CN1493972A - Product image designing method of network equipment supporting software safety on line upgrade - Google Patents
Product image designing method of network equipment supporting software safety on line upgrade Download PDFInfo
- Publication number
- CN1493972A CN1493972A CNA031602312A CN03160231A CN1493972A CN 1493972 A CN1493972 A CN 1493972A CN A031602312 A CNA031602312 A CN A031602312A CN 03160231 A CN03160231 A CN 03160231A CN 1493972 A CN1493972 A CN 1493972A
- Authority
- CN
- China
- Prior art keywords
- module
- production image
- network equipment
- map
- vxworks
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Stored Programmes (AREA)
- Information Transfer Between Computers (AREA)
Abstract
On the basis of the on-line programming power of network processor and the on-line security mechanism of software, the VxWorks product map supporting the on-line upgrade of software is configured for the network device based on network processor IXP1200 and VxWorks operating system. It can support the multi-CPU network processor and on-line upgrade of software, fully use the programming power of the network processor, and ensure the software security.
Description
Technical field
The present invention relates to the computer network communication technology field, particularly a kind of production image method for designing of the network equipment of support software safety on-line upgrade.
Background technology
Based on generic processor architectures with based on ASIC/RSIC (ASIC, ApplicationSpecific Integrated Circuit, special IC; RSIC, Reduced InstructSet Compute, reduced instruction set computer calculates) architecture is two kinds of main fluid architecture of the network equipment.The former can software programming, and dirigibility is good, but the network processes poor performance; The latter adopts the ASIC hardware technology, very flexible, but the network processes performance is good.The network equipment designing technique of processor Network Based is the core technology of next generation network.Network processing unit is a kind of special processor of network-oriented packet transaction, has software programming ability and hardware optimization performance, and compatible future network is to equipment dirigibility, high performance requirement.
Network development brings tremendous influence to network edge device: at first require the network processes performance of network edge device significantly to improve; Secondly network edge device is progressively transferred in the network service of legacy network terminal and network core enforcement, and the variation development of procotol and network application is very fast, and these factors require network edge devices to have the network service in-line upgrading ability.In this case, have only the employing network processing unit, could make up the next generation network edge device that satisfies network demand.
Vxworks operating system is a kind of embedded OS of main flow, obtains widespread use in a lot of fields.Vxworks operating system need be made corresponding module at the different hardware mainboard of user's design and revise, and combines with user application then, forms binary file, is referred to as the VxWorks production image.Design about the VxWorks production image allows the design engineer have a headache always, and typical VxWorks production image design is primarily aimed at the hardware mainboard that constitutes based on single 32 bit CPUs (CPU, Central Processing Unit, central processing unit).The hardware platform that adopts network processing unit to constitute then is distinct hardware architecture.Compare with typical VxWorks production image design based on single cpu, in VxWorks production image when design at the hardware platform of design processor Network Based, need to consider following new problem: how to allow the VxWorks production image support network processing unit based on multi-CPU structure; How to make full use of network processing unit online programming ability, make up the VxWorks production image of support software online upgrading; How to ensure the security of on-line software updating process.
The inventive method is at the network device hardware platform based on the IXPl200 network processing unit, final key sport technique segment with regard to network equipment development---VxWorks production image design proposes a kind of VxWorks production image method for designing of supporting IXP1200 network processing unit, support software online upgrading, ensureing on-line software updating safety.This method is applied in the network equipment of reality development.
Summary of the invention
The object of the present invention is to provide a kind of production image method for designing of the network equipment of support software safety on-line upgrade.
A kind of production image method for designing of the network equipment of support software safety on-line upgrade is characterized in that making full use of network processing unit online programming ability, by software safety on line security mechanism, makes up the VxWorks production image of support software online upgrading.Technical solution of the present invention is as follows:
Make full use of network processing unit online programming ability,, make up the VxWorks production image of support software online upgrading by software safety on line security mechanism.
Production image is divided into two parts, is kept at different local; Be divided into direct product map module and comprise the network equipment and use, can download the production image module of execution; Direct product map module is kept on the Flash chip, and the production image module that can download execution is kept at ftp server; To comprise the network equipment by direct product map module and use, can download the production image module process network download of execution to equipment and execution.
Comprise the secure file download module in direct product map module, this module realizes following effect: the authentication key by sharing, connect authentication between the ftp server and the network equipment, and pretend to be attack to prevent identity; After authentication, all interactive information are all carried out encipherment protection by traffic encryption key and the block encryption algorithm of sharing between the ftp server and the network equipment, prevent that the production image file transfer that can download execution from divulging a secret.
To link by compilation tool and generate an application target module with micro engine microcode map module, the StrongARM nuclear run time version module that network equipment application function is closely related, adopt the static linkage method with application target module and vxworks operating system link then, generate the production image file that to download execution; Upgrade this document by network, realize the software upgrading of networking products.
The application module that utilizes vxworks operating system to provide automatically performs DLL (dynamic link library), and the application module in the vxworks operating system core internal memory is called in programming---StrongARM nuclear run time version module and micro engine microcode map module; Utilize microcode downloader DLL (dynamic link library), realize the download and the execution of microcode map.
Call relation is as follows automatically between each software module of production image of the present invention: after the network equipment powers up, StrongARM nuclear automatically performs the direct product map that is arranged in the Flash chip, get through safe confidential corespondence channel by the secure file download module in this map, after the production image that can download execution downloads to internal memory from ftp server; Directly move this map then, automatically perform DLL (dynamic link library) by the application that provides in the OS module, call StrongARM nuclear run time version module, micro engine microcode map module downloads to micro engine and carries out the most at last.
1, general introduction
The network device architecture that the present invention relates to is as follows: select vxworks operating system for use, with the IXP1200 network processing unit is core processing unit, with Flash chip (Flash chip, can preserve the storage chip of memory contents after a kind of outage) as storage unit, the VxWorks production image of generation is kept in Flash chip and the ftp server.At this network device architecture design, propose to support IXP1200 network processing unit, the VxWorks production image method for designing of support software safety on-line upgrade.
The IXP1200 network processing unit adopts many CPU core structure, and computing unit examines (StrongARM nuclear, a kind of 32 CPU processor) by a StrongARM and six micro engines are formed, and each micro engine comprises 4 separate hardware threads.StrongARM nuclear and six micro engine shared drives and bus resource have equal opportunities.The application program of IXP1200 network processing unit is made up of two modules: StrongARM nuclear run time version module and micro engine microcode map module.StrongARM nuclear run time version module is responsible for agreement controlling layer and micro engine management.Micro engine microcode map module is responsible for the high-speed data packets of data plane and is handled.
The VxWorks production image generally includes BSP (BSP, Board Support Packet, plate support package) module, OS (OS, Operation System, operating system) module, application module.At the IXP1200 network processing unit, application module can be divided into StrongARM nuclear run time version module and micro engine microcode map module again.
2, technical essential design
2.1 VxWorks map type design
The Integrated Development Environment of vxworks operating system generates and can generate four types VxWorks map: VxWorks Boot map, VxWorks Downloadable map, ROM-Resident map, ROM-Based map.This method generates two kinds of maps (part) by the Integrated Development Environment of VxWorks: VxWorks Boot map and VxWorks Downloadable map.These two kinds of VxWorks maps are kept at different local: direct product map module piece VxWorks Boot map is kept on the Flash chip, comprise production image module VxWorks Downloadable map network equipment application function, that can download execution and be kept at (FTP on the ftp server, FileTransfer Protocol, file transfer protocol (FTP)).
After the network equipment powered up, StrongARM nuclear automatically performed the VxWorks Boot map that is arranged in the Flash chip, gets through the Network Transmission escape way by this map.By this Network Transmission escape way, VxWorks Downloadable map downloaded to Installed System Memory from ftp server after, directly move this map then.
2.2 VxWorks application module link
Micro engine microcode map module and StrongARM nuclear run time version module all belong to application module from the vxworks operating system view.Vxworks operating system provides the static linkage pattern and the dynamic link pattern of application module.This method is selected the static linkage pattern, at first micro engine microcode map module and StrongARM nuclear run time version module are generated an application target module by the compilation tool link, adopt the static linkage method that application target module, BSP module, OS Module Links are generated a VxWorks Downloadable map then.
In this manner, the invoked procedure of application target module is as follows: VxWorks Boot map downloads to internal memory with VxWorks Downloadable map from ftp server, the application module that utilizes VxWorks to provide then automatically performs DLL (dynamic link library), directly the application module in the call operation system core internal memory---StrongARM nuclear run time version module and micro engine microcode map module.
2.3 the VxWorks application module automatically performs
Be based on design of the VxWorks production image of IXP1200 network processing unit and main difference: except micro engine microcode map module being statically linked to vxworks operating system based on the typical VxWorks production image design of single 32 bit CPUs, also microcode must be downloaded to micro engine, and start execution.In the microengine code debug process, be responsible for download, the execution management work of microcode by the microcode developing instrument.In the VxWorks production image design phase, must solve the microcode operational management of micro engine.
The micro engine management DLL (dynamic link library) that provides in the StrongARM nuclear Software Development Library is provided, just can be realized the download and the execution of microcode map.The microcode operational management module of micro engine is carried out as follows: microcode downloader library initialization, micro engine initialization, microcode image file are written into internal memory, stop the micro engine thread, the microcode map writes micro engine, activate micro engine and corresponding port, release microcode object indexing.
This method proposes: the application module that utilizes VxWorks Downloadable map to provide automatically performs DLL (dynamic link library), at first call the relevant initialization function in the StrongARM nuclear run time version module, dispose the initialization context of micro engine micro code program operation, carry out the microcode operational management module of micro engine then.
2.4 on-line software updating security mechanism design
Owing to comprised micro engine microcode map module and StrongARM nuclear run time version module in the VxWorks Downloadable map; belong to the core processing software module; so during from ftp server download VxWorks Downloadable map; should take safety protecting mechanism, prevent that transmission in the network service from divulging a secret and palm off the identity upgrading.
The on-line software updating secure scheme is made up of following components:
(1) shared secret is to generating
For the unique device identification numbering of each devices allocation, generate a set of cipher key simultaneously.Comprise two keys in the set of cipher key, authentication key, traffic encryption key.The authentication key is used for ftp server verifying apparatus identity; Traffic encryption key is used for all groupings of communication process are encrypted.Corresponding one by one between set of cipher key, device identification numbering, the equipment.Authentication, transmission are encrypted and are adopted unified block encryption algorithm.
(2) authentication
When connecting between equipment and the ftp server, ftp server utilizes the three-way handshake agreement that equipment is carried out authentication.When equipment after ftp server sends authentication request, beginning three-way handshake authentication: after the ftp server authentication request, transmit a random number to equipment; Equipment is encrypted this random number with the authentication key of sharing, and will encrypt back result and device identification numbering then and send to ftp server; Ftp server is numbered according to device identification, searches the set of cipher key of equipment, checks this result with the authentication secret key decryption of sharing, and sends authentication success or failure to the client.Cryptographic algorithm adopts block encryption algorithm.
(3) VxWorks Downloadable image file is downloaded
The authentication of receiving ftp server when equipment is by after the message, and the traffic encryption key that all communications all will adopt both sides to share between equipment and the ftp server carries out encipherment protection, sets up safe confidential corespondence channel between equipment and ftp server.Should contain unencrypted device identification number information in the enciphered data message, select the traffic encryption key of relevant device that the encrypt data that equipment sends is decrypted for ftp server.VxWorks Downloadable map downloads to equipment by safety confidential corespondence channel from ftp server.
3, realize technical scheme
Technical essential realizes on the analysis foundation in front, but the inventor thinks and comprises following key element and step thereof based on IXP1200 network processing unit, VxWorks production image implementation method with safety guarantee online upgrading:
● the Integrated Development Environment by VxWorks generates two kinds of maps: VxWorks Boot map and VxWorks Downloadable map.VxWorks Boot map is kept on the Flash chip.VxWorks Downloadable map is kept on the ftp server.
● secure file download module design: generate the shared secret key in advance; The authentication key of ftp server by sharing finished the connection authentication to the network equipment, prevents that identity from pretending to be attack; After authentication, all interactive information are all carried out encipherment protection by traffic encryption key and the block encryption algorithm of sharing between the network ftp server and the network equipment, prevent that the transmission of VxWorks Downloadable map from divulging a secret.The secure file download module is included in VxWorks Boot map.
● VxWorks Downloadable map generates: at first micro engine microcode map module and StrongARM nuclear run time version module are generated the application target module by the compilation tool link, adopt the static linkage method that BSP module, the OS Module Links of application target module and VxWorks are generated a VxWorks Downloadable map then.
● utilize VxWorks to provide application module to automatically perform DLL (dynamic link library), directly call the application module in the vxworks operating system core internal memory---StrongARM nuclear run time version module and micro engine microcode map module.
● utilize microcode downloader DLL (dynamic link library), realize the download and the execution of microcode map.The microcode operational management module of micro engine is carried out as follows: microcode downloader library initialization, micro engine initialization, microcode image file are written into internal memory, stop the micro engine thread, the microcode map writes micro engine, activate micro engine and corresponding port, release microcode object indexing.
● each calling software module relation of production image of the present invention is as follows: after the network equipment powers up, StrongARM nuclear automatically performs the VxWorks Boot map that is arranged in the Flash chip, get through safe confidential corespondence channel by the secure file download module in this map, VxWorks Downloadable map is downloaded to internal memory from ftp server after; Directly move this map then.Automatically perform DLL (dynamic link library) by the application that provides in the OS module, call StrongARM nuclear run time version module, micro engine microcode map module downloads to micro engine and carries out the most at last.
4, conclusion
The present invention is a kind of support software safety on-line upgrade, based on the VxWorks production image method for designing of IXP1200 network processing unit.Typical VxWorks production image design is primarily aimed at the hardware mainboard that constitutes based on single 32 bit CPUs.The hardware platform that adopts network processing unit to constitute then is distinct hardware architecture.In VxWorks production image when design at the hardware platform of design processor Network Based, need to consider following new problem: how to allow the VxWorks production image support network processing unit based on multi-CPU structure; How to make full use of network processing unit online programming ability, make up the VxWorks production image of support software online upgrading; How to ensure the security of on-line software updating process.This method has comprehensively solved above-mentioned three technical matterss, and has been applied in real network equipment at the network equipment based on IXP1200 network processing unit and vxworks operating system.Technical field of the present invention is a computer network communication.
Claims (6)
1, a kind of production image method for designing of the network equipment of support software safety on-line upgrade, it is characterized in that, make full use of network processing unit online programming ability,, make up the VxWorks production image of support software online upgrading by software safety on line security mechanism.
2, according to the production image method for designing of the network equipment of claim 1 support software safety on-line upgrade, it is characterized in that, wherein production image is divided into two parts, be kept at different local; Be divided into direct product map module and comprise the network equipment and use, can download the production image module of execution; Direct product map module is kept on the Flash chip, and the production image module that can download execution is kept on the ftp server; To comprise the network equipment by direct product map module and use, can download the production image module process network download of execution to equipment and execution.
3, according to the production image method for designing of the network equipment of claim 1 support software safety on-line upgrade, it is characterized in that, comprise the secure file download module in direct product map module, this module realizes following effect: the authentication key of ftp server by sharing, finish connection authentication, prevent that identity from pretending to be attack the network equipment; After authentication, all interactive information are all carried out encipherment protection by traffic encryption key and the block encryption algorithm of sharing between the ftp server and the network equipment, prevent that the production image file transfer that can download execution from divulging a secret.
4, according to the production image method for designing of the network equipment of claim 1 support software safety on-line upgrade, it is characterized in that, to link by compilation tool and generate an application target module with micro engine microcode map module, the StrongARM nuclear run time version module that network equipment application function is closely related, adopt the static linkage method with application target module and vxworks operating system link then, generate the production image file that to download execution; Upgrade this document by network, realize the software upgrading of networking products.
5, according to the production image method for designing of the network equipment of claim 1 support software safety on-line upgrade, it is characterized in that, utilize vxworks operating system to provide application module to automatically perform DLL (dynamic link library), the application module in the vxworks operating system core internal memory is called in programming---StrongARM nuclear run time version module and micro engine microcode map module; Utilize microcode downloader DLL (dynamic link library), realize the download and the execution of microcode map.
6, according to the production image method for designing of the network equipment of claim 1 support software safety on-line upgrade, it is characterized in that, the automatic call relation of each intermodule of production image of the present invention is as follows: after the network equipment powers up, StrongARM nuclear automatically performs the direct product map that is arranged in the Flash chip, get through safe confidential corespondence channel by the secure file download module in this map, after the production image that can download execution downloads to internal memory from ftp server; Directly move this map then, automatically perform DLL (dynamic link library) by the application that provides in the OS module, call StrongARM nuclear run time version module, micro engine microcode map module downloads to micro engine and carries out the most at last.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 03160231 CN1209705C (en) | 2003-09-28 | 2003-09-28 | Product image designing method of network equipment supporting software safety on line upgrade |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 03160231 CN1209705C (en) | 2003-09-28 | 2003-09-28 | Product image designing method of network equipment supporting software safety on line upgrade |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1493972A true CN1493972A (en) | 2004-05-05 |
| CN1209705C CN1209705C (en) | 2005-07-06 |
Family
ID=34240954
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 03160231 Expired - Fee Related CN1209705C (en) | 2003-09-28 | 2003-09-28 | Product image designing method of network equipment supporting software safety on line upgrade |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1209705C (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2011020264A1 (en) * | 2009-08-21 | 2011-02-24 | 中兴通讯股份有限公司 | Method and apparatus for upgrading mirror image |
| CN101816004B (en) * | 2007-10-02 | 2013-11-20 | 国际商业机器公司 | Secure policy differentiation by secure kernel design |
-
2003
- 2003-09-28 CN CN 03160231 patent/CN1209705C/en not_active Expired - Fee Related
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101816004B (en) * | 2007-10-02 | 2013-11-20 | 国际商业机器公司 | Secure policy differentiation by secure kernel design |
| WO2011020264A1 (en) * | 2009-08-21 | 2011-02-24 | 中兴通讯股份有限公司 | Method and apparatus for upgrading mirror image |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1209705C (en) | 2005-07-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN110532735B (en) | Firmware upgrading method | |
| US9589154B2 (en) | Programming on-chip non-volatile memory in a secure processor using a sequence number | |
| US11921905B2 (en) | Secure collaboration between processors and processing accelerators in enclaves | |
| EP3695587B1 (en) | Providing secure communications between a host system and a data processing accelerator | |
| US7360097B2 (en) | System providing methodology for securing interfaces of executable files | |
| CN101019369B (en) | Method of delivering direct proof private keys to devices using an on-line service | |
| US8959659B2 (en) | Software authorization system and method | |
| WO2009051471A2 (en) | Trusted computer platform method and system without trust credential | |
| CN100492248C (en) | Authentication of control units in vehicle | |
| EP1325411A2 (en) | Methods of providing java tamperproofing | |
| US11947681B2 (en) | Cryptographic secret generation and provisioning | |
| CN1863038A (en) | Method of implementing control and management of applied program in terminal apparatus | |
| CN111431718B (en) | TEE expansion-based computer universal security encryption conversion layer method and system | |
| CN111310213A (en) | Service data protection method, device, equipment and readable storage medium | |
| CN1808456A (en) | Method of adding trusted platform on portable terminal | |
| CN110138557A (en) | Data processing equipment and data processing method | |
| US7281132B2 (en) | Using token-based signing to install unsigned binaries | |
| US11432156B2 (en) | Security unit for an IoT device and method for running one or more applications for the secured exchange of data with one or more servers which provide web services | |
| CN110138556A (en) | Data processing equipment and data processing method | |
| CN1209705C (en) | Product image designing method of network equipment supporting software safety on line upgrade | |
| CN114666368B (en) | Access control method, device, equipment and storage medium of electric power Internet of things | |
| CN1808457A (en) | Portable trusted platform module supporting remote dynamic management | |
| CN115001744A (en) | Cloud platform data integrity verification method and system | |
| Pop et al. | Towards securely migrating webassembly enclaves | |
| CN111400701A (en) | Public financial system for processing data at high speed |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant | ||
| EE01 | Entry into force of recordation of patent licensing contract |
Assignee: Beijing Zhongke Jingshang Technology Co., Ltd. Assignor: Institute of Computing Technology, Chinese Academy of Sciences Contract record no.: 2011110000143 Denomination of invention: Product image designing method of network equipment supporting software safety on line upgrade Granted publication date: 20050706 License type: Exclusive License Open date: 20040505 Record date: 20110823 |
|
| EC01 | Cancellation of recordation of patent licensing contract |
Assignee: Institute of Computing Technology, Chinese Academy of Sciences Assignor: Beijing Zhongke Jingshang Technology Co., Ltd. Contract record no.: 2011110000143 Date of cancellation: 20120711 |
|
| EM01 | Change of recordation of patent licensing contract | ||
| EM01 | Change of recordation of patent licensing contract |
Change date: 20181212 Contract record no.: 2011110000143 Assignee after: Beijing Zhongke Polytron Technologies Inc Assignee before: Beijing Zhongke Jingshang Technology Co., Ltd. |
|
| CF01 | Termination of patent right due to non-payment of annual fee | ||
| CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20050706 Termination date: 20190928 |