CN113778553A - High-reliability start loading method for embedded avionic device - Google Patents
- Publication number: CN113778553A (application CN202110994705.XA)
- Authority: CN (China)
- Prior art keywords: vxworks653, image, loading, ram, embedded
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F9/44521—Program loading or initiating: dynamic linking or loading; link editing at or after load time, e.g. Java class loading
- G06F11/0739—Error or fault processing not based on redundancy, taking place on a specific hardware platform or software environment, in functional embedded systems embedded in automotive or aircraft systems
- G06F11/1433—Saving, restoring, recovering or retrying at system level during software upgrading
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F8/63—Software deployment, installation: image based installation; cloning; build to order
- G06F8/65—Software deployment: updates
- G06F9/4401—Bootstrapping
Abstract
The invention discloses a high-reliability start-up and loading method for embedded avionic equipment, comprising the following steps: step 1, power on the embedded avionic equipment and complete hardware initialization; step 2, copy the VxWorks653 image from ROM to the reference (base) address in RAM, then move the VxWorks653 image from the RAM reference address to the executable address in RAM and start running it. Because the VxWorks653 image can be burned at any address in ROM, redundant backup becomes possible, which avoids the situation in which system function cannot be recovered once an online load fails; this satisfies the reliability requirement of the upgrade process while keeping a good user experience.
Description
Technical Field
The invention belongs to the field of airborne computers for avionics systems, and in particular relates to a high-reliability start-up and loading method for embedded avionic equipment based on VxWorks 653.
Background
A real-time operating system (RTOS) is a key component of aircraft onboard software: it manages the hardware and schedules and executes the application software. ARINC 653 is the international industry standard for onboard real-time operating systems, and both civil and military aircraft use RTOSs that conform to it. Civil aircraft airworthiness certification in particular imposes strict approval requirements on the operating system. Wind River's VxWorks653 RTOS is widely used in embedded and airborne systems; it strictly follows ARINC 653 and lets a single system host multiple applications of different safety (criticality) levels without them interfering with one another.
Referring to the architecture block diagram of a typical embedded avionics device in Fig. 1, the layers from bottom to top are: the hardware platform, the board support package (BSP), the real-time operating system (RTOS, typically VxWorks 653), and the partitioned application software.
Referring to the conventional boot process of an embedded avionic device in Fig. 2: when the device is powered on, it first runs the boot program stored in ROM, which copies the VxWorks image from ROM to RAM and then transfers control to the image entry code in RAM, after which the complete system runs from RAM.
Disclosure of Invention
The invention aims to provide a high-reliability start-up and loading method for embedded avionic equipment that can detect, at start-up and at run time, image damage caused by component bit flips or high-altitude particle strikes, so that such damage does not affect flight safety or cause flight accidents. At the same time, the invention provides image redundancy backup and address-independent burning for VxWorks653: even if a system upgrade fails, the equipment can still be restarted, which avoids returning it to the factory and improves the user experience.
The invention is realized by the following technical scheme.
A high-reliability start-up and loading method for embedded avionic equipment comprises the following steps:
step 1, power on the embedded avionic equipment and complete hardware initialization;
step 2, copy the VxWorks653 image from ROM to the reference address in RAM, then move the VxWorks653 image from the RAM reference address to the executable address in RAM and start running it.
Further, step 2 also includes an integrity check of the VxWorks653 image after it has been copied to the RAM base address; only after the check passes is the image moved from the RAM base address to the executable address in RAM.
Preferably, the integrity check works as follows: when the VxWorks653 image is burned into ROM, a check code is appended to the tail of the image, computed over the image with a cryptographic algorithm (the detailed description uses the SHA-1 hash). When the equipment starts, after the VxWorks653 image has been copied to RAM, the same algorithm is run over the image text and the result is compared with the check code stored at the tail of the image: if they match, the image is intact; if they differ, the image is damaged.
Further, the high-reliability start-up loading method for embedded avionic equipment also comprises the following steps:
step 3, judge whether an online load/upgrade is required; if not, run the normal system functions; if a load/upgrade is required, go to the next step;
step 4, back up the current VxWorks653 image, then start the load/upgrade; if it succeeds, restart the equipment with the new VxWorks653 image; if it fails, restart the equipment with the backup VxWorks653 image.
Preferably, two areas, A and B, are set aside on the ROM to hold the current version and the previous version of each VxWorks653 image, and two slot areas are defined in the program to hold the A/B area mark of each VxWorks653 image.
On entering step 4, the method first determines which slot area is the primary slot and which is the backup slot, then copies the A/B mark of every VxWorks653 image from the primary slot to the backup slot. The VxWorks653 images to be updated are then loaded and upgraded one by one, and the A/B mark of each updated image is updated in the primary slot. If the load/upgrade completes successfully, the equipment boots using the A/B marks in the primary slot; otherwise it boots using the A/B marks from the backup slot.
The beneficial effects of the invention are:
a) An integrity check is used: when the VxWorks653 image is burned into ROM, a SHA-1 hash of the image is computed and appended to the image tail as the check code. When the equipment starts and the VxWorks653 image has been copied to RAM, the SHA-1 hash of the image is computed again and compared with the check code at the tail. This ensures that the image copied into RAM is intact before it is run, so that a damaged image cannot affect flight safety.
b) Because the VxWorks653 image is built to be address independent and redundant backup is used, the situation in which system function cannot be recovered after a failed online load is avoided. Since frequent system updates (online loads) are common after a device is delivered to the customer (airline or military user), the upgrade process must be both reliable and convenient for the user.
Drawings
Fig. 1 is an architecture block diagram of an embedded avionics device.
Fig. 2 shows the conventional start-up procedure of an embedded avionics device.
Fig. 3 is a flowchart of the high-reliability boot loading method for an embedded avionic device according to the present invention.
FIG. 4 is a schematic diagram of the A/B areas.
FIG. 5 is a flow diagram of online loading and redundant backup of images.
FIG. 6 illustrates the two-stage image relocation.
FIG. 7 shows the layout of an image on the ROM.
FIG. 8 shows the A/B area information held in the slot areas.
Detailed Description
The present invention is described in further detail below with reference to the drawings and an embodiment.
Referring to Fig. 3, the high-reliability start-up loading method for embedded avionic devices according to this embodiment comprises the following steps.
Step 1: power on the embedded avionic device and complete hardware initialization.
Step 2: copy the VxWorks653 image from ROM to the bound RAM reference address, then check the integrity of the VxWorks653 image. If the check fails, the device shuts down automatically. If the check passes, the VxWorks653 image is moved from the RAM reference address to the executable address in RAM and starts running. The RAM executable address is fixed by the operating system when the software is compiled; the RAM reference address is specified by the developer in the program's configuration file.
Step 3: judge whether an online load/upgrade is required. If not, run the normal system functions; if a load/upgrade is needed, go to the next step.
Step 4: back up the current VxWorks653 image, then start the load/upgrade. If it succeeds, restart the device with the new VxWorks653 image; if it fails, restart the device with the backup VxWorks653 image.
The key techniques in this embodiment are as follows.
Burning at an arbitrary address
The key point of the method is that the VxWorks653 image can be burned at any address in ROM. When VxWorks653 is compiled, the image is by default bound to a fixed ROM address and can only be burned there. To implement redundant backup, the same VxWorks653 image would have to be compiled twice, bound to two different ROM addresses; maintaining two builds is cumbersome and inflexible for software development and release. This embodiment instead uses a two-stage relocation technique: the VxWorks653 image is made independent of its ROM address and can be burned anywhere in ROM. Fig. 6 illustrates the two-stage relocation. The VxWorks653 RTOS image is bound to a RAM base address at compile time, so the offsets of its data, code and read-only segments are all relative to a RAM address. Fig. 2 above shows the conventional flow, in which the image is moved from ROM to RAM, specifically to the program's executable address in RAM. In Fig. 6 the image is likewise moved from ROM to RAM in the first stage, but unlike Fig. 2 the destination is the base address bound at compile time. Immediately afterwards, in the second stage, the image is moved from that RAM base address to the executable address in RAM and starts running. The two-stage relocation of Fig. 6 allows the VxWorks653 image to be burned at any ROM address, which in turn enables the image redundancy backup technique described below.
Image integrity checking
The VxWorks653 image has no built-in checking function, so this embodiment adds one by way of example. When the VxWorks653 image is burned into ROM, a check code is appended to its tail, as shown in Fig. 7; the check code is computed over the image with a cryptographic hash algorithm, in this case SHA-1. When the equipment starts and the VxWorks653 image has been copied into RAM, the 20-byte SHA-1 hash of the image text is computed with the same algorithm and compared with the check code stored at the tail of the image: if they match, the image is intact; if they differ, the image is damaged. Note that SHA-1 is a hash function rather than an encryption algorithm, and an unkeyed hash stored alongside the image only detects accidental corruption such as bit flips: anyone who can rewrite the image in ROM can recompute the check code as well, and SHA-1 is no longer collision resistant. Detecting deliberate modification would require a keyed MAC or a digital signature, which this patent does not claim.
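The following C program is an added example, not code from the patent or from Wind River. It simulates step 2 together with the two techniques just described, on a toy ROM and RAM held in byte arrays: an image with a 20-byte SHA-1 check code appended is burned at two different ROM offsets (the address-independent burning of the previous section), copied to the RAM reference address, verified there, and moved on to the executable address; a single flipped bit in one copy is then rejected while the other copy still boots. The ROM/RAM sizes, the addresses `RAM_BASE` and `RAM_EXEC`, the image bytes and the functions `burn_image`, `boot_load` and `scenario` are all assumptions for illustration; the SHA-1 routine is a minimal FIPS 180-4 implementation checked against the standard "abc" test vector.

```c
/* Added example (not the patent's or Wind River's code). Toy ROM/RAM in byte
 * arrays; "addresses" are offsets into them (assumption). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROM_SIZE  4096
#define RAM_SIZE  4096
#define CHECK_LEN 20        /* SHA-1 digest length */
#define RAM_BASE  0x100     /* reference address bound at compile time (assumption) */
#define RAM_EXEC  0x800     /* executable address fixed by the OS build (assumption) */

static uint8_t rom[ROM_SIZE];
static uint8_t ram[RAM_SIZE];

static uint32_t rol(uint32_t x, int n) { return (x << n) | (x >> (32 - n)); }

/* Single-shot SHA-1 (FIPS 180-4) for messages shorter than 2^32 bits. */
static void sha1(const uint8_t *msg, size_t len, uint8_t out[CHECK_LEN])
{
    uint32_t h[5] = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0};
    uint64_t bitlen = (uint64_t)len * 8;
    size_t padded = ((len + 8) / 64 + 1) * 64;   /* room for 0x80 and the 64-bit length */
    for (size_t off = 0; off < padded; off += 64) {
        uint8_t blk[64];
        uint32_t w[80], a = h[0], b = h[1], c = h[2], d = h[3], e = h[4];
        for (int i = 0; i < 64; i++) {            /* build the block, padding on the fly */
            size_t p = off + i;
            if (p < len)              blk[i] = msg[p];
            else if (p == len)        blk[i] = 0x80;
            else if (p >= padded - 8) blk[i] = (uint8_t)(bitlen >> (8 * (padded - 1 - p)));
            else                      blk[i] = 0;
        }
        for (int t = 0; t < 16; t++)
            w[t] = (uint32_t)blk[4*t] << 24 | (uint32_t)blk[4*t+1] << 16 |
                   (uint32_t)blk[4*t+2] << 8 | blk[4*t+3];
        for (int t = 16; t < 80; t++) w[t] = rol(w[t-3] ^ w[t-8] ^ w[t-14] ^ w[t-16], 1);
        for (int t = 0; t < 80; t++) {
            uint32_t f, k;
            if (t < 20)      { f = (b & c) | (~b & d);          k = 0x5A827999; }
            else if (t < 40) { f = b ^ c ^ d;                   k = 0x6ED9EBA1; }
            else if (t < 60) { f = (b & c) | (b & d) | (c & d); k = 0x8F1BBCDC; }
            else             { f = b ^ c ^ d;                   k = 0xCA62C1D6; }
            uint32_t tmp = rol(a, 5) + f + e + k + w[t];
            e = d; d = c; c = rol(b, 30); b = a; a = tmp;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e;
    }
    for (int i = 0; i < 5; i++) {
        out[4*i] = (uint8_t)(h[i] >> 24); out[4*i+1] = (uint8_t)(h[i] >> 16);
        out[4*i+2] = (uint8_t)(h[i] >> 8); out[4*i+3] = (uint8_t)h[i];
    }
}

/* Self-check against the FIPS 180-4 "abc" test vector; returns 1 on match. */
static int sha1_selftest(void)
{
    static const uint8_t want[CHECK_LEN] = {0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
                                            0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d};
    uint8_t got[CHECK_LEN];
    sha1((const uint8_t *)"abc", 3, got);
    return memcmp(got, want, CHECK_LEN) == 0;
}

/* Burn time: image text followed by SHA-1(text) at any ROM offset.
 * Returns the total length (text + check code) the loader has to copy. */
static size_t burn_image(size_t rom_off, const uint8_t *text, size_t len)
{
    memcpy(rom + rom_off, text, len);
    sha1(text, len, rom + rom_off + len);
    return len + CHECK_LEN;
}

/* Boot time, step 2: first move ROM -> RAM base, verify the RAM copy, second
 * move to the executable address. Returns 1 if the image may run, 0 if it is
 * damaged (the embodiment shuts the device down in that case). */
static int boot_load(size_t rom_off, size_t total_len)
{
    size_t text_len = total_len - CHECK_LEN;
    uint8_t digest[CHECK_LEN];
    memcpy(ram + RAM_BASE, rom + rom_off, total_len);
    sha1(ram + RAM_BASE, text_len, digest);
    if (memcmp(digest, ram + RAM_BASE + text_len, CHECK_LEN) != 0)
        return 0;
    memmove(ram + RAM_EXEC, ram + RAM_BASE, text_len);
    return 1;
}

/* Constructed scenario: the same image burned at two ROM offsets, then one
 * bit flipped (single-event upset) in one copy. Returns 1 if all checks hold. */
static int scenario(void)
{
    static const uint8_t image[] = "constructed VxWorks653-style image text, not a real binary";
    size_t len = sizeof image - 1;
    size_t a_len = burn_image(0x040, image, len);   /* area A */
    size_t b_len = burn_image(0x900, image, len);   /* area B: other address, same bytes */
    if (!boot_load(0x040, a_len) || memcmp(ram + RAM_EXEC, image, len) != 0) return 0;
    if (!boot_load(0x900, b_len) || memcmp(ram + RAM_EXEC, image, len) != 0) return 0;
    rom[0x040 + 7] ^= 0x10;                          /* flip one bit in area A */
    if (boot_load(0x040, a_len)) return 0;           /* must be rejected */
    return boot_load(0x900, b_len);                  /* area B still boots */
}

int main(void)
{
    printf("sha1 self-test: %s\n", sha1_selftest() ? "ok" : "FAIL");
    printf("boot scenario:  %s\n", scenario() ? "ok" : "FAIL");
    return 0;
}
```

On a real target the two copies would be the A and B areas of the next section. The check is run on the RAM copy rather than on ROM, so a fault introduced during the copy itself is caught as well, and an image that fails the check is never moved to the executable address, which is the point at which control would be handed to it.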
Image redundancy backup
The key to recovering and restarting the equipment when an online load fails is redundant backup of the VxWorks653 images. Two areas, A and B, are set aside in the device ROM to hold the current version and the previous version of each VxWorks653 image, as shown in Fig. 4.
Two slot areas are defined in the program, Slot1 and Slot2, each holding the A/B area mark of every VxWorks653 image. Fig. 5 shows the redundancy backup flow during an online load. When the equipment enters online load/upgrade mode, it first determines which slot is the primary slot and which is the backup; in this embodiment Slot1 is assumed to be the primary and Slot2 the backup, and the A/B mark of every VxWorks653 image in Slot1 is copied to Slot2. The VxWorks653 images that need updating are then loaded one by one, and the A/B mark of each updated image in Slot1 is updated. If the upgrade completes successfully, the equipment boots using the marks in Slot1; otherwise it reads the VxWorks653 image A/B marks from the backup Slot2 and boots from those, which provides recovery and restart after a failed online load. Fig. 8 shows the A/B marks of the VxWorks653 images held in the slot areas.
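The following C program is an added example, not the patent's own code, modelling the A/B areas and the two slot areas of steps 3 and 4. Three toy images each have an A and a B area in a ROM array; Slot1 is the primary slot and Slot2 the backup, as in the embodiment. An upgrade of two of the images is interrupted after the first one has been written and marked; on the next boot the device falls back to the marks saved in Slot2 and runs the complete old set, and a retried upgrade then completes. The patent does not say how the device detects that a load failed; the example uses an upgrade-in-progress flag stored with the primary slot's marks (an assumption), and the image count, sizes and all function names are likewise illustrative.

```c
/* Added example (not the patent's code). A/B areas plus two slot areas holding
 * per-image A/B marks; the in-progress flag is this example's assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NIMG     3        /* number of VxWorks653 images on the device (assumption) */
#define IMG_SIZE 16       /* toy image size (assumption) */

/* ROM: every image has an A area ([i][0]) and a B area ([i][1]). */
static uint8_t rom_area[NIMG][2][IMG_SIZE];

/* A slot area holds one A/B mark per image plus the upgrade-in-progress flag. */
struct slot {
    uint8_t mark[NIMG];     /* 0: area A holds the current version, 1: area B */
    uint8_t in_progress;
};
static struct slot slot1, slot2;   /* Slot1 primary, Slot2 backup, as in the embodiment */

/* Boot: if the primary slot shows an unfinished upgrade, the last attempt
 * failed, so the backup slot's marks (the pre-upgrade state) are used. */
static const struct slot *select_slot(void)
{
    return slot1.in_progress ? &slot2 : &slot1;
}

static const uint8_t *current_image(int i)
{
    return rom_area[i][select_slot()->mark[i]];
}

/* Online load of the images listed in which[0..n-1]. fail_after simulates
 * power loss after that many images were written (-1: no failure).
 * Returns 1 if the upgrade completed. */
static int upgrade(const int *which, int n, uint8_t new_img[][IMG_SIZE], int fail_after)
{
    if (slot1.in_progress) slot1 = slot2;   /* roll back a previous failed attempt first */
    slot2 = slot1;                          /* copy the marks from primary to backup */
    slot1.in_progress = 1;
    for (int k = 0; k < n; k++) {
        if (k == fail_after) return 0;      /* power lost: remaining marks unchanged */
        int i = which[k], inactive = 1 - slot1.mark[i];
        memcpy(rom_area[i][inactive], new_img[k], IMG_SIZE);  /* write the other area */
        slot1.mark[i] = inactive;                              /* switch the mark */
    }
    slot1.in_progress = 0;
    return 1;
}

/* Constructed scenario: v1 of three images in area A; upgrade images 0 and 2,
 * lose power halfway, boot, retry. Returns 1 if every expectation holds. */
static int scenario(void)
{
    for (int i = 0; i < NIMG; i++) {
        memset(rom_area[i][0], 'a' + i, IMG_SIZE);   /* v1 */
        memset(rom_area[i][1], 0xFF, IMG_SIZE);      /* erased */
        slot1.mark[i] = 0;
    }
    slot1.in_progress = 0;
    slot2 = slot1;
    static const int which[2] = {0, 2};
    uint8_t v2[2][IMG_SIZE];
    memset(v2[0], 'A', IMG_SIZE);
    memset(v2[1], 'C', IMG_SIZE);
    /* Interrupted: image 0 written and marked, power lost before image 2. */
    if (upgrade(which, 2, v2, 1)) return 0;
    if (current_image(0)[0] != 'a' || current_image(2)[0] != 'c') return 0;  /* old set boots */
    /* Retry completes: images 0 and 2 are now v2, image 1 untouched. */
    if (!upgrade(which, 2, v2, -1)) return 0;
    return current_image(0)[0] == 'A' && current_image(1)[0] == 'b' && current_image(2)[0] == 'C';
}

int main(void)
{
    printf("A/B upgrade scenario: %s\n", scenario() ? "ok" : "FAIL");
    return 0;
}
```

Two details matter for recovery: the backup slot is written before the in-progress flag is set, so a partial upgrade always leaves one consistent set of marks, and a retry rolls the primary slot back from the backup first, since otherwise the half-updated marks would be backed up over the known-good ones. The marks in both slots must themselves live in storage that survives the failure and is written atomically, which this toy model takes for granted.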
The high-reliability start-up and loading method for embedded avionic devices provided by this embodiment delivers high-reliability start-up and online upgrade for embedded airborne avionic devices. It considerably extends the design options for online loading and high-reliability start-up under the VxWorks653 RTOS and can serve as a reference for development on other operating systems. The method is independent of the hardware platform, has a wide range of application, and has clear market prospects and economic benefit.
The above is only a preferred embodiment and is not intended to limit the scope of the invention; all equivalent changes and modifications of the shapes, structures, characteristics and spirit described in the claims of the invention fall within its scope.
Claims (5)
1. A high-reliability starting and loading method for embedded avionic equipment is characterized by comprising the following steps:
step 1, electrifying and starting embedded avionic equipment to complete hardware initialization;
step 2, copying the VxWorks653 image from the ROM to the reference address of the RAM, and moving the VxWorks653 image from the reference address of the RAM to the executable address of the RAM again to start running.
2. The high-reliability boot loading method for the embedded avionics device according to claim 1, wherein the step 2 further comprises performing integrity check on the VxWorks653 image copied to the RAM base address, and moving the VxWorks653 image from the RAM base address to the executable address in the RAM again after the check is passed.
3. The high-reliability startup loading method for embedded avionics equipment according to claim 2, characterized in that the integrity check is: when a VxWorks653 image is burnt on the ROM, a check code is added at the tail part of the VxWorks653 image, and the check code is obtained by carrying out encryption operation on the VxWorks653 image through an encryption algorithm; when the equipment is started, after the VxWorks653 image is copied to the RAM, the same encryption algorithm is used for operating the VxWorks653 image text, and then the operation is compared with the check code stored at the tail part of the VxWorks653 image, if the operation is consistent, the VxWorks653 image is correct in integrity, and if the operation is inconsistent, the VxWorks653 image is damaged.
4. The high-reliability startup loading method for the embedded avionics device according to claim 1, characterized by further comprising:
step 3, judging whether an online loading upgrading requirement exists, if not, operating a normal system function, and if loading upgrading is required, entering the next step;
step 4, backing up the current VxWorks653 image, starting the load upgrade, restarting the equipment with the new VxWorks653 image if the load upgrade succeeds, and restarting the equipment with the backup VxWorks653 image if the load upgrade fails.
5. The high-reliability start-up loading method of the embedded avionics device according to claim 4, characterized in that two areas, A and B, are set aside on the ROM for storing the current version and the previous version of each VxWorks653 image, and two slot areas are defined in the program for storing the A/B area mark of each VxWorks653 image;
when the method enters step 4, it first determines which slot area is the primary slot area and which is the backup slot area, then copies the A/B area mark of each VxWorks653 image from the primary slot area to the backup slot area; the VxWorks653 images to be updated are loaded and upgraded in turn, and the A/B area marks of those images are updated in the primary slot area; if the load and upgrade process completes successfully, the equipment boots using the A/B area marks in the primary slot area, otherwise it boots using the A/B area marks from the backup slot area.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110994705.XA CN113778553A (en) | 2021-08-27 | 2021-08-27 | High-reliability start loading method for embedded avionic device |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113778553A true CN113778553A (en) | 2021-12-10 |
Family
ID=78839810
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1632756A (en) * | 2003-12-24 | 2005-06-29 | Inventec Corporation | Method for implementing automatic fault-tolerance of image file in Linux operating system booting process |
CN103617095A (en) * | 2013-11-15 | 2014-03-05 | China National Aeronautical Radio Electronics Research Institute | VxWorks image file correctness checking method |
CN109634781A (en) * | 2018-12-06 | 2019-04-16 | AVIC Luoyang Electro-Optical Equipment Research Institute | Embedded-program two-area backup image system and start-up method |
Non-Patent Citations (2)
Title |
---|
Anonymous: "Wind River enhances hardware support for VxWorks 653 integrated modular avionics systems", China New Telecommunications (《中国新通信》), vol. 12, no. 7, 5 April 2010 (2010-04-05), page 90 * |
Editor: "VxWorks boot process explained" (vxworks启动详解), pages 1 - 7, retrieved from the Internet <URL:《uml.org.cn/embeded/201806294.asp》> * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination ||