CN117519812A - Software starting method, controller, vehicle and storage medium - Google Patents
- Publication number: CN117519812A (application CN202210907404.3A)
- Authority: CN (China)
- Prior art keywords: software, operating system, signature, value, certificate
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/445—Program loading or initiating
- G06F9/44505—Configuring for program initiating, e.g. using registry, configuration files
Abstract
The invention relates to a software starting method, a controller, a vehicle and a storage medium. The method comprises: loading the boot software, reading first verification information for the boot software from a one-time programmable (OTP) storage area, verifying the legitimacy of the boot software with the first verification information, and running the boot software only after verification passes; having the boot software load and verify the operating system software, and running the operating system software only after verification passes; and having the operating system software load and verify the application software, and running the application software only after verification passes. Hierarchical loading and verification lets a security problem be identified more quickly and precisely. Because the first verification information is preset in the OTP area, checking the boot software against it and running the boot software only after the check passes establishes the integrity and source legitimacy of the boot software, prevents it from being tampered with, and makes it a trustworthy source for the loading and verification of the later stages.
Description
Technical Field
The invention is applicable to the technical field of computers, and particularly relates to a software starting method, a controller, a vehicle and a storage medium.
Background
In the prior art, secure boot of multiple applications on vehicle-end embedded devices has several problems. An autonomous-driving domain controller in particular carries dozens or even hundreds of application programs, each with many functions, complex logic and a large code base. To meet the strict boot-time requirements of a vehicle, current boot methods either verify nothing or verify the integrity and source legitimacy of only a few specific applications. An attacker can therefore tamper with the applications that are not verified, or use vulnerabilities in them to attack the device and even the whole vehicle, so that the device or vehicle stops working normally or behaves unexpectedly, endangering vehicle functions and the user's person and property.
Therefore, how to achieve secure boot of the applications on a vehicle-end embedded device is a problem to be solved.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a software starting method, a controller, a vehicle and a storage medium, so as to solve the problem of secure boot of applications on existing vehicle-end embedded devices.
In a first aspect, a software start-up method is provided, the method comprising:
loading the boot software, reading first verification information for the boot software from a one-time programmable storage area, verifying the legitimacy of the boot software with the first verification information, and running the boot software after verification passes;
controlling the boot software to load and verify the operating system software, and running the operating system software after verification is passed;
and controlling the operating system software to load and verify the application software, and running the application software after verification is passed.
In a second aspect, there is provided a controller comprising:
a processor, a memory, and a computer program stored in the memory and executable on the processor, the processor implementing the software start-up method of the first aspect when executing the computer program.
In a third aspect, there is provided a vehicle comprising the controller of the second aspect.
In a fourth aspect, a computer readable storage medium is provided, the computer readable storage medium storing a computer program, which when executed by a processor implements the software start-up method according to the first aspect.
Compared with the prior art, the invention has the beneficial effects that:
The boot software, the operating system software and the application software are loaded and verified hierarchically, in that order, so a security problem can be identified more quickly and precisely. When the boot software is verified, its first verification information has been preset in the one-time programmable storage area; because that area can be written only once, the preset verification information is guaranteed to be trustworthy and serves as the root of trust. Verifying the legitimacy of the boot software against the first verification information, and running the boot software only after the check passes, establishes the integrity and source legitimacy of the boot software and prevents it from being tampered with. Because the boot software then verifies the operating system software, and the operating system software in turn verifies the application software, the hierarchical verification extends the trust established in the boot software to the later stages.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the embodiments or the description of the prior art will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of an application environment of a software start method according to an embodiment of the present invention;
FIG. 2 is a block diagram of device software and data storage for a software start method provided in a vehicle end according to an embodiment of the present invention;
FIG. 3 is a diagram of a device software package (i.e., a secure boot method software package) downloaded by a vehicle end from a cloud platform according to an embodiment of the present invention;
FIG. 4 is a flowchart of a software start-up method according to an embodiment of the present invention;
FIG. 5 is a flow chart of loading and verifying boot software provided by an embodiment of the present invention;
FIG. 6 is a flow chart of loading and validating operating system software provided by an embodiment of the invention;
FIG. 7 is a diagram of a certificate file structure provided in one embodiment of the present invention;
FIG. 8 is a flow chart of signature certificate verification for operating system software provided in an embodiment of the present invention;
FIG. 9 is a flow chart of loading and validating application software provided by an embodiment of the present invention;
FIG. 10 is a flow chart of signature certificate verification for application software provided in one embodiment of the present invention;
FIG. 11 is a flowchart illustrating a method for creating a software package according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a software start device according to an embodiment of the present invention;
Description of the reference numerals:
101. a packaging tool; 102. a cloud platform; 103. a vehicle end; 201. a system boot area; 202. a system recovery area; 203. a boot image area; 204. a system bottom program area; 205. an application area; 206. a log and data area; 207. a secure storage area; 301. boot software; 302. operating system software; 303. configuration file 1; 304. application software; 305. configuration file 2.
Detailed Description
In the following description, for purposes of explanation and not limitation, specific details are set forth such as the particular system architecture, techniques, etc., in order to provide a thorough understanding of the embodiments of the present invention. It will be apparent, however, to one skilled in the art that the present invention may be practiced in other embodiments that depart from these specific details. In other instances, detailed descriptions of well-known systems, devices, circuits, and methods are omitted so as not to obscure the description of the present invention with unnecessary detail.
It should be understood that the terms "comprises" and/or "comprising," when used in this specification and the appended claims, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof.
It should also be understood that the term "and/or" as used in the present specification and the appended claims refers to any and all possible combinations of one or more of the associated listed items, and includes such combinations.
As used in the present description and the appended claims, the term "if" may be interpreted as "when", "once", "in response to a determination" or "in response to detection", depending on the context. Similarly, the phrase "if it is determined" or "if a [described condition or event] is detected" may be interpreted, depending on the context, as "upon determination", "in response to determination", "upon detection of a [described condition or event]" or "in response to detection of a [described condition or event]".
Furthermore, the terms "first," "second," "third," and the like in the description of the present specification and in the appended claims, are used for distinguishing between descriptions and not necessarily for indicating or implying a relative importance.
Reference in the specification to "one embodiment" or "some embodiments" or the like means that a particular feature, structure, or characteristic described in connection with the embodiment is included in one or more embodiments of the invention. Thus, appearances of the phrases "in one embodiment," "in some embodiments," "in other embodiments," and the like in the specification are not necessarily all referring to the same embodiment, but mean "one or more but not all embodiments" unless expressly specified otherwise. The terms "comprising," "including," "having," and variations thereof mean "including but not limited to," unless expressly specified otherwise.
It should be understood that the sequence numbers of the steps in the following embodiments do not mean the order of execution, and the execution order of the processes should be determined by the functions and the internal logic, and should not be construed as limiting the implementation process of the embodiments of the present invention.
In order to illustrate the technical scheme of the invention, the following description is made by specific examples.
The software starting method provided by the embodiments of the present invention can be applied in the application environment shown in FIG. 1, which comprises a packaging tool 101, a cloud platform 102 and a vehicle end 103. The packaging tool 101 packages the device application programs and the complete software package and uploads the resulting software package to the software repository of the cloud platform 102. The cloud platform 102 comprises a PKI (Public Key Infrastructure) system, which signs each piece of software and returns its signature certificate, and a software repository, which is used to upload, store and download device software packages. The vehicle end 103 downloads the software and certificates, installs and runs the device software, and loads and verifies the whole software package and the application programs with the partition-based secure boot method described here. The device certificates and software can also be updated online via OTA (Over-the-Air) technology.
Referring to FIG. 2, the device software and data storage structure for the software starting method at the vehicle end 103: a separate storage partition is provided for each kind of program software. The storage areas are a system boot area 201, a system recovery area 202, a boot image area 203, a system bottom program area 204, an application area 205, a log and data area 206 and a secure storage area 207. Their contents are described below:
(1) The system boot area 201 stores the boot software, in both the internal FLASH area and the external FLASH area of the SoC. The boot software is loaded, verified and run from here, and from here the operating system kernel, the Init process and so on are started.
(2) The system recovery area 202 is used for storing system recovery software in the rescue mode, and entering the rescue mode to recover the system when the system is damaged and cannot be started normally.
(3) The boot image area 203 stores the image file and invokes the system recovery software in rescue mode.
(4) The system bottom program area 204 is used for storing operating system software and loading application programs.
(5) An application area 205 for storing application software.
(6) The log and data area 206 is used to store logs and data generated by operating system software and application software.
(7) A secure storage area 207 for keys, root certificates, signature certificates, and user information.
Referring to FIG. 3, the structure of the device software package (that is, the secure boot method software package) that the vehicle end 103 downloads from the cloud platform 102. The package is produced by the packaging tool 101 and uploaded to the cloud platform 102, and consists of:
Boot software 301: the two boot software images for the SoC internal and external FLASH areas.
Operating system software 302: the kernel and system image files such as the file system.
Configuration file 1 (303): the signature certificate and signature value of the operating system software.
Application software 304: the application images and application source code files, covering all applications, such as application 1, application 2, ..., application N.
Configuration file 2 (305): the signature certificate and signature value of the application software.
Referring to fig. 4, a flowchart of a software start-up method according to an embodiment of the present invention, the above-mentioned secure start-up method may be applied to the vehicle end 103 in fig. 1, and the software start-up method may include the following steps:
step S401, loading and verifying the boot software.
Specifically, as shown in fig. 5, loading and verifying the boot software includes:
in step S501, the device is powered on and boot software is loaded.
In this step, the device SoC (System on Chip) loads the boot software image file from the non-volatile storage area into memory according to the node information of the file partition, and computes the hash function value of the boot software image file.
Step S502, first verification information for the boot software is read from the one-time programmable storage area, and the legitimacy of the boot software is verified with the first verification information.
In this step, the device SoC reads the first verification information from the one-time programmable memory area, namely a first preset hash function value for the image file, and compares it with the hash function value just computed over the boot software image file. If the two hash function values are the same, the boot software is judged to have passed verification; if they differ, the system boot is judged to have failed. Because the OTP area pins the digest of one specific boot image, any change to the boot software, including a legitimate update, changes the digest and fails this check; the boot software is therefore immutable for the life of the device, which is what qualifies it as the root of trust for the later stages.
Step S402, running the boot software after it passes verification, having the boot software load and verify the operating system software, and running the operating system software after the operating system software passes verification. The step of verifying the operating system software is performed by the boot software.
Specifically, as shown in fig. 6, controlling the booting software to verify the operating system software includes:
Step S601, obtaining the configuration file of the operating system software. The configuration file of the operating system software contains the signature certificate and the signature value of the operating system software; the signature value was produced in advance by signing a mapping value of the operating system software with the first private key corresponding to the signature certificate, and the mapping value identifies the operating system software.
The mapping value that identifies the operating system software may be obtained with a hash function or determined by some other function, as long as it uniquely identifies the operating system software.
In this step, the first private key is held in the PKI's cryptographic signing device, and the first public key is carried in the signature certificate. The first private key is used to sign the mapping value, producing the signature value; the first public key is used to verify the signature value and so confirm the mapping value. The page describes verification as "decrypting the signature value with the public key to obtain the mapping value", which matches RSA-style signatures with message recovery. With ECDSA, which the ecPublicKey field of the certificate structure in FIG. 7 implies, there is no decryption step: the verifier hashes the image itself and passes the digest and the signature value to the verify operation, which returns only pass or fail. The specific signing and verification algorithm may be any existing one and is not described further here.
Step S602, the signature certificate and the signature value of the operating system software are utilized to obtain the mapping value of the operating system software.
In an example, the mapping value is obtained by a hash function, and the obtaining the mapping value of the operating system software by using the signature certificate and the signature value of the operating system software includes:
step S6021, reading the first public key from the signature certificate of the operating system software.
In this step, the public key of the signature certificate of the operating system software is parsed out according to the certificate file structure shown in FIG. 7: the subjectPublicKeyInfo structure under tbsCertificate, and the signatureValue structure under Certificate.
And step S6022, decrypting the signature value of the operating system software by using the first public key to obtain a first hash function value of the operating system software.
Wherein the decrypted first hash function value is used for verification of the operating system software in a subsequent step.
Step S603, verifying the operating system software through the mapping value of the operating system software.
In one example, validating the operating system software through the mapped value of the operating system software includes:
step S6031, calculating a second hash function value of the operating system software.
In this step, when the system boot software passes verification and starts to run, the operating system software image file is loaded from the nonvolatile storage area into the memory according to the node information of the file partition, and the hash function value of the operating system software image file is calculated, so as to obtain the second hash function value of the operating system software.
Step S6032, if the first hash function value is the same as the second hash function value, determining that the operating system software passes the verification.
In this step, comparing the decrypted first hash function value with the computed second hash function value is what verifies the legitimacy of the operating system software: if the two hash function values are the same, the operating system software is judged legitimate and the verification passes.
Step S6033, if the first hash function value is not the same as the second hash function value, determining that the operating system software verification is not passed.
In this step, when comparing the first hash function value obtained by decryption with the second hash function value obtained by calculation, if the two hash function values are different, it is determined that the operating system software is illegal, and the verification is failed.
The above steps S602 and S603 are performed based on the fact that the signature certificate of the operating system software is legal, and if the signature certificate of the operating system software is not legal, the operating system software cannot be accurately verified. Thus, verification of the signed certificate of the operating system software is required.
Based on the above considerations, in an example, as shown in fig. 8, before reading the first public key from the signature certificate of the operating system software, the method further includes:
Step S801, a root certificate is acquired, and a second public key is read from the root certificate.
In this step, according to the certificate file structure shown in FIG. 7, the subjectPublicKeyInfo structure under tbsCertificate is located following the ASN.1 encoding, the "ecPublicKey" field is found, and the public key value is read; this yields the public key of the root certificate, that is, the second public key.
The second public key is carried in the root certificate, and the private key paired with it is held in the PKI's cryptographic signing device. That private key was used to sign the mapping value of the operating system software's signature certificate, producing the signature value stored in the signature certificate; the second public key is used in the following steps to verify that signature value.
Step S802, reading a signature value from the signature certificate of the operating system software.
The signature value is generated by using a private key signature of a root certificate when the certificate is issued, and is stored in the signature certificate.
Step S803, decrypting the signature value in the signature certificate of the operating system software by using the second public key, to obtain a third hash function value of the signature certificate of the operating system software.
Wherein the decrypting results in a third hash function value of the signed certificate for verification of the signed certificate of the operating system software in a subsequent step.
Step S804, calculating a fourth hash function value of the signature certificate of the operating system software.
Step S805, if the third hash function value is the same as the fourth hash function value, determining that the signature certificate of the operating system software passes verification.
Steps S804 and S805 compare the hash function value recovered from the signature with the computed one: if the two hash function values are the same, the signature certificate is legitimate and the next step is entered; if they differ, the signature certificate of the operating system software is judged illegitimate and the system boot fails.
Correspondingly, in step S6021, reading the first public key from the signature certificate of the operating system software includes:
and reading the first public key from the signature certificate of the operating system software under the condition that the signature certificate of the operating system software passes verification.
Through the above steps S801 to S805, the purpose of verifying the signature certificate of the operating system software by using the root certificate is achieved.
And step S403, controlling the operating system software to load and verify the application software, and running the application software after verification is passed. Wherein the step of verifying the application software is performed by the operating system software.
Specifically, as shown in fig. 9, controlling the operating system software verification application software includes:
Step S901, obtaining a configuration file of the application software, where the configuration file of the application software includes a signature certificate and a signature value of the application software, where the signature value is obtained by encrypting a mapping value of the application software in advance through a second private key corresponding to the signature certificate, and the mapping value is used to identify the application software.
The mapping value for identifying the application software can be obtained through a hash function or can be determined through other functions, so long as the application software can be uniquely identified.
In this step, a key pair, the second private key and the third public key, is associated with the signature certificate of the application software: the certificate carries the third public key, and the second private key is held in the signing device. The second private key is used to sign the mapping value that identifies the application software, producing the signature value; the third public key is used to verify that signature value and so confirm the mapping value. The specific signing and verification algorithm may be any existing one and is not described further here.
In this step, after the application software is loaded, configuration file 2 (305) is located according to the application software package structure, and the signature certificate of the application software can be parsed from it for use in the subsequent steps.
And step S902, obtaining a mapping value of the application software by using the signature certificate and the signature value of the application software.
In an example, the mapping value is obtained by a hash function, and the obtaining the mapping value of the application software by using the signature certificate and the signature value of the application software includes:
step S9021 reads the third public key from the signature certificate of the application software.
And step S9022, decrypting the signature value of the application software by using the third public key to obtain a fifth hash function value of the application software.
Wherein the decrypted fifth hash function value is used for verifying the application software in the subsequent step.
Step S903, verifying the application software through the mapping value of the application software.
In an example, the verifying the application software by the mapping value of the application software includes:
step S9031, calculating a sixth hash function value of the application software.
In this step, when the operating system software passes the verification and starts to run, the operating system software finds the application program area 205 according to the node information of the file partition, loads the application software file from the nonvolatile storage area into the memory, calculates the hash function value of the application software file, and obtains the sixth hash function value of the application software.
Step S9032, if the fifth hash function value is the same as the sixth hash function value, determining that the application software passes the verification.
In this step, comparing the decrypted fifth hash function value with the computed sixth hash function value is what verifies the legitimacy of the application software: if the two hash function values are the same, the application software is judged legitimate and the verification passes.
Step S9033, if the fifth hash function value is different from the sixth hash function value, determining that the application software verification is not passed.
In this step, when comparing the decrypted fifth hash function value with the calculated sixth hash function value, if the two hash function values are different, it is determined that the application software is not legal and the verification is not passed.
In an example, as shown in fig. 10, before the reading of the third public key from the signature certificate of the application software, the method further includes:
step 1001, obtaining a root certificate and reading a second public key from the root certificate.
Step 1001 is similar to the acquisition of the second public key in step S801; see the description of step S801 for details. The second public key and its corresponding private key are used as follows: the private key encrypts the mapping value of the signature certificate of the application software to produce the signature value of that signature certificate, and the second public key is used to decrypt that signature value in a subsequent step.
Step 1002, reading a signature value from a signature certificate of the application software.
The signature value is generated by signing with the private key of the root certificate when the certificate is issued, and is stored in the signature certificate.
Step 1003, decrypting the signature value in the signature certificate of the application software by using the second public key to obtain a seventh hash function value of the signature certificate of the application software.
Decryption yields the seventh hash function value of the signature certificate, which is used to verify the signature certificate of the application software in a subsequent step.
Step 1004, calculating an eighth hash function value of the signature certificate of the application software.
Step 1005, determining that the signature certificate of the application software passes verification if the seventh hash function value is the same as the eighth hash function value.
Steps S1004 and S1005 compare the hash function value obtained by decryption with the one obtained by calculation: if the two hash function values are the same, the signature certificate is legitimate and the next step is entered; if they differ, the signature certificate of the application software is judged to be illegitimate and system start-up fails.
Correspondingly, in step S9021, reading the third public key from the signature certificate of the application software includes:
reading the third public key from the signature certificate of the application software if the signature certificate of the application software passes verification.
Through the above steps S1001 to S1005, the signature certificate of the application software is verified using the root certificate.
Both the verification of the signature certificate of the operating system software in steps S801 to S805 and the verification of the signature certificate of the application software in steps S1001 to S1005 rest on the root certificate being legitimate: if the root certificate is legitimate, the signature certificates of the operating system software and the application software can be verified reliably; if the root certificate is illegitimate, neither can be.
Based on the above considerations, in an example, before the second public key is read from the root certificate in step S701 and/or step 1001, the following root certificate verification process is also performed:
calculating a hash function value of the root certificate;
reading second verification information from the one-time programmable storage area, and comparing the hash function value of the root certificate with the second verification information to verify the root certificate.
Correspondingly, reading the second public key from the root certificate in step S701 and/or step 1001 comprises:
if the root certificate passes verification, reading the second public key from the root certificate.
In this step, the boot software reads the root certificate from the secure storage area (the root certificate having been programmed into the SOC secure storage area in advance) and calculates its hash function value; it then reads the second verification information (also a hash function value) preset for the root certificate from the one-time programmable storage area and compares the two values. If they are the same, the root certificate passes verification; if they differ, the root certificate fails verification.
Through steps S401 to S403, it can be verified that the source of the application software package is reliable and its integrity intact, so that each application program of the application software is started and run; the whole system then completes start-up and begins normal operation.
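The full verification chain described above, as an added example that is not the patent's code: the root certificate is checked against a hash held in one-time programmable storage, the application's signature certificate is checked with the root public key (steps 1001 to 1005), and the package hash recovered from the signature value is compared with a freshly computed hash (steps S9021 to S9033). Textbook RSA over a SHA-256 digest stands in for the patent's "decrypt the signature value with the public key"; the key sizes, the JSON certificate encoding, the package bytes and the OTP contents are all constructed here and are assumptions of the example, not details taken from the patent.

```python
"""Added example: three-level boot-chain verification (OTP -> root cert -> signing cert
-> package). Textbook RSA, demo key sizes, constructed data; not the patent's code."""
import hashlib
import json
import random

_rng = random.Random(2022)  # seeded for a repeatable demo; real keys come from a CSPRNG/HSM

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test, adequate for demo-sized keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def rsa_keypair(bits: int = 512):
    """Textbook RSA pair ((n, e), (n, d)); unpadded and demo-sized on purpose."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def sha256_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(priv, data: bytes) -> int:
    """Signature value: SHA-256 of the data 'encrypted' with the private key."""
    n, d = priv
    return pow(sha256_int(data), d, n)

def recover_hash(pub, sig: int) -> int:
    """The patent's 'decrypt the signature value with the public key'."""
    n, e = pub
    return pow(sig, e, n)

def cert_bytes(body: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes (assumed format)."""
    return json.dumps(body, sort_keys=True).encode()

def make_cert(subject: str, pub, issuer_priv) -> dict:
    body = {"subject": subject, "n": pub[0], "e": pub[1]}
    return {"body": body, "sig": sign(issuer_priv, cert_bytes(body))}

def verify_root_cert(root_body: dict, otp_hash: bytes) -> bool:
    """Computed root-certificate hash vs. the second verification information in OTP."""
    return hashlib.sha256(cert_bytes(root_body)).digest() == otp_hash

def verify_cert(cert: dict, issuer_pub) -> bool:
    """Steps 1002-1005: recovered (seventh) vs. computed (eighth) certificate hash."""
    return recover_hash(issuer_pub, cert["sig"]) == sha256_int(cert_bytes(cert["body"]))

def verify_package(package: bytes, config: dict, root_body: dict, otp_hash: bytes) -> str:
    """Returns 'ok' or the stage at which start-up must stop."""
    if not verify_root_cert(root_body, otp_hash):
        return "root certificate rejected"
    cert = config["signature_certificate"]
    if not verify_cert(cert, (root_body["n"], root_body["e"])):
        return "signature certificate rejected"
    app_pub = (cert["body"]["n"], cert["body"]["e"])  # public key read only after the cert passed
    # Steps S9021-S9033: recovered (fifth) vs. computed (sixth) package hash.
    if recover_hash(app_pub, config["signature_value"]) != sha256_int(package):
        return "application software rejected"
    return "ok"

def build_demo():
    """Constructed root certificate, OTP hash, signing certificate and signed package."""
    root_pub, root_priv = rsa_keypair()
    root_body = {"subject": "vehicle-root", "n": root_pub[0], "e": root_pub[1]}
    otp_hash = hashlib.sha256(cert_bytes(root_body)).digest()  # burned in at production
    app_pub, app_priv = rsa_keypair()
    config = {"signature_certificate": make_cert("app-signer", app_pub, root_priv)}
    package = b"constructed application package image"
    config["signature_value"] = sign(app_priv, package)
    return package, config, root_body, otp_hash
```

The order of the three checks matters: the signing public key is taken from the certificate only after that certificate has verified against the root, and the root itself is trusted only because its hash matches the write-once OTP value, which is exactly the dependency the text above describes. A production implementation would replace the textbook RSA with a padded signature scheme (PKCS#1 v1.5, PSS, or SM2/ECDSA) from a vetted library and would keep the private keys in the signing device rather than in memory.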
The system software partition secure start-up method of this embodiment has the following advantages:
(1) The hash function values of the boot software and the root certificate are preset in a one-time programmable storage area of the SOC. Since that area can be written only once, the preset hash function values are guaranteed to be reliable and serve as the trusted root. When the boot software is verified, the hash function values of the boot software and the root certificate are calculated and compared with the trusted root, and the boot software and root certificate are run and used only if the comparison matches. This verifies the integrity and source legitimacy of the boot software and root certificate, prevents them from being tampered with, and secures the source for the loading and verification of the later-stage software.
(2) The operating system software and the application software are separated, decoupling the underlying software from the application software. The two are placed in different storage partitions and loaded and verified in layers, operating system software first and application software second, so that problems can be identified more quickly and accurately and the security of multi-application start-up is improved. The separation also makes it easier to develop the two kinds of software independently and to apply different security techniques to each.
(3) When the operating system software and the application software are verified, the digital certificate is used directly for verification, and the public key is extracted only after the validity of the certificate has been verified, which ensures that the public key is legitimate.
(4) Because the boot software, the operating system software and the application software are partitioned separately, different certificates, hash functions and signature algorithms can be used flexibly for verification according to the differing requirements of security, package size and performance, avoiding the slow operation caused in the prior art by loading and verifying individual small files one by one.
In an embodiment, before the layered loading and verification of the boot software, the operating system software and the application software, the system software partition secure start-up method may further include:
downloading a software package containing the boot software, the operating system software and the application software from a cloud platform, the software package being produced by a software packaging tool; as shown in fig. 11, the method of producing the software package comprises the following steps:
Step 1101, obtaining the application package source code folder, which contains the application image file and the full application directory structure.
Step S1102, performing a digest operation on the entire application package to obtain a hash function value of the entire application package.
In this step, the hash function value of the application package can be calculated with an existing hash algorithm such as MD5, SHA-1, SHA-256 or SM3.
Step S1103, signing the hash function value of the application software package with the second private key of the signature certificate of the application software to obtain the signature value of the application software; the signature value of the application software is written into a configuration file (configuration file 305 in fig. 3) placed in the application software package.
In this step, signing uses a public signature algorithm such as SM2, RSA or ECC. The signature certificate uses a public format, such as an SM2, RSA or ECC certificate in X.509 v3 format.
In this step, the private key of the signature certificate of the application software is stored in an encryptor (hardware encryption device).
Step S1104, obtaining the operating system software image file and performing a digest operation on it to obtain the hash function value of the operating system software image file.
In this step, the digest operation can use an existing hash algorithm such as MD5, SHA-1, SHA-256 or SM3 to calculate the hash function value of the operating system software image file.
Step S1105, signing the hash function value with the first private key of the signature certificate of the operating system software to obtain the signature value of the operating system software; the signature value of the operating system software is written into a configuration file (configuration file 303 in fig. 3) placed in the operating system software package.
In this step, the private key of the signature certificate of the operating system software is stored in the encryptor.
Step 1106, packaging the application software package, the operating system software package and the boot software together, and uploading the whole package to the cloud platform.
In this step, the whole software package includes not only the application software package, the operating system software package and the boot software, but also each signature value and signature certificate. The software package is uploaded to the software warehouse of the cloud platform 102 for storage, and is flashed into the device during production or installed on the device by OTA upgrade.
The invention divides the device software into boot software and system software according to function and start-up stage, and uses a layered architecture to further divide the system software into operating system software and application software. Not only are the boot software and operating system software image files securely packaged and verified, but the entire application software package source folder is also digested and signed, then packaged together with the boot software and operating system software image files and released.
According to the overall structure diagram of the present invention, when software is released, the packaging tool 101 produces a software package according to the package structure shown in fig. 3 and uploads it to the software warehouse of the cloud platform 102. During device production, the hash function values of the boot software and the root certificate are written into the one-time programmable storage area inside the SOC to construct the 'trusted root'; then, following the device software and data storage structure shown in fig. 2, each piece of software and each certificate is written into the device and stored in its corresponding storage area. When the vehicle is powered on and the device runs, verification and operation follow the software start-up loading and verification flow shown in fig. 4, which ensures the source legitimacy and data integrity of each application and achieves secure start-up.
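Step S1102 digests "the entire application package", that is, a folder rather than a single image file, so the packaging tool needs a deterministic way to turn a directory tree into one hash. The following is an added example of such a digest (not the patent's packaging tool): the sample package layout, its file contents and the length-prefixed record format are assumptions of the example, and the folders are constructed in temporary directories so it runs offline.

```python
"""Added example: deterministic digest of a whole application package folder, as the
digest operation of step S1102 needs. Constructed sample data; not the patent's tool."""
import hashlib
import tempfile
from pathlib import Path


def package_digest(root: Path) -> str:
    """SHA-256 over every regular file under root, in sorted relative-path order.

    Each record is length-prefixed path followed by length-prefixed contents, so that
    renaming or moving a file, or shifting bytes between two files, changes the digest
    even though the concatenated file contents alone would not.
    """
    h = hashlib.sha256()
    files = [p for p in root.rglob("*") if p.is_file()]
    for path in sorted(files, key=lambda p: p.relative_to(root).as_posix()):
        rel = path.relative_to(root).as_posix().encode()
        data = path.read_bytes()
        h.update(len(rel).to_bytes(4, "big") + rel)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()


def write_tree(root: Path, files: dict) -> None:
    """Materialise a {relative path: bytes} mapping under root (constructed test data)."""
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def digest_of(files: dict) -> str:
    """Write the mapping to a fresh temporary folder and digest it."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(Path(tmp), files)
        return package_digest(Path(tmp))


def demo() -> dict:
    """Digest one constructed package, the same package written in a different order,
    a copy with an edited config file, and a copy with one library renamed."""
    files = {
        "app.img": b"constructed application image",
        "etc/app.conf": b"mode=prod\n",
        "lib/libhelper.so": b"\x7fELF constructed",
    }
    reordered = dict(reversed(list(files.items())))  # same files, written in another order
    tampered = dict(files, **{"etc/app.conf": b"mode=debug\n"})
    renamed = {("lib/libother.so" if k == "lib/libhelper.so" else k): v
               for k, v in files.items()}
    return {
        "original": digest_of(files),
        "reordered": digest_of(reordered),
        "tampered": digest_of(tampered),
        "renamed": digest_of(renamed),
    }
```

The digest covers file names and contents only; if the package format also carries permission bits, symlinks or empty directories that matter at run time, they have to be folded into the record too, otherwise the verifier at step S9031 cannot detect changes to them. Of the algorithms listed at step S1102, MD5 and SHA-1 have known collision attacks, so SHA-256 or SM3 is the practical choice for a signed package digest.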
In an embodiment, a controller (i.e. a computer device) is also proposed, as shown in fig. 12, the apparatus comprising:
at least one processor (only one shown in fig. 12), a memory, and a computer program stored in the memory and executable on the processor, which when executed implements the above software launch method.
The computer device may include, but is not limited to, a processor, a memory. It will be appreciated by those skilled in the art that fig. 12 is merely an example of a computer device and is not intended to be limiting, and that a computer device may include more or fewer components than shown, or may combine certain components, or different components, such as may also include a network interface, a display screen, an input device, and the like.
The processor may be a CPU, but may also be another general purpose processor, a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory includes a readable storage medium, an internal memory, etc., where the internal memory may be the memory of the computer device, the internal memory providing an environment for the execution of an operating system and computer-readable instructions in the readable storage medium. The readable storage medium may be a hard disk of a computer device, and in other embodiments may be an external storage device of the computer device, for example, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), etc. that are provided on the computer device. Further, the memory may also include both internal storage units and external storage devices of the computer device. The memory is used to store an operating system, application programs, boot loader (BootLoader), data, and other programs such as program codes of computer programs, and the like. The memory may also be used to temporarily store data that has been output or is to be output.
The present invention may be implemented in whole or in part by a computer program which, when executed by a processor, instructs the associated hardware to perform the steps of the method embodiments described above. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include at least: any entity or device capable of carrying computer program code, a recording medium, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), an electrical carrier signal, a telecommunications signal, and a software distribution medium, such as a U-disk, removable hard disk, magnetic disk or optical disk. In some jurisdictions, in accordance with legislation and patent practice, computer readable media may not include electrical carrier signals and telecommunications signals.
The present invention may also be implemented as a computer program product for implementing all or part of the steps of the method embodiments described above, when the computer program product is run on a computer device, causing the computer device to execute the steps of the method embodiments described above.
In an embodiment, a vehicle is also provided, which includes the controller described above; the controller, when executing the computer program, implements the above software start-up method.
In the foregoing embodiments, each embodiment is described with its own emphasis; for parts not described or illustrated in a particular embodiment, reference is made to the related descriptions of the other embodiments.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the embodiments provided by the present invention, it should be understood that the disclosed apparatus/computer device and method may be implemented in other manners. For example, the apparatus/computer device embodiments described above are merely illustrative, e.g., the division of modules or units is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection via interfaces, devices or units, which may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention, and are intended to be included in the scope of the present invention.
Claims (12)
1. A software start-up method, the method comprising the steps of:
loading the boot software, reading first verification information for the boot software from a one-time programmable storage area, verifying the legitimacy of the boot software by using the first verification information, and running the boot software after the verification is passed;
controlling the boot software to load and verify the operating system software, and running the operating system software after verification is passed;
controlling the operating system software to load and verify the application software, and running the application software after verification is passed.
2. The software start-up method of claim 1, wherein controlling the boot software to verify the operating system software comprises:
acquiring a configuration file of the operating system software, wherein the configuration file of the operating system software comprises a signature certificate and a signature value of the operating system software, the signature value is obtained by encrypting a mapping value of the operating system software in advance through a first private key corresponding to the signature certificate, and the mapping value is used for identifying the operating system software;
obtaining a mapping value of the operating system software by using the signature certificate and the signature value of the operating system software;
verifying the operating system software through the mapping value of the operating system software.
3. The software boot method according to claim 2, wherein the mapping value is obtained by a hash function, and the obtaining the mapping value of the operating system software using the signature certificate and the signature value of the operating system software includes:
reading a first public key from a signature certificate of the operating system software;
decrypting the signature value of the operating system software by using the first public key to obtain a first hash function value of the operating system software;
the verifying the operating system software through the mapping value of the operating system software comprises the following steps:
calculating a second hash function value of the operating system software;
if the first hash function value is the same as the second hash function value, determining that the operating system software passes verification;
if the first hash function value is different from the second hash function value, determining that the operating system software fails verification.
4. The software start-up method according to claim 3, wherein, before said reading of the first public key from the signature certificate of the operating system software, the method comprises:
acquiring a root certificate and reading a second public key from the root certificate;
reading a signature value from a signature certificate of the operating system software;
decrypting the signature value in the signature certificate of the operating system software by using the second public key to obtain a third hash function value of the signature certificate of the operating system software;
calculating a fourth hash function value of a signature certificate of the operating system software;
if the third hash function value is the same as the fourth hash function value, determining that the signature certificate of the operating system software passes verification;
the reading the first public key from the signed certificate of the operating system software includes:
reading the first public key from the signature certificate of the operating system software if the signature certificate of the operating system software passes verification.
5. The software start-up method of claim 1, wherein controlling the operating system software to verify the application software comprises:
acquiring a configuration file of the application software, wherein the configuration file of the application software comprises a signature certificate and a signature value of the application software, the signature value is obtained by encrypting a mapping value of the application software in advance through a second private key corresponding to the signature certificate, and the mapping value is used for identifying the application software;
obtaining a mapping value of the application software by using the signature certificate and the signature value of the application software;
verifying the application software through the mapping value of the application software.
6. The software start-up method of claim 5, wherein the mapping value is obtained by a hash function, and the obtaining the mapping value of the application software using the signature certificate and the signature value of the application software comprises:
reading a third public key from a signature certificate of the application software;
decrypting the signature value of the application software by using the third public key to obtain a fifth hash function value of the application software;
the verifying the application software through the mapping value of the application software comprises the following steps:
calculating a sixth hash function value of the application software;
if the fifth hash function value is the same as the sixth hash function value, determining that the application software passes verification;
if the fifth hash function value is different from the sixth hash function value, determining that the application software fails verification.
7. The software start-up method of claim 5, further comprising, before said reading a third public key from the signature certificate of the application software:
acquiring a root certificate and reading a second public key from the root certificate;
reading a signature value from a signature certificate of the application software;
decrypting the signature value in the signature certificate of the application software by using the second public key to obtain a seventh hash function value of the signature certificate of the application software;
calculating an eighth hash function value of a signature certificate of the application software;
if the seventh hash function value is the same as the eighth hash function value, determining that the signature certificate of the application software passes verification;
the reading of the third public key from the signature certificate of the application software comprises:
reading the third public key from the signature certificate of the application software if the signature certificate of the application software passes verification.
8. The software start-up method according to claim 4 or 7, wherein, before said reading of the second public key from the root certificate, the method further comprises:
calculating a hash function value of the root certificate;
reading second verification information from the one-time programmable memory area, and comparing the hash function value of the root certificate with the second verification information to verify the root certificate;
the reading of the second public key from the root certificate comprises:
if the root certificate passes verification, reading the second public key from the root certificate.
9. The software start-up method of claim 1, further comprising, before loading the boot software:
downloading a software package containing the boot software, the operating system software and the application software from a cloud platform.
10. A controller, the controller comprising: a processor, a memory and a computer program stored in the memory and executable on the processor, the processor implementing the software start-up method according to any one of claims 1 to 9 when the computer program is executed.
11. A vehicle comprising the controller of claim 10.
12. A computer readable storage medium storing a computer program, characterized in that the computer program when executed by a processor implements the software start-up method according to any one of claims 1 to 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210907404.3A CN117519812A (en) | 2022-07-29 | 2022-07-29 | Software starting method, controller, vehicle and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN117519812A true CN117519812A (en) | 2024-02-06 |
Family
ID=89742543
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||