CN114764347A - Program verification system and method of multi-core controller and storage medium - Google Patents

Info

Publication number: CN114764347A
Authority: CN (China)
Prior art keywords: module, unit, program, bootstrap, bootstrap module
Legal status: Granted
Application number: CN202210391424.XA
Other languages: Chinese (zh)
Other versions: CN114764347B (en)
Inventors: 谭成宇, 何文, 罗薇, 张贤
Current Assignee: Chongqing Changan Automobile Co Ltd
Original Assignee: Chongqing Changan Automobile Co Ltd
Events: application filed by Chongqing Changan Automobile Co Ltd; priority to CN202210391424.XA; publication of CN114764347A; application granted; publication of CN114764347B; legal status active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/445 Program loading or initiating

Abstract

The invention discloses a program checking system, a checking method and a storage medium for a multi-core controller. The checking system comprises a trusted unit, a start enabling unit, a check core and a plurality of start cores. Each start core contains a first bootstrap module and a first application program module, and the first application program module comprises a first application verification program and a plurality of first application programs. The check core contains a second bootstrap module and a second application program module, and the second application program module comprises a check unit and a second application program. The trusted unit stores reference values of the first bootstrap module and the second bootstrap module. The flag bit of the start enabling unit is assigned by the trusted unit, the first and second bootstrap modules and the check unit, and the trusted unit verifies the flag bit of the start enabling unit at power-on. The scheme meets the requirement of the automobile on the starting time of the controller while still providing secure starting of the controller.

Description

Program verification system and method of multi-core controller and storage medium
Technical Field
The invention relates to the technical field of information security of automotive electrical and electronic systems, in particular to a program checking system, a checking method and a storage medium for a multi-core controller.
Background
With the rapid development of vehicle intelligence and connectivity, the information security risk of automobiles keeps growing. The in-vehicle controller is the last line of defense of information security, and the legality and integrity of its program are the basis of that line of defense. To protect the legality of the program of an in-vehicle controller, the common industry practice is to check the legality and integrity of the program to be run through a root of trust during the power-on start of the controller, and to run only a program that passes the check; this is called secure boot technology.
Secure boot technology relies on a hardware root of trust inside the controller, which ensures that the secure boot program itself cannot be illegally tampered with, and uses a general security algorithm to check the bootstrap program and the application program stage by stage. For example, the invention patent application with application number 201510246872.0 discloses a secure boot method for embedded equipment and secure-boot embedded equipment. The embedded equipment comprises an embedded processor, a nonvolatile memory, an FPGA and an external boot ROM; the embedded processor is connected with the nonvolatile memory through a local bus; the address bus and control bus of the embedded processor are connected with the external boot ROM through the FPGA; and the data bus of the embedded processor is directly connected with the external boot ROM. The secure boot method comprises two steps: establishing a secure boot authentication environment and executing a secure boot authentication module. After reset, the processor first executes the secure boot authentication module in the external boot ROM and judges from its execution result whether the boot program is secure; if so, the device starts normally, otherwise the device cannot start.
This method can perform a security check when the equipment starts and so ensure secure starting of the equipment. For a controller on an automobile, however, the requirement on the starting time of the controller is strict so that the user's driving experience is not affected: the starting time of the controller is generally required to be less than 200 ms. With the growth of intelligent functions, the application program of the in-vehicle controller keeps getting larger, and if the whole program is checked according to the above secure boot technology, the starting time of the controller far exceeds the automobile's requirement.
Disclosure of Invention
Aiming at the defects in the prior art, the technical problems to be solved by the invention are as follows: how to provide a program checking system and a checking method of a multi-core controller, which can meet the requirement of an automobile on the starting time of the controller on the basis of considering the safe starting of the controller.
In order to solve the technical problem, the invention adopts the following technical scheme:
a program checking system of a multi-core controller comprises a trusted unit, a starting enabling unit, a checking core and a plurality of starting cores;
a first bootstrap program module and a first application program module are arranged in the starting core, and the first application program module comprises a first application verification program and a plurality of first application programs;
a second bootstrap program module and a second application program module are arranged in the check core, the second application program module comprises a check unit and a second application program, and the check unit is used for checking the first application program module and the second application program;
the trusted unit is a storage unit with a write-once characteristic, and reference values of the first bootstrap module and the second bootstrap module are stored in the trusted unit;
and the flag bit of the start enabling unit is assigned by the trusted unit, the first bootstrap module, the second bootstrap module and the verification unit, and the trusted unit can verify the flag bit of the start enabling unit when the controller is electrified.
A program checking method of a multi-core controller adopts the program checking system of the multi-core controller, and comprises the following steps:
step 1) electrifying a controller;
step 2) the trusted unit checks the flag bit of the starting enabling unit, if the check is passed, the step 3) is executed, and if the check is not passed, the step 10) is executed;
step 3) the trusted unit checks each first bootstrap module and the second bootstrap module; if all pass the check, step 4) is executed, and if any check fails, step 10) is executed;
step 4) running each first bootstrap module and the second bootstrap module;
step 5) each first bootstrap module checks its corresponding first application verification program; if the check passes, the first application program module is started and step 6) is executed, and if the check fails, the flag bit corresponding to the start enabling unit is assigned 0 and then step 10) is executed;
step 6) the second bootstrap module checks the check unit, if the check unit passes, the step 7) is executed, and if the check unit does not pass, the step 10) is executed after 0 is assigned to the flag bit corresponding to the start enabling unit;
step 7) the checking unit checks each first application program module, if the checking is passed, the step 8) is executed, and if the checking is not passed, the step 10) is executed after the flag bit corresponding to the starting enabling unit is assigned with 0;
step 8) the checking unit checks the second application program, if the second application program passes the checking, the step 9) is executed, and if the second application program does not pass the checking, the step 10) is executed after the flag bit corresponding to the starting enabling unit is assigned with 0;
step 9) returning to execute the step 7);
and step 10), stopping starting the controller when the verification fails.
Preferably, the step 3) comprises the following steps:
step 3.1) the trusted unit checks the first bootstrap module as follows: the trusted unit obtains the hash value of the first bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the first bootstrap module; if so, step 3.3) is executed, and if not, step 3.2) is executed;
step 3.2) judging whether the number of times the trusted unit has checked the first bootstrap module has reached the set number; if so, step 10) is executed, and if not, step 3.1) is executed again;
step 3.3) the trusted unit checks the second bootstrap module as follows: the trusted unit obtains the hash value of the second bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the second bootstrap module; if so, step 4) is executed, and if not, step 3.4) is executed;
and 3.4) judging whether the number of times the trusted unit has checked the second bootstrap module has reached the set number; if so, step 10) is executed, and if not, step 3.3) is executed again.
Preferably, step 5) comprises the following steps:
step 5.1) the method for the first bootstrap module to check the first application checking program comprises the following steps: storing the signature value and the public key value of the first application verification program in the first bootstrap module, verifying the signature on the signature value through the public key value by the first bootstrap module to obtain a reference hash value of the first application verification program, calculating to obtain a calculated hash value of the first application verification program by the first bootstrap module, judging whether the reference hash value and the calculated hash value of the first application verification program are equal by the first bootstrap module, if so, executing step 6), and if not, executing step 5.2);
step 5.2) whether the times of the first bootstrap program module for verifying the first application verification program reach the set times or not, if yes, assigning 0 to the flag bit corresponding to the start enabling unit and then executing step 10), and if not, returning to execute step 5.1).
Preferably, step 6) comprises the following steps:
step 6.1) the method for the second bootstrap module to verify the verification unit is as follows: storing the signature value and the public key value of the verification unit in the second bootstrap module, verifying the signature of the signature value by the second bootstrap module through the public key value to obtain a reference hash value of the verification unit, calculating by the second bootstrap module to obtain a calculated hash value of the verification unit, judging by the second bootstrap module whether the reference hash value and the calculated hash value of the verification unit are equal, if so, executing step 7), and if not, executing step 6.2);
step 6.2) whether the times of the second bootstrap module for verifying the verification unit reaches the set times or not, if so, assigning 0 to the flag bit corresponding to the start enabling unit and then executing the step 10), and if not, returning to execute the step 6.1).
Preferably, the step 7) comprises the following steps:
step 7.1) the method for the second bootstrap module to check the first application module is as follows: storing the signature value and the public key value of the first application program module in the second bootstrap program module, verifying the signature on the signature value by the second bootstrap program module through the public key value to obtain a reference hash value of the first application program module, calculating by the second bootstrap program module to obtain a calculated hash value of the first application program module, judging by the second bootstrap program module whether the reference hash value and the calculated hash value of the first application program module are equal, if so, executing step 8), and if not, executing step 7.2);
and 7.2) whether the times of the second bootstrap module for verifying the first application program module reaches the set times or not, if so, assigning 0 to the flag bit corresponding to the start enabling unit and then executing the step 10), and if not, returning to execute the step 7.1).
Preferably, the step 8) comprises the following steps:
step 8.1) the method for the second bootstrap module to check the second application program is as follows: storing the signature value and the public key value of the second application program in the second bootstrap module, verifying the signature of the signature value by the second bootstrap module through the public key value to obtain a reference hash value of the second application program, calculating to obtain a calculated hash value of the second application program by the second bootstrap module, judging whether the reference hash value and the calculated hash value of the second application program are equal by the second bootstrap module, if so, executing the step 9), and if not, executing the step 8.2);
step 8.2) whether the number of times of verifying the second application program by the second bootstrap module reaches a set number of times, if so, assigning 0 to the flag bit corresponding to the start enabling unit and then executing step 10), and if not, returning to execute step 8.1).
Preferably, the set number of times in step 3), step 5), step 6), step 7), and step 8) is 3 times.
The present disclosure also provides a storage medium, where one or more programs are stored, and when the one or more programs are executed by a processor, the program checking method of the multi-core controller is executed.
When the program of the controller is checked, a check core and a plurality of start cores are arranged in the controller. The first application program module in each start core is divided into a first application verification program and a plurality of first application programs, and the second application program module in the check core is divided into a check unit and a second application program. As a result, the first application program module can be started directly once the first application verification program has passed the check of the first bootstrap module, while the check unit, once it has passed the check of the second bootstrap module, checks all programs in the first application program module; when any program in the first application program module fails the check, the controller stops starting. The controller therefore does not have to wait until all programs have been checked before starting: it starts after part of the programs have been checked, and after the system has started the check unit checks all programs and stops the controller as soon as a program fails the check. This greatly reduces the starting time of the controller while still ensuring its safe use.
Drawings
FIG. 1 is a system block diagram of a program checking system of a multi-core controller according to the present invention;
FIG. 2 is a flowchart of a program checking method of a multi-core controller according to the present invention;
FIG. 3 is a system block diagram of a program checking system according to a specific embodiment of the multi-core controller of the present invention.
Detailed Description
The invention will be further explained with reference to the drawings and the embodiments.
As shown in fig. 1, a program checking system of a multi-core controller includes a trusted unit, a boot enabling unit, a checking core, and a plurality of boot cores;
the starting core is internally provided with a first bootstrap program module and a first application program module, and the first application program module comprises a first application verification program and a plurality of first application programs;
a second bootstrap module and a second application module are arranged in the verification core, the second application module comprises a verification unit and a second application, and the verification unit is used for verifying the first application module and the second application;
the trusted unit is a storage unit with write-once characteristics, and reference values of the first bootstrap module and the second bootstrap module are stored in the trusted unit;
the flag bit of the start enabling unit is assigned by the trusted unit, the first bootstrap module, the second bootstrap module and the verification unit, and the trusted unit can verify the flag bit of the start enabling unit when the controller is powered on.
As shown in fig. 2, a program checking method for a multi-core controller, which adopts the program checking system for a multi-core controller, includes the following steps:
step 1), electrifying a controller;
step 2) the trusted unit checks the flag bit of the starting enabling unit, if the check is passed, the step 3) is executed, and if the check is not passed, the step 10) is executed;
step 3) the trusted unit checks each first bootstrap module and each second bootstrap module, if the checks are passed, step 4) is executed, and if any check is not passed, step 10) is executed;
step 4) operating each first bootstrap module and each second bootstrap module;
step 5) each first bootstrap program module respectively checks the corresponding first application checking program, if the checking is passed, the first application program module is started and executes the step 6), and if the checking is not passed, the flag bit corresponding to the start enabling unit is assigned with 0, and then the step 10) is executed;
step 6) the second bootstrap module checks the check unit, if the check unit passes, the step 7) is executed, and if the check unit does not pass, the step 10) is executed after 0 is assigned to the flag bit corresponding to the start enabling unit;
step 7), the checking unit checks each first application program module, if the checking is passed, the step 8) is executed, and if the checking is not passed, the step 10) is executed after 0 is assigned to the flag bit corresponding to the starting enabling unit;
step 8), the verification unit verifies the second application program, if the verification is passed, the step 9) is executed, and if the verification is not passed, the step 10) is executed after 0 is assigned to the flag bit corresponding to the starting enabling unit;
step 9) returning to execute the step 7);
and step 10), stopping starting the controller when the verification fails.
In this embodiment, the step 3) includes the following steps:
step 3.1) the trusted unit checks the first bootstrap module as follows: the trusted unit obtains the hash value of the first bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the first bootstrap module; if so, step 3.3) is executed, and otherwise step 3.2) is executed;
step 3.2) judging whether the number of times the trusted unit has checked the first bootstrap module has reached the set number; if so, step 10) is executed, and if not, step 3.1) is executed again;
step 3.3) the trusted unit checks the second bootstrap module as follows: the trusted unit obtains the hash value of the second bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the second bootstrap module; if so, step 4) is executed, and if not, step 3.4) is executed;
and 3.4) judging whether the number of times the trusted unit has checked the second bootstrap module has reached the set number; if so, step 10) is executed, and if not, step 3.3) is executed again.
In this embodiment, step 5) includes the following steps:
step 5.1) the method for the first bootstrap program module to check the first application checking program comprises the following steps: storing the signature value and the public key value of the first application verification program in the first bootstrap module, verifying the signature of the signature value through the public key value by the first bootstrap module to obtain a reference hash value of the first application verification program, calculating to obtain a calculated hash value of the first application verification program by the first bootstrap module, judging whether the reference hash value and the calculated hash value of the first application verification program are equal by the first bootstrap module, if so, executing the step 6), and if not, executing the step 5.2);
and 5.2) judging whether the times of the first bootstrap module for verifying the first application verification program reach the set times, if so, assigning 0 to the flag bit corresponding to the starting enabling unit and then executing the step 10), and if not, returning to execute the step 5.1).
In the present embodiment, step 6) includes the following steps:
step 6.1) the method for the second bootstrap module to check the check unit is as follows: storing the signature value and the public key value of the verification unit in a second bootstrap module, verifying the signature of the signature value by the second bootstrap module through the public key value to obtain a reference hash value of the verification unit, calculating by the second bootstrap module to obtain a calculated hash value of the verification unit, judging whether the reference hash value and the calculated hash value of the verification unit are equal by the second bootstrap module, if so, executing a step 7), and if not, executing a step 6.2);
and 6.2) judging whether the times of the second bootstrap module for verifying the verification unit reaches the set times, if so, assigning 0 to the flag bit corresponding to the start enabling unit and then executing the step 10), and if not, returning to execute the step 6.1).
In this embodiment, step 7) includes the following steps:
step 7.1) the method for the second bootstrap module to check the first application program module is as follows: the signature value and the public key value of the first application program module are stored in the second bootstrap module; the second bootstrap module verifies the signature value with the public key value to obtain a reference hash value of the first application program module, calculates a calculated hash value of the first application program module, and judges whether the reference hash value and the calculated hash value are equal; if so, step 8) is executed, and if not, step 7.2) is executed;
and 7.2) whether the times of the second bootstrap module for checking the first application program module reaches the set times or not, if so, assigning 0 to the flag bit corresponding to the starting enabling unit and then executing the step 10), and if not, returning to execute the step 7.1).
In this embodiment, step 8) includes the following steps:
step 8.1) the method for the second bootstrap module to check the second application program is as follows: storing the signature value and the public key value of the second application program in the second bootstrap module, verifying the signature of the signature value by the second bootstrap module through the public key value to obtain a reference hash value of the second application program, calculating by the second bootstrap module to obtain a calculated hash value of the second application program, judging by the second bootstrap module whether the reference hash value and the calculated hash value of the second application program are equal, if so, executing step 9), and if not, executing step 8.2);
step 8.2) whether the times of the second bootstrap module for verifying the second application program reach the set times or not, if yes, assigning 0 to the flag bit corresponding to the start enabling unit and then executing step 10), and if not, returning to execute step 8.1).
In the present embodiment, the set number of times in step 3), step 5), step 6), step 7), and step 8) is 3 times.
The present disclosure also provides a storage medium storing one or more programs, where the one or more programs, when executed by a processor, perform the program checking method for a multi-core controller according to any one of claims 2 to 8.
The specific embodiment is as follows:
in the following, the present solution is further described in a structural form including a check core and a start core in the controller:
As shown in fig. 3, the controller includes a start core, i.e. core 1, and a check core, i.e. core 2, and each core runs independently. The trusted unit is a storage unit with write-once characteristics, i.e. once a program in the trusted unit has been written it cannot be modified. In a specific implementation the trusted unit may be a write-once storage area inside each core or an area independent of the cores, without limitation; in this scheme the trusted unit is an independent storage unit outside the two cores.
After the controller is powered on, the trusted unit starts first. The trusted unit stores the reference values (namely the legitimate SHA256 values) of the first bootstrap module and the second bootstrap module, and once these reference values have been written they cannot be changed. After starting, the trusted unit checks the flag bit of the start enabling unit. The start enabling unit records whether the programs of core 1 and core 2 were legal before the last power-down; the specific encoding is not limited and can be set according to the situation. In this specific scheme, 00 indicates that neither core is legal, 11 indicates that both cores are legal, 01 indicates that core 1 is illegal and core 2 is legal, and 10 indicates that core 1 is legal and core 2 is illegal. The trusted unit therefore checks whether the start enabling unit is 11. If it is not 11, the controller stops starting. If it is 11, i.e. the flag bit of the start enabling unit shows that the programs of both cores were legal at the last power-down, the trusted unit continues to check the integrity and legality of the first bootstrap module and the second bootstrap module; the checking algorithm may be an international or Chinese national standard signature algorithm and is not specifically limited.
Specifically, the trusted unit checks the first bootstrap module first: it calls the digest algorithm SHA256 to compute the SHA256 value (hash value) of the first bootstrap module and compares it with the reference value in the trusted unit. If they differ, the check is repeated up to 3 times, and if they still differ the controller stops starting; if they are the same, the trusted unit goes on to check the SHA256 value of the second bootstrap module in the same way. In core 1, the first application program module is sampled and divided into n parts; the sampling method may be uniform equal division, extraction of key parts, or similar, and is not specifically limited. After the first application program module has been sampled, the first bootstrap module verifies the integrity and legality of the first application verification program. Specifically, the signature value of the first application verification program and the public key value corresponding to the signing private key are stored in the first bootstrap module. The signature value is obtained by first computing the SHA256 of the first application verification program and then signing it with the private key of an RSA2048 key pair. After the first bootstrap module runs, it computes the SHA256 of the first application verification program and at the same time verifies the signature value with the public key to obtain the reference SHA256 of that program. If the computed SHA256 differs from the reference SHA256, the verification is repeated up to 3 times, and if they still differ the controller stops running; if they are the same, the verification passes and the controller enters the first application program module and starts running.
Similarly, core 2 divides the second application program module into a check unit and a second application program, and the second bootstrap module performs integrity and legality authentication on the check unit. Specifically, the signature value of the check unit and the public key value corresponding to the signing private key are stored in the second bootstrap module; the signature value is obtained by first computing the SHA256 of the check unit and then signing it with the RSA2048 private key. After the second bootstrap module runs, it computes the SHA256 of the check unit and at the same time verifies the signature value with the public key to obtain the reference SHA256 of the check unit. If the computed SHA256 differs from the reference SHA256, the verification is repeated up to 3 times, and if they still differ the controller stops running; if they are the same, the check unit is started.
Once the check unit has passed authentication it executes and then cyclically verifies the first application program module in real time. The verification order is not limited, and the verification algorithm may be an international or Chinese national standard signature algorithm without specific limitation. If the verification fails it is repeated, and after it has failed multiple times (the specific number is not limited) the core 1 program is judged to have been illegally tampered with and the start enabling unit is recorded as 01 (core 1 illegal). If the verification succeeds, the check unit goes on to verify the second application program, again with an international or Chinese national standard signature algorithm without specific limitation; if the verification fails it is repeated multiple times (the specific number is not limited), and if it still fails the program stops at the check unit and the start enabling unit is recorded as 10 (core 2 illegal). Specifically, the check unit stores the signature values of the first application program module and the second application program, and after the check unit starts it verifies the first application program module and the second application program in the same manner as the first application verification program and the check unit were verified above. When verification of the first application program module fails 3 times, the start enabling unit is assigned 01, and when verification of the second application program fails 3 times, the start enabling unit is assigned 10.
When the controller is electrified again, the trusted unit is operated firstly, the start enabling unit is verified after the trusted unit is started, when the value of the start enabling unit is 10, 01 or 00, the controller stops starting, and the program stays in the trusted unit.
It should be noted that the sampling ratio of the first application verification program is not limited, and the sampling principle is that the starting time requirement is met, sampling is maximized, the sampling method may be uniform sampling, sampling in a key area, or other sampling methods, but is not limited, when a plurality of starting cores are included in the controller, for example, the controller further includes a core 3, a core 4, a core 5, and the like, the core 3, the core 4, and the core 5 are all starting cores, and the overall architecture of the core 3, the core 4, and the core 5 is similar to that of the core 1, and the verification unit in the core 2 needs to verify the first application program module in the core 3, the core 4, and the core 5, respectively. Therefore, the method of the present disclosure can be applied to similar verification of controllers of multiple cores, which is within the scope of protection of the present patent and will not be described in detail.
When the program of the controller is checked, the checking core and the plurality of starting cores are arranged in the controller, the first application program module in the starting core is divided into a first application checking program and a plurality of first application programs, and the second application program module in the checking core is divided into a checking unit and a second application program, so that the first application program module can be directly started after the first application checking program passes the checking of the first bootstrap module, meanwhile, the checking unit checks all programs in the first application program module after the checking unit passes the checking of the second bootstrap module, when any program in the first application program module fails the checking, the controller stops starting, so that the controller does not need to be started after all programs are checked, the controller of the scheme is started after partial programs are checked, after the controller is started, the detection unit checks all programs, and once the programs do not pass the check, the controller stops starting.
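The boot flow described above (trusted unit and flag bits, bootstrap hash check with three retries, signed check of the sampled application verification program, then the verification unit's full check that records 01 or 10) as an added Python simulation. This is example code written for this page, not code from the patent or from Chongqing Changan Automobile. It assumes a toy textbook RSA over small constructed primes in place of the RSA2048 signature the text names, constructed image bytes, and a four-part uniform sample that keeps parts 0 and 2; the dictionary keys, function names, state labels and the `sig_*`/`ref*` naming are invented for the example.

```python
import hashlib

RETRIES = 3      # claim 8: the "set number of times" is 3
N_PARTS = 4      # constructed: the application module is divided into 4 equal parts
KEEP = (0, 2)    # constructed: sampled parts forming the "first application verification program"

# Toy textbook RSA over small constructed primes stands in for the RSA2048 signature
# named in the text. It shows the public-key flow only and offers no security.
_P, _Q = 1000003, 1000033
PUB_N, PUB_E = _P * _Q, 65537
_PRIV_D = pow(PUB_E, -1, (_P - 1) * (_Q - 1))   # signing key; kept offline in practice


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _digest_int(data: bytes) -> int:
    # The toy modulus is only ~2^40, so just the leading 32 bits of SHA256 are signed.
    return int.from_bytes(sha256(data)[:4], "big")


def sign(data: bytes) -> int:
    """Offline signing: produces the signature value stored beside each program image."""
    return pow(_digest_int(data), _PRIV_D, PUB_N)


def verify_signed(image: bytes, sig: int, retries: int = RETRIES) -> bool:
    """Signature check used by the bootstrap modules and the verification unit:
    recover the reference digest from the signature with the public key and
    compare it with SHA256 of the image, retrying up to `retries` times."""
    for _ in range(retries):
        if pow(sig, PUB_E, PUB_N) == _digest_int(image):
            return True
    return False


def check_bootstrap(image: bytes, reference: bytes, retries: int = RETRIES) -> bool:
    """Trusted-unit check: SHA256 of a bootstrap module against its write-once reference."""
    for _ in range(retries):
        if sha256(image) == reference:
            return True
    return False


def sample(module: bytes, n: int = N_PARTS, keep: tuple = KEEP) -> bytes:
    """Uniform equal-division sampling: split into n parts and keep the selected ones."""
    size = -(-len(module) // n)                          # ceiling division
    parts = [module[i * size:(i + 1) * size] for i in range(n)]
    return b"".join(parts[i] for i in keep)


def build_controller(tamper: str = "", start_enable: str = "11") -> dict:
    """Constructed flash contents: images, write-once references and stored signatures."""
    c = {"boot1": b"BOOT1-image", "boot2": b"BOOT2-image",
         "app1": bytes(range(64)), "app2": b"APP2-image",
         "verif_unit": b"VERIFY-unit", "start_enable": start_enable}
    c["ref1"], c["ref2"] = sha256(c["boot1"]), sha256(c["boot2"])    # held in trusted unit
    c["sig_app1_probe"] = sign(sample(c["app1"]))                    # held in first bootstrap
    c["sig_verif_unit"] = sign(c["verif_unit"])                      # held in second bootstrap
    c["sig_app1"], c["sig_app2"] = sign(c["app1"]), sign(c["app2"])  # held in verification unit
    if tamper == "boot1":
        c["boot1"] = b"BOOT1-patched"
    elif tamper == "app1_unsampled":
        patched = bytearray(c["app1"])
        patched[-1] ^= 0xFF            # last byte lies in part 3, which the sample skips
        c["app1"] = bytes(patched)
    elif tamper == "app2":
        c["app2"] = b"APP2-patched"
    return c


def boot(c: dict) -> dict:
    """Steps 1-10 of the claimed method; returns where boot ended and the flag left behind."""
    flag = c["start_enable"]
    if flag != "11":                                               # step 2
        return {"state": "halt_trusted_unit", "flag": flag}
    if not (check_bootstrap(c["boot1"], c["ref1"])                # step 3
            and check_bootstrap(c["boot2"], c["ref2"])):
        return {"state": "halt_bootstrap_check", "flag": flag}
    if not verify_signed(sample(c["app1"]), c["sig_app1_probe"]):  # step 5
        return {"state": "halt_app1_probe", "flag": "01"}
    # core 1 starts its application here; the full check continues on core 2
    if not verify_signed(c["verif_unit"], c["sig_verif_unit"]):    # step 6
        return {"state": "halt_verif_unit", "flag": "10"}
    if not verify_signed(c["app1"], c["sig_app1"]):                # step 7
        return {"state": "halt_core1_tampered", "flag": "01"}
    if not verify_signed(c["app2"], c["sig_app2"]):                # step 8
        return {"state": "halt_core2_tampered", "flag": "10"}
    return {"state": "running", "flag": "11"}                      # step 9 loops to step 7


if __name__ == "__main__":
    c = build_controller("app1_unsampled")
    first = boot(c)                    # probe passes, the full check catches the change
    c["start_enable"] = first["flag"]  # the verification unit recorded 01
    print(first, boot(c))              # second power-up halts in the trusted unit
```

The `app1_unsampled` scenario is the case the scheme is built around: a change outside the sampled region passes the first bootstrap module's quick check, so core 1 starts, but the verification unit's full check records 01 and the next power-up halts in the trusted unit. The retry loops are deliberately kept even though the simulation is deterministic, because on real flash they absorb transient read errors rather than a real mismatch.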
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the present invention and not to limit them. Those skilled in the art should understand that modifications or equivalent substitutions can be made to the technical solutions of the present invention without departing from their spirit and scope, all of which should be covered by the claims of the present invention.

Claims (9)

1. A program checking system of a multi-core controller, characterized by comprising a trusted unit, a start enabling unit, a checking core and a plurality of starting cores;
a first bootstrap module and a first application program module are arranged in each starting core, and the first application program module comprises a first application checking program and a plurality of first application programs;
a second bootstrap module and a second application program module are arranged in the checking core, the second application program module comprises a checking unit and a second application program, and the checking unit is used for checking the first application program module and the second application program;
the trusted unit is a storage unit with a write-once characteristic, and the reference values of the first bootstrap module and the second bootstrap module are stored in the trusted unit;
the flag bits of the start enabling unit are assigned by the trusted unit, the first bootstrap module, the second bootstrap module and the checking unit, and the trusted unit can check the flag bits of the start enabling unit when the controller is powered on.
2. A program checking method of a multi-core controller, which uses the program checking system of a multi-core controller according to claim 1, comprising the following steps:
step 1) powering on the controller;
step 2) the trusted unit checks the flag bits of the start enabling unit; if the check passes, step 3) is executed, and if the check does not pass, step 10) is executed;
step 3) the trusted unit checks each first bootstrap module and the second bootstrap module; if all checks pass, step 4) is executed, and if any check does not pass, step 10) is executed;
step 4) running each first bootstrap module and the second bootstrap module;
step 5) each first bootstrap module checks its corresponding first application checking program; if the check passes, the first application program module is started and step 6) is executed, and if the check does not pass, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed;
step 6) the second bootstrap module checks the checking unit; if the check passes, step 7) is executed, and if the check does not pass, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed;
step 7) the checking unit checks each first application program module; if the check passes, step 8) is executed, and if the check does not pass, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed;
step 8) the checking unit checks the second application program; if the check passes, step 9) is executed, and if the check does not pass, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed;
step 9) returning to execute step 7);
step 10) the check has failed, and the controller stops starting.
3. The program checking method of a multi-core controller according to claim 2, wherein step 3) comprises the following steps:
step 3.1) the trusted unit checks the first bootstrap module as follows: the trusted unit obtains the hash value of the first bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the first bootstrap module; if so, step 3.3) is executed, and if not, step 3.2) is executed;
step 3.2) judging whether the number of times the trusted unit has checked the first bootstrap module has reached the set number of times; if so, step 10) is executed, and if not, step 3.1) is executed again;
step 3.3) the trusted unit checks the second bootstrap module as follows: the trusted unit obtains the hash value of the second bootstrap module with a digest algorithm and judges whether the obtained hash value is the same as the reference value of the second bootstrap module; if so, step 4) is executed, and if not, step 3.4) is executed;
step 3.4) judging whether the number of times the trusted unit has checked the second bootstrap module has reached the set number of times; if so, step 10) is executed, and if not, step 3.3) is executed again.
4. The program checking method of a multi-core controller according to claim 3, wherein step 5) comprises the following steps:
step 5.1) the first bootstrap module checks the first application checking program as follows: the signature value and the public key value of the first application checking program are stored in the first bootstrap module; the first bootstrap module verifies the signature value with the public key value to obtain the reference hash value of the first application checking program, calculates the hash value of the first application checking program, and judges whether the reference hash value and the calculated hash value are equal; if so, step 6) is executed, and if not, step 5.2) is executed;
step 5.2) judging whether the number of times the first bootstrap module has checked the first application checking program has reached the set number of times; if so, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed, and if not, step 5.1) is executed again.
5. The program checking method of a multi-core controller according to claim 4, wherein step 6) comprises the following steps:
step 6.1) the second bootstrap module checks the checking unit as follows: the signature value and the public key value of the checking unit are stored in the second bootstrap module; the second bootstrap module verifies the signature value with the public key value to obtain the reference hash value of the checking unit, calculates the hash value of the checking unit, and judges whether the reference hash value and the calculated hash value are equal; if so, step 7) is executed, and if not, step 6.2) is executed;
step 6.2) judging whether the number of times the second bootstrap module has checked the checking unit has reached the set number of times; if so, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed, and if not, step 6.1) is executed again.
6. The program checking method of a multi-core controller according to claim 5, wherein step 7) comprises the following steps:
step 7.1) the second bootstrap module checks the first application program module as follows: the signature value and the public key value of the first application program module are stored in the second bootstrap module; the second bootstrap module verifies the signature value with the public key value to obtain the reference hash value of the first application program module, calculates the hash value of the first application program module, and judges whether the reference hash value and the calculated hash value are equal; if so, step 8) is executed, and if not, step 7.2) is executed;
step 7.2) judging whether the number of times the second bootstrap module has checked the first application program module has reached the set number of times; if so, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed, and if not, step 7.1) is executed again.
7. The program checking method of a multi-core controller according to claim 6, wherein step 8) comprises the following steps:
step 8.1) the second bootstrap module checks the second application program as follows: the signature value and the public key value of the second application program are stored in the second bootstrap module; the second bootstrap module verifies the signature value with the public key value to obtain the reference hash value of the second application program, calculates the hash value of the second application program, and judges whether the reference hash value and the calculated hash value are equal; if so, step 9) is executed, and if not, step 8.2) is executed;
step 8.2) judging whether the number of times the second bootstrap module has checked the second application program has reached the set number of times; if so, the corresponding flag bit of the start enabling unit is assigned 0 and then step 10) is executed, and if not, step 8.1) is executed again.
8. The program checking method of a multi-core controller according to claim 7, wherein the set number of times in step 3), step 5), step 6), step 7) and step 8) is 3.
9. A storage medium storing one or more programs which, when executed by a processor, perform the program checking method of a multi-core controller according to any one of claims 2 to 8.
CN202210391424.XA 2022-04-14 2022-04-14 Program verification system, verification method and storage medium of multi-core controller Active CN114764347B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210391424.XA CN114764347B (en) 2022-04-14 2022-04-14 Program verification system, verification method and storage medium of multi-core controller

Publications (2)

Publication Number Publication Date
CN114764347A true CN114764347A (en) 2022-07-19
CN114764347B CN114764347B (en) 2024-09-27

Family

ID=82364936

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210391424.XA Active CN114764347B (en) 2022-04-14 2022-04-14 Program verification system, verification method and storage medium of multi-core controller

Country Status (1)

Country Link
CN (1) CN114764347B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115658183A (en) * 2022-12-26 2023-01-31 北京紫光芯能科技有限公司 Method and device for controlling MCU, electronic equipment and storage medium

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0280035A2 (en) * 1987-02-23 1988-08-31 Siemens Nixdorf Informationssysteme Aktiengesellschaft Method for the programme securing and for integrity checking of a secured programme
JPH1040177A (en) * 1996-07-19 1998-02-13 Nippon Denki Ido Tsushin Kk Program check system
CN1428954A (en) * 2001-12-26 2003-07-09 富士通株式会社 Processor and guide method thereof
US20050144430A1 (en) * 2003-12-25 2005-06-30 Matsushita Electric Industrial Co., Ltd. Information processing apparatus and a ROM image generation apparatus for the apparatus
CN101630267A (en) * 2009-08-24 2010-01-20 中兴通讯股份有限公司 Embedded system and control method thereof
CN102902530A (en) * 2012-09-07 2013-01-30 四川长虹电器股份有限公司 Procedure verifying device based on Linux embedded operating system
CN106529303A (en) * 2016-10-25 2017-03-22 北京广利核系统工程有限公司 Boot device and method for nuclear power plant instrument control system
CN111832012A (en) * 2020-07-15 2020-10-27 北京经纬恒润科技有限公司 ECU and starting method thereof
CN112711761A (en) * 2021-01-12 2021-04-27 联合汽车电子有限公司 Safety protection method of controller, main chip of controller and controller
CN112784278A (en) * 2020-12-31 2021-05-11 科东(广州)软件科技有限公司 Trusted starting method, device and equipment of computer system
CN112860741A (en) * 2021-01-18 2021-05-28 平安科技(深圳)有限公司 Data sampling detection method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN114764347B (en) 2024-09-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant