JP6461272B1 - Control device - Google Patents

Abstract

A control device capable of starting up at high speed while ensuring safety is obtained by eliminating a secure boot process that is performed every time it is started up under a predetermined condition. A state information obtaining unit for obtaining state information related to control, a first storage area for storing control data, a second storage area for storing state information, and data generated from the data in the first storage area. A third storage area 122 for storing the expected value, a verification value generating means 114 for generating a verification value from the data in the first storage area, and a first determination means for determining whether to execute the control means 110 from the expected value and the verification value 115. A second determination unit 116 for determining whether to execute the first determination unit from the state information is provided. When the control unit is stopped, the state information is obtained and stored in the second storage area. Prior to activation of the means, the state information is obtained again, and the second determination means determines whether or not the first determination means is to be executed from the state information at the time of stop and the state information at the time of activation. [Selection] Figure 1

Description

  The present invention relates to a control device that can be activated at high speed while ensuring security.

  A plurality of control devices called ECUs (Electronic Control Units) are mounted on the vehicle, and the ECU is connected to other ECUs or communication devices outside the vehicle by communication, and thus may be intruded illegally. If unauthorized entry occurs, the program data of the ECU may be altered and remotely operated.

  Secure boot is known as one of countermeasures against data alteration of the ECU. Secure boot is a technique for detecting the alteration of data by verifying the completeness of an expected value created from data in advance using a cryptographic technique and a verification value created at that time from the data. Before the process related to the control of the ECU is started, it can be determined whether the control can be started in a normal state by verifying whether the data has been tampered with since the end of the previous time.

  On the other hand, the ECU has a severe restriction on the activation time, and the secure boot processing time must be within the restriction on the activation time of the ECU (the required time until the control starts). Therefore, in order to start the ECU safely, it is required to shorten the secure boot processing time.

  In Patent Document 1, in order to solve the above problem, it is determined whether or not the target program or data is a program or data that needs to be verified by referring to the stored program list. If the target program or data is necessary, the verification of the target program or data can be performed to minimize the verification range, and the secure boot process can be started safely at high speed.

JP 2017-33248 A

  However, when the technique of Patent Document 1 is applied, there are the following problems. In the secure boot, when the verification range is kept to a minimum, the secure boot process is performed every time the boot is performed. Therefore, the processing time is increased, and the processing time is increased as compared with the case where the secure boot is not performed.

  The present invention has been made to solve the above-described problems. Under the predetermined conditions, the normal boot time in which the secure boot process is not performed by eliminating the secure boot process performed every time the boot is performed. An object of the present invention is to obtain a control device having an ECU startup time close to.

  The control device according to the present invention requires a control means for controlling a control target, a control activation means for controlling activation of the control means, a status information obtaining means for obtaining status information related to the control, and the control means required for control. A first storage area for storing data, a second storage area for storing state information obtained by the state information obtaining means, and a third storage for storing an expected value generated from the data in the first storage area A verification value generating means for generating a verification value from the data in the area, the first storage area, and an expected value stored in the third storage area and the verification value by the verification value generation means determining whether to execute the control means And a second determination unit for determining whether to implement the first determination unit from one or more pieces of state information, and when the control unit is stopped, the state information is acquired from the state information acquisition unit. Get the information in the second storage area The state information is obtained again before starting the control means, and the second determination means determines whether or not to implement the first determination means from the stop state information and the start state information. It is.

  According to the present invention, the secure boot processing time performed at the time of starting the control device is not verified under specific conditions, so that the control device boot time is made equal to the normal boot time when the secure boot processing is not performed. Therefore, the ECU can be activated safely and at high speed.

It is a block diagram which shows the structure of the control system in Embodiment 1 of this invention. It is a figure which shows the flow of a process at the time of completion | finish of the control apparatus by Embodiment 1 of this invention. It is a figure which shows the flow of a process at the time of starting of the control apparatus by Embodiment 1 of this invention. It is a block diagram which shows the structure of the control system in Embodiment 2 of this invention. It is a figure which shows the flow of a process at the time of completion | finish of the control apparatus by Embodiment 2 of this invention. It is a figure which shows the flow of a process at the time of starting of the control apparatus by Embodiment 2 of this invention.

  The control device of the present invention will be described below with reference to the drawings according to each embodiment. In each embodiment, the same or corresponding parts are denoted by the same reference numerals, and redundant description is omitted.

Embodiment 1 FIG.
FIG. 1 shows the configuration of a vehicle control system that implements a start-up method that enables safe and fast start-up as an example of a control apparatus according to Embodiment 1 of the present invention. Here, the vehicle control system includes a motor control device 100 and a drive motor 101 to be controlled. Although the vehicle control system includes components other than those shown in FIG. 1, those not directly related to the first embodiment are not shown.

  The motor control device 100 is connected to the drive motor 101 and controls it. The configuration and function of the motor control device 100 will be briefly described. The control unit 110 calculates control amounts and various processing values related to the control of the drive motor 101. The stop unit 111 ends the operation by stopping the supply of power to the motor control device 100. The status information acquisition unit 112 collects status information data indicating the status related to the control of the motor control device 100 itself. Here, the count values counted by the counting means 117 are collected. The control activation unit 113 activates the control unit 110 based on the results of the first determination unit 115 and the second determination unit 116.

  The verification value generation unit 114 generates a verification value from the data stored in the first storage area 120. The first determination unit 115 determines whether to execute the control unit 110 from the expected value stored in the third storage area 122 and the verification value generated by the verification value generation unit 114. The second determination unit 116 compares the state information (count value) stored in the second storage area 121 with the state information (count value) obtained by the state information obtaining unit 112, and the comparison result is predetermined. It is determined whether or not the first determination means 115 is to be executed depending on whether or not it is within the range. The count means 117 increments the counter value held every time the motor control device 100 is activated.

  Here, the motor control device 100 is activated when power is supplied or the control device is reset according to the state of an IG (ignition) switch of the vehicle. The activation mode confirmation unit 118 confirms the activation mode requested at the time of activation. Here, a control mode for controlling the drive motor 101 and a rewrite mode for rewriting the stored data in the first storage area 120 and the third storage area 122 are prepared as the start mode. The request for the rewrite mode is performed when a tester or the like is connected from the outside of the control device. The storage area rewriting means 119 is a means for actually rewriting data stored in the first storage area 120 and the third storage area 122.

  Next, the first storage area 120 stores data necessary for control by the control means 110. The second storage area 121 stores the state information obtained by the state information obtaining unit 112. The third storage area 122 stores an expected value generated in advance from data stored in the first storage area 120. These storage areas are preferably divided for each device, but may be defined as separate areas on one device.

  Next, the flow of processing when the motor control device 100 of the vehicle control system according to Embodiment 1 is stopped and started will be described using the flowcharts of FIGS. 2 and 3, respectively. The process at the time of stopping in FIG. 2 is executed as the last process when the motor control device 100 is stopped with the detection that the IG switch in the vehicle is turned off as a trigger. The process at the time of startup in FIG. 3 is first executed when the motor control device 100 is started by being supplied with power or reset, for example, when an IG switch in the vehicle is turned on.

First, processing when the motor control device 100 is stopped will be described with reference to FIG.
In FIG. 2, step S201 confirms whether the control means 110 has stopped the process regarding motor control. If the control is finished (Yes), the process proceeds to step S202. If the control is not finished (No), the process waits until the end. Subsequently, in step S202, the state information obtaining unit 112 collects the count values held by the counting unit 117 as the state information. In step S <b> 203, the state information acquisition unit 112 attempts to store the collected count value in the second storage area 121. Subsequently, in step S204, if the storage is completed (Yes), the process proceeds to step S205, and if the storage is not completed (No), the process returns to step S203.
In step S <b> 205, the stop unit 111 controls the power supply relay and the like to stop the power supply to the motor control device 100 and stop the motor control device 100.

Next, the process at the time of starting the motor control apparatus 100 will be described with reference to FIG.
In FIG. 3, in step S301, the counting means 117 updates the count value held by the confidence. Here, the held count value is +1.
In step S302, the activation mode confirmation unit 118 confirms the activation mode. If it is a control mode for controlling the drive motor 101, the process proceeds to step S303, and if it is a rewrite mode for rewriting data stored in the first storage area 120 and the third storage area 122, the process proceeds to step S310.

In step S303, the state information obtaining unit 112 collects the count value held by the counting unit 117 as the state information. Subsequently, in step S304, if the collection of the count value is completed (Yes), the process proceeds to step S305. If the collection of the count value is not completed (No), the process waits until completion.
In step S305, the second determination unit 116 compares the count value stored in the second storage area 121 with the count value acquired by the state information acquisition unit 112 in step S202. Subsequently, in step S306, it is determined whether or not the comparison result of the count value is within a range of +1 as a predetermined value. If it is within the range (Yes), the process proceeds to step S311. If it is not within the range (No), the process proceeds to step S307.

In step S <b> 307, the verification value generation unit 114 generates a verification value from the data stored in the first storage area 120. In step S308, the first determination unit 115 compares the expected value stored in the third storage area 122 with the verification value generated in step S307.
Subsequently, in step S309, if the comparison result between the expected value and the verification value is the same (Yes), the process proceeds to step S311. If the comparison result is different (No), the process ends without performing the control unit 110. . Note that step S307, step S308, and step S309 are portions that require processing time as secure boot processing.

In step S <b> 310, the storage area rewriting unit 119 rewrites the stored data in the first storage area 120 and writes an expected value generated in advance from the data stored in the first storage area 120 in the third storage area 122. Thereafter, the process is terminated without executing the control means 110. The storage area rewriting means 119 is not particularly limited because it does not affect the operation and effect of the embodiment.
In step S311, the control activation unit 113 activates the control unit 110.

  As described above, with the configuration of FIG. 1, the motor control device 100 stores the counter value held by itself as state information in accordance with the flow shown in FIG. 2 when stopped. Thereafter, when the motor control device 100 is started, it is checked whether the difference between the stored counter value and the collected counter value is within a predetermined range according to the flow shown in FIG. When the motor control device 100 is entered, it is determined that the motor control device 100 has not been started up until the main start-up, and a verification value generation (step S307) in which processing time occurs is performed. In step S308), the controller 110 can be activated without confirming the determination result (step S309).

  According to such a vehicle control system, by comparing the state information at the time of stopping the motor control device 100 with the state information at the time of starting, it is not started for rewriting or the like during the stop, or unintentionally starting If it can be confirmed that the verification process is not performed, the verification process at the time of activation is omitted, so that the control device can be activated at high speed while ensuring security.

  In the first embodiment, the state information is described as the counter value, but the present invention is not limited to this. Even if an analog value such as a voltage value of a battery held for backup owned by the motor control device 100 is used, it is not unintentionally started during the stop by appropriately determining the verification range used in step S306. Since it is detected that the reactivation is performed in a short time and the verification process at the time of activation is omitted, the control device can be activated safely and at high speed.

  Further, if the state information is encrypted when stored in the second storage area 121 and decrypted when the state information is compared, the possibility that the state information itself will be tampered with is reduced, and security is improved. be able to.

Embodiment 2. FIG.
Next, a control device according to Embodiment 2 of the present invention will be described with reference to FIGS.
FIG. 4 shows the configuration of a vehicle control system in which an activation method that enables safe and high-speed activation is implemented as an example of a control device according to Embodiment 2 of the present invention. The vehicle control system according to the second embodiment includes a door control device 410 in addition to the vehicle control system configured by the motor control device 100 and the drive motor 101 described in the first embodiment.
In FIG. 4, each control device 100, 410 includes components other than those shown in FIG. 4, but those not directly related to the second embodiment are omitted and the implementation shown in FIG. 1 is performed. About what was demonstrated in the form 1, the same code | symbol is attached | subjected and description is abbreviate | omitted.

In the vehicle control system according to the second embodiment, the motor control device 100 and the door control device 410 are connected to each other via a CAN (Controller Area Network) network 400 as a vehicle communication line so that they can communicate with each other.
First, the added configuration and function of the motor control device 100 according to the second embodiment will be briefly described. The data transmission / reception means 401 transmits / receives data to / from the connected door control device 410 via the CAN network 400.

  The door control device 410 is connected to the door module 411 of the vehicle and controls the lock / unlock of the door. The configuration and function of the door control device 410 will be briefly described. The second control unit 420 performs control related to the door module 411. The storage area 421 stores data necessary for control by the second control unit 420. Here, the state detection means 422 collects the number of door opening / closing of the driver's seat as the state information regarding the door. However, the status information is not limited to this. The second data transmission / reception unit 423 transmits / receives data to / from the data transmission / reception unit 401 of the motor control device 100 connected via the CAN network 400.

  Next, the flow of processing when the motor control device 100 of the vehicle control system according to Embodiment 2 is stopped and started will be described using the flowcharts of FIGS. 5 and 6 respectively. The process at the time of stopping in FIG. 5 is executed as the last process when the motor control device 100 is stopped by using, for example, detection that the IG switch in the vehicle is turned off as a trigger. The process at the time of startup in FIG. 6 is first executed when power is supplied to the motor control device 100 or the motor is started after being reset, triggered by turning on an IG switch in the vehicle.

First, processing when the motor control device 100 is stopped will be described with reference to FIG.
In FIG. 5, step S501 confirms whether the control means 110 has stopped the process which concerns on motor control. If the control is finished (Yes), the process proceeds to step S502. If the control is not finished (No), the process waits until the end.
Subsequently, in step S <b> 502, the state information obtaining unit 112 requests the door control device 410 to send the state information using the data transmission / reception unit 401. Subsequently, in step S503, if reception of the door opening / closing count is completed as state information (Yes), the process proceeds to step S504. If reception is not completed (No), the process waits until reception.

In step S <b> 504, the state information obtaining unit 112 attempts to store the received and collected door opening / closing times in the second storage area 121. Subsequently, in step S505, if the storage is completed, the process proceeds to step S506, and if the storage is not completed, the process returns to step S504.
In step S <b> 506, the stop unit 111 controls the power supply relay and the like to stop the power supply to the motor control device 100 and stop the motor control device 100.

Next, processing when the motor control device 100 is started will be described with reference to FIG.
In FIG. 6, in step S <b> 601, the motor control device 100 activates the data transmission / reception unit 401. In step S602, the activation mode confirmation unit 118 confirms the activation mode. If the start mode is a control mode for controlling the drive motor 101, the process proceeds to step S603. If the start mode is a rewrite mode for rewriting data stored in the first storage area 120 and the third storage area 122, the process proceeds to step S610. .

In step S <b> 603, the state information obtaining unit 112 requests the door control device 410 to send the state information using the data transmission / reception unit 401. Subsequently, in step S604, if reception of the door opening / closing count is completed as state information (Yes), the process proceeds to step S605. If reception is not completed (No), the process waits until reception.
In step S605, the second determination unit 116 compares the door opening / closing number stored in the second storage area 121 with the door opening / closing number obtained by the state information obtaining unit 112 in step S604. In step S606, it is determined whether the comparison result is within a range of +1 as a predetermined value. If it is within the range (Yes), the process proceeds to step S611. If it is not within the range (No), the process proceeds to step S607.

In step S <b> 607, the verification value generation unit 114 generates a verification value from the data stored in the first storage area 120. In step S608, the first determination unit 115 compares the expected value stored in the third storage area 122 with the verification value generated in step S607.
Subsequently, in step S609, if the comparison result is the same (Yes), the process ends without executing the control means 110 if the comparison result is different (No) to step S611. Note that step S607, step S608, and step S609 are portions that require processing time as secure boot processing.

In step S <b> 610, the storage area rewriting unit 119 rewrites the stored data in the first storage area 120 and writes the expected value generated in advance from the data stored in the first storage area 120 in the third storage area 122. Thereafter, the process is terminated without executing the control means 110. The rewriting means is not particularly limited because it does not affect the operation and effect of the embodiment.
In step S611, the control activation unit 113 activates the control unit 110.

  As described above, with the configuration of FIG. 4, the motor control device 100 stores the number of times the door is opened and closed received from the door control device 410 as state information according to the flow shown in FIG. Thereafter, when the motor control device 100 is started, the stored door opening / closing frequency is compared with the door opening / closing frequency received from the door control device 410 again according to the flow shown in FIG. If it is within the specified range, it is determined that no one has entered the vehicle (no access to the control device) between the end of the control device and the actual activation, and the processing time It is possible to start the control unit 110 without performing verification value generation (step S607), implementation of the first determination unit (step S608), and confirmation of the determination result (step S609).

  According to such a vehicle control system, if it can be confirmed that it has not been started for rewriting during the stop or that it has not been started unintentionally by comparing the state information at the time of stop with the state information at the time of start. Since the verification process at the time of activation is omitted, the control device can be activated at a high speed while ensuring security.

  In the second embodiment, the state information is described as the number of times the door control device 410 has the door opened and closed. However, the present invention is not limited to this. Using state information that can indicate access to the vehicle of another control device, the range at the time of verification used in step S606 is appropriately determined to detect that it has not been started unintentionally during stoppage, and verification processing at the time of startup The control device can be started safely and at high speed. In addition, using time information possessed by other control devices, it is possible to detect a restart in a short time by appropriately determining the verification range used in step S606. It is possible to start the control device safely and at high speed by omitting the verification process at the time of starting it is assumed to be secured.

In addition, if the state information is encrypted when stored in the second storage area 121 and is combined when the state information is compared, the possibility that the state information itself will be tampered is reduced, and security is improved. Can be increased.
Further, by encrypting the state information when it is transmitted and received and decrypting it after reception, the possibility that the state information is falsified on the CAN network 400 is reduced, and security can be improved.
In the second embodiment, the CAN network 400 has been described as a communication line. However, the type of network is not limited to this.

  Although the embodiments of the present invention have been described above, the present invention is not limited to the embodiments, and various design changes can be made. Within the scope of the present invention, each embodiment is described. These embodiments can be freely combined, and each embodiment can be modified or omitted as appropriate.

  The present invention can be used not only as a motor control device for a vehicle control system, but also for any control device as a means for verifying a storage area at startup as long as the system includes a control device controlled by an ECU. it can.

  DESCRIPTION OF SYMBOLS 100: Motor control apparatus, 101: Driving motor, 110: Control means, 111: Stop means, 112: Status information acquisition means, 113: Control starting means, 114: Verification value generation means, 115: First determination means, 116: second determination means, 117: counting means, 118: activation mode confirmation means, 119: storage area rewriting means, 120: first storage area, 121: second storage area, 122: third storage area 400: CAN network 401: Data transmission / reception means 410: Door control device 411: Door module 420: Second control means 421: Storage area 422: State detection means 423: Second data transmission / reception means .

Claims (4)

Control means for controlling the controlled object; control activation means for controlling activation of the control means; status information obtaining means for obtaining status information related to control; and data for storing data required for control by the control means. One storage area, a second storage area for storing the state information obtained by the state information obtaining means, a third storage area for storing an expected value generated from the data in the first storage area, A verification value generating means for generating a verification value from the data in the first storage area; and whether to execute the control means from the expected value stored in the third storage area and the verification value by the verification value generation means A first determination means for determining, and a second determination means for determining whether to implement the first determination means from one or more state information,
When stopping the control means, the state information is obtained from the state information obtaining means and stored in the second storage area, and the state information is obtained again before the control means is activated, The determination means determines whether or not to implement the first determination means from the state information at the time of stop and the state information at the time of activation.   The second determination unit of the control device determines not to implement the first determination unit when a difference between the state information at the time of stop and the state information at the time of activation is within a predetermined range. The control device according to claim 1.   The control device according to claim 1, wherein the status information acquisition unit acquires status information from information in the control device.   The control device is connected to another control device via a communication line, and includes a transmission / reception means for performing transmission / reception of data via the communication line, and the state information obtaining means receives state information from another control device by the transmission / reception means. The control device according to claim 1, wherein the control device is obtained.

Images