JP2022182838A - Information processing device and control method thereof - Google Patents

Abstract

To provide an information processing device that is configured so that attacks to a plurality of CPUs performing control of parts of a device are prevented to reduce a verification time for verifying presence or absence of tampering of firmware of the plurality of CPUs and reduce a startup time of the device; and a control method thereof.SOLUTION: An information processing device includes a secure microcontroller, a secure microcontroller ROM, a plurality of CPUs, and a plurality of nonvolatile memories. The secure microcontroller ROM stores firmware of the plurality of CPUs. The secure microcontroller verifies presence or absence of the firmware stored in the plurality of nonvolatile memories at startup; and cancels a reset of one of the CPUs that executes firmware for which it is determined that there is no tampering. On the other hand, the secure microcontroller ROM rewrites firmware for which it is determined by verification that there is tampering with corresponding firmware stored in the secure microcontroller ROM; and after that, cancels a reset of one of the CPUs that executes the rewritten firmware.SELECTED DRAWING: Figure 5

Description

The present invention relates to an information processing apparatus and its control method.

In recent years, an image forming apparatus has a network interface and provides a file server function and an e-mail transmission/reception function. When the image forming apparatus is connected to the network in this way, it is conceivable that the apparatus may be used illegally by unauthorized hacking, similar to PCs and servers. In addition, in recent years, on the premise that it is impossible to eliminate all risks from cyber-attacks, which continue to diversify, we call cyber resilience, which restores the state before the attack by the device itself even if it is attacked. Ideas are getting more attention.

Japanese Patent Application Laid-Open No. 2002-200002 describes a technique for detecting tampering with software at startup in order to prevent unauthorized use of an image forming apparatus by unauthorized hacking. Here, in order to detect tampering, a software hash value is calculated, compared with a master hash value, and whether or not there is tampering is determined based on the comparison result. In Patent Literature 1, when tampering with software is detected, the tampered software and other software that uses the software are disabled.

Further, Patent Literature 2 describes operating the device using a pre-installed program for recovery when tampering with the program is detected.

JP 2009-301429 A JP 2015-69403 A

As in Patent Document 2, if the data in the memory that is normally used is tampered with, if the device is started according to the data in the recovery ROM, it will start up, but after that, the recovery ROM will be compromised by a cyber attack or the like. If the data is tampered with, it cannot be recovered. Also, even if a secure microcomputer is installed to restore data in the memory, if the secure microcomputer is controlled by the CPU due to a cyber attack, the data cannot be restored.

In addition, when multiple CPUs are used, including CPUs that control each part of the device, such as a printer CPU and a scanner CPU, the verification time becomes longer to verify whether or not the firmware of the multiple CPUs has been tampered with. There is a problem that the startup time becomes long.

SUMMARY OF THE INVENTION An object of the present invention is to solve at least one of the problems of the prior art described above.

An object of the present invention is to provide a configuration that prevents attacks against multiple CPUs that control each part of the device, reduce the verification time for verifying whether or not the firmware of the multiple CPUs has been tampered with, and shorten the startup time of the device. be.

In order to achieve the above object, an information processing apparatus according to one aspect of the present invention has the following configuration. Namely
An information processing apparatus having a plurality of CPUs and a plurality of storage means for storing firmware of each of the plurality of CPUs,
a first storage means for storing firmware of the plurality of CPUs;
A first CPU that can access the first storage means among the plurality of CPUs,
The first CPU verifies whether or not the firmware stored in the second storage means for storing the firmware of the CPUs other than the first CPU has been tampered with at the time of startup,
releasing the reset of the CPU that executes the firmware determined to be free of tampering by the verification;
After rewriting the firmware determined to be falsified by the verification with the corresponding firmware stored in the first storage means, the reset of the CPU executing the rewritten firmware is released.

According to the present invention, it is possible to reduce the verification time for verifying whether or not the firmware of a plurality of CPUs has been tampered with, thereby shortening the startup time of the device.

Other features and advantages of the invention will become apparent from the following description with reference to the accompanying drawings. In the accompanying drawings, the same or similar configurations are given the same reference numerals.

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention.
1 is a block diagram for explaining the configuration of an information processing system according to Embodiment 1 of the present invention; FIG. 1 is an external view of an image forming apparatus according to Embodiment 1; FIG. 2 is a block diagram for explaining the configuration of a controller of the image forming apparatus according to the first embodiment; FIG. FIG. 4 is an image diagram showing firmware memory-mapped in the ROMs and non-volatile memories 303, 332, and 342 for the secure microcomputer of the first embodiment; 4 is a diagram for explaining a bus configuration for connecting a CPU, a scanner CPU, a printer CPU, a secure microcomputer, a ROM, and each nonvolatile memory according to the first embodiment; FIG. 4 is a flowchart for explaining the operation of the secure microcomputer according to the first embodiment; 4 is a flowchart for explaining the operation of the CPU of the image forming apparatus according to the first embodiment; FIG. 11 is a diagram for explaining a bus configuration for connecting a CPU, a LAN controller, a printer CPU, a secure microcomputer, a ROM, and each nonvolatile memory according to the second embodiment; 8 is a flowchart for explaining the operation of a secure microcomputer according to the second embodiment; 8 is a flowchart for explaining the operation of the CPU 301 of the image forming apparatus according to the second embodiment; FIG. 10 is a diagram for explaining the effect of reducing the startup time of the image forming apparatus according to the embodiment;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. It should be noted that the following embodiments do not limit the invention according to the scope of claims. Although multiple features are described in the embodiments, not all of these multiple features are essential to the invention, and multiple features may be combined arbitrarily. Furthermore, in the accompanying drawings, the same or similar configurations are denoted by the same reference numerals, and redundant description is omitted.

[Embodiment 1]
FIG. 1 is a block diagram illustrating the configuration of an information processing system according to Embodiment 1 of the present invention. In this system, host computers 40, 50 and image forming apparatuses 10, 20, 30 are connected to LAN 60, but the number of these connections is not limited in the system according to the present invention. Also, in the embodiments, LAN is applied as a connection method, but the present invention is not limited to this. For example, any network such as WAN (public network) is also applicable.

Host computers (hereinafter referred to as PCs) 40 and 50 have general personal computer functions, and in this system, these PCs 40 and 50 realize similar functions, so the PC 40 will be described here as an example. . The PC 40 can send and receive files and e-mails using FTP and SMB protocols via the LAN 60 and WAN. Also, a print command can be issued from the PC 40 to the image forming apparatuses 10, 20, 30 via the printer driver. Furthermore, the PC 40 can periodically inquire of the image forming apparatuses 10, 20, and 30 about the status of the apparatuses, and can determine whether the image forming apparatuses 10, 20, and 30 are capable of printing in response to a request from the PC 40. You can reply with information such as

The image forming apparatuses 10 and 20 are apparatuses having the same configuration. On the other hand, the image forming apparatus 30 is an image forming apparatus having only a print function and does not have the scanner 13 that the image forming apparatuses 10 and 20 have. To simplify the explanation, the image forming apparatus 10 out of the image forming apparatuses 10 and 20 will be focused on and the configuration thereof will be explained in detail.

The image forming apparatus 10 includes a scanner 13 that is an image input device, a printer 14 that is an image output device, a controller 11 that controls the operation of the entire image forming apparatus 10, and an operation unit 12 that provides a user interface (UI). there is

FIG. 2 is an external view of the image forming apparatus 10 according to the first embodiment. Scanner 13 has a plurality of CCDs. If the sensitivities of the respective CCDs are different, even if the densities of the pixels on the document are the same, the pixels are recognized as having different densities. Therefore, the scanner 13 first exposes and scans a reference white plate (uniformly white plate), converts the amount of reflected light obtained by exposure and scanning into an electric signal, and outputs the electric signal to the controller 11 . Next, a configuration for scanning the image on the document will be described.

The scanner 13 converts image information into electrical signals by inputting reflected light obtained by exposing and scanning an image on a document to a CCD. Further, the electrical signal is converted into a luminance signal of each color of R, G, and B, and the luminance signal is output to the controller 11 as image data. Documents are set on the tray 202 of the document feeder 201 . When the user gives an instruction to start reading the document from the operation unit 12 , the controller 11 gives the scanner 13 an instruction to read the document. Upon receiving this instruction, the scanner 13 feeds the documents one by one from the tray 202 of the document feeder 201 to read the documents. The document reading method may be a method of scanning the document by placing the document on a glass surface (not shown) and moving the exposure unit instead of the automatic feeding method by the document feeder 201 .

The printer 14 is an image forming device that forms an image on paper based on image data received from the controller 11 . In the first embodiment, the image forming method of the printer 14 is an electrophotographic method using a photosensitive drum or a photosensitive belt, but the present invention is not limited to this. For example, an inkjet method or the like that prints an image on paper by ejecting ink from a minute nozzle array can also be applied. The printer 14 is also provided with a plurality of paper cassettes 203, 204, 205 that allow selection of different paper sizes or different paper orientations. Printed paper is discharged to the paper discharge tray 206 .

FIG. 3 is a block diagram illustrating in more detail the configuration of the controller 11 of the image forming apparatus 10 according to the first embodiment.

The controller 11 is electrically connected to the scanner 13 and the printer 14, and is connected to the PCs 40 and 50, external devices and the like via the LAN 60 and the like. This enables input/output of image data and device information. A non-volatile memory 303 for the CPU is a non-volatile memory for the CPU 301 that stores firmware, control programs, and the like executed by the CPU 301 . The CPU 301 comprehensively controls access to various connected devices based on firmware, control programs, and the like stored in the nonvolatile memory 303 , and also comprehensively controls various processes performed by the controller 11 . A RAM 302 is a system work memory for the operation of the CPU 301 and a memory for temporarily storing image data. This RAM 302 is a RAM for the CPU 301, which is composed of SRAM and DRAM, for example. The non-volatile memory 303 also stores firmware and control programs for activating the CPU 301 . The non-volatile memory 303 is configured to be accessible from both the CPU 301 and the secure microcomputer 321 . A connection bus configuration for accessing the nonvolatile memory 303 from both the CPU 301 and the secure microcomputer 321 will be described later.

The HDD 304 is a hard disk drive and can store system software, image data, and the like. An operation unit I/F 305 is an interface for connecting the system bus 307 and the operation unit 12 . The operation unit I/F 305 receives image data to be displayed on the operation unit 12 from the system bus 307 and outputs the image data to the operation unit 12 , and outputs information input from the operation unit 12 to the system bus 307 . The LAN controller 306 controls communication between the image forming apparatus 10 and the network by connecting to the LAN 60 and the system bus 307 and inputting/outputting information. A LAN controller nonvolatile memory 315 is connected to the LAN controller 306 , and the LAN controller 306 operates according to a program stored in this nonvolatile memory 315 . Firmware and control programs for starting the LAN controller 306 are stored in the nonvolatile memory 315 . In the first embodiment, the non-volatile memory 315 is connected only to the LAN controller 306 and is not connected to the secure microcomputer 321 and cannot be accessed from the secure microcomputer 321 .

An image bus 308 is a transmission line for exchanging image data, and is configured by a PCI bus or IEEE1394. An image processing unit 309 executes image processing. An image processing unit 309 can read image data stored in the RAM 302 and perform image processing such as enlargement or reduction such as JPEG or JBIG, and color adjustment. The image-processed data is stored in the RAM 302 or HDD 304 .

A scanner image processing unit 310 corrects, processes, and edits image data received from the scanner 13 via the scanner I/F 311 . The scanner image processing unit 310 determines whether the received image data is color original image data or monochrome original image data, or whether it is character original image data or photographic original image data. Then, the determination result is attached to the image data. This accompanying information is called attribute data. The printer image processing unit 312 applies image processing to the image data while referring to attribute data attached to the image data. Image data after image processing is output to the printer 14 via the printer I/F 313 .

The power control unit 314 controls power supply control at startup and power-off, and changes in the power state of the image forming apparatus 10 such as shifting to and returning from the power saving state. The power control unit 314 is also a part that detects return factors (for example, fax reception, switch presses, etc.) when returning from the power saving state, and also performs power control when transitioning to the standby state according to each return factor. .

The secure microcomputer 321 is a hardware device that serves as a base point for trusted boot. Trusted boot refers to the ability to verify software that runs with a digital signature to ensure security when the computer boots. The secure microcomputer 321 has a key fuse inside the device, and uses the key to verify the validity of the firmware for the secure microcomputer in the ROM (read only memory) 322 for the secure microcomputer before starting. do. The secure microcomputer 321 also verifies whether or not the programs stored in the nonvolatile memory 303, the nonvolatile memory 332 for the scanner CPU, and the nonvolatile memory 342 for the printer CPU have been tampered with. Then, only when it is determined that there is no problem by these verifications, resetting of the CPU 301, the scanner CPU 331, and the printer CPU 341 that operate using each nonvolatile memory is released. Furthermore, when the secure microcomputer 321 determines that the program stored in each nonvolatile memory described above has been tampered with, it reads the program stored in the ROM 322 for the secure microcomputer described later, and rewrite the data. In the first embodiment, the secure microcomputer 321 is not connected to the CPU 301 so that the secure microcomputer 321 cannot be accessed from the CPU 301 in order to prevent the secure microcomputer 321 from being subjected to a cyber attack.

Firmware for starting the secure microcomputer 321 is stored in the ROM 322 for the secure microcomputer. The ROM 322 also stores firmware for activating the CPU 301, firmware operating in the scanner CPU 331, and firmware for recovery used to restore the firmware if the firmware operating in the printer CPU 341 is tampered with. . FIG. 4 shows an image in which each firmware is memory-mapped in the ROM 322 . This ROM 322 is configured to be accessible only from the secure microcomputer 321 .

The scanner CPU 331 controls the operation of the scanner 13 and communicates with the scanner image processing unit 310 by executing a control program stored in the non-volatile memory 332 for the scanner. The nonvolatile memory 332 stores a program that operates on the scanner CPU 331 and is configured to be accessible by both the scanner CPU 331 and the secure microcomputer 322 . The configuration of the connection bus for accessing from both the scanner CPU 331 and the secure microcomputer 322 will be described later. A scanner RAM 333 is used as a system work memory when the scanner CPU 331 executes a program. The RAM 333 also stores image data representing images read by a CCD or CIS (not shown) in the scanner 13 .

The printer CPU 341 controls the operation of the printer 14 and communicates with the printer image processing unit 312 by executing a control program stored in a printer non-volatile memory 342 . The non-volatile memory 342 stores a program that operates on the printer CPU 341 and is configured to be accessible from both the printer CPU 341 and the secure microcomputer 322 . A connection bus configuration for accessing from both the printer CPU 341 and the secure microcomputer 322 will be described later. A printer RAM 343 is used as a system work memory when the printer CPU 341 executes a program.

FIG. 4 is an image diagram showing firmware mapped in the ROM 322 and the nonvolatile memories 303, 332, and 342 for the secure microcomputer described above.

FIG. 4A is a diagram showing a memory map of the ROM 322 for the secure microcomputer. The ROM 322 stores firmware 401 for the secure microcomputer 321 , firmware 402 for the CPU 301 , firmware 403 for the scanner CPU 331 , and firmware 404 for the printer CPU 341 . Note that the firmware 402 for the CPU 301, the firmware 403 for the scanner CPU 331, and the firmware 404 for the printer CPU 341 are firmware for use during recovery.

FIG. 4B is a diagram showing a memory map of the nonvolatile memory 303 for the CPU 301. As shown in FIG. Firmware 411 for the CPU 301 is stored in the nonvolatile memory 303 .

FIG. 4C is a diagram showing a memory map of the nonvolatile memory 332 for the scanner CPU 311. As shown in FIG. Firmware 421 for the scanner CPU 331 is stored in the nonvolatile memory 332 .

FIG. 4D shows a memory map of the non-volatile memory 342 for the printer CPU 341. As shown in FIG. Firmware 431 for the printer CPU 341 is stored in the nonvolatile memory 342 .

FIG. 5 is a diagram illustrating a bus configuration for connecting the CPU 301, scanner CPU 321, printer CPU 341, secure microcomputer 321, ROM 322, and non-volatile memories according to the first embodiment. Although the SPI bus will be described as an example here, the present invention is not limited to the SPI bus.

A bus 501 is an SPI bus for connecting the secure microcomputer 321 and the ROM 322 . A bus 501 has a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO), and is used to read firmware for operating the secure microcomputer 321 . As shown in FIG. 4, the ROM 322 stores firmware for recovering to an unaltered state when the firmware operating on each CPU is tampered with. Therefore, when the secure microcomputer 321 detects that the firmware stored in the non-volatile memory corresponding to each CPU has been tampered with, it reads recovery firmware from the ROM 322 via the bus 501 .

A bus 502 is an SPI bus for connecting the secure microcomputer 321 and the nonvolatile memory 303 and connecting the CPU 301 and the nonvolatile memory 303 . Bus 502 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware for the CPU 301 stored in the nonvolatile memory 303 via the bus 501 in order to verify that it has not been tampered with. Bus 502 is also used by CPU 301 to read firmware stored in non-volatile memory 303 . The CPU 301 reads the firmware stored in the non-volatile memory 303 in order to perform boot processing. The bus 502 is configured so that both the secure microcomputer 321 and the CPU 301 can access the nonvolatile memory 303, but actual accesses do not occur simultaneously. That is, when the secure microcomputer 321 accesses the nonvolatile memory 303, the CPU 301 does not access the nonvolatile memory 303 in the reset state. After the reset of the CPU 301 is released, the secure microcomputer 321 is prevented from accessing the nonvolatile memory 303 . Furthermore, since the bus 502 has a configuration in which each signal is branched, it is conceivable that the signals output from the secure microcomputer 321 and the CPU 301 will collide. However, when there is no access, the signals do not collide by controlling each signal output to be in high impedance. If the signal output cannot be set to high impedance, access from the secure microcomputer 321 and the access from the CPU 301 may be switched by adding a selector circuit.

A bus 503 is an SPI bus for connecting the secure microcomputer 321 and the nonvolatile memory 332 for the scanner, and for connecting the scanner CPU 331 and the nonvolatile memory 332 for the scanner. Bus 503 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware to verify that the scanner firmware stored in the nonvolatile memory 332 has not been tampered with. The bus 503 is also used by the scanner CPU 331 to read scanner firmware stored in the nonvolatile memory 332 . The scanner CPU 331 controls the scanner 13 by reading and executing firmware stored in the nonvolatile memory 332 . The bus 503 is configured so that both the secure microcomputer 321 and the scanner CPU 331 can access the nonvolatile memory 332, but actual accesses do not occur simultaneously. That is, when the secure microcomputer 321 accesses the nonvolatile memory 332, the scanner CPU 331 does not access in the reset state. The secure microcomputer 321 does not access the non-volatile memory 332 after the reset of the scanner CPU 331 is released. Furthermore, the bus 503 is configured such that each signal is branched, and it is conceivable that the signals output from the secure microcomputer 321 and the scanner CPU 331 collide. However, by controlling each signal output to be in high impedance when not accessing, the signals do not collide. If the signal output cannot be set to high impedance, a selector circuit may be added to switch accesses from the secure microcomputer 321 and the scanner CPU 331 .

A bus 504 is an SPI bus for connecting the secure microcomputer 321 and the nonvolatile memory 342 for the printer, and for connecting the printer CPU 341 and the nonvolatile memory 342 for the printer. Bus 504 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware to verify that the firmware for the printer CPU 341 stored in the nonvolatile memory 342 has not been tampered with. The bus 504 is also used by the printer CPU 341 to read firmware for the printer CPU 341 stored in the non-volatile memory 342 . The printer CPU 341 controls the printer 14 by reading and executing firmware stored in the nonvolatile memory 342 . The bus 504 is configured so that both the secure microcomputer 321 and the printer CPU 341 can access the nonvolatile memory 342, but actual access does not occur simultaneously. That is, when the secure microcomputer 321 is accessing, the printer CPU 341 does not access the nonvolatile memory 342 in the reset state. Also, after the reset of the printer CPU 341 is released, the secure microcomputer 321 is prevented from accessing the nonvolatile memory 342 . Furthermore, the bus 504 has a configuration in which each signal is branched, and it is conceivable that the signals output from the secure microcomputer 321 and the printer CPU 341 collide. However, by setting each signal output to high impedance when not accessing, the signals do not collide. If the signal output cannot be set to high impedance, access from the secure microcomputer 321 and printer CPU 341 may be switched by adding a selector circuit.

The secure microcomputer 321 controls resetting of the CPU 301 using the reset signal 512 . The reset signal 512 is controlled to be at low level when the CPU 301 is put into the reset state, and at high level when it is put into the reset release state (operating state). When the image forming apparatus 10 is powered on, the secure microcomputer 321 resets the CPU 301 with the reset signal 512 . After that, the secure microcomputer 321 verifies falsification of the firmware for the CPU 301 stored in the nonvolatile memory 303, and if the verification result is satisfactory, the reset signal 512 is set to high level to release the reset of the CPU 301. On the other hand, even if the secure microcomputer 321 determines that the firmware stored in the nonvolatile memory 303 has been tampered with, if the firmware stored in the nonvolatile memory 303 is recovered to a normal state, the reset signal 512 is raised to a high level. to release the reset of the CPU 301. By resetting the CPU 301 using the reset signal 512 in this manner, the firmware for the CPU 301 read from the nonvolatile memory 303 by the CPU 301 can always be correct.

Also, the secure microcomputer 321 performs reset control of the scanner CPU 331 using the reset signal 513 . The reset signal 513 is controlled to be at a low level when the scanner CPU 331 is reset, and at a high level when the reset is canceled (operating state). When the power of the image forming apparatus 10 is turned on, the secure microcomputer 321 sets the reset signal 513 to low level to keep the scanner CPU 331 in a reset state. After that, the secure microcomputer 321 verifies falsification of the firmware for the scanner CPU stored in the nonvolatile memory 332. If the verification result indicates no problem, the reset signal 513 is set to a high level to put the scanner CPU 331 into a reset release state. to Even if the secure microcomputer 321 determines that the firmware stored in the nonvolatile memory 332 has been tampered with, if the firmware stored in the nonvolatile memory 332 is recovered to a normal state, the reset signal 513 is set to high level. to bring the scanner CPU 331 into the reset release state. In this way, the secure microcomputer 321 performs reset control of the scanner CPU 331 using the reset signal 513 so that the scanner CPU firmware read by the scanner CPU 331 from the nonvolatile memory 332 is always correct. can be done.

The secure microcomputer 321 also uses the reset signal 514 to reset the printer CPU 341 . When resetting the printer CPU 341, the reset signal 514 is set to low level, and when resetting the printer CPU 341, the reset signal 514 is set to high level. When the power of the image forming apparatus 10 is turned on, the secure microcomputer 321 sets the reset signal 514 to low level to keep the printer CPU 341 in a reset state. After that, the secure microcomputer 321 verifies falsification of the firmware for the printer CPU stored in the nonvolatile memory 342, and if there is no problem in the verification result, the reset signal 514 is set to high level to put the printer CPU 341 into the reset release state. to Even if the secure microcomputer 321 determines that the firmware stored in the nonvolatile memory 342 has been tampered with, if the firmware stored in the nonvolatile memory 342 is recovered to a normal state, the reset signal 514 is set to high level. to bring the printer CPU 341 into the reset release state. By executing the reset control of the printer CPU 341 using the reset signal 514 in this way, the firmware for the printer CPU read out from the nonvolatile memory 342 by the printer CPU 341 can always be correct. In addition, the secure microcomputer 321 uses an alert signal 515 to notify the CPU 301 that the firmware 411 stored in the nonvolatile memory 303 for the CPU 301 has been tampered with. The alert signal 515 notifies the CPU 301 that the firmware 411 has been tampered with when the secure microcomputer 321 recovers the firmware 411 stored in the nonvolatile memory 303 and the CPU 301 can be started normally. It is a signal for After receiving this notification, the CPU 301 confirms the alert signal 515 after being normally started, and records in the audit log that the firmware 411 for the CPU 301 has been tampered with. The alert signal 515 is normally output at a low level by the secure microcomputer 321, and when it is determined that the firmware 411 stored in the nonvolatile memory 303 has been tampered with, the secure microcomputer 321 raises the alert signal 515 to a high level. output in levels.

The secure microcomputer 321 also uses an alert signal 516 to notify the CPU 301 that the firmware stored in the scanner non-volatile memory 332 has been tampered with. When the secure microcomputer 321 recovers the firmware stored in the nonvolatile memory 332 and the scanner CPU 331 starts up normally, the alert signal 516 notifies the CPU 301 that the scanner firmware 421 has been tampered with. is a signal to notify After receiving this notification, the CPU 301 confirms the alert signal 516 after being normally started, and records in the audit log that the firmware 421 of the scanner non-volatile memory 332 has been tampered with. The secure microcomputer 321 normally outputs the alert signal 516 at low level, and when it determines that the firmware 421 stored in the non-volatile memory 332 for the scanner has been tampered with, it outputs the alert signal 516 at high level. to output.

The secure microcomputer 321 also uses an alert signal 517 to notify the CPU 301 that the firmware 431 stored in the printer non-volatile memory 342 has been tampered with. This alert signal 517 is issued when the secure microcomputer 321 recovers the firmware 431 for the printer CPU stored in the non-volatile memory 342 and the printer CPU 331 starts normally. This is a signal for notifying the CPU 301 that the data has been tampered with. After receiving this notification, the CPU 301 confirms the alert signal 517 after normal startup, and records in the audit log that the firmware 431 of the non-volatile memory 342 for the printer has been tampered with. The secure microcomputer 321 normally outputs the alert signal 517 at low level, and outputs the alert signal 517 at high level when it determines that the firmware 431 stored in the nonvolatile memory 342 has been tampered with.

FIG. 6 is a flowchart for explaining the operation of the secure microcomputer 321 according to the first embodiment. Note that the processing shown in this flowchart is achieved by the secure microcomputer 321 executing a program stored in the ROM 322 .

This process starts when the secure microcomputer 321 is not powered on, and transitions to S602 when the power is switched on in S601. In S602, the secure microcomputer 321 executes activation processing. At this time, the secure microcomputer 321 reads the firmware 401 for the secure microcomputer from the ROM 322 for the secure microcomputer. Then, the firmware 401 is verified using the fuse-set key information inside the secure microcomputer 321, and if there is no problem with the verification, the firmware 401 is activated. When the secure microcomputer 321 starts up normally in this way, the process transitions to S603.

Verification and recovery of the firmware 411 for the CPU 301 in steps S603 to S608 will be described below. In S603, the secure microcomputer 321 reads out the CPU firmware 411 from the nonvolatile memory 303 in order to verify whether the firmware 411 for the CPU 301 stored in the nonvolatile memory 303 has been tampered with. When reading of the CPU firmware 411 is completed in this manner, the process transitions to S604. In S604, the secure microcomputer 321 verifies whether or not the read CPU firmware 411 has been tampered with. Here, the secure microcomputer 321 verifies whether the CPU firmware 411 read in S603 has been rewritten (falsified) due to a cyber attack or the like. If the secure microcomputer 321 determines that the firmware 411 has not been tampered with, the process transitions to S608, and if it determines that the firmware 411 has been tampered with, the process transitions to S605.

In S<b>605 , the secure microcomputer 321 notifies the CPU 301 with the alert signal 515 . That is, the secure microcomputer 321 changes the alert signal 515 from low level to high level, notifies the CPU 301 that the firmware 411 for the CPU 301 has been tampered with as an alert, and transitions to S606. In S<b>606 , the secure microcomputer 321 restores the CPU firmware 411 stored in the nonvolatile memory 303 . Here, the secure microcomputer 321 reads out the CPU firmware 402 to be used for recovery stored in the ROM 322 and writes the read firmware into the area of the CPU firmware 411 in the nonvolatile memory 303 for recovery. When the writing of the firmware to the nonvolatile memory 303 is completed in this manner, the process transitions to S607. In S607, the secure microcomputer 321 confirms whether the CPU firmware 411 has been successfully restored. At this time, the secure microcomputer 321 compares the CPU firmware 402 stored in the ROM 322 and used for recovery with the CPU firmware 411 stored in the nonvolatile memory 303 in S606. Then, according to the comparison result, it is determined whether or not the system has been successfully restored. Here, if the secure microcomputer 321 determines that the CPU firmware 411 has been successfully restored, the processing transitions to S608, and if it is determined that the restoration has not been performed normally, this processing ends. The secure microcomputer 321 releases the reset of the CPU 301 in S608. That is, the secure microcomputer 321 changes the reset signal 512 from low level to high level to release the reset of the CPU 301 and advances to S609.

Verification and recovery of the firmware 421 for the scanner CPU in steps S609 to S614 will now be described.

First, in S609, the secure microcomputer 321 reads the firmware 421 from the non-volatile memory 332 in order to verify whether the firmware 421 for the scanner CPU 331 stored in the non-volatile memory 332 for scanner has been tampered with. When reading of the firmware 421 is completed, the process transitions to S610. In S610, the secure microcomputer 321 verifies whether or not the read firmware 421 has been tampered with. That is, the secure microcomputer 321 verifies whether the firmware 421 read in S609 has been rewritten (falsified) by a cyber attack or the like. Here, if the secure microcomputer 321 determines that the firmware 421 has not been tampered with, the process transitions to S614, and if it determines that the firmware 421 has been tampered with, the process transitions to S611.

In S<b>611 , the secure microcomputer 321 notifies the CPU 301 with the alert signal 516 . At this time, the secure microcomputer 321 changes the alert signal 516 from low level to high level, thereby notifying the CPU 301 as an alert that the firmware 421 for the scanner CPU has been falsified. When notification of this alert is carried out, the process proceeds to S612. In S<b>612 , the secure microcomputer 321 restores the firmware 421 stored in the scanner nonvolatile memory 332 . That is, the secure microcomputer 321 reads the firmware 403 for the scanner CPU to be used for recovery stored in the ROM 322 and writes the read firmware to the firmware 421 area of the nonvolatile memory 332 . When the process of writing the firmware to the nonvolatile memory 332 is completed in this manner, the process transitions to S613. In S613, the secure microcomputer 321 confirms whether the firmware 421 has been successfully restored. At this time, the secure microcomputer 321 compares the scanner CPU firmware 403 stored in the ROM 322 and used for recovery with the firmware 421 stored in the nonvolatile memory 332 . Then, according to the comparison result, it is determined whether or not the firmware 421 has been successfully restored. Here, if the secure microcomputer 321 determines that the firmware 421 has been successfully restored, the process transitions to S614, and if it determines that the firmware 421 has not been successfully restored, the process transitions to S615. In S<b>614 , the secure microcomputer 321 cancels the reset of the scanner CPU 331 . That is, the secure microcomputer 321 changes the reset signal 513 from low level to high level to cancel the reset of the scanner CPU 331 . On the other hand, if the firmware 421 for the scanner CPU cannot be restored normally, the reset of the scanner CPU 331 is not canceled and the process proceeds to step S615.

Next, in steps S615 to S620, verification and recovery of the firmware 431 for the printer CPU are performed.

First, in S615, the secure microcomputer 321 reads the firmware 431 from the printer non-volatile memory 342 in order to verify whether the firmware 431 for the printer CPU 341 stored in the printer non-volatile memory 342 has been tampered with. When the reading of the printer CPU firmware 431 is completed, the process proceeds to S616. In S616, the secure microcomputer 321 verifies whether the printer CPU firmware 431 read in S615 has been rewritten (falsified) by a cyber attack or the like. Here, if the secure microcomputer 321 determines that the firmware 431 has not been tampered with, the process transitions to S620, and if it determines that the firmware 431 has been tampered with, the process transitions to S617.

In S617, the secure microcomputer 321 notifies the CPU 301 of an alert signal. That is, the secure microcomputer 321 changes the alert signal 517 from low level to high level to notify the CPU 301 that the printer CPU firmware 431 has been tampered with as an alert. When this alert is notified, the process transitions to S618. In S<b>618 , the secure microcomputer 321 restores the printer CPU firmware 431 stored in the printer nonvolatile memory 342 . That is, the secure microcomputer 321 reads out the printer CPU firmware 404 stored in the ROM 322 and used for recovery, and writes it into the printer CPU firmware 431 area of the printer non-volatile memory 342 . When the writing of the firmware 431 to the printer non-volatile memory 342 is completed in this manner, the process transitions to S619. In S619, the secure microcomputer 321 confirms whether the printer CPU firmware 431 has been restored normally. Here, the printer CPU firmware 404 stored in the secure microcomputer ROM 322 is compared with the printer CPU firmware 431 stored in the printer non-volatile memory 342 in S618. Then, according to the comparison result, it is determined whether or not the printer CPU firmware 431 has been successfully restored. In S<b>620 , the secure microcomputer 321 cancels the reset of the printer CPU 331 . Here, the secure microcomputer 321 changes the alert signal 514 from low level to high level to release the reset of the printer CPU 341 .

As described above, according to this process, the secure microcomputer 321 sequentially cancels the reset of the CPUs for which the firmware verification is completed. CPU firmware can be verified. This makes it possible to reduce the startup time of the image forming apparatus. Also, by verifying the firmware in order from the one with the longest startup time of each CPU, it is possible to obtain the effect of further reducing the startup time.

FIG. 7 is a flowchart for explaining the operation of the CPU 301 of the image forming apparatus 10 according to the first embodiment. Note that the processing shown in this flowchart is achieved by the CPU 301 executing a program stored in the nonvolatile memory 303 .

At the start of this process, the power of the image forming apparatus 10 is not turned on, and when the power is turned on in S701, the process proceeds to S702. When the reset state of the CPU 301 is released by the secure microcomputer 321 in S702, the process proceeds to S703. The reset of the CPU 301 is canceled by the secure microcomputer 321 canceling the reset of the CPU 301 in S608 of FIG. In S703, the CPU 301 reads out the CPU firmware 411 from the non-volatile memory 303 for the CPU 301 and activates it. At this time, since the secure microcomputer 321 guarantees that the untampered CPU firmware 411 is stored in the non-volatile memory 303, the CPU 301 can be reliably booted with the untampered CPU firmware 411. .

In S<b>704 , the CPU 301 determines whether an alert has been detected from the alert signal 515 output from the secure microcomputer 321 . This process is for determining whether or not the secure microcomputer 321 has performed the recovery process (S606) of the CPU firmware 411 stored in the nonvolatile memory 303 before the CPU 301 is reset and starts operating. be. If the generation of the alert signal is detected, the process proceeds to S705, and if the generation of the alert signal is not detected, the process proceeds to S706. In S705, the CPU 301 saves in the audit log that the recovery process of the CPU firmware 411 has occurred, and proceeds to S706. By leaving the information in the audit log in this way, it becomes possible to notify or trace that the CPU firmware 411 has been tampered with.

In S706, the CPU 301 determines whether the alert signal 516 output from the secure microcomputer 321 has been detected. As a result of this processing, the CPU 301 checks whether or not the secure microcomputer 321 has performed the recovery processing (S612) of the scanner CPU firmware 421 stored in the nonvolatile memory 332 before the scanner CPU 331 is reset and starts operating. can know. When the alert signal 516 is detected, the process proceeds to S708, and when the alert signal 516 is not detected, the process proceeds to S707. In S707, the CPU 301 determines whether communication with the scanner CPU 331 is possible. This process confirms whether the reset of the scanner CPU 331 has been released and normal operation has started. That is, the fact that the CPU 301 can communicate normally with the scanner CPU 331 is a process for the CPU 301 to know that the reset of the scanner CPU 331 has been released. This allows the CPU 301 to know that the scanner CPU firmware 421 has not been tampered with and that the secure microcomputer 321 did not need to perform recovery processing (S612). If the CPU 301 determines that communication with the scanner CPU 331 is not possible, the process shifts to S706, and if it determines that the communication is possible, the process shifts to S712.

In step S<b>708 , the CPU 301 saves in the audit log that recovery processing of the scanner CPU firmware 421 has occurred, and advances to step S<b>709 . By leaving the information in the audit log in this way, it becomes possible to notify or trace that the scanner CPU firmware 421 has been tampered with. In step S<b>709 , the CPU 301 counts the elapsed time required for restoring the scanner CPU firmware 421 . As described above, the scanner CPU firmware 421 is restored after the secure microcomputer 321 issues an alert notification using the alert signal 516 . Therefore, it is necessary to confirm communication with the CPU 301 after the time required for the secure microcomputer 321 to recover has elapsed. If the CPU 301 determines that the time required for restoration has elapsed, the process proceeds to S710, otherwise the process remains at S709. In S710, the CPU 301 determines whether communication with the scanner CPU 331 is possible. This process is for checking whether the reset of the scanner CPU 331 has been released and normal operation has started. The fact that the CPU 301 can communicate normally with the scanner CPU 331 indicates that the secure microcomputer 321 has performed recovery processing (S612) after the scanner CPU firmware 421 has been tampered with, and has been successfully recovered. . If the CPU 301 determines that communication with the scanner CPU 331 is not possible, the process shifts to S711, and if it determines that the communication is possible, the process shifts to S712. In S711, the CPU 301 notifies of a communication error with the scanner CPU 331, and advances to S712.

In S712, the CPU 301 determines whether or not the alert signal 517 output from the secure microcomputer 321 has been detected. This allows the CPU 301 to know whether or not the secure microcomputer 321 has performed the restoration process (S618) of the printer CPU firmware 431 stored in the printer non-volatile memory 342 before the printer CPU 341 is released from reset and starts operating. be able to. If the generation of the alert signal 517 is not detected, the process proceeds to S713, and if the alert signal 517 is detected, the process proceeds to S714. In S713, the CPU 301 determines whether communication with the printer CPU 341 is possible. This is to confirm whether the printer CPU 341 has been reset and has started operating normally. If it is determined here that the CPU 301 can communicate normally with the printer CPU 341, the printer CPU firmware 431 has not been tampered with, and the secure microcomputer 321 need not perform recovery processing (S618). If the CPU 301 determines in S713 that communication with the printer CPU 341 is not possible, the process proceeds to S712, and if it is determined that communication is possible, this process ends.

In S714, the CPU 301 saves in the audit log that the restoration process of the printer CPU firmware 431 has occurred, and proceeds to S715. By leaving this in the audit log, it becomes possible to notify or trace that the printer CPU firmware 431 has been tampered with. In step S<b>715 , the CPU 301 counts the elapsed time required for restoring the printer CPU firmware 431 . This is because the printer CPU firmware 431 is restored after the secure microcomputer 321 notifies the alert signal 517, so it is necessary to confirm communication with the CPU 301 after the time required for the restoration has elapsed. If the CPU 301 determines in S715 that the time required for restoration has elapsed, the process proceeds to S716, otherwise the process remains in S715. In S716, the CPU 301 determines whether communication with the printer CPU 341 is possible. Here, it is confirmed whether the reset to the printer CPU 341 has been released and the pre-CPU 341 has started operating normally. Here, the fact that the CPU 301 can communicate normally with the printer CPU 341 means that the secure microcomputer 321 has performed recovery processing (S618) after the firmware 431 for the printer CPU has been tampered with, and has been successfully recovered. can know. If the CPU 301 determines that communication with the printer CPU 341 is not possible, the process proceeds to step S717, and if it is determined that communication is possible, this process ends. In S717, the CPU 301 notifies of a communication error with the printer CPU 341, and terminates this process.

As described above, according to the first embodiment, the secure microcomputer sequentially cancels the reset of the CPUs whose firmware has been verified. firmware can be verified. This makes it possible to reduce the startup time of the image forming apparatus. Also, by verifying the firmware in order from the one with the longest startup time of each CPU, it is possible to obtain the effect of further reducing the startup time.

In addition, the main CPU can reduce the startup time of the image forming apparatus by checking alert notifications from the secure microcomputer and communication with each CPU.

[Embodiment 2]
In the second embodiment, there are a plurality of CPUs to be verified by the secure microcomputer 321, and two or more of the plurality of CPUs are related to their activation processes. Since the configuration of the information processing system and the hardware configuration of the image forming apparatus 10 according to the second embodiment are the same as those of the first embodiment, the description thereof will be omitted. In addition to the firmware shown in FIG. 4, the secure microcomputer ROM 322 according to the second embodiment stores LAN controller firmware (not shown) for restoring the firmware of the nonvolatile memory 315 for the LAN controller. there is

FIG. 8 is a diagram illustrating a bus configuration for connecting the CPU 301, LAN controller 306, printer CPU 341, secure microcomputer 321, ROM, and nonvolatile memories according to the second embodiment. Although the SPI bus will be described as an example here, the present invention is not limited to the SPI bus.

A bus 801 is an SPI bus for connecting the secure microcomputer 321 and the secure microcomputer ROM 322 . A bus 801 has a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO), and is used to read firmware for the secure microcomputer 321 to operate. Also, the ROM 322 for the secure microcomputer stores firmware for recovering to a non-tampered state when the firmware operating in each CPU is tampered with. Therefore, when the secure microcomputer 321 detects that the firmware operating in each CPU has been tampered with, the bus 801 is used to read the firmware for recovery.

A bus 802 is an SPI bus for connecting the secure microcomputer 321 and the nonvolatile memory 303 for the CPU 301 and for connecting the CPU 301 and the nonvolatile memory 303 . Bus 802 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware 411 via the bus 802 in order to verify that the firmware 411 for the CPU stored in the nonvolatile memory 303 has not been tampered with. Bus 802 is also used by CPU 301 to read firmware 411 for CPU 301 stored in non-volatile memory 303 . The CPU 301 reads the firmware stored in the non-volatile memory 303 in order to perform boot processing. The bus 802 is configured so that both the secure microcomputer 321 and the CPU 301 can access the nonvolatile memory 303, but actual accesses do not occur at the same time. That is, when the secure microcomputer 321 is accessing, the CPU 301 does not access the nonvolatile memory 303 in the reset state. Also, after the reset of the CPU 301 is released, the secure microcomputer 321 does not access the nonvolatile memory 303 . Furthermore, the bus 802 has a configuration in which each signal is branched, and it is conceivable that the signals output from the secure microcomputer 321 and the CPU 301 may collide. However, when not accessing, by controlling each of these signal outputs to have high impedance, the signals do not collide. If the signal output cannot be set to high impedance, access from the secure microcomputer 321 and the access from the CPU 301 may be switched by adding a selector circuit.

A bus 803 is an SPI bus for connecting the secure microcomputer 321 and the LAN controller non-volatile memory 315 and connecting the LAN controller 306 and the non-volatile memory 315 . Bus 803 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware via the bus 803 to verify that the LAN controller firmware stored in the nonvolatile memory 315 has not been tampered with. Bus 803 is also used by LAN controller 306 to read firmware stored in non-volatile memory 315 . The LAN controller 306 reads the firmware stored in the non-volatile memory 315 to control the LAN 60 . The bus 803 is configured so that both the secure microcomputer 321 and the LAN controller 306 can access the nonvolatile memory 315, but access from both the secure microcomputer 321 and the LAN controller 306 does not occur at the same time. That is, when the secure microcomputer 321 is accessing, the LAN controller 306 does not access the nonvolatile memory 315 in the reset state. Also, after the reset of the LAN controller 306 is released, the secure microcomputer 321 is prevented from accessing the bus 803 . Furthermore, the bus 803 is configured such that each signal is branched, and it is conceivable that the signals output from the secure microcomputer 321 and the LAN controller 306 may collide. However, by controlling each signal output to be high impedance when not accessing, the signals do not collide. If the signal output cannot be set to high impedance, access from the secure microcomputer 321 and the LAN controller 306 may be switched by adding a selector circuit.

A bus 804 is an SPI bus for connecting the secure microcomputer 321 and the printer nonvolatile memory 342 and for connecting the printer CPU 341 and the printer nonvolatile memory 342 . Bus 804 includes a chip select signal (CS#), a clock signal (CLK), and a data bus signal (IO). The secure microcomputer 321 reads the firmware 431 for the printer CPU via the bus 804 in order to verify that the firmware 431 stored in the nonvolatile memory 342 has not been tampered with. The bus 804 is also used by the printer CPU 341 to read the firmware stored in the non-volatile memory 342 . The printer CPU 341 controls the printer 14 using firmware 342 stored in the nonvolatile memory 342 . The bus 804 is configured so that both the secure microcomputer 321 and the printer CPU 341 can access the printer non-volatile memory 342, but access from both does not occur at the same time. That is, when the secure microcomputer 321 is accessing, the printer CPU 341 does not access the nonvolatile memory 342 in the reset state. Also, after the printer CPU 341 is released from reset, the secure microcomputer 321 is prevented from accessing the bus 804 . Furthermore, the bus 804 is configured such that each signal is branched, and it is conceivable that the signals output from the secure microcomputer 321 and the printer CPU 341 collide. However, by controlling each signal output to be high impedance when not accessing, the signals do not collide. If the signal output cannot be set to high impedance, a selector circuit may be added to switch accesses from the secure microcomputer 321 and the printer CPU 341 .

The secure microcomputer 321 uses the reset signal 812 to reset the CPU 301 and the LAN controller 306 . That is, the reset signal 812 is set to low level when resetting the CPU 301 and LAN controller 306, and is set to high level when releasing the reset state (operating state). When the image forming apparatus 10 is powered on, the secure microcomputer 321 resets the CPU 301 and the LAN controller 306 with the reset signal 812 . After that, the secure microcomputer 321 verifies falsification of the firmware stored in the nonvolatile memory 303 and the nonvolatile memory 315 . As a result of the verification, if there is no problem, the reset signal 812 is set to high level to release the reset of the CPU 301 and the LAN controller 306 .

If the secure microcomputer 321 determines that the firmware stored in the nonvolatile memory 303 or the nonvolatile memory 315 has been tampered with and successfully recovers the tampered firmware, the reset signal 812 is set to a high level to Release the reset of the controller 306 . Using the reset signal 812 in this manner, reset control of the CPU 301 and the LAN controller 306 is performed. As a result, when the CPU 301 reads the firmware 411 from the nonvolatile memory 303 and when the LAN controller 306 reads the firmware from the nonvolatile memory 315, the firmware can always be correct.

The secure microcomputer 321 performs reset control of the printer CPU 341 using the reset signal 814 . The secure microcomputer 321 sets the reset signal 814 to low level when resetting the printer CPU 341, and sets the reset signal 814 to high level when resetting the printer CPU 341 to the reset release state (operating state). When the power of the image forming apparatus 10 is turned on, the secure microcomputer 321 resets the printer CPU 341 with the reset signal 814 . After that, the secure microcomputer 321 verifies falsification of the firmware 431 stored in the nonvolatile memory 342, and if the verification result indicates no problem, the printer CPU 341 is put into a reset release state by a reset signal 814. FIG. Also, even if the secure microcomputer 321 determines that the firmware 431 stored in the nonvolatile memory 342 has been tampered with, if the firmware 431 is normally recovered, the printer CPU 341 is put into the reset release state by the reset signal 814 . By performing reset control of the printer CPU 341 using the reset signal 814 in this way, when the printer CPU 341 reads out the firmware 431 from the nonvolatile memory 342, the firmware 431 can always be correct. can.

The secure microcomputer 321 uses an alert signal 815 to notify the CPU 301 whether or not the firmware 411 stored in the nonvolatile memory 303 has been tampered with. The alert signal 815 notifies the CPU 301 that the firmware 411 has been tampered with when the secure microcomputer 321 recovers the firmware 411 stored in the nonvolatile memory 303 and the CPU 301 starts normally. It is a signal to After receiving this notification, the CPU 301 confirms the alert signal 815 and records in the audit log that the firmware 411 has been tampered with. The alert signal 815 is normally output at a low level by the secure microcomputer 321, and is output at a high level when it is determined that the firmware 411 for the CPU 301 stored in the nonvolatile memory 303 has been tampered with.

The secure microcomputer 321 uses an alert signal 816 to notify the CPU 301 whether or not the LAN controller firmware stored in the nonvolatile memory 315 has been tampered with. The alert signal 816 notifies the CPU 301 that the firmware has been tampered with when the secure microcomputer 321 recovers the firmware stored in the nonvolatile memory 315 and the LAN controller 306 can be started normally. It is a signal to After receiving this notification, the CPU 301 confirms the alert signal 816 after being normally started, and records in the audit log that the firmware for the LAN controller has been tampered with. The secure microcomputer 321 normally outputs the alert signal 816 at low level, and outputs it at high level when it determines that the LAN controller firmware stored in the nonvolatile memory 315 has been tampered with.

The secure microcomputer 312 uses an alert signal 817 to notify the CPU 301 whether or not the printer firmware 431 stored in the nonvolatile memory 342 has been tampered with. When the secure microcomputer 321 recovers the firmware 431 stored in the nonvolatile memory 342 and the printer CPU 331 starts normally, the alert signal 817 notifies the CPU 301 that the firmware 431 has been tampered with. is a signal of After receiving this notification, the CPU 301 confirms the alert signal 817 after normal startup, and records in the audit log that the firmware 431 has been tampered with. The secure microcomputer 321 normally outputs the alert signal 817 at low level, and outputs it at high level when it determines that the firmware 431 stored in the nonvolatile memory 342 has been tampered with.

FIG. 9 is a flowchart for explaining the operation of the secure microcomputer 321 according to the second embodiment. Note that the processing shown in this flowchart is achieved by the secure microcomputer 321 executing a program stored in the ROM 322 .

At the start of this process, the power of the image forming apparatus 10 is not turned on, and when the power is turned on in S901, the process proceeds to S902. In S902, the secure microcomputer 321 performs activation processing. In this activation process, the secure microcomputer 321 reads the secure microcomputer firmware 401 from the secure microcomputer ROM 322 and performs verification using the key information set in the fuse inside the secure microcomputer 321 . Then, if there is no problem in this verification, the secure microcomputer firmware 401 performs startup processing. When the secure microcomputer 321 is activated in this manner, the process transitions to S903. In S903, the secure microcomputer 321 reads the CPU firmware 411 from the nonvolatile memory 303 to verify whether the CPU firmware 411 stored in the nonvolatile memory 303 has been tampered with. When reading of the CPU firmware 411 is completed, the process transitions to S904.

In S<b>904 , the secure microcomputer 321 verifies falsification of the CPU firmware 411 . The secure microcomputer 321 verifies whether the CPU firmware 411 read in S903 has been rewritten (falsified) due to a cyber attack or the like. If the secure microcomputer 321 determines in S904 that the CPU firmware 411 has not been tampered with, the process proceeds to S908, and if it determines that the CPU firmware 411 has been tampered with, the process proceeds to S905.

In S<b>905 , the secure microcomputer 321 notifies the CPU 301 with the alert signal 815 . That is, the secure microcomputer 321 changes the alert signal 815 from low level to high level to notify the CPU 301 that the CPU firmware 411 has been tampered with. When the alert is notified in this manner, the process transitions to S906. In S<b>906 , the secure microcomputer 321 restores the CPU firmware 411 stored in the nonvolatile memory 303 . That is, the secure microcomputer 321 reads out the CPU firmware 402 stored in the ROM 322 and writes it into the area of the CPU firmware 411 in the non-volatile memory 303 for restoration. When the recovery of the firmware 411 for the non-volatile memory 303 CPU is completed in this manner, the process transitions to S907. In S907, the secure microcomputer 321 determines whether the CPU firmware 411 has been successfully restored. At this time, the secure microcomputer 321 compares the CPU firmware 402 used for recovery stored in the secure microcomputer ROM 322 with the CPU firmware 411 stored in the nonvolatile memory 303 in S905. Then, according to the comparison result, it is determined whether or not the CPU firmware 411 has been successfully restored. When the secure microcomputer 321 determines that the CPU firmware 411 has been successfully restored, the process proceeds to S908.

In S908, the secure microcomputer 321 reads the LAN controller firmware from the non-volatile memory 315 in order to verify whether the firmware stored in the LAN controller non-volatile memory 315 has been tampered with. When the reading of the LAN controller firmware is completed, the process transitions to S909. In S909, the secure microcomputer 321 verifies whether the read LAN controller firmware has been rewritten (falsified) due to a cyber attack or the like. Here, if the secure microcomputer 321 determines that the LAN controller firmware has not been tampered with, the process transitions to S913, and if it determines that the LAN controller firmware has been tampered with, the process transitions to S910. In S910, the secure microcomputer 321 changes the alert signal 816 from low level to high level, and notifies the CPU 301 as an alert that the LAN controller firmware has been tampered with. When this alert is notified, the process transitions to S911. In S<b>911 , the secure microcomputer 321 reads the LAN controller firmware (not shown) to be used for recovery stored in the secure microcomputer ROM 322 . Then, the read firmware is written in the area of the LAN controller firmware (not shown) of the nonvolatile memory 315 to restore the state, and the process transitions to 912 . In S912, the secure microcomputer 321 determines whether the LAN controller firmware in the nonvolatile memory 315 has been successfully restored. Here, the secure microcomputer 321 compares the LAN controller firmware stored in the ROM 322 and used for recovery with the LAN controller firmware stored in the LAN controller non-volatile memory 315 in S911. Then, according to the comparison result, it is determined whether or not the LAN controller firmware has been successfully restored. If it is determined that the LAN controller firmware has been successfully restored, the process proceeds to S913, and if it is determined that the LAN controller firmware has not been successfully restored, this process ends. In S913, the secure microcomputer 321 changes the alert signal 812 from low level to high level, cancels the reset of the CPU 301 and LAN controller 306, and proceeds to S914. This point is different from the first embodiment described above.

Since the processing of S914 to S919 is the same as the processing of S615 to S620 in FIG. 6, the description thereof will be omitted.

FIG. 10 is a flowchart for explaining the operation of the CPU 301 of the image forming apparatus 10 according to the second embodiment. Note that the processing shown in this flowchart is achieved by the CPU 301 executing a program stored in the nonvolatile memory 303 .

At the start of this process, the power of the image forming apparatus 10 is not turned on, and when the power is turned on in S1001, the process proceeds to S1002. In S1002, the CPU 301 is reset, and when the reset is released, the process proceeds to S1003. This is because the reset of the CPU 301 is canceled by S908 in FIG. In S1003, the CPU 301 reads out the CPU firmware 411 from the nonvolatile memory 303 and starts up. At this time, since the secure microcomputer 321 has stored the CPU firmware 411 whose tampering has been verified in the non-volatile memory 303, the CPU 301 can be booted with the CPU firmware 411 that has not been tampered with.

Next, proceeding to S<b>1004 , the CPU 301 determines whether an alert has been notified by the alert signal 815 output from the secure microcomputer 321 . This is the process of determining whether or not the secure microcomputer 321 has restored the CPU firmware 411 stored in the nonvolatile memory 303 (S906) before the reset of the CPU 301 is released and the CPU 301 starts operating. If it is determined that an alert has been notified, the process proceeds to S1005, and if it is determined that an alert has not been notified, the process proceeds to S1006. In S<b>1005 , the CPU 301 records in an audit log that the CPU firmware 411 has been restored, and proceeds to S<b>1006 . By leaving the information in the audit log in this way, it becomes possible to notify or trace that the CPU firmware 411 has been falsified.

In S<b>1006 , the CPU 301 determines whether an alert has been notified by the alert signal 816 from the secure microcomputer 321 . This is to know whether or not the LAN controller firmware stored in the LAN controller non-volatile memory 315 has been restored by the secure microcomputer 321 (S911) before the reset of the CPU 301 is released and the operation is started. is. If it is determined that the alert has been notified, the process proceeds to S1007, and if it is determined that the alert has not been notified, the process proceeds to S1008. In S1007, the CPU 301 records in an audit log that the LAN controller firmware has been restored, and proceeds to S1008. By leaving the information in the audit log in this way, it becomes possible to notify or trace that the LAN controller firmware has been falsified.

In S<b>1008 , the CPU 301 determines whether an alert has been notified by the alert signal 814 from the secure microcomputer 321 . This is because the CPU 301 knows whether or not the printer CPU firmware 431 stored in the non-volatile memory 342 has been restored by the secure microcomputer 321 (S917) before the reset of the printer CPU 341 is released and the operation is started. is. If it is determined that the alert has been notified, the process proceeds to S1010, and if it is determined that the alert has not been notified, the process proceeds to S1009. In S1009, the CPU 301 determines whether communication with the printer CPU 341 is possible. This is to confirm whether the reset to the printer CPU 341 has been released and the operation has started normally. Here, if the CPU 301 can communicate normally with the printer CPU 341, the CPU 301 can know that the printer CPU firmware 431 has not been tampered with and the secure microcomputer 321 did not need to perform recovery processing (S917). If the CPU 301 determines in S1009 that communication with the printer CPU 341 is not possible, the process proceeds to S1008, and if it is determined that communication is possible, this process ends.

In S1010, the CPU 301 records, as an audit log, that the printer CPU firmware 431 has been restored, and proceeds to S1011. By recording as an audit log in this way, it becomes possible to notify or trace that the printer CPU firmware 431 has been falsified. In step S<b>1011 , the CPU 301 counts the elapsed time required for restoring the printer CPU firmware 431 . After the secure microcomputer 321 notifies the alert with the alert signal 817, the printer CPU firmware 431 is restored, so the secure microcomputer 321 needs to confirm communication with the CPU 301 after the time required for restoration has elapsed. If the PU 301 determines in S1011 that the time required for restoration has elapsed, the process proceeds to S1012, otherwise the process remains in S1011. In S1012, the CPU 301 determines whether communication with the printer CPU 341 is possible. This process confirms whether the reset of the printer CPU 341 has been released and the printer CPU 341 is operating normally. If the CPU 301 can communicate normally with the printer CPU 341, the secure microcomputer 321 performs the recovery process (S917) after the printer CPU firmware 431 has been tampered with, and has successfully recovered. Here, if the CPU 301 determines that communication with the printer CPU 341 is not possible, the process transitions to S1013, and if it is determined that communication is possible, this process ends. In S1013, the CPU 301 notifies that a communication error has occurred with the printer CPU 341, and terminates this process.

As described above, according to the second embodiment, in addition to the effects of the first embodiment described above, by simultaneously canceling the reset of the CPU and the LAN controller whose firmware has been verified by the secure microcomputer, the image forming apparatus can be started up. You can save time. As for the CPUs that need to be activated at the same time, the simultaneous release of the reset has the effect of shortening the activation time without causing inconsistency in the activation process.

Regarding the second embodiment, when a plurality of processors and microcomputers need to be associated with each other in the boot process, and when the reset release is performed at the same timing, verification of each firmware related to the boot process is required. Do not release the reset until all are complete. Then, among the processors, the firmware of the CPU with the longest total startup time may be sequentially verified, and the reset may be released sequentially.

Also, verification may be performed from the firmware of a CPU that can be notified to the user, and if there is a problem in verification and recovery of the firmware of that CPU, verification of firmware of other CPUs may not be performed.

FIG. 11 is a diagram for explaining the effect of reducing the startup time of the image forming apparatus 10 according to the embodiment.

First, the conventional activation process shown in FIG. 11A will be described.

An operation 1101 of the secure microcomputer describes a flow in which the secure microcomputer verifies firmware for each CPU from power-on. Here, when the power is turned on, the secure microcomputer sequentially verifies CPU firmware, scanner firmware, and printer firmware. When the verification of the firmware of all CPUs is completed in this way, the reset of these CPUs is released.

A reset signal 1102 indicates a signal for canceling the reset of these CPUs when the secure microcomputer has completed verifying the firmware of all CPUs. When the reset signal level changes from low level to high level, each CPU starts activation processing.

Next, startup processing of the image forming apparatus according to the embodiment will be described with reference to FIG.

A secure microcomputer operation 1111 describes a flow in which the secure microcomputer 321 verifies firmware for each CPU from power-on. When the power is turned on, the secure microcomputer 321 first verifies the CPU firmware 411 . If the verification of the CPU firmware 411 is completed and there is no abnormality, the secure microcomputer 321 changes the CPU reset signal 512 from low level to high level to release the reset of the CPU 301 . As a result, the CPU 301 starts activation processing. A CPU status 1113 indicates the activation status of the CPU 301 .

The secure microcomputer 321 then verifies the scanner CPU firmware 421 . If the verification of the scanner CPU firmware 421 is completed and there is no abnormality, the secure microcomputer 321 changes the reset signal 513 of the scanner CPU 331 from low level to high level to release the reset of the scanner CPU 331 . As a result, the scanner CPU 331 starts activation processing. A scanner CPU state 1114 indicates the state of the scanner CPU 331 .

By doing so, the secure microcomputer 321 can verify the scanner CPU firmware 421 in parallel with the CPU 301 executing the startup process, thereby reducing the startup time of the image forming apparatus. becomes possible.

Furthermore, the secure microcomputer 321 verifies the printer CPU firmware 431 . If the verification of the printer CPU firmware 431 is completed and there is no abnormality, the secure microcomputer 321 changes the reset signal 514 of the printer CPU 341 from low level to high level. Thus, the reset of the printer CPU 341 is released, and the printer CPU 341 starts activation processing. A printer CPU state 1115 indicates the state of the printer CPU 341 .

By doing so, the secure microcomputer 321 can verify the printer CPU firmware 421 in parallel with the startup processing of the CPU 301 and the startup processing of the scanner CPU 321, so that the startup time of the image forming apparatus can be reduced. It becomes possible.

(Other embodiments)
The present invention supplies a program that implements one or more functions of the above-described embodiments to a system or apparatus via a network or a storage medium, and one or more processors in the computer of the system or apparatus reads and executes the program. It can also be realized by processing to It can also be implemented by a circuit (for example, ASIC) that implements one or more functions.

The invention is not limited to the embodiments described above, and various modifications and variations are possible without departing from the spirit and scope of the invention. Accordingly, to publicize the scope of the invention, the following claims are included.

301 CPU 303 CPU ROM 321 secure microcomputer 322 secure microcomputer ROM 331 scanner CPU 332 scanner CPU ROM 341 printer CPU 342 printer CPU ROM

Claims (11)

An information processing apparatus having a plurality of CPUs and a plurality of storage means for storing firmware of each of the plurality of CPUs,
a first storage means for storing firmware of the plurality of CPUs;
A first CPU that can access the first storage means among the plurality of CPUs,
When the first CPU is started, the first CPU verifies whether or not the firmware stored in the second storage means for storing the firmware of the CPUs other than the first CPU has been tampered with;
releasing the reset of the CPU that executes the firmware determined to be free of tampering by the verification;
After rewriting the firmware determined to be falsified by the verification with the corresponding firmware stored in the first storage means, resetting of a CPU executing the rewritten firmware is released. Device. 2. The first storage means is a non-rewritable ROM (read only memory), and the second storage means includes a non-volatile memory provided corresponding to each of the other CPUs. The information processing device according to . 3. The CPUs other than the first CPU, when the reset of the CPU is released, read firmware from a non-volatile memory provided corresponding to the CPU whose reset has been released, and start up. 3. The information processing device according to 2. 4. The information processing apparatus according to any one of claims 1 to 3, wherein the first CPU can release resetting of a plurality of CPUs simultaneously. 5. The information processing apparatus according to any one of claims 1 to 4, wherein the second CPU, which is one of the other CPUs, records, as a log, firmware determined to have been falsified by the verification. 6. The information processing apparatus according to claim 5, wherein the first CPU notifies the second CPU of the firmware determined to be falsified by the verification. The first CPU further verifies whether or not the firmware stored in the second storage means has been falsified after verifying the firmware of the first CPU using the key information set in the fuse inside the first CPU. 7. The information processing apparatus according to any one of claims 1 to 6, characterized by: 8. The information processing apparatus according to any one of claims 1 to 7, wherein the CPUs other than the first CPU are in a reset state at the start-up. 9. The information processing apparatus according to claim 1, wherein said first CPU cannot be accessed from said other CPU. When there are a plurality of CPUs other than the first CPU, the first CPU sequentially verifies firmware corresponding to each of the plurality of other CPUs, and verifies the firmware of the plurality of other CPUs according to the verification result. 10. The information processing apparatus according to any one of claims 1 to 9, wherein each reset is released sequentially. A control method for controlling an information processing apparatus having a plurality of CPUs and a plurality of storage means for storing firmware for each of the plurality of CPUs,
a verification step of verifying, by a first CPU among the plurality of CPUs, whether or not the firmware stored in a second storage means for storing firmware of other CPUs other than the first CPU has been falsified at startup;
a step of canceling the reset of a CPU executing firmware determined to be free of tampering in the verification step;
After rewriting the firmware determined to be falsified in the verification step with the corresponding firmware stored in the first storage means for storing the firmware of the plurality of CPUs, resetting the CPU that executes the rewritten firmware. and
A control method characterized by having

Images