JP2016015020A - Microcomputer and security setting system - Google Patents


Info

Publication number
JP2016015020A
Authority
JP
Japan
Prior art keywords
security
software
setting flag
setting
microcomputer
Prior art date
Legal status
Granted
Application number
JP2014136749A
Other languages
Japanese (ja)
Other versions
JP6298732B2 (en)
Inventor
Kazuhiro Uehara (上原 一浩)
Kenji Sugashima (菅島 健司)
Yuzo Harada (原田 雄三)
Yusuke Sato (佐藤 雄介)
Current Assignee
Denso Corp
Toyota Motor Corp
Original Assignee
Denso Corp
Toyota Motor Corp
Priority date
2014-07-02
Filing date
2014-07-02
Publication date
2016-01-28
Application filed by Denso Corp, Toyota Motor Corp
Priority to JP2014136749A
Publication of JP2016015020A
Application granted
Publication of JP6298732B2
Legal status: Active

Landscapes

  • Stored Programmes (AREA)
  • Microcomputers (AREA)

Abstract

PROBLEM TO BE SOLVED: To switch a security function between enabled and disabled appropriately according to the stage at which reprogramming is performed.
SOLUTION: Security setting flags 5 and 6 are provided in a rewritable area 3 and a non-rewritable area 4, respectively, of a nonvolatile memory 2 of a microcomputer 1, and the security function is enabled or disabled according to the values of the two flags. During reprogramming in development, flag 6 in the non-rewritable area 4 is set OFF and flag 5 in the rewritable area 3 is switched between ON and OFF, which enables or disables the security function. During reprogramming in mass production, flag 6 in the non-rewritable area 4 is set ON (fixed ON), so the security function stays enabled regardless of flag 5.

Description

The present invention relates to a microcomputer with a built-in nonvolatile memory that has a rewritable area, in which software is rewritten during reprogramming, and a non-rewritable area, which cannot be rewritten once software has been written to it, and to a security setting system that configures the security function of such a microcomputer.

Microcomputers have conventionally been provided with a built-in nonvolatile memory that has a rewritable area, in which software is rewritten during reprogramming ("repro"), and a non-rewritable area, which cannot be rewritten once software has been written to it. Such a microcomputer holds a security setting flag for configuring its security function inside the nonvolatile memory, and the security function is enabled or disabled according to the value of that flag. In a microcomputer that holds the flag in the rewritable area, setting the flag OFF at rewrite time allows the software to be rewritten in plaintext, so reprogramming during mass production raises a security concern. In a microcomputer that holds the flag in the non-rewritable area, once the flag has been set ON at rewrite time it can no longer be changed to OFF, so that concern does not arise; however, in development, where software is rewritten frequently for debugging, plaintext reprogramming for evaluation becomes impossible once the unit has been reprogrammed with ciphertext. As a result, when evaluating ciphertext reprogramming of software variants that share the same hardware but target different destinations, one hardware unit must be prepared per destination. Separately, Patent Document 1 discloses a technique for encrypting data.

JP 2013-201510 A

However, the technique disclosed in Patent Document 1 does not solve the problems described above: the security weakness of reprogramming during mass production, and the inability to switch the security function between enabled and disabled during reprogramming in development.

The present invention was made in view of these circumstances. Its object is to provide a microcomputer and a security setting system that can switch the security function between enabled and disabled appropriately according to the stage at which reprogramming is performed.

According to the invention of claim 1, in the nonvolatile memory built into the microcomputer, a security setting flag for the rewritable area is provided in the rewritable area, where software is rewritten during reprogramming, and a security setting flag for the non-rewritable area is provided in the non-rewritable area, which cannot be rewritten once software has been written to it. That is, each of the rewritable area and the non-rewritable area has its own security setting flag, and the security function is switched between enabled and disabled according to the set values of both flags.

Consequently, during reprogramming in development, the security setting flag in the non-rewritable area is set OFF, and the security function is enabled or disabled by switching the flag in the rewritable area between ON and OFF. For example, early in development, when the software to be written is supplied in plaintext, the rewritable-area flag is set OFF to disable the security function and the plaintext software is written as-is. Later in development, when the software is supplied as ciphertext to keep it confidential, the rewritable-area flag is set ON to enable the security function, and the ciphertext software is decrypted to plaintext and written. Because the rewritable-area flag can be switched freely between ON and OFF, plaintext reprogramming for evaluation remains possible even after the unit has once been reprogrammed with ciphertext. During reprogramming in mass production, the non-rewritable-area flag is set ON (fixed ON), so the security function stays enabled regardless of the value of the rewritable-area flag, and the security weakness no longer arises. The security function can thus be switched appropriately according to whether reprogramming takes place in development or in mass production.

Fig. 1: Functional block diagram of an embodiment of the present invention
Fig. 2: Connection to a serial communication writer
Fig. 3: Connection to a CAN communication writer
Fig. 4: Enabled/disabled states of the security function
Fig. 5: Flowchart

An embodiment in which the invention is applied to a microcomputer mounted in a vehicle ECU (Electronic Control Unit) is described below with reference to the drawings. The microcomputer 1 has a built-in flash ROM 2 (nonvolatile memory, flash memory). The flash ROM 2 has a rewritable area 3, in which software is rewritten during reprogramming, and a non-rewritable area 4, which cannot be rewritten once software has been written to it. A security setting flag 5 for the rewritable area is provided in the rewritable area 3, and a security setting flag 6 for the non-rewritable area is provided in the non-rewritable area 4; that is, each area has its own security setting flag. Each of the flags 5 and 6 can be switched between ON ("1") and OFF ("0"). The non-rewritable area 4 also contains a region for storing reprogramming software 7, the program that rewrites software.

As external communication interfaces, the microcomputer 1 has a serial communication connection terminal 8, which establishes a serial interface, and a CAN (Controller Area Network) communication connection terminal 9, which establishes a CAN interface. As shown in Fig. 2, when a serial communication cable 11 from a serial communication writer 10 (first setting means) is connected to the serial terminal 8, the microcomputer 1 can receive data (a bit string) from the serial writer 10. With the serial writer 10 connected, when the operator performs a write of the reprogramming software 7, firmware stored beforehand in the flash ROM 2 starts, the data making up the reprogramming software 7 is transferred to the flash ROM 2, and the reprogramming software 7 is stored in the non-rewritable area 4. Also with the serial writer 10 connected, the operator can set (switch) the security setting flag 6 in the non-rewritable area 4 to ON or OFF.

Likewise, as shown in Fig. 3, when a CAN communication cable 13 from a CAN communication writer 12 (second setting means) is connected to the CAN terminal 9, the microcomputer 1 can receive data (a bit string) from the CAN writer 12. With the CAN writer 12 connected, when the operator performs a software write, the reprogramming software 7 stored in the non-rewritable area 4 starts, the data making up the target software is transferred to the flash ROM 2, and the target software is written into the rewritable area 3. Also with the CAN writer 12 connected, the operator can set (switch) the security setting flag 5 in the rewritable area 3 to ON or OFF. The microcomputer 1, the serial writer 10 (which can set flag 6) and the CAN writer 12 (which can set flag 5) together form a security setting system 14.

The operator sets flag 5 in the rewritable area 3 and flag 6 in the non-rewritable area 4 as shown in Fig. 4, according to the stage at which reprogramming is performed. In the development process (before shipment to market; the first period), the operator sets flag 6 in the non-rewritable area 4 OFF, which makes flag 5 in the rewritable area 3 switchable between ON and OFF and hence the security function switchable between enabled and disabled. Early in development the operator sets flag 5 OFF to disable the security function; later in development the operator sets flag 5 ON to enable it. In the mass production process (after shipment to market; the second period), where software is rewritten less often than in development, the operator sets flag 6 ON (fixed ON), which enables the security function regardless of the value of flag 5.

The security function determines whether the software to be written is plaintext or ciphertext and decides whether the write is permitted. When the security function is disabled, plaintext software can be written as-is; when it is enabled, ciphertext software is decrypted to plaintext and written.

The operator first connects the serial writer 10 to the microcomputer 1, sets the value of flag 6, and writes the reprogramming software 7. The operator then connects the CAN writer 12 to the microcomputer 1, switches flag 5 according to the process stage, and writes the target software. With flag 6 OFF and flag 5 OFF, the security function is disabled and plaintext software can be written as-is; with flag 6 OFF and flag 5 ON, the security function is enabled and ciphertext software is decrypted to plaintext and written.

The reprogramming software 7 operates as shown in Fig. 5.
It waits for target software to be supplied from the CAN writer 12 (S1). When it determines that target software has been supplied (S1: YES), it reads the values of flag 5 in the rewritable area 3 and flag 6 in the non-rewritable area 4 (S2), and from those values determines whether the security function is enabled or disabled (S3).

When flag 6 in the non-rewritable area 4 is OFF and flag 5 in the rewritable area 3 is OFF, the reprogramming software 7 determines that the security function is disabled. When flag 6 is OFF and flag 5 is ON, it determines that the security function is enabled. When flag 6 is ON, it determines that the security function is enabled regardless of the value of flag 5.

When it determines that the security function is disabled, the reprogramming software 7 writes the plaintext software supplied from the CAN writer 12 as-is (S4). When it determines that the security function is enabled, it decrypts the ciphertext software supplied from the CAN writer 12 into plaintext (converts it from ciphertext to plaintext) and writes it (S5).
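The two procedures above, the flag-setting sequence on the serial and CAN writers (serial writer sets flag 6 and the reprogramming software once; CAN writer toggles flag 5 freely) and steps S1 to S5 of the reprogramming software, as one added example in C. This is the editor's host-side model, not code from the patent or from any Denso or Toyota implementation. The following are assumptions not stated on the page: the one-byte 'P'/'C' tag that tells plaintext and ciphertext images apart, the one-shot write to the non-rewritable area, the rejection of a plaintext image while the security function is enabled (and of a ciphertext image while it is disabled), and the XOR keystream with a constructed key that stands in for whatever cipher the real ECU uses.

```c
/* Added example (editor's code, not from JP2016015020A): host-side model of the
 * two-flag security setting. Assumptions: 'P'/'C' image tag, one-shot write of
 * area 4, rejection rules for the unspecified cases, XOR keystream as cipher. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SW_MAX 64
enum { FLAG_OFF = 0, FLAG_ON = 1 };

typedef struct {
    uint8_t flag5;             /* rewritable area 3: security setting flag 5 */
    uint8_t software[SW_MAX];  /* rewritable area 3: target software */
    size_t  software_len;
    uint8_t flag6;             /* non-rewritable area 4: security setting flag 6 */
    bool    area4_written;     /* area 4 is locked after its first write */
} flash_rom_t;

/* Placeholder keystream (constructed, assumption); the patent names no cipher. */
static const uint8_t DEMO_KEY[16] = { 0x3a, 0x9c, 0x51, 0xe7, 0x08, 0x6d, 0xb2, 0x4f,
                                      0xc1, 0x27, 0x95, 0x70, 0xd3, 0x1e, 0x8b, 0x46 };

static void xor_keystream(uint8_t *dst, const uint8_t *src, size_t n) {
    for (size_t i = 0; i < n; i++) dst[i] = src[i] ^ DEMO_KEY[i % sizeof DEMO_KEY];
}

/* Serial writer 10 (first setting means): programs flag 6 along with the
 * reprogramming software. Area 4 cannot be rewritten, so only the first call succeeds. */
bool serial_writer_program_area4(flash_rom_t *rom, uint8_t flag6) {
    if (rom->area4_written) return false;
    rom->flag6 = flag6 ? FLAG_ON : FLAG_OFF;
    rom->area4_written = true;
    return true;
}

/* CAN writer 12 (second setting means): flag 5 sits in the rewritable area and
 * can be switched at any time. */
void can_writer_set_flag5(flash_rom_t *rom, uint8_t flag5) {
    rom->flag5 = flag5 ? FLAG_ON : FLAG_OFF;
}

/* Steps S2/S3: flag 6 ON forces the security function on; otherwise flag 5 decides. */
bool security_decision(uint8_t flag6, uint8_t flag5) {
    return flag6 == FLAG_ON || flag5 == FLAG_ON;
}

typedef enum { REPRO_OK, REPRO_REJECTED, REPRO_BAD_IMAGE } repro_result_t;

/* Steps S1..S5 for one image from the CAN writer: img[0] is 'P' (plaintext) or
 * 'C' (ciphertext), the remainder is the software. */
repro_result_t repro_write(flash_rom_t *rom, const uint8_t *img, size_t len) {
    if (len < 1 || len - 1 > SW_MAX) return REPRO_BAD_IMAGE;
    const uint8_t *body = img + 1;
    size_t n = len - 1;
    bool enabled = security_decision(rom->flag6, rom->flag5);
    switch (img[0]) {
    case 'P':                               /* S4: plaintext written as-is */
        if (enabled) return REPRO_REJECTED;
        memcpy(rom->software, body, n);
        break;
    case 'C':                               /* S5: ciphertext decrypted, then written */
        if (!enabled) return REPRO_REJECTED;
        xor_keystream(rom->software, body, n);
        break;
    default:
        return REPRO_BAD_IMAGE;
    }
    rom->software_len = n;
    return REPRO_OK;
}

/* Tool-side counterpart of S5: wraps plaintext into a 'C' image. */
size_t make_cipher_image(uint8_t *out, const uint8_t *plain, size_t n) {
    out[0] = 'C';
    xor_keystream(out + 1, plain, n);
    return n + 1;
}

/* Walks a development unit and a production unit through the settings of Fig. 4.
 * Returns true when every outcome matches the description. */
bool lifecycle_check(void) {
    static const uint8_t plain_img[5] = { 'P', 0xDE, 0xAD, 0xBE, 0xEF }; /* constructed */
    uint8_t cipher_img[5];
    make_cipher_image(cipher_img, plain_img + 1, 4);
    bool ok = true;

    flash_rom_t dev = {0};                              /* development: flag 6 OFF */
    ok &= serial_writer_program_area4(&dev, FLAG_OFF);
    can_writer_set_flag5(&dev, FLAG_OFF);               /* early development */
    ok &= repro_write(&dev, plain_img, 5) == REPRO_OK;
    can_writer_set_flag5(&dev, FLAG_ON);                /* later development */
    ok &= repro_write(&dev, cipher_img, 5) == REPRO_OK;
    ok &= memcmp(dev.software, plain_img + 1, 4) == 0;  /* stored decrypted */
    can_writer_set_flag5(&dev, FLAG_OFF);               /* plaintext evaluation again */
    ok &= repro_write(&dev, plain_img, 5) == REPRO_OK;

    flash_rom_t prod = {0};                             /* mass production: flag 6 fixed ON */
    ok &= serial_writer_program_area4(&prod, FLAG_ON);
    can_writer_set_flag5(&prod, FLAG_OFF);              /* flag 5 no longer matters */
    ok &= repro_write(&prod, plain_img, 5) == REPRO_REJECTED;
    ok &= repro_write(&prod, cipher_img, 5) == REPRO_OK;
    ok &= !serial_writer_program_area4(&prod, FLAG_OFF); /* cannot be switched back */
    return ok;
}

int main(void) {
    bool ok = lifecycle_check();
    printf("lifecycle check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

`lifecycle_check()` exercises every row of Fig. 4: a development unit can go plaintext, ciphertext and back to plaintext, while a production unit accepts only ciphertext and cannot have flag 6 cleared again. Two caveats a practitioner should keep in view: the security function as the page describes it only classifies the image and decrypts it, so it protects the confidentiality of the image in transit while the decrypted software still sits in flash in plaintext; and it does not by itself establish that the image came from an authorised source, which a real ECU would check separately (for example with a MAC or signature over the image) before writing.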

As described above, this embodiment provides the following effects.
In the microcomputer 1, security setting flags 5 and 6 are provided in the rewritable area 3 and the non-rewritable area 4 of the nonvolatile memory 2 respectively, and the security function is switched between enabled and disabled according to their values. During reprogramming in development, flag 6 in the non-rewritable area 4 is set OFF and flag 5 in the rewritable area 3 is switched between ON and OFF to enable or disable the security function. Early in development, for example, flag 5 is set OFF to disable the security function and plaintext software is written as-is; later in development, flag 5 is set ON to enable the security function and ciphertext software is decrypted to plaintext and written. Switching flag 5 between ON and OFF thus switches freely between writing plaintext software and writing ciphertext software, so plaintext reprogramming for evaluation remains possible after the unit has once been reprogrammed with ciphertext. During reprogramming in mass production, flag 6 in the non-rewritable area 4 is set ON (fixed ON), so the security function stays enabled and the security weakness no longer arises. The security function can thus be switched appropriately according to whether reprogramming takes place in development or in mass production.

The present invention is not limited to the embodiment above and may be modified or extended as follows.
It may be applied not only to the microcomputer 1 mounted in an ECU but also to microcomputers mounted in equipment for other purposes.
For the serial communication between the microcomputer 1 and the serial writer 10, any other communication protocol supported by the microcomputer 1 (UART, CSI, NEXUS, etc.) may be used. For the CAN communication between the microcomputer 1 and the CAN writer 12, any other communication protocol supported by the reprogramming software 7 (FlexRay (registered trademark), Ethernet (registered trademark), etc.) may be used.

In the drawings, 1 is the microcomputer, 2 the nonvolatile memory, 3 the rewritable area, 4 the non-rewritable area, 5 the security setting flag for the rewritable area, 6 the security setting flag for the non-rewritable area, 7 the reprogramming software, 10 the serial communication writer (first setting means), 12 the CAN communication writer (second setting means), and 14 the security setting system.

Claims (6)

1. A microcomputer (1) with a built-in nonvolatile memory (2) having a rewritable area (3), in which software is rewritten during reprogramming, and a non-rewritable area (4), which cannot be rewritten once software has been written to it, wherein a security setting flag (5) for the rewritable area is provided in the rewritable area and a security setting flag (6) for the non-rewritable area is provided in the non-rewritable area, and a security function is switched between enabled and disabled according to the set values of the security setting flag for the rewritable area and the security setting flag for the non-rewritable area.
2. The microcomputer according to claim 1, wherein setting the security setting flag for the non-rewritable area ON enables the security function regardless of the set value of the security setting flag for the rewritable area.
3. The microcomputer according to claim 1 or 2, wherein, when the security setting flag for the non-rewritable area is set OFF, the security function is switched between enabled and disabled as the set value of the security setting flag for the rewritable area is switched.
4. The microcomputer according to any one of claims 1 to 3, wherein in a first period the security setting flag for the non-rewritable area is set OFF, and in a second period, in which software is rewritten less frequently than in the first period, the security setting flag for the non-rewritable area is set ON.
5. The microcomputer according to any one of claims 1 to 4, wherein the security function determines whether the software to be written is plaintext or ciphertext and decides whether the write is permitted, such that when the security function is disabled, plaintext software can be written as-is, and when the security function is enabled, ciphertext software is decrypted to plaintext and written.
6. A security setting system (14) comprising the microcomputer according to any one of claims 1 to 5, first setting means (10) for setting the set value of the security setting flag for the non-rewritable area, and second setting means (12) for setting the set value of the security setting flag for the rewritable area.

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2014136749A JP6298732B2 (en) 2014-07-02 2014-07-02 Microcomputer and security setting system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2014136749A JP6298732B2 (en) 2014-07-02 2014-07-02 Microcomputer and security setting system

Publications (2)

Publication Number Publication Date
JP2016015020A true JP2016015020A (en) 2016-01-28
JP6298732B2 JP6298732B2 (en) 2018-03-20

Family

ID=55231153

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2014136749A Active JP6298732B2 (en) 2014-07-02 2014-07-02 Microcomputer and security setting system

Country Status (1)

Country Link
JP (1) JP6298732B2 (en)

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11467821B2 (en) 2018-08-10 2022-10-11 Denso Corporation Vehicle master device, installation instruction determination method and computer program product
JP2023510122A (en) * 2019-12-20 2023-03-13 ローベルト ボツシユ ゲゼルシヤフト ミツト ベシユレンクテル ハフツング Device with interface and method of operating device with interface
US11604637B2 (en) 2018-08-10 2023-03-14 Denso Corporation Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product
US11656771B2 (en) 2018-08-10 2023-05-23 Denso Corporation Electronic control unit, vehicle electronic control system, activation execution control method and computer program product
US11671498B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle master device, update data verification method and computer program product
US11669323B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle electronic control system, program update notification control method and computer program product
US11683197B2 (en) 2018-08-10 2023-06-20 Denso Corporation Vehicle master device, update data distribution control method, computer program product and data structure of specification data
US11709666B2 (en) 2018-07-25 2023-07-25 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11822366B2 (en) 2018-08-10 2023-11-21 Denso Corporation Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data
US11876898B2 (en) 2018-08-10 2024-01-16 Denso Corporation Vehicle master device, security access key management method, security access key management program and data structure of specification data
US11907697B2 (en) 2018-08-10 2024-02-20 Denso Corporation Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program
US11926270B2 (en) 2018-08-10 2024-03-12 Denso Corporation Display control device, rewrite progress display control method and computer program product
US11928459B2 (en) 2018-08-10 2024-03-12 Denso Corporation Electronic control unit, retry point specifying method and computer program product for specifying retry point
US11934823B2 (en) 2018-07-25 2024-03-19 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11941384B2 (en) 2018-08-10 2024-03-26 Denso Corporation Vehicle master device, rewrite target group administration method, computer program product and data structure of specification data
US11947953B2 (en) 2018-08-10 2024-04-02 Denso Corporation Vehicle electronic control system, progress screen display control method and computer program product
US11999360B2 (en) 2018-08-10 2024-06-04 Denso Corporation Vehicle master device, control method for executing rollback, computer program product for executing rollback and data structure of specification data
US12030443B2 (en) 2018-08-10 2024-07-09 Denso Corporation Vehicle electronic control system, distribution package download determination method and computer program product

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5956408A (en) * 1994-09-15 1999-09-21 International Business Machines Corporation Apparatus and method for secure distribution of data
JP2000181898A (en) * 1998-12-14 2000-06-30 Nec Corp Flash memory mounted type single chip microcomputer
JP2001084134A (en) * 1999-09-16 2001-03-30 Mitsubishi Electric Corp On-vehicle electronic controller and program rewriting device
JP2004259385A (en) * 2003-02-27 2004-09-16 Fujitsu Ltd Semiconductor memory device
JP2004287541A (en) * 2003-03-19 2004-10-14 Matsushita Electric Ind Co Ltd Nonvolatile memory access control system
JP2006146583A (en) * 2004-11-19 2006-06-08 Denso Corp Electronic controller and identification code generation method thereof
JP2008203988A (en) * 2007-02-16 2008-09-04 Toshiba Lsi System Support Kk Security protection function-equipped microcomputer
JP2008239021A (en) * 2007-03-28 2008-10-09 Denso Corp Vehicle control device and data rewriting system
JP2009301571A (en) * 2009-08-21 2009-12-24 Panasonic Corp Semiconductor device and boot method therefor
US20130326207A1 (en) * 2012-05-31 2013-12-05 Marvell World Trade Ltd. Implementing security functions using rom
JP2014060618A (en) * 2012-09-18 2014-04-03 Fuji Electric Co Ltd Control equipment, control system, data storage method and program
JP2014115803A (en) * 2012-12-10 2014-06-26 Seiko Epson Corp Information processor, control method of information processor, and program


Cited By (19)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11709666B2 (en) 2018-07-25 2023-07-25 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11934823B2 (en) 2018-07-25 2024-03-19 Denso Corporation Electronic control system for vehicle, program update approval determination method and program update approval determination program
US11926270B2 (en) 2018-08-10 2024-03-12 Denso Corporation Display control device, rewrite progress display control method and computer program product
US11907697B2 (en) 2018-08-10 2024-02-20 Denso Corporation Vehicle electronic control system, center device, vehicle master device, display control information transmission control method, display control information reception control method, display control information transmission control program, and display control information reception control program
US11671498B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle master device, update data verification method and computer program product
US11669323B2 (en) 2018-08-10 2023-06-06 Denso Corporation Vehicle electronic control system, program update notification control method and computer program product
US11683197B2 (en) 2018-08-10 2023-06-20 Denso Corporation Vehicle master device, update data distribution control method, computer program product and data structure of specification data
US11604637B2 (en) 2018-08-10 2023-03-14 Denso Corporation Electronic control unit, vehicle electronic control system, difference data consistency determination method and computer program product
US12030443B2 (en) 2018-08-10 2024-07-09 Denso Corporation Vehicle electronic control system, distribution package download determination method and computer program product
US11822366B2 (en) 2018-08-10 2023-11-21 Denso Corporation Electronic control unit, vehicle electronic control system, rewrite execution method, rewrite execution program, and data structure of specification data
US11876898B2 (en) 2018-08-10 2024-01-16 Denso Corporation Vehicle master device, security access key management method, security access key management program and data structure of specification data
US11656771B2 (en) 2018-08-10 2023-05-23 Denso Corporation Electronic control unit, vehicle electronic control system, activation execution control method and computer program product
US11467821B2 (en) 2018-08-10 2022-10-11 Denso Corporation Vehicle master device, installation instruction determination method and computer program product
US11928459B2 (en) 2018-08-10 2024-03-12 Denso Corporation Electronic control unit, retry point specifying method and computer program product for specifying retry point
US11999360B2 (en) 2018-08-10 2024-06-04 Denso Corporation Vehicle master device, control method for executing rollback, computer program product for executing rollback and data structure of specification data
US11941384B2 (en) 2018-08-10 2024-03-26 Denso Corporation Vehicle master device, rewrite target group administration method, computer program product and data structure of specification data
US11947953B2 (en) 2018-08-10 2024-04-02 Denso Corporation Vehicle electronic control system, progress screen display control method and computer program product
JP2023510122A (en) * 2019-12-20 2023-03-13 Robert Bosch GmbH Device with an interface and method of operating a device with an interface
JP7375201B2 (en) 2019-12-20 2023-11-07 Robert Bosch GmbH Device with an interface and method of operating a device with an interface

Also Published As

Publication number Publication date
JP6298732B2 (en) 2018-03-20

Similar Documents

Publication Publication Date Title
JP6298732B2 (en) Microcomputer and security setting system
JP6675271B2 (en) Gateway device, in-vehicle network system, and firmware update method
US11057194B2 (en) Processing system, related integrated circuit, device and method
US10045095B2 (en) Communication processing device, communication method, and communication system
JP6741559B2 (en) Evaluation device, evaluation system, and evaluation method
JP6449970B2 (en) IoT device
US10397221B2 (en) Network controller provisioned MACsec keys
US20220405392A1 (en) Secure and flexible boot firmware update for devices with a primary platform
JP2017504838A (en) Countermeasures against side-channel attacks against cryptographic algorithms
JP6916454B2 (en) Key thread ownership for hardware-accelerated cryptography
JP2017050643A (en) Repeating device
WO2019116922A1 (en) Onboard updating device, program, and method for updating program or data
US11516194B2 (en) Apparatus and method for in-vehicle network communication
JP2016118879A (en) Microcomputer
US9755953B1 (en) Multi-path routing control for an encrypted tunnel
JP6762924B2 (en) Information processing equipment, information processing methods, and programs
EP3425552B1 (en) Hardware secure module, related processing system, integrated circuit, device and method
JP2018120438A (en) Electronic control device and program rewriting system
CN109905285B (en) Network management method and network equipment
US20180262473A1 (en) Encrypted data packet
CN105939220A (en) Remote port mirroring realization method and device
JP2017130756A (en) Relay device
EP3425551B1 (en) A processing system, related integrated circuit, device and method for a hardware secure module
JP2015192216A (en) Communication device and communication method
JP6897203B2 (en) Embedded device and control method of embedded device

Legal Events

Date Code Title Description
2017-01-25 | A621 | Written request for application examination | JAPANESE INTERMEDIATE CODE: A621
2017-11-16 | A977 | Report on retrieval | JAPANESE INTERMEDIATE CODE: A971007
2017-11-28 | A131 | Notification of reasons for refusal | JAPANESE INTERMEDIATE CODE: A131
2018-01-16 | A521 | Request for written amendment filed | JAPANESE INTERMEDIATE CODE: A523
(no date) | TRDD | Decision of grant or rejection written |
2018-01-30 | A01 | Written decision to grant a patent or to grant a registration (utility model) | JAPANESE INTERMEDIATE CODE: A01
2018-02-26 | A61 | First payment of annual fees (during grant procedure) | JAPANESE INTERMEDIATE CODE: A61
(no date) | R150 | Certificate of patent or registration of utility model | Ref document number: 6298732; Country of ref document: JP; JAPANESE INTERMEDIATE CODE: R150
(no date) | R250 | Receipt of annual fees (recorded four times) | JAPANESE INTERMEDIATE CODE: R250