JP2020082441A - Image formation device, control method and program of the same - Google Patents

Abstract

To provide a mechanism for automatic restoration from a falsification state when falsification of software is detected during boot-up of an information processing device.SOLUTION: An information processing device sequentially boots a plurality of modules subsequently to boot-up of a boot program while detecting falsification of the program. The information processing device detects falsification of a module to be booted next using verification information for verifying the signature of the module to be booted next out of the plurality of modules, and boots the module to be booted next when verification of the signature succeeds. The information processing device performs automatic restoration by updating the falsified module when detecting falsification of a prescribed module, and displays a corresponding error code on an operation part when detecting falsification of the module other than the prescribed module.SELECTED DRAWING: Figure 3

Description

The present invention relates to an image forming apparatus, a control method thereof, and a program.

Attacks that exploit software by tampering with software due to vulnerability of software have become a problem. As a countermeasure against such an attack, in Patent Document 1, the tamper resistance module is used to calculate and store the hash value of the program, and the hash value of the program is recalculated and verified each time the program is booted to detect tampering. Suggested ways to do it. Also, without using a tamper resistant module that requires special hardware, when the programs are started sequentially at startup, the correct answer value of the next program is held and the correct answer values match so that each program A method of detecting falsification is also considered. In any case, if program tampering is detected during startup, the device becomes unusable until the tampered state is resolved.

Further, in the case of a device such as a digital multi-function peripheral to which a maintenance contract is made by a service person, when the device falls into an unusable state, the service person must be dispatched to solve the problem and restore the device. If the service person is dispatched every time a problem occurs, the convenience of the user is impaired and the cost of dispatching the service person is also increased. Therefore, in recent years, digital multi-function peripherals have been introduced with a mechanism to perform periodic automatic updates from an external server over the network for the purpose of correcting defects that are known to the manufacturer and updating software for adding functions. ing. When the digital multi-function peripheral is automatically updated without a serviceman, it is necessary to perform recovery as reliably as possible even if there is a problem in the update process, and perform the desired update while guaranteeing the operation of the device. For example, Patent Document 2 proposes a method of performing a desired update by executing a recovery process when there is a problem in the update process itself.

JP 2008-244992 JP JP 2016-053839 JP

However, the above-mentioned conventional techniques have the following problems. The above-mentioned recovery process of the prior art is a software download process by an update process, a write process, and a recovery of the update program itself, and cannot cope with tampering recovery of each program in the device which is not assumed by the manufacturer. Therefore, if software tampering is detected on a digital multifunction device that has a current maintenance contract, an error code is only displayed, and there is no other way to recover it than the user requesting the service person to be dispatched and requesting recovery. ..

The present invention has been made in view of at least one of the above problems, and provides a mechanism for automatically recovering from a tampered state when tampering of software is detected during activation of an information processing device. To aim.

The present invention is, for example, an information processing device that sequentially activates a plurality of modules following activation of a boot program, and uses verification information for verifying a signature of a module to be activated next among the plurality of modules, Detecting means for detecting tampering with the module to be activated next, activating means for activating the module to be activated next when the signature verification by the detecting means is successful, and tampering with a predetermined module by the detecting means Then, the tampered module is updated and automatically restored, and when tampering with a module other than the predetermined module is detected by the detection means, a control means for displaying a corresponding error code on the operation unit is provided. It is characterized by being provided.

According to the present invention, when tampering with software is detected during activation of the information processing apparatus, it is possible to automatically recover from the tampered state.

The hardware block diagram of the information processing apparatus 100 which concerns on one Embodiment. The software block diagram of the information processing apparatus 100 which concerns on one Embodiment. The flowchart which shows the process of the information processing apparatus 100 which concerns on one Embodiment. The flowchart which shows the process of the information processing apparatus 100 which concerns on one Embodiment. An example of the error screen displayed when automatic recovery at the time of tampering detection is not possible according to an embodiment.

An embodiment of the present invention will be shown below. The individual embodiments described below will be helpful in understanding various concepts such as superordinate, intermediate, and subordinate concepts of the present invention. Further, the technical scope of the present invention is established by the claims, and is not limited by the following individual embodiments. A multifunction peripheral (digital multifunction peripheral/MFP/Multi Function Peripheral) will be described as an example of the information processing apparatus according to the embodiment. However, the present invention can be applied to an electrophotographic image forming apparatus such as a laser printer or a FAX without departing from the scope of the present invention.

<First Embodiment>
<Hardware configuration of information processing device>
The first embodiment of the present invention will be described below with reference to the accompanying drawings. First, the hardware configuration of the information processing apparatus 100 according to the present embodiment will be described with reference to FIG.

The information processing device 100 includes a control unit 200, an operation unit 220, a printer engine 221, and a scanner engine 222. In addition, an external power supply 240 is connected, and power is supplied to each unit. The control unit 200 includes a CPU 210, a ROM 291, a chipset 211, a RAM 212, an SRAM 213, an LED 290, and a NIC 214. Further, the control unit 200 includes an operation unit I/F 215, a printer I/F 216, a scanner I/F 217, a HDD 218, a flash ROM 219, and an embedded controller 280. The embedded controller 280 includes a CPU 281 and a RAM 282. The chipset 211 has an RTC 270. The printer engine 221 also includes a printer engine farm 231. The scanner engine 222 includes a scanner engine farm 232.

The control unit 200 centrally controls the operation of the entire information processing apparatus 100. The CPU 210 reads the control program stored in the flash ROM 219 and executes various control processes such as read control, print control, and firmware update control. The flash ROM 219 is also used as a file storage area for firmware update, a work area, and a user data area. The ROM 291 is a read-only memory and stores a BIOS (Basic Input/Output System) of the information processing apparatus 100, fixed parameters, and the like. The RAM 212 is used as a main memory of the CPU 210 and a temporary storage area such as a work area. The SRAM 213 is a non-volatile memory that stores setting values and image adjustment values necessary for the information processing apparatus 100, and the data is not erased even when the power is turned on again. The HDD 218 stores image data, user data, and the like.

The operation unit I/F 215 connects the operation unit 220 and the control unit 200. The operation unit 220 includes a liquid crystal display unit having a touch panel function, a keyboard, and the like. The printer I/F 216 connects the printer engine 221 and the control unit 200. A printer engine firmware 231 is stored in a ROM (not shown) included in the printer engine 221. Image data to be printed by the printer engine 221 is transferred from the control unit 200 to the printer engine 221 via the printer I/F 216, and is printed on the recording medium by the printer engine 221. The scanner I/F 217 connects the scanner engine 222 and the control unit 200. A scanner engine firmware 232 is stored in a ROM (not shown) included in the scanner engine 222. The scanner engine 222 reads an image on a document to generate image data, and inputs the image data to the control unit 200 via the scanner I/F 217.

The network I/F card (NIC) 214 connects the control unit 200 (information processing device 100) to the LAN 110. The NIC 214 transmits image data and information to an external device (for example, the external server 250 or PC 260) on the LAN 110, and conversely receives update firmware and various information. In some cases, the external server 250 exists on the Internet. The information processing apparatus 100 may be operated from a web browser (not shown) existing on the PC 260.

Chipset 211 represents a series of related integrated circuits. The RTC 270 is a RealTimeClock (real-time clock) and is a chip dedicated to clocking. The RTC 270 receives power from an internal battery (not shown) even if the external power supply 240 is not connected, and thus can operate during sleep. As a result, it is possible to wake up from the sleep state when a part of the power is supplied to the chipset 211. On the contrary, the RTC 270 cannot operate in the shutdown state where power is not supplied to the chipset 211 at all.

The CPU 281 executes the software program of the embedded controller 280 and controls part of the information processing apparatus 100. The RAM 282 is a random access memory and is used for storing programs and temporary data when the CPU 281 controls the information processing device 100. The LED 290 lights up when necessary, and is used for transmitting an abnormality of software or hardware to the outside.

<Software configuration of information processing device>
Next, the configuration of the software module included in the information processing apparatus 100 according to the present embodiment will be described with reference to FIG.

The communication management unit 301 controls the NIC 214 connected to the network 110 and transmits/receives data to/from the outside via the network 110. The UI control unit 302 receives an input to the operation unit 220 via the operation unit I/F 215, and performs processing and screen output according to the input.

The boot program 303 is a program executed by the CPU 281 of the embedded controller 280 when the information processing apparatus 100 is powered on. The boot program 303 executes a process related to booting, and a BIOS falsification detection processing unit 304 that detects falsification of the BIOS 305. Have. The BIOS 305 is a program executed by the CPU 210 after the boot program 303 is executed, and has a loader tampering detection processing unit 306 that executes tampering detection of the loader 307 in addition to executing processing related to startup. The loader 307 is a program that is executed by the CPU 210 after the processing of the BIOS 305 is completed, and has a kernel tampering detection processing unit 308 that performs tampering detection of the kernel in addition to executing processing related to startup.

Reference numerals 309 and 310 denote partitions formed in the flash ROM 219. Reference numeral 309 is an std partition (first partition) that includes the std farm 311 that is a normal startup firmware, and 310 is a safe partition (second partition) that includes the safe firmware 312 that is an update startup firmware. The std firmware 311 includes a kernel 313 and a normal boot program (first program module) 315. The kernel 313 is a program that is executed by the CPU 210 after the processing of the loader 307 is completed, and has a program tampering detection processing unit 314 that performs tampering detection of the normal startup program 315 in addition to executing processing related to startup.

The normal activation program 315 is a program (first program) executed by the CPU 210, and includes a plurality of programs that provide each function in the information processing apparatus 100. For example, it is a program for controlling the scanner I/F 217 or the printer I/F 216, a startup program, or the like. The boot program is called from the normal boot program by the kernel 313 to execute the boot process. The normal boot program 315 includes a safe firmware update program 316. The safe firmware update program 316 has a function of updating the safe firmware 312.

The safe firmware 312 includes a kernel B 317 and a std firmware update program (second program module) 319. The kernel B317 is a program executed by the CPU 210 after the processing of the loader 307 is completed, and has a program tampering detection processing unit B318 that executes tampering detection of the std firmware update program 319 in addition to executing processing related to startup. The std firmware update program 319 has a function of updating the std firmware 311, the printer engine firmware 231 and the scanner engine firmware 232 described in FIG. The update is performed when the tampering with the program of the predetermined module is detected. Therefore, when tampering with a program other than a predetermined module is detected, an error code provided to a service person is displayed on the operation unit, and an update for automatic recovery is not performed, as described later. The same applies when the information processing apparatus 100 is connected to a configuration other than the scanner engine or the printer engine, such as a finisher (not shown).

The information processing apparatus 100 implements the update by switching the startup mode. The startup mode indicates the startup in the std farm 311 (normal mode) and the startup in the safe farm 312 (update mode). Each of them also has a function of switching the startup mode, and the loader 307 activates the std firmware 311 and the safe firmware 312 according to the information on the startup mode stored in the SRAM 213.

<Automatic recovery processing>
Next, with reference to FIG. 3, an automatic restoration process at the time of tampering detection of the information processing apparatus 100 according to the present embodiment will be described. In the tampering detection method according to the present embodiment, the boot program 303, the BIOS 305, the loader 307, and the kernel 313 in the std firmware 311 and the normal start-up program 315 in the case of normal start-up are activated while detecting alteration. Further, in the case of activation for update, after the loader 307, the kernel B 317 in the safe firmware 312 and the std firmware update program 319 are activated while detecting falsification. The boot program 303 includes a public key (verification information) for verifying a BIOS signature, and the BIOS 305 includes a BIOS signature (its own signature) and a public key for verifying a loader. It is assumed that the loader 307 includes the loader signature, the kernel verification public key, and the kernel B verification public key. Further, it is assumed that the kernel 313 includes the kernel signature and the public key for verifying the normal startup program, and the normal startup program 315 includes the normal startup program signature. Furthermore, it is assumed that the kernel B 317 includes the kernel B signature and the std firmware update program verification public key, and the std firmware update program 319 includes the std firmware update signature. It is assumed that these public key and signature are given to the program in advance before the information processing apparatus 100 is shipped. The verification units 304, 306, 308, 314, and 318 verify each program, and if there is no problem, the next program is started to start the information processing apparatus 100 that detects tampering. In the following description, the boot program 303 and the BIOS 305 are stored in the ROM 291, and the loader 307, the std firmware 311, and the safe firmware 312 are stored in the flash ROM 219.

When the information processing apparatus 100 is powered on, the boot program 303 is read from the ROM 291 into the RAM 212 and executed by the CPU 210. The BIOS tampering detection processing unit 304 included in the boot program 303 reads the BIOS 305, the loader verification public key, and the BIOS signature from the flash ROM 219 into the RAM 212. In step S401, the BIOS tampering detection processing unit 304 verifies the BIOS signature using the BIOS verification public key and determines whether the BIOS signature has been successful. When the verification of the signature fails, the BIOS tampering detection processing unit 304 turns on the LED 290 in S403, and ends the process. On the other hand, if the verification of the signature is successful, the BIOS tampering detection processing unit 304 energizes the CPU 210 and ends the boot program processing. When the CPU 210 is energized, in step S402, the BIOS 305 and the loader verification public key are read from the ROM 291 into the RAM 212, and the BIOS 305 is activated. It is assumed that all the subsequent processes are processed by the CPU 210.

When the BIOS 305 is activated, various initialization processes are executed, and the loader tampering detection processing unit 306 included in the BIOS 305 reads the loader 307, the kernel verification public key, and the loader signature from the flash ROM 219 into the RAM 212. After that, in step S404, the loader tampering detection processing unit 306 verifies the loader signature using the loader verification public key, and determines whether the loader signature has succeeded. If the verification of the signature fails, the process proceeds to step S410, the loader tampering detection processing unit 306 displays the error code indicated by 500 in FIG. 5 on the operation unit 220, interrupts the automatic recovery process, and ends the process.

On the other hand, if the verification of the signature is successful, the loader tampering detection processing unit 306 finishes the process, and the BIOS 305 activates the loader 307 read in the RAM 212. After that, in step S405, when the loader 307 is activated, various initialization processes are executed, and the SRAM 213 is referenced to check flags such as the activation mode. Since an example of normal startup is described here, it is assumed here that the SRAM 213 has a flag for selecting the startup mode for starting the std firmware 311 and the loader 307 includes the std firmware 311 included in the std partition 309. Start to boot. The kernel tampering detection processing unit 308 included in the loader 307 reads the kernel 313 of the std firmware 311, the normal activation program verification public key, and the kernel signature from the flash ROM 219 into the RAM 212.

Next, in step S406, the kernel tampering detection processing unit 308 verifies the kernel signature using the kernel verification public key, and determines whether or not the kernel signature was successful. A case where the signature verification fails will be described later. On the other hand, if the verification of the signature is successful, the kernel tampering detection processing unit 308 terminates the process, and in step S407, the loader 307 activates the kernel 313 loaded in the RAM 212.

When the kernel 313 is activated, various initialization processes are executed. Further, the program tampering detection processing unit 314 included in the kernel 313 reads the normal startup program 315 and the normal startup program signature from the flash ROM 219 into the RAM 212. After that, in step S408, the program tampering detection processing unit 314 verifies the normal activation program signature using the public activation program verification public key, and determines whether or not the signature has been successful. If the verification of the signature fails, it will be described later. On the other hand, if the verification of the signature is successful, the program tampering detection processing unit 314 terminates the process and activates the normal activation program 315 in S409.

When the signature verification of the kernel 313 of the std firmware 311 or the normal boot program 315 is failed in S406 or S408 and tampering is detected, the CPU 210 sets the automatic recovery flag in the SRAM 213 and reboots in S411. At the time of this reboot, the BIOS verification and activation in S401, S402, and S403 and the loader verification in S404 are performed in the same manner, but they are omitted in the flowchart of FIG.

Subsequently, in step S412, when the loader 307 is activated, it executes various initialization processes and refers to the SRAM 213 to check flags such as the activation mode. As a result, the loader 307 determines that the safe firmware 312 is activated in the automatic recovery mode. In this case, the kernel tampering detection processing unit 308 included in the loader 307 reads the kernel B 317 of the safe firmware 312, the std firmware update program verification public key, and the kernel B signature from the flash ROM 219 into the RAM 212. Thereafter, in step S413, the kernel tampering detection processing unit 308 verifies the kernel B signature using the kernel B verification public key, and determines whether or not the kernel B signature was successful. If the verification of the signature fails, the process advances to step S410, the kernel tampering detection processing unit 308 displays the error code 500 in FIG. 5 on the operation unit 220, interrupts the automatic recovery process, and ends the process. On the other hand, if the verification of the signature is successful, in step S414, the kernel tampering detection processing unit 308 activates the kernel B317 that is loaded into the RAM 212 by the loader 307 in step S414.

When booted, the kernel B317 executes various initialization processes. After that, the program tampering detection processing unit B318 included in the kernel B317 reads the std firmware update program 319 and the std firmware update program signature from the flash ROM 219 into the RAM 212. Subsequently, in step S415, the program tampering detection processing unit B318 verifies the std firmware update program signature using the std firmware update program verification public key, and determines whether the std firmware update program signature has been successful. If the verification of the signature fails, the process proceeds to step S410, the program tampering detection processing unit B318 displays the error code indicated by 500 on the operation unit 220, interrupts the automatic recovery process, and ends the process. On the other hand, if the verification of the signature is successful, the program tampering detection processing unit B318 ends the processing and starts the std firmware update program 319 in S416.

When the std firmware update program 319 is started, it refers to the automatic recovery flag of the SRAM 213. As a result, the std firmware update program 319 determines that the std firmware 311 is in the automatic recovery mode by the alteration detection. In S417, the std firmware update program 319 confirms whether the external server 250 is valid. The external server 250 being valid here means a state in which the information processing apparatus 100 can communicate with the external server 250 on the LAN 110 or the Internet, and the firmware can be downloaded from the external server 250 and updated. .. If the external server 250 is not valid, the process advances to step S418, and the std firmware update program 319 displays the error code 510 shown in FIG. 5 indicating that recovery is possible by updating the firmware, and interrupts the automatic recovery process. The process ends. In this way, when the external server 250 is not valid and there is a possibility of recovery from a tampered state due to an update, but automatic recovery is not possible, the information requested by the user to be dispatched by the serviceman is used as information for determining the recovery method. The error code 510 is displayed.

On the other hand, if the external server 250 is valid, the process advances to step S419, and the std firmware update program 319 downloads from the external server 250 a firmware of the same version as the std firmware 311 in which the current tampering is detected. Subsequently, in S420, the std firmware update program 319 determines whether or not an error has occurred during downloading of the firmware from the external server 250. If an error occurs, the process proceeds to S410, the std firmware update program 319 displays an error code of 500 on the operation unit 220, interrupts the automatic recovery process, and ends the process.

On the other hand, if the download of the firmware is completed successfully, the process proceeds to S421, and the std firmware update program 319 updates the falsified std firmware 311 to the same version of the firmware downloaded from the external server 250. Subsequently, in step S422, the std firmware update program 319 determines whether an error has occurred during the update. When an error occurs, the process proceeds to S410, the std firmware update program 319 displays an error code of 500 on the operation unit 220, interrupts the automatic recovery process, and ends the process. On the other hand, if the update of the std firmware 311 is successful, the processing proceeds to step S423, and the std firmware update program 319 reboots the device and performs normal activation.

As described above, the information processing apparatus according to the present embodiment sequentially activates a plurality of modules, following the activation of the boot program, while detecting the alteration of the program. In addition, the information processing apparatus uses the verification information for verifying the signature of the module to be activated next among the plurality of modules, detects tampering with the module to be activated next, and if the signature verification succeeds, Start the module that will be started. On the other hand, when the tampering of the predetermined module is detected, the information processing apparatus updates the tampered module and automatically restores the tampered module. When the tampering of the module other than the predetermined module is detected, the corresponding error code is detected. Is displayed on the operation unit. More specifically, in the information processing apparatus, when the kernel 313 in the std farm 311 or the normal boot program 315 (predetermined module) is tampered with at the time of booting in the normal mode, the boot in the update mode is performed. Switch. In the update mode, the std firmware of the same version is acquired from the external server 250 and updated to automatically recover from the tampered state. As described above, according to the present embodiment, it is possible to provide a mechanism for automatically recovering from the tampered state when the tampering of the software is detected during the activation of the information processing apparatus. That is, according to the present embodiment, in falsification capable of automatic restoration, automatic restoration can be performed without performing restoration processing by a service person, and user convenience can be further improved.

Further, the present invention is not limited to the above-described embodiment, and various modifications can be made. For example, in the above embodiment, the case where the information processing apparatus 100 starts normal activation and detects tampering is taken as an example, but in the present invention, even if tampering is detected by starting activation for update, tampering is similarly performed. Automatic recovery from the state is possible. In this case, when the kernel B 317 and the std firmware update program 319 in the safe firmware 312 are tampered with at the time of activation in the update mode, the activation is switched to the normal mode. Further, the safe firmware 312 can be recovered from the tampered state by updating the safe firmware 312 by a similar method using the safe firmware update program 316 which is a part of the normal startup program 315 in the std firmware 311. In this way, by providing a mechanism for performing automatic recovery when the information processing device 100 is tampered with, it is possible to improve the convenience of the user and suppress the dispatch cost of the service person.

<Second Embodiment>
Below, the 2nd Embodiment of this invention is described. The above-described first embodiment is a method in which the programs sequentially started after the power is turned on are started while verifying the signature of the next program to be started. In this case, each program needs to hold a public key, a program for verification processing, and the like. Therefore, when the same signature algorithm and public key are used, the program storage area is additionally used, which is wasteful. As a method of improving this point, when the same signature algorithm and public key are used, it is conceivable to collectively perform the signature verification processing of the subsequent program to the extent possible. In the present embodiment, an example will be described in which the BIOS 305 collectively executes the signature verification processing of the loader 307, the kernel 313 in the std firmware 311, and the kernel B317 in the safe firmware 312. In the example of FIG. 2, the part corresponding to the loader alteration detection processing unit 306 in the BIOS 305 is the signature of the loader 307, the kernel 313 in the std farm 311, and the kernel B 317 in the safe farm 312 due to the common use of the signature algorithm and the public key. Perform verification. This eliminates the need for the loader 307 to hold the kernel tampering detection processing unit 308, the kernel verification public key, and the kernel B verification public key.

<Automatic recovery processing>
With reference to FIG. 4, an automatic restoration process at the time of tampering detection of the information processing apparatus 100 according to the present embodiment will be described. Here, parts different from the flowchart of FIG. 3 described in the first embodiment will be mainly described. That is, steps S501 to S503 are the same as steps S401 to S403 in FIG.

When the BIOS 305 is activated in S502, the BIOS 305 executes various initialization processes. Further, the loader tampering detection processing unit 306 of the BIOS 305 reads the loader 307, the loader, the kernel, the verification public key common to the kernel B, the loader signature, the kernel signature, and the kernel B signature from the flash ROM 219 to the RAM 212. After that, in step S504, the loader tampering detection processing unit 306 collectively verifies the signatures of the loader, the kernel, and the kernel B by using the verification public key common to the loader, the kernel, and the kernel B. To judge.

In step S505, the loader tampering detection processing unit 306 determines whether there is a tampered program. When all the signatures of the loader 307, the kernel 313, and the kernel B 317 have been successfully verified, the loader tampering detection processing unit 306 finishes the process, and the BIOS 305 activates the loader 307 read in the RAM 212. In this case, the normal startup is performed, and the loader 307 starts the activation of the std firmware 311 included in the std partition 309. Steps S506 to S509 are the same as steps S405 to 409 of FIG. 3, respectively, and therefore description thereof will be omitted.

On the other hand, if the verification of the signature of any one of the loader 307, the kernel 313, and the kernel B 317 fails in S505, the process proceeds to S510, and the loader tampering detection processing unit 306 determines whether the automatic recovery by updating is possible. In the present embodiment, among the loader 307, the kernel 313 in the std farm 311, and the kernel B317 in the safe farm 312, the std farm 311 is automatically updated except for the case where the kernel 313 has been tampered with to recover from the tampered state. I can't. If it is determined that the automatic restoration cannot be performed, the process proceeds to S511, and the loader tampering detection processing unit 306 causes the operation unit 220 to display the error code 500 shown in FIG. 5 as in S410 of FIG. 3 described in the first embodiment. Is displayed and the process ends.

If only the kernel 313 in the std firmware 311 has been tampered with, the loader tampering detection processing unit 306 determines that automatic restoration is possible, proceeds to S512, and sets an automatic restoration flag in the SRAM 213 as in S411 of FIG. Reboot. At the time of this reboot, the BIOS verification and boot in S501 to S504 and the verification of the loader, kernel, and kernel B are performed in the same manner, but a detailed description thereof will be omitted. Note that the automatic restoration process at the time of tampering detection at the time of starting the update in S513 to S523 is the same as S412 and S414 to S423 in FIG.

As described above, according to the present embodiment, even with the tampering detection method that collectively performs the signature verification process of the subsequent program to the extent possible using the same signature algorithm and public key, automatic recovery at the time of tampering detection is possible. Is. Similar to the first embodiment, the automatic recovery from the tampered state is possible even when tampering is detected by starting the update boot.

<Other embodiments>
The present invention supplies a program that implements one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in a computer of the system or apparatus read and execute the program. It can also be realized by the processing. It can also be realized by a circuit (for example, ASIC) that realizes one or more functions.

210: CPU, 211: Chip set, 212: RAM, 213: SRAM, 214: NIC, 218: HDD, 219: Flash ROM, 220: Operation unit, 221: Printer engine, 222: Scanner engine, 240: Power supply, 250 : External server, 260: PC, 270: RTC, 280: embedded controller, 290: LED, 291: ROM

Claims (11)

An information processing device that sequentially starts a plurality of modules after starting a boot program,
Of the plurality of modules, detection means for detecting tampering with the next module to be activated using verification information for verifying the signature of the next module to be activated,
When the verification of the signature by the detection means is successful, an activation means for activating the module to be activated next,
When tampering of a predetermined module is detected by the detection unit, the tampered module is updated and automatic recovery is performed, and when tampering of a module other than the predetermined module is detected by the detection unit, a corresponding error is detected. An information processing apparatus comprising: a control unit that displays a code on an operation unit. An update that uses a first partition that stores a first program that activates the predetermined module in a normal mode and a second program that is different from the first program when tampering with the predetermined module is detected Further comprising a storage unit having a second partition storing the second program activated in the mode,
The information processing apparatus according to claim 1, wherein the control unit switches from activation in the normal mode to activation in the update mode when performing the automatic recovery. The information processing apparatus according to claim 2, wherein the control unit updates the first program with a new program in the update mode. The information processing apparatus according to claim 3, wherein the control unit acquires the new program from an external server and updates the first program. 5. The control means, if an error occurs when acquiring the new program from the external server, interrupts the automatic recovery and displays a corresponding error code on the operation unit. The information processing device described. 5. The control means, when an error occurs during updating of the first program in the update mode, interrupts automatic recovery and displays a corresponding error code on the operation unit. 5. The information processing device according to item 5. The plurality of modules include at least a BIOS (Basic Input/Output System), a loader, a first kernel, a second kernel, a first program module used in a normal mode, and a second program module used in an update mode,
7. The information processing according to claim 2, wherein each module includes the detection unit and the activation unit, and the verification information and its own signature are stored in advance. apparatus. The plurality of modules include at least a BIOS (Basic Input/Output System), a loader, a first kernel, a second kernel, a first program module used in a normal mode, and a second program module used in an update mode,
Each module includes the activation means, and stores its own signature in advance,
The BIOS further includes the detection means for detecting falsification of the loader, the first kernel, and the second kernel, and the verification information of the loader, the first kernel, and the second kernel is previously stored. Stored,
The first kernel further includes the detection means for detecting tampering of the first program module, and the verification information of the first program is stored in advance.
8. The second kernel further includes the detection unit for detecting tampering of the second program module, and the verification information of the second program is stored in advance. The information processing apparatus according to any one of 1. The information processing apparatus according to claim 7, wherein the predetermined module is the first kernel and the first program module. A method for controlling an information processing apparatus, which sequentially starts a plurality of modules after starting a boot program,
A detection step in which the detection means detects tampering with the module to be activated next time using the verification information for verifying the signature of the module to be activated next among the plurality of modules;
An activation step in which the activation means activates the module to be activated next when the signature verification in the detection step is successful;
When tampering of a predetermined module is detected in the detection step, the control means updates the tampered module and performs automatic restoration, and when tampering with a module other than the predetermined module is detected in the detection step. And a control step of displaying a corresponding error code on the operation unit. A program for causing a computer to execute each step in a control method of an information processing device, which sequentially starts a plurality of modules following activation of a boot program, the control method comprising:
A detection step in which the detection means detects tampering with the module to be activated next time using the verification information for verifying the signature of the module to be activated next among the plurality of modules;
An activation step in which the activation means activates the module to be activated next when the signature verification in the detection step is successful;
When tampering of a predetermined module is detected in the detection step, the control means updates the tampered module and performs automatic restoration, and when tampering with a module other than the predetermined module is detected in the detection step. And a control step of displaying a corresponding error code on the operation unit.

Images