Method and device for embedded systems, in particular reconfigurable mobile radio terminals, with loadable software modules
The invention relates to a method and a device for embedded systems with loadable software modules, in particular reconfigurable mobile devices, but also so-called appliances such as MP3 players, automatic controllers, etc.
These loadable software modules primarily concern the implementation of programmable transceivers, the implementation of operating software or the modification of other parts of the functionality of the device, but also the implementation of application software, if it has an impact on the functioning of the respective network.
Mobile terminals with software-programmable transceivers, so-called "Software Defined Radio" (SDR) terminals, allow a significant change in those properties of the terminals that are relevant to the operation of mobile networks. The programmability of the transceiver and the associated functions affects properties of the terminal that are subject to the requirements of the regulatory authorities and are of importance to the network management of operators of mobile networks. The flexibility achieved by reconfigurable transceivers allows such extensive changes that the proper functioning of the device after software changes can no longer be ensured solely by the design of the device. In particular, compliance with the requirements of regulatory authorities and radio standards is affected, which is of crucial importance for the operating license of the terminals. However, such reconfigurable terminals should continue to allow the modification of their functionality, so that the user can enjoy the significant advantage of SDR technology in full.
Within the permissible framework conditions, such as conditions of the regulatory authority, reconfigurable terminals can be programmed with behaviors that run counter to the interests of the network operator or the service provider, for example when mode switching decision algorithms are used which are not compatible with an orderly network administration. If the interests of the network operator are not taken into account, or only insufficiently, in such algorithms, efficient management of radio resources is no longer possible.
Another aspect when dealing with software modules that are to be used on the terminal is that software modules which are actually approved and meaningful in conjunction with the terminal type still cannot be activated under certain circumstances, because either the behavior of the software does not comply with the requirements of a network operator or service provider or even counteracts them, or the terminal has changed since the software was downloaded, e.g. by installing a new firmware version, and is thereby no longer compatible with the software module in question.
For application software these aspects play only a minor role, since it normally has little influence on the functionality of the network. For operating software of the terminal, e.g. protocol stacks, decision algorithms for mode switching or firmware updates, these issues are of paramount importance.
The object underlying the invention is to specify a method and a device for embedded systems, in particular reconfigurable mobile radio terminals, with loadable software modules such that activation of critical software modules is possible only if all parties affected by the functionality of the module, e.g. network operators and device manufacturers, have agreed, and such that this approval takes place, as far as possible, without lengthy processes and manual intervention.
The object is achieved according to the invention with respect to the method by the features of claim 1 and with respect to the device by the features of claim 7. The further features relate to advantageous embodiments of the method according to the invention.
The invention consists essentially in a method and/or a device for embedded systems, in particular reconfigurable mobile radio terminals, with loadable software modules, in which, with the aid of a system loader, an interface allocation database and authorization modules acting as representatives of the relevant parties (device manufacturers, mobile radio operators or service providers), the affected authorization modules are determined. Each of these then checks a signature of the software module to be newly activated against the permission criteria specified in that authorization module and issues a respective activation permission. The system loader provides the software module to be newly activated with interface information and activates it, provided that all affected authorization modules have granted an activation permission. Advantages here are, for example, that activation takes place on the basis of the current terminal configuration, that no third instance is required for the check, and that the relevant parties need not be defined in the software module itself. When deciding on the activation, criteria that depend on different networks can also be used, so that the requirements of network operators who are not direct contractual partners of the customers can also be taken into account.
The invention will now be explained in more detail, in the form of a mobile station, with reference to a drawing.
The drawing shows a reconfigurable mobile device with software modules MA..MC and a software module MD to be newly activated, wherein an interface S1 exists between the modules MA and MC, an interface S2 between the modules MB and MC, and a new interface S3 between the modules MD and MC.
The reconfigurable mobile terminal also has a device with a so-called system loader SL, an interface mapping database (Interface Mapping Database) DB and so-called authorization modules AM1..AM3. The system loader SL controls the activation of applications / software modules and has the authorization modules AM1..AM3 check whether a particular software module may be activated.
An essential criterion for this check is the interfaces S3 used by a software module to be newly activated, e.g. interfaces to libraries and components. A further criterion, however, can also be parameters that affect the functionality of the software module to be newly activated itself.
For every interface S1 ... S3 it is defined which authorization modules must agree. The system loader can determine from the list of interfaces used which authorization modules are to be consulted. For this purpose there is the interface assignment database DB, which contains, for each interface, the information on which authorization modules AM1, ..., AM3 have to agree.
Authorization modules can be present several times and each act as a representative of particular parties, e.g. device manufacturers, mobile operators or service providers, which is indicated here by way of example by the three authorization modules AM1, .., AM3. Depending on the security requirements placed on the system, such an authorization module may be implemented as a hardware module or as a software module.
To check the authorization, the system loader SL transmits the interface description or the signature of the software module MD to be loaded to the respective authorization module. The authorization module answers with the selection of the interfaces that the system loader is to make available to the respective software module. In this way an individual selection of access to operating system functions and other modules, specially defined for each software module, is created. Thus, a module can only access interfaces if the parties concerned have agreed through the associated authorization modules.
If the authorization module is implemented as a hardware component, it can be, for instance, a SIM card acting for the home network operator or a hardware component analogous to the SIM card (Equipment Identity Module) acting on behalf of the terminal manufacturer.
Parties such as service providers or even foreign network operators can provide authorization modules implemented in software, which are installed on the terminal as needed and activated by the system loader after appropriate authorization.
The task of the examining authorization module is, at the request of the system loader SL, to check the consistency of software configurations, or of software and hardware configurations, with the demands of the party whose interests it represents, and to inform the system loader SL of the result of this check. Between the system loader and the hardware or software modules there must be a trust relationship, which is established through the secure exchange of authentication features.
The authorization components can obtain the information needed for the check either from their own database DB on the device or, in order to always be up to date, via the mobile network from a database server. It makes sense to hold frequently required data, such as data for frequently used software modules, on the device in order to keep the check time low. Data for rarely used modules can be obtained via the mobile network as needed. In addition, the data on the device can be updated via the mobile network.
Another function of the data update via a radio interface is the following:
When logging into a new network, network-specific authorization requests are transmitted to the responsible module, which in this way can take into account the particular rules of the network used.
Authorization modules are also able to store the information thus obtained internally in order to reduce the communication effort. Such data can be given a time-limited validity and, if necessary, be invalidated prematurely by notifications. In this way new findings, such as the discovery of serious errors in a software module, can be taken into account. If authorization is denied for such reasons, a corresponding error message must be provided to the user, which points to alternatives (newer version, update, etc.).
The course of the method according to the invention is typically as follows:
The system loader SL determines which interfaces S3 are to be addressed by the software module MD to be activated. This can be done, for example, with the help of a link list. On the basis of the information in the interface allocation database DB, the authorization modules concerned, here for example the authorization modules AM1 and AM2, are determined from the totality of the existing authorization modules AM1 .. AM3. The authorization modules selected in this way subsequently receive an interface description or a signature of the module MD to be activated and decide, on the basis of the criteria available to them, whether the module may be activated. Only if all affected authorization modules, here e.g. the authorization modules AM1 and AM2, agree does the system loader SL make information about the interfaces S3 available to the software module MD to be activated and activate it; in all other cases, the activation is denied.
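The sequence just described can be sketched as follows. This is an added illustration, not code from the patent document: the Python names, the device type string, the excluded module "MX" and the DB entries for S1 and S2 are assumptions, and an HMAC stands in for the signature scheme, which the text does not specify.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

VENDOR_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for a real signature scheme
def sign(image: bytes) -> bytes:
    return hmac.new(VENDOR_KEY, image, hashlib.sha256).digest()

@dataclass
class Module:
    name: str
    image: bytes
    interfaces: tuple
    signature: bytes

@dataclass
class AuthorizationModule:
    approved: set                               # modules this party has approved
    device_types: set                           # device types this party accepts
    excluded: set = field(default_factory=set)  # modules that must not be active alongside

    def permits(self, mod, device_type, active):
        # Identity first: a module with a bad signature is never evaluated further.
        if not hmac.compare_digest(mod.signature, sign(mod.image)):
            return False
        return (mod.name in self.approved and device_type in self.device_types
                and not self.excluded & set(active))

def activate(mod, db, ams, device_type, active):
    """System loader SL: return interface information on unanimous approval, else None."""
    affected = set()
    for iface in mod.interfaces:
        if iface not in db:      # interface unknown to DB: fail closed
            return None
        affected |= db[iface]
    for name in sorted(affected):
        am = ams.get(name)
        if am is None or not am.permits(mod, device_type, active):
            return None
    return {"interfaces": list(mod.interfaces), "approved_by": sorted(affected)}

# Constructed sample data: interface allocation database DB and three authorization modules.
DB = {"S1": {"AM1"}, "S2": {"AM1", "AM3"}, "S3": {"AM1", "AM2"}}
AMS = {
    "AM1": AuthorizationModule({"MD"}, {"sdr-phone"}),
    "AM2": AuthorizationModule({"MD"}, {"sdr-phone"}, excluded={"MX"}),
    "AM3": AuthorizationModule(set(), {"sdr-phone"}),  # would refuse MD, but S3 does not involve it
}
MD = Module("MD", b"module-md-v1", ("S3",), sign(b"module-md-v1"))
```

Because the decision is taken against the list of currently active modules at activation time, the same module MD can be accepted in one terminal configuration and refused in another.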
In doing so, authorization modules can take various criteria into account in order to decide on the admissibility of the activation. The identity of the software module is checked by verifying the signature. Once the identity is verified, the authorization module can check whether the use of the software module has been approved by the party for whom it acts.
In addition, further authorization rules can determine whether the activation is carried out. Criteria are: device type, version of other software modules used, and exclusion lists, i.e. no activation with the simultaneous presence of certain other modules.
- 1. The consistency of a configuration is always checked when a module is activated, based on the current configuration of the terminal. Methods that check a software module only at software download cannot offer this.
- 2. Parties such as network operators and terminal manufacturers can participate in the verification process through their representatives in the form of the authorization modules and need not delegate this task to a third party. This ensures that the decisions are made by an entity that has the trust of the interested party and whose decisions can be determined by the party concerned. The elaborate realization of systems that consolidate the interests of multiple stakeholders can be avoided. The task of obtaining the approval of the stakeholders falls to the manufacturer of the software module, who must create the appropriate conditions.
- 3. Authorization modules entrusted with verification can hold the information they need for the check either in their local store or, if necessary, load it from a database on the network. In this way it is ensured that an optimum can be found between how current the information is and the efficiency of the check process.
- 4. The authorization modules can be implemented both as hardware components (more secure variant) and as software components (more flexible variant).
- 5. Authorized modules only get access to the interfaces released to them. This ensures that all relevant authorization modules are consulted as representatives of the respective parties, without the list of relevant parties having to be defined in the software module itself.
- 6. When deciding on the activation of a module, a wide variety of criteria can be used, for example depending on different networks. In this way, the requirements of network operators who are not direct contractual partners of the customer (e.g. in the visited network) can also be taken into account.