JP7522547B2 - Information processing device and reset control method - Google Patents

Description

This disclosure relates to an information processing device and a reset control method.

A technology called a watchdog timer (WDT) is used to detect when the system is no longer operating normally due to a software hang-up or the like, and to take measures to recover, such as restarting the system (see, for example, Patent Document 1). A WDT typically uses a timer to count the elapsed time while the system is operating, and when the counter value reaches a threshold, it assumes that an abnormality has occurred in the system and forcibly resets the system. While the system is operating normally, the processor that manages the system periodically outputs a control signal to the WDT to initialize the WDT (for example, clearing the counter value to zero). As a result, the counter value of the WDT will never reach the threshold during normal operation, and the system will not be reset.

Also, a so-called secure boot technology is known in which a program for starting the system is verified to be legitimate (e.g., not tampered with) before the program is executed to start the system. Secure boot technology is being adopted not only in general-purpose computers but also in devices specialized for specific purposes such as multi-function peripherals (MFPs) and printers. By verifying the legitimacy of major programs such as the Basic Input/Output System (BIOS) at the time of system startup, the safe operation of the system can be guaranteed. If the program is determined to be invalid, the system startup is forcibly stopped. The program determined to be invalid can be restored by a method such as overwriting it with a valid program, and the system can then be restarted. Such verification of the legitimacy of the program is usually performed by an auxiliary processor, not by the processor that executes the program.

JP 2009-053952 A

When applying secure boot technology to a system with a WDT, the main processor does not start operating until program verification is successfully completed, so there is a possibility that the control to suppress a system reset will not be able to time out in time. For example, if verification or automatic recovery in the event of a verification failure takes a long time, the system may be forcibly reset due to a WDT timeout, even if the system is ultimately able to start up normally. Such a forced reset will prevent the system from starting up.

Therefore, the purpose of this disclosure is to provide a mechanism for ensuring normal system startup when WDT and secure boot technology are combined.

According to one aspect, there is provided an information processing device comprising: a verification means for verifying the validity of a program; a reset control means for issuing a system reset signal when there is no external access for a predetermined period based on a timer ; and an execution means for executing the program determined to be valid by the verification means, the execution means becoming accessible to the reset control means after the program is started, wherein the verification means outputs a clear signal to the reset control means for clearing the value of the timer before the execution means becomes accessible to the reset control means.

According to this disclosure, when WDT and secure boot technology are combined, it is possible to ensure that the system boots normally.

FIG. 1 is a block diagram showing an example of a schematic configuration of a multifunction peripheral according to an embodiment. FIG. 2 is a block diagram showing an example of a specific configuration of a main CPU according to an embodiment. FIG. 2 is a block diagram showing an example of a specific configuration of a sub-CPU according to an embodiment. FIG. 4 is an explanatory diagram showing an example of a memory map of a flash ROM according to an embodiment; FIG. 4 is a block diagram showing an example of a specific configuration of a reset control unit according to an embodiment. FIG. 11 is a sequence diagram showing an example of a schematic flow of a process at the time of starting up a system according to an embodiment. 10 is a flowchart showing an example of a flow of a process executed by a sub CPU according to an embodiment. 6 is a flowchart showing an example of a flow of processing executed by a main CPU according to an embodiment. 11 is a flowchart showing an example of a process flow executed by a WDT according to an embodiment. 1 is a flowchart showing an example of a flow of a process executed by a reset circuit according to an embodiment. 10 is a flowchart showing an example of a flow of a process executed by a WDT according to one modified example.

The following embodiments are described in detail with reference to the attached drawings. Note that the following embodiments do not limit the invention according to the claims. Although the embodiments describe multiple features, not all of these multiple features are necessarily essential to the invention, and multiple features may be combined in any manner. Furthermore, in the attached drawings, the same reference numbers are used for the same or similar configurations, and duplicate explanations are omitted.

<<1. Example of device configuration>>
<1-1. Overall structure>
In this section, an example in which the technology according to the present disclosure is applied to an MFP will be described. However, the technology according to the present disclosure is not limited to an MFP, and may be applied to any type of information processing device, such as a printer, a scanner, a facsimile, a PC (Personal Computer), a tablet device, and a smartphone. Unless otherwise specified, each of the components such as an apparatus, a device, a module, and a chip described below may be composed of a single entity, or may be composed of multiple physically different entities.

FIG. 1 is a block diagram showing an example of a schematic configuration of a multifunction device 1 according to an embodiment. Referring to FIG. 1, the multifunction device 1 includes a main CPU 101, a DRAM 102, an operation I/F 103, a network I/F 104, a printer 105, a scanner 106, a FAX 107, a HDD 108, and an image processing unit 109. These components of the multifunction device 1 are connected to each other via a signal bus 110. The operation I/F 103 is connected to an operation unit 111. The network I/F 104 is connected to a network I/F flash ROM 112.

The main CPU (Central Processing Unit) 101 is a processor that controls the overall functions of the multifunction device 1. The DRAM (Dynamic Random Access Memory) 102 is a main storage device for the main CPU 101, and temporarily stores programs executed by the main CPU 101 and related data. The operation interface (I/F) 103 is an interface for connecting the operation unit 111 to the signal bus 110. The operation unit 111 is a unit that provides a user interface for the user to operate the multifunction device 1. When the operation unit 111 receives a user operation, such as pressing a button or touching a touch panel, it transmits a corresponding operation signal to the main CPU 101 via the operation I/F 103. In addition, the operation unit 111 displays, for example, information for operation on the screen of a display (not shown). The network I/F 104 is an interface for communication between the multifunction device 1 and an external device. The network I/F 104 may be, for example, a LAN (Local Area Network) interface. The network I/F flash ROM (Read Only Memory) 112 is a non-volatile memory that stores firmware for the operation of the network I/F 104. The printer 105 is a unit that prints an image represented by image data onto a sheet. The scanner 106 is a unit that optically reads an image of an original, converts an optical signal into an electrical signal, and generates scanned image data. The facsimile (FAX) 107 is a unit that is connected to a public line and performs facsimile communication with an external facsimile device. The HDD (Hard Disk Drive) 108 is a so-called secondary storage device. The HDD 108 stores data used by various functions of the multifunction device 1 and programs executed by the main CPU 101 that do not require verification of validity. The HDD 108 may be used as a spool area for spooling print jobs and scan jobs, and as a storage area for storing scanned image data for reuse. The image processing unit 109 is a processing module that converts the image data of a print job received via the network I/F 104 into image data suitable for printing by the printer 105. The image processing unit 109 can further perform image processing such as noise removal, color space conversion, rotation, and data compression on the scanned image data read by the scanner 106. Furthermore, the image processing unit 109 may perform any type of image processing on the image data stored in the HDD 108.

Referring to FIG. 1, the multifunction device 1 further includes a flash ROM 121, a sub-CPU 122, and a power supply control unit 130. The main CPU 101, the flash ROM 121, and the sub-CPU 122 are interconnected via a Serial Peripheral Interface (SPI) bus 120.

The flash ROM 121 is a storage device that stores one or more programs executed by the main CPU 101 and default setting values for basic settings of the multifunction device 1. The programs stored in the flash ROM 121 include, for example, a BIOS program that is executed when the main CPU 101 is started. Some of the programs executed by the main CPU 101 (for example, the operating system (OS) and programs for various applications) may be stored in a storage device other than the flash ROM 121 (for example, the HDD 108 described above).

The sub-CPU 122 is an auxiliary processor that verifies the validity of the program stored in the flash ROM 121 before it is executed by the main CPU 101. If the program has been changed against the intention of the legitimate developer, the verification may determine that the program is not valid. On the other hand, if there is no such change, the program may be determined to be valid. For example, if a third party who has illegally accessed the MFP 1 tampers with the program, the program loses its validity. The program also loses its validity if bits of the program data are rewritten due to deterioration of the device over time. The method of validity verification by the sub-CPU 122 will be described later. If the sub-CPU 122 determines that the program is valid as a result of the verification, it notifies the reset control unit 131 of the power control unit 130 (described later) of the completion of the verification.

The power supply control unit 130 is a unit that controls the supply of power to the modules that make up the MFP1. In the figure, the supply of power from an external commercial AC power source is indicated by a thick arrow, and the supply of power to each module within the MFP1 is simply indicated by dashed arrows. The power supply control unit 130 is also connected to the signal bus 110, allowing access to the control registers of the power supply control unit 130 from a program running on the main CPU 101.

The power supply control unit 130 further includes a reset control unit 131 that controls the reset of the main CPU 101 and the sub-CPU 122. In this embodiment, the reset control unit 131 includes at least a reset circuit 132 and a watchdog timer (WDT) 133, and issues a system reset signal when there is no external access for a predetermined period of time. The reset circuit 132 is connected to the sub-CPU 122 via a reset signal line 134 and one or more additional control signal lines 135, and is connected to the main CPU 101 via a reset signal line 136.

The reset signal line 134 carries a reset control signal output from the reset circuit 132 to the sub-CPU 122. The reset signal line 136 carries a reset control signal output from the reset circuit 132 to the main CPU 101. As an example, the reset control signal has two signal levels, "Lo" or "Hi" (for example, "Lo" can be an electrical signal level corresponding to zero, and "Hi" can be an electrical signal level corresponding to 1). The "Lo" level of the reset control signal means that the CPU to which the signal is output should be reset (disabled), and the "Hi" level means that the CPU should perform normal operation.

For example, when the power of the MFP1 is turned on, the reset circuit 132 switches the signal level of the reset control signal output to the sub-CPU 122 from "Lo" to "Hi". The sub-CPU 122 interprets this switching as an instruction to release the reset. The sub-CPU 122 starts operating in response to the instruction to release the reset, and verifies the validity of the program to be executed by the main CPU 101. During this time, the reset circuit 132 maintains the signal level of the reset control signal output to the main CPU 101 at "Lo". When the program verification by the sub-CPU 122 is completed, the reset circuit 132 switches the signal level of the reset control signal output to the main CPU 101 from "Lo" to "Hi". The main CPU 101 interprets this switching as an instruction to release the reset. The main CPU 101 starts operating in response to the instruction to release the reset, and executes the program determined to be valid by the sub-CPU 122.

The WDT 133 continuously counts time (i.e., keeps time) while the MFP 1 is operating. When the counter value reaches a preset timeout threshold, the WDT 133 instructs the reset circuit 132 to reset the system. In response to the system reset instruction, the reset circuit 132 outputs a reset control signal with a signal level set to "Lo" to the sub-CPU 122 and the main CPU 101. This resets the sub-CPU 122 and the main CPU 101. The reset state (disabled state) of the sub-CPU 122 and the main CPU 101 is maintained for a preset period, after which the reset state of the sub-CPU 122 is released. In this specification, the reset control signal that triggers such a system reset is also referred to as a system reset signal. The reset circuit 132 may also output reset control signals to other modules that constitute the MFP 1 to reset each module.

After the start of a legitimate program verified by the sub-CPU 122, the main CPU 101 can access the WDT 133. For example, while the main CPU 101 is operating by executing a legitimate program, it periodically outputs a clear signal 137 to the reset control unit 131 to clear the counter value of the WDT 133. The output period of the clear signal 137 is shorter than the timeout threshold value for determining the system reset described above. As a result, while the main CPU 101 is operating normally, the execution of the system reset is suppressed. When an abnormality occurs in the main CPU 101, the clear signal 137 is no longer output to the reset control unit 131, and as a result, the reset control unit 131 triggers a system reset in response to a timeout. In other words, when the main CPU 101 has not been operating for a predetermined period of time, the reset control unit 131 resets the sub-CPU 122 and the main CPU 101 based on the time counting by the WDT 133. The clear signal 137 may be, for example, a write signal that writes to a specific control register of the reset control unit 131, or may be a pulse signal that indicates that the counter value should be cleared by a pulse. In response to the input of the clear signal 137 (for example, in response to detecting a write to a specific control register), the WDT 133 clears the counter value to zero and starts counting from zero again.

<1-2. Basic principles>
As described above, in this embodiment, the sub-CPU 122 verifies the validity of the main programs of the MFP 1, thereby protecting the MFP 1 from risks such as program tampering and deterioration. In addition, the MFP 1 has the WDT 133, and can automatically return to a normal state by executing a system reset when an abnormality occurs in the system. However, the main CPU 101 does not start operation and does not output the clear signal 137 to the reset control unit 131 until the program verification by the sub-CPU 122 is completed. Therefore, when it takes a long time to verify the program by the sub-CPU 122, even if the system can finally be started normally, the counter value in the WDT 133 may reach a timeout threshold value and a system reset may be executed. In this case, the program validity verification is restarted from the beginning after the system reset, so the system startup is prolonged. Moreover, a system reset may be performed again during the second verification, and the MFP 1 may not be able to start for a long time. In addition, if the sub-CPU 122 has the function of performing recovery using a recovery version of the program when verification fails, there is also a risk that the copy of the recovery version will be corrupted as a result of writing of the recovery version to the flash ROM 121 being stopped midway.

To avoid or resolve the above-mentioned problem, one possible method is to stop the timekeeping by the WDT 133 until the sub-CPU 122 has completed verifying the validity of the program. However, with this method, if an abnormality occurs in the sub-CPU 122 for some reason, a system reset is not executed, and the MFP 1 is prevented from returning to a normal state. Another possible method is to set the timeout threshold of the WDT 133 to a value large enough to include the processing time for verifying the validity of the program (and for restoring the program when verification fails). However, if the timeout threshold is extended uniformly, the reset when an abnormality occurs in the main CPU 101 will be delayed. Furthermore, if separate timeout thresholds are maintained for the sub-CPU 122 and the main CPU 101, the circuit size of the timer will increase, and the cost of the device will be high in preparation for rare events.

Therefore, in this embodiment, the sub-CPU 122 accesses the WDT 133 before the main CPU 101 can access the WDT 133. More specifically, the sub-CPU 122 outputs a clear signal 140 to the reset control unit 131 to clear the counter value of the WDT 133, for example, before the verification of the program (to be executed by the main CPU 101) is successfully completed. The clear signal 140 may be output periodically, and the output period is shorter than the timeout threshold for determining the above-mentioned system reset. The clear signal 140 may be, for example, a pulse signal having a constant period, a write signal for writing to a specified control register, or a command signal representing a specified control command. The sub-CPU 122 may use an internal counter or timer to synchronize the transmission of the pulse of the clear signal 140 with an output period shorter than the above-mentioned timeout threshold. This configuration makes it possible to prevent unintended system resets from being performed while the sub-CPU 122 is verifying (and recovering) the validity of a program before the main CPU 101 starts operating. In the next section, we will provide a detailed explanation of the configuration of each part for realizing the principles described here.

<<2. Details of each part>>
<2-1. Example of main CPU configuration>
2 is a block diagram showing an example of a specific configuration of the main CPU 101 according to this embodiment. The main CPU 101 includes a CPU core 201, an SPI I/F 202, a bus I/F 203, a reset terminal 204, and a signal bus 209.

The CPU core 201 is a processor core that executes calculations to perform the functions of the main CPU 101. The SPI I/F 202 is an interface (also called an SPI master) for communication between the main CPU 101 and other SPI devices via the SPI bus 120. The bus I/F 203 is an interface for communication between the main CPU 101 and other modules via the signal bus 110. The reset terminal 204 is a terminal that accepts a reset control signal input from the reset circuit 132 via the reset signal line 136. The signal bus 209 interconnects the CPU core 201, the SPI I/F 202, and the bus I/F 203.

In this embodiment, immediately after the power supply of the MFP1 is turned on, the level of the reset control signal received by the reset terminal 204 is "Lo", and the main CPU 101 is maintained in a reset state (disabled state). During this time, the sub-CPU 122 verifies the validity of the program. If the sub-CPU 122 determines that the program is valid, the level of the reset control signal switches to "Hi", and the CPU core 201 starts operating. At the beginning of the operation, the CPU core 201 reads the program stored at a specific address in the flash ROM 121 (determined to be valid by the sub-CPU 122) to the DRAM 102 via the SPI bus 120, and executes the read program. In this embodiment, the program executed by the main CPU 101 may include at least the BIOS program of the MFP1. For example, the main CPU 101 executes the BIOS program to initialize the input/output function of the main CPU 101, and then executes programs such as the OS, drivers for each module, and other applications to start normal operation of the MFP1. During operation, the main CPU 101 outputs a clear signal 137 to the reset control unit 131 via the signal bus 110 at an output period shorter than the timeout threshold value described above, clearing the counter value of the WDT 133. This prevents a system reset from occurring while the MFP 1 is operating normally.

<2-2. Example of sub-CPU configuration>
3 is a block diagram showing an example of a specific configuration of the sub-CPU 122 according to the present embodiment. The sub-CPU 122 includes a CPU core 301, an SPI I/F 302, a general-purpose input/output terminal 303, an OTP 304, an SRAM 305, a reset terminal 306, a cryptographic processing unit 308, a signal bus 309, a boot ROM 310, a cryptographic RAM 311, and a timer circuit 312.

The CPU core 301 is a processor core that executes calculations to perform the functions of the sub-CPU 122. The SPI I/F 302 is an interface (also called an SPI master) for communication between the sub-CPU 122 and other SPI devices via the SPI bus 120. The general-purpose input/output terminal (GPIO) 303 is a terminal to which the control signal line 135 used for communication between the sub-CPU 122 and the reset control unit 131 is connected. In the example of FIG. 3, two control signal lines 135a and 136b are shown. For example, the first control signal line 135a carries a verification completion notification signal output from the sub-CPU 122 to the reset control unit 131 when the program verification is successfully completed. The second control signal line 135b carries the above-mentioned clear signal 140. These signals may be carried by a single common signal line. The OTP (One Time Programmable) 304 is a memory area that can be written only once at the time of manufacture and cannot be rewritten. In this embodiment, an encrypted hash value (i.e., a signature) obtained by encrypting a hash value of the firmware of the sub-CPU 122 with a private key of a public key cryptosystem and an address of a tag described later can be written in advance to the OTP 304. The SRAM 305 is a so-called cache memory of the sub-CPU 122, and can be used by the CPU core 301 as a work memory for calculations. The reset terminal 306 is a terminal that receives a reset control signal input from the reset circuit 132 via a reset signal line 134. The cryptographic processing unit 308 is a processor dedicated to cryptographic processing that supports signature verification by the sub-CPU 122. For example, the cryptographic processing unit 308 restores the legitimate hash values of the firmware of the sub-CPU 122 and the program of the main CPU 101 by decrypting the signatures. The cryptographic processing unit 308 may perform a hash calculation to derive a hash value from program data. The signal bus 309 interconnects the CPU core 301, SPI I/F 302, GPIO 303, OTP 304, SRAM 305, cryptographic processing unit 308, boot ROM 310, cryptographic RAM 311, and timer circuit 312. The boot ROM 310 is a storage device that prestores a boot program (also called boot code) for the sub-CPU 122. The cryptographic RAM 311 is a memory dedicated to cryptographic processing, temporarily storing data that is processed by the cryptographic processing unit 308 and requires high confidentiality. The timer circuit 312 is a circuit that keeps time while the sub-CPU 122 is operating.

In this embodiment, when the power of the MFP1 is turned on, the level of the reset control signal received by the reset terminal 306 switches from "Lo" to "Hi", and the CPU core 301 starts operating. At the beginning of this operation, the CPU core 301 reads its own boot program from the boot ROM 310 to the SRAM 305, and executes the read boot program. The CPU core 301 further reads one or more programs to be verified for validity from the flash ROM 121, and verifies the validity of the read programs. In this embodiment, the programs to be verified for validity include at least the BIOS program of the MFP1. Furthermore, the programs to be verified for validity may include firmware for the operation of the sub-CPU 122.

Figure 4 is an explanatory diagram showing an example of a memory map of the flash ROM 121 according to this embodiment. As shown in Figure 4, the flash ROM 121 stores in advance a main CPU program 401, a signature 402, a Tag 403, a sub-CPU firmware 404, a signature 405, and a ROM-ID 406. The main CPU program 401 is, for example, a BIOS program executed when the main CPU 101 is booted. The signature 402 is a signature (for example, an RSA signature) for verifying the validity of the main CPU program 401. The signature 402 may be derived in advance by encrypting the hash value of the (legitimate) main CPU program 401 and stored in the flash ROM 121. The Tag 403 is data indicating the top address of the storage area in which the sub-CPU firmware 404 is stored. The address of the Tag 403 is stored in the OTP 304 as described above. Sub-CPU firmware 404 is firmware that includes program code executed by CPU core 301. Signature 405 is a signature (e.g., an ECDSA signature) for verifying the validity of sub-CPU firmware 404. Signature 405 may be derived in advance based on the entire (legitimate) sub-CPU firmware 404 or a specific portion at the beginning, and stored in flash ROM 121. ROM-ID 406 is data that includes the beginning address of the memory area in which main CPU program 401 is stored, the size of that memory area, and the address of signature 402.

FIG. 4 shows an example in which only one set of programs and signatures for the main CPU is stored in the flash ROM 121. However, the flash ROM 121 is not limited to this example, and may store multiple sets of programs and signatures for the main CPU. Similarly, FIG. 4 shows an example in which only one set of firmware and signatures for the sub-CPU is stored in the flash ROM 121. However, the flash ROM 121 is not limited to this example, and may store multiple sets of firmware and signatures for the sub-CPU. Also, as an example, an example in which signature 402 is an RSA signature and signature 405 is an ECDSA signature has been described here, but each signature may be based on any type of digital signature method, such as an RSA signature, a DSA signature, or an ECDSA signature.

In this embodiment, while the CPU core 301 of the sub-CPU 122 is verifying the validity of the program, it outputs the clear signal 140 to the reset control unit 131 via the GPIO 303 at an output period shorter than the above-mentioned timeout threshold. The output period of the clear signal 140 can be controlled, for example, according to the time measurement by the timer circuit 312. This suppresses system reset. The timer circuit 312 may count from zero to an upper limit value (corresponding to the output period of the clear signal) periodically without stopping, like a free-running timer. Alternatively, the timer circuit 312 may stop counting when the counter value reaches the upper limit value and resume counting after the clear signal 140 is output. Note that a software timer operating on the CPU core 301 may be used instead of the timer circuit 312.

When it is determined that all programs to be verified are valid based on the digital signature method as described with reference to FIG. 4, the CPU core 301 stops the periodic output of the clear signal 140. At the same time, the CPU core 301 outputs a verification completion notification signal to the reset control unit 131 via the GPIO 303. In response to this, the reset of the main CPU 101 can be released as described above.

<2-3. Example of the configuration of the reset control unit>
5 is a block diagram showing an example of a specific configuration of the reset control unit 131 according to the present embodiment. The reset control unit 131 includes a reset circuit 132, a timer control unit 501, a timer circuit 502, and a bus I/F 503. The timer control unit 501 and the timer circuit 502 configure the WDT 133 shown in FIG.

The timer control unit 501 is a controller that determines whether a timeout has occurred based on the time measured by the timer circuit 502, and clears the counter value of the timer circuit 502. The timer circuit 502 is a circuit that increments the counter value over time. The bus I/F 503 is an interface for communication between the reset control unit 131 and other modules via the signal bus 110.

The timer circuit 502 initializes the counter value to zero and starts timing in response to the start of power supply to the reset control unit 131 or the release of the reset. The timer control unit 501 monitors the counter value of the timer circuit 502, and determines that a timeout has occurred when the counter value reaches a preset timeout threshold. When it determines that a timeout has occurred, the timer control unit 501 outputs a timeout signal to the reset circuit 132 to instruct a system reset. After outputting the timeout signal, the timer control unit 501 clears the counter value of the timer circuit 502 to zero and causes the timer circuit 502 to resume timing.

In addition, when a clear signal is input from the main CPU 101 or the sub CPU 122, the timer control unit 501 clears the counter value of the timer circuit 502 to zero. As described above, each clear signal may be realized by any method, such as a pulse of a pulse signal or writing a control value to a predetermined control address. In this embodiment, while the sub CPU 122 is verifying the validity of the program, the sub CPU 122 may periodically input a clear signal 140 to the timer control unit 501. When the sub CPU 122 determines that the program is valid, the reset circuit 132 releases the reset of the main CPU 101 in response to the input of the verification completion notification signal. Thereafter, the input of the clear signal 140 from the sub CPU 122 is stopped, and instead, the main CPU 101 may periodically input a clear signal 137 to the timer control unit 501. If these clear signals are not input for the period represented by the above-mentioned timeout threshold, the counter value reaches the timeout threshold without being cleared. Then, the timer control unit 501 assumes that some abnormality has occurred in the system, and outputs a timeout signal to the reset circuit 132. The timer control unit 501 may start monitoring the second clear signal from the main CPU 101 (e.g., monitoring the value indicated by a specific control register) when the verification completion notification signal is input.

<<3. Processing flow>>
<3-1. Processing at system startup>
Fig. 6 is a sequence diagram showing an example of a schematic flow of processing at system startup of the MFP 1 according to this embodiment. In addition to the user who operates the MFP 1, the power supply control unit 130, the WDT 133, the reset circuit 132, the sub-CPU 122, and the main CPU 101 of the MFP 1 are involved in the processing shown in Fig. 6. In the following description, processing steps are abbreviated as S (step).

First, in S601, the power supply control unit 130 accepts a user operation to start up the MFP1 via the operation unit 111. In response to this user operation, in S602, the power supply control unit 130 starts distributing power supplied from a commercial AC power source to each module. The reset circuit 132 outputs a reset control signal indicating a "Lo" level to the sub-CPU 122 and the main CPU 101.

In S603, the WDT 133 starts timing using the timer circuit 502 in response to the start of power supply. In S604, the reset circuit 132 switches the signal level of the reset control signal output to the sub-CPU 122 to "Hi" to release the reset of the sub-CPU 122.

In S605, the sub CPU 122 starts timing using the timer circuit 312 in response to reset release. In parallel, in S606, the sub CPU 122 verifies the authenticity of the sub CPU firmware 404. Here, it is assumed that the sub CPU firmware 404 is determined to be authentic. Next, in S610, the sub CPU 122 verifies the authenticity of the main CPU program 401 (e.g., the BIOS program).

While the sub-CPU 122 is thus verifying the validity of the program, in S611, the counter value of the timer circuit 312 may reach a threshold value representing the output period of the first clear signal. Then, in S612, the sub-CPU 122 outputs the first clear signal to the WDT 133 (the counter value of the timer circuit 312 may be cleared here). In S613, in response to the input of the first clear signal, the WDT 133 clears the counter value of the timer circuit 502, and then resumes timekeeping by the timer circuit 502.

In the example of FIG. 6, the sub-CPU 122 continues to verify the validity of the main CPU program 401. At S621, the counter value of the timer circuit 312 may again reach the threshold value representing the output period of the first clear signal. Then, at S622, the sub-CPU 122 outputs the first clear signal to the WDT 133 (the counter value of the timer circuit 312 may also be cleared here). At S623, in response to the input of the first clear signal, the WDT 133 clears the counter value of the timer circuit 502, and then resumes timekeeping by the timer circuit 502.

At a certain point, the sub-CPU 122 finishes verifying the validity of the main CPU program 401. Here, it is assumed that the main CPU program 401 is also determined to be valid. Then, in S631, the sub-CPU 122 outputs a verification completion notification signal to the reset circuit 132. Then, in S632, the sub-CPU 122 transitions to a sleep state.

In S633, in response to assertion of the verification completion notification signal, the reset circuit 132 switches the signal level of the reset control signal output to the main CPU 101 to "Hi" to release the reset of the main CPU 101.

In S641, the main CPU 101 executes the main CPU program 401 (e.g., a BIOS program) read from the flash ROM 121 in response to reset release. In addition, in S642, the main CPU 101 starts timing. Here, it is assumed that the main CPU 101 uses a software timer. In S643, the main CPU 101 starts the OS by executing the OS program read from the HDD 108. Although not shown in FIG. 6, drivers and other applications for each module may also be started in response to the start of the OS.

While the main CPU 101 is executing the program in this manner, in S651, the timer counter value may reach a threshold value representing the output period of the second clear signal. Then, in S652, the main CPU 101 outputs the second clear signal to the WDT 133. In S653, in response to the input of the second clear signal, the WDT 133 clears the counter value of the timer circuit 502, and then resumes timekeeping by the timer circuit 502.

In such a sequence, for example, if an abnormality occurs in the sub-CPU 122 by S631 and the periodic output of the first clear signal stops, the timer circuit 502 of the WDT 133 may time out because the counter value is not cleared. Also, if an abnormality occurs in the main CPU 101 after S641 and the periodic output of the second clear signal stops, the timer circuit 502 of the WDT 133 may time out because the counter value is not cleared. Once a timeout occurs in the WDT 133, the timer control unit 501 of the WDT 133 instructs the reset circuit 132 to perform a system reset, and the reset circuit 132 resets the main CPU 101 and the sub-CPU 122 accordingly. For example, the main CPU 101 and the sub-CPU 122 are maintained in a reset state for a preset period, and then the reset of the sub-CPU 122 is released, and the processing steps from S604 onwards described above are executed again.

<3-2. Processing by sub-CPU>
FIG. 7 is a flowchart showing an example of the flow of processing executed by the sub-CPU 122 according to this embodiment.

First, in S701, the sub-CPU 122 reads the boot program from the boot ROM 310 immediately after starting up, and executes the read boot program. As a result, the sub-CPU firmware 404 and the signature 405 are read from the flash ROM 121 to the SRAM 305 via the SPI bus 120.

Next, in S702, the sub CPU 122 verifies the authenticity of the sub CPU firmware 404. For example, the cryptographic processing unit 308 decrypts the signature 405 with a public key pre-stored in the OTP 304 to derive a hash value of the authentic sub CPU firmware 404. The cryptographic processing unit 308 also calculates a hash value from the program data of the sub CPU firmware 404. If these hash values match, the sub CPU firmware 404 is determined to be authentic (not tampered with and not changed due to deterioration over time). On the other hand, if the hash values do not match, the sub CPU firmware 404 is determined to be invalid because it has been changed contrary to the developer's intentions.

Then, in S703, the process branches depending on the result of the verification of the validity of the sub-CPU firmware 404. If it is determined that the sub-CPU firmware 404 is valid, the process proceeds to S704. On the other hand, if it is determined that the sub-CPU firmware 404 is not valid, the process proceeds to S709.

At S704, the sub-CPU 122 reads the sub-CPU firmware 404 into the SRAM 305 and executes it. Next, at S705, the sub-CPU 122 operates according to the sub-CPU firmware 404, and reads the BIOS program 401 and the signature 402 from the flash ROM 121 into the SRAM 305 based on an address derived from the ROM-ID 406. Next, at S706, the sub-CPU 122 verifies the authenticity of the BIOS program 401. For example, the encryption processing unit 308 decrypts the signature 402 with a public key to derive a hash value of the authentic BIOS program 401. The encryption processing unit 308 also calculates a hash value from the program data of the BIOS program 401. If these hash values match, it is determined that the BIOS program 401 is authentic (has not been tampered with and has not changed due to deterioration over time). On the other hand, if the hash values do not match, the BIOS program 401 is determined to be invalid because it has been altered contrary to the developer's intentions.

The process thereafter branches depending on the result of the verification of the validity of the BIOS program 401 in S707. If it is determined that the BIOS program 401 is valid, the process proceeds to S708. In S708, the sub-CPU 122 controls the GPIO 303 to assert a verification completion notification signal, thereby notifying the reset control unit 131 of the completion of verification. Then, the process proceeds to S709. On the other hand, if it is determined that the BIOS program 401 is not valid, the process proceeds to S709 without executing S708.

While executing steps S702 to S708 described above, the sub-CPU 122 continues to periodically output a first clear signal to the reset control unit 131. Specifically, first, the sub-CPU 122 starts the timer circuit 312. The port of the GPIO 303 is initialized, and for example, the signal level of the verification completion notification signal is set to "Lo". Then, the timer circuit 312 increments the counter value, causing the timer to proceed.

For example, in response to an interrupt from the timer circuit 312, the sub-CPU 122 determines whether the output period of the first clear signal has elapsed. If the output period of the first clear signal has elapsed, the sub-CPU 122 controls the GPIO 303 to output the first clear signal to the reset control unit 131 and clears the counter value of the timer circuit 312.

In S709, the sub-CPU 122 transitions to a sleep state to conserve power. In the sleep state, the sub-CPU 122 does not output (or assert) the first clear signal. The sleep state of the sub-CPU 122 may be maintained until a system reset of the MFP 1 is executed. However, in order to reuse the sub-CPU 122 for purposes other than verifying the validity of the program, the sub-CPU 122 may not be transitioned to the sleep state, or the sub-CPU 122 that has once transitioned to the sleep state may return to the normal state (e.g., in response to an interrupt signal).

In the example shown in FIG. 7, if the sub-CPU 122 fails to verify the validity of the program, it immediately transitions to a sleep state in S709. As a result, the clear signal is no longer input to the reset control unit 131, a WDT timeout occurs, and the sub-CPU 122 and main CPU 101 are reset. With this configuration, the program code of the sub-CPU firmware 404 can be minimized. If the sub-CPU 122 transitions to a sleep state in S709 after S708, the main CPU 101 outputs a second clear signal to the reset control unit 131, so a system reset is not performed unless an abnormality occurs in the main CPU 101.

<3-3. Processing by the main CPU>
FIG. 8 is a flowchart showing an example of the flow of processing executed by the main CPU 101 according to this embodiment.

First, in S801, the main CPU 101 reads the BIOS program from the flash ROM 121 to the DRAM 102 in response to reset release. Next, in S802, the main CPU 101 executes the read BIOS program. This initializes the basic input/output functions of the main CPU 101.

Next, in S803, the main CPU 101 reads out the program that constitutes the OS from the HDD 108 to the DRAM 102. Next, in S804, the main CPU 101 executes the read out program to start up the OS of the MFP1. Next, in S805, the main CPU 101 initializes each of the modules of the MFP1 (e.g., the operation I/F 103, the network I/F 104, the printer 105, the scanner 106, the FAX 107, and the image processing unit 109) to set up the MFP1. As a result, in S806, the MFP1 is able to perform normal operation. The operation of the MFP1 continues until, for example, an instruction to end the operation of the MFP1 is given through a user operation (S807).

While executing the above-mentioned steps S802 to S806, the main CPU 101 continues to periodically output the second clear signal to the reset control unit 131. Specifically, first, the main CPU 101 starts a software timer. The software timer progresses by incrementing a counter value, which is an internal variable. When the main CPU 101 determines that the output period of the second clear signal has elapsed, it outputs a second clear signal to the reset control unit 131 and writes a predetermined value (e.g., "1") to a control register (e.g., a WDT clear register) of the reset control unit 131. At the same time, the main CPU 101 clears the counter value of the software timer. When the operation of the MFP 1 ends in S808 (or when some abnormality occurs in the main CPU 101), the output of the second clear signal stops.

<3-4. WDT Processing>
FIG. 9 is a flowchart showing an example of the flow of processing executed by the WDT 133 according to this embodiment.

First, in S901, the WDT 133 starts the timer circuit 502 in response to the start of power supply, and causes the timer circuit 502 to start timing. In S902, the timer progresses, that is, the timer circuit 502 increments the counter value. In S903, the WDT 133 waits for a notification of the completion of verification from the sub-CPU 122.

Until the sub-CPU 122 notifies the WDT 133 that verification is complete, in S904, the WDT 133 monitors the input of a first clear signal from the sub-CPU 122. If the first clear signal is input from the sub-CPU 122, in S905, the WDT 133 clears the counter value of the timer circuit 502 and restarts timing from zero. Processing then returns to S902. If the first clear signal is not input from the sub-CPU 122, in S906, the WDT 133 determines whether the counter value of the timer circuit 502 has reached the timeout threshold. If the counter value has not reached the timeout threshold, processing returns to S902. If the counter value has reached the timeout threshold, processing proceeds to S920.

When the sub-CPU 122 notifies the WDT 133 of the completion of the verification, the WDT 133 starts monitoring the clear control by the main CPU 101 in S911. In S912, the timer continues to proceed. In S913, the WDT 133 monitors the input of a second clear signal from the main CPU 101 (e.g., writing to the WDT clear register). If the second clear signal is input from the main CPU 101, the WDT 133 clears the counter value of the timer circuit 502 in S914 and restarts the time measurement from zero. Thereafter, the process returns to S912. If the second clear signal is not input from the main CPU 101, the WDT 133 determines in S915 whether the counter value of the timer circuit 502 has reached the timeout threshold. If the counter value has not reached the timeout threshold, the process returns to S912. If the counter value has reached the timeout threshold, the process proceeds to S920.

At S920, the WDT 133 determines that an abnormality has occurred in the MFP 1 (sub-CPU 122 or main CPU 101) and instructs the reset circuit 132 to perform a system reset.

<3-5. Processing by the reset circuit>
FIG. 10 is a flowchart showing an example of the flow of processing executed by the reset circuit 132 according to the present embodiment.

First, in S1001, the reset circuit 132 releases the reset of the sub-CPU 122 in response to the start of power supply. Next, in S1002, the reset circuit 132 waits for a notification of the completion of verification from the sub-CPU 122. If the sub-CPU 122 does not notify the completion of verification, in S1003, the reset circuit 132 determines whether a system reset has been instructed by the WDT 133. If a system reset has been instructed, the process proceeds to S1020. On the other hand, if a system reset has not been instructed, the process returns to S1002.

When the sub-CPU 122 notifies the main CPU 101 that the verification is complete, in S1011 the reset circuit 132 releases the reset of the main CPU 101. Next, in S1012, the reset circuit 132 waits for a system reset instruction from the WDT 133. When a system reset instruction is received, the process proceeds to S1020.

At S1020, the reset circuit 132 resets the main CPU 101 and the sub-CPU 122 (issues a system reset signal) because a system reset has been instructed from the WDT 133 (for example, a timeout signal has been input).

The reset control described using Figures 9 and 10 prevents unnecessary system resets from being performed due to a WDT timeout while the sub-CPU 122 is verifying the validity of the program. In addition, the sub-CPU 122 periodically clears the WDT counter value before the validity verification is completed, and the main CPU 101 periodically clears the WDT counter value after the verification is completed, eliminating the need to switch the timeout threshold in the WDT and maintaining the simple configuration of the WDT.

<<4. Modifications>>
The present invention is not limited to the above embodiment, and various modifications are possible. For example, in the above embodiment, the sub CPU 122 periodically outputs the first clear signal, and the WDT 133 clears the counter value of the timer circuit 502 each time the first clear signal is input. In contrast, in one modification, the sub CPU 122 may output the first clear signal only once, and the WDT 133 may stop the timer circuit 502 from timing in response to the input of the first clear signal. The timer circuit 502 may resume timing, for example, after the program validity is successfully verified. According to such a modification, the sub CPU 122 does not need to output a periodic signal, and the size of the sub CPU firmware 404 can be reduced. An example of the flow of the process executed by the WDT 133 according to this modification is shown in FIG. 11.

First, in S1101, the WDT 133 starts the timer circuit 502 in response to the start of power supply, and causes the timer circuit 502 to start timing. In S1102, the timer progresses, that is, the timer circuit 502 increments the counter value. In S1103, the WDT 133 waits for a notification of the completion of verification from the sub-CPU 122.

Until the sub-CPU 122 notifies the WDT 133 that verification is complete, the WDT 133 monitors the input of the first clear signal from the sub-CPU 122 in S1104. When the first clear signal is input from the sub-CPU 122, the WDT 133 clears the counter value of the timer circuit 502 in S1105, and stops timing in S1106. Thereafter, the WDT 133 continues to wait for the sub-CPU 122 to notify the WDT 133 that verification is complete.

If the first clear signal is not input from the sub-CPU 122, the WDT 133 determines in S1108 whether the counter value of the timer circuit 502 has reached the timeout threshold. If the counter value has not reached the timeout threshold, the process returns to S1102. If the counter value has reached the timeout threshold, the process proceeds to S1120. Note that the determination in S1108 does not need to be made if the timing has been stopped in S1106.

When the sub-CPU 122 notifies the WDT 133 of the completion of the verification, the WDT 133 starts monitoring the clear control by the main CPU 101 in S1111. If the timekeeping was stopped in S1106, the WDT 133 restarts the timekeeping in response to the notification of the completion of the verification. In S1112, the timer progresses. In S1113, the WDT 133 monitors the input of a second clear signal from the main CPU 101 (e.g., writing to the WDT clear register). If the second clear signal is input from the main CPU 101, the WDT 133 clears the counter value of the timer circuit 502 in S1114 and restarts the timekeeping from zero. The process then returns to S1112. If the second clear signal is not input from the main CPU 101, the WDT 133 determines in S1115 whether the counter value of the timer circuit 502 has reached the timeout threshold value. If the counter value has not reached the timeout threshold, processing returns to S1112. If the counter value has reached the timeout threshold, processing proceeds to S1120.

At S1120, the WDT 133 determines that an abnormality has occurred in the MFP 1 (sub-CPU 122 or main CPU 101), and instructs the reset circuit 132 to perform a system reset.

In another modified example, when the sub-CPU 122 determines that the program to be verified is not valid, the sub-CPU 122 may use a recovery version of the program to recover the program. Such a recovery version of the program is also called a golden master. The golden master is stored in advance, for example, in a protected area (unrewritable area) of a ROM accessible by the sub-CPU 122. When the program verification fails, the sub-CPU 122 overwrites the program that has failed verification with the golden master instead of going into a sleep state. After that, a system reset is performed, so that the MFP 1 can be started normally using the recovered program. In this modified example, even while the sub-CPU 122 is recovering the program, the sub-CPU 122 periodically outputs a first clear signal to the reset control unit 131 to clear the counter value of the WDT. This makes it possible to avoid a system reset being performed during the recovery of the program using the golden master, and to prevent problems such as unnecessary re-execution of the system reset and damage to the program.

In another modified example, the reset control unit 131 counts the number of times the first clear signal is input from the sub-CPU 122, and if the number of times exceeds a threshold, it is not necessary to clear the counter value of the WDT in response to the input of the first clear signal. With this configuration, if a malfunction occurs in which the first clear signal is output but verification is not completed and the system does not start due to, for example, the processing in the sub-CPU 122 falling into an infinite loop, a system reset can be forcibly executed to resolve the malfunction.

In yet another variation, the reset control unit 131 may request the sub-CPU 122 to output a first clear signal before the WDT times out. If the sub-CPU 122 itself is not abnormal, it may output the first clear signal to the reset control unit 131 in response to the request from the reset control unit 131. With this configuration, if the output of the first clear signal is delayed in the sub-CPU 122 for some reason but program verification is expected to end successfully, it is possible to avoid a system reset and help start up the system.

Note that the signal format of any of the signals mentioned above may be different from that described. For example, the polarity or signal level ("Hi" or "Lo") of each signal may be reversed from that of the described example. Also, instead of being included in the power supply control unit 130, the reset control unit 131 may be connected to the signal bus 110 as a module independent of the power supply control unit 130. Also, some of the components of the MFP1 may be integrated into a system on chip (SoC).

<<5. Summary>>
Up to this point, the embodiment of the present disclosure has been described in detail with reference to Figures 1 to 10. In the above-described embodiment, in an information processing device in which an execution means executes a program determined to be valid by a verification means, before the execution means can access a timer (WDT) for reset control, the verification means accesses the WDT and clears the counter value. When the counter value reaches a predetermined timeout threshold, the WDT resets the verification means and the execution means. With this configuration, it is possible to prevent the WDT from timing out before the auxiliary processor (verification means) completes the verification of the validity of the program before the main processor (execution means) operates. As a result, a system reset is not triggered while the verification is proceeding normally, so that it is possible to ensure normal startup of the system.

In the above-described embodiment, the verification means may periodically clear the counter value of the WDT with an output period shorter than the timeout threshold. With this configuration, it is possible to combine secure boot technology with a system having a WDT without significantly changing the configuration of an existing WDT that references a single counter value, and without impeding system startup. Furthermore, if an abnormality occurs in the verification means, the abnormality can be captured by the WDT timeout, and a system reset can be performed.

In addition, in the above-described embodiment, the verification means may stop the periodic output of a clear signal for clearing the counter value of the WDT when it is determined that the program is valid. With this configuration, the counter value of the WDT is not cleared by the verification means after the execution means starts operating, so that even an abnormality in the execution means, which is the main processor, can be properly captured by the WDT.

In addition, in the above-described embodiment, when the verification means determines that the program is valid, the verification means notifies the reset control means of the completion of verification of the program, and in response to the notification, monitoring of the clear signal from the execution means in the WDT can be started. With this configuration, the WDT only needs to monitor the clear signal from the verification means before the notification of the completion of verification, and only the clear signal from the execution means after the notification of the completion of verification, thereby making it possible to avoid an increase in the operational load of the WDT.

<<6. Other embodiments>>
The above-described embodiment can also be realized in the form of a process in which a program for realizing one or more functions is supplied to a system or device via a network or a storage medium, and one or more processors in a computer of the system or device read and execute the program. Also, the embodiment can be realized by a circuit (e.g., ASIC) for realizing one or more functions.

The present invention is not limited to the above-described embodiments, and various modifications and variations are possible without departing from the spirit and scope of the invention. Therefore, the following claims are appended to disclose the scope of the invention.

1: MFP (information processing device), 101: main CPU (execution means), 122: sub CPU (verification means), 131: reset control unit, 133: WDT (timer), 137: second clear signal, 140: first clear signal

Claims (12)

A verification means for verifying the correctness of the program;
a reset control means for issuing a system reset signal when there is no access from outside for a predetermined period based on a timer ;
an execution means for executing the program determined to be valid by the verification means, the execution means being able to access the reset control means after the program is started;
Equipped with
the verification means outputs a clear signal to the reset control means for clearing the value of the timer before the execution means becomes accessible to the reset control means.
Information processing device. 2. An information processing device according to claim 1, wherein the verification means periodically outputs the clear signal to the reset control means at an output cycle shorter than the predetermined period, causing the reset control means to clear the value of the timer. 3. The information processing apparatus according to claim 2, wherein said verification means stops the periodic output of said clear signal when said program is determined to be valid. 4. The information processing device according to claim 2,
when the verification means determines that the program is valid, the verification means notifies the reset control means of completion of the verification of the program;
the reset control means, in response to the notification of the completion of the verification from the verification means, starts monitoring a clear signal output from the execution means which is different from the clear signal from the verification means .
Information processing device. 5. An information processing device according to claim 4, wherein the execution means, during operation, outputs the different clear signal to the reset control means at an output period shorter than the predetermined period, causing the reset control means to clear the value of the timer. 6. An information processing device according to claim 2, wherein the reset control means counts the number of times the clear signal is input from the verification means, and if the number of times the input exceeds a threshold value, the reset control means does not clear the value of the timer in response to the input of the clear signal. 4. An information processing device according to claim 2 or 3, wherein the reset control means requests the verification means to output the clear signal, and issues the system reset signal when the clear signal is not input from the verification means in response to the request. 8. An information processing apparatus according to claim 1,
When the verification means determines that the program is not authentic, the verification means recovers the program using a recovery version of the program;
the verification means outputs the clear signal to the reset control means while the program is being restored.
Information processing device. 2. The information processing apparatus according to claim 1 , wherein the reset control means clears the value of the timer and stops the time measurement based on the timer in response to the input of the clear signal. The information processing device according to claim 9,
when the verification means determines that the program is valid, the verification means notifies the reset control means of completion of the verification of the program;
the reset control means restarts the timekeeping in response to the notification of the completion of the verification from the verification means.
Information processing device. An information processing device according to any one of claims 1 to 10, wherein the program includes a BIOS (Basic Input/Output System) program of the information processing device. A verification means for verifying the correctness of the program;
a reset control means for issuing a system reset signal when there is no access from outside for a predetermined period based on a timer ;
an execution means for executing the program determined to be valid by the verification means, the execution means being able to access the reset control means after the program is started;
A reset control method performed in an information processing device comprising:
said verifying means outputting a clear signal to said reset control means for clearing the value of said timer before said executing means becomes accessible to said reset control means;
A reset control method comprising:

Images