CN115248703A - Configuration method, device and system - Google Patents


Publication number
CN115248703A
Authority
CN
China
Prior art keywords
configuration
lockstep core
interface
core
lockstep
Legal status
Pending
Application number
CN202110455520.1A
Other languages
Chinese (zh)
Inventor
郑勇
井营
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202110455520.1A
Publication of CN115248703A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/4401 Bootstrapping
    • G06F9/4403 Processor initialisation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/08 Error detection or correction by redundancy in data representation, e.g. by using checking codes
    • G06F11/10 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
    • G06F11/1004 Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Quality & Reliability (AREA)
  • Hardware Redundancy (AREA)

Abstract

The application provides a configuration method, a configuration device and a configuration system. It relates to the technical field of radar or detection technology, can be applied to intelligent vehicles, connected vehicles and autonomous vehicles, and in particular can be applied to a micro control unit (MCU) on a vehicle, where the MCU comprises a lockstep core and a non-lockstep core. The method comprises the following steps: the non-lockstep core executes an interface configuration operation; the lockstep core executes a check operation to determine whether the interface configuration operation is successful. The technical solution of the application ensures the reliability of the interface configuration operation and enables the system to reach a certain functional safety level at low cost.

Description

Configuration method, device and system
Technical Field
The present application relates to the field of probing technologies, and in particular, to a configuration method, apparatus, and system.
Background
The micro control unit (MCU) of a vehicle-mounted millimeter wave radar is provided with a lockstep core and a non-lockstep core. Generally, in an MCU with few cores (e.g., two lockstep cores and one non-lockstep core), computational resources are limited, so not all business processing can be concentrated on the lockstep cores; the resources of the non-lockstep core have to be used for some of it when necessary, and using the non-lockstep core usually involves operations such as computation and checking. For a non-lockstep core, however, the reliability of all instructions run by the Central Processing Unit (CPU) is not high.
In the automotive field, automotive systems need to reach a certain functional safety level. If operations such as computation and checking are performed using the resources of the non-lockstep core, the system may not reach the corresponding functional safety level. In the prior art, the reliability of the instructions run by the CPU of the non-lockstep core is generally improved at high cost (for example, by purchasing corresponding CPU test software) so that the system reaches the corresponding functional safety level.
Therefore, how to make the system reach a certain functional safety level at low cost is a technical problem that urgently needs to be solved.
Disclosure of Invention
The application provides a configuration method, a configuration device and a configuration system, which can enable the system to reach a certain functional safety level at low cost.
In a first aspect, a configuration method is provided, where the method is applied to a micro control unit MCU, where the MCU includes a lockstep core and a non-lockstep core, and the method includes: the non-lockstep core performs an interface configuration operation; the lockstep core executes a check operation to determine whether the interface configuration operation is successful.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect it so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, so the functional safety level of the non-lockstep core does not need to be raised at high cost, and the system can reach a certain functional safety level at low cost.
With reference to the first aspect, in certain implementations of the first aspect, the MCU further includes an interface, and the performing, by the non-lockstep core, an interface configuration operation includes: the non-lockstep core acquires configuration parameters from a memory; the non-lockstep core configures the configuration parameters through the interface. The memory may be a memory in the MCU or, optionally, a memory independent of the MCU; the present application does not limit where the memory belongs or what type of memory it is.
It should be understood that, in the embodiment of the present application, the interface configuration operation is mainly performed by the non-lockstep core, that is, the non-lockstep core configures the configuration parameters in the memory to the peripheral unit through the interface, so as to relieve the resources of the lockstep core.
With reference to the first aspect, in some implementations of the first aspect, the performing, by the lockstep core, a check operation to determine whether the interface configuration operation is successful includes: the lockstep core reads back the configuration parameters from the interface; the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
It should be understood that, in the embodiment of the present application, the lockstep core mainly performs the check operation, that is, the lockstep core reads back, through the interface, the configuration parameters configured to the peripheral unit, so as to determine whether the interface configuration operation has configured the configuration parameters to the corresponding peripheral unit without error.
With reference to the first aspect, in some implementations of the first aspect, the determining, by the lockstep core, whether the interface configuration operation is successful according to the configuration parameter read back from the interface includes: the lockstep core reads the configuration parameters from the memory; the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
With reference to the first aspect, in certain implementations of the first aspect, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
In the embodiment of the application, the configuration parameters in the memory include a CRC field, so that a CRC check can be performed before configuration. This guards against the configuration parameters in the memory having been damaged before configuration and ensures that the interface configuration parameters are error-free.
With reference to the first aspect, in certain implementations of the first aspect, the configuration parameters in the memory are stored in a redundant manner.
In the embodiment of the present application, the storage manner of the configuration parameters in the memory is a redundant storage, so that when one configuration parameter is damaged, another configuration parameter can be used to ensure that the interface configuration parameter is error-free.
With reference to the first aspect, in some implementations of the first aspect, after the non-lockstep core performs the interface configuration operation, before the lockstep core performs the check operation, the method further includes: the non-lockstep core sends an interface configuration completion notification to the lockstep core.
With reference to the first aspect, in some implementations of the first aspect, the non-lockstep core sends an interface configuration completion notification to the lockstep core, where the interface configuration completion notification includes a CRC check field.
In the embodiment of the application, a CRC (cyclic redundancy check) check field is added in the interface configuration completion notification sent by the non-lockstep core to the lockstep core to prevent notification data from being damaged.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: performing watchdog time-consumption monitoring.
Specifically, the watchdog time-consumption monitoring is performed while the method is being executed.
The aim is to prevent the whole task from running overtime because of a communication fault between the non-lockstep core and the lockstep core. To that end, watchdog time-consumption monitoring is added to the process of executing the configuration method.
With reference to the first aspect, in certain implementations of the first aspect, the MCU is an on-board MCU, and, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect it so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, and the functional safety level of the non-lockstep core does not need to be raised at high cost. That is, when the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can reach ASIL B, and the functional safety level of the non-lockstep core does not need to be raised to ASIL B at high cost.
In a second aspect, a configuration apparatus is provided, where the configuration apparatus is used for a micro control unit MCU, the MCU includes a lockstep core and a non-lockstep core, and the configuration apparatus includes a processor, where the processor is configured to: controlling the non-lockstep core to execute interface configuration operation; and controlling the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
With reference to the second aspect, in certain implementations of the second aspect, the MCU further includes an interface, and the processor is further configured to: controlling the non-lockstep core to obtain configuration parameters from a memory; and controlling the non-lockstep core to configure the configuration parameters through the interface.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: controlling the lockstep core to read the configuration parameters back from the interface; and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: controlling the lockstep core to read the configuration parameters from the memory; and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
With reference to the second aspect, in certain implementations of the second aspect, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
With reference to the second aspect, in some implementations of the second aspect, the configuration parameters in the memory are stored in a redundant manner.
With reference to the second aspect, in certain implementations of the second aspect, the processor is further configured to: and controlling the non-lockstep core to send an interface configuration completion notification to the lockstep core.
With reference to the second aspect, in some implementations of the second aspect, the non-lockstep core sends an interface configuration completion notification to the lockstep core, where the interface configuration completion notification includes a CRC check field.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: control the performing of watchdog time-consumption monitoring.
With reference to the second aspect, in some implementations of the second aspect, the MCU is an on-board MCU, and, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
In a third aspect, a controller is provided, which includes a processor and a memory, where the memory is configured to store program instructions, and the processor is configured to call the program instructions to execute the configuration method according to the first aspect or any possible implementation manner of the first aspect.
In a fourth aspect, there is provided a control system comprising a configuration apparatus as in the second aspect or any possible implementation manner of the second aspect.
Alternatively, the control system may be a vehicle.
In a fifth aspect, a vehicle is provided, comprising a configuration apparatus as in the second aspect or any possible implementation manner of the second aspect.
In a sixth aspect, a computing device is provided, comprising: at least one processor and a memory, the at least one processor being coupled to the memory and configured to read and execute instructions in the memory to perform a configuration method as in the first aspect or any possible implementation manner of the first aspect.
In a seventh aspect, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform the configuration method of the first aspect or any of the possible implementations of the first aspect.
In an eighth aspect, a computer-readable storage medium is provided that stores program code for execution by a device, the program code including instructions for performing the first aspect or the configuration method in any possible implementation manner of the first aspect.
In a ninth aspect, a chip is provided, where the chip includes a processor and a data interface, and the processor reads instructions stored in a memory through the data interface to execute the configuration method in the first aspect or any possible implementation manner of the first aspect.
Optionally, as an implementation manner, the chip may further include a memory, where instructions are stored in the memory, and the processor is configured to execute the instructions stored in the memory, and when the instructions are executed, the processor is configured to execute the first aspect or the configuration method in any possible implementation manner of the first aspect.
Drawings
FIG. 1 is a diagram illustrating an example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application;
FIG. 2 is a diagram illustrating an example of interface configuration operations performed by another non-lockstep core according to an embodiment of the present application;
FIG. 3 is an exemplary diagram of a configuration method provided by an embodiment of the present application;
FIG. 4 is an exemplary diagram of another configuration method provided by embodiments of the present application;
FIG. 5 is an exemplary diagram of a storage method provided by an embodiment of the present application;
FIG. 6 is a diagram illustrating an example of time-consuming monitoring provided by an embodiment of the present application;
FIG. 7 is a diagram illustrating an example of a configuration device provided by an embodiment of the present application;
FIG. 8 is an exemplary block diagram of a hardware structure of an apparatus according to an embodiment of the present disclosure.
Detailed Description
For ease of understanding, the background art to which the embodiments of the present application relate will first be described in detail.
The micro control unit (MCU) of a vehicle-mounted millimeter wave radar is provided with a lockstep core and a non-lockstep core. It should be understood that one lockstep core contains two cores that each execute the same code; an independent comparator compares the calculation results of the two cores and raises an alarm when they differ, which avoids the situation where a fault in a single core cannot be monitored. Therefore, for a lockstep core, all instructions run by the Central Processing Unit (CPU) (i.e., the core) have higher reliability, and critical operations can be performed on it.
Generally, on an MCU with few cores (e.g., two lockstep cores and one non-lockstep core), computational resources are limited, so not all business processing can be concentrated on the lockstep cores. To relieve the resources of the lockstep core, the resources of the non-lockstep core have to be used for some of the processing when necessary; for example, the interface configuration operation is performed by the non-lockstep core, but performing the interface configuration operation also involves some computation and check operations. However, for the non-lockstep core, the reliability of all instructions run by the CPU is not high, and thus there are some security problems when the interface configuration operation is performed by the non-lockstep core.
The following describes the security problem of interface configuration operations deployed on non-lockstep cores with reference to fig. 1 and 2.
Fig. 1 is a diagram illustrating an example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application. As shown in FIG. 1, the non-lockstep core is primarily used to perform the following operations.
S110, acquiring the configuration parameters of the peripheral unit from a memory;
S120, configuring the acquired configuration parameters to the peripheral unit through an interface;
S130, reading back, through the interface, the configuration parameters configured to the peripheral unit;
S140, checking the read-back configuration parameters. That is, the read-back configuration parameters are compared with the configuration parameters stored in the memory to determine whether the configuration is successful.
It can be seen that in the example of fig. 1, the interface configuration operation performed by the non-lockstep core may involve a read-back and check operation of the configuration parameters.
However, for the non-lockstep core, all instructions run by its CPU (such as fetching data, arithmetic (addition, subtraction, multiplication and division), comparing values, etc.) are unreliable, and the CPU cannot detect such faults on the non-lockstep core. Thus, when the CPU reads back and checks on the non-lockstep core, the confirmation operation itself is unreliable.
Illustratively, as shown in FIG. 1, the configuration parameter acquired by the non-lockstep core from the memory is "10", but in the actual configuration process the interface configures "10" as "9". The non-lockstep core reads back "9" and then determines whether the configured parameter is correct, that is, determines whether "9=10" holds. However, the non-lockstep core itself may judge "9=9" to be wrong and "9=10" to be correct, so the confirmation operation itself is unreliable.
Fig. 2 is a diagram illustrating an example of interface configuration operations performed by another non-lockstep core according to an embodiment of the present application. As shown in FIG. 2, the non-lockstep core is primarily used to perform the following operations.
S210, acquiring the configuration parameters of the peripheral unit from a memory;
S220, configuring the acquired configuration parameters to the peripheral unit through an interface;
S230, reading back, through the interface, the configuration parameters configured to the peripheral unit;
S240, notifying the lockstep core to make the judgment. That is, the lockstep core is notified to perform the check operation.
It can be seen that in the example of FIG. 2, the interface configuration operation performed by the non-lockstep core involves a read-back operation on the configuration parameters, while the parameter check operation is performed by the lockstep core. Although this avoids errors in the check itself, security issues can still arise. This is because the non-lockstep core itself is unreliable and cannot confirm whether the parameter configuration operation was really performed on the interface. For example, an instruction skips the configuration operation of the interface, returns the result directly and notifies the lockstep core to make the judgment; that is, the non-lockstep core does not configure the parameter "10" at all but tells the lockstep core that the configuration has already been carried out. Because the non-lockstep core is not reliable, it cannot confirm during read-back whether the parameter configuration operation was really performed on the interface.
In summary, as can be seen from fig. 1 and 2, some read-back check operations are involved in the interface configuration operation performed by the non-lockstep core, thereby causing some security problems.
In the automotive field, an automobile system needs to reach a certain functional safety level, for example, Automotive Safety Integrity Level (ASIL) B or D. If the resources of the non-lockstep core are used for interface configuration and read-back check operations, the system may not reach the corresponding functional safety level. In the prior art, the reliability of the instructions run by the CPU of the non-lockstep core is improved at high cost, so that the non-lockstep core reaches the corresponding functional safety level and the system in turn reaches the corresponding functional safety level. For example, the ASIL B level is achieved by purchasing corresponding CPU test software on the lockstep core, but this is expensive, tens of safety mechanisms need to be implemented in addition, and the corresponding workload is very large.
Therefore, how to make the system reach a certain functional safety level at low cost is a technical problem that urgently needs to be solved.
Based on the above problem, the embodiment of the present application provides a configuration method in which the interface configuration operation is executed mainly by a non-lockstep core, and the lockstep core executes a check operation to determine whether the interface configuration operation is successful, so that the system can reach a certain functional safety level at low cost while still meeting performance requirements (i.e., relieving lockstep core resources).
The technical solution in the present application will be described with reference to fig. 3.
FIG. 3 is an exemplary diagram of a configuration method provided in an embodiment of the present application. It should be understood that the method 300 shown in FIG. 3 may be applied to the MCU architectures shown in FIG. 1 and FIG. 2, where the MCU includes a lockstep core and a non-lockstep core, and optionally the MCU further includes an interface. It should be understood that the above-mentioned interface may be a hardware interface that satisfies the relevant protocol. For example, the interface may be a Serial Peripheral Interface (SPI) interface or a High Speed Serial Link (HSSL) interface, which is not limited in this application. For convenience of description, the following embodiments take an SPI interface as an example. Optionally, the MCU may further include a memory, where the memory may be a memory in the MCU (as shown in the figure) or a memory independent of the MCU (not shown); this application does not limit where the memory belongs. The memory may be a memory (Memory) or a flash memory (PFLASH); the present application does not limit the kind of memory, and PFLASH is taken as an example in the following specific embodiments.
As shown in fig. 3, the method 300 includes steps S310 and S320, which are described in detail below.
S310, the non-lockstep core executes interface configuration operation.
Illustratively, the non-lockstep core performing the interface configuration operation includes: the non-lockstep core obtains configuration parameters; and the non-lockstep core configures the configuration parameters through the interface. The interface configuration operation executed by the non-lockstep core configures the configuration parameters in the memory through the interface and does not involve any check operation. Optionally, the configuration parameters obtained by the non-lockstep core may be configuration parameters that the non-lockstep core obtains from a memory.
It should be understood that the non-lockstep core configures the configuration parameters through the interface, specifically into the peripheral unit. The peripheral unit may be a Monolithic Microwave Integrated Circuit (MMIC) or a Power Management Integrated Circuit (PMIC), which is not limited in this application. And for convenience of description, in the following embodiments, MMIC will be described as an example.
Optionally, the interface configuration described herein includes an interface configuration that implements one or more of the following configurations: a calibration configuration, a Demultiplexer (DMUX) configuration, a Low Voltage Differential Signaling (LVDS) configuration, a transmit/receive (Tx/Rx) enable configuration, a transmit power (TxPower) configuration, and the like. The present application does not limit the type of configuration.
Optionally, the configuration parameters described herein may include one or more of the following: relevant parameters of calibration configuration, relevant parameters of DMUX configuration, relevant parameters of LVDS configuration, relevant parameters of Tx/Rx enable configuration, relevant parameters of TxPower configuration and the like. The configuration parameters are not limited in this application.
S320, the lockstep core executes the check operation to judge whether the interface configuration operation is successful.
Specifically, the lockstep core executing the check operation to determine whether the interface configuration operation is successful includes: the lockstep core reads back the configuration parameters from the interface; and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface. This means that the check operation performed by the lockstep core is used to verify the interface configuration. The verification process comprises a read-back operation and a check operation; because the read-back operation mainly serves the check, it is classified as part of the check operation.
It should be understood that the lockstep core reading back configuration parameters from the interface may also be described as the lockstep core reading back configuration parameters configured to the peripheral unit through the interface.
It should be understood that, in the embodiment of the present application, the lockstep core mainly performs the check operation, that is, the lockstep core reads back, through the interface, the configuration parameters configured to the peripheral unit, so as to determine whether the interface configuration operation has configured the configuration parameters to the corresponding peripheral unit without error.
It should be understood that the lockstep core determining whether the interface configuration operation was successful according to the configuration parameters read back from the interface comprises: the lockstep core reads the configuration parameters from the memory; and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory. In other words, after the lockstep core reads back, through the interface, the configuration parameters configured to the peripheral unit, it needs to obtain the stored configuration parameters from the memory and compare the two to determine whether the interface configuration operation is successful.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect it so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, so the functional safety level of the non-lockstep core does not need to be raised at high cost, and the system can reach a certain functional safety level at low cost.
Optionally, the configuration parameters in the memory may include a cyclic redundancy check (CRC) field. A CRC check can then be performed before configuration, which guards against the configuration parameters in the memory having been damaged before configuration and ensures that the interface configuration parameters are correct; see FIG. 5.
Optionally, the configuration parameters in the memory may be stored in a redundant manner, so that when one copy of the configuration parameters is corrupted, another copy can be used to ensure that the interface configuration parameters are error-free; see FIG. 5.
Optionally, after the interface configuration operation is performed by the non-lockstep core and before the check operation is performed by the lockstep core, the method 300 may further include: the non-lockstep core sends an interface configuration completion notification to the lockstep core.
Optionally, the interface configuration completion notification sent by the non-lockstep core to the lockstep core may include a CRC check field, so that corruption of the notification data can be detected.
Optionally, to prevent the whole task from running overtime due to a communication failure between the non-lockstep core and the lockstep core, watchdog time-consumption monitoring is also added in the process of executing the configuration method of the present application, see FIG. 6.
It should be understood that the MCU is an on-board MCU, and based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core in this embodiment is ASIL B, and the functional safety level of the non-lockstep core is QM.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core is wrong, the lockstep core can detect the error so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, and the functional safety level of the non-lockstep core does not need to be raised at high cost. That is, when the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can reach ASIL B (i.e., ASIL B = ASIL B + QM), without raising the functional safety level of the non-lockstep core to ASIL B at high cost.
A detailed description of one embodiment of the present application will now be given, by way of example, with reference to fig. 4. It should be understood that in this embodiment, two lockstep cores and one non-lockstep core are included in the MCU. It should be understood that in this embodiment, the memory is a PFLASH, the interface is an SPI interface, and the peripheral unit is an MMIC. It should also be understood that this embodiment is provided by way of example only and should not be construed as limiting the present application.
Fig. 4 is an exemplary diagram of another configuration method provided in an embodiment of the present application. As shown in fig. 4, the configuration method includes steps S410 to S450, which are described in detail below.
S410, the non-lockstep core obtains SPI interface configuration parameters from the PFLASH.
The configuration parameters in the PFLASH are stored redundantly, and a CRC field is added for checking, as shown in FIG. 5. A CRC (cyclic redundancy check) can therefore be carried out on the parameters before they are configured, so that configuration parameters damaged before configuration are detected and the accuracy of the configuration parameters is ensured.
S420, after the non-lockstep core obtains the configuration parameters, it configures the configuration parameters to the MMIC through the SPI interface.
S430, after the configuration is completed, the non-lockstep core notifies the lockstep core that the configuration is complete. A CRC check field is added to the notification so that corruption of the notification data can be detected.
S440, after receiving the configuration completion notification message of the non-lockstep core, the lockstep core reads back the SPI interface configuration, to confirm that the SPI interface configuration operation has configured the configuration parameters into the MMIC.
S450, the lockstep core reads the configuration parameters from the PFLASH, compares them with the configuration parameters read back from the SPI interface, and judges whether the configuration is successful.
It should be understood that successful configuration means that the parameters configured to the MMIC through the SPI interface are the same as the parameters stored in the memory.
Meanwhile, in this embodiment, as shown in fig. 6, watchdog time consumption monitoring is performed on the entire control system to prevent the entire task from running overtime due to a communication failure between the non-lockstep core and the lockstep core.
It should be appreciated that the interface configuration operation is performed by the non-lockstep core and the check operation is performed by the lockstep core. If the configuration operation of the non-lockstep core is wrong, the error can be found through the check by the lockstep core. When the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can therefore reach ASIL B (i.e., ASIL B = ASIL B + QM).
It should be understood that the solution of the present embodiment enables a judgment to be made in the face of each of the following failure situations.
Failure situation one: the SPI interface fails, so that the parameter value configured into the MMIC hardware is not the expected one; for example, the expected configuration value is "10" while the actually configured value is "9". In this case, the check operation of the lockstep core (i.e., steps S440 and S450 described above) can detect the fault. Specifically, the lockstep core reads back the parameter value "9" configured in the MMIC hardware through the SPI interface, reads the expected configuration parameter "10" from the PFLASH, and compares "9" with "10". Because the lockstep core has higher reliability in data acquisition and comparison operations, if this fault occurs it can be detected through the check operation of the lockstep core.
Failure situation two: the non-lockstep core does not perform the SPI configuration operation. If this occurs, the lockstep core can detect it during the check operation (i.e., steps S440 and S450 described above). Specifically, suppose that after performing step S410 to obtain the configuration parameter "10", the non-lockstep core should begin the interface configuration operation of step S420, but in practice step S420 is not performed and the non-lockstep core jumps directly to step S430 to notify the lockstep core that the configuration is complete (that is, the non-lockstep core has not actually configured anything but tells the lockstep core that it has). The lockstep core then performs the read-back in step S440, the read-back data is a random value, and the verification is performed in step S450. Because the lockstep core has higher reliability in data acquisition and comparison operations, if this fault occurs it can be detected through the check operation of the lockstep core.
Failure situation three: the interface through which the non-lockstep core notifies the lockstep core fails, so that the notification data is damaged. In this case, the fault can be detected by means of the CRC check (i.e., step S430 described above).
It should be understood that, since a CRC field is added to the notification sent by the non-lockstep core to the lockstep core, the non-lockstep core calculates a value over the information contained in the data to be transmitted and attaches that value to the transmitted data; after receiving the data, the lockstep core performs the same calculation on the same data, and the same result should be obtained. If the data is corrupted during transmission, the two results do not match, and the corruption of the notification data can be detected.
Failure situation four: the interface through which the non-lockstep core notifies the lockstep core fails, so that the notification is not delivered in time. In this case, the watchdog time-consumption monitoring of the overall system software can detect the communication timeout. Specifically, the watchdog time-consumption monitoring records the time before the communication and again after the communication is completed, and then determines from the interval between the two times whether the communication time meets the requirement. For example, if the whole communication process should take at most 10 ms, but the interface through which the non-lockstep core notifies the lockstep core fails during actual communication so that the notification is not delivered in time, the watchdog time-consumption monitoring finds that the interval between the two times exceeds 10 ms. Such a fault can therefore be detected if it occurs.
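The four failure situations, together with the redundant PFLASH storage, can be exercised in a small host-side simulation of steps S410 to S450. This is an added example, not code from the application: the CRC-8 polynomial, the record layouts, all function and enum names, the stale register value 0xA5 and the simulated millisecond clock are assumptions, while the expected value 10, the wrong value 9 and the 10 ms limit are taken from the text.

```c
#include <stdint.h>
#include <stddef.h>

/* CRC-8, polynomial 0x07 (assumed; the application does not name a CRC). */
static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

typedef struct { uint8_t value; uint8_t crc; } cfg_rec_t; /* PFLASH record (hypothetical layout) */
typedef struct { uint8_t done;  uint8_t crc; } notify_t;  /* S430 notification (hypothetical layout) */

enum fault  { F_NONE, F_SPI_WRONG_VALUE, F_SKIP_CONFIG,
              F_NOTIFY_CORRUPT, F_NOTIFY_LATE, F_PFLASH_COPY0_BAD };
enum result { CFG_OK, ERR_PFLASH, ERR_NOTIFY_CRC, ERR_TIMEOUT, ERR_MISMATCH };

#define DEADLINE_MS 10u      /* maximum communication time from the text */

static cfg_rec_t pflash[2];  /* two redundant copies of the parameter */
static uint8_t   mmic_reg;   /* simulated MMIC register behind the SPI interface */
static uint32_t  now_ms;     /* simulated clock */

/* Return the first PFLASH copy whose CRC verifies; -1 if both are damaged. */
static int pflash_read(uint8_t *out) {
    for (int i = 0; i < 2; i++)
        if (crc8(&pflash[i].value, 1) == pflash[i].crc) {
            *out = pflash[i].value;
            return 0;
        }
    return -1;
}

/* Non-lockstep (QM) core: S410 read, S420 SPI write, S430 notify. */
static notify_t qm_core_configure(enum fault f) {
    uint8_t v = 0;
    notify_t n = { 1, 0 };
    if (pflash_read(&v) == 0 && f != F_SKIP_CONFIG)           /* situation two skips S420 */
        mmic_reg = (f == F_SPI_WRONG_VALUE) ? (uint8_t)(v - 1) : v; /* situation one: 9, not 10 */
    n.crc = crc8(&n.done, 1);
    if (f == F_NOTIFY_CORRUPT)
        n.done ^= 0x40;                                       /* situation three: bit flip in transit */
    now_ms += (f == F_NOTIFY_LATE) ? 25u : 2u;                /* situation four: late delivery */
    return n;
}

/* Lockstep (ASIL B) core: watchdog, notification CRC, S440 read-back, S450 compare. */
static enum result lockstep_check(const notify_t *n, uint32_t t_start) {
    uint8_t expected;
    if (now_ms - t_start > DEADLINE_MS)
        return ERR_TIMEOUT;
    if (crc8(&n->done, 1) != n->crc || n->done != 1)
        return ERR_NOTIFY_CRC;
    if (pflash_read(&expected) != 0)
        return ERR_PFLASH;
    return (mmic_reg == expected) ? CFG_OK : ERR_MISMATCH;
}

/* Run one complete configuration cycle with the given injected fault. */
enum result run_scenario(enum fault f) {
    uint8_t v = 10;                        /* expected parameter value from the text */
    pflash[0].value = pflash[1].value = v;
    pflash[0].crc   = pflash[1].crc   = crc8(&v, 1);
    if (f == F_PFLASH_COPY0_BAD)
        pflash[0].value ^= 0x01;           /* damage one redundant copy */
    mmic_reg = 0xA5;                       /* constructed stand-in for the "random" read-back value */
    now_ms = 0;
    uint32_t t0 = now_ms;                  /* time recorded before the communication */
    notify_t n = qm_core_configure(f);
    return lockstep_check(&n, t0);
}

int main(void) {
    return run_scenario(F_NONE) == CFG_OK ? 0 : 1;
}
```

A damaged first PFLASH copy still ends in a successful configuration because both cores fall back to the second copy, whereas each of the four failure situations returns a distinct error code from the lockstep side.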
Optionally, the memory described in this application may be a memory in the MCU, or may be a memory independent of the MCU, and the attribution of the memory and the type of the memory are not limited in this application.
In summary, in this embodiment, the interface configuration is performed by the non-lockstep core and the check is performed by the lockstep core, so that the functional safety level (ASIL B) can be satisfied and the cost can be reduced while the performance requirement is met (i.e., lockstep core resources are released).
Fig. 7 is a diagram illustrating an example of a configuration apparatus according to an embodiment of the present application. The configuration apparatus 700 is used for an MCU, the MCU includes a lockstep core and a non-lockstep core, optionally, the MCU may further include an interface, and the configuration apparatus 700 includes a processor 710.
The processor 710 is configured to: control the non-lockstep core to execute an interface configuration operation; and control the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
Optionally, the processor 710 may be further configured to: controlling the non-lockstep core to obtain configuration parameters from the memory; and controlling the non-lockstep core to configure the configuration parameters through the interface. The memory may be a memory in the MCU (as shown in the figure) or a memory (not shown) independent of the MCU, and the attribution of the memory and the type of the memory are not limited in the present application.
Optionally, the processor 710 may be further configured to: controlling the lockstep core to read back the configuration parameters from the interface; and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
Optionally, the processor 710 may be further configured to: control the lockstep core to read the configuration parameters from the memory; and control the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
Optionally, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
Optionally, the configuration parameters in the memory are stored in a redundant manner.
Optionally, the processor 710 may be further configured to: control the non-lockstep core to send an interface configuration completion notification to the lockstep core.
Optionally, the interface configuration completion notification sent by the non-lockstep core to the lockstep core includes a CRC check field.
Optionally, the processor 710 may be further configured to: control the performing of watchdog time-consumption monitoring.
Optionally, the MCU is an on-board MCU, and based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B, and the functional safety level of the non-lockstep core is QM.
Fig. 8 is an exemplary block diagram of a hardware structure of an apparatus provided in an embodiment of the present application. The apparatus 800 (the apparatus 800 may be a computer device) includes a memory 810, a processor 820, a communication interface 830, and a bus 840. The memory 810, the processor 820 and the communication interface 830 are connected to each other through a bus 840.
The memory 810 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 810 may store a program, and the processor 820 is configured to perform the steps of the configuration method of the embodiments of the present application when the program stored in the memory 810 is executed by the processor 820.
The processor 820 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), a Graphics Processing Unit (GPU), or one or more integrated circuits, and is configured to execute related programs to implement the configuration method of the embodiment of the present application.
Processor 820 may also be an integrated circuit chip having signal processing capabilities. In implementation, the configuration method of the present application may be implemented by an integrated logic circuit of hardware or an instruction in the form of software in the processor 820.
The processor 820 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory 810, and the processor 820 reads information in the memory 810 and, in combination with its hardware, completes the functions required to be performed by the modules included in the apparatus according to the embodiment of the present application, or performs the configuration method according to the embodiment of the present application.
Communication interface 830 enables communication between apparatus 800 and other devices or communication networks using transceiver means such as, but not limited to, a transceiver.
Bus 840 may include a pathway to transfer information between various components of device 800, such as memory 810, processor 820, and communication interface 830.
The present application further provides a control system, which includes the configuration apparatus 700 described above.
It should be understood that the control system may be particularly, but not exclusively, a control system in a vehicle.
Alternatively, the vehicle referred to in the present application may be a car, a truck, a motorcycle, a bus, a boat, an airplane, a helicopter, a lawn mower, a recreational vehicle, a playground vehicle, construction equipment, a trolley, a golf cart, a train, a trolley, etc., and the embodiments of the present application are not particularly limited. The automobile can be a traditional internal combustion engine automobile, a hybrid electric automobile, a pure electric automobile, a centralized driving automobile, a distributed driving automobile and the like, and the application does not limit the automobile.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (24)

1. A configuration method is applied to a Micro Control Unit (MCU), the MCU comprises a lockstep core and a non-lockstep core, and the method comprises the following steps:
the non-lockstep core executes interface configuration operation;
and the lockstep core executes a checking operation to judge whether the interface configuration operation is successful.
2. The method of claim 1, wherein the MCU further comprises an interface, and wherein the non-lockstep core performing interface configuration operations comprises:
the non-lockstep core acquires configuration parameters from a memory;
and the non-lockstep core configures the configuration parameters through the interface.
3. The method of claim 2, wherein the lockstep core performing a check operation to determine whether the interface configuration operation was successful comprises:
the lockstep core reads the configuration parameters back from the interface;
and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
4. The method of claim 3, wherein the lockstep core determining whether the interface configuration operation is successful according to the configuration parameters read back from the interface comprises:
the lockstep core reads the configuration parameters from the memory;
and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
5. The method according to any of claims 2 to 4, wherein the configuration parameters in the memory comprise a cyclic redundancy check (CRC) field.
6. The method according to any one of claims 2 to 5, wherein the configuration parameters in the memory are stored in a redundant manner.
7. The method of any of claims 1 to 6, wherein after the non-lockstep core performs the interface configuration operation, and before the lockstep core performs the check operation, the method further comprises:
and the non-lockstep core sends an interface configuration completion notification to the lockstep core.
8. The method of claim 7, wherein the interface configuration completion notification sent by the non-lockstep core to the lockstep core comprises a CRC check field.
9. The method according to any one of claims 1 to 8, further comprising:
performing watchdog time-consumption monitoring.
10. The method according to any one of claims 1 to 9, wherein the MCU is an on-board MCU, and, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
11. A configuration apparatus, wherein the configuration apparatus is used for a micro control unit MCU, the MCU comprises a lockstep core and a non-lockstep core, the configuration apparatus comprises a processor, and the processor is configured to:
controlling the non-lockstep core to execute interface configuration operation;
and controlling the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
12. The apparatus of claim 11, wherein the MCU further comprises an interface, and wherein the processor is further configured to:
controlling the non-lockstep core to acquire configuration parameters from a memory;
and controlling the non-lockstep core to configure the configuration parameters through the interface.
13. The apparatus of claim 12, wherein the processor is further configured to:
controlling the lockstep core to read the configuration parameters back from the interface;
and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
14. The apparatus of claim 13, wherein the processor is further configured to:
controlling the lockstep core to read the configuration parameters from the memory;
and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
15. The apparatus according to any of claims 12 to 14, wherein the configuration parameters in the memory comprise a cyclic redundancy check (CRC) field.
16. The apparatus according to any one of claims 12 to 15, wherein the configuration parameters in the memory are stored in a redundant manner.
17. The apparatus of any of claims 11 to 16, wherein the processor is further configured to:
controlling the non-lockstep core to send an interface configuration completion notification to the lockstep core.
18. The apparatus of claim 17, wherein the interface configuration completion notification sent by the non-lockstep core to the lockstep core comprises a CRC check field.
19. The apparatus of any of claims 11 to 18, wherein the processor is further configured to:
controlling the performing of watchdog time-consumption monitoring.
20. The apparatus of any of claims 11 to 19, wherein the MCU is an on-board MCU, and wherein, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
21. A controller comprising a processor and a memory, the memory for storing program instructions, the processor for invoking the program instructions to perform the configuration method of any of claims 1 to 10.
22. A control system comprising a configuration arrangement as claimed in any one of claims 11 to 20.
23. A vehicle, characterized by comprising the arrangement of any one of claims 11 to 20.
24. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein program instructions which, when executed by a processor, implement the configuration method of any one of claims 1 to 10.
CN202110455520.1A 2021-04-26 2021-04-26 Configuration method, device and system Pending CN115248703A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110455520.1A CN115248703A (en) 2021-04-26 2021-04-26 Configuration method, device and system

Publications (1)

Publication Number Publication Date
CN115248703A true CN115248703A (en) 2022-10-28

Family

ID=83695787

Country Status (1)

Country Link
CN (1) CN115248703A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination