CN115248703A - Configuration method, device and system - Google Patents
- Publication number: CN115248703A
- Application number: CN202110455520.1A
- Authority: CN (China)
- Prior art keywords: configuration, lockstep core, interface, core, lockstep
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/4401—Bootstrapping
- G06F9/4403—Processor initialisation
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/07—Responding to the occurrence of a fault, e.g. fault tolerance
- G06F11/08—Error detection or correction by redundancy in data representation, e.g. by using checking codes
- G06F11/10—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's
- G06F11/1004—Adding special bits or symbols to the coded information, e.g. parity check, casting out 9's or 11's to protect a block of data words, e.g. CRC or checksum
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Quality & Reliability (AREA)
- Hardware Redundancy (AREA)
Abstract
The application provides a configuration method, a configuration device and a configuration system. It relates to the technical field of radar technology or detection, can be applied to intelligent automobiles, internet-connected automobiles and automatic driving automobiles, and in particular can be applied to an MCU (micro control unit) on a vehicle, where the MCU comprises a lockstep core and a non-lockstep core. The method comprises the following steps: the non-lockstep core executes an interface configuration operation; the lockstep core executes a check operation to determine whether the interface configuration operation is successful. The technical scheme of the application ensures the reliability of the interface configuration operation and enables the system to reach a certain functional safety level at low cost.
Description
Technical Field
The present application relates to the field of probing technologies, and in particular, to a configuration method, apparatus, and system.
Background
The Micro Control Unit (MCU) of a vehicle-mounted millimeter wave radar is provided with a lockstep core and a non-lockstep core. Generally, in an MCU with fewer cores (e.g., two lockstep cores and one non-lockstep core), computational resources are limited, so not all business processes can be concentrated on the lockstep core. The resources of the non-lockstep core are needed to process business when necessary, and computation and check operations are usually involved when the non-lockstep core is used. For a non-lockstep core, however, the instructions executed by the Central Processing Unit (CPU) are not highly reliable.
In the automotive field, automotive systems need to reach a certain functional safety level. If computation and check operations are performed using the resources of the non-lockstep core, the system may not reach the corresponding functional safety level. In the prior art, the reliability of the instructions executed by the CPU of the non-lockstep core is generally improved at high cost (for example, by purchasing corresponding CPU test software) so that the system reaches the corresponding functional safety level.
Therefore, how to make the system reach a certain functional safety level at low cost is a technical problem that urgently needs to be solved.
Disclosure of Invention
The application provides a configuration method, a configuration device and a configuration system, which can enable the system to reach a certain functional safety level with low cost.
In a first aspect, a configuration method is provided, where the method is applied to a micro control unit MCU, where the MCU includes a lockstep core and a non-lockstep core, and the method includes: the non-lockstep core performs an interface configuration operation; the lockstep core executes a check operation to determine whether the interface configuration operation is successful.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect the error so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, so the functional safety level of the non-lockstep core does not need to be raised at high cost, and the system can reach a certain functional safety level at low cost.
With reference to the first aspect, in certain implementations of the first aspect, the MCU further includes an interface, and the performing, by the non-lockstep core, an interface configuration operation includes: the non-lockstep core acquires configuration parameters from a memory; the non-lockstep core configures the configuration parameters through the interface. The memory may be a memory in the MCU, or optionally, the memory may also be a memory independent of the MCU, and the attribution of the memory and the type of the memory are not limited in the present application.
It should be understood that, in the embodiment of the present application, the interface configuration operation is mainly performed by the non-lockstep core, that is, the non-lockstep core configures the configuration parameters in the memory to the peripheral unit through the interface, so as to free up the resources of the lockstep core.
With reference to the first aspect, in some implementations of the first aspect, the performing, by the lockstep core, a check operation to determine whether the interface configuration operation is successful includes: the lockstep core reads back the configuration parameters from the interface; the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
It should be understood that, in the embodiment of the present application, the lockstep core mainly performs the check operation, that is, the lockstep core reads back, through the interface, the configuration parameters configured to the peripheral unit, so as to determine whether the interface configuration operation configured the parameters to the corresponding peripheral unit without error.
With reference to the first aspect, in some implementations of the first aspect, the determining, by the lockstep core, whether the interface configuration operation is successful according to the configuration parameter read back from the interface includes: the lockstep core reads the configuration parameters from the memory; the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
With reference to the first aspect, in certain implementations of the first aspect, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
In the embodiment of the application, the configuration parameters in the memory include a CRC field, so that a CRC check can be performed before configuration. This detects configuration parameters in the memory that were damaged before configuration and ensures that the interface configuration parameters are error-free.
With reference to the first aspect, in certain implementations of the first aspect, the configuration parameters in the memory are stored in a redundant manner.
In the embodiment of the present application, the configuration parameters in the memory are stored redundantly, so that when one copy of the configuration parameters is damaged, another copy can be used to ensure that the interface configuration parameters are error-free.
With reference to the first aspect, in some implementations of the first aspect, after the non-lockstep core performs the interface configuration operation, before the lockstep core performs the check operation, the method further includes: the non-lockstep core sends an interface configuration completion notification to the lockstep core.
With reference to the first aspect, in some implementations of the first aspect, the non-lockstep core sends an interface configuration completion notification to the lockstep core, where the interface configuration completion notification includes a CRC check field.
In the embodiment of the application, a CRC check field is added to the interface configuration completion notification sent by the non-lockstep core to the lockstep core, to prevent the notification data from being damaged.
With reference to the first aspect, in certain implementations of the first aspect, the method further includes: performing watchdog time-consumption monitoring.
In particular, the watchdog time-consumption monitoring is executed while the method is being executed.
This aims to prevent the whole task from running overtime because of a communication fault between the non-lockstep core and the lockstep core. For this reason, watchdog time-consumption monitoring is also added during execution of the configuration method.
With reference to the first aspect, in certain implementations of the first aspect, the MCU is a vehicle-mounted MCU and, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect the error so that reconfiguration can be carried out. The reliability of the interface configuration operation is ensured, and the functional safety level of the non-lockstep core does not need to be raised at high cost. That is, when the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can reach ASIL B without raising the functional safety level of the non-lockstep core to ASIL B at high cost.
In a second aspect, a configuration apparatus is provided, where the configuration apparatus is used for a micro control unit MCU, the MCU includes a lockstep core and a non-lockstep core, and the configuration apparatus includes a processor, where the processor is configured to: control the non-lockstep core to execute an interface configuration operation; and control the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
With reference to the second aspect, in certain implementations of the second aspect, the MCU further includes an interface, and the processor is further configured to: control the non-lockstep core to obtain configuration parameters from a memory; and control the non-lockstep core to configure the configuration parameters through the interface.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: control the lockstep core to read the configuration parameters back from the interface; and control the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: control the lockstep core to read the configuration parameters from the memory; and control the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
With reference to the second aspect, in certain implementations of the second aspect, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
With reference to the second aspect, in some implementations of the second aspect, the configuration parameters in the memory are stored in a redundant manner.
With reference to the second aspect, in certain implementations of the second aspect, the processor is further configured to: control the non-lockstep core to send an interface configuration completion notification to the lockstep core.
With reference to the second aspect, in some implementations of the second aspect, the non-lockstep core sends an interface configuration completion notification to the lockstep core, where a CRC check field is included in the interface configuration completion notification.
With reference to the second aspect, in some implementations of the second aspect, the processor is further configured to: control the performing of watchdog time-consumption monitoring.
With reference to the second aspect, in some implementations of the second aspect, the MCU is a vehicle-mounted MCU and, based on the automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
In a third aspect, a controller is provided, which includes a processor and a memory, where the memory is configured to store program instructions, and the processor is configured to call the program instructions to execute the configuration method according to the first aspect or any possible implementation manner of the first aspect.
In a fourth aspect, there is provided a control system comprising a configuration apparatus as in the second aspect or any possible implementation manner of the second aspect.
Alternatively, the control system may be a vehicle.
In a fifth aspect, a vehicle is provided, comprising a configuration apparatus as in the second aspect or any possible implementation manner of the second aspect.
In a sixth aspect, a computing device is provided, comprising: at least one processor and a memory, the at least one processor being coupled to the memory and configured to read and execute instructions in the memory to perform a configuration method as in the first aspect or any possible implementation manner of the first aspect.
In a seventh aspect, a computer program product containing instructions is provided, which when run on a computer causes the computer to perform the configuration method of the first aspect or any of the possible implementations of the first aspect.
In an eighth aspect, a computer-readable storage medium is provided that stores program code for execution by a device, the program code including instructions for performing the configuration method in the first aspect or any possible implementation manner of the first aspect.
In a ninth aspect, a chip is provided, where the chip includes a processor and a data interface, and the processor reads instructions stored in a memory through the data interface to execute the configuration method in the first aspect or any possible implementation manner of the first aspect.
Optionally, as an implementation manner, the chip may further include a memory in which instructions are stored, and the processor is configured to execute the instructions stored in the memory; when the instructions are executed, the processor executes the configuration method in the first aspect or any possible implementation manner of the first aspect.
Drawings
FIG. 1 is a diagram illustrating an example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application;
FIG. 2 is a diagram illustrating another example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application;
FIG. 3 is an exemplary diagram of a configuration method provided by an embodiment of the present application;
FIG. 4 is an exemplary diagram of another configuration method provided by embodiments of the present application;
FIG. 5 is an exemplary diagram of a storage method provided by an embodiment of the present application;
FIG. 6 is a diagram illustrating an example of time-consumption monitoring provided by an embodiment of the present application;
FIG. 7 is a diagram illustrating an example of a configuration device provided by an embodiment of the present application;
FIG. 8 is an exemplary block diagram of a hardware structure of an apparatus according to an embodiment of the present application.
Detailed Description
For ease of understanding, the background art to which the embodiments of the present application relate will first be described in detail.
The Micro Control Unit (MCU) of a vehicle-mounted millimeter wave radar is provided with a lockstep core and a non-lockstep core. It should be understood that one lockstep core has two cores. The two cores each execute the same code, and an independent comparator compares their calculation results and raises an alarm when they differ, which avoids the situation in which a fault in a single core goes unmonitored. Therefore, for a lockstep core, all instructions executed by the Central Processing Unit (CPU) (i.e., the core) have higher reliability, and the lockstep core can perform critical operations.
Generally, on an MCU with fewer cores (e.g., two lockstep cores and one non-lockstep core), computational resources are limited, so not all business processes can be concentrated on the lockstep core. To free up the resources of the lockstep core, the resources of the non-lockstep core are used for processing when necessary; for example, the interface configuration operation is performed by the non-lockstep core. Performing the interface configuration operation, however, also involves some computation and check operations. For the non-lockstep core, the instructions executed by the CPU are not highly reliable, so there are some security problems when the interface configuration operation is performed by the non-lockstep core.
The following describes the security problem of interface configuration operations deployed on non-lockstep cores with reference to fig. 1 and 2.
Fig. 1 is a diagram illustrating an example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application. As shown in FIG. 1, the non-lockstep core is primarily used to perform the following operations.
S110, acquiring configuration parameters of the peripheral unit from a memory;
S120, configuring the acquired configuration parameters to the peripheral unit through an interface;
S130, reading back, through the interface, the configuration parameters configured to the peripheral unit;
S140, checking the read-back configuration parameters. That is, the read-back configuration parameters are compared with the configuration parameters stored in the memory to determine whether the configuration is successful.
It can be seen that in the example of fig. 1, the interface configuration operation performed by the non-lockstep core may involve a read-back and check operation of the configuration parameters.
However, for the non-lockstep core, all instructions executed by its CPU (such as fetching data, arithmetic (addition, subtraction, multiplication and division), and comparing values) are unreliable, and the CPU cannot detect such faults on the non-lockstep core. Thus, when the CPU reads back and checks on the non-lockstep core, the check operation itself is unreliable.
Illustratively, as shown in FIG. 1, the configuration parameter acquired by the non-lockstep core from the memory is "10", and the interface turns "10" into "9" in the actual configuration process. The non-lockstep core reads back "9" and then determines whether the configured parameter is correct, that is, determines whether "9=10" holds. However, the non-lockstep core itself may judge "9=9" to be wrong and "9=10" to be correct, so the check operation itself is unreliable.
FIG. 2 is a diagram illustrating another example of an interface configuration operation performed by a non-lockstep core according to an embodiment of the present application. As shown in FIG. 2, the non-lockstep core is primarily used to perform the following operations.
S210, acquiring configuration parameters of the peripheral unit from a memory;
S220, configuring the acquired configuration parameters to the peripheral unit through an interface;
S230, reading back, through the interface, the configuration parameters configured to the peripheral unit;
S240, notifying the lockstep core to make the judgment. That is, the lockstep core is notified to perform the check operation.
It can be seen that in the example of FIG. 2, the interface configuration operation performed by the non-lockstep core involves a read-back of the configuration parameters, while the parameter check is performed by the lockstep core. Although this avoids errors in the check itself, there can still be security issues, because the non-lockstep core is itself unreliable and cannot confirm whether the interface really performed the parameter configuration operation. For example, the instruction stream may skip the configuration operation of the interface, return a result directly and notify the lockstep core to make a judgment; that is, the non-lockstep core never configured the parameter "10" at all but informs the lockstep core that the configuration has been carried out. Because the non-lockstep core is not reliable, it cannot confirm during read-back whether the interface really performed the parameter configuration operation.
In summary, as can be seen from fig. 1 and 2, some read-back check operations are involved in the interface configuration operation performed by the non-lockstep core, thereby causing some security problems.
In the automotive field, an automobile system needs to reach a certain functional safety level, for example, Automotive Safety Integrity Level (ASIL) B or D. If the resources of the non-lockstep core are used for interface configuration and read-back check operations, the system may not reach the corresponding functional safety level. In the prior art, the reliability of the instructions executed by the CPU of the non-lockstep core is improved at high cost, so that the non-lockstep core, and with it the system, reaches the corresponding functional safety level. For example, the ASIL B level is achieved by purchasing corresponding CPU test software on the lockstep core, but this is expensive, tens of safety mechanisms need to be additionally implemented, and the corresponding workload is very large.
Therefore, how to make the system reach a certain functional safety level at low cost is a technical problem that urgently needs to be solved.
Based on the above problem, the embodiment of the present application provides a configuration method in which the interface configuration operation is executed mainly by a non-lockstep core, and the lockstep core executes a check operation to determine whether the interface configuration operation is successful, so that the system can reach a certain functional safety level at low cost while still meeting performance requirements (i.e., relieving the load on lockstep core resources).
The technical solution in the present application will be described with reference to fig. 3.
FIG. 3 is an exemplary diagram of a configuration method provided in an embodiment of the present application. It should be understood that the method 300 shown in FIG. 3 may be applied to the MCU architectures shown in FIG. 1 and FIG. 2, where the MCU includes a lockstep core and a non-lockstep core, and optionally the MCU further includes an interface. The interface may be a hardware interface that satisfies the relevant protocol. For example, the interface may be a Serial Peripheral Interface (SPI) interface or a High Speed Serial Link (HSSL) interface, which is not limited in this application. For convenience of description, the following embodiments take an SPI interface as an example. Optionally, the MCU may further include a memory, where the memory may be a memory in the MCU (as shown in the figure) or a memory (not shown) independent of the MCU; the attribution of the memory is not limited in this application. The memory may be a memory (Memory) or a flash memory (PFLASH); the present application does not limit the kind of memory, and PFLASH is taken as an example in the following specific embodiments.
As shown in fig. 3, the method 300 includes steps S310 and S320, which are described in detail below.
S310, the non-lockstep core executes interface configuration operation.
Illustratively, the non-lockstep core performing the interface configuration operation includes: the non-lockstep core obtains configuration parameters; and the non-lockstep core configures the configuration parameters through the interface. The interface configuration operation executed by the non-lockstep core only configures the configuration parameters in the memory through the interface and does not involve any check operation. Optionally, the configuration parameters obtained by the non-lockstep core may be configuration parameters that it obtains from a memory.
It should be understood that the non-lockstep core configures the configuration parameters through the interface, specifically into the peripheral unit. The peripheral unit may be a Monolithic Microwave Integrated Circuit (MMIC) or a Power Management Integrated Circuit (PMIC), which is not limited in this application. And for convenience of description, in the following embodiments, MMIC will be described as an example.
Optionally, the interface configuration described herein includes an interface configuration that implements one or more of the following configurations: a calibration configuration, a Demultiplexer (DMUX) configuration, a Low Voltage Differential Signaling (LVDS) configuration, a transmit/receive (Tx/Rx) enable configuration, a mobile station transmit power (TxPower) configuration, and the like. The present application does not limit the type of configuration.
Optionally, the configuration parameters described herein may include one or more of the following: relevant parameters of calibration configuration, relevant parameters of DMUX configuration, relevant parameters of LVDS configuration, relevant parameters of Tx/Rx enable configuration, relevant parameters of TxPower configuration and the like. The configuration parameters are not limited in this application.
S320, the lockstep core executes the check operation to judge whether the interface configuration operation is successful.
Specifically, the lockstep core executing the check operation to determine whether the interface configuration operation is successful includes: the lockstep core reads back the configuration parameters from the interface; and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface. This means that the check operation performed by the lockstep core is used to verify the interface configuration. The verification process comprises a read-back operation and a check operation; because the read-back serves mainly the check, it is classified here as part of the check operation.
It should be understood that the lockstep core reading back configuration parameters from the interface may also be described as the lockstep core reading back configuration parameters configured to the peripheral unit through the interface.
It should be understood that, in the embodiment of the present application, the lockstep core mainly performs the verification operation; that is, the lockstep core reads back the configuration parameters configured to the peripheral unit through the interface, so as to determine whether the interface configuration operation has configured the configuration parameters to the corresponding peripheral unit without error.
It should be understood that the lockstep core determining whether the interface configuration operation was successful according to the configuration parameters read back from the interface comprises: the lockstep core reads the configuration parameters from the memory; and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory. In other words, after the lockstep core reads back the configuration parameters configured to the peripheral unit through the interface, the lockstep core needs to obtain the stored configuration parameters from the memory and compare the two sets of configuration parameters to determine whether the interface configuration operation is successful.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect the error through the check so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, so the functional safety level of the non-lockstep core does not need to be raised at high cost, and the system can reach a certain functional safety level at low cost.
Optionally, the configuration parameters in the memory may include a cyclic redundancy check (CRC) field. A CRC check can then be performed before configuration, which guards against the configuration parameters in the memory having been damaged before configuration and ensures that the configuration parameters of the interface are correct; see fig. 5.
Optionally, the configuration parameters in the memory may be stored in a redundant manner, so that when one copy of a configuration parameter is corrupted, another copy can be used to ensure that the interface configuration parameters are error free; see fig. 5.
Optionally, after the interface configuration operation is performed by the non-lockstep core and before the check operation is performed by the lockstep core, the method 300 may further include: the non-lockstep core sends an interface configuration completion notification to the lockstep core.
Optionally, the interface configuration completion notification that the non-lockstep core sends to the lockstep core may include a CRC check field to guard against corruption of the notification data.
Optionally, to prevent the whole task from running overtime because of a communication failure between the non-lockstep core and the lockstep core, watchdog time-consumption monitoring is also added while the configuration method of the present application is executed; see fig. 6.
It should be understood that the MCU is an on-board MCU, and based on the safety integrity level ASIL of the vehicle, the functional safety level of the lockstep core in this embodiment is ASIL B, and the functional safety level of the non-lockstep core is QM.
In the embodiment of the application, the interface configuration operation is executed by the non-lockstep core, and the lockstep core executes the check operation to judge whether the interface configuration operation is successful. If the configuration operation of the non-lockstep core goes wrong, the lockstep core can detect the error through the check so that reconfiguration can be carried out. The reliability of the interface configuration operation is thereby ensured, and the functional safety level of the non-lockstep core does not need to be raised at high cost. That is, when the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can reach ASIL B (i.e., ASIL B = ASIL B + QM), without raising the functional safety level of the non-lockstep core to ASIL B at high cost.
A detailed description of one embodiment of the present application will now be given, by way of example, with reference to fig. 4. It should be understood that in this embodiment, two lockstep cores and one non-lockstep core are included in the MCU. It should be understood that in this embodiment, the memory is a PFLASH, the interface is an SPI interface, and the peripheral unit is an MMIC. It should also be understood that this embodiment is provided by way of example only and should not be construed as limiting the present application.
Fig. 4 is an exemplary diagram of another configuration method provided in an embodiment of the present application. As shown in fig. 4, the configuration method includes steps S410 to S450, which are described in detail below.
S410, the non-lockstep core obtains SPI interface configuration parameters from the PFLASH.
The configuration parameters in the PFLASH are stored redundantly, and a CRC field is added for checking, as shown in fig. 5. A cyclic redundancy check (CRC) can therefore be carried out on the parameters before they are configured, which guards against the configuration parameters having been damaged before configuration and ensures their accuracy.
S420, after the non-lockstep core obtains the configuration parameters, it configures the configuration parameters to the MMIC through the SPI interface.
S430, after the configuration is completed, the non-lockstep core notifies the lockstep core that the configuration is complete. A CRC check field is added to the notification to guard against corruption of the notification data.
S440, after receiving the configuration completion notification message from the non-lockstep core, the lockstep core reads back the SPI interface configuration, to confirm that the SPI interface configuration operation has configured the configuration parameters into the MMIC.
S450, the lockstep core reads the configuration parameters from the PFLASH, compares them with the configuration parameters read back from the SPI interface, and judges whether the configuration is successful.
It should be understood that successful configuration means that the parameters configured to the MMIC through the SPI interface are the same as the parameters stored in the memory.
Meanwhile, in this embodiment, as shown in fig. 6, watchdog time consumption monitoring is performed on the entire control system to prevent the entire task from running overtime due to a communication failure between the non-lockstep core and the lockstep core.
It should be appreciated that the interface configuration operation is performed by the non-lockstep core and the check operation is performed by the lockstep core. If the configuration operation of the non-lockstep core goes wrong, the error can be found through the check performed by the lockstep core. When the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM, the functional safety level of the automobile system can thus reach ASIL B (i.e., ASIL B = ASIL B + QM).
It should be understood that the solution of the present embodiment enables a judgment to be made in the face of each of the following failure situations.
Fault situation one: an SPI interface fault causes the parameter value configured into the MMIC hardware to differ from the expected value, for example: the value of the expected configuration is "10", while that of the actual configuration is "9". In this case, the check operation of the lockstep core can detect the fault (i.e., steps S440 and S450 described above). Specifically, the lockstep core reads back the parameter value "9" configured in the MMIC hardware through the SPI interface, reads the expected configuration parameter "10" from the PFLASH, and compares "9" with "10". Because the lockstep core has higher reliability in data acquisition and comparison operations, this fault, if it occurs, can be detected through the verification operation of the lockstep core.
Fault situation two: the non-lockstep core does not perform the SPI configuration operation. If this occurs, the lockstep core can detect it during the verification operation (i.e., steps S440 and S450 described above). Specifically, suppose that after performing step S410 to obtain the configuration parameter "10", the non-lockstep core should go on to perform the interface configuration operation of step S420, but in practice step S420 is not performed and the core jumps directly to step S430 to notify the lockstep core that the configuration is complete (that is, the non-lockstep core has not actually performed the configuration but tells the lockstep core that it has). The lockstep core then performs the read-back through step S440, the read-back data is a random value, and the verification is then performed through step S450. Because the lockstep core has higher reliability in data acquisition and comparison operations, this fault, if it occurs, can be detected through the verification operation of the lockstep core.
Fault situation three: the interface through which the non-lockstep core notifies the lockstep core fails, so that the notification data is corrupted. In this case, the fault can be detected through the CRC check (i.e., step S430 described above).
It should be understood that, since a CRC field is added to the notification sent by the non-lockstep core to the lockstep core, the non-lockstep core, when transmitting data, calculates a value from the information contained in the transmitted data and attaches that value to the data; after receiving the data, the lockstep core performs the same calculation on the same data and should obtain the same result. If the data is corrupted during transmission, the two results do not match, and the corruption of the notification data can be detected.
Fault situation four: the interface through which the non-lockstep core notifies the lockstep core fails, so that the notification is not delivered in time. In this case, the watchdog time-consumption monitoring of the overall system software can detect the communication timeout. Specifically, the watchdog time-consumption monitoring records the time before the communication and again after the communication is completed, and then determines from the interval between the two times whether the communication time meets the requirement. For example, if the whole communication process may take at most 10 ms, but during the actual communication the interface through which the non-lockstep core notifies the lockstep core fails so that the notification is not made in time, the watchdog time-consumption monitoring observes that the interval between the two times exceeds 10 ms. Such a fault can therefore be detected if it occurs.
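The S410 to S450 flow and the four fault situations above can be exercised in a small host-side simulation. The following C code is an added example, not part of the patent text: PFLASH, the SPI link and the MMIC are simulated with arrays, and the CRC-16 polynomial, record layout, parameter values, elapsed times and fault-injection hooks are all assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not from the patent. Host-side simulation only:
 * PFLASH, SPI and the MMIC are plain arrays; the CRC polynomial, record
 * layout and 10 ms budget are assumptions made for this example. */
#define N_PARAMS    4
#define DEADLINE_MS 10u   /* watchdog budget for the notification (assumed) */

typedef enum { FAULT_NONE, FAULT_SPI_CORRUPT, FAULT_SKIP_CONFIG,
               FAULT_NOTIFY_CORRUPT, FAULT_NOTIFY_LATE,
               FAULT_FLASH_COPY0 } fault_t;
typedef enum { CFG_OK, CFG_ERR_FLASH, CFG_ERR_NOTIFY_CRC,
               CFG_ERR_TIMEOUT, CFG_ERR_MISMATCH } result_t;

typedef struct { uint8_t params[N_PARAMS]; uint16_t crc; } cfg_record_t;
typedef struct { uint8_t done; uint8_t n_params; uint16_t crc; } notify_t;

static cfg_record_t pflash[2];       /* two redundant copies, each with CRC */
static uint8_t mmic_regs[N_PARAMS];  /* simulated peripheral registers */

/* CRC-16/CCITT-FALSE: poly 0x1021, init 0xFFFF, no reflection. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)((uint16_t)(*p++) << 8);
        for (int i = 0; i < 8; i++)
            crc = (crc & 0x8000) ? (uint16_t)((crc << 1) ^ 0x1021)
                                 : (uint16_t)(crc << 1);
    }
    return crc;
}

/* Return the first PFLASH copy whose CRC is intact, or NULL if both are bad. */
static const cfg_record_t *load_cfg(void) {
    for (int i = 0; i < 2; i++)
        if (crc16(pflash[i].params, N_PARAMS) == pflash[i].crc)
            return &pflash[i];
    return NULL;
}

/* S410-S430 on the non-lockstep (QM) core; faults are injected here. */
static int qm_core_configure(fault_t f, notify_t *out, uint32_t *elapsed_ms) {
    const cfg_record_t *cfg = load_cfg();                        /* S410 */
    if (!cfg) return -1;
    if (f != FAULT_SKIP_CONFIG)                                  /* S420 */
        memcpy(mmic_regs, cfg->params, N_PARAMS);
    if (f == FAULT_SPI_CORRUPT) mmic_regs[0] = 9;   /* expected 10, got 9 */
    out->done = 1; out->n_params = N_PARAMS;                     /* S430 */
    out->crc = crc16((const uint8_t *)out, offsetof(notify_t, crc));
    if (f == FAULT_NOTIFY_CORRUPT) out->n_params ^= 0x01;  /* flip in transit */
    *elapsed_ms = (f == FAULT_NOTIFY_LATE) ? 25u : 3u;     /* simulated time */
    return 0;
}

/* S440-S450 on the lockstep (ASIL B) core, plus notification checks. */
static result_t lockstep_core_check(const notify_t *n, uint32_t elapsed_ms) {
    if (elapsed_ms > DEADLINE_MS) return CFG_ERR_TIMEOUT;   /* watchdog */
    if (crc16((const uint8_t *)n, offsetof(notify_t, crc)) != n->crc)
        return CFG_ERR_NOTIFY_CRC;
    const cfg_record_t *expected = load_cfg();  /* independent PFLASH read */
    if (!expected) return CFG_ERR_FLASH;
    uint8_t readback[N_PARAMS];
    memcpy(readback, mmic_regs, N_PARAMS);                       /* S440 */
    return memcmp(readback, expected->params, N_PARAMS) == 0     /* S450 */
           ? CFG_OK : CFG_ERR_MISMATCH;
}

/* Reset the simulated hardware, inject one fault, run the whole flow. */
result_t run_scenario(fault_t f) {
    static const uint8_t golden[N_PARAMS] = { 10, 0x3C, 0x01, 0x80 }; /* constructed */
    for (int i = 0; i < 2; i++) {
        memcpy(pflash[i].params, golden, N_PARAMS);
        pflash[i].crc = crc16(golden, N_PARAMS);
    }
    if (f == FAULT_FLASH_COPY0) pflash[0].params[1] ^= 0x40; /* damage copy 0 */
    memset(mmic_regs, 0xA5, N_PARAMS);      /* stale register contents */
    notify_t n; uint32_t elapsed = 0;
    if (qm_core_configure(f, &n, &elapsed) != 0) return CFG_ERR_FLASH;
    return lockstep_core_check(&n, elapsed);
}

int main(void) {
    static const char *name[] = { "OK", "ERR_FLASH", "ERR_NOTIFY_CRC",
                                  "ERR_TIMEOUT", "ERR_MISMATCH" };
    for (int f = FAULT_NONE; f <= FAULT_FLASH_COPY0; f++)
        printf("fault %d -> %s\n", f, name[run_scenario((fault_t)f)]);
    return 0;
}
```

The last scenario damages one stored copy and still configures correctly, because both cores fall back to the redundant copy whose CRC is intact.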
Optionally, the memory described in this application may be a memory in the MCU, or may be a memory independent of the MCU, and the attribution of the memory and the type of the memory are not limited in this application.
In summary, in this embodiment, the interface configuration is performed by the non-lockstep core and the check is performed by the lockstep core, so that the functional safety level (ASIL B) can be satisfied and the cost can be reduced while still meeting the performance requirement (i.e., releasing lockstep core resources).
Fig. 7 is a diagram illustrating an example of a configuration apparatus according to an embodiment of the present application. The configuration apparatus 700 is used for an MCU, the MCU includes a lockstep core and a non-lockstep core, optionally, the MCU may further include an interface, and the configuration apparatus 700 includes a processor 710.
The processor 710 is configured to: control the non-lockstep core to execute the interface configuration operation; and control the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
Optionally, the processor 710 may be further configured to: controlling the non-lockstep core to obtain configuration parameters from the memory; and controlling the non-lockstep core to configure the configuration parameters through the interface. The memory may be a memory in the MCU (as shown in the figure) or a memory (not shown) independent of the MCU, and the attribution of the memory and the type of the memory are not limited in the present application.
Optionally, the processor 710 may be further configured to: controlling the lockstep core to read back the configuration parameters from the interface; and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
Optionally, the processor 710 may be further configured to: controlling the lockstep core to read configuration parameters from the memory; and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
Optionally, the configuration parameters in the memory include a cyclic redundancy check (CRC) field.
Optionally, the configuration parameters in the memory are stored in a redundant manner.
Optionally, the processor 710 may be further configured to: controlling the non-lockstep core to send an interface configuration completion notification to the lockstep core.
Optionally, the non-lockstep core sends an interface configuration completion notification to the lockstep core, where the interface configuration completion notification includes a CRC check field.
Optionally, the processor 710 may be further configured to: controlling watchdog time-consumption monitoring to be performed.
Optionally, the MCU is a vehicle MCU, and based on the safety integrity level ASIL of the vehicle, the functional safety level of the lockstep core is ASIL B, and the functional safety level of the non-lockstep core is QM.
Fig. 8 is an exemplary block diagram of a hardware structure of an apparatus provided in an embodiment of the present application. The apparatus 800 (the apparatus 800 may be a computer device) includes a memory 810, a processor 820, a communication interface 830, and a bus 840. The memory 810, the processor 820 and the communication interface 830 are connected to each other through a bus 840.
The memory 810 may be a Read Only Memory (ROM), a static memory device, a dynamic memory device, or a Random Access Memory (RAM). The memory 810 may store a program, and the processor 820 is configured to perform the steps of the configuration method of the embodiments of the present application when the program stored in the memory 810 is executed by the processor 820.
The processor 820 may be a general-purpose Central Processing Unit (CPU), a microprocessor, an Application Specific Integrated Circuit (ASIC), a Graphics Processing Unit (GPU), or one or more integrated circuits, and is configured to execute related programs to implement the configuration method of the embodiment of the present application.
Processor 820 may also be an integrated circuit chip having signal processing capabilities. In implementation, the configuration method of the present application may be implemented by an integrated logic circuit of hardware or an instruction in the form of software in the processor 820.
The processor 820 may also be a general purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), an off-the-shelf programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The various methods, steps, and logic blocks disclosed in the embodiments of the present application may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in ram, flash, rom, prom, or eprom, registers, etc. as is well known in the art. The storage medium is located in the memory 810, and the processor 820 reads information in the memory 810, and completes, in combination with hardware of the processor, functions required to be performed by modules included in the apparatus according to the embodiment of the present application, or performs a configuration method according to the embodiment of the present application.
Communication interface 830 enables communication between apparatus 800 and other devices or communication networks using transceiver means such as, but not limited to, a transceiver.
Bus 840 may include a pathway to transfer information between various components of device 800, such as memory 810, processor 820, and communication interface 830.
The present application further provides a control system, which includes the configuration apparatus 700 described above.
It should be understood that the control system may be particularly, but not exclusively, a control system in a vehicle.
Alternatively, the vehicle referred to in the present application may be a car, a truck, a motorcycle, a bus, a boat, an airplane, a helicopter, a lawn mower, a recreational vehicle, a playground vehicle, construction equipment, a trolley, a golf cart, a train, a trolley, etc., and the embodiments of the present application are not particularly limited. The automobile can be a traditional internal combustion engine automobile, a hybrid electric automobile, a pure electric automobile, a centralized driving automobile, a distributed driving automobile and the like, and the application does not limit the automobile.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the technical solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solutions of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (24)
1. A configuration method is applied to a Micro Control Unit (MCU), the MCU comprises a lockstep core and a non-lockstep core, and the method comprises the following steps:
the non-lockstep core executes interface configuration operation;
and the lockstep core executes a checking operation to judge whether the interface configuration operation is successful.
2. The method of claim 1, wherein the MCU further comprises an interface, and wherein the non-lockstep core performing interface configuration operations comprises:
the non-lockstep core acquires configuration parameters from a memory;
and the non-lockstep core configures the configuration parameters through the interface.
3. The method of claim 2, wherein the lockstep core performing a check operation to determine whether the interface configuration operation was successful comprises:
the lockstep core reads the configuration parameters back from the interface;
and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
4. The method of claim 3, wherein the lockstep core determining whether the interface configuration operation is successful according to the configuration parameters read back from the interface comprises:
the lockstep core reads the configuration parameters from the memory;
and the lockstep core judges whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
5. The method according to any of claims 2 to 4, wherein the configuration parameters in the memory comprise a cyclic redundancy check (CRC) field.
6. The method according to any one of claims 2 to 5, wherein the configuration parameters in the memory are stored in a redundant manner.
7. The method of any of claims 1 to 6, wherein after the non-lockstep core performs the interface configuration operation, and before the lockstep core performs the check operation, the method further comprises:
and the non-lockstep core sends an interface configuration completion notification to the lockstep core.
8. The method of claim 7, wherein the interface configuration completion notification sent by the non-lockstep core to the lockstep core comprises a CRC check field.
9. The method according to any one of claims 1 to 8, further comprising:
watchdog time-consuming monitoring is performed.
10. The method according to any one of claims 1 to 9, wherein the MCU is an onboard MCU, and, based on an automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
11. A configuration apparatus, wherein the configuration apparatus is used for a micro control unit MCU, the MCU comprises a lockstep core and a non-lockstep core, the configuration apparatus comprises a processor, and the processor is configured to:
controlling the non-lockstep core to execute interface configuration operation;
and controlling the lockstep core to execute a check operation so as to judge whether the interface configuration operation is successful.
12. The apparatus of claim 11, wherein the MCU further comprises an interface, and wherein the processor is further configured to:
controlling the non-lockstep core to acquire configuration parameters from a memory;
and controlling the non-lockstep core to configure the configuration parameters through the interface.
13. The apparatus of claim 12, wherein the processor is further configured to:
controlling the lockstep core to read the configuration parameters back from the interface;
and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface.
14. The apparatus of claim 13, wherein the processor is further configured to:
controlling the lockstep core to read the configuration parameters from the memory;
and controlling the lockstep core to judge whether the interface configuration operation is successful according to the configuration parameters read back from the interface and the configuration parameters read from the memory.
15. The apparatus according to any of claims 12-14, wherein the configuration parameters in the memory comprise a cyclic redundancy check (CRC) field.
16. The apparatus according to any one of claims 12 to 15, wherein the configuration parameters in the memory are stored in a redundant manner.
17. The apparatus of any of claims 11 to 16, wherein the processor is further configured to:
and controlling the non-lockstep core to send an interface configuration completion notice to the lockstep core.
18. The apparatus of claim 17, wherein the non-lockstep core sends an interface configuration complete notification to the lockstep core including a CRC check field.
19. The apparatus of any of claims 11 to 18, wherein the processor is further configured to:
and controlling to perform watchdog time-consuming monitoring.
20. The apparatus of any of claims 11-19, wherein the MCU is an onboard MCU, and wherein, based on an automotive safety integrity level (ASIL), the functional safety level of the lockstep core is ASIL B and the functional safety level of the non-lockstep core is QM.
21. A controller comprising a processor and a memory, the memory for storing program instructions, the processor for invoking the program instructions to perform the configuration method of any of claims 1 to 10.
22. A control system comprising a configuration arrangement as claimed in any one of claims 11 to 20.
23. A vehicle, characterized by comprising the arrangement of any one of claims 11 to 20.
24. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored therein program instructions which, when executed by a processor, implement the configuration method of any one of claims 1 to 10.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110455520.1A CN115248703A (en) | 2021-04-26 | 2021-04-26 | Configuration method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115248703A true CN115248703A (en) | 2022-10-28 |
Family
ID=83695787
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202110455520.1A Pending CN115248703A (en) | 2021-04-26 | 2021-04-26 | Configuration method, device and system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||