power event
CN111443950A (en) Vehicle-mounted system safety starting method and vehicle-mounted system
US20200257650A1 (en) Boot time determination of calibration parameters for a component coupled to a system-on-chip
CN113407911A (en) Validating software residing on a remote computing device
US20160224806A1 (en) Rewrite detection system, rewrite detection device and information processing device
RU2481616C2 (en) Method and device for software download
TW201506788A (en) Secure boot override in a computing device equipped with unified-extensible firmware interface (UEFI)-compliant firmware
JP2017138969A (en) Automobile correction system providing security support and fault tolerance support
JP2021013122A (en) Data storage device and data storage program
US20220391192A1 (en) Ota master, center, system, method, non-transitory storage medium, and vehicle
US11956369B2 (en) Accelerated verification of automotive software in vehicles
US20230336356A1 (en) Data storage device, data storage method, and non-transitory computer readable storage medium
CN113419905A (en) Method and device for realizing credible verification and security module
CN114547618A (en) Safe starting method and device based on Linux system, electronic equipment and storage medium
CN107360167B (en) Authentication method and device
US11880273B2 (en) Method for installing a program code packet onto a device, device, and motor vehicle
JP6877388B2 (en) Information processing equipment, mobiles, information processing methods, and programs
CN115130114B (en) Gateway secure starting method and device, electronic equipment and storage medium
US20220413831A1 (en) Center, ota master, method, non-transitory storage medium, and vehicle

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20231121

Address after: 1739, 17th Floor, 15th Floor, Building 3, No.10 Jiuxianqiao Road, Chaoyang District, Beijing, 100000

Applicant after: Anxinxing (Beijing) Technology Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Applicant before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.