WO2013064540A1 - Radio module - Google Patents

Radio module Download PDF

Info

Publication number
WO2013064540A1
WO2013064540A1 PCT/EP2012/071566 EP2012071566W WO2013064540A1 WO 2013064540 A1 WO2013064540 A1 WO 2013064540A1 EP 2012071566 W EP2012071566 W EP 2012071566W WO 2013064540 A1 WO2013064540 A1 WO 2013064540A1
Authority
WO
Grant status
Application
Patent type
Prior art keywords
radio
software
module
radio transceiver
computer
Prior art date
Application number
PCT/EP2012/071566
Other languages
French (fr)
Inventor
Mats Iderup
Björn STRANDMARK
Original Assignee
Mikrodust Ab
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode

Abstract

The present application relates to radio module (33) comprising a radio transceiver (43) and a computer (36) arranged to control the radio transceiver (43), wherein the computer (36) comprises a radio transceiver driver (55), by which the computer (36) is arranged to control the radio transceiver (43); and a regulatory monitoring module (50) adapted to restrict the access to the radio transceiver driver (55) for untrusted software being executed in a user space execution state (53), by monitoring that the untrusted software does not attempt to utilize the radio transceiver (43), via the radio transceiver driver (55), in such manner that a configurable parameter of a predetermined regulatory standard is violated. The present application also relates to the use of such a radio module (33), and a method for controlling such a radio module (33).

Description

RADIO MODULE

TECHNICAL FIELD

The present application relates to the field of radio modules, and in particular to the field of controlling radio modules.

BACKGROUND OF THE INVENTION

For many years, various electronic devices with low power radio capabilities have been available to users to facilitate and simplify everyday life. Common to these devices and known technology is that they include a radio and at least one computing device with one or more software modules. The software in electronic devices with low power radio capabilities can often be divided in different software modules such as application, protocol stack, radio driver, serial drivers, platform software etc.

Unlicensed RF products are often referred to as ISM-band products in the US and SRD products in the EU. ISM is short for the Industrial, Scientific, and Medical frequency bands, and SRD is an abbreviation of Short-Range Devices. A device of this type includes several components and typically at least one computing device and one radio device.

Examples of currently existing devices comprising these components are wireless alarm systems, wireless networks for home and office, cordless phones, wireless systems for automation in the home and industry, wireless headphones, wireless metering, toys and many other products comprising radio for wireless transmission of information.

Units of the above types comply to different standards and protocol such as Bluetooth, Bluetooth low energy, ZigBee, ZigBee Pro, Wireless HART, Wi-Fi, IEEE 802.1 1 , IEEE 802.15.4, Dash-7, DLMS/COSEM,

Wireless MBUS, Z-Wave, Wireless KNX , DECT, DECT 6.0, IMS, DECT ULE, 6L0WPAN, ANT, etc. but also a variety of proprietary radio protocols exist.

Common to all above devices and all above radio protocol standards is that the units having some form of radio must meet strict regulations and laws and be approved by the appropriate regulatory authorities regarding how the radio use and exploit the non-infinite natural resource that the radio frequency spectrum is.

In order to use the frequency spectrum in an efficient way regulatory agencies place limitations on e.g. the operating frequencies, output power, spurious emissions, modulation methods, transmit duty cycles, among other things for these electronic devices.

Depending on where geographically a product is sold and used, these radio-specific directives and general essential requirements are set by local authorities and adapted to local conditions. For example, in the United States (U.S.), the "Code of Federal Regulation (FCC), Title 47, Part 5" must be followed, and in the European Community (EU), the "R&TTE Directive 1999/5/EC" and specifically Article 3.2 must be followed.

"Code of Federal Regulation (FCC), Title 47, Part 15" applies to radio frequency devices operating at unlicensed frequencies and is often

colloquially referred to as Title 47 CFR Part 15.

Title 47 CFR Part 15 consists of several sub-parts and specifies requirements such as Spurious Emission Limits and Restricted Frequency Bands, Enhanced Emission Limits for Control and Periodic Applications, Operation in the 902-928 MHz Band, Operation in the 1910 - 1930 MHz band, Operation in the 2.4 - 2.4835 GHz band, Operation in the 5.15 - 5.35 GHz band, Operation in the 5.725 - 5.825 GHz band, Compliance Testing and approval process etc. Title 47 CFR Part 15 consists of all requirements needed for defining how radio frequency devices should be operating at unlicensed frequencies to be able to follow US standards. The latest version of the Title 47 CFR Part 15 can be found at the web site: www.fcc.gov.

Every electronic device sold inside the United States must be subject to compliance testing and reviewed to comply with Title 47 CFR Part 15 before it can be advertised or sold in the US market. If the product is approved, the FCC will issue an identification number and the final product has to be marked with a FCC identification label.

How the R&TTE Directive 1999/5/EC and specifically Article 3.2 shall be interpreted in the European countries and the actual standards to follow are decided by different European standardization bodies such as CEPT and ETSI.

European Conference of Postal and Telecommunications

Administrations (CEPT), an organ for the PTT (posttelephone-telegraph) authorities, allocates frequency bands and defines for instance the maximum transmit power, limits to the duty cycle and the bandwidth of the transmitter for each allocated frequency band. This is described in the ERG

recommendation CEPT/ERC/70-03. The latest version of CEPT/ERC/70-03 can be found at the web site: www.erodocdb.dk.

Based on the ERC recommendation CEPT/ERC/70-03, the European Telecommunications Standards Institute (ETSI) composes the standards for low power wireless devices conformity testing of transmitters and receivers. Detailed specifications and testing methods are outlined and resulting in several standards covering different frequencies.

One example of a standard from ETSI is EN300220 Electromagnetic compatibility and Radio spectrum Matters (ERM) for Short Range Devices (SRD) and radio equipment to be used in the 25 MHz to 1 000 MHz frequency range with power levels ranging up to 500 mW.

Another example is the EN301406 standard Digital Enhanced Cordless Telecommunications (DECT) Harmonized EN for Digital Enhanced Cordless Telecommunications (DECT). This standard is covering the essential DECT requirements under article 3.2 of the R&TTE Directive Generic radio for operating in the allocated 1880 MHz to 1900 MHz band in Europe.

Another example is the standard for essential requirements EN300328 that covers Electromagnetic compatibility and Radio spectrum Matters (ERM) for wideband transmission systems and data transmission equipment operating in the 2.4 GHz ISM band and using wide band modulation techniques.

Another example is the standard EN301893 Broadband Radio Access Networks (BRAN) and 5 GHz high performance RLAN covering the essential requirements of article 3.2 of the R&TTE Directive.

Another example is standard for essential requirements EN300440 that covers Radio spectrum Matters (ERM) for short range devices and radio equipment to be used in the wider 1 GHz to 40 GHz frequency range. A requirement for putting radio equipment on the European market is that the product must be CE marked. For this a manufacturer can utilize a self-declaration regime where compliance is presumed when the

manufacturer issues a Declaration of Conformity (DoC) and marks the product with the CE logo. The DoC shall declare that the essential

requirements of the directives are met. The essential requirements for radio equipment can be summarized as:

The radio equipment shall effectively use the radio spectrum so as to avoid harmful interference meeting the requirements in the R&TTE Directive 1999/5/EC.

^ The radio equipment shall protect the health and safety of the user and others, including meeting the safety requirements of the Low Voltage Directive 73/23/EEC.

A The radio equipment shall be in compliance with the essential

requirements of the EMC Directive 89/336/EEC.

This means that besides radio standards additional standards for electromagnetic compatibility (EMC) and safety, such as EN300683 and EN301489 and others are also applicable. Together with the other

requirements in the standards for conformity testing of radio frequency devices can be achieved and verification that they operate at unlicensed frequencies following European standards. The latest versions of ETSI standards can be found at the web site: www.etsi.org.

In the rest of the world similar strict regulations and laws for unlicensed RF products exists. For instance in Japan the standard ARIB STD-T96 is used for the 950 MHz Band aimed for Telemeter, Telecontrol and data transmission radio equipment for specified low power radio station.

Another example of a standard in Japan covering regulations and requirements for radio equipment based on the DECT radio technology working in the 2.4 GHz band are the J-DECT standard.

Another Japanese standard ARIB STD-T66 is intended for Radio

Equipment for Second-generation Low-power Data Communications Systems Radio Stations and Wireless LAN Systems' Equipment performing radio communications primarily for data communication that use the 2.4 GHz band among radio stations for low-power data communications systems.

Another Japanese standard ARIB STD-T71 is intended for Broadband Mobile Access Communication System (CSMA) working in the 5 GHz band.

Looking at all above standards and broad range of regulations and laws it is easy to understand the complexity that awaits a manufacturer that plans to develop a unlicensed RF product. The manufacturer need to have deep knowledge and experience in how to develop such a product and how to perform the compliance testing to achieve approval. For getting a clear picture of these often complicated and local regulations and laws, the manufacturer has to make an extensive and time consuming analysis and often needs to take several contacts with local government before the development of each individual radio product even can be started.

Besides the big effort to understand above complex world of regulation for unlicensed RF products there is also the drawback that the development is associated with high costs for compliance testing at different research & test institutes to achieve approval.

For making the above described development process and approval process easier and more efficient manufacturers of unlicensed RF products use different strategies. One common way is to reuse already developed known technology and reuse already invested time and resources in compliance testing and approval by utilizing so-called pre-approved radio modules.

This approach of streamlining is recognized by regulatory authorities, and for instance in the US this is defined in the Title 47 CFR Part 15.212 Modular transmitters. In this case it means that in US approval of a

transmitter as a module is an option for manufacturers. Once a transmitter is approved as a module, it may be incorporated into a number of host devices that have been separately approved. The completed product generally is not subject to requirements for further approval. Therefore, transmitter modules save manufacturers the time and any related expenses that would be incurred if a new equipment approval were needed for the same transmitter when it is installed in a new device. As defined in Title 47 CFR Part 15.212 Modular transmitter devices that operate when installed within, or attached to, a host can be categorized in one of the following four physical configurations:

Single-modular transmitter - A complete RF transmission sub- assembly, designed to be incorporated into another device, that must demonstrate compliance with FCC rules and policies independent of any host.

Limited single-modular transmitter - A single-modular transmitter that complies with the Section 15.212(a)(1) modular rules, only when constrained to specific operating host(s) and/or associated grants condition(s).

Split-modular transmitter - An RF transmission system that complies with the requirements for a single-modular transmitter, that is separated into a radio front-end section and a control-element section, and can demonstrate compliance for a range of similar type hosts.

Limited split-modular transmitter: a split-modular transmitter that complies with the definition and technical rules for split modules only when constrained to specific operating host(s), and/or associated grant condition(s).

Single or limited-single modules and the RF front-end section of a split or limited split-module must be a separate physical assembly that can be installed into (or attached to) a host as a separate sub-assembly (daughterboard sub-assembly). The method used for input and output electrical connections to the host can be soldered, cabled, wired, or use plug-in connectors.

The approach of streamlining using so-called pre-approved radio modules is also recognized by the regulatory authorities in the European Community and is for instance described in the Technical Guidance Note on Requirements for a Final Product that Integrates an R&TTE Directive

Assessed Module (current version R&TTE CA TGN 01 Rev 4) written by R&TTE Compliance Association. In this case it means that in the European Community radio modules installed in equipment in conformance with the manufacturer's installation instructions require no further evaluation under Article 3.2 of the R&TTE Directive 999/5/EC and do not require further involvement of an R&TTE Directive Notified Body for the final product. Further guidance in assessing the application of EMC standards to combined products in the European Community, which include a radio and/or a telecommunication function is given in the ETSI technical report TR 102070- 1 Electromagnetic compatibility and Radio spectrum Matters (ERM), Guide to the application of harmonized standards to multi-radio and combined radio and non-radio equipment.

The purpose of this ETSI technical report TR 102070-1 document are to provide guidance on the application of harmonized radio product standards for combined products under article 3.2 (effective use of spectrum) of the R&TTE Directive 1999/5/EC. It also provides guidance with the testing of combined products to eliminate duplicate testing wherever possible, recommends the selection of appropriate performance assessment and performance criteria for this type of equipment and provides guidance for conformance evaluation and market surveillance.

As for the Title 47 CFR Part 15.212 Modular transmitters approach in

US and the R&TTE Directive 1999/5/EC Assessed Modules approach in the European Community similar local regulation for Modular transmitters and Assessed Modules approaches exist in the rest of the world.

Even if above known technology helps making the development process and approval process easier, there still exists limitations and disadvantages.

SUMMARY OF THE INVENTION

It has been realized that the current solution utilizing preapproved modules results in a number of disadvantages.

For instance, a Single-modular transmitter must demonstrate

compliance with FCC rules and policies independent of any host meaning that this kind of module is rather fixed, not very configurable and often limited to one or very few possible radio configurations.

In the case of a Limited single-modular transmitter the module must demonstrate compliance with FCC rules and policies to specific operating host(s) and/or associated grants condition(s). The manufacturer must demonstrate how the control over the final installation of the device is retained, such that compliance of the product is ensured by limiting the installation to a specific host or hosts. This kind of module is also rather fixed, not very configurable and often limited to one or very few possible radio configurations.

For a Split-modular transmitter module more or less of the application, the radio protocol stack, drivers etc can be included in the module. This can simplify the system solution but the limitation that the host application executes in the same CPU and memory space as the software controlling the actual radio still has to be taken into account. An error in the host software or controlling software can result in erroneous use of CPU, timers, interrupt, DMA, Input/Output etc. that ends up with critical re-configuration of the radio making the radio abuse the frequency spectrum by violating and exceeding radio parameter limits. This makes it necessary having all software present during the FCC approval and thereby again making the actual application and radio configuration and protocol very fixed, static and not upgradable without a new FCC approval.

Similar as for a Limited single-modular transmitter a Limited split- modular transmitter must demonstrate compliance with FCC rules and policies to specific operating host(s) and applicable operating conditions. The manufacturer must demonstrate how the control over the final installation of the device is retained, such that compliance of the product is ensured by limiting the installation to a specific host or hosts. An error in the host software or controlling software can also here result in erroneous use of CPU, timers, interrupt, DMA, Input/Output etc. that ends up with critical re-configuration of the radio making the radio abuse the frequency spectrum by violating and exceeding radio parameter limits. As for the Limited single-modular transmitter this makes the overall radio solution also in this case fixed and static.

The limitations for FCC and Modular transmitters when the host application executes in the same CPU and memory space as the software controlling the actual radio also applies to Assessed Modules in the European Community. An error in the host software or controlling software can also here result in erroneous use of CPU, timers, interrupt, DMA, Input/Output etc. that ends up with critical re-configuration of the radio making the radio abuse the frequency spectrum by violating and exceeding radio parameter limits.

It is also necessary in the European Community having all the software present during the approval of combined products with Assessed Modules in the European Community and thereby also here making the actual application and radio configuration and protocol for very fixed, static and not upgradable without a new approval.

The conclusion is that known technology of Modular transmitters and Assessed Modules gives manufacturers in some extent the opportunity to save time and any related expenses that would be incurred if a new

equipment approval were needed for the same assessed module when it is installed in a new device. However, important limitations and drawbacks still exists such as that Modular transmitters and Assessed Modules are closed for software upgrades without new approvals.

This means that the spare CPU and memory capacity of these Modular transmitters and Assessed Modules cannot be used for new applications in new products without a new complicated approval process. This often force manufacturers to deploy the actual host application on a separate CPU that communicates with the Modular transmitter or Assessed Module over a serial interface making the total solution more expensive and complicated than necessary.

An object of the present invention is to alleviate the above mentioned drawbacks and problems. A further object is to provide an improved radio module and a method for controlling the radio module in an improved manner while still ensuring that requirements, in particular requirements set in radio communication standards, are not exceeded or abused.

According to a first aspect of the invention, this and other objects are achieved by a radio module comprising a radio transceiver and a computer arranged to control the radio transceiver, the computer comprising: a central processing unit, CPU; and a memory, the memory being separated, by a memory protection, into at least a user memory space and a kernel memory space; wherein the user memory space is adapted to store untrusted software, and wherein the kernel memory space is adapted to store trusted software; wherein the central processing unit is adapted to execute trusted software in a kernel space execution state with full access to the computer; and wherein the central processing unit is adapted to execute untrusted software in a user space execution state with restricted access to the computer. The computer further comprises: a radio transceiver driver, by which the computer is arranged to control the radio transceiver; and a regulatory monitoring module adapted to restrict the access to the radio transceiver driver for the untrusted software being executed in the user space execution state, by monitoring that the untrusted software does not utilize the radio transceiver, via the radio transceiver driver, in such manner that a configurable parameter of a predetermined regulatory standard is violated.

The invention refers to ways and means for monitoring the behavior and limits concerning compliance with regulations and regulatory radio parameter requirements of unlicensed RF products to ensure that such requirements are not exceeded or abused.

By the present invention, the untrusted software is executed in the user execution state with restricted access to the computer. In particular, the access to the radio transceiver, via the radio transceiver driver, is restricted. The untrusted software is under certain conditions allowed to utilize the radio transceiver driver. The conditions comprises that the configuration and behavior of the radio transceiver driver must comply with a predetermined regulatory standard. The regulatory monitoring module monitors that the untrusted software does not utilize the radio transceiver outside the

conditions. Thus, the untrusted software, which is stored in the user memory space, may be exchanged while still guaranteeing that the radio transceiver is never configured or utilized such that configurable parameters of the predetermined regulatory standard is violated. Thereby, the radio module may be updated with new software, as long as it is untrusted software, without the need for new approvals. This feature shortens the development time and lowers the costs for developing and manufacturing the radio module. Further, this feature makes improvements both easier to implement in the radio module and less costly, which benefits the user of the radio module who can receive more frequent and cheaper upgrades and improvements. By that the untrusted software utilizes the radio transceiver is meant that the untrusted software configures and/or makes use of the radio transceiver, such as transmitting a particular data package on a particular frequency. The utilization of the radio transceiver may comprise a static configuration, such as a step of configuring a particular transmission frequency, and/or dynamic usage where the radio transceiver is utilized during a period of time, e.g. during a transmission of a data package.

The predetermined regulatory standard may comprise a combination of configurable parameters for the static configuration, such as transmission frequency, and for the dynamic usage of the radio transceiver, such as a maximum allowed transmission time.

The configurable parameters may be transmitter parameters or receiver parameters. Examples of transmitter parameters are average power, modulation bandwidth, and duty cycle. Examples of receiver parameters are receiver sensitivity, receiver LBT threshold, and adjacent channel selectivity.

The radio transceiver driver and the regulatory monitoring module are preferably trusted software. Thereby, they may be made inaccessible for the untrusted software being executed in the user space execution state.

Preferably, the central processing unit is adapted to allow access only to the user memory space for untrusted software being executed in the user space execution state, whereby the untrusted software is prevented from destroying the state of the trusted software.

Preferably, one of or a combination of the following resources are not accessible for the untrusted software being executed in the user space execution state: a core for the central processing unit, an interrupt controller for the central processing unit, a direct memory access (DMA), handling for the central processing unit, power management for the central processing unit, watchdog handling, reset handling, critical clock functions for a clock function provided in the radio module, and SPI/UART/parallel management for an input/output device, such as the radio transceiver, provided in the radio module. The resources are hardware resources.

However, the resources may be made conditionally accessible for the untrusted software by for example providing an indirect access. In particular, in the present invention this is used where the untrusted software has restricted access to the radio transceiver resource. The restricted access, i.e. the conditional access, is achieved by the regulatory monitoring module, which monitors the untrusted software's utilization of the radio transceiver via the radio transceiver driver.

One or more of these resources may be made inaccessible for the untrusted software by restricting the untrusted software's access to software in the computer, which controls the one or more of these resources, such that the untrusted software cannot access the controlling software, at least not without restrictions.

Preferably, the regulatory monitoring module is adapted to, if the predetermined parameter is violated, block usage of a function associated with the predetermined parameter. The parameters may be transmitter parameters or receiver parameters.

For example, if the transmitter parameter average power is violated, i.e. if the untrusted software utilizes the radio transceiver to transmit with an average power not complying with the predetermined regulatory standard, the transmitting function of the radio transceiver is blocked when the parameter is violated.

Preferably, the regulatory monitoring module is adapted to, if the configurable parameter is violated, notify the untrusted software.

The predetermined regulatory standard may be determined based on the one or more countries which the radio module is intended to be used in. The predetermined regulatory standard may for example be ERC

recommendation CEPT/ERC/70-03, European standard EN300220,

European standard EN301406, European standard EN300328, European standard EN3011893, U.S. Standards Title 47 CFR Part 15, Japanese standard ARIB STD-T96, Japanese standard J-DECT, Japanese standard ARIB STD-T66, and Japanese standard ARIB STD-T71.

The radio module may be adapted to comply with one regulatory standard, or alternatively a plurality of regulatory standards. It is also understood that the radio module may be adapted for future regulatory standards. According to a second aspect of the invention, the above mentioned and other objects are achieved by use of a radio module according to any of the above disclosed embodiments of the first aspect. The above disclosed features and corresponding advantages of the first aspect is also applicable to this second aspect. To avoid undue repetition, reference is made to the discussion above.

According to third aspect of the invention, the above mentioned and other objects are achieved by a method for controlling a radio module comprising a radio transceiver and a computer arranged to control the radio transceiver, the computer comprising: a central processing unit (CPU); a memory, the memory being separated, by a memory protection, into at least a user memory space and a kernel memory space; and wherein the user memory space is adapted to store untrusted software, and wherein the kernel memory space is adapted to store trusted software; wherein the central processing unit is adapted to execute trusted software in a kernel space execution state with full access to the computer; and wherein the central processing unit is adapted to execute untrusted software in a user space execution state with restricted access to the computer; the computer further comprising: a radio transceiver driver, by which the computer is arranged to control the radio transceiver; and a regulatory monitoring module. The method comprises restricting the access to the radio transceiver driver for the untrusted software, being executed in the user space execution state, by: providing, by the untrusted software and to the regulatory monitoring module, a radio scheme, the radio scheme comprising a configuration of at least one configurable parameters; validating, by the regulatory monitoring module, that said configuration in said radio scheme complies with limits of said at least one configurable parameters, the limits being defined in a predetermined regulatory standard; allowing, only if the configuration in said radio scheme complies with the limits defined in the regulatory standard, the untrusted software to utilize the radio transceiver via the radio transceiver driver; and monitoring, by the regulatory monitoring module, that the untrusted software does not utilize the radio transceiver, via the radio transceiver driver, in such manner that said configuration in said radio scheme is violated. By the inventive method, it is required that the untrusted software provides a radio scheme comprising the configuration of configurable parameters according to which it intends to utilize the radio transceiver. The radio scheme is validated by the regulatory monitoring module where the regulatory monitoring module checks if the configuration in the radio scheme complies with the limits of the configurable parameters being defined configuration, wherein the limits are defined in the predetermined regulatory standard. Only if the radio scheme complies, the untrusted software is allowed to utilize the radio transceiver, which is performed via the radio transceiver driver. If the radio scheme complies, the configuration radio scheme is implemented in the radio transceiver by configuring the radio transceiver accordingly. The radio scheme has thereby been committed.

Additionally, the regulatory monitoring module monitors that the untrusted software does not thereafter utilize the radio transceiver in such manner that the configuration in the radio scheme is violated. Thus, the regulatory monitoring module performs, firstly, a static check that the untrusted software intends to utilize the radio transceiver in an acceptable manner, as defined in the predetermined regulatory standard, and, secondly, dynamical checks that the untrusted software actually follows its intention when utilizing the radio transceiver. Thereby, the performance of the radio transceiver is protected regardless of how the untrusted software utilizes it. This means that the untrusted software may be exchanged in the radio module, while still guaranteeing that the function of the radio transceiver is kept within the predetermined regulatory standard.

The parameters may be transmitter parameters or receiver

parameters. Examples of transmitter parameters are average power, modulation bandwidth, and duty cycle. Examples of receiver parameters are receiver sensitivity, receiver LBT threshold, and adjacent channel selectivity.

The radio transceiver driver and the regulatory monitoring module are preferably trusted software. Thereby, they may be made inaccessible for the untrusted software being executed in the user space execution state.

Preferably, the untrusted software is allowed to provide a radio scheme only once after a reset of the radio module. By this feature, the untrusted software cannot reset any dynamic parameters of the radio scheme, such as transmission time accounting, thereby having a possibility to violate

associated parameters, such as transmission duty cycle.

In one preferred embodiment, the untrusted software provides the radio scheme at start-up of the radio module.

Preferably, the method comprises: if said configuration in said radio scheme is violated, blocking usage of a function associated with the

configurable parameter which configuration has been violated. By this feature, it is guaranteed that the violation is never executed.

Preferably, the method comprises: if the configuration in said radio scheme is violated, notifying the untrusted software. By this feature, the untrusted software is made aware of the violation and may try to utilize the radio transceiver differently or be able to keep track of any violations it causes.

The predetermined regulatory standard may be determined based on the one or more countries which the radio module is intended to be used in. The predetermined regulatory standard may for example be ERG

recommendation CEPT/ERC/70-03, European standard EN300220,

European standard EN301406, European standard EN300328, European standard EN301 1893, U.S. Standards Title 47 CFR Part 15, Japanese standard ARIB STD-T96, Japanese standard J-DECT, Japanese standard ARIB STD-T66, and Japanese standard ARIB STD-T71.

The radio module may be adapted to comply with one regulatory standard, or alternatively a plurality of regulatory standards. It is also understood that the radio module may be adapted for future regulatory standards.

Other above disclosed features and corresponding advantages of the first aspect is also applicable to this third aspect. To avoid undue repetition, reference is made to the discussion above. It is noted that the invention relates to all possible combinations of features recited in the claims. BRIEF DESCRIPTION OF THE DRAWINGS

This and other aspects of the present invention will now be described in more detail, with reference to the enclosed drawings showing embodiments of the invention.

FIG 1 is a principal block diagram of an electronic device, according to previously known technology, illustrating an RF transmission system with a radio front-end section and a control-element section in the form of a radio module that is controlled by an external host.

FIG 2 is a principal block diagram of the software in an electronic device, according to previously known technology, illustrating an RF transmission system with a radio front-end section and a control-element section in the form of a radio module that is controlled by an external host.

FIG 3 is a principal block diagram of an electronic device, according to an embodiment of the invention, illustrating an RF transmission system in the form of a radio module that comprises a control host section supporting privilege modes, memory protection and a regulatory monitoring software for securely controlling a radio front-end section.

FIG 4 is a principal block diagram of the software in an electronic device, according to an embodiment of the invention, illustrating an RF transmission system in the form of a radio module that comprises a control host section supporting privilege modes, memory protection and a regulatory monitoring software for securely controlling a radio front-end section.

DETAILED DESCRIPTION

The present invention will now be described more fully hereinafter with reference to the accompanying drawings, in which currently preferred embodiments of the invention are shown. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided for thoroughness and completeness, and for fully conveying the scope of the invention to the skilled person.

A typical previously known radio module will be disclosed in the following. FIG 1 shows an example and principal block diagram of an electronic device according to previously known technology. An electronic device of this type comprises a host Computer 1 and a Radio module 16. The host Computer 1 is controlling the Radio module 16 over the Electrical Control interface 7. This Electrical Control interface 7 is typically an electrical interface such as SPI, UART etc. and may be managed by Input/Output Devices 3. The host Computer 1 also includes a Program Memory 6 and a Data Memory 5 in which e.g. host software and information are stored. This software typically includes an operating system scheduler and one or more program modules. The Program Memory 6 and Data Memory 5 may be arranged inside the host Computer 1 in a conventional manner. Alternatively, the Program Memory 6 and Data Memory 5 may be arranged in external serial memory types which are connected to host Computer .

For clocking and handling of timers in the host Computer 1 , a Clock 2 is provided in a standard manner. Software is executed by a conventional central processing unit, CPU, 4. The CPU 4 executed software by fetching program and data from the Program Memory 6 and Data Memory 5. In the CPU 4, interrupt and DMA handling are provided in a conventional manner. The Program Memory 6 and Data Memory 5 exist in the same memory space as seen from CPU 4.

The Radio module 16 comprises a control-section in form of a radio module Computer 9 and a Radio Transceiver 15 front-end section. The radio module Computer 9 and Radio Transceiver 15 are typically based on two separate integrated circuits. Alternatively, the radio module Computer 9 and Radio Transceiver 15 are based on a single integrated circuit where the radio module Computer 9 and Radio Transceiver 15 are combined. The radio module Computer 9 communicates and controls the Radio Transceiver 15 over a radio module Control interface 14. In an embodiment comprising two separate integrated circuits, this radio module Control interface 14 is typically an electrical interface such as SPI, UART or parallel managed in the

Input/Output Devices 10. Input/Output Devices 10 usually also manage a variety of other interfaces such as GPIO, I2C, USB, TDM, I2S, PWM,

Speaker, Microphone etc. In an embodiment comprising one integrated circuit on which the radio module Computer 9 and Radio Transceiver 15 are combined, the radio module Control interface 14 typically consists of a direct memory mapped register access to/from the Radio Transceiver 15.

The radio module Computer 9 comprises a radio module Program Memory 13 and a radio module Data Memory 12, in which memories software and information of the Radio module 16 is stored. The stored software typically includes an operating system scheduler and one or more program modules. The radio module Program Memory 13 and radio module Data Memory 12 may be deployed inside the radio module Computer 9 in a conventional manner. Alternatively, the radio module Program Memory 13 and radio module Data Memory 12 may be external serial memory types which are connected to radio module Computer 9.

For clocking and handling of timers in the radio module Computer 9, a radio module Clock 8 is provided in a conventional manner. Software in the Radio module 16 is executed by a radio module CPU 1 1. The radio module CPU 1 1 fetches program and data from the Program Memory 13 and Data Memory 12 for execution. In the radio module CPU 1 1 , interrupt and DMA handling are provided in a conventional manner. The radio module Program Memory 13 and radio module Data Memory 12 exist in the same memory space seen from CPU 1 1.

An Antenna 17 that is preferably designed and adapted to the correct frequency is attached to the Radio module 16 and to the Radio Transceiver 15. The Antenna 17 may be e.g. an on-board antenna, an external antenna or be formed of combinations of on-board antennas and external antennas.

FIG 2 shows an example and principal block diagram of previously known software technology in an electronic device shown in the example and principal block diagram in FIG 1. A Host software 23 is executing in the Host computer 1 and is communicating with the Radio Module Software 29 executing in the radio module Computer 9 in the Radio Module 16. The Host software 23 typically includes a host Application 18 that interacts with a radio Protocol Stack Upper Layer 19. To be able to communicate with the Radio Module Software 29 and the Radio Module Application 28, the radio Protocol Stack Upper Layer 19 interacts with a Radio Module Driver 20 that handles the actual Radio Control + Data Protocol 24. The Radio Module Driver 20 in turn interacts with the Serial Driver 21 that depending if the Electrical Control interface 7 is SPI, UART, etc. uses a suitable Serial Protocol 25 to

communicate with the Serial Driver 26 in the Radio Module Software 29. The Serial Driver 26 then can interact with the Radio Module Application 28.

The Radio Module Application 28 interprets the Radio Control + Data Protocol 24 information and interacts with the Protocol Stack Lower Layer 30 that in turn interacts with the Radio Transceiver Driver 31 that actually controls the Radio Transceiver 15 using the Logical Control interface 32 over SPI, UART, parallel etc. or with direct memory mapped register access if radio module Computer 9 and Radio Transceiver 15 are combined in one integrated circuit.

For supporting the Host software 23 and the different software modules in Host computer 1 , a Platform Software 22 module is provided. The Platform Software 22 typically includes an operating system scheduler, timers, interrupt handling, DMA handling, input/output handling, power management, watchdog handling, reset handling, etc.

In the same way for supporting the Radio Module Software 29 and the different software modules in the radio module Computer 9 in the Radio Module 16, a Platform Software 27 module is provided. The Platform

Software 27 typically includes an operating system scheduler, timers, interrupt handling, DMA handling, input/output handling, power management, watchdog handling, reset handling etc.

An example of a preferred embodiment of the invention will now be disclosed.

FIG 3 shows an example and principal block diagram of an electronic device, according to an embodiment of the invention, in form of a Radio module 33 including an Antenna 44. In this embodiment, the Radio module 33 comprises the same type of hardware as the Radio module 16 described above, and with additional features according to the present invention. The Radio module 33 comprises a control-section in form of a radio module Computer 36 and a Radio Transceiver 43 front-end section. The radio module Computer 36 and the Radio Transceiver 43 may be based on two separate integrated circuits, or may be based on only one integrated circuit where the radio module Computer 36 and the Radio Transceiver 43 are combined in one integrated circuit.

The radio module Computer 36 may communicate and may control the Radio Transceiver 43 over the Control interface 42. In an embodiment where the radio module Computer 36 and the Radio Transceiver 43 are based on two separate integrated circuits, this Control interface 42 is typically an electrical interface such as SPI, UART or parallel managed in the

Input/Output Devices 37. In an embodiment where the radio module

Computer 36 and the Radio Transceiver 43 are combined in one integrated circuit the Control interface 42 typically consists of a direct memory mapped register access to/from the Radio Transceiver 43. Input/Output Devices 37 also manage a variety of other interfaces such as GPIO, I2C, USB, TDM, I2S, PWM, Speaker, Microphone etc. that in turn are provided as Electrical external interfaces 34 to/from other electronic devices.

The radio module Computer 36 also comprises a radio module

Program Memory 40 and a radio module Data Memory 39,which store software and information of the Radio module 33. This software typically includes an operating system scheduler and one or more program modules. According to an embodiment of the invention, one included and important program module is a control system in form of a Regulatory Monitoring 50 software module which function will be explained more in detail later. The radio module Program Memory 40 and radio module Data Memory 39 may be arranged inside the radio module Computer 36 in a conventional manner. Alternatively, the radio module Data Memory 39 and the radio module

Program Memory 40 may be external serial memory types which are connected to radio module Computer 36. For clocking and handling of timers in the radio module Computer 36, a Clock 35 is provided. The software in the Radio module 33 is executed by the radio module central processing unit, CPU, 38. The CPU 38 executed software by fetching program and data from the radio module Program Memory 40 and radio module Data Memory 39.

According to an embodiment of the invention, the radio module

Computer 36 is provided with further functions and control systems to make it possible to isolate and protect critical software and resources for controlling the Radio Transceiver 43 from untrusted application software while still having the overall software running in the same Radio module Computer 36. To achieve this effect, the radio module CPU 38 includes conventional functionality and control systems to handle different privilege modes, also known as privilege levels.

In a preferred embodiment, at least a user mode and a privileged mode are provided as privilege levels. Software executed in the user mode has restricted access to the radio module Computer 36, while software executed in the privileged mode has full access to radio module Computer 36. The privilege levels are typically implemented as execution states in the radio module CPU 38, where the privileged mode execution state provides full access to the computer and user mode execution state provides restricted access to the computer. The restricted access typically mean that software executed in the user mode execution state is prohibited from executing one or more critical system operations, such as controlling interrupts.

Further according to an embodiment of the invention, the radio module

Computer 36 is provided with functions and control systems in form of Memory Protection 41. The Memory Protection 41 separates the overall memory space, comprising the radio module Program Memory 40 and the radio module Data Memory 39, in different memory spaces. In this

embodiment, the overall memory space is separated into a user memory space and a kernel memory space. The user memory space is accessible for software executed in all modes while kernel memory space is accessible for software executed in privileged mode only. The memory Protection 41 may be provided by different conventional unit types such as Memory Protection Unit (MPU) or Memory Management Unit (MMU). Further, the same type of Antenna 44 that were described above, preferably designed and adapted to the correct frequency, is attached to the Radio module 33 and the Radio Transceiver 43. The Antenna 44 may be an on-board antenna, an external antenna or comprise combinations of on-board antennas and external antennas.

According to an embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33, including the Antenna 44, comply with the ERC recommendation CEPT/ERC/70-03 defined by European Conference of Postal and Telecommunications Administrations (CEPT). According to an embodiment of the invention, the Radio module 33 including the Antenna 44 also complies with R&TTE CA TGN 01 (Final Product that Integrates an R&TTE Directive Assessed Module) Technical Guidance Note.

Examples of transmitter parameters are average power, modulation bandwidth, duty cycle, and examples of receiver parameters are receiver sensitivity, receiver LBT threshold, adjacent channel selectivity.

According to an embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33, including the Antenna 44, comply with ETSI EN300220 or ETSI EN301406 or ETSI EN300328 or ETSI EN301893 standards. According to an embodiment of the invention, the Radio module 33, including Antenna 44, also preferably complies with R&TTE CA TGN 01 (Final Product that Integrates an R&TTE Directive Assessed Module) Technical Guidance Note.

According to an embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33, including the Antenna 44, comply with the Title 47 CFR Part 15 standard when operating in 902-928 MHz Band or 1910-1930 MHz Band or 2.4-2.4835 GHz Band or 5.15 - 5.35 GHz band or 5.725 - 5.825 GHz Band. According to an embodiment of the invention, the Radio module 33, including the Antenna 44, also preferably complies with Title 47 CFR Part 15.212 Modular transmitters standard.

According to an embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33, including Antenna 44, comply with AIRB STD-T96 or J-DECT or AIRB STD-T66 or AIRB STD-T71 standards.

FIG 4 shows principal block diagram and is an example of the software technology according to the invention in an electronic device shown in the example and principal block diagram of FIG 3. The Radio Module Software 45 is executed in the Radio module Computer 36 and is, according to this embodiment of the invention, divided into Trusted software 48 and Untrusted software 54.

Trusted software 48 is executed by the radio module CPU 38 in privileged mode with full access to the radio module Computer 36 and to the overall memory space; this execution state is referred to as Kernel space 52. Untrusted software 54 is executed in user mode with restricted access to the radio module Computer 36 and with access to user memory space only; this execution state is referred to as User space 53. This separation of access ensures that the Untrusted software 54 cannot destroy the state of the Trusted software 48 and the resources it manages.

The Untrusted software 54 executed in the User space 53 is allowed to request a service from the Trusted software 48 through a system call or supervisor call. This is a conventional way to transfer control to the Trusted software 48 in Kernel space 52. The Untrusted software 54 may thus control resources which is not directly accessible to it since the Untrusted software 54 is executed in User space 52 with restricted access to the radio module Computer 36. Thus, the trusted software 48 which the Untrusted software 54 requests the service from, utilizes a resource on behalf of Untrusted software 54 to fulfill the request. In this way, the Trusted software 48 can validate that the Untrusted software 54 intends to utilize the resource in a correct manner before fulfilling the request.

In this invention, the validation and monitoring of the requests, concerning the radio transceiver, from the Untrusted software 54 is achieved by a Regulatory monitoring module 50, which is a trusted software of the radio module. When the request is fulfilled, the control is returned to the Untrusted software 54 in the User space 53.

By providing the separation of access, the critical software that controls the Radio Transceiver 43 can be deployed in Kernel space 52 and all required memory mapped resources such as Memory Protection 41 , critical memory spaces in Program Memory 40, critical memory spaces in Data Memory 39, critical instructions and registers in CPU 38, core in CPU 38, interrupt controller in CPU 38, DMA handling in CPU 38, power management in CPU 38, watchdog handling, reset handling, critical clock functions in Clock 35, SPI/UART/Parallel management in Input/Output Devices 37 or direct memory mapped register access trough Control interface 42 for controlling Radio Transceiver 43 can be configured to be accessible only from Kernel space 52. Thus, Untrusted software, such as e.g. an untrusted application software, deployed in User space 53 cannot destroy and re-configure the Radio Transceiver 43 and making Radio module 33 including Antenna 44 abuse the frequency spectrum by violating and exceeding radio parameter limits.

Above mentioned resources, e.g. the watchdog, are all of conventional type, based on known technology. Critical instructions and registers in CPU 38 refers to instructions and special registers for controlling core resources in the CPU 38.

The Untrusted software 54 typically includes an Application 46 that interact with a radio Protocol Stack Upper layer 47. According to an

embodiment of the invention, the Application 46 and the radio Protocol Stack Upper layer 47 are configured as Untrusted software modules and thus executed in the User space 53 of the radio module Computer 36, meaning they execute in user mode and has access to user memory space only.

The Trusted software 48 that, according to an embodiment of the invention, executes in Kernel space 52 in privileged mode, with full access to the radio module Computer 36 and the whole memory space, typically includes a radio Protocol Stack Lower layer 49 that interacts with the radio Protocol Stack Upper layer 47. The Radio Protocol Stack Lower layer 49 may also interact with the Radio Transceiver Driver 55 that actually, monitored by Regulatory Monitoring 50, controls the Radio Transceiver 43 using the Logical Control interface 56 over SPI, UART, parallel etc. or with direct memory mapped register access if the radio module Computer 36 and Radio

Transceiver 43 are combined in one integrated circuit.

Thus, the Application 46 and the radio Protocol Stack Upper layer 47 in Untrusted software 54 utilize the Radio Transceiver 43 indirectly through Protocol Stack Lower layer 49 and Radio Transceiver Driver 55 in the Trusted software 48 by issuing a request through a system call. The Radio

Transceiver Driver 55 controls the Radio Transceiver 43 on behalf of the Untrusted software 54 if the request is approved after validation by

Regulatory Monitoring 50.

A complete radio protocol stack may be divided in the radio Protocol Stack Upper layer 47 and the radio Protocol Stack Lower layer 49 where more or less of the radio Protocol Stack can be implemented either in the radio Protocol Stack Upper layer 47 or the Protocol Stack Lower layer 49.

Some preferred embodiments having most or all of the radio Protocol Stack implemented in the radio Protocol Stack Upper layer 47 and executing in the User space 53 provides a more flexible solution. It is thus possible to program and upgrade the Untrusted software 54 without any need for new expensive and time consuming approvals. The programming and upgrading may preferably be performed wirelessly by utilizing an Over-the-air

programming (OTA) protocol.

Other embodiments having most or all of the radio Protocol Stack implemented in the radio Protocol Stack Lower layer 49 and executing in the Kernel space 52 makes the solution less flexible on one hand but the radio Protocol Stack less vulnerable to Untrusted software 54 on the other hand. It is still possible to program and upgrade the Application 46 and radio Protocol Stack Upper layer 47 without any need for new expensive and time

consuming approvals. The programming and upgrading may also in these embodiments be performed wirelessly by utilizing an Over-the-air

programming (OTA) protocol.

According to an embodiment of the invention, the Trusted software 48 executing in Kernel space 52 in privileged mode with full access to whole memory space includes a Platform Software 51 module. The Platform

Software 51 supports the different software modules in the radio module Computer 36 and typically includes one of or a combination of an operating system scheduler, timers, interrupt handling, DMA handling, input/output handling, Watchdog handling, reset handling, and low power supply handling.

In the radio module Computer 36 and executing in Kernel space 52 in privileged mode with full access to whole memory space and according to an embodiment of the invention, is an important software and control system in form of a Regulatory Monitoring 50 software module provided. In this software module, any part of Untrusted software 54 can provide a Radio Scheme 57 through a system call. The Radio Scheme 57 is a specific configuration of the configurable parameters that Regulatory Monitoring 50 software module provides in accordance with the regulatory standards that Radio module 33 including Antenna 44 are arranged to comply with. For different embodiment, different regulatory standards may be chosen. The Radio module 33 may be adapted to comply with one or more regulatory standards.

According to an embodiment of the invention, the Regulatory

Monitoring 50 software module only accepts a Radio Scheme 57 that keeps the Radio module 33 including Antenna 44 and it's radio transmitter parameters and radio receiver parameters within the limits defined in the regulatory standards that the Radio module 33 including Antenna 44 complies with. It should be noted that it is not necessary that all radio transmitter parameters and radio receiver parameters of a regulatory standard must be complied with. It may be predetermined which parameters of a regulatory standard that shall be complied with for a specific embodiment of the Radio module 33.

According to an embodiment of the invention, the transmitter parameters and receiver parameters of the Radio module 33, including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, are one or of a combination of Frequency Band, Power/Magnetic Field, Spectrum access/mitigation requirement and Channel spacing, wherein the parameters are defined by European

Conference of Postal and Telecommunications Administrations (CEPT) and described in the ERC recommendation CEPT/ERC/70-03.

According to another embodiment of the invention , the transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio

Scheme 57 keep within limits, are one of or a combination of Average power, Effective radiated power, Frequency Hopping Spread Spectrum devices (FHSS), Direct sequence or other spread spectrum than FHSS, Transient Power, Adjacent channel power, Modulation bandwidth, Unwanted emissions in the spurious domain, Frequency stability under low-voltage conditions, Duty cycle, Listen Before Talk (LBT), Minimum transmitter off-time, Minimum listening time, Maximum dead time, Maximum transmitter on-time, Time-out- timer, Receiver sensitivity, Receiver LBT threshold, Adjacent channel selectivity Blocking, Spurious response rejection and Spurious radiations, wherein the parameters are defined in the European standard EN300220.

According to another embodiment of the invention, the transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, are one or or a combination of Accuracy and stability of RF carriers, Accuracy and stability of timing parameters,

Transmission burst, Transmitted power, RF carrier modulation, Unwanted RF power radiation, Radio receiver testing, Intersystem synchronization (FP only), Equipment identity testing, Efficient use of the radio spectrum, WRS testing, Requirements for PPs with direct PP to PP communication mode, Distributed Communications and Higher level modulation options, wherein the parameters are defined in the European standard EN301406.

According to another embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, are one of or a combination of Modulation FHSS or DSSS, Maximum transmit power, Maximum e.i.r.p. spectral density, Frequency range, Frequency hopping, Medium access protocol, Transmitter spurious emissions and Receiver spurious emissions, wherein the

parameters are defined in the European standard EN300328,

According to another embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, are one of or a combination of Centre frequencies, Nominal Channel Bandwidth and Occupied Channel Bandwidth, RF output power, Transmit Power Control (TPC) and power density,

Transmitter unwanted emissions, Receiver spurious emissions, Dynamic Frequency Selection (DFS), Medium Access Protocol, Adaptivity (Channel Access Mechanism) and User Access Restrictions, wherein the parameters are defined in the European standard EN301893.

According to another embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, subjects one of or a combination of Spurious Emission Limits and Restricted Frequency Bands, Enhanced Emission Limits for Control and Periodic Applications, Operation in the 902-928 MHz Band, Operation in the 1910-1930 MHz Band, Operation in the 2.4-2.4835 GHz Band, Operation in the 5.15-5.35 GHz band and Operation in the

5.725-5.825 GHz Band, wherein the parameters are defined in the U.S. Standards Title 47 CFR Part 15 sub-parts.

According to another embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keep within limits, are one of or a combination of parameters which are defined in the Japanese standards ARIB STD-T96, J-DECT, ARIB STD-T66 and ARIB STD-T71.

Similar as described above and according to another embodiment of the invention, transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44, that the Regulatory Monitoring 50 together with the Radio Scheme 57 keeps within limits, are for the rest of the world defined in a standards different from those mentioned above. The standard may be set by the same or other local authorities and adapted to the same or other local conditions. It is understood that standards may be amended, and that new standards may be defined in the future, and that transmitter parameters and receiver parameters of these amended or new standards may be chosen as parameters that the radio module 33 of the present invention should comply with.

According to an embodiment of the invention, the Regulatory

Monitoring 50 software module together with Radio Scheme 57 continuously monitors and controls the Untrusted software 54 usage of Radio Transceiver 43, by access to the Radio Transceiver Driver 55, so that the transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44 are kept within the limits defined in accordance with the regulatory radio-specific directives and standards that Radio module 33 including Antenna 44 is arranged to comply with. According to a preferred embodiment of the invention, the Untrusted software 54 configures a Radio Scheme 57 and commits it to Regulatory Monitoring 50 through a system call at start-up before being allowed to utilize the Radio Transceiver 43. The Radio Transceiver 43 is utilized through access to the Radio Transceiver Driver 55. By committing the Radio Scheme 57 to Regulatory Monitoring 50 is meant providing the Radio Scheme 57 to the Regulatory Monitoring 50 which validates that the Radio Scheme 57 complies with limits defined in a predetermined regulatory standard. Only after the Radio Scheme 57 has been committed, and it has been validated that the Radio Scheme 57 complies with the limits of the predetermined regulatory standard, the Untrusted software 54 is allowed to utilize the Radio Transceiver 43.

In one embodiment of the invention, it is possible to commit a Radio Scheme 57 only once after reset, preferably at start-up of the Radio module 33.

According to an embodiment of the invention, it is still possible for Untrusted software 54 to utilize the Radio Transceiver 43 dynamically, i.e. continuously, as long as the transmitter parameters and receiver parameters of the Radio module 33 including Antenna 44 are kept within the limits defined by the Radio Scheme 57, and also within limits defined in accordance with the regulatory radio-specific directives and standards that Radio module 33 including Antenna 44 are arranged to comply with.

As earlier stated and according to an embodiment of the invention, the Regulatory Monitoring 50 software module monitors the utilization of the Radio Transceiver 43, which is utilized through the Radio Transceiver Driver 55. Preferably, the monitoring is performed continuously. Should the

Untrusted software 54 violate any radio parameter limit according to current Radio Scheme 57, the Regulatory Monitoring 50 software module blocks usage of the function associated with the violated radio parameter until the radio parameter is within bounds again. For example the transmit function may be blocked if maximum transmit time has been reached within a period; when a new period starts it is possible to transmit again. Upon blocking a radio function, the Regulatory Monitoring 50 software module preferably notifies the Untrusted software 54, either through a return code or an event/callback. In one embodiment, the Regulatory Monitoring 50 software module notifies the Untrusted software 54 without blocking the usage of a radio function.

According to a preferred embodiment of the invention, isolating and protecting critical software and resources controlling the Radio Transceiver 43 from Untrusted application software and still having the overall software running in the same Radio module Computer 36, makes it possible to benefit much more from the pre-approved radio modules concept, such as Modular transmitters in United States and Assessed Modules in European Community. This because according to the invention pre-approved radio modules no longer have to be static, inflexible and only supporting a few radio

configurations. Instead, Untrusted software in Radio module 33 such as Application 46 and Protocol Stack Upper layer 47 can easily be programmed or upgraded without the need for new expensive and time consuming approvals.

Claims

1. A radio module (33) comprising a radio transceiver (43) and a computer (36) arranged to control the radio transceiver, the computer comprising: a central processing unit, CPU, (38); and
a memory, the memory being separated, by a memory protection
(41), into at least a user memory space and a kernel memory space; wherein the user memory space is adapted to store untrusted software, and wherein the kernel memory space is adapted to store trusted software;
wherein the central processing unit (38) is adapted to execute trusted software in a kernel space execution state (52) with full access to the computer (36); and
wherein the central processing unit is adapted to execute untrusted software in a user space execution state (53) with restricted access to the computer (36);
the computer (36) further comprising:
a radio transceiver driver (55), by which the computer (36) is arranged to control the radio transceiver (43); and
a regulatory monitoring module (50) adapted to restrict the access to the radio transceiver driver (55) for the untrusted software being executed in the user space execution state (53), by monitoring that the untrusted software does not utilize the radio transceiver (43), via the radio transceiver driver (55), in such manner that a configurable parameter of a predetermined regulatory standard is violated. 2. The radio module according to claim 1 , wherein the central processing unit (38) is adapted to allow access only to the user memory space for untrusted software being executed in the user space execution state, whereby the untrusted software is prevented from destroying the state of the trusted software. 3. The radio module according to claims 1 or 2, wherein one of or a
combination of the following resources are not accessible for the untrusted software being executed in the user space execution state: a core for the central processing unit, an interrupt controller for the central processing unit, a direct memory access (DMA), handling for the central processing unit, power management for the central processing unit, watchdog handling, reset handling, critical clock functions for a clock function (35) provided in the radio module, and SPI/UART/parallel management for an input/output device, such as the radio transceiver, provided in the radio module.
The radio module according to any of claims 1-3, wherein the regulatory monitoring module (50) is adapted to, if the predetermined parameter is violated, block usage of a function associated with the predetermined parameter.
The radio module according to claim 4, wherein the regulatory monitoring module (50) is adapted to, if said configurable parameter is violated, notify the untrusted software.
The radio module according to any of claims 1-5, wherein the
predetermined regulatory standard is one of the following: ERG recommendation CEPT/ERC/70-03, European standard EN300220, European standard EN301406, European standard EN300328, European standard EN301 1893, U.S. Standards Title 47 CFR Part 15, Japanese standard ARIB STD-T96, Japanese standard J-DECT, Japanese standard ARIB STD-T66, and Japanese standard ARIB STD-T71.
Use of a radio module according to any of claims 1-6.
A method for controlling a radio module (33) comprising a radio transceiver (43) and a computer (36) arranged to control the radio transceiver (43), the computer comprising:
a central processing unit, CPU, (38);
a memory, the memory being separated, by a memory protection (41 ), into at least a user memory space and a kernel memory space; and wherein the user memory space is adapted to store untrusted software, and wherein the kernel memory space is adapted to store trusted software;
wherein the central processing unit (38) is adapted to execute trusted software in a kernel space execution state (52) with full access to the computer (36); and
wherein the central processing unit is adapted to execute untrusted software in a user space execution state (53) with restricted access to the computer (36);
the computer (36) further comprising:
a radio transceiver driver (55), by which the computer (36) is arranged to control the radio transceiver (43); and
a regulatory monitoring module (50);
the method comprising restricting the access to the radio transceiver driver (55) for the untrusted software, being executed in the user space execution state (53), by:
providing, by the untrusted software and to the regulatory monitoring module (50), a radio scheme (57), the radio scheme (57) comprising a configuration of at least one configurable parameters;
validating, by the regulatory monitoring module (50), that said configuration in said radio scheme (57) complies with limits of said at least one configurable parameters, the limits being defined in a
predetermined regulatory standard;
allowing, only if the configuration in said radio scheme (57) complies with the limits defined in the regulatory standard, the untrusted software to utilize the radio transceiver (43) via the radio transceiver driver (55); and
monitoring, by the regulatory monitoring module (50), that the untrusted software does not utilize the radio transceiver (43), via the radio transceiver driver (55), in such manner that said configuration in said radio scheme (57) is violated.
9. The method according to claim 8, wherein the untrusted software is
allowed to provide a radio scheme (57) only once after a reset of the radio module (33).
10. The method according to claims 8 or 9, wherein the untrusted software provides the radio scheme (57) at start-up of the radio module (33).
1 1. The method according to any of claims 8-10, further comprising, if said configuration in said radio scheme (57) is violated, blocking usage of a function associated with the configurable parameter which configuration has been violated.
12. The method according to any of claims 8-1 1 , further comprising, if the configuration in said radio scheme (57) is violated, notifying the untrusted software. 13. The method according to any of claims 8-12, wherein the predetermined regulatory standard is one of the following: ERG recommendation CEPT/ERC 70-03, European standard EN300220, European standard EN301406, European standard EN300328, European standard
EN301 1893, U.S. Standards Title 47 CFR Part 15, Japanese standard ARIB STD-T96, Japanese standard J-DECT, Japanese standard ARIB STD-T66, and Japanese standard ARIB STD-T71.
PCT/EP2012/071566 2011-10-31 2012-10-31 Radio module WO2013064540A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
SE1100816-6 2011-10-31
SE1100816 2011-10-31
US201161555033 true 2011-11-03 2011-11-03
US61/555,033 2011-11-03

Publications (1)

Publication Number Publication Date
WO2013064540A1 true true WO2013064540A1 (en) 2013-05-10

Family

ID=48191400

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2012/071566 WO2013064540A1 (en) 2011-10-31 2012-10-31 Radio module

Country Status (1)

Country Link
WO (1) WO2013064540A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005107132A1 (en) * 2004-04-30 2005-11-10 Research In Motion Limited System and method for configuring devices for secure operations
US20110225418A1 (en) * 2010-03-10 2011-09-15 Sprint Communications Company L.P. Secure storage of protected data in a wireless communication device
EP2378454A2 (en) * 2010-04-19 2011-10-19 Apple Inc. Booting and configuring a subsystem securely from non-local storage

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005107132A1 (en) * 2004-04-30 2005-11-10 Research In Motion Limited System and method for configuring devices for secure operations
US20110225418A1 (en) * 2010-03-10 2011-09-15 Sprint Communications Company L.P. Secure storage of protected data in a wireless communication device
EP2378454A2 (en) * 2010-04-19 2011-10-19 Apple Inc. Booting and configuring a subsystem securely from non-local storage

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
None

Similar Documents

Publication Publication Date Title
US7617342B2 (en) Universal serial bus dongle device with wireless telephony transceiver and system for use therewith
US7283037B2 (en) RFID tags adjusting to different regulatory environments, and RFID readers to so adjust them and methods
US20100330919A1 (en) Method for database driven channel quality estimation in a cognitive radio network
US20020154621A1 (en) Method of scheduling regular signal transmission in a cellular wireless system
US20090006675A1 (en) Universal Serial Bus Dongle Device with Millimeter Wave Transceiver and System for use Therewith
US20030198307A1 (en) Dynamic clock control to reduce radio interference in digital equipment
US20090186646A1 (en) Cognitive radio communication method for controlling sensing operation and cognitive radio communication apparatus enabling the method
US20050271010A1 (en) Priority setting scheme for a wireless terminal
US20090247217A1 (en) Apparatus and method for wireless communications capable of bluetooth, wireless local area network (wlan) and wimax communications
Tinnirello et al. Wireless MAC processors: Programming MAC protocols on commodity hardware
US20100202416A1 (en) Data Packet Communication Scheduling in a Communication System
US7117008B2 (en) Mitigating interference among multiple radio device types
US9191522B1 (en) Billing varied service based on tier
US20110205941A1 (en) System and method for spectrum sharing among plural wireless radio networks
US20090006699A1 (en) Universal serial bus dongle device with global positioning and system for use therewith
Pawelczak et al. Cognitive radio: Ten years of experimentation and development
US20050220135A1 (en) Wireless communication method and wireless communication device
WO2007107701A2 (en) Communications device monitoring
US20110194503A1 (en) Spectrum allocation system and method
US7949812B1 (en) Priority arbitration of coexisting wireless topologies
US6876864B1 (en) Software-defined wireless communication device
US20110028102A1 (en) Methods and apparatus for using a licensed spectrum to transmit a signal when an unlicensed spectrum is congested
US20100232380A1 (en) System and method for utilizing spectrum operation modes in dynamic spectrum access systems
US6801755B2 (en) Method and apparatus for providing a radio module for a computer system
US8155482B2 (en) Selecting wider bandwidth channels in a wireless network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12790809

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase in:

Ref country code: DE

122 Ep: pct app. not ent. europ. phase

Ref document number: 12790809

Country of ref document: EP

Kind code of ref document: A1