EP2663946A2 - Method for operating a microprocessor unit, in particular in a mobile terminal - Google Patents
Method for operating a microprocessor unit, in particular in a mobile terminal
- Publication number
- EP2663946A2
- Authority
- EP
- European Patent Office
- Prior art keywords
- operating system
- runtime environment
- microprocessor unit
- secure
- microprocessor
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/22—Microcontrol or microprogram arrangements
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2105—Dual mode as a secondary aspect
Definitions
- Method for operating a microprocessor unit, especially in a mobile terminal
- The invention relates to a method for operating a microprocessor unit, in particular in a mobile terminal, and to a corresponding microprocessor unit and a corresponding mobile terminal.
- A microprocessor unit is to be understood as the entirety of the hardware used to execute the applications, in particular the actual microprocessor and the corresponding memory used to store data.
- If the microprocessor unit is used, for example, in a mobile phone, it is desirable, for protection against eavesdropping, that a secure runtime environment is provided with which the voice call functionality of the mobile phone is enabled. This cannot be achieved by the operating systems currently used in secure runtime environments.
- the object of the invention is therefore to operate a microprocessor unit such that a secure runtime environment is provided with greater functionality than in the prior art.
- The inventive method is used to operate a microprocessor unit which comprises a microprocessor on which a normal runtime environment with a first operating system and a secure runtime environment with a second, secure operating system are implemented.
- the microprocessor unit further includes a RAM memory outside the secure runtime environment into which the first operating system is loaded when executing the normal runtime environment.
- The first operating system is in particular a per se known operating system for a microprocessor unit, for example a mobile telephone operating system if the microprocessor unit is used for a mobile telephone. Examples of such mobile phone operating systems are Android or Symbian, which are used for smartphones and provide a large feature set.
- The inventive method is characterized in that the second operating system is a secure version of the first operating system which, when the secure runtime environment is executed, is loaded into a portion of the RAM memory that is provided for the secure runtime environment.
- the secure version of the first operating system in particular represents a so-called hardened operating system.
- hardening is well known in computer technology and refers to increasing the security of a system, such as a program or operating system, by using only certain software which is necessary for the operation of the system and for which it is guaranteed that it will run correctly taking into account safety aspects.
- In addition to the original first operating system, a second operating system that meets higher security requirements is thus used.
- Although the functionality of the secured or hardened operating system is reduced compared to the original operating system, it is significantly higher than that of a conventional operating system provided for a secure runtime environment (such as MobiCore®), so that more memory is needed.
- this is taken into account by loading the second secure operating system into a RAM memory outside the secure runtime environment, since this memory can be designed substantially larger than an internal RAM memory within the secure runtime environment.
- the second operating system is loaded into a RAM in the form of an OnSoC RAM (System on a Chip).
- An OnSoC RAM is monolithically integrated in one chip together with the other components of the microprocessor unit.
- The microprocessor unit is controlled via a switch with which a user can change between execution of the normal and the secure runtime environment. In this way, the user can determine in which mode he operates the microprocessor unit. If the user uses the microprocessor unit, for example, in a safety-critical environment, he can switch from the first, non-secure operating system to the second, secure operating system.
- the second operating system provides a greater functionality than a conventional secure runtime environment, in which the operating system is loaded into an internal RAM of the secure runtime environment.
- A display unit indicates to the user when the secure runtime environment is being executed, so that the user is always informed in which mode he is currently operating the microprocessor unit.
- The microprocessor unit is provided for a mobile telephone and includes a baseband processor (also referred to as a base-band processor) for processing communication functionalities.
- part of the communication functionalities of the baseband processor are implemented in the second operating system.
- the voice call function or the SMS function or both functions are implemented as communication functionalities of the baseband processor, so that the user can use at least basic functionalities of the mobile telephone.
- The secure runtime environment is realized based on per se known hardware in the form of a so-called ARM TrustZone®.
- Instead of the conventionally used MobiCore® operating system, a secured or hardened operating system, derived from an operating system intended for the normal runtime environment, is now used in the TrustZone.
- the invention further relates to a microprocessor unit, in particular for a mobile terminal, comprising a microprocessor on which a normal runtime environment with a first operating system and a secure runtime environment with a second operating system is implemented, and a RAM memory outside the secured runtime environment in which the first operating system is loaded when the normal runtime environment is executed.
- The microprocessor unit is characterized in that the second operating system is a hardened version of the first operating system and a portion of the RAM memory is provided for the second operating system, into which the second operating system is loaded as part of the execution of the secure runtime environment.
- the microprocessor unit is designed such that one or more of the above-described preferred variants of the method according to the invention can be carried out on the microprocessor unit.
- the invention furthermore relates to a mobile terminal, in particular a mobile telephone, which comprises the microprocessor unit according to the invention or one or more preferred variants of the microprocessor unit according to the invention.
- FIG. 2 shows a realization of a secure runtime environment according to a
- An embodiment of the invention is described below based on a microprocessor unit which is provided for a mobile phone; however, the method can also be used for microprocessor units in other mobile devices.
- Fig. 1 shows the structure of a one-chip system in which a secure runtime environment is implemented in a conventional manner.
- the chip contains the actual microprocessor MP, which is an ARM microprocessor on which, in a manner known per se, a secure runtime environment in the form of a TrustZone is realized, which is designated TZ.
- In FIG. 1 and also in FIG. 2, described below, regions with a secure runtime environment are always shown hatched.
- The per se known MobiCore® operating system is used. Security-critical functions, such as mobile payment applications or other applications that require access to personal, user-specific data, are relocated to the secure runtime environment.
- In the TrustZone TZ, the MobiCore® operating system is loaded into an internal RAM memory within the TrustZone, which is designated IR in Fig. 1.
- The portion of the RAM memory containing the MobiCore® operating system is referenced MC.
- The reference symbol MC will be used below to denote MobiCore®.
- the microprocessor MP also contains a normal runtime environment, which is designated NZ in FIG.
- In the normal zone NZ, the conventional operating system of the microprocessor unit is stored, which has a much larger memory footprint than the MobiCore® operating system.
- In the described embodiment, this operating system is a so-called RichOS with a large range of functions, as is used, for example, in smartphones.
- An example of such an operating system is the mobile telephone operating system Android.
- The RAM memory R is used, which is designed as OnSoC RAM on the chip and which is connected via the known AMBA bus B to the microprocessor MP.
- The conventional richOS operating system is loaded into this RAM.
- The portion of the RAM memory in which the richOS operating system is included is designated by B1. This reference symbol will also be used below to designate the richOS operating system.
- the microprocessor unit of FIG. 1 also contains, in addition to the microprocessor MP, a so-called baseband processor or base band processor BP, with which the communication functionalities of the mobile telephone are realized.
- the baseband processor BP therefore communicates with the SIM / USIM card of the mobile phone as well as the mobile network and possibly also with a microphone.
- A MobiCore® driver D is provided within the normal zone NZ, which triggers the change to the secure runtime environment.
- According to FIG. 1, the internal RAM memory IR is used, which has only a limited storage volume (about 128 kB).
- The functionality of the MobiCore® operating system MC is significantly lower than that of a richOS, which is loaded into the OnSoC RAM memory R, which is designed to be much larger and usually has several MB of storage capacity. Due to the limited functionality of MobiCore®, only safety-critical tasks can be delegated to the secure runtime environment. Thus, no further functionalities of the microprocessor unit can be used when executing the secure runtime environment. This is disadvantageous, because in certain scenarios it is desirable that more functions of the conventional operating system, such as voice call functionality, are also controlled during execution of the secure runtime environment.
- FIG. 2 shows an embodiment of a microprocessor unit according to the invention, with which the above-mentioned problem is solved.
- the microprocessor unit of FIG. 2 comprises a microprocessor MP with a TrustZone TZ and a normal zone NZ.
- A baseband processor BP and the OnSoC RAM memory R are provided.
- The TrustZone is now no longer operated based on the MobiCore® operating system; instead, a hardened variant of the conventional richOS operating system B1 is used for this.
- The hardened operating system, which is designated B2 in Fig. 2, has less functionality than the operating system B1, but now contains many more functions than the pure MobiCore® operating system.
- the term "hardening" has already been described above and refers to the reduction of the functional scope of an operating system thereby increasing its security against attacks by unauthorized third parties.
- the hardened operating system thus provides a reduced functionality compared to the original operating system.
- This hardened operating system B2 is now used in the operation of the TrustZone TZ; however, it is no longer loaded into the internal RAM memory IR for this purpose, but into the OnSoC RAM memory R, because the internal RAM is no longer sufficient for the hardened operating system B2.
- certain communication functionalities of the baseband processor BP are also integrated in the embodiment according to FIG. 2, in particular the voice call functionality of the baseband processor BP. This is indicated by a hatched area within the baseband processor BP.
- the hardened operating system contains the corresponding drivers for communication via the baseband processor BP.
- the microprocessor unit according to FIG. 2 enables the use of both the normal operating system B1 and the hardened operating system B2.
- A TrustZone Protection Controller TP accesses the RAM memory R via the AMBA bus and is configured so that a part of the OnSoC RAM memory R is available exclusively for running the TrustZone TZ.
- Although the security of the OnSoC RAM partitioned by this TrustZone Protection Controller is not as high as that of the internal RAM, it is sufficient to protect a complete hardened operating system.
- The user of the mobile phone is further enabled to switch between the conventional operating system B1 and the hardened operating system B2.
- the microprocessor unit of FIG. 2 also includes a display unit L in the form of an LED, wherein the illumination of the LED signals the user of the mobile telephone that he is in the secure mode in which the hardened operating system is being executed.
- a user of the microprocessor unit or of the corresponding mobile telephone is enabled to select or change between two operating modes of the mobile telephone in one device.
- He can use the mobile phone in the insecure mode based on the operating system B1, where he then has the opportunity to take advantage of current richOS operating systems, such as downloading applications, using GPS for navigation and the like.
- If secure operation of the mobile telephone is required, the user can switch to the secure mode, in which the mobile telephone is operated with the hardened operating system B2. In this case, the user no longer has all the functionalities of the mobile phone available, but the mobile phone is protected against attacks by third parties.
- the functionality of the phone in secure mode is higher.
- the voice call functionality is still ensured by the mobile phone.
- a complete mobile telephone operating system such as the above-mentioned operating system Android.
- The invention is particularly suitable for applications (e.g. in the authorities environment in the case of monitoring attacks) which need more security than a software virtualization based on MobiCore®, but do not necessarily need to use internal RAM for security.
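
The partitioning described for FIG. 2, as an added example that is not part of the patent text: an abstract C model in which part of the OnSoC RAM R is reserved for the TrustZone TZ, the load areas of B1 and B2 are checked against that partition, and normal-world accesses to it are refused. The addresses, sizes, type names and function names are constructed for illustration and do not correspond to real TrustZone Protection Controller registers; refusing the switch to secure mode on an invalid layout is an assumption of the model.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Abstract model only: names, addresses and sizes are constructed for
 * illustration and are not real TrustZone Protection Controller registers. */
typedef enum { WORLD_NORMAL, WORLD_SECURE } world_t;
typedef struct { uint32_t base, size; } region_t;

typedef struct {
    region_t ram;      /* whole OnSoC RAM R */
    region_t secure;   /* part of R reserved for the TrustZone TZ */
    region_t b1_image; /* load area of the rich OS B1 */
    region_t b2_image; /* load area of the hardened OS B2 */
} layout_t;

typedef enum { LAYOUT_OK, ERR_SECURE_OUTSIDE_RAM, ERR_B2_OUTSIDE_SECURE,
               ERR_B1_OUTSIDE_RAM, ERR_B1_OVERLAPS_SECURE } layout_err_t;

typedef struct { world_t world; bool led_on; } unit_t;

/* 64-bit end addresses so that base + size cannot wrap around. */
static uint64_t end_of(region_t r) { return (uint64_t)r.base + r.size; }

static bool contains(region_t outer, region_t inner) {
    return inner.size > 0 && inner.base >= outer.base &&
           end_of(inner) <= end_of(outer);
}

static bool overlaps(region_t a, region_t b) {
    return a.base < end_of(b) && b.base < end_of(a);
}

/* Checks the partitioning before either operating system is loaded. */
layout_err_t validate_layout(const layout_t *l) {
    if (!contains(l->ram, l->secure))      return ERR_SECURE_OUTSIDE_RAM;
    if (!contains(l->secure, l->b2_image)) return ERR_B2_OUTSIDE_SECURE;
    if (!contains(l->ram, l->b1_image))    return ERR_B1_OUTSIDE_RAM;
    if (overlaps(l->b1_image, l->secure))  return ERR_B1_OVERLAPS_SECURE;
    return LAYOUT_OK;
}

/* Bus-side decision: a normal-world access may not touch any byte of the
 * secure partition, including accesses that straddle its lower boundary. */
bool access_allowed(const layout_t *l, world_t w, uint32_t addr, uint32_t len) {
    region_t req = { addr, len };
    if (!contains(l->ram, req)) return false;
    return w == WORLD_SECURE || !overlaps(req, l->secure);
}

/* User-operated switch: secure mode is entered only with a valid layout
 * (model assumption); the LED L mirrors the active mode. */
bool switch_world(unit_t *u, const layout_t *l, world_t target) {
    if (target == WORLD_SECURE && validate_layout(l) != LAYOUT_OK) return false;
    u->world = target;
    u->led_on = (target == WORLD_SECURE);
    return true;
}

/* Constructed sample: 8 MiB RAM, top 2 MiB reserved for the TrustZone. */
layout_t sample_layout(void) {
    layout_t l = {
        .ram      = { 0x80000000u, 0x00800000u },
        .secure   = { 0x80600000u, 0x00200000u },
        .b1_image = { 0x80000000u, 0x00600000u },
        .b2_image = { 0x80600000u, 0x00180000u },
    };
    return l;
}

int main(void) {
    layout_t l = sample_layout();
    unit_t u = { WORLD_NORMAL, false };
    bool switched = switch_world(&u, &l, WORLD_SECURE);
    printf("layout check: %d\n", validate_layout(&l));
    printf("normal world reads B2 area: %d\n",
           access_allowed(&l, WORLD_NORMAL, 0x80600000u, 4));
    printf("switch to secure: %d, LED: %d\n", switched, u.led_on);
    return 0;
}
```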
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Telephone Function (AREA)
- Mobile Radio Communication Systems (AREA)
- Debugging And Monitoring (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
DE102011012226A DE102011012226A1 (de) | 2011-02-24 | 2011-02-24 | Method for operating a microprocessor unit, in particular in a mobile terminal |
PCT/EP2012/000765 WO2012113547A2 (fr) | 2011-02-24 | 2012-02-22 | Method for operating a microprocessor unit, in particular in a mobile terminal |
Publications (1)
Publication Number | Publication Date |
---|---|
EP2663946A2 true EP2663946A2 (fr) | 2013-11-20 |
Family
ID=45922633
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP12711340.5A Withdrawn EP2663946A2 (fr) | 2011-02-24 | 2012-02-22 | Method for operating a microprocessor unit, in particular in a mobile terminal |
Country Status (6)
Country | Link |
---|---|
US (1) | US20140007120A1 (fr) |
EP (1) | EP2663946A2 (fr) |
KR (1) | KR20140027110A (fr) |
CN (1) | CN103477343A (fr) |
DE (1) | DE102011012226A1 (fr) |
WO (1) | WO2012113547A2 (fr) |
Families Citing this family (14)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102011018431A1 (de) | 2011-04-21 | 2012-10-25 | Giesecke & Devrient Gmbh | Method for displaying information on a display device of a terminal |
DE102011115135A1 (de) | 2011-10-07 | 2013-04-11 | Giesecke & Devrient Gmbh | Microprocessor system with secured runtime environment |
FR2998694B1 (fr) | 2012-11-27 | 2016-01-01 | Oberthur Technologies | Electronic module for making a message accessible by a targeted operating system |
FR2998747B1 (fr) * | 2012-11-27 | 2015-01-23 | Oberthur Technologies | Method for routing a message |
US11029997B2 (en) * | 2013-07-15 | 2021-06-08 | Texas Instruments Incorporated | Entering protected pipeline mode without annulling pending instructions |
US9218508B2 (en) * | 2013-09-06 | 2015-12-22 | Getac Technology Corporation | Electronic device and protection method thereof |
DE102014001843B3 (de) * | 2014-02-11 | 2015-05-13 | Giesecke & Devrient Gmbh | Microprocessor system |
FR3019351A1 (fr) * | 2014-03-31 | 2015-10-02 | Orange | Method for secure configuration of an application in a user terminal |
CN105095765B (zh) * | 2014-05-14 | 2018-09-11 | 展讯通信(上海)有限公司 | Mobile terminal and processor system thereof, and a trusted execution method |
GB201408539D0 (en) * | 2014-05-14 | 2014-06-25 | Mastercard International Inc | Improvements in mobile payment systems |
CN105787391B (zh) * | 2014-12-22 | 2019-02-01 | 中国科学院信息工程研究所 | Task-oriented secure operating system based on TrustZone hardware |
CN106211144B (zh) | 2015-04-30 | 2020-06-16 | 华为技术有限公司 | Communication method for a mobile terminal, and mobile terminal |
CN105356998B (zh) * | 2015-09-28 | 2019-06-11 | 宇龙计算机通信科技(深圳)有限公司 | TrustZone-based domain space switching system and method |
US11599375B2 (en) * | 2020-02-03 | 2023-03-07 | EMC IP Holding Company LLC | System and method virtual appliance creation |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5001742A (en) * | 1990-01-29 | 1991-03-19 | At&T Bell Laboratories | Baseband signal processing unit and method of operating the same |
US7058768B2 (en) * | 2002-04-17 | 2006-06-06 | Microsoft Corporation | Memory isolation through address translation data edit control |
JP4423206B2 (ja) * | 2002-11-18 | 2010-03-03 | エイアールエム リミテッド | Processor that switches between secure mode and non-secure mode |
JP2007510198A (ja) * | 2003-10-08 | 2007-04-19 | ユニシス コーポレーション | Para-virtualization of a computer system using a hypervisor implemented in a partition of the host system |
FR2862397A1 (fr) * | 2003-11-13 | 2005-05-20 | St Microelectronics Sa | Secure start-up of an electronic device with SMP architecture |
US20070079111A1 (en) * | 2005-09-30 | 2007-04-05 | Chiu-Fu Chen | Activating method of computer multimedia function |
US7950020B2 (en) * | 2006-03-16 | 2011-05-24 | Ntt Docomo, Inc. | Secure operating system switching |
GB2453518A (en) * | 2007-08-31 | 2009-04-15 | Vodafone Plc | Telecommunications device security |
-
2011
- 2011-02-24 DE DE102011012226A patent/DE102011012226A1/de not_active Withdrawn
-
2012
- 2012-02-22 EP EP12711340.5A patent/EP2663946A2/fr not_active Withdrawn
- 2012-02-22 WO PCT/EP2012/000765 patent/WO2012113547A2/fr active Application Filing
- 2012-02-22 CN CN2012800100634A patent/CN103477343A/zh active Pending
- 2012-02-22 KR KR1020137024123A patent/KR20140027110A/ko not_active Application Discontinuation
- 2012-02-22 US US14/001,361 patent/US20140007120A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
See references of WO2012113547A2 * |
Also Published As
Publication number | Publication date |
---|---|
CN103477343A (zh) | 2013-12-25 |
WO2012113547A2 (fr) | 2012-08-30 |
KR20140027110A (ko) | 2014-03-06 |
US20140007120A1 (en) | 2014-01-02 |
WO2012113547A3 (fr) | 2013-01-03 |
DE102011012226A1 (de) | 2012-08-30 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2663946A2 (fr) | Method for operating a microprocessor unit, in particular in a mobile terminal | |
DE102006001458B4 (de) | Mobile telephone and portable storage device using the same | |
DE112007000101C9 (de) | Method for communicating with a multifunction memory card | |
DE102009013384B4 (de) | System and method for providing a secure application fragmentation environment | |
EP2987350B1 (fr) | Mobile station provided with security resources having different security levels | |
DE112008001656T5 (de) | Adding virtual features via real-world accessories | |
DE102016123744A1 (de) | System on chip with access control unit and mobile device with system on chip | |
DE102011115135A1 (de) | Microprocessor system with secured runtime environment | |
DE102011018431A1 (de) | Method for displaying information on a display device of a terminal | |
DE102011012227A1 (de) | Method for data exchange in a secured runtime environment | |
DE10115729A1 (de) | Versatile boot method for application software of a microcontroller | |
DE10324337B4 (de) | Computer system and associated method for executing a security program | |
EP2698678A2 (fr) | Configuration technique for a control device with applications communicating with one another | |
EP2795934B1 (fr) | Method for communicating with an application on a portable data carrier, and portable data carrier of this type | |
DE10164422A1 (de) | Method and arrangement for writing to NV memories in a controller architecture, and a corresponding computer program product and a corresponding computer-readable storage medium | |
DE102012105093A1 (de) | Secure data storage for vehicle networks | |
EP2895985B1 (fr) | Content administration for a mobile station observing trusted execution technology | |
EP2284809A2 (fr) | Chip card and method for software modification of a chip card | |
EP2189921B1 (fr) | Diagnostic device for connection to a motor vehicle | |
EP2210241B1 (fr) | Data processing device and method for using a data processing device | |
EP2126711B1 (fr) | Data storage device having an additional function | |
DE102013226700A1 (de) | Vehicle electronics unit | |
DE102020209133A1 (de) | Method for secured storage of a data element in an external memory, and interface module | |
DE60116658T2 (de) | Data carrier with additional device | |
WO2006010462A1 (fr) | Method for accessing the firmware of a computer |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase | Free format text: ORIGINAL CODE: 0009012 |
 | 17P | Request for examination filed | Effective date: 20130813 |
 | AK | Designated contracting states | Kind code of ref document: A2 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | STAA | Information on the status of an ep patent application or granted ep patent | Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN |
 | 18W | Application withdrawn | Effective date: 20140319 |