JP2018010471A - Start-up control system as well as start-up control program and start-up control program group - Google Patents

Abstract

PROBLEM TO BE SOLVED: To avoid that at least one arithmetic processing unit of a plurality of arithmetic processing units may be activated by a tampered program even when it is not assured that a program stored in at least one storage device is not tampered.SOLUTION: A start-up control system comprises a first diagnostic means that diagnoses a first arithmetic processing unit 101-1 by comparing an actual value of a first result obtained by executing a first operation based on a first program and a first random number by a first arithmetic processing unit 101-1 with an expectation value of the first result based on first reference data and the first random number which can be referred from a second arithmetic processing unit 101-2, the expectation value of the first result of a first operation based on a first program 105-1 being executed the first arithmetic processing unit 101-1, a second diagnostic means 119-2 that is symmetric to the first diagnostic means, and pieces of start-up control means 153, 155 that controls each start-up of the first arithmetic processing unit 101-1 and the second arithmetic processing unit 101-2 based on diagnostic results by these pieces of diagnostic means.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an activation control system, an activation control program, and an activation control program group for controlling activation of a plurality of arithmetic processing devices.

  With the recent miniaturization of LSI (Large Scale Integration) processes, the scale of circuits that can be mounted on LSIs has been increasing, and the functions and performance that LSIs are processing have improved at an accelerated pace. Depending on the circuit scale, the semiconductor integrated circuit may be referred to as VLSI (Very LSI), ULSI (Ultra-LSI), or the like.

  As one function improvement, when a processor function is incorporated into an LSI, a processor inside the LSI can control the entire LSI from the inside, and a single system can be constructed inside the LSI. Thus, a device that is a semiconductor integrated circuit and has a processor built therein to construct a system is called SoC (System on a Chip).

  There are various devices in a semiconductor integrated circuit called SoC. A device with a very high-performance processor that can manage all devices connected to the outside of the SoC, a device that incorporates multiple processors, and that has increased processing and computing capabilities. The device control is left to other processors, and the device itself performs various controls such as only SoC internal control.

  By the way, in SoC, it is very important to start up a processor such as a CPU (Central Processing Unit) safely. In particular, in a product that emphasizes security, a processor (hereinafter referred to as a CPU) is surely obtained from reliable program data. Must be started. If the program is allowed to start in a state where it has been replaced by a malicious person, it will be erased because there is a risk that the data stored encrypted inside and outside the SoC will be read, or that the encrypted data could not be decrypted There is also a risk. Further, if the user uses the program without noticing that the program has been replaced, the data generated after the replacement is stolen by a malicious person.

  In order to eliminate such danger, it is important to start up the CPU safely and reliably. As an implementation method, for example, program data is encrypted and stored in a storage device, decrypted at startup, and then expanded on a RAM (Random Access Memory) and started, TPM (Trusted Platform Module), etc. In addition to the SoC, there is a method of using a security device externally.

  In addition, program data is not stored in general-purpose storage devices such as HDD (Hard Disk Drive), SD card, USB (Universal Serial Bus) memory, etc. Saving to a type of storage device is another way to increase security. There are also methods of adopting a device that operates with an original I / F (Interface) protocol or a device that is generally difficult for a user to obtain such as a flash DIMM (Dual Inline Memory Module). In the case of an on-board type device or a device that is difficult for the user to obtain, it is difficult not only to replace the device by a third party, but also to rewrite it from the outside while it is mounted on the board requires very specialized knowledge Therefore, security is increased.

  A specific description will be given by taking a multifunction peripheral (MFP) as an example. When there are two types: general model (product) and security-oriented model, the security-oriented model has security functions such as data encryption, memory data temporarily saved during operation, and HDD data erasure. Added. An example of a threat here is to replace a security model model device with a general model program data storage device. If the CPU can be started after the replacement, the data stored up to that point will not be erased, and the data generated for future use will not be encrypted, making it extremely dangerous. End up. Therefore, starting the CPU safely is a very important factor in terms of security.

  On the other hand, in recent years, not only MFPs but various systems have been increasingly controlled by a plurality of CPUs as the scale and complexity of the systems increases. For example, Patent Document 1 discloses a semiconductor device in which two or more semiconductor integrated circuits represented by SoC as described above are mounted on the same circuit board or the like. This semiconductor device also has a plurality of CPUs.

  And in the case of a semiconductor device having a plurality of CPUs mounted in this way, it is required to safely start all the CPUs. In order to eliminate the threat of replacement of the program storage device, it is necessary to make all the storage devices safe without replacement risk. Accordingly, the two external storage devices connected to the two SoCs as program storage devices need to employ high security devices.

  However, in general, storage devices with high security tend to be higher in cost due to technically advanced and low sales volume compared to the general-purpose storage devices listed above such as HDDs. .

  The invention disclosed in Patent Document 2 has been made in view of the above situation, and each program storage device connected to each semiconductor integrated circuit in a semiconductor device on which two or more semiconductor integrated circuits are mounted. By making only a part of the storage devices (storage devices) high security, it is possible to eliminate the threat of replacement of storage devices at a high security level for all of these storage devices.

  A first technical means of the invention disclosed in Patent Document 2 is a semiconductor device on which two or more semiconductor integrated circuits are mounted, and at least one semiconductor integrated circuit is more reliable than a startup program of another semiconductor integrated circuit. This is characterized in that it is started by a startup program that ensures the reliability, and the startup program of another semiconductor integrated circuit is authenticated by the started startup program.

JP 2001-13215 A JP 2012-252667 A

  However, in the invention of Patent Document 2, it is assumed that at least one of the storage devices in which the program is stored is a highly secure storage device, and the highly secure storage device is activated on the assumption that tampering and replacement threats are eliminated. The processor side program authenticates the program stored in the low-secure storage device, thereby ensuring the security of the MFP. In the prior art, the types of start-up devices are limited, and when the device that is currently highly secure can be tampered with due to technological advancement, security cannot be guaranteed.

  Therefore, the present invention starts up at least one arithmetic processing device of a plurality of arithmetic processing devices by a falsified program without guaranteeing that the program stored in at least one storage device is not falsified. It is an object of the present invention to provide an activation control system, an activation control program, and an activation control program group that can prevent the occurrence of such an event.

According to the present invention,
An activation control system for controlling activation of the first arithmetic processing unit and activation of the second arithmetic processing unit,
The first reference data and the first random number, which are expected values of the first result of the first calculation based on the first program executed by the first arithmetic processing unit and can be referred to from the second arithmetic processing unit Obtained by executing the first calculation based on the first calculation based on the first calculation based on the first value based on the first program and the first random number on the first calculation processing unit. First diagnostic means for diagnosing the first arithmetic processing unit by comparing the actual value of the first result;
Second reference data and a second random number that are expected values of the second result of the second calculation based on the second program executed by the second arithmetic processing unit and can be referred to from the first arithmetic processing unit The expected value of the second result calculated by the first arithmetic processing unit based on the second arithmetic processing unit and the second arithmetic operation based on the second program and the second random number obtained by the second arithmetic processing unit. A second diagnostic means for diagnosing the second arithmetic processing unit by comparing the actual value of the second result;
Control activation of the first program and the second program by the first arithmetic processing unit and the second arithmetic processing unit, respectively, based on at least the diagnostic result by the first diagnostic unit and the diagnostic result by the second diagnostic unit. Starting control means to
An activation control system is provided.
In addition, according to the present invention, there is provided an activation control program group for causing the first arithmetic processing device, the second arithmetic processing device, and the third computer to function as the above-described activation control system.
Furthermore, according to the present invention, there is provided a startup control program for causing an arithmetic processing unit to function as a part of the startup control system.
Furthermore, according to the present invention,
An activation control system for controlling activation of a plurality of arithmetic processing devices,
The plurality of arithmetic processing units are first to Nth,
If i = N, then i + 1 = 1.
The i th arithmetic processing unit is
The i-th reference data and the i-th random number that are expected values of the i-th result of the i-th operation based on the i-th program executed by the i-th arithmetic processing device and can be referred to from the (i + 1) -th arithmetic processing device The i-th arithmetic processing unit executes the i-th arithmetic based on the expected value of the i-th result calculated by the (i + 1) -th arithmetic processing unit and the i-th program and the i-th random number. I-th diagnostic means for diagnosing the i-th arithmetic processing unit by comparing the obtained actual value of the i-th result;
Activation control means for controlling the activation of the i-th program by each of the i-th arithmetic processing units based at least on the i-th diagnosis result by the i-th diagnosis means;
An activation control system is provided.
Furthermore, according to the present invention,
An electronic apparatus having a first arithmetic processing device, a second arithmetic processing device, and a management device,
The first arithmetic processing unit and the second arithmetic processing unit are valid for the first program executed by the first arithmetic processing unit and the second program executed by the second arithmetic processing unit. A means to carry out a process of confirming sex
An electronic apparatus is provided, wherein the monitoring device includes means for monitoring the confirmation process.
Furthermore, according to the present invention,
An electronic apparatus having a first arithmetic processing device, a second arithmetic processing device, and a management device,
The first arithmetic processing unit includes means for executing a process for confirming the validity of a program executed by the second arithmetic processing unit,
An electronic apparatus is provided, wherein the monitoring device includes means for monitoring the confirmation process.

  According to the present invention, even if there is no guarantee that a program stored in at least one storage device will not be falsified, at least one arithmetic processing device of the plurality of arithmetic processing devices is activated by the falsified program. Can be avoided.

It is a block diagram which shows the structure of the starting control system by the 1st Embodiment of this invention. It is a flowchart (1/2) for demonstrating operation | movement of the starting control system by the 1st Embodiment of this invention. It is a flowchart (2/2) for demonstrating operation | movement of the starting control system by the 1st Embodiment of this invention. It is a schematic diagram (1/2) of the 1st Embodiment of this invention. It is a schematic diagram (2/2) of the 1st Embodiment of this invention. It is a schematic diagram (1/2) of the 2nd Embodiment of this invention. It is a schematic diagram (2/2) of the 2nd Embodiment of this invention. It is a schematic diagram (1/2) of the 3rd Embodiment of this invention. It is a schematic diagram (2/2) of the 3rd Embodiment of this invention. It is a schematic diagram (1/2) of the 4th Embodiment of this invention. It is a schematic diagram (2/2) of the 4th Embodiment of this invention. It is a block diagram which shows the structure of the 1st and 2nd program execution apparatus by the 9th Embodiment of this invention. It is a block diagram which shows the structure of the multifunctional machine containing the starting control apparatus by the 10th Embodiment of this invention. It is sectional drawing which shows the structure of the multifunctional device by the 11th Embodiment of this invention.

DESCRIPTION OF EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
[First Embodiment]
FIG. 1 is a block diagram showing the configuration of the activation control system according to the first embodiment.
Referring to FIG. 1, the activation control system includes a first program execution device 101-1, a second program execution device 101-2, and a monitoring device 151.

  The first program execution device 101-1 includes a first CPU 103-1, a first random number generation unit 109-1, a first calculation unit 111-1, a reference second latter calculation unit 117-1, and a first external interface 121-1. including. The first calculation unit 111-1 includes a first actual first half calculation unit 113-1 and a first actual second half calculation unit 115-1.

  Similarly, the second program execution device 101-2 includes a second CPU 103-2, a second random number generation unit 109-2, a second calculation unit 111-2, a reference second latter second calculation unit 117-2, and a second external interface. 121-2 included. The second calculation unit 111-2 includes a second actual first half calculation unit 113-2 and a second actual second half calculation unit 115-2.

  The monitoring device 151 includes a monitoring unit 153 and an activation control unit 155.

  The first random number generator 109-1 generates a first random number RAND-soc1. Similarly, the second random number generator 109-2 generates a second random number RAND-soc2.

  The first CPU 103-1 executes the first program 105-1 Program stored in the first external storage device 163-1 (FIG. 8).

  The second CPU 103-2 executes the second program 105-1 MainProgram stored in the second external storage device 163-1 (FIG. 8).

The first actual first half calculation unit 113-1 calculates the first actual intermediate hash value HASH-soc1, real of the first program 105-1. For example, when the data of the first program 105-1 is Program and the error that may be added to the program is Δ1, the first actual intermediate hash value HASH-soc1, real is represented by the following expression HASH-soc1. , Real
= SHA-256 (Program + Δ1)
Calculated by Here, when the error Δ is not zero, for example, the program may be falsified.

The first real second half calculation unit 115-1 combines the first real hash values HASH-soc1, real and the second random number RAND-soc2 calculated by the first real first half calculation unit 113-1 to obtain the first real The final hash value HASH-soc1 ′, real is expressed by the following expression HASH-soc1 ′, real
= SHA-256 (cat (RAND-soc2, HASH-soc1, real)
Calculated by

The reference first second half calculation unit 117-2 includes the first reference intermediate hash value 107-2 HASH-soc1, ref and the second random number RAND-soc2 stored in the second external storage device 163-2 (FIG. 8). , And the first reference final hash value HASH-soc1 ′, ref is expressed by the following expression HASH-soc1 ′, ref
= SHA-256 (cat (RAND-soc2, HASH-soc1, ref)
Calculated by

Here, the first reference intermediate hash value HASH-soc1, ref is expressed by the following expression HASH-soc1, ref
= SHA-256 (Program)
Based on the above. As shown in the above equation, when this calculation is performed, no error is added to the program.

  The second diagnosis unit 119-2 compares the first actual final hash value HASH-soc1 ', real and the first reference final hash value HASH-soc1', ref. Determines that no error has been added. If they are different, it is determined that an error is added to the current program.

  The second CPU 103-2 executes the second program 105-2 stored in the second external storage device 163-2 (FIG. 8).

The second actual first half calculation unit 113-2 calculates the second actual intermediate hash value HASH-soc2, real of the second program 105-2. For example, when the data of the second program 105-2 is MainProgram and an error that may be added to the program is Δ2, the second actual intermediate hash value HASH-soc2, real is represented by the following expression HASH-soc2 , Real
= SHA-256 (Program + Δ2)
Calculated by Here, when the error Δ2 is not zero, for example, the program may be falsified.

The second real second half calculation unit 115-2 combines the second real hash value HASH-soc2, real calculated by the second real first half calculation unit 113-2 and the first random number RAND-soc1 to obtain the second real The final hash value HASH-soc2 ′, real is expressed by the following expression HASH-soc2 ′, real
= SHA-256 (cat (RAND-soc1, HASH-soc2, real)
Calculated by

The second second half calculation unit 117-1 for reference uses the second reference intermediate hash value 107-1 HASH-soc2, ref and the first random number RAND-soc1 stored in the first external storage device 163-1 (FIG. 8). , And the second reference final hash value HASH-soc2 ′, ref is expressed by the following expression HASH-soc2 ′, ref
= SHA-256 (cat (RAND-soc1, HASH-soc2, ref)
Calculated by

Here, the second reference intermediate hash value HASH-soc2, ref is expressed by the following expression HASH-soc2, ref
= SHA-256 (MainProgram)
Based on the above. As shown in the above equation, when this calculation is performed, no error is added to the program.

  The first diagnosis unit 119-1 compares the second actual final hash value HASH-soc2 ', real and the second reference final hash value HASH-soc2', ref. Determines that no error has been added. If they are different, it is determined that an error is added to the current program.

  The first external interface 121-1 and the second external interface 121-2 are used for transmitting and receiving the above various hash values and random numbers between the first program execution device 101-1 and the second program execution device 101-2. Is.

  The monitoring unit 153 monitors whether various hash values and random numbers are transmitted and received between the first external interface 121-1 and the second external interface 121-2 before a predetermined time elapses.

  The activation control unit 155 includes the first program execution device 101-1 and the second program based on the diagnosis result by the first diagnosis unit 119-1, the diagnosis result by the second diagnosis unit 119-2, and the monitoring result by the monitoring unit 153. Controls the activation of the program in the execution device 101-2.

Next, the operation of the activation control system according to the first embodiment will be described with reference to FIGS.
Referring to FIG. 2, first, when the power is turned on (step S201), the first program execution apparatus 101-1 develops the first program 105-1 Program (step S203-1), and the first random number generation unit 109. −1 generates the first random number RAND-soc1 (step S205-1), and the first random number RAND-soc1 is notified to the monitoring unit 153 (step S207-1).

  Similarly, in the second program execution device 101-2, the second program 105-2 MainProgram is expanded (step S203-2), and the second random number generator 109-2 generates the second random number RAND-soc2 ( In step S205-2), the second random number RAND-soc2 is notified to the monitoring device 151 (step S207-2).

  In the period from when the power is turned on until now, the monitoring device 151 first completes startup (step S231), and the variable BOOT_STEP is initialized to zero (step S233).

  When there is a notification in step S207-1 and step S207-2, the monitoring device 151 changes the variable BOOT_STEP to 1 (step S235).

  If the variable BOOT_STEP is changed to 1 (YES in step S209-1), the first program execution device 101-1 reads the second random number RAND-soc2 from the monitoring unit 151 (step S211-1), and first The first practical half calculation unit 113-1 calculates the first practical intermediate hash value HASH-soc1, real of the first program 105-1 Program developed in step S203-1, and then the first practical second half calculation (step S213-1). The unit 115-1 combines the second random number RAND-soc2 read in step 211-1 and the first real intermediate hash value HASH-soc1, real calculated in step S213-1, One actual final hash value HASH-soc1 ′, real is calculated (step S215-1). The first actual final hash value HASH-soc1 ', real is notified to the monitoring unit 153 (step S217-1).

  Similarly, if the variable BOOT_STEP is changed to 1 (YES in step S209-2), the second program execution device 101-2 reads the first random number RAND-soc1 from the monitoring unit 151 (step S211-2). The second actual first half calculation unit 113-2 calculates the second actual intermediate hash value HASH-soc2, real of the second program 105-1 MainProgram expanded in step S203-2 (step S213-2), and the second The real second half calculation unit 115-2 combines the first random number RAND-soc1 read in Step 211-2 and the second real intermediate hash value HASH-soc2, real calculated in Step S213-2, The second actual final hash value HASH-soc2 ′, real is calculated (step S2 5-2). The second actual final hash value HASH-soc2 ', real is notified to the monitoring unit 153 (step S217-2).

  When there is a notification in step S217-1 and step S217-2, the monitoring device 151 changes the variable BOOT_STEP to 2 (step S237).

  If the variable BOOT_STEP is changed to 2 (YES in step S219-1), the first program execution device 101-1 reads the second actual final hash value HASH-soc2 ′, real from the monitoring unit 151 (step S221). -1), the second second reference calculation unit 117-1 for reference calculates the second reference final hash value HASH-soc2 ', ref (step S223-1), and the first diagnosis unit 119-1 calculates the second actual value. Based on the final hash value HASH-soc2 ′, real and the second reference final hash value HASH-soc2 ′, ref, it is verified whether or not an error is added to the second program 105-2 (step S225-). 1). The verification result is notified to the monitoring device 151 (step S227-1).

  If the variable BOOT_STEP is changed to 2 (YES in step S219-2), the second program execution device 101-2 reads the first actual final hash value HASH-soc1 ′, real from the monitoring unit 151 (step S221). -2), the reference first second half calculation unit 117-2 calculates the first reference final hash value HASH-soc1 ′, ref (step S223-2), and the second diagnosis unit 119-2 receives the first actual value. Based on the final hash value HASH-soc1 ′, real and the first reference final hash value HASH-soc1 ′, ref, it is verified whether an error is added to the first program 105-2 (step S225-). 2). The verification result is notified to the monitoring device 151 (step S227-2).

  When there are notifications in steps S227-1 and S227-2, the monitoring device 151 changes the variable BOOT_STEP to 3 (step S239).

  Next, the monitoring device 151 makes a determination based on the verification result notified in step S227-1 and the verification result notified in step S227-2. Specifically, when both the verification results indicate normality (no error is added to the program), the activation is permitted, and otherwise the activation is not permitted (step S241).

  If it is determined that activation is possible, the activation control unit 155 causes the first program execution device 101-1 to activate the first program 105-1 Program, and causes the second program execution device 101-2 to perform the second operation. The program 105-2 MainProgram is started (step S251).

  If it is determined that the activation is impossible, the activation control unit 155 displays an error code on the first program execution device 101-1, and displays an error code on the second program execution device 101-2 ( In step S253), the monitoring device 151 ends abnormally (step S257). In response to this, the first program execution device 101-1 displays an error code (step S255-1), and the second program execution device 101-2 also displays an error code (step S255-2).

  In addition, notifications in steps S207-1, S207-2, S211-1, S211-2, S217-1, S217-2, S221-1, S221-2, S227-1, and S227-2 corresponded to each. If it is not within the period, the above-described progress in the first program execution device 101-1 and the second program execution device 101-2 is stopped, and the monitoring device 151 abnormally ends after step S253 (step S253). S257).

  4 and 5 schematically summarize the present embodiment.

[Second Embodiment]
The second embodiment differs from the first embodiment in that the first real second half calculation unit 115-1 calculates the first real hash value HASH-soc1 calculated by the first real first half calculation unit 113-1. , Real and the first random number RAND-soc1 are combined, and the first actual final hash value HASH-soc1 ′, real is expressed by the following expression HASH-soc1 ′, real
= SHA-256 (cat (RAND-soc1, HASH-soc1, real)
And the reference first second half operation unit 117-2 calculates the first reference intermediate hash value 107-2 HASH-soc1, ref stored in the second external storage device 163-2 (FIG. 8). The first random number RAND-soc1 is combined, and the first reference final hash value HASH-soc1 ′, ref is expressed by the following expression HASH-soc1 ′, ref
= SHA-256 (cat (RAND-soc1, HASH-soc1, ref)
It is a point to calculate by.

The second embodiment is further different from the first embodiment in that the second real second half calculation unit 115-2 is calculated by the second real second hash value HASH calculated by the second real first half calculation unit 113-2. -Soc2, real and the second random number RAND-soc2 are combined, and the second actual final hash value HASH-soc2 ', real is obtained by the following expression HASH-soc2', real
= SHA-256 (cat (RAND-soc2, HASH-soc2, real)
And the second second-half computation unit 117-1 for reference uses the second reference intermediate hash value 107-1 HASH-soc2, ref stored in the first external storage device 163-1 (FIG. 8). The second random number RAND-soc2 is combined, and the second reference final hash value HASH-soc2 ′, ref is expressed by the following expression HASH-soc2 ′, ref
= SHA-256 (cat (RAND-soc2, HASH-soc2, ref)
It is a point to calculate by.

  6 and 7 schematically summarize the present embodiment.

[Third Embodiment]
The third embodiment is different from the first embodiment in that the first diagnosis unit 119-1 is configured such that the first actual final hash value HASH-soc1 ', real and the first reference final hash value HASH- soc1 ′ and ref are compared, and if they are equal, it is determined that no error is added to the current program, and if they are different, an error is added to the current program. The second diagnosis unit 119-2 compares the determination point and the second actual final hash value HASH-soc2 ′, real with the second reference final hash value HASH-soc2 ′, ref. It is determined that no error is added to the current program, and if both are different, it is determined that an error is added to the current program.

  8 and 9 schematically summarize the present embodiment.

[Fourth Embodiment]
The fourth embodiment differs from the second embodiment in that the first diagnosis unit 119-1 is configured such that the first actual final hash value HASH-soc1 ', real and the first reference final hash value HASH- soc1 ′ and ref are compared, and if they are equal, it is determined that no error is added to the current program, and if they are different, an error is added to the current program. The second diagnosis unit 119-2 compares the determination point and the second actual final hash value HASH-soc2 ′, real with the second reference final hash value HASH-soc2 ′, ref. It is determined that no error is added to the current program, and if both are different, it is determined that an error is added to the current program.

  10 and 11 schematically summarize the present embodiment.

[Fifth Embodiment]
In the fifth embodiment, the number of arithmetic processing units is three or more. In FIG. 4, the arithmetic processing unit on the left side uses the arithmetic processing unit on the right side to verify the program corresponding to the own arithmetic processing unit, and each arithmetic processing unit is circulated through the portion related to this embodiment. Connect.
For example, when the number of arithmetic processing devices is 3, the first arithmetic processing device uses the second arithmetic processing device to verify the program corresponding to the first arithmetic processing device, and the second arithmetic processing device. Verifies the program corresponding to the second arithmetic processing unit using the third arithmetic processing unit, and the third arithmetic processing unit corresponds to the third arithmetic processing unit using the first arithmetic processing unit. Verify the program.
Then, the monitoring device monitors communication between processing units adjacent to each other in an annular connection, acquires verification results from all the processing units, and thereby controls activation of all the processing units.
Instead of using the right arithmetic processing device as shown in FIG. 4, the left arithmetic processing device may use the right arithmetic processing device as shown in FIG. 7, FIG. 9, or FIG.

[Sixth Embodiment]
When calculating the final hash value from the intermediate hash value, the first random number RAND-soc1 and the second random number RAND-soc2 may be combined with the intermediate hash value.

[Seventh Embodiment]
In steps S241 and S251, the first program execution device 101-1 and the second program execution device 101-2 may be handled independently, and a program with a normal verification result may be started.

[Eighth Embodiment]
As a hash function, SHA-224, SHA-256, SHA-384, or SHA-512 may be used instead of SHA-256.

[Ninth Embodiment]
FIG. 12 is a block diagram showing a configuration including a part not related to the activation control of the first program execution device 101-1 and the second program execution device 101-2.

  Referring to FIG. 12, the first program execution device 101-1 includes a first CPU 103-1, a first external interface 121-1, a first timer 131-1, a first memory control 133-1, and a first external storage device interface. 135-1.

  The first CPU 103-1 accesses the first external storage device 163-1 via the first external storage device interface 135-1, and accesses the first memory 161-1 via the first memory control 133-1. To do. Further, the first CPU 103-1 functions by using the first program execution device 101-1 as the first activation control device by reading and executing the activation control program stored in the first external storage device interface 135-1. Let At this time, the first CPU 103-1 may access the first memory 161-1. The first activation control device includes a first calculation unit 111-1, a first random number generation unit 109-1, a second reference second half calculation unit 117-1 and a first diagnosis unit 119-1 as shown in FIG. .

  The second program execution device 101-2 includes a second CPU 103-2, a second external interface 121-2, a second timer 131-2, a second memory control 133-2, and a second external storage device interface 135-2.

  The second CPU 103-2 accesses the second external storage device 163-2 and the third external storage device 163-3 via the second external storage device interface 135-2, and via the second memory control 133-2. The second memory 161-2 is accessed. The second CPU 103-2 functions by using the second program execution device 101-2 as a second activation control device by reading and executing the activation control program stored in the second external storage device interface 135-2. Let At this time, the second CPU 103-2 may access the second memory 161-2. The second activation control device includes a second calculation unit 111-2, a second random number generation unit 109-2, a first reference second half calculation unit 117-2, and a second diagnosis unit 119-2 as shown in FIG. .

[Tenth embodiment]
FIG. 13 is a functional block diagram showing the configuration of the multifunction machine when the first program execution device 101-1 and the second program execution device 101-2 are used for the multifunction machine. 12 includes a print engine control block 171 and a scanner control block 173, and the second program execution device 101-2 is connected to these components.

[Eleventh embodiment]
FIG. 14 is a cross-sectional view showing the configuration of the multifunction machine according to the eleventh embodiment.
Referring to FIG. 14, the multi-function device 800 forms multi-color and single-color images on a predetermined sheet (recording paper) according to image data transmitted from the outside. And a document processing device 820. The apparatus main body 810 includes an exposure unit 1, a developing device 2, a photosensitive drum 3, a cleaner unit 4, a charger 5, an intermediate transfer belt unit 6, a fixing unit 7, a paper feed cassette 81, a paper discharge tray 91, and the like. It is configured.

  A document placing table 92 made of transparent glass on which a document is placed is provided on the upper portion of the apparatus main body 810, and an automatic document processing device 820 is attached to the upper side of the document placing table 92. The automatic document processor 820 automatically conveys the document onto the document table 92. The document processing device 820 is configured to be rotatable in the direction of the arrow M, and the document can be placed manually by opening the document table 92.

  The image data handled in this multifunction device is in accordance with a color image using each color of black (K), cyan (C), magenta (M), and yellow (Y). Accordingly, four developing devices 2, photosensitive drums 3, charging devices 5, and cleaner units 4 are provided to form four types of latent images corresponding to the respective colors, and are respectively provided in black, cyan, magenta, and yellow. These are set to form four image stations.

  The charger 5 is a charging means for uniformly charging the surface of the photosensitive drum 3 to a predetermined potential. In addition to the charger type as shown in FIG. 1, a contact type roller type or brush type charger is used. Sometimes used.

  The exposure unit 1 corresponds to an image writing apparatus according to the present invention, and is configured as a laser scanning unit (LSU) including a laser emitting unit, a reflection mirror, and the like. The exposure unit 1 includes a polygon mirror that scans a laser beam and optical elements such as a lens and a mirror for guiding the laser beam reflected by the polygon mirror to the photosensitive drum 3. The configuration of the optical scanning device constituting the exposure unit 1 will be specifically described later. As the exposure unit 1, for example, a technique using an EL or LED writing head in which other light emitting elements are arranged in an array can be employed.

  The exposure unit 1 has a function of forming an electrostatic latent image corresponding to the image data on the surface thereof by exposing the charged photosensitive drum 3 according to the input image data. The developing unit 2 visualizes the electrostatic latent images formed on the respective photosensitive drums 3 with toner of four colors (YMCK). The cleaner unit 4 removes and collects toner remaining on the surface of the photosensitive drum 3 after development and image transfer.

  The intermediate transfer belt unit 6 disposed above the photosensitive drum 3 includes an intermediate transfer belt 61, an intermediate transfer belt driving roller 62, an intermediate transfer belt driven roller 63, an intermediate transfer roller 64, and an intermediate transfer belt cleaning unit 65. I have. Four intermediate transfer rollers 64 are provided corresponding to each color for YMCK.

  The intermediate transfer belt driving roller 62, the intermediate transfer belt driven roller 63, and the intermediate transfer roller 64 are driven to rotate while the intermediate transfer belt 61 is stretched. Each intermediate transfer roller 64 provides a transfer bias for transferring the toner image on the photosensitive drum 3 onto the intermediate transfer belt 61.

  The intermediate transfer belt 61 is provided so as to be in contact with each photoconductor drum 3, and the toner images of the respective colors formed on the photoconductor drum 3 are sequentially transferred to the intermediate transfer belt 61 and transferred. Further, it has a function of forming a color toner image (multicolor toner image) on the intermediate transfer belt 61. The intermediate transfer belt 61 is formed in an endless shape using, for example, a film having a thickness of about 100 μm to 150 μm.

  Transfer of the toner image from the photosensitive drum 3 to the intermediate transfer belt 61 is performed by an intermediate transfer roller 64 that is in contact with the back side of the intermediate transfer belt 61. A high-voltage transfer bias (a high voltage having a polarity (+) opposite to the toner charging polarity (−)) is applied to the intermediate transfer roller 64 in order to transfer the toner image. The intermediate transfer roller 64 is a roller whose base is a metal (for example, stainless steel) shaft having a diameter of 8 to 10 mm and whose surface is covered with a conductive elastic material (for example, EPDM, urethane foam, or the like). With this conductive elastic material, a high voltage can be uniformly applied to the intermediate transfer belt 61. In this embodiment, a roller shape is used as the transfer electrode, but a brush or the like can also be used.

  As described above, the electrostatic images visualized on the respective photosensitive drums 3 according to the respective hues are stacked on the intermediate transfer belt 61. As described above, the laminated image information is transferred onto the sheet by the transfer roller 10 disposed at a contact position between the sheet and the intermediate transfer belt 61 described later by the rotation of the intermediate transfer belt 61.

  At this time, the intermediate transfer belt 61 and the transfer roller 10 are pressed against each other at a predetermined nip, and a voltage for transferring the toner onto the sheet is applied to the transfer roller 10 (the polarity opposite to the toner charging polarity (−)). (+) High voltage). Further, in order to obtain the nip constantly, the transfer roller 10 uses either the transfer roller 10 or the intermediate transfer belt drive roller 62 as a hard material (metal or the like), and the other as a soft material (elasticity such as an elastic roller). A rubber roller, a foaming resin roller, or the like) is used.

  Further, as described above, the toner attached to the intermediate transfer belt 61 by contacting the photosensitive drum 3 or the toner remaining on the intermediate transfer belt 61 without being transferred onto the sheet by the transfer roller 10 is used in the next step. Therefore, the intermediate transfer belt cleaning unit 65 is configured to remove and collect the toner. The intermediate transfer belt cleaning unit 65 includes a cleaning blade as a cleaning member that comes into contact with the intermediate transfer belt 61. The intermediate transfer belt 61 that comes into contact with the cleaning blade is supported by an intermediate transfer belt driven roller 63 from the back side. ing.

  The paper feed cassette 81 is a tray for storing sheets (recording paper) used for image formation, and is provided below the exposure unit 1 of the apparatus main body 810. A sheet used for image formation can also be placed in the manual paper feed cassette 82. A paper discharge tray 91 provided above the apparatus main body 810 is a tray for collecting printed sheets face down.

  The apparatus main body 810 is provided with a substantially vertical sheet conveyance path S for sending the sheets of the sheet feeding cassette 81 and the manual sheet feeding cassette 82 to the sheet discharge tray 91 via the transfer roller 10 and the fixing unit 7. It has been. In the vicinity of the paper transport path S from the paper feed cassette 81 or the manual paper feed cassette 82 to the paper discharge tray 91, pickup rollers 11a and 11b, a plurality of transport rollers 12a to 12d, a registration roller 13, a transfer roller 10, and a fixing unit. 7 etc. are arranged.

  The conveyance rollers 12 a to 12 d are small rollers for promoting and assisting conveyance of the sheet, and a plurality of conveyance rollers 12 a to 12 d are provided along the sheet conveyance path S. The pickup roller 11 a is provided near the end of the paper feed cassette 81, picks up sheets one by one from the paper feed cassette 81, and supplies them to the paper transport path S. Similarly, the pickup roller 11 b is provided near the end of the manual paper feed cassette 82, picks up one sheet at a time from the manual paper feed cassette 82, and supplies it to the paper transport path S.

  Further, the registration roller 13 temporarily holds the sheet being conveyed through the sheet conveyance path S. The sheet has a function of conveying the sheet to the transfer roller 10 at the timing when the leading edge of the toner image on the photosensitive drum 3 and the leading edge of the sheet are aligned.

  The fixing unit 7 includes a heat roller 71 and a pressure roller 72, and the heat roller 71 and the pressure roller 72 rotate with the sheet interposed therebetween. The heat roller 71 is set so as to reach a predetermined fixing temperature by a control unit based on a signal from a temperature detector (not shown), and the toner is thermocompression bonded to the sheet together with the pressure roller 72. It has the function of fusing, mixing, and pressing the transferred multicolor toner image and thermally fixing the sheet. Further, an external heating belt 73 for heating the heat roller 71 from the outside is provided.

  Next, the sheet conveyance path will be described in detail. As described above, the multifunction peripheral is provided with the sheet feeding cassette 81 for storing sheets and the manual sheet feeding cassette 82 in advance. Pickup rollers 11a and 11b are arranged to feed sheets from the sheet feeding cassettes 81 and 82, respectively, and guide the sheets one by one to the conveyance path S.

  The sheet conveyed from each of the sheet feeding cassettes 81 and 82 is conveyed to the registration roller 13 by the conveying roller 12a in the sheet conveying path S, and the transfer roller is aligned at a timing when the leading edge of the sheet and the leading edge of the image information on the intermediate transfer belt 61 are aligned. 10 and image information is written on the sheet. Thereafter, the sheet passes through the fixing unit 7, whereby the unfixed toner on the sheet is melted and fixed by heat, and then discharged onto the paper discharge tray 91 through the conveying roller 12 b disposed thereafter.

  The above-mentioned conveyance path is for a single-sided printing request for a sheet. On the other hand, when a double-sided printing request is made, the trailing edge of the sheet that has finished single-sided printing and has passed through the fixing unit 7 as described above. When the sheet is held by the final conveying roller 12b, the conveying roller 12b rotates backward to guide the sheet to the conveying rollers 12c and 12d. Then, after printing is performed on the back surface of the sheet through the registration roller 13, the sheet is discharged to the discharge tray 91.

  Note that the activation control system described above can be realized by hardware, software, or a combination thereof. The activation control method performed by the activation control system can also be realized by hardware, software, or a combination thereof. Here, “realized by software” means realized by a computer reading and executing a program.

  The program may be stored using various types of non-transitory computer readable media and supplied to the computer. Non-transitory computer readable media include various types of tangible storage media. Examples of non-transitory computer readable media include magnetic recording media (for example, flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (for example, magneto-optical disks), CD-ROMs (Read Only Memory), CD- R, CD-R / W, semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (random access memory)). The program may also be supplied to the computer by various types of transitory computer readable media. Examples of transitory computer readable media include electrical signals, optical signals, and electromagnetic waves. The temporary computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire and an optical fiber, or a wireless communication path.

  The present invention can be used to control activation of an arithmetic processing unit.

101-1 First Program Execution Device 101-2 Second Program Execution Device 151 Monitoring Device 103-1 First CPU
109-1 1st random number generation part 111-1 1st operation part 117-1 2nd second half operation part for reference 121-1 1st external interface 113-1 1st actual first half operation part 115-1 1st actual second half operation part 103-2 Second CPU
109-2 Second random number generator 111-2 Second arithmetic unit 117-2 Reference second second half arithmetic unit 121-2 Second external interface 113-2 Second real first half arithmetic unit 115-2 Second real second half arithmetic unit 153 Monitoring unit 155 Activation control unit

Claims (13)

An activation control system for controlling activation of the first arithmetic processing unit and activation of the second arithmetic processing unit,
The first reference data and the first random number, which are expected values of the first result of the first calculation based on the first program executed by the first arithmetic processing unit and can be referred to from the second arithmetic processing unit Obtained by executing the first calculation based on the first calculation based on the first calculation based on the first value based on the first program and the first random number on the first calculation processing unit. First diagnostic means for diagnosing the first arithmetic processing unit by comparing the actual value of the first result;
Second reference data and a second random number that are expected values of the second result of the second calculation based on the second program executed by the second arithmetic processing unit and can be referred to from the first arithmetic processing unit The expected value of the second result calculated by the first arithmetic processing unit based on the second arithmetic processing unit and the second arithmetic operation based on the second program and the second random number obtained by the second arithmetic processing unit. A second diagnostic means for diagnosing the second arithmetic processing unit by comparing the actual value of the second result;
Control activation of the first program and the second program by the first arithmetic processing unit and the second arithmetic processing unit, respectively, based on at least the diagnostic result by the first diagnostic unit and the diagnostic result by the second diagnostic unit. Starting control means to
An activation control system comprising: The activation control system according to claim 1,
The first arithmetic processing unit includes:
The first calculation includes a first calculation means for calculating the actual value of the first result based on the first program and the first random number,
The second arithmetic processing unit includes:
A first second-half calculation means for reference for calculating an expected value of the first result based on the first reference data and the first random number;
The second arithmetic processing unit includes:
The second calculation comprises a second calculation means for calculating the actual value of the second result based on the second program and the second random number,
The first arithmetic processing unit includes:
An activation control system comprising: a second second-half calculation unit for reference for calculating an expected value of the second result based on the second reference data and the second random number. The activation control system according to claim 2,
The first calculation means includes
First actual first half calculation means for calculating a first intermediate calculation result corresponding to the first reference data based on the first program;
First actual second half calculation means for calculating the actual value of the first result based on the first intermediate calculation result and the first random number;
With
The second calculation means includes
Second actual first half calculation means for calculating a second intermediate calculation result corresponding to the second reference data based on the second program;
Second actual second half calculation means for calculating the actual value of the second result based on the second intermediate calculation result and the second random number;
An activation control system comprising: The activation control system according to claim 2 or 3,
A monitoring device for monitoring communication between the first processing unit and the second processing unit;
The monitoring device
Transmission of the first random number from the first arithmetic unit to the second arithmetic unit;
Transmission of the second random number from the second arithmetic unit to the first arithmetic unit;
Transmission of the actual value of the first result from the first arithmetic unit to the second arithmetic unit, or
Transmission of the expected value of the first result from the second arithmetic unit to the first arithmetic unit, and transmission of the actual value of the second result from the second arithmetic unit to the first arithmetic unit, or
Transmission of the expected value of the second result from the first arithmetic unit to the second arithmetic unit;
An activation control system for monitoring at least one of the transmissions. The activation control system according to claim 4,
The activation control unit controls activation of the first program and the second program by the first arithmetic processing unit and the second arithmetic processing unit, respectively, based on a monitoring result of the transmission by the monitoring unit. A start control system characterized by The activation control system according to any one of claims 1 to 5,
The activation control system according to claim 1, wherein the first random number is generated by a first arithmetic processing unit, and the second random number is generated by a second arithmetic processing unit. The activation control system according to any one of claims 1 to 5,
The activation control system according to claim 1, wherein the first random number is generated by a second arithmetic processing unit, and the second random number is generated by the first arithmetic processing unit. The activation control system according to any one of claims 1 to 7,
An activation control system, wherein the first diagnostic means is provided in the first arithmetic processing unit, and the second diagnostic means is provided in the second arithmetic processing unit. The activation control system according to any one of claims 1 to 7,
An activation control system, wherein the first diagnostic means is provided in the second arithmetic processing unit, and the second diagnostic means is provided in the first arithmetic processing unit.   A startup control program group for causing the first arithmetic processing unit, the second arithmetic processing unit, and the third computer to function as the startup control system according to any one of claims 1 to 9. An activation control system for controlling activation of a plurality of arithmetic processing devices,
The plurality of arithmetic processing units are first to Nth,
If i = N, then i + 1 = 1.
The i th arithmetic processing unit is
The i-th reference data and the i-th random number that are expected values of the i-th result of the i-th operation based on the i-th program executed by the i-th arithmetic processing device and can be referred to from the (i + 1) -th arithmetic processing device The i-th arithmetic processing unit executes the i-th arithmetic based on the expected value of the i-th result calculated by the (i + 1) -th arithmetic processing unit and the i-th program and the i-th random number. I-th diagnostic means for diagnosing the i-th arithmetic processing unit by comparing the obtained actual value of the i-th result;
Activation control means for controlling the activation of the i-th program by each of the i-th arithmetic processing units based at least on the i-th diagnosis result by the i-th diagnosis means;
An activation control system comprising: An electronic apparatus having a first arithmetic processing device, a second arithmetic processing device, and a management device,
The first arithmetic processing unit and the second arithmetic processing unit are valid for the first program executed by the first arithmetic processing unit and the second program executed by the second arithmetic processing unit. A means to carry out a process of confirming sex
The electronic apparatus according to claim 1, wherein the monitoring device includes means for monitoring the confirmation process. An electronic apparatus having a first arithmetic processing device, a second arithmetic processing device, and a management device,
The first arithmetic processing unit includes means for executing a process for confirming the validity of a program executed by the second arithmetic processing unit,
The electronic apparatus according to claim 1, wherein the monitoring device includes means for monitoring the confirmation process.

Images