CN113642006A - Safe starting method of dual-core relay protection system - Google Patents


Info

Publication number
CN113642006A
Authority
CN
China
Prior art keywords
kernel
operating system
core
dual
boot
Legal status
Pending
Application number
CN202111007007.2A
Other languages
Chinese (zh)
Inventor
李肖博
习伟
姚浩
于杨
蔡田田
陈军健
陶伟
杨骏
Current Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202111007007.2A
Publication of CN113642006A
Current legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/575 Secure boot

Abstract

The application relates to a safe starting method of a dual-core relay protection system, which comprises the following steps: executing a first-level Boot in a first kernel; copying the secondary Boot to a memory, and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result; under the condition that the second-level Boot measurement verification result is passed, executing the second-level Boot to complete the copying and loading of the first kernel operating system image file and the second kernel operating system image file, and activating the second kernel; respectively executing a first kernel operating system image file and a second kernel operating system image file to complete the initialization of a corresponding operating system and the loading of a corresponding application program; and executing the corresponding application program according to the starting script to finish the starting of the dual-core relay protection system. According to the safe starting method of the dual-core relay protection system, the legality and integrity of the secondary Boot in the starting process can be guaranteed, the potential safety hazard in the starting process of the dual-core relay protection system is reduced, and the safety of the starting process of the system is improved.

Description

Safe starting method of dual-core relay protection system
Technical Field
The application relates to the field of relay protection, in particular to a safe starting method of a dual-core relay protection system.
Background
The relay protection device is a common device in the power system; its working state directly affects the whole power system, and it carries the important mission of protecting the safe and stable operation of the power system. With the continuous increase in the functional and performance requirements placed on relay protection devices, the resources of a single-core processor have become increasingly strained, and relay protection devices comprising a dual-core processor, together with dual-core relay protection systems matched to them, have appeared.
In the traditional starting method of a dual-core relay protection system, the kernel is started by executing a boot loader. Since the safety of the boot loader cannot be ensured, a great potential safety hazard exists in the starting process of the dual-core relay protection system. Therefore, the traditional starting method of the dual-core relay protection system has the defect of poor safety.
Disclosure of Invention
Therefore, it is necessary to provide a safe starting method of a dual-core relay protection system with good operation safety in view of the above technical problems.
A safety starting method of a dual-core relay protection system comprises the following steps:
executing a first-level Boot in a first kernel;
copying the secondary Boot to a memory, and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result;
under the condition that the second-level Boot measurement verification result is passed, executing the second-level Boot to complete the copying and loading of the first kernel operating system image file and the second kernel operating system image file, and activating a second kernel;
respectively executing the first kernel operating system image file and the second kernel operating system image file to complete the initialization of the corresponding operating system and the loading of the corresponding application program;
and executing the corresponding application program according to the starting script to finish the starting of the dual-core relay protection system.
In one embodiment, the copying the secondary Boot to a memory, and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result, includes:
copying the secondary Boot to a memory, calculating the hash value of the secondary Boot, and comparing the hash value with a preset hash value white list to obtain the secondary Boot measurement verification result.
In one embodiment, executing the secondary Boot under the condition that the secondary Boot measurement verification result is passed, to complete the copying and loading of the first kernel operating system image file and the second kernel operating system image file and to activate the second kernel, includes:
under the condition that the verification result of the secondary Boot measurement is passed, executing a first copy script of the secondary Boot, copying a first kernel operating system image file in an external storage device and loading the first kernel operating system image file to a memory;
executing a first measurement script of the secondary Boot, and performing measurement verification on the first kernel operating system image file to obtain a first operating system measurement verification result;
under the condition that the first operating system measurement verification result is passed, executing a second copy script of the secondary Boot, copying a second kernel operating system image file in an external storage device and loading the second kernel operating system image file to a memory;
executing a second measurement script of the secondary Boot, and performing measurement verification on the second kernel operating system image file to obtain a second operating system measurement verification result;
and executing the activation script of the secondary Boot to activate a second kernel under the condition that the second operating system measurement verification result is passed.
In one embodiment, the initialization of the operating system includes peripheral initialization, interrupt initialization, network initialization, and NFS initialization.
In one embodiment, after the first kernel operating system image file and the second kernel operating system image file are respectively executed to complete the initialization of the corresponding operating systems and the loading of the corresponding application programs, and before the corresponding application programs are executed according to the start script to complete the starting of the dual-core relay protection system, the method further includes:
respectively carrying out measurement verification on the first kernel application program and the second kernel application program.
In one embodiment, the first core and the second core are both CK810 chips.
In one embodiment, before executing the first level Boot in the first kernel, the method further includes:
performing physical memory management on the first kernel and the second kernel;
establishing a mapping relation between a physical memory and a virtual memory;
constructing a communication mechanism between the first core and the second core.
In one embodiment, the performing physical memory management on the first kernel and the second kernel includes:
performing, by an arbiter, access priority ordering of the shared physical memory for the first kernel and the second kernel;
and partitioning the exclusive physical memory by the configuration function of the board support package.
In one embodiment, the virtual memory includes a NOR Flash coupled to the first core and the second core, and an eMMC coupled to the first core.
In one embodiment, the communication mechanism is a mailbox mechanism.
According to the safe starting method of the dual-core relay protection system, before the second-level Boot is executed, the second-level Boot is measured and verified, so that a Boot loader in the starting process, namely the legality and integrity of the second-level Boot, can be ensured, the potential safety hazard in the starting process of the dual-core relay protection system is reduced, and the safety of the system in the starting process is improved.
Drawings
Fig. 1 is a flowchart of a method for safely starting a dual-core relay protection system in an embodiment;
fig. 2 is a flowchart illustrating, in an embodiment, executing the secondary Boot when the secondary Boot measurement verification result is passed, to complete the copying and loading of the first kernel operating system image file and the second kernel operating system image file, and to activate the second kernel;
FIG. 3 is a flowchart of a method for safely starting a dual-core relay protection system in another embodiment;
fig. 4 is a schematic diagram of an application storage layout of the dual-core relay protection system in an embodiment;
fig. 5 is a schematic layout diagram of a virtual memory and a physical memory of the dual-core relay protection system in an embodiment;
FIG. 6 is a diagram illustrating a layout of a NOR Flash memory space in an embodiment;
FIG. 7 is a schematic diagram of a Mailbox-based communication mechanism in an embodiment;
fig. 8 is a schematic diagram illustrating an application initialization process of the first kernel and the second kernel in an embodiment.
Detailed Description
To facilitate an understanding of the present application, the present application will now be described more fully with reference to the accompanying drawings. Embodiments of the present application are set forth in the accompanying drawings. This application may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete.
Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used herein in the description of the present application is for the purpose of describing particular embodiments only and is not intended to be limiting of the application.
It will be understood that when an element is referred to as being "connected" to another element, it can be directly connected to the other element or be connected to the other element through intervening elements. Further, "connection" in the following embodiments is understood to mean "electrical connection", "communication connection", or the like, if there is a transfer of electrical signals or data between the connected objects.
As used herein, the singular forms "a", "an" and "the" may include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises/comprising," "includes" or "including," etc., specify the presence of stated features, integers, steps, operations, components, parts, or combinations thereof, but do not preclude the presence or addition of one or more other features, integers, steps, operations, components, parts, or combinations thereof.
The application provides a safe starting method of a dual-core relay protection system, which is used for starting the dual-core relay protection system borne by a relay protection device. The relay protection device is a relay protection SOC (System on Chip) Chip comprising two kernels. The two cores are respectively used for realizing different functions, for example, in a high-voltage protection device, the two cores are respectively used for executing different relay protection tasks; in the low-voltage protection and measurement and control device, a first kernel is used for running a protection program, and a second kernel is used for running a Human Machine Interface (HMI) program.
In one embodiment, as shown in fig. 1, the method for safely starting the dual-core relay protection system includes steps S400 to S900.
Step S400: executing the first-level Boot in the first kernel.
The first kernel and the second kernel are both operation kernels on the relay protection device processor. The first core and the second core are not of a unique type and may be, for example, CK610 chips or CK810 chips. Specifically, in the starting process, one core activates the other core to complete the starting of the whole dual-core relay protection system. For ease of understanding, the second kernel is defined herein as the activated kernel, which is activated by the first kernel during system boot. Further, the first-level Boot in the first kernel is a Boot program fixed in the first kernel, and is the first code executed at power-on or reset.
Step S500: copying the secondary Boot to a memory, and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result.
The secondary Boot is a Boot loader. The memory may be an on-chip memory or an external memory. The on-chip memory is a memory provided on the dual-core processor; the types of the on-chip memory and the external memory are not exclusive, and may be, for example, a RAM (Random Access Memory) or a DDR (Double Data Rate) memory. Furthermore, the measurement verification of the secondary Boot refers to a verification process of the data integrity, data format and the like of the secondary Boot by a certain means, so as to ensure the legality and integrity of the program file in the secondary Boot. The specific method of performing the measurement verification is not unique; the program file may be measured and verified by at least one of a digital signature and a hash value, for example. In one embodiment, the hash value of the secondary Boot is calculated and compared with a preset hash value white list in an on-chip memory; if the comparison is consistent, a verification result that the secondary Boot measurement verification passes is obtained, otherwise the verification fails.
Specifically, the secondary Boot may be copied from an external storage device to an on-chip memory through a bootrom (diskless Boot read only memory interface) to obtain a secondary Boot image, and in the process of forming the secondary Boot image, the secondary Boot is subjected to measurement verification to obtain a result that the secondary Boot measurement verification passes or fails. Further, the external storage device may be NOR Flash (non-volatile Flash memory) or eMMC (Embedded Multi Media Card).
Step S600: under the condition that the second-level Boot measurement verification result is passed, executing the second-level Boot to complete the copying and loading of the first kernel operating system image file and the second kernel operating system image file, and activating the second kernel.
The operating system image file is an image, that is, a clone of all the installation data, of the corresponding operating system. Specifically, the corresponding program of the secondary Boot in the memory is executed, the first kernel operating system image file and the second kernel operating system image file are respectively read from the external storage device, the corresponding files are copied and loaded to the memory, and the second kernel is activated. Further, in step S500, the second-level Boot may be copied to the on-chip RAM and the external DDR at the same time, the measurement of the second-level Boot being performed on the copy in the on-chip RAM and the second-level Boot being executed from the external DDR, so as to improve the operation efficiency.
It can be understood that, if the second-level Boot measurement verification result obtained in step S500 is a failure, the starting process of the dual-core relay protection system is terminated, and warning information is output.
Step S700: respectively executing the first kernel operating system image file and the second kernel operating system image file to complete the initialization of the corresponding operating system and the loading of the corresponding application program.
An application is a computer program that runs in user mode, can interact with a user, and has a visual user interface for performing one or more specific tasks. Specifically, the first kernel jumps to the first kernel operating system image file to execute its initialization; after the initialization of the first kernel operating system image file is completed, the first kernel application program in the external storage device is loaded into the memory, and at the same time, the NFS (Network File System) initialization of the second kernel is performed. After the second kernel completes the NFS initialization, the second kernel application program in the external storage device is loaded into the memory through the NFS. In one embodiment, the initialization of the operating system includes peripheral initialization, interrupt initialization, network initialization, and NFS initialization, so as to build a secure data runtime environment. Peripheral initialization refers to the initialization of an external storage device such as the eMMC.
Step S900: executing the corresponding application program according to the starting script to finish the starting of the dual-core relay protection system.
Specifically, the first kernel and the second kernel execute the corresponding first kernel application program and second kernel application program respectively according to the corresponding start scripts, and display the corresponding user interfaces, so that the user can operate the user interfaces to realize the required functions. Thereby, the starting of the dual-core relay protection system is completed, and the cooperative application of the dual-core operating systems of the relay protection SOC chip is realized.
According to the safe starting method of the dual-core relay protection system, before the second-level Boot is executed, the second-level Boot is measured and verified, so that a Boot loader in the starting process, namely the legality and integrity of the second-level Boot, can be ensured, the potential safety hazard in the starting process of the dual-core relay protection system is reduced, and the safety of the system in the starting process is improved.
In one embodiment, as shown in fig. 2, step S600 includes steps S610 through S650.
Step S610: under the condition that the verification result of the secondary Boot measurement is passed, executing a first copy script of the secondary Boot, copying a first kernel operating system image file in an external storage device and loading the first kernel operating system image file to a memory.
As described above, the external storage device may be NOR Flash or eMMC; the memory may be a memory of the first core or a peripheral memory, such as the first core DDR or the peripheral DDR. In one embodiment, the external storage device includes NOR Flash for storing operating system image files and secondary boots, and eMMC for storing applications.
Specifically, when the result of the verification of the measurement of the secondary Boot is passed, it is indicated that the secondary Boot is legal and complete, and at this time, a first copy script of the secondary Boot is executed, and a first kernel operating system image file in an external storage device is copied and loaded to a memory.
Step S620: executing a first measurement script of the secondary Boot, and performing measurement verification on the image file of the first kernel operating system to obtain a measurement verification result of the first operating system.
The first measurement script is used for measuring and verifying the data integrity, the data format and the like of the first kernel operating system image file so as to ensure the legality and the integrity of the first kernel operating system image file. Specifically, the program file may be measured and verified by at least one of a digital signature and a hash value. In one embodiment, the hash value of the first operating system image file is calculated and compared with a preset first operating system hash value white list; if the comparison is consistent, a verification result that the first operating system measurement passes is obtained, otherwise the verification fails.
Step S630: under the condition that the measurement verification result of the first operating system is passed, executing a second copy script of the secondary Boot, copying a second kernel operating system image file in the external storage device and loading the second kernel operating system image file to the memory.
Specifically, when the first operating system measurement verification result is passed, it indicates that the first operating system image file is legal and complete; at this time, the subsequent Boot process is continued, the second copy script of the secondary Boot is executed, and the second kernel operating system image file in the external storage device is copied and loaded to the memory.
It can be understood that, if the first operating system measurement verification result obtained in step S620 is a failure, the starting process of the dual-core relay protection system is terminated, and warning information is output.
Step S640: executing a second measurement script of the secondary Boot, and performing measurement verification on the second kernel operating system image file to obtain a second operating system measurement verification result.
The second measurement script is used for measuring and verifying the data integrity, the data format and the like of the second kernel operating system image file so as to ensure the legality and the integrity of the second kernel operating system image file. Likewise, the program file may be measured and verified by at least one of a digital signature and a hash value. In one embodiment, the hash value of the second operating system image file is calculated and compared with a preset second operating system hash value white list; if the comparison is consistent, a verification result that the second operating system measurement passes is obtained, otherwise the verification fails.
Step S650: under the condition that the second operating system measurement verification result is passed, executing an activation script of the secondary Boot, and activating the second kernel.
Specifically, when the second operating system measurement verification result is passed, it indicates that the second operating system image file is legal and complete; at this time, the subsequent Boot process is continued, the activation script of the secondary Boot is executed, and the second kernel is activated.
In the above embodiment, in the copying and loading processes of the image file of the operating system, the validity and integrity of the image file of the corresponding operating system can be ensured by adopting a multi-level measurement verification mode, which is beneficial to further reducing the potential safety hazard in the starting process of the dual-core relay protection system and improving the safety of the starting process of the system.
In one embodiment, as shown in fig. 3, after step S700 and before step S900, the method further includes step S800: respectively carrying out measurement verification on the first kernel application program and the second kernel application program.
Specifically, the program file may be measured and verified by at least one of a digital signature and a hash value. In one embodiment, the hash values of the first kernel application program and the second kernel application program are calculated and compared with a preset first application program hash value white list and a preset second application program hash value white list respectively; if the comparison is consistent, a verification result that the measurement of the first kernel application program and the second kernel application program passes is obtained, otherwise the verification does not pass.
It can be understood that the subsequent starting step is carried out only when the verification is passed, otherwise, the starting process of the dual-core relay protection system is stopped, and warning information is output.
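The measured chain described in steps S500, S610 to S650 and S800 can be illustrated end to end with a small simulation. The following is an added example, not code from the patent or its assignee: every stored artifact (secondary Boot, the two kernel operating system images Img0 and Img1, the two applications) is copied into a memory dictionary, measured, and compared with a preset white list, and the activation of the second kernel and every later stage are reached only while all earlier measurements pass. The artifact contents, the choice of SHA-256 as the hash, the stage names and the `secure_boot`, `verify`, `build_whitelists` and `tampered` helpers are all assumptions made for the example; the patent only speaks of "a hash value" and "a preset hash value white list".

```python
"""Staged measured boot against hash white lists (added example, not the patent's code)."""
import hashlib
import hmac

# Constructed stand-ins for the files in external storage (NOR Flash / eMMC in the patent).
EXTERNAL_STORAGE = {
    "secondary_boot": b"constructed secondary Boot program",
    "img0": b"constructed first-kernel OS image Img0",
    "img1": b"constructed second-kernel OS image Img1",
    "app0": b"constructed first-kernel protection application",
    "app1": b"constructed second-kernel HMI application",
}

# Stages in the order the patent describes them: S500, S610-S620, S630-S640, S650, S800.
BOOT_STAGES = [
    ("secondary Boot", "secondary_boot"),
    ("first OS image", "img0"),
    ("second OS image", "img1"),
    ("activate second kernel", None),   # S650: activation only, nothing to measure
    ("first application", "app0"),
    ("second application", "app1"),
]


def measure(data: bytes) -> str:
    """Measurement of a program file. SHA-256 is an assumption; the patent only says 'hash value'."""
    return hashlib.sha256(data).hexdigest()


def build_whitelists(storage: dict) -> dict:
    """Preset white lists, one per artifact, as they would be provisioned into on-chip memory."""
    return {name: {measure(blob)} for name, blob in storage.items()}


class BootTerminated(Exception):
    """Raised when a measurement verification fails: the boot stops and a warning is output."""


def verify(stage: str, data: bytes, whitelist: set, log: list) -> bytes:
    """Compare the measurement with the white list; hand the data back only on a match."""
    digest = measure(data)
    # Constant-time comparison so the comparison itself leaks nothing about the expected digest.
    ok = any(hmac.compare_digest(digest, allowed) for allowed in whitelist)
    log.append(f"{stage}: {'pass' if ok else 'FAIL'}")
    if not ok:
        raise BootTerminated(f"warning: {stage} measurement verification failed, boot terminated")
    return data


def secure_boot(storage: dict, whitelists: dict):
    """Copy, measure and only then use each artifact, in the patent's order.

    Returns (memory, log); memory is None if any stage failed, so nothing downstream
    of a failed measurement is ever loaded or activated.
    """
    memory = {}
    log = []
    try:
        for stage, key in BOOT_STAGES:
            if key is None:
                # S650: the activation script runs only after both OS images passed.
                memory["core1_active"] = True
                log.append(f"{stage}: done")
                continue
            # Copy into memory first, then measure the copy (S500 and the copy/measure scripts).
            memory[key] = verify(stage, storage[key], whitelists[key], log)
    except BootTerminated as exc:
        log.append(str(exc))
        return None, log
    return memory, log


def tampered(storage: dict, key: str) -> dict:
    """Constructed scenario: one stored artifact was modified after the white list was provisioned."""
    modified = dict(storage)
    modified[key] = storage[key] + b" (modified)"
    return modified


if __name__ == "__main__":
    wl = build_whitelists(EXTERNAL_STORAGE)
    for line in secure_boot(EXTERNAL_STORAGE, wl)[1]:
        print(line)
    print("--- with a modified second OS image ---")
    for line in secure_boot(tampered(EXTERNAL_STORAGE, "img1"), wl)[1]:
        print(line)
```

The order of the stage list is the point of the example: a modified Img1 is detected at the second measurement script, so the activation script for the second kernel never runs and the log ends with the warning rather than with the application stages. The same structure shows why the white lists must sit in memory the boot code trusts (on-chip memory in the patent): a white list stored next to the images it verifies could be replaced together with them.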
In an embodiment, please continue to refer to fig. 3, before step S400, steps S100 to S300 are further included.
Step S100: carrying out physical memory management on the first kernel and the second kernel.
The physical memory includes a shared physical memory and an exclusive physical memory. And performing physical memory management on the first kernel and the second kernel, including resource partitioning and access management on the two kernels.
Specifically, the way of performing physical Memory Management on the first kernel and the second kernel is not unique, for example, different address spaces may be allocated to the two kernels through physical Memory partitioning, and then by setting an MMU (Memory Management Unit) inside the kernels, the master kernel CORE1 and the slave kernel CORE2 are restricted from accessing only their own address spaces.
In one embodiment, step S100 includes: performing, by an arbiter, access priority ordering of the shared physical memory for the first kernel and the second kernel; and partitioning the exclusive physical memory by the configuration function of the board support package.
The shared physical memory consists of limited peripheral resources such as memory and interrupts. These peripheral resources all have certain timing requirements during access, i.e. completing function A requires the uninterrupted execution of operation A1, operation A2 and operation A3 in sequence. Because of this timing requirement, when a peripheral resource is being accessed by one operating agent, access to the peripheral resource by all other operating agents must be blocked in some way. For two operating systems running on two independent kernels, if the two operating systems access the same peripheral resource at the same time, they must be mutually exclusive in resource access, which causes the two kernels to wait for each other and seriously affects the running efficiency of the two operating system images. Therefore, resource partitioning and management need to be performed for the two operating system images running on the dual cores, so that the situation in which the two operating systems wait for each other is avoided as far as possible and their running efficiency is effectively improved.
Specifically, the operation of each core needs resources such as a memory and an interrupt, the memory and the interrupt are shared between the first core and the second core, and the shared memory access is subjected to priority sequencing or access queuing operation by adding an arbiter between the shared physical memory and the relay protection SOC chip internal bus, so that the condition of access errors caused by parallel physical access can be effectively avoided. Further, in order to ensure the correctness of memory sharing access, the respective memory use areas of the first kernel and the second kernel are divided into independent memory physical areas; meanwhile, a corresponding independent register is provided for the first kernel and the second kernel through the interrupt controller, and the first kernel and the second kernel access the corresponding independent registers and carry out arbitration and final operation by the interrupt controller, so that the problem caused by simultaneous access of the registers can be effectively avoided as long as the first kernel and the second kernel are provided with respective interrupt sources and the first kernel and the second kernel are ensured not to use the same shared interrupt source.
In addition, in the relay protection SOC chip, except limited resources such as a memory and an interrupt, other peripheral resources can be partitioned as an exclusive working mode, and the peripheral resources are an exclusive physical memory. Because the running relevance of the memory and the corresponding operating system is very high, the start address and the macro definition of the memory range of the two kernel operating systems are modified through the configuration function of a Board Support Package (BSP), and the physical address range of the memory used by the link script and the kernel operating system mirror image is modified simultaneously to avoid the overlapping of the physical application memory between the first kernel and the second kernel, and then two different Device Trees (DT) are respectively designed for the two kernel operating system mirror images to realize the memory partition of the exclusive resource.
It can be understood that, because the interrupt controller and the peripherals have a strong corresponding relationship, the partitioning of the interrupt controller follows naturally once the peripheral partitioning is completed, that is: a device tree description is designed for the operating system image corresponding to each kernel, a device tree blob (DTB) is generated from it by the Device Tree Compiler (DTC), and after the initialization of the basic operating system services is completed, the device tree blob is read, the peripheral resources allocated to that operating system are determined according to the device list in the device tree, and the peripheral resources are initialized one by one, thereby realizing the partitioning of the peripherals and the interrupt controller. It should be noted that the device trees corresponding to the first core and the second core are different.
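The partition rules stated in step S100 (exclusive memory ranges of the two kernel operating system images must not overlap, the arbiter-managed shared memory stays separate from them, and the two kernels must not use the same shared interrupt source or the same exclusive peripheral) are the kind of invariants worth checking before the start addresses and macro definitions are committed to the board support package and device trees. The following added example, not code from the patent or its assignee, validates a constructed partition plan and models the MMU restriction that each core may only touch its own exclusive regions plus the shared regions. All addresses, sizes, interrupt numbers, peripheral names and the helper names `check_partition` and `mmu_allows` are assumptions for the example.

```python
"""Validate a dual-core resource partition plan (added example, not the patent's code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Region:
    """A physical address range [start, end)."""
    name: str
    start: int
    size: int

    @property
    def end(self) -> int:
        return self.start + self.size

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end

    def overlaps(self, other: "Region") -> bool:
        return self.start < other.end and other.start < self.end


# Constructed plan; every value below is made up for illustration.
SHARED_MEMORY = [Region("shared_ram", 0x4000_0000, 0x0010_0000)]   # arbiter-managed

GOOD_PLAN = {
    "CORE1": {
        "memory": [Region("core1_ddr", 0x4010_0000, 0x0800_0000)],
        "interrupts": {32, 33, 40},
        "peripherals": {"eth0", "emmc0"},
    },
    "CORE2": {
        "memory": [Region("core2_ddr", 0x4810_0000, 0x0800_0000)],
        "interrupts": {34, 35, 41},
        "peripherals": {"spi1", "uart1"},
    },
}


def check_partition(shared: list[Region], plans: dict) -> list[str]:
    """Return a list of rule violations; an empty list means the plan is consistent."""
    problems = []
    cores = list(plans)
    for i, a in enumerate(cores):
        for ra in plans[a]["memory"]:
            # Exclusive memory must not collide with the shared (arbitrated) memory ...
            for s in shared:
                if ra.overlaps(s):
                    problems.append(f"{a}: {ra.name} overlaps shared region {s.name}")
            # ... nor with the other core's exclusive memory.
            for b in cores[i + 1:]:
                for rb in plans[b]["memory"]:
                    if ra.overlaps(rb):
                        problems.append(f"{a}/{b}: {ra.name} overlaps {rb.name}")
        for b in cores[i + 1:]:
            # Interrupt sources and exclusive peripherals are handed to exactly one core.
            irqs = plans[a]["interrupts"] & plans[b]["interrupts"]
            if irqs:
                problems.append(f"{a}/{b}: shared interrupt source(s) {sorted(irqs)}")
            devs = plans[a]["peripherals"] & plans[b]["peripherals"]
            if devs:
                problems.append(f"{a}/{b}: shared exclusive peripheral(s) {sorted(devs)}")
    return problems


def mmu_allows(core: str, plans: dict, shared: list[Region], addr: int) -> bool:
    """Model of the per-core MMU rule: own exclusive regions and shared regions only."""
    return any(r.contains(addr) for r in plans[core]["memory"] + shared)


def bad_plan() -> dict:
    """Constructed mistake: CORE2's range was moved into CORE1's, and IRQ 33 is listed twice."""
    plan = {k: dict(v) for k, v in GOOD_PLAN.items()}
    plan["CORE2"]["memory"] = [Region("core2_ddr", 0x4400_0000, 0x0800_0000)]
    plan["CORE2"]["interrupts"] = {33, 35, 41}
    return plan


if __name__ == "__main__":
    print("good plan:", check_partition(SHARED_MEMORY, GOOD_PLAN) or "no problems")
    for p in check_partition(SHARED_MEMORY, bad_plan()):
        print("bad plan:", p)
```

The overlap test uses half-open ranges, so two regions that touch end to start (CORE1 ending exactly where CORE2 begins) are accepted, which is what the adjacent start addresses written into the BSP macros look like in practice.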
Step S200: establish the mapping between physical memory and virtual memory.
Virtual memory is a technique for managing the memory of a computer system. It lets an application behave as if it had a contiguous block of available memory (a complete, contiguous address space), while in practice that memory is usually split into multiple physical fragments, some of which may be held temporarily on external disk storage and swapped in when needed. Virtual memory can therefore be a combination of RAM and some space on the hard disk.
In one embodiment, the virtual memory includes NOR Flash connected to the first core and the second core, and eMMC connected to the first core. There may be one or two NOR Flash devices. The capacities of the NOR Flash and the eMMC are not fixed; for example, the eMMC may be 1 GB, 2 GB or 3 GB, and the NOR Flash 16 MB, 32 MB or 64 MB.
As shown in Fig. 4, the NOR Flash includes a first NOR Flash connected to the first core Core0 and a second NOR Flash connected to the second core Core1; each NOR Flash is connected to its core through a Local Bus or SPI (Serial Peripheral Interface). The first NOR Flash holds a first Yaffs file system (a log-structured file system for flash) for data storage and, outside the Yaffs file system, the secondary Boot, the first core operating system image file Img0 and the second core operating system image file Img1. The second NOR Flash holds a second Yaffs file system for data storage. The first and second Yaffs file systems each contain a tffs top-level directory for program configuration storage and a set top-level directory for setting-value storage.
The eMMC is connected to the first core Core0 through SDIO (Secure Digital Input and Output). A third Yaffs file system is placed on the eMMC, which Core0 can access directly, and a data top-level directory in the third Yaffs file system stores data. The second core Core1 is connected to Core0 over a virtual Ethernet link and accesses the third Yaffs file system through Core0 using NFS. Because Core1 fetches its files over this path, the integrity of what Core1 loads depends on Core0 and on the measurement of the application after it has been loaded, as described in the start-up flow below.
Further, as shown in Table 1, application file systems can be created independently in the first core and the second core on top of the tffs, set and data top-level directories, covering program and version storage, parameter and setting storage, and data file storage respectively. For reliability, files are classified as key or non-key according to their effect on the application function and stored in different directories, so that file operations do not interfere with one another.
Table 1: Application file scheme of the first core and the second core (the table is provided as an image in the original document)
Specifically, the physical addresses of the different sections of the two cores are mapped to the corresponding virtual addresses through the MMU, so that memory is accessed through the memory operation functions within the configured virtual address range and no storage division has to be done at the application level; as shown in Fig. 5, the virtual addresses of the two cores can be set to be identical. This prevents a program from illegally accessing another program's memory, reduces memory fragmentation and improves the performance of the dual-core relay protection system. The isolation holds only if each core's page tables are set up before the application runs and cannot be changed by application code.
As shown in Fig. 6, if only one NOR Flash is used and shared by the first core and the second core, the second core operating system image file, i.e. the Core1 operating system image, is also stored in that NOR Flash.
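The following C model is added here as an illustration and is not code from the patent. It shows the point of Fig. 5 in executable form: both cores use the same virtual layout, but each core's page table points those virtual pages at its own exclusive DDR region, with one shared window for the Mailbox, so a virtual address that is not in the core's table faults instead of reaching another core's memory. The physical bases (0x80000000, 0x84000000, 0x8F000000), the 4 KiB page size, the 64-page virtual space, the text/data/Mailbox layout and the read-only text pages are all assumptions chosen for the example, and the single-level table is a simplification rather than the CK810 MMU format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: single-level page-table model of the per-core MMU mapping.
 * Every address, size and permission below is an assumption for illustration. */
#define PAGE_SHIFT     12
#define PAGE_SIZE      (1u << PAGE_SHIFT)
#define VA_PAGES       64                    /* 256 KiB of virtual space per core */

#define CORE0_DDR_BASE 0x80000000u           /* exclusive physical region of Core0 */
#define CORE1_DDR_BASE 0x84000000u           /* exclusive physical region of Core1 */
#define MBOX_PA_BASE   0x8F000000u           /* shared physical region (Mailbox) */

/* Identical virtual layout on both cores (assumed). */
#define VA_TEXT  0x00000000u                 /* OS/application image: read-only */
#define VA_DATA  0x00010000u                 /* application data: read/write */
#define VA_MBOX  0x00030000u                 /* shared Mailbox window: read/write */

enum { ACCESS_OK = 0, FAULT_UNMAPPED = 1, FAULT_WRITE_PROTECT = 2, FAULT_RANGE = 3 };

typedef struct { uint32_t pa_page; uint8_t valid; uint8_t writable; } pte_t;
typedef struct { pte_t pte[VA_PAGES]; } core_mmu_t;

/* Map npages consecutive pages starting at va onto pa with the given permission. */
void mmu_map(core_mmu_t *m, uint32_t va, uint32_t pa, size_t npages, int writable) {
    for (size_t i = 0; i < npages; i++) {
        size_t idx = (va >> PAGE_SHIFT) + i;
        if (idx >= VA_PAGES) return;
        m->pte[idx].pa_page  = (pa >> PAGE_SHIFT) + (uint32_t)i;
        m->pte[idx].valid    = 1;
        m->pte[idx].writable = (uint8_t)(writable != 0);
    }
}

/* Translate one access. On success stores the physical address in *pa and returns
 * ACCESS_OK; otherwise returns the fault the MMU would raise. */
int mmu_translate(const core_mmu_t *m, uint32_t va, int is_write, uint32_t *pa) {
    size_t idx = va >> PAGE_SHIFT;
    if (idx >= VA_PAGES) return FAULT_RANGE;
    const pte_t *p = &m->pte[idx];
    if (!p->valid) return FAULT_UNMAPPED;
    if (is_write && !p->writable) return FAULT_WRITE_PROTECT;
    *pa = (p->pa_page << PAGE_SHIFT) | (va & (PAGE_SIZE - 1));
    return ACCESS_OK;
}

/* Build the table for core 0 or core 1: same VA layout, different exclusive PA base.
 * 16 text pages (RO), 32 data pages (RW), 8 shared Mailbox pages (RW); rest unmapped. */
void mmu_build_for_core(core_mmu_t *m, int core) {
    uint32_t base = core == 0 ? CORE0_DDR_BASE : CORE1_DDR_BASE;
    memset(m, 0, sizeof *m);
    mmu_map(m, VA_TEXT, base,            16, 0);
    mmu_map(m, VA_DATA, base + 0x10000u, 32, 1);
    mmu_map(m, VA_MBOX, MBOX_PA_BASE,     8, 1);
}
```

With these tables, virtual address 0x00011234 resolves to 0x80011234 on Core0 and to 0x84011234 on Core1, the same shared Mailbox page resolves to the same physical page on both cores, and a write to the text region or any access outside the mapped pages is refused before it reaches the bus.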
Step S300: construct the communication mechanism between the first core and the second core.
The communication mechanism between the first core and the second core comprises the communication protocol and the communication link adopted. Specifically, a buffered communication mechanism or a direct I/O communication mechanism may be defined as the mechanism between the first core and the second core. Once the mechanism has been determined, the rules for data exchange between the first core and the second core are defined, which helps the subsequent start-up process proceed smoothly.
In one embodiment, the communication mechanism is a Mailbox mechanism, the Mailbox being a shared storage area. Specifically, the data to be transmitted by one core is written into the Mailbox; once the Mailbox has received the data, the interrupt controller notifies the other core, which reads the data from the Mailbox, thereby realizing data transfer between the first core and the second core. Further, as shown in Fig. 7, link-layer transmission and reception between the first core Core0 and the second core Core1 is based on the Mailbox mechanism, and a transport layer and an application layer are built on top of the link layer to establish reliable communication between Core0 and Core1.
Furthermore, the data to be transmitted between the first core and the second core can be divided into priorities at the transport layer, and transmission can then be scheduled by priority. Specifically, high and low priority transmission is realized by setting up different message buffer queues. As shown in Table 2, the priorities may be high, medium and low: high priority is transmission data with a small data volume and a high real-time requirement, low priority is transmission data with a large data volume and a low real-time requirement, and all other data is medium priority. In addition, reliability guarantees such as acknowledgement, retransmission and verification (for example a checksum) can be handled at the transport layer, which improves the reliability of data transfer between the cores.
Table 2: Classification of data transferred between the first core and the second core (the table is provided as an image in the original document)
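As an added example (not code from the patent), the Mailbox mechanism and the transport-layer priority queues described above can be modelled in C as follows. The shared area holds one ring per priority and a doorbell flag standing in for the interrupt-controller notification; `mbox_classify` implements the Table 2 rule with an assumed 16-byte threshold for "small data volume"; a Fletcher-16 checksum stands in for the verification step, and a corrupt message is reported so that the receiver can NAK it and the sender retransmit. The ring depth, payload size, threshold, checksum and scenario data are all assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example: shared-memory Mailbox with per-priority rings. Sizes are assumed. */
#define MBOX_SLOTS   8      /* ring depth per priority */
#define MBOX_PAYLOAD 48     /* bytes per message */
#define SMALL_MSG    16     /* "small data volume" threshold in bytes */

enum { PRIO_HIGH = 0, PRIO_MED = 1, PRIO_LOW = 2, PRIO_COUNT = 3 };
enum { MBOX_EMPTY = -1, MBOX_CORRUPT = -2, MBOX_FULL = -3, MBOX_TOO_BIG = -4 };

typedef struct {
    uint16_t seq;                /* sequence number: lets the receiver spot loss or duplicates */
    uint8_t  prio;               /* prio, len and data are single-byte members, hence contiguous */
    uint8_t  len;
    uint8_t  data[MBOX_PAYLOAD];
    uint16_t csum;               /* Fletcher-16 over prio, len and data */
} mbox_msg_t;

typedef struct { mbox_msg_t slot[MBOX_SLOTS]; uint8_t head, tail; } mbox_ring_t;

/* The shared area itself: three rings plus the doorbell the interrupt controller raises. */
typedef struct { mbox_ring_t ring[PRIO_COUNT]; int doorbell; uint16_t next_seq; } mailbox_t;

static uint16_t fletcher16(const uint8_t *p, size_t n) {
    uint16_t a = 0, b = 0;
    for (size_t i = 0; i < n; i++) { a = (uint16_t)((a + p[i]) % 255); b = (uint16_t)((b + a) % 255); }
    return (uint16_t)((b << 8) | a);
}

/* Transport-layer classification: small and time-critical -> high; large and not
 * time-critical -> low; everything else -> medium. */
int mbox_classify(size_t len, int realtime) {
    if (len <= SMALL_MSG && realtime)  return PRIO_HIGH;
    if (len >  SMALL_MSG && !realtime) return PRIO_LOW;
    return PRIO_MED;
}

/* Sending core: write into the ring of the chosen priority and ring the doorbell.
 * Returns the sequence number, or a negative MBOX_* code. */
int mbox_send(mailbox_t *mb, const uint8_t *data, size_t len, int realtime) {
    if (len > MBOX_PAYLOAD) return MBOX_TOO_BIG;
    int prio = mbox_classify(len, realtime);
    mbox_ring_t *r = &mb->ring[prio];
    uint8_t next = (uint8_t)((r->tail + 1) % MBOX_SLOTS);
    if (next == r->head) return MBOX_FULL;        /* back-pressure: caller retries later */
    mbox_msg_t *m = &r->slot[r->tail];
    m->seq  = mb->next_seq++;
    m->prio = (uint8_t)prio;
    m->len  = (uint8_t)len;
    memcpy(m->data, data, len);
    m->csum = fletcher16(&m->prio, 2 + len);
    r->tail = next;                               /* publish only after the slot is complete */
    mb->doorbell = 1;                             /* interrupt controller notifies the other core */
    return m->seq;
}

/* Receiving core: drain the highest non-empty priority first. Returns the priority of
 * the message copied to *out, MBOX_EMPTY, or MBOX_CORRUPT (NAK it so the sender
 * retransmits that sequence number). */
int mbox_recv(mailbox_t *mb, mbox_msg_t *out) {
    for (int p = PRIO_HIGH; p < PRIO_COUNT; p++) {
        mbox_ring_t *r = &mb->ring[p];
        if (r->head == r->tail) continue;
        *out = r->slot[r->head];
        r->head = (uint8_t)((r->head + 1) % MBOX_SLOTS);
        if (fletcher16(&out->prio, 2 + out->len) != out->csum) return MBOX_CORRUPT;
        return p;
    }
    mb->doorbell = 0;
    return MBOX_EMPTY;
}

/* Constructed scenario: Core0 queues a 40-byte waveform record (low), a 20-byte
 * time-critical event (medium) and a 4-byte trip command (high) in that order; Core1
 * must get the trip command first. Returns the number read; order[] gets the priorities. */
int demo_priority_order(int order[3]) {
    mailbox_t mb; memset(&mb, 0, sizeof mb);
    uint8_t wave[40];  memset(wave, 'w', sizeof wave);
    uint8_t event[20]; memset(event, 'e', sizeof event);
    const uint8_t trip[4] = { 'T', 'R', 'I', 'P' };
    mbox_send(&mb, wave, sizeof wave, 0);
    mbox_send(&mb, event, sizeof event, 1);
    mbox_send(&mb, trip, sizeof trip, 1);
    mbox_msg_t m; int n = 0;
    while (n < 3 && (order[n] = mbox_recv(&mb, &m)) >= 0) n++;
    return n;
}

/* Constructed scenario: a bit flip in the shared area after the message was written
 * is caught by the checksum. Returns 1 if it was detected. */
int demo_corruption_detected(void) {
    mailbox_t mb; memset(&mb, 0, sizeof mb);
    const uint8_t trip[4] = { 'T', 'R', 'I', 'P' };
    mbox_send(&mb, trip, sizeof trip, 1);
    mb.ring[PRIO_HIGH].slot[0].data[0] ^= 0x80;   /* corruption in shared memory */
    mbox_msg_t m;
    return mbox_recv(&mb, &m) == MBOX_CORRUPT;
}
```

The sender advances `tail` only after the slot is fully written, which is what makes the doorbell safe: the receiving core never sees a half-written message. In real firmware the ring indices would be `volatile` and the write of `tail` would be preceded by a memory barrier so the other core observes the payload before the index.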
In the above embodiment, before the first-level Boot is executed on the first core, the first core and the second core are physically partitioned, which ensures correct memory access; the mapping between physical memory and virtual memory is established so that the physical addresses of the different sections of the two cores are mapped to the corresponding virtual addresses through the MMU, which both prevents illegal access to other programs' memory and reduces memory fragmentation, helping to improve the performance of the dual-core relay protection system; and a communication mechanism between the first core and the second core is constructed so that the subsequent start-up process can proceed smoothly. Together, these measures further improve the security of the start-up process of the dual-core relay protection system.
For ease of understanding, the start-up process of the dual-core relay protection system is described in detail below with reference to Fig. 8. As shown in Fig. 8, a first core Core0 and a second core Core1 are integrated on a dual-core processor, and the peripheral storage comprises NOR Flash connected to Core0 and Core1, eMMC connected to Core0, and DDR connected to Core0 and Core1. The dual-core processor also has an on-chip RAM. The NOR Flash stores the secondary Boot and the operating system images of the two cores, and the eMMC stores the application programs of the two cores.
Specifically, shared resources and exclusive resources are partitioned according to the functions of the first core and the second core; the mapping between physical memory and virtual memory is then established at the physical layer, so that the physical addresses of the different sections of the two cores are mapped to the corresponding virtual addresses through the MMU; finally, the first core and the second core are started respectively and the corresponding first core application program and second core application program are executed in turn. This realizes cooperative operation of the two operating systems on the relay protection SoC, avoids the two cores waiting on each other because of parallel physical access errors, and effectively improves the running efficiency of the two operating system images.
Furthermore, the relay protection device is also provided with DDR (double data rate) memory that works with the dual-core processor to realize trusted loading of the dual-core relay protection system. As shown in Fig. 8, the trusted loading process is as follows:
the first-level Boot is executed;
the secondary Boot is copied to the on-chip RAM and to the DDR;
the first-level Boot runs a measurement script, calculates the hash value of the secondary Boot and compares it with the white list stored in the on-chip RAM; if the check passes, the next step is performed;
the program jumps to the secondary Boot in the DDR and executes it; the secondary Boot reads the Core0 operating system image from the NOR Flash and copies it into the DDR;
the secondary Boot runs a measurement script, calculates the hash value of the Core0 operating system image in the DDR and compares it with the white list stored in the on-chip RAM; if the check passes, the next step is performed;
the secondary Boot reads the Core1 operating system image from the NOR Flash and copies it into the DDR;
the secondary Boot runs a measurement script, calculates the hash value of the Core1 operating system image in the DDR and compares it with the white list stored in the on-chip RAM; if the check passes, the next step is performed;
the secondary Boot activates Core1;
Core1 initializes its operating system and waits for the Core0 operating system image to finish initializing;
Core0 jumps to the Core0 operating system image in the DDR and executes it; during execution, peripherals such as the eMMC are initialized, together with interrupt initialization, network initialization, NFS initialization and so on; the Core0 application program is then loaded from the file system on the eMMC into the DDR;
the Core0 operating system loads a measurement program and measures the Core0 application program in the DDR;
Core1 completes NFS initialization and loads the Core1 application program from the file system on the eMMC into the DDR over NFS;
the Core1 operating system loads a measurement program and measures the Core1 application program in the DDR;
Core0 executes the Core0 application program in the DDR according to the start-up script;
Core1 executes the Core1 application program in the DDR according to the start-up script; the whole start-up procedure is then complete.
In the above embodiment, a multi-level measurement and verification scheme is used: each stage measures the next stage before handing control to it, and the measurement is taken on the copy in the DDR that will actually be executed rather than on the copy in flash, which closes the gap between the check and the use of the image. This ensures the legitimacy and integrity of the relevant program files during the start-up of the dual-core relay protection system, reduces the security risks of the start-up process and improves its security. The root of trust of the chain is the first-level Boot together with the hash white list held in the on-chip RAM; the scheme relies on neither being modifiable by an attacker, since a white list that can be rewritten would accept a tampered image.
The technical features of the above embodiments can be combined arbitrarily. For brevity, not all possible combinations of the technical features of the above embodiments are described, but any combination that involves no contradiction should be considered within the scope of this specification.
The above examples express only several embodiments of the present application; their description is specific and detailed, but it should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within its scope of protection. Therefore, the scope of protection of this patent shall be subject to the appended claims.

Claims (10)

1. A secure start-up method for a dual-core relay protection system, characterized in that it comprises the following steps:
executing a first-level Boot on a first core;
copying a secondary Boot to a memory and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result;
when the secondary Boot measurement verification result is a pass, executing the secondary Boot to complete copying and loading of a first core operating system image file and a second core operating system image file, and activating a second core;
executing the first core operating system image file and the second core operating system image file respectively to complete initialization of the corresponding operating system and loading of the corresponding application program;
and executing the corresponding application program according to a start-up script to complete start-up of the dual-core relay protection system.
2. The secure start-up method for a dual-core relay protection system according to claim 1, wherein copying the secondary Boot to a memory and performing measurement verification on the secondary Boot to obtain a secondary Boot measurement verification result comprises:
copying the secondary Boot to a memory, calculating a hash value of the secondary Boot, and comparing the hash value with a preset hash value white list to obtain the secondary Boot measurement verification result.
3. The secure start-up method for a dual-core relay protection system according to claim 1, wherein, when the secondary Boot measurement verification result is a pass, executing the secondary Boot to complete copying and loading of a first core operating system image file and a second core operating system image file, and activating a second core, comprises:
when the secondary Boot measurement verification result is a pass, executing a first copy script of the secondary Boot to copy the first core operating system image file from an external storage device and load it into a memory;
executing a first measurement script of the secondary Boot to perform measurement verification on the first core operating system image file and obtain a first operating system measurement verification result;
when the first operating system measurement verification result is a pass, executing a second copy script of the secondary Boot to copy the second core operating system image file from an external storage device and load it into a memory;
executing a second measurement script of the secondary Boot to perform measurement verification on the second core operating system image file and obtain a second operating system measurement verification result;
and when the second operating system measurement verification result is a pass, executing an activation script of the secondary Boot to activate the second core.
4. The secure start-up method for a dual-core relay protection system according to claim 1, wherein the initialization of the operating system comprises peripheral initialization, interrupt initialization, network initialization and NFS initialization.
5. The secure start-up method for a dual-core relay protection system according to claim 1, wherein, after executing the first core operating system image file and the second core operating system image file respectively to complete initialization of the corresponding operating system and loading of the corresponding application program, and before executing the corresponding application program according to the start-up script to complete start-up of the dual-core relay protection system, the method further comprises:
performing measurement verification on the first core application program and the second core application program respectively.
6. The secure start-up method for a dual-core relay protection system according to claim 1, wherein the first core and the second core are both CK810 cores.
7. The secure start-up method for a dual-core relay protection system according to any one of claims 1 to 6, wherein, before executing the first-level Boot on the first core, the method further comprises:
performing physical memory management on the first core and the second core;
establishing a mapping between physical memory and virtual memory;
and constructing a communication mechanism between the first core and the second core.
8. The secure start-up method for a dual-core relay protection system according to claim 7, wherein performing physical memory management on the first core and the second core comprises:
prioritizing access to the shared physical memory by the first core and the second core through an arbiter;
and partitioning the exclusive physical memory through the configuration function of the Board Support Package.
9. The secure start-up method for a dual-core relay protection system according to claim 7, wherein the virtual memory includes NOR Flash connected to the first core and the second core, and eMMC connected to the first core.
10. The secure start-up method for a dual-core relay protection system according to claim 7, wherein the communication mechanism is a Mailbox mechanism.
CN202111007007.2A 2021-08-30 2021-08-30 Safe starting method of dual-core relay protection system Pending CN113642006A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111007007.2A CN113642006A (en) 2021-08-30 2021-08-30 Safe starting method of dual-core relay protection system


Publications (1)

Publication Number Publication Date
CN113642006A true CN113642006A (en) 2021-11-12

Family

ID=78424512


Country Status (1)

Country Link
CN (1) CN113642006A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114780152A (en) * 2022-03-22 2022-07-22 西安广和通无线软件有限公司 Computing equipment starting method and device
CN114780152B (en) * 2022-03-22 2024-03-15 西安广和通无线软件有限公司 Computing device starting method and device
CN114968388A (en) * 2022-08-01 2022-08-30 摩尔线程智能科技(北京)有限责任公司 Booting method and system applied to microprocessor
CN115495159A (en) * 2022-11-14 2022-12-20 南京芯驰半导体科技有限公司 Chip multi-hardware domain starting method and device


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination