CN118036018A - Method for updating operating system in secure element, related device and storage medium - Google Patents
Method for updating operating system in secure element, related device and storage medium Download PDFInfo
- Publication number
- CN118036018A CN118036018A CN202410331896.5A CN202410331896A CN118036018A CN 118036018 A CN118036018 A CN 118036018A CN 202410331896 A CN202410331896 A CN 202410331896A CN 118036018 A CN118036018 A CN 118036018A
- Authority
- CN
- China
- Prior art keywords
- memory
- updated
- storage space
- component data
- data portion
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003860 storage Methods 0.000 title claims abstract description 221
- 238000000034 method Methods 0.000 title claims abstract description 57
- 230000008859 change Effects 0.000 claims abstract description 55
- 238000004891 communication Methods 0.000 claims description 8
- 238000012795 verification Methods 0.000 claims description 6
- 238000004590 computer program Methods 0.000 claims description 3
- 230000006870 function Effects 0.000 description 31
- 230000008569 process Effects 0.000 description 11
- 238000010586 diagram Methods 0.000 description 9
- 238000007726 management method Methods 0.000 description 5
- 238000012986 modification Methods 0.000 description 5
- 230000004048 modification Effects 0.000 description 5
- 238000004140 cleaning Methods 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 2
- 238000013500 data storage Methods 0.000 description 2
- 238000004519 manufacturing process Methods 0.000 description 2
- 239000000203 mixture Substances 0.000 description 2
- 230000002093 peripheral effect Effects 0.000 description 2
- 238000012545 processing Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 238000012423 maintenance Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 238000007781 pre-processing Methods 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 239000004984 smart glass Substances 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/575—Secure boot
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The present disclosure provides a method for updating an operating system in a secure element, a related apparatus, and a storage medium. The updating method comprises the following steps: acquiring an update request of an operating system in the secure element, the operating system comprising an updateable component code portion and an updateable component data portion; under the condition that enough storage space is included in the memory to store the updated component code part, whether the component data part has a change is determined, if the component data part does not have a change, the updated component code part is stored in the memory, and under the condition that the component data part also includes enough storage space to store the updated component data part, the updated component data part is stored in the memory first and then the updated component code part is stored in the memory, the scale of upgrading and updating the COS is increased, and the upgrading efficiency of the COS is improved.
Description
Technical Field
The disclosure belongs to the technical field of information security, and in particular relates to a method for updating an operating system in a secure element, a related device and a storage medium.
Background
A Secure Element (SE) is an electronic Element with tamper-resistant functionality that can be installed on a terminal device to provide a Secure, confidential data storage and execution environment. The SE includes a chip operating system (Chip Operating System, COS), a secure element application (Applet), and memory. When the service flow of the terminal equipment changes and a new service is added, especially after the SE finishes the production, certain services are added or certain functions of the COS are changed according to the requirements of customers, so that the COS in the SE needs to be upgraded. In the related art, codes in COS are set in a modularized mode, an inlet address and an outlet address of each code module are defined, and calling relations of each code module are stored in a function table mode. When the COS is upgraded, the new version of code module and related data are required to be burnt into an idle storage area in a memory, then the new version of code module and related data are analyzed and written into a storage area which is divided in advance, and a function table item is required to be newly added in the function table correspondingly when one code module is newly added. Under the condition that the code in the COS is changed greatly, the condition that an idle storage area in a memory is insufficient for storing the newly added code module and related data thereof and the function table cannot accommodate the newly added function table items can occur, so that large-scale upgrading and updating of the COS cannot be performed, and the upgrading and updating efficiency of the COS is reduced.
Disclosure of Invention
In view of the above, the present disclosure provides a method for updating an operating system in a secure element, a related device and a storage medium, which aim to update a component data portion of a COS in a memory first, and then update a component code portion of the COS in the memory after successful update, without deliberately reserving an idle storage space and maintaining a function table, thereby increasing the scale of upgrading and updating the COS and improving the efficiency of upgrading and updating the COS.
According to a first aspect of the present disclosure, there is provided a method for updating an operating system in a secure element, including:
Acquiring an update request of an operating system in a secure element, the operating system comprising an updateable component code portion and an updateable component data portion;
Determining if there is a change to the component data portion, in the event that sufficient storage space is included in memory to store the updated component code portion, storing the updated component code portion in the memory if there is no change to the component data portion,
If there is a change to the component data portion, then storing the updated component data portion in the memory before storing the updated component code portion in the memory, if there is sufficient storage space in the memory to store the updated component data portion.
Optionally, the operating system further includes a fixed portion that is not updatable, the memory includes a first storage space, the first storage space is used for storing the fixed portion, the update request includes a patch file of the operating system, and after the update request of the operating system in the secure element is obtained, the update method further includes:
And determining whether the version of the operating system is consistent with the version of the patch file or not according to the check value of the fixed part and the storage address boundary information of the first storage space, and rejecting the update request if the version of the operating system is inconsistent with the version of the patch file.
Optionally, the memory includes a second storage space, a third storage space and a fourth storage space, where the second storage space is used to store the component code portion, the third storage space is used to store the component data portion, and the fourth storage space is used to store user data, and where the memory includes enough storage space to store the updated component code portion, determining whether there is a change in the component data portion includes:
Determining if there is sufficient storage for the updated component code portion in the second storage space, and if so, determining if there is a change in the component data portion;
Said storing said updated portion of component code in said memory if no change exists to said portion of component data, comprising:
Storing the updated component code portions in the second memory space.
Optionally, if the component data portion has a change, storing the updated component data portion in the memory first and then storing the updated component code portion in the memory if there is sufficient storage space in the memory to store the updated component data portion, including:
If there is a change to the component data portion, determining if there is sufficient storage of the updated component data portion in the third storage space, if so, storing the updated component data portion in the third storage space first, then storing the updated component code portion in the second storage space,
If not, determining whether the updated component data portions are sufficient to be stored in free space of the third and fourth storage spaces, and if so, storing the updated component data portions in free space of the third and fourth storage spaces first, and then storing the updated component code portions in the second storage space, and if not, rejecting the update request.
Optionally, where the memory includes sufficient memory space to store the updated component code portions, determining whether there is a change to the component data portion further includes:
determining whether the updated component code portions are sufficient to store in the second storage space, if not, determining whether the updated component code portions are sufficient to store in free space in the second storage space and the fourth storage space, if not, rejecting the update request, and if so, determining whether there is a change in the component data portions;
Said storing said updated component code portion in said memory if no change exists to said component data portion, further comprising:
Storing updated portions of the component code in free space of the second storage space and the fourth storage space.
Optionally, if the component data portion has a change, storing the updated component data portion in the memory first and then storing the updated component code portion in the memory if there is sufficient storage space in the memory to store the updated component data portion, including:
Determining if there is a change to the component data portion, if there is enough to store the updated component data portion in the third storage space, if there is enough, storing the updated component data portion in the third storage space first, then storing the updated component code portion in free space of the second storage space and the fourth storage space,
If not, determining whether the updated component data portions are still sufficient to be stored in free space of the third and fourth storage spaces, and if so, storing the updated component data portions in free space of the third and fourth storage spaces first, and then storing the updated component code portions in free space of the second and fourth storage spaces, and if not, rejecting the update request.
Optionally, after the rejecting the update request, the communication method further includes:
prompting a user to clear the user data in the fourth storage space and then resending the update request.
Optionally, after the memory stores the updated component code portion, the updating method further includes:
calculating a verification value of the updated component code portion;
and determining whether the calculated check value is consistent with an expected check value of the component code part updated in the update request, and if so, updating the operating system successfully.
Optionally, the operating system further comprises a component scheduler stored in a fixed location of the second storage space for providing access to a desired component interface method to a non-updatable fixed portion of the operating system.
According to a second aspect of the present disclosure, there is provided an updating apparatus of an operating system in a secure element, including:
an update request acquisition unit configured to acquire an update request of an operating system in a secure element, the operating system including an updatable component code portion and an updatable component data portion;
An operating system updating unit for determining if there is a change in the component data portion if there is sufficient storage space in memory to store the updated component code portion, and if there is no change in the component data portion, storing the updated component code portion in the memory,
If there is a change to the component data portion, then storing the updated component data portion in the memory before storing the updated component code portion in the memory, if there is sufficient storage space in the memory to store the updated component data portion.
According to a third aspect of the present disclosure, there is provided an electronic device comprising: a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor, implements the steps of the method as described above.
According to a fourth aspect of the present disclosure there is provided a storage medium having stored thereon a computer program or instructions which when executed by a processor, implement the steps of the method as described above.
The present disclosure brings the following beneficial effects:
The updating method provided by the disclosure determines whether the component data part is changed or not under the condition that the memory comprises enough storage space to store the updated component code part, if the component data part is not changed, the updated component code part is stored in the memory, if the component data part is changed, the updated component data part is stored in the memory first under the condition that the memory also comprises enough storage space to store the updated component data part, and then the updated component code part is stored in the memory, so that the memory is ensured to sufficiently store the updated component code part and the updated component data part under the condition that the memory resource is limited, and the hardware security level is ensured, and after the updating is successful, the updated component code part is stored in the memory first, and no free storage space and no maintenance function table are required to be reserved in the memory, and the to-be-updated component data part of the COS is not required to be exported (namely, the to-be-updated component data part is backed up), thereby increasing the scale of updating the COS and improving the updating efficiency of the COS.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be apparent from the description, or may be learned by practice of the disclosure. The objectives and other advantages of the disclosure will be realized and attained by the structure particularly pointed out in the written description and drawings.
The foregoing objects, features and advantages of the disclosure will be more readily apparent from the following detailed description of the preferred embodiments taken in conjunction with the accompanying drawings.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 is a schematic diagram of an update system for an operating system in a secure element according to one embodiment of the present disclosure;
FIG. 2 is a schematic diagram of a component architecture of a chip operating system provided in accordance with one embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the composition architecture of a memory in a secure element provided in accordance with one embodiment of the present disclosure;
FIG. 4 is a flow chart of a method for updating an operating system in a secure element according to one embodiment of the present disclosure;
FIG. 5 is a flow chart of a method for updating an operating system in a secure element according to one embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a communication device provided according to an embodiment of the present disclosure;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
Various embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. The same reference numbers will be used throughout the drawings to refer to the same or like parts. For clarity, the various features of the drawings are not drawn to scale.
The following terms are used herein:
A Secure Element (SE), which is an electronic Element with tamper-proof functionality, can be installed on a terminal device to provide a Secure, confidential data storage and execution environment. SE is composed of software and tamper-resistant hardware, supports a high level of security, such as SIM card, financial IC card, smart SD card, etc., and can operate with TEE. The SE includes a chip operating system (Chip Operating System, COS), secure element applications (applets), and memory for providing secure authentication, encryption, and data protection functions. COS is the operating system in the SE that is responsible for managing and controlling the functions and resources of the SE. The COS provides a series of APIs (application program interfaces) for accessing secure element applications (applets) and data in the SE. An Applet is a secure application in the SE that runs on the COS. The Applet may provide various security functions such as authentication, encryption, digital signature, etc. The memory may be used to store codes and related data for COS and applets, as well as sensitive data such as keys and certificates. Memory typically has a high degree of security and protection mechanisms to prevent unauthorized access and data leakage.
It is easy to understand that when the service flow of the terminal device changes and a new service is added, especially when the SE finishes the production, certain services are often added or certain functions of the COS are changed according to the needs of the client, and for this purpose, the COS in the SE needs to be updated. In the related art, a user implements upgrading COS at SE by interacting with an APDU (Application Protocol Data Unit ) implemented in SE with a boot loader COSBootLoader. This makes the role of a system floor administrator without higher authority, and once power failure occurs during the process of upgrading the COS in the SE, the entire COS may not be started normally, resulting in the SE being in a logically damaged state and unable to recover.
When the program codes of the COS are designed, the codes in the COS are arranged in a modularized mode, the inlet address and the outlet address of each code module are defined, and the calling relation of each code module is stored in a function table mode. When COS upgrading is carried out, the new version of code module and related data thereof are firstly burnt into an idle storage area of a memory in SE, then the new version of code module and related data thereof are analyzed and written into a storage area which is divided in advance, and a function table item is correspondingly required to be newly added in the function table when one code module is newly added. Under the condition that the code in the COS is changed greatly, the condition that an idle storage area of a memory in the SE is insufficient for storing the newly added code module and related data thereof and the function table cannot accommodate the newly added function table items can occur, so that large-scale upgrading and updating of the COS cannot be performed, and the upgrading and updating efficiency of the COS is reduced. Under the condition that the data structure of the system data in the COS is changed, the original upgrade module may not be processed correctly, and the system data needs to be read to the external processing of the SE and then written in a new mode, so that the security of the data in the SE is reduced.
Based on the above, the embodiment of the disclosure provides a COS updating method for upgrading COS in SE, so as to realize large-scale upgrading and updating of COS and improve upgrading and updating efficiency of COS on the premise of ensuring the security level of hardware under the condition of limited storage resources.
Fig. 1 is a schematic diagram of an update system of an operating system in a secure element according to an embodiment of the present disclosure. As shown in fig. 1, an update system 1000 provided in an embodiment of the present disclosure includes: a terminal device 100 and an upgrade server 200 connected via a network. The operating environments of the terminal device 100 include a rich execution environment (Rich Execution Environment, REE) 110, a trusted execution environment (Trusted Execution Environment, TEE) 120, and a SE 130. In some embodiments, the terminal device 100 is a communication device that can be used in a mobile state. The terminal device 100 includes a mobile phone, a mobile computer, a tablet computer, a Personal digital assistant (Personal DIGITAL ASSISTANT, PDA), a media player, a smart television, a smart watch, smart glasses, a smart bracelet, a smart car, a car-mounted terminal, and the like. In one example, terminal device 100 is a smart car and SE 130 is configured to implement a digital car key for the smart car.
In some embodiments, a rich operating system (Rich Operating System, ROS) 111 and client applications (Client Application, CA) 112 are deployed in the REEs 110. A trusted operating system (Trusted Operating System, TOS) 121 and a trusted application (Trusted Application, TA) 122 corresponding to the CA 112 in the re 110 are deployed in the TEE 120. In some embodiments, a chip operating system (Chip Operating System, COS) 131, and a secure element application (Applet) 132 corresponding to TA 122 in SE 130 are deployed in SE 130. Note that the REE 110 is low in security and is vulnerable to attacks. The TEE 120 is more secure than the REE 110, for example, to support functions such as verifying a payment environment in a payment service. The security of SE 130 is highest among REEs 110, TEE 120, and SE 130. In some embodiments, TEE 120 further includes a memory 123, where memory 123 is configured to store codes and related data for TOS121 and TA 122, as well as sensitive data such as keys. In some embodiments, SE 130 also includes memory 133, where memory 133 is used to store the codes and related data of COS131 and Applet 132, as well as sensitive data such as keys. In some embodiments, rich operating system 111, trusted operating system 121, and chip operating system 131 have communication interfaces (e.g., application programming interface (Application Programming Interface, API), serial peripheral interface (SERIAL PERIPHERAL INTERFACE, SPI), and serial two-wire interface (Inter-INTEGRATED CIRCUIT, I2C)), such that while CA 112, TA 122, and secure element application 132 operate in separate environments from each other, respectively, CA 112 and TA 122 may communicate by invoking a communication interface between rich operating system 111 and trusted operating system 121, and TA 122 and secure element application 132 may communicate by invoking a communication interface between trusted operating system 121 and chip operating system 131, such that CA 112 may use secure functionality provided by TEE 120 and SE 130. The REE 110, the TEE 120 and the SE 130 cooperate with each other so as to ensure the system security of the terminal equipment 100.
Fig. 2 is a schematic diagram of a component architecture of a chip operating system according to an embodiment of the disclosure. As shown in fig. 2, COS131 includes a non-updateable fixed portion 210 and an updateable component portion 220. The non-updateable fixed portion 210 may be considered "read-only firmware" as fixed code and data (e.g., system configuration parameters and system version information) stored in the memory 133 that cannot be modified or updated by a user. In some embodiments, non-updateable fixed portion 210 may include non-updateable fixed code portion 211 and non-updateable fixed data portion 212. The non-updateable fixed code part 211 may include a device driver 213, an operating system kernel function 214, and a COS updating means 215. The device driver 213 may provide hardware driver support for upper layers for managing and operating hardware devices. For example, device driver 213 is responsible for translating instructions of the operating system into signals that can be understood by the hardware, so that SE 130 can perform the corresponding operations, such as encryption and decryption, authentication, key management, etc. Operating system kernel function 214 is the kernel of the system and provides the basic functions and services of the operating system, such as process management, memory management, file system, etc. The COS updating device 215 has the highest authority for SE operation and is responsible for managing the entire lifecycle of the COS upgrade business process. It is easy to understand that the COS updating device 215 is a role of a high-authority system bottom manager, and once power failure occurs in the process of upgrading COS in the SE, a large amount of data with a complex structure can be recovered and upgraded on the premise of having the power failure protection characteristic, so that the SE is prevented from being in a logic damage state. In the case that the data structure of the system data in the COS is changed, the COS updating device 215 can process the system data correctly, and the system data does not need to be written in a new mode after being read to the external processing of the SE, so that the security of the data in the SE is improved. It is easy to understand that the COS updating device 215 is used to replace the function of COSBootLoader, so that the multiplexing degree is improved, various communication interfaces can be better adapted, and the expenditure of hardware resources is hardly worry.
In some embodiments, the non-updatable fixed data portion 212 may include relevant data for the device driver 213, the operating system kernel function 214, and the COS updating apparatus 215. In some embodiments, updateable component portion 220 may be considered code and data in COS131 that may be updated or modified, typically for adding new functionality, repairing vulnerabilities, or improving performance. The updateable component portion 220 may include an updateable component code portion 221 and an updateable component data portion 222. The updateable component code part 221 and the updateable component data part 222 are typically stored in the memory 133, and the COS131 may be updated by updating the component code part 221 and the component data part 222 stored in the memory 133.
Fig. 3 is a schematic diagram of a composition architecture of a memory in a secure element according to one embodiment of the present disclosure. As shown in fig. 3, the memory 133 includes a first storage space 310, a second storage space 320, a third storage space 330, and a fourth storage space 340. In some embodiments, the first storage space 310 is used to store the non-updateable fixed portion 210. In some embodiments, the first storage space 310 includes a first storage space 310a and a first storage space 310b. The first storage space 310a is used to store the non-updateable fixed code portion 211 and the first storage space 310b is used to store the non-updateable fixed data portion 212. In some embodiments, the second storage space 320 is used to store the updateable component code portion 221. It will be readily appreciated that in order to facilitate upgrading of the updateable component code part 221, an upgrade space may be reserved in the second storage space 320. In some embodiments, COS131 also includes a component scheduler (not shown) that may be stored in a fixed location (e.g., a starting location of storage space) of second storage space 320 for providing entry of the desired component interface method to non-updateable fixed portion 210 of COS131, which is invoked by a token of the interface method. In some embodiments, the third storage space 330 is used to store the updateable component data portion 222. It will be readily appreciated that in order to facilitate upgrading of the updateable component data portion 222, an upgrade space may be reserved in the third storage space 330. In some embodiments, fourth storage space 340 is used to store user data. It should be noted that the user data here may be code and data of the secure element application (Applet) 132 installed by the user.
In some embodiments, the first storage space 310, the second storage space 320, the third storage space and 330 the fourth storage space 340 in the memory 133 are assigned modification rights for the corresponding storage spaces in a manner that constrains the encoding design. In some embodiments, the non-updateable fixed code portion 211 in the first storage space 310a has the highest modification authority, which may modify data of any other storage space except its own storage space which cannot be modified. While the component code portion 221 in the second memory space 320 may only modify the data of the third memory space 330 and the fourth memory space 340. Thereby ensuring data security of the COS non-updatable portion.
In some embodiments, since the storage locations of the component function interface, the component data, and the user data may be changed after the COS131 is upgraded, the component scheduler may be stored in a fixed location in the second storage space 320 by configuring the distributed file during the software build process with reference to the embedded development platform KEIL IDE. In one example, the code that divides the memory 133 into memory spaces may be:
It will be appreciated that the implementation of the component scheduler may change for the non-updateable fixed portion 210 of the COS, but its unique function entry is fixed, so that any scenario can safely access the function interface of the updated updateable component portion 220.
In some embodiments, upgrade server 200 is configured to upgrade and update COS131 of SE 130 in terminal equipment 100. In some embodiments, upgrade server 200 receives a COS patch file (i.e., a portion of COS131 that needs to be upgraded and updated) sent by a software development apparatus, and stores the patch file according to a version number of the COS patch file. The upgrade server 200 establishes a connection with the terminal equipment 100, determines an upgrade requirement of the COS131 of the SE 130 in the terminal equipment 100 through interaction with the terminal equipment 100, and transmits a COS update request of the COS131 of the SE 130 to the terminal equipment 100. In some embodiments, terminal device 100 and SE 130 perform identity authentication, and in the event that the identity authentication passes, terminal device 100 sends a COS update request to SE 130 so that SE 130 is in a COS upgraded state. In some embodiments, COS updating apparatus 215 receives COS update requests and COS patch files sent by upgrade server 200 to terminal equipment 100, and updates COS131 in SE 130 according to the update methods provided by embodiments of the present disclosure. After successful update of COS131 in SE 130, SE 130 is caused to end the COS upgrade state and the COS upgrade result is returned to upgrade server 200.
It should be noted that, if the SE 130 is in the COS upgrade state, the non-updatable fixed portion 210 of the COS131 should avoid accessing the function interface of the updatable component portion 220 as much as possible, so that it can be ensured that the non-updatable fixed portion 210 of the COS131 in the SE 130 can still normally send and receive APDU instructions, logic damage caused by upgrade does not occur, and meanwhile, better robustness of the upgrade function of the COS131 in the SE 130 can be ensured. In the COS updating process, there may be a program run-away fault in accessing the function interface of the updatable component part 220, and since the SE 130 is still in the COS upgrading state, the SE can be recovered to normal use by re-powering up at this time, and the result of the COS updating failure can be returned to the external entity, waiting for the relevant personnel to remove and locate the failure cause, and then re-performing the COS upgrading.
Fig. 4 is a flowchart of a method for updating an operating system in a secure element according to an embodiment of the present disclosure. The update method in the embodiment of the present disclosure may be performed by the COS update device 215. As shown in fig. 4, the updating method includes:
In step S410, an update request is obtained for an operating system in the secure element, the operating system comprising an updateable component code portion and an updateable component data portion.
In some embodiments, COS updating apparatus 215 receives COS update requests sent by upgrade server 200 to terminal device 100. The patch file of COS131 is included in the COS update request. In some embodiments, it may be determined whether the version of the COS131 is consistent with the version of the patch file based on the verification value of the non-updatable fixed portion 210 of the COS131 and the storage address boundary information of the first storage space 310, and if not, the COS update request is denied. In one example, if the check value of the non-updatable fixed portion 210 of the COS131 and the storage address boundary information of the first storage space 310 do not match the expected check value and the expected storage address boundary information of the non-updatable fixed portion 210 of the COS131 included in the COS update request, the COS update request is denied and the denial is returned to the COS update device 215 because the system version is inconsistent. At this time, the COS updating device 215 has three selection operations, the first selection operation is to update and upgrade the COS131 by using the same system version; the second selection operation is to forcedly upgrade the COS131, in which case, the COS updating device 215 may consider that the system versions are inconsistent, but the two are compatible, which is an option that needs to be used carefully, and in order to be safer, in some application scenarios, some stricter verification conditions may be set, and even the second selection operation is not supported directly; the third option is to download the latest version of COS131 directly, but this is not possible to recover the data and is the most careful option.
It will be appreciated that by verifying the non-updatable fixed portion 210 during a COS update, the COS version management complexity and thus the COS version management cost can be effectively reduced.
In step S420, in the case that sufficient storage space is included in the memory to store the updated component code portion, it is determined whether there is a change in the component data portion, if there is no change in the component data portion, the updated component code portion is stored in the memory, and if there is a change in the component data portion, the updated component data portion is stored in the memory first and then in the memory, if there is also sufficient storage space to store the updated component data portion.
In some embodiments, it may be determined whether there is sufficient storage of the updated component code portion 221 in the second storage space 320 and if there is sufficient storage of the updated component code portion 221 in the second storage space 320, it is determined whether there is a change in the component data portion 222. If there is no change to the component data portion 222, the updated component code portion 221 is updated directly, i.e., the updated component code portion 221 is stored in the second storage space 320. In some embodiments, if there is a change to the component data portion 222, a determination is made as to whether there is sufficient storage of the updated component data portion 222 in the third storage space 330. If the third storage space 330 is sufficient to store the updated component data portion 222, the component data portion 222 is updated first, and after the update is successful, the updated component code portion 221 is updated, i.e., the updated component data portion 222 is stored in the third storage space 330 and the updated component code portion 221 is stored in the second storage space 320. It will be appreciated that in the case of less COS modification, the updated component code portion 221 and/or the updated component data portion 222 need not be parsed and updated almost directly into the target storage space, and thus, the COS update and upgrade can be completed more efficiently. In some embodiments, if there is insufficient storage of the updated component data portion 222 in the third storage space 330, a determination is made as to whether there is sufficient storage of the updated component data portion 222 in free space in the third storage space 330 and the fourth storage space 340. If the updated component data portion 222 is sufficiently stored in the free spaces of the third memory space 330 and the fourth memory space 340, the updated component code portion 221 is updated after the updating of the component data portion 222 is successful, i.e., the updated component data portion 222 is stored in the free spaces of the third memory space 330 and the fourth memory space 340 and the updated component code portion 221 is stored in the second memory space 320. In some embodiments, if there is insufficient storage of updated component data portion 222 in the free space of third storage space 330 and fourth storage space 340, the update request is denied and the denial is returned to COS updating apparatus 215 because the free space of fourth storage space 340 is insufficient. In some embodiments, the user may be prompted to resend the COS update request after cleaning (moving) the user data in fourth storage space 340.
In some embodiments, it is determined whether there is sufficient storage of the updated component code portion 221 in the second storage space 320, and if there is insufficient storage of the updated component code portion 221 in the second storage space 320, it is determined whether there is sufficient storage of the updated component code portion 221 in free space of the second storage space 320 and the fourth storage space 340. In some embodiments, if there is insufficient storage of updated component code portion 221 in free space in second storage space 320 and fourth storage space 340, the update request is denied and the denial is returned to COS update apparatus 215 because free space in fourth storage space 340 is insufficient. In some embodiments, the user may be prompted to resend the COS update request after cleaning (moving) the user data in fourth storage space 340. In some embodiments, if there is sufficient storage of updated component code portion 221 in free space of second storage space 320 and fourth storage space 340, then a determination is made as to whether there is a change to component data portion 222. In some embodiments, if there is no change to the component data portion 222, the updated component code portion 221 is updated directly, i.e., the updated component code portion 221 is stored in free space of the second storage space 320 and the fourth storage space 340.
In some embodiments, if there is a change to the component data portion 222, a determination is made as to whether there is sufficient storage of the updated component data portion 222 in the third storage space 330. If the third memory space 330 is sufficient to store the updated component data portion 222, the component data portion 222 is updated first, and after the update is successful, the updated component code portion 221 is updated, i.e., the updated component data portion 222 is stored in the third memory space 330 and the updated component code portion 221 is stored in the free space of the second memory space 320 and the fourth memory space 340. In some embodiments, if there is insufficient storage of the updated component data portion 222 in the third storage space 330, a determination is made as to whether there is still sufficient storage of the updated component data portion 222 in free space in the third storage space 330 and the fourth storage space 340. If the updated component data portion 222 is still sufficiently stored in the free spaces of the third memory space 330 and the fourth memory space 340, the updated component code portion 221 is updated after the updating of the component data portion 222 is successful, i.e., the updated component data portion 222 is stored in the free spaces of the third memory space 330 and the fourth memory space 340, and the updated component code portion 221 is stored in the free spaces of the second memory space 320 and the fourth memory space 340. In some embodiments, if there is insufficient storage of updated component data portion 222 in the free space of third storage space 330 and fourth storage space 340, the update request is denied and the denial is returned to COS updating apparatus 215 because the free space of fourth storage space 340 is insufficient. In some embodiments, the user may be prompted to resend the COS update request after cleaning (moving) the user data in fourth storage space 340.
In some embodiments, the expected check value of the updated component code portion 221 is included in the update request. After storing the updated component code portion 221 in the memory 133 (i.e., after the COS update is completed), the check value of the updated component code portion 221 is calculated, it is determined whether the calculated check value and the expected check value in the update request agree, and if so, the COS131 update is successful.
In the case of storing the updated component data portion 222 and/or the updated component code portion 221 in the free space of the fourth storage space 340, it is necessary to ensure that information related to the storage space, such as reference data and address offset, in the fourth storage space 340 can be updated correctly after data movement.
It should be noted that, the updated component data portion 222 is stored in the memory 133, and the free space of the entire third storage space 330 and the fourth storage space 340 is available space, and the appropriate component data recovery algorithm program is used in combination with the functions of page protection and transaction protection and the backup space thereof, and the temporary RAM area is fully utilized for data preprocessing, so that the size of the required backup space can be further reduced, and therefore, the situation of insufficient backup space is not considered.
It should be noted that, in the case that the memory 133 further includes enough storage space to store the updated component data portion, the updated component data portion 222 is stored in the memory 133 first, and then the updated component code portion 221 is stored in the memory 133, because there is enough persistent storage space as a backup area, fault tolerance is increased, and the risk that the data is lost and cannot be backed up in the event of a power failure, for example, can be effectively prevented.
Fig. 5 is a flowchart of a method for updating an operating system in a secure element according to an embodiment of the present disclosure. The update method in the embodiment of the present disclosure may be performed by the COS update device 215. As shown in fig. 5, the updating method includes:
In step S501, it may be determined whether the version of the COS131 is consistent with the version of the patch file based on the verification value of the non-updatable fixed part 210 of the COS131 and the storage address boundary information of the first storage space 310, and if not, step S502 is performed, and if so, step S503 is performed.
In step S502, the COS update request is rejected, and the rejection is returned to the COS updating device 215 because the system version is inconsistent. At this time, the COS updating device 215 has three selection operations, the first selection operation is to update and upgrade the COS131 by using the same system version; the second selection operation is to forcedly upgrade the COS131, in which case, the COS updating device 215 may consider that the system versions are inconsistent, but the two are compatible, which is an option that needs to be used carefully, and in order to be safer, in some application scenarios, some stricter verification conditions may be set, and even the second selection operation is not supported directly; the third option is to download the latest version of COS131 directly, but this is not possible to recover the data and is the most careful option.
In step S503, it is determined whether or not it is sufficient to store the updated component code portion 221 in the second storage space 320, and if so, step S504 is performed, and if not, step S505 is performed.
In step S504, it is determined whether there is a change in the component data part 222. If there is no change, step S506 is executed, and if there is a change, step S507 is executed.
In step S506, the updated component code portion 221 is updated directly, i.e. the updated component code portion 221 is stored in the second storage space 320.
In step S507, it is determined whether or not it is sufficient to store the updated component data portion 222 in the third storage space 330, and if so, step S508 is performed, and if not, step S509 is performed.
In step S508, the component data portion 222 is updated, and after the updating is successful, the updated component code portion 221 is updated, that is, the updated component data portion 222 is stored in the third storage space 330, and then the updated component code portion 221 is stored in the second storage space 320.
In step S509, it is determined whether or not it is sufficient to store the updated component data portion 222 in the free spaces of the third storage space 330 and the fourth storage space 340, and if so, step S510 is performed, and if not, step S511 is performed.
In step S510, the component data portion 222 is updated, and after the updating is successful, the updated component code portion 221 is updated, that is, the updated component data portion 222 is stored in the free space of the third storage space 330 and the fourth storage space 340, and then the updated component code portion 221 is stored in the second storage space 320.
In step S511, the update request is rejected, and the rejection is returned to the COS updating device 215 because the free space of the fourth storage space 340 is insufficient. In some embodiments, the user may be prompted to resend the COS update request after cleaning (moving) the user data in fourth storage space 340.
In step S505, it is determined whether or not it is sufficient to store the updated component code portions 221 in the free spaces of the second storage space 320 and the fourth storage space 340. If not, step S511 is performed, and if so, step S512 is performed.
In step S512, it is determined whether there is a change in the component data part 222. If there is no change, step S513 is performed, and if there is a change, step S514 is performed.
In step S513, the updated component code portions 221 are updated directly, i.e. the updated component code portions 221 are stored in free space of the second storage space 320 and the fourth storage space 340.
In step S514, it is determined whether or not it is sufficient to store the updated component data portion 222 in the third storage space 330. If sufficient, step S515 is performed, and if insufficient, step S516 is performed.
In step S515, the updated component data portion 222 is updated, and after the updating is successful, the updated component code portion 221 is updated, that is, the updated component data portion 222 is stored in the third storage space 330, and then the updated component code portion 221 is stored in the free spaces of the second storage space 320 and the fourth storage space 340.
In step S516, it is determined whether it is sufficient to store the updated component data portion 222 in the free space of the third storage space 330 and the fourth storage space 340. If it is still sufficient, step S517 is performed, and if it is not sufficient, step S511 is performed.
In step S517, the component data portion 222 is updated, and after the updating is successful, the updated component code portion 221 is updated, that is, the updated component data portion 222 is stored in the free space of the third storage space 330 and the fourth storage space 340, and then the updated component code portion 221 is stored in the free space of the second storage space 320 and the fourth storage space 340.
Since the specific process of updating the COS131 in the SE 130 is described in detail above, it is not repeated here.
Fig. 6 shows a schematic structural diagram of an updating device of an operating system in a secure element according to an embodiment of the present disclosure. The updating means may be located in SE 130. As shown in fig. 6, the updating apparatus 600 includes an update request acquisition unit 610 and an operating system updating unit 620.
An update request acquiring unit 610 is configured to acquire an update request of an operating system in the secure element, where the operating system includes an updateable component code portion and an updateable component data portion.
An operating system updating unit 620, configured to determine whether there is a change in the component data portion if there is enough storage space in the memory to store the updated component code portion, store the updated component code portion in the memory if there is no change in the component data portion, and store the updated component data portion in the memory first if there is enough storage space in the memory to store the updated component data portion if there is a change in the component data portion, and store the updated component code portion in the memory.
Since the specific process of updating the COS131 in the SE 130 is described in detail above, it is not repeated here.
The embodiment of the disclosure further provides an electronic device, as shown in fig. 7, including a memory 720, a processor 710, and a program stored in the memory 720 and capable of running on the processor 710, where the program, when executed by the processor 910, can implement each process of each embodiment of the update method, and achieve the same technical effects, and for avoiding repetition, will not be repeated herein.
Those of ordinary skill in the art will appreciate that all or a portion of the steps of the various methods of the above embodiments may be performed by instructions or by controlling associated hardware, which may be stored in a computer-readable storage medium and loaded and executed by a processor. To this end, the embodiments of the present disclosure also provide a storage medium having stored thereon a computer program or instructions which, when executed by a processor, can implement the respective processes of the embodiments of the above-described updating method.
The steps in the update method provided by the embodiment of the present disclosure may be executed by the instructions stored in the storage medium, so that the beneficial effects that can be achieved by the update method provided by the embodiment of the present disclosure may be achieved, which are detailed in the previous embodiments and are not described herein. The specific implementation of each operation above may be referred to the previous embodiments, and will not be described herein.
In summary, according to the embodiments of the present disclosure, under the condition that a memory includes enough storage space to store an updated component code portion, it is determined whether the component data portion has a change, if the component data portion does not have a change, the updated component code portion is stored in the memory, if the component data portion also includes enough storage space to store an updated component data portion in the memory, the updated component data portion is stored in the memory first, and then the updated component code portion is stored in the memory, so that under the condition that storage resources are limited, it is ensured that the memory is enough to store the updated component code portion and the updated component data portion, and on the premise that a hardware security level is ensured, the updated component code portion is stored in the memory first, and after the update is successful, it is unnecessary to reserve a free storage space in advance, maintain a function table in the memory, and it is unnecessary to export the component data portion to be updated of the COS (i.e., backup the component data portion to be updated of the COS), thereby increasing the scale of updating and updating efficiency of the COS.
Finally, it should be noted that: it is apparent that the above examples are merely illustrative of the present disclosure and are not limiting of the embodiments. Other variations or modifications of the above teachings will be apparent to those of ordinary skill in the art. It is not necessary here nor is it exhaustive of all embodiments. And obvious variations or modifications thereof are contemplated as falling within the scope of the present disclosure.
Claims (12)
1. A method of updating an operating system in a secure element, comprising:
Acquiring an update request of an operating system in a secure element, the operating system comprising an updateable component code portion and an updateable component data portion;
Determining if there is a change to the component data portion, in the event that sufficient storage space is included in memory to store the updated component code portion, storing the updated component code portion in the memory if there is no change to the component data portion,
If there is a change to the component data portion, then storing the updated component data portion in the memory before storing the updated component code portion in the memory, if there is sufficient storage space in the memory to store the updated component data portion.
2. The updating method according to claim 1, wherein the operating system further includes a fixed portion that is not updatable, the memory includes a first storage space therein, the first storage space is used to store the fixed portion, the update request includes a patch file of the operating system, and after the update request of the operating system in the secure element is obtained, the updating method further includes:
And determining whether the version of the operating system is consistent with the version of the patch file or not according to the check value of the fixed part and the storage address boundary information of the first storage space, and rejecting the update request if the version of the operating system is inconsistent with the version of the patch file.
3. The updating method according to claim 1, wherein the memory includes a second memory space for storing the component code portion, a third memory space for storing the component data portion, and a fourth memory space for storing user data, and the determining whether there is a change in the component data portion in the case where the memory includes enough memory space to store the updated component code portion, includes:
Determining if there is sufficient storage for the updated component code portion in the second storage space, and if so, determining if there is a change in the component data portion;
Said storing said updated portion of component code in said memory if no change exists to said portion of component data, comprising:
Storing the updated component code portions in the second memory space.
4. A method of updating according to claim 3, wherein, if there is a change to the component data portion, storing the updated component data portion in the memory first and then storing the updated component code portion in the memory if there is sufficient storage space in the memory to store the updated component data portion, comprises:
If there is a change to the component data portion, determining if there is sufficient storage of the updated component data portion in the third storage space, if so, storing the updated component data portion in the third storage space first, then storing the updated component code portion in the second storage space,
If not, determining whether the updated component data portions are sufficient to be stored in free space of the third and fourth storage spaces, and if so, storing the updated component data portions in free space of the third and fourth storage spaces first, and then storing the updated component code portions in the second storage space, and if not, rejecting the update request.
5. The updating method according to claim 3, wherein, in a case where the memory includes enough memory space to store the updated component code portion, determining whether there is a change in the component data portion, further comprises:
determining whether the updated component code portions are sufficient to store in the second storage space, if not, determining whether the updated component code portions are sufficient to store in free space in the second storage space and the fourth storage space, if not, rejecting the update request, and if so, determining whether there is a change in the component data portions;
Said storing said updated component code portion in said memory if no change exists to said component data portion, further comprising:
Storing updated portions of the component code in free space of the second storage space and the fourth storage space.
6. The updating method according to claim 5, wherein, if there is a change in the component data portion, storing the updated component data portion in the memory first and then storing the updated component code portion in the memory if there is enough storage space in the memory to store the updated component data portion, comprises:
Determining if there is a change to the component data portion, if there is enough to store the updated component data portion in the third storage space, if there is enough, storing the updated component data portion in the third storage space first, then storing the updated component code portion in free space of the second storage space and the fourth storage space,
If not, determining whether the updated component data portions are still sufficient to be stored in free space of the third and fourth storage spaces, and if so, storing the updated component data portions in free space of the third and fourth storage spaces first, and then storing the updated component code portions in free space of the second and fourth storage spaces, and if not, rejecting the update request.
7. The updating method according to claim 4 or 6, wherein after the rejecting the updating request, the communication method further comprises:
prompting a user to clear the user data in the fourth storage space and then resending the update request.
8. The updating method according to claim 1, wherein the updating method further comprises, after the memory stores the updated component code portions:
calculating a verification value of the updated component code portion;
and determining whether the calculated check value is consistent with an expected check value of the component code part updated in the update request, and if so, updating the operating system successfully.
9. The update method of claim 3, wherein the operating system further comprises a component scheduler stored in a fixed location of the second storage space for providing access to a desired component interface method to a non-updateable fixed portion of the operating system.
10. An apparatus for updating an operating system in a secure element, comprising:
an update request acquisition unit configured to acquire an update request of an operating system in a secure element, the operating system including an updatable component code portion and an updatable component data portion;
An operating system updating unit for determining if there is a change in the component data portion if there is sufficient storage space in memory to store the updated component code portion, and if there is no change in the component data portion, storing the updated component code portion in the memory,
If there is a change to the component data portion, then storing the updated component data portion in the memory before storing the updated component code portion in the memory, if there is sufficient storage space in the memory to store the updated component data portion.
11. An electronic device, comprising: a processor, a memory and a program stored on the memory and executable on the processor, which when executed by the processor, implements the steps of the method according to any one of claims 1 to 9.
12. A storage medium having stored thereon a computer program or instructions which, when executed by a processor, implement the steps of the method of any of claims 1 to 9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410331896.5A CN118036018A (en) | 2024-03-22 | 2024-03-22 | Method for updating operating system in secure element, related device and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202410331896.5A CN118036018A (en) | 2024-03-22 | 2024-03-22 | Method for updating operating system in secure element, related device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN118036018A true CN118036018A (en) | 2024-05-14 |
Family
ID=90984194
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202410331896.5A Pending CN118036018A (en) | 2024-03-22 | 2024-03-22 | Method for updating operating system in secure element, related device and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN118036018A (en) |
-
2024
- 2024-03-22 CN CN202410331896.5A patent/CN118036018A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP5475743B2 (en) | Persistence service provider | |
| JP5508502B2 (en) | Persistent service agent | |
| US7860970B2 (en) | Secure initialization of intrusion detection system | |
| US8898797B2 (en) | Secure option ROM firmware updates | |
| US20140298485A1 (en) | Persistent agent supported by processor | |
| US20060086785A1 (en) | Portable electronic apparatus and method of updating application in portable electronic apparatus | |
| CN102236764B (en) | Method and monitoring system for Android system to defend against desktop information attack | |
| EP2727040B1 (en) | A secure hosted execution architecture | |
| US20070192580A1 (en) | Secure remote management of a TPM | |
| JP2004530984A (en) | Pre-boot authentication system | |
| CN103988206A (en) | Method for the dynamic creation of an application execution environment for securing said application, and associated computer program product and computing device | |
| US20050229240A1 (en) | Information processing apparatus, authentication processing program, and authentication storage apparatus | |
| CN105122260A (en) | Context based switching to a secure operating system environment | |
| CN117616389A (en) | Substitution of executable load files in secure elements | |
| CN110990798B (en) | Application program permission configuration method and device, electronic equipment and storage medium | |
| US20090106845A1 (en) | Systems and methods for securing data in an electronic apparatus | |
| CN112015563B (en) | Message queue switching method and device, electronic equipment and storage medium | |
| US10146644B2 (en) | Integrity of transactional memory of card computing devices in case of card tear events | |
| CN118036018A (en) | Method for updating operating system in secure element, related device and storage medium | |
| KR101763184B1 (en) | File recovery method using backup | |
| EP2652661A1 (en) | Method for changing an operating mode of a mobile device | |
| CN115567218A (en) | Data processing method and device of security certificate based on block chain and server | |
| CN103052060A (en) | Method for improving information security of mobile terminal and mobile terminal | |
| US20240289116A1 (en) | Method of updating a software installed on a secure element | |
| US20240241959A1 (en) | Change and recovery of personalization data in a secure element |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |