WO2020090418A1 - Electronic control device, and reprogramming method for electronic control device - Google Patents

Electronic control device, and reprogramming method for electronic control device

Info

Publication number
WO2020090418A1
Authority
WO
WIPO (PCT)
Prior art keywords
secure
information
main
code
repro
Application number
PCT/JP2019/040168
Other languages
French (fr)
Japanese (ja)
Inventor
裕紀 山崎
尚幸 山本
矢野 正
伸義 森田
Original Assignee
日立オートモティブシステムズ株式会社
Application filed by 日立オートモティブシステムズ株式会社
Priority to JP2020553737A (JPWO2020090418A1)
Publication of WO2020090418A1

Classifications

    • B: PERFORMING OPERATIONS; TRANSPORTING
    • B60: VEHICLES IN GENERAL
    • B60R: VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02: Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57: Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F8/00: Arrangements for software engineering
    • G06F8/60: Software deployment
    • G06F8/65: Updates

Definitions

  • the present invention relates to an electronic control device and a reprogramming method for the electronic control device.
  • a security module is mounted on the in-vehicle device (electronic control device).
  • Patent Document 1 discloses a method of applying update data to a vehicle-mounted device.
  • the control code of the in-vehicle device needs to be updated appropriately to ensure security.
  • it is desirable that the secure control code in a secure area, such as an HSM (Hardware Security Module) installed in the in-vehicle device, can be updated when a vulnerability of the encryption algorithm is detected, when the encryption method is changed, or when a function is updated.
  • Patent Document 1 does not disclose a method for updating the secure control code.
  • the present invention is intended to solve the above problems, and an object thereof is to provide a technique capable of increasing the flexibility of reprogramming the secure area.
  • an electronic control device mounted on a moving body, the electronic control device including a plurality of CPUs and a plurality of memories, wherein one of the plurality of CPUs and one of the plurality of memories form a main area, and the other CPU of the plurality of CPUs and the other memory of the plurality of memories form a secure area.
  • the other memory stores secure control information for operating the other CPU, and secure writing software for updating the secure control information; the secure control information includes first secure control information stored in one area of the other memory and second secure control information stored in another area of the other memory, and the other CPU operates under the first secure control information.
  • a block diagram of the reprogramming data according to the first embodiment (FIG. 3); a flowchart showing the reprogramming process according to the first embodiment (FIG. 4); a flowchart showing the secure boot process according to the first embodiment (FIG. 5); a flowchart showing the reprogramming process according to the second embodiment; a flowchart showing the reprogramming process according to the third embodiment.
  • FIG. 1 is a block diagram showing a configuration example of the vehicle information system according to the first embodiment.
  • the vehicle information system includes a vehicle 900, as an example of a “moving body”, and a repro device 800, which can communicate with each other.
  • the repro device 800 includes a diagnostic machine 800A, an in-vehicle repro master 800B1, a communication device 800B2, and an OTA server 800B3.
  • the vehicle 900 includes an ECU 901 that is a repro target, an in-vehicle repro master 800B1, and a communication device 800B2.
  • the vehicle-mounted repro master 800B1 may include a communication device 800B2.
  • if it is not necessary to distinguish the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, these are simply referred to as the repro device 800.
  • the vehicle 900 is an automobile including an ECU 901 of an in-vehicle device that is a repro target.
  • the vehicle 900 may include at least one of the vehicle-mounted repro master 800B1 and the communication device 800B2.
  • the vehicle 900 includes a plurality of ECUs, which are in-vehicle devices, and each ECU is connected by an in-vehicle network.
  • the repro device 800 is a device that reprograms (repros) the ECU 901.
  • the repro device 800 will be described by taking the diagnostic machine 800A, the vehicle-mounted repro master 800B1, the communication device 800B2, and the OTA server 800B3 as examples.
  • the diagnostic machine 800A is a device for writing the repro data of the ECU 901 into the ECU 901.
  • the diagnostic device 800A is connected to the in-vehicle network through the OBD-II port.
  • the diagnostic device 800A receives commands and data relating to diagnostics and repro of the ECU 901 via CAN (Controller Area Network), CAN FD, Ethernet (registered trademark; the same applies hereinafter), or FlexRay (registered trademark; the same applies hereinafter).
  • a gateway (not shown) may be interposed between the diagnostic device 800A and the ECU 901. Further, the diagnostic machine 800A may communicate with the OTA server 800B3. Further, the diagnostic machine 800A may receive commands and data via the vehicle-mounted repro master 800B1.
  • the in-vehicle repro master 800B1 is an in-vehicle device for writing repro data in the ECU 901.
  • the in-vehicle repro master 800B1 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, and FlexRay, and transmits / receives commands and data relating to diagnosis and repro of the ECU 901.
  • a gateway (not shown) may be interposed between the in-vehicle repro master 800B1 and the ECU 901, and the in-vehicle repro master 800B1 may be the same device as the gateway.
  • the in-vehicle repro master 800B1 may be a repro target, that is, the same device as the ECU 901.
  • the in-vehicle repro master 800B1 may communicate with the OTA server 800B3 via the communication device 800B2 to receive the repro data and the command.
  • the in-vehicle repro master 800B1 may be the same device as the communication device 800B2.
  • the communication device 800B2 is a device for the vehicle 900 to communicate with the outside of the vehicle.
  • the communication device 800B2 communicates with the outside of the vehicle by wireless communication, wired LAN, the Internet, or wired communication using a dedicated line.
  • the wireless communication may be LTE (Long Term Evolution), 3G (3rd Generation), WiMAX (Worldwide Interoperability for Microwave Access), wireless LAN (Local Area Network), WAN (Wide Area Network), C2X, or V2X.
  • the communication device 800B2 acquires, from the OTA server 800B3, repro data and commands for the in-vehicle repro master 800B1 to write in the ECU 901.
  • the communication device 800B2 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, and FlexRay, and transmits / receives commands and data to / from the in-vehicle repro master 800B1.
  • the communication device 800B2 may be the same device as the vehicle-mounted repro master 800B1.
  • a gateway (not shown) may be interposed between the communication device 800B2 and the vehicle-mounted repro master 800B1, and the communication device 800B2 may be the same device as the gateway.
  • the communication device 800B2 may be a repro target, that is, the same device as the ECU 901.
  • the OTA server 800B3 is a server that communicates with the vehicle 900 via a network.
  • the OTA server 800B3 may communicate with the diagnostic machine 800A.
  • the OTA server 800B3 delivers the repro data of the ECU 901.
  • the repro data is encrypted, and a tampering detection code is added, by the OTA server 800B3 or by other components (not shown).
  • the repro data distributed from the OTA server 800B3 is decrypted by the ECU 901.
  • the OTA server 800B3 may be a service server with a distribution function for something other than the update program.
  • the OTA server 800B3 may be a server that distributes map information or a server that generally executes key management and incident management.
  • the OTA server 800B3 may have a function of receiving an instruction to register repro data from the outside.
  • the instruction from the outside may be via the network or may be operated on the screen.
  • the repro device 800 includes the functions of the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, or a combination thereof, and delivers the repro data of the ECU 901.
  • the illustrated configuration is an example, and the repro data may be distributed by a route not shown in the figure.
  • FIG. 2 is a block diagram showing a configuration example of the ECU according to the first embodiment.
  • the ECU 901 includes a communication unit 19, a main control unit 10 as an example of “one CPU”, a main code storage unit 11 as an example of “one memory”, and a main data storage unit 12 as an example of “one memory”, which are connected to each other by a bus line. The bus line can also be accessed from the secure control unit 20 described later. The area to which these constituent elements belong, together with the connection to the secure area described later, is referred to as the main area 1 for convenience.
  • the communication unit 19 is a component for the ECU 901 to communicate with other components of the vehicle 900.
  • the communication unit 19 is a module for communicating by CAN, CAN FD, Ethernet, or FlexRay.
  • the ECU 901 may include a plurality of communication units 19 depending on the application and the communication method. Furthermore, the communication unit 19 may be shared with a module that performs other communication. Note that the communication unit 19 may include an antenna and a modulation / demodulation circuit when performing wireless communication.
  • the communication unit 19 may include a connector and a modulation / demodulation circuit when performing wired communication.
  • the ECU 901 includes a secure control unit 20 as an example of “another CPU”, a secure code storage unit 21 as an example of “another memory”, and a secure data storage unit 22 as an example of “another memory”, which are connected to each other by a bus line.
  • the area and connection to which the secure control unit 20, the secure code storage unit 21, and the secure data storage unit 22 belong are referred to as the secure area 2 for convenience.
  • the main area 1 is a part of the ECU 901 excluding the secure area 2.
  • the bus line in the main area 1 and the bus line in the secure area 2 are not directly connected to each other for security reasons. Commands and data are transferred between the areas 1 and 2 via the secure control unit 20.
  • the main control unit 10 has a processor (CPU, MPU, or DSP) and executes the program stored in the main code storage unit 11.
  • the main code storage unit 11 stores a program executed by the main control unit 10.
  • the main code storage unit 11 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM (registered trademark, the same applies hereinafter), or a magnetic disk.
  • the main code storage unit 11 may be composed of a plurality of storage devices, and each program may be distributed and stored in the plurality of storage devices.
  • the main data storage unit 12 stores data used when the main control unit 10 executes a program.
  • the main data storage unit 12 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the main data storage unit 12 may be composed of a plurality of storage devices, and each piece of data may be distributed and stored across the plurality of storage devices.
  • the main code storage unit 11 and the main data storage unit 12 may be memories having a ROM that is a non-volatile storage element and a RAM that is a volatile storage element.
  • the ROM stores an immutable program.
  • the RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by the main control unit 10 and data used when the program is executed.
  • the main code storage unit 11 and the main data storage unit 12 may share some or all of their constituent elements. Even if there is no clear distinction as a device, the main code storage unit 11 denotes the portion storing code, and the main data storage unit 12 denotes the portion storing data.
  • the main code storage unit 11 includes a main control code 110 as an example of “main control information” and main writing software (hereinafter, main writing software) 111.
  • the main control code 110 is a program executed by the main control unit 10 and is a program for realizing the function of the ECU 901 as an in-vehicle device.
  • the main control code 110A and the main control code 110B have a relationship between the old and new programs before and after the update.
  • the main writing software 111 is a program executed by the main control unit 10 and is a program for rewriting (reprogramming) the main control code 110.
  • the main writing software 111 writes the new program (repro data) received by the ECU 901 in the main code storage unit 11 as a new main control code 110.
  • the main writing software 111 cooperates with the communication unit 19 and the secure control unit 20, according to the sequence described below, to securely reprogram the secure control code 210, as an example of “secure control information”, in the secure code storage unit 21 described later, and it gives the trigger that controls the sequence.
  • main writing software 111 or the secure writing software 211 to be described later will rewrite one of the main control code 110A and the main control code 110B that is not used by the main control unit 10 for operation.
  • when the main control unit 10 is operating on the main control code 110A, the main writing software 111 rewrites the main control code 110B.
  • when the main control unit 10 is operating on the main control code 110B, the main writing software 111 rewrites the main control code 110A.
  • when the main control unit 10 uses neither the main control code 110A nor the main control code 110B for operation, either one of them or both may be rewritten. These repro processes are applicable even when there is only one main control code 110; in this case, the main control unit 10 rewrites the main control code 110 while operating on the main writing software 111 and not using the main control code 110 for operation.
  • the main data storage unit 12 includes main control data 120 as an example of “main control information” and a repro data storage unit 121 as an example of “shared memory”.
  • the main control data 120 is data used by the main control code 110 executed by the main control unit 10 for processing, and is data for realizing the function of the ECU 901 as an in-vehicle device. There may be a plurality of main control data 120 depending on the application.
  • the repro data storage unit 121 is an area for storing the repro data received by the main writing software 111 from the communication unit 19.
  • the stored repro data includes a new program for the secure control code 210, for the main control code 110, or for both. The contents of the repro data will be described later with reference to FIG.
  • the repro data may be encrypted and carry a tampering detection code and a signature; it is decrypted and verified in the sequence described below.
  • the secure control unit 20 is a processor (CPU, MPU, or DSP) such as an HSM, SHE, TPM, other secure microcomputer, or secure core.
  • the secure control unit 20 executes the program stored in the secure code storage unit 21.
  • the secure control unit 20 may have tamper resistance.
  • the HSM, SHE, or TPM shown as an example of the secure control unit 20 may include a secure code storage unit 21 and a secure data storage unit 22 described later.
  • the secure code storage unit 21 stores the program executed by the secure control unit 20.
  • the secure code storage unit 21 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the secure code storage unit 21 may have tamper resistance.
  • the secure code storage unit 21 may be composed of a plurality of storage devices, and each program may be distributed and stored in the plurality of storage devices.
  • the secure data storage unit 22 stores data used when the secure control unit 20 executes a program.
  • the secure data storage unit 22 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the secure data storage unit 22 may have tamper resistance.
  • the secure code storage unit 21 and the secure data storage unit 22 may be memories having a ROM that is a nonvolatile storage element and a RAM that is a volatile storage element.
  • the ROM stores an immutable program.
  • the RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by the secure control unit 20 and data used when the program is executed.
  • the secure code storage unit 21 and the secure data storage unit 22 may share some or all of their constituent elements. Even if there is no clear distinction as a device, the secure code storage unit 21 denotes the portion storing code in the secure area 2, and the secure data storage unit 22 denotes the portion storing data in the secure area 2.
  • the secure code storage unit 21 includes a secure control code 210 and secure writing software (hereinafter, secure writing software) 211.
  • the secure control code 210 is a program executed by the secure control unit 20, and is a program for realizing the security function of the ECU 901 as an in-vehicle device.
  • FIG. 2 shows two secure control codes: a secure control code 210A, which is an example of “first secure control information”, and a secure control code 210B, which is an example of “second secure control information”.
  • the secure control code 210A and the secure control code 210B have a relationship between the old and new programs before and after the update.
  • the secure writing software 211 is a program executed by the secure control unit 20 and is a program for rewriting (reprogramming) the secure control code 210.
  • the secure writing software 211 writes the new program (repro data) received by the ECU 901 in the secure code storage unit 21 as a new secure control code 210.
  • the secure writing software 211 cooperates with the main control unit 10 and the main writing software 111, according to the sequence described later, to securely reprogram the secure control code 210 in the secure code storage unit 21.
  • the secure writing software 211 uses a main area key 225 and a secure area key 226, described later, for decrypting the repro data, verifying the falsification detection code, and verifying the signature.
  • the secure writing software 211 rewrites either the secure control code 210A or the secure control code 210B that is not used by the secure control unit 20 for operation.
  • when the secure control unit 20 is operating on the secure control code 210A, the secure writing software 211 rewrites the secure control code 210B.
  • when the secure control unit 20 is operating on the secure control code 210B, the secure writing software 211 rewrites the secure control code 210A.
  • when the secure control unit 20 uses neither the secure control code 210A nor the secure control code 210B for operation, either one of them or both may be rewritten. These repro processes are applicable even when there is only one secure control code 210; in this case, the secure control unit 20 rewrites the secure control code 210 while operating on the secure writing software 211 and not using the secure control code 210 for operation.
  • the secure data storage unit 22 includes secure control data 220, a main area key 225, a secure area key 226, and operation code selection information 229.
  • the secure control data 220 is an example of “secure control information”.
  • the main area key 225 is an example of a “third decryption key”.
  • the secure area key 226 is an example of a “first decryption key” and a “verification key”.
  • the operation code selection information 229 is an example of “operation information selection information”.
  • the secure data storage unit 22 may include a repro data storage unit.
  • the secure control data 220 is data used by the secure control code 210 executed by the secure control unit 20 for processing, and is data for realizing a security function as an in-vehicle device of the ECU 901. There may be a plurality of secure control data 220 depending on the application.
  • the main area key 225 is a key used by the secure writing software 211, executed by the secure control unit 20, to decrypt, or to detect tampering of, the repro data stored in the repro data storage unit 121.
  • the main area key 225 may be a symmetric encryption key such as AES or an asymmetric encryption key such as RSA or elliptic curve encryption.
  • the main area key 225 may have a plurality of mutually different keys used when performing both decryption and tampering detection. Further, when the falsification detection is performed by using the asymmetric key signature, the main writing software 111 may perform the verification process.
  • the secure area key 226 is a key used by the secure writing software 211, executed by the secure control unit 20, to decrypt, or to detect tampering of, the repro data stored in the repro data storage unit 121.
  • the secure area key 226 is used for decrypting or tampering detection of a portion of the repro data, which is particularly related to the secure control code 210.
  • the secure area key 226 may be a symmetric encryption key such as AES or an asymmetric encryption key such as RSA or elliptic curve encryption. When performing both decryption and tampering detection, a plurality of mutually different keys may be used. Note that the secure area key 226 and the main area key 225 may be configured so that there is no particular distinction.
  • the operation code selection information 229 is information used by the main control unit 10 or the secure control unit 20 to select the code to be read and executed after start-up when there are a plurality of main control codes 110 or secure control codes 210.
  • the operation code selection information 229 may be a flag and data that are rewritten when the replacement of the old and new programs is determined by a repro sequence described later. Further, the operation code selection information 229 may include a plurality of pieces of information so that the main control code 110 and the secure control code 210 respectively indicate separate selection information. Further, the operation code selection information 229 may be replaced with information such as whether or not the code is being rewritten.
  • FIG. 3 is a configuration diagram of reprogramming data according to the first embodiment.
  • the repro data is stored in the repro data storage unit 121.
  • the repro data includes, for example, main control code repro data 601, signature 602, secure control code repro data 603, and tampering detection code 604.
  • the main control code repro data 601 includes a new program of the main control code 110.
  • the main control code repro data 601 may be encrypted data that is decrypted with a key belonging to the main area key 225.
  • the encryption method of the main control code repro data 601 may be a symmetric key or an asymmetric key.
  • the main control code repro data 601 may not be encrypted depending on the use.
  • the signature 602 is information for detecting alteration of the repro data.
  • the signature 602 may be an electronic signature whose verification targets are the main control code repro data 601, the secure control code repro data 603, and the tampering detection code 604.
  • the main writing software 111 or the secure writing software 211 can verify the signature 602 with the key belonging to the main area key 225 and confirm that the repro data has not been tampered with.
  • the secure control code repro data 603 includes a new program of the secure control code 210.
  • the secure control code repro data 603 may be encrypted data that is decrypted with a key belonging to the secure area key 226.
  • the encryption method of the secure control code repro data 603 may be a symmetric key or an asymmetric key.
  • the falsification detection code 604 is information for detecting falsification of the secure control code repro data 603.
  • the tampering detection code 604 may be a MAC (Message Authentication Code) whose verification target is the secure control code repro data 603.
  • the secure writing software 211 can verify the tampering detection code 604 with the key belonging to the secure area key 226 and confirm that the secure control code repro data 603 has not been tampered with.
  • the repro data may lack some of the components shown in FIG. 3, and may lack either the main control code repro data 601 or the secure control code repro data 603.
  • the verification range of the signature 602 is not limited to the exemplified one.
  • the verification range of the signature 602 may be only the main control code repro data 601, only the secure control code repro data 603, or only the secure control code repro data 603 and the falsification detection code 604.
  • the verification algorithm of the signature 602 need not be based on an asymmetric key as long as it is a method capable of detecting falsification; as in the example of the falsification detection code 604, a MAC using a symmetric key may be used. Further, the signature 602 may be omitted when the main control code repro data 601 is included in the verification range of the falsification detection code 604.
  • the verification algorithm of the tampering detection code 604 need not use a symmetric key as long as it is a method capable of detecting tampering; as in the example of the signature 602, an electronic signature using an asymmetric key may be used.
  • FIG. 4 is a flowchart showing the reprogramming process according to the first embodiment.
  • the repro device 800 (diagnostic device 800A, vehicle-mounted repro master 800B1, communication device 800B2, OTA server 800B3) and the components of the ECU 901 transfer commands and data to securely reprogram the secure control code 210.
  • the repro device 800 is any one or combination of the diagnostic device 800A, the vehicle-mounted repro master 800B1, the communication device 800B2, and the OTA server 800B3, and each device relays the communication path to the ECU 901 as necessary. Further, communication between the ECU 901 and the outside is relayed by the communication unit 19 as necessary.
  • when a program in the main code storage unit 11 is described as the execution subject, the main control unit 10 executes the program; likewise, when a program in the secure code storage unit 21 is described as the execution subject, the secure control unit 20 executes the program.
  • arrows in the following figures show the conceptual flow of commands and data, and do not limit the communication direction and instruction direction. There may be processing instructions and data flows not shown by arrows.
  • the illustrated sequence starts with the repro device 800 having repro data.
  • the repro device 800 notifies the main writing software 111 of the start of repro (S101). Then, the main writing software 111 receives the repro data from the repro device 800 (S102). The received repro data is stored in the repro data storage unit 121 for tampering detection (S103).
  • the main writing software 111 may receive the public key belonging to the main area key 225 from the secure writing software 211 and verify the signature 602.
  • the main writing software 111 notifies the secure writing software 211 of the start of repro (S104).
  • the secure writing software 211 that has received the repro start notification verifies the alteration detection code 604 of the repro data stored in the repro data storage unit 121 with the key belonging to the secure area key 226 (S105).
  • the signature 602 may also be verified here using a key belonging to the main area key 225.
  • if an abnormality is detected in this verification, the main writing software 111 may be notified of the abnormality and the subsequent repro processing may be stopped.
  • the secure writing software 211 acquires the repro data from the repro data storage unit 121 (S106) and executes the decryption process using the decryption key belonging to the secure area key 226 (S107). Then, the secure writing software 211 updates the secure control code 210 by writing the decrypted repro data to a predetermined location in the secure code storage unit 21 (S108). The processing from S106 to S108 may be executed repeatedly, depending on the capacity of the work memory that the secure area 2 can secure for this processing. Note that the secure control code 210 rewritten in S108 is the one not used by the secure control unit 20 for operation, as described with reference to FIG.
  • the secure writing software 211 verifies whether the writing in S108 was executed normally, and if the verification result is correct, rewrites the operation code selection information 229 to information indicating that the newly written program is selected (S109).
  • the verification may be performed by comparing a tampering detection code calculated from the target area with the tampering detection code 604, or, when the tampering detection code 604 is an electronic signature, by signature verification. The verification may also be determined based on the calculation of another error detection code or error correction code.
  • if an abnormality is detected in this verification, the main writing software 111 is notified of the abnormality and the subsequent repro processing need not be continued. Further, the verification or the switching of the operation code may be judged or executed with an instruction from the main writing software 111, received after a predetermined notification is given to the main writing software 111, as the trigger.
  • the secure writing software 211 notifies the main writing software 111 that the reprogramming of the secure code storage unit 21 has been completed normally (S110).
  • upon receiving the completion notification, the main writing software 111 deletes the repro data stored in the repro data storage unit 121 (S111).
  • the deletion of the repro data may be determined or executed after receiving the instruction from the repro device 800 as a trigger after S112 described below.
  • the main writing software 111 notifies the repro device 800 that the repro has been completed normally (S112). If the main writing software 111 detects any abnormality during a series of processes, the repro device 800 may be notified of the abnormality and the subsequent repro process may be stopped.
  • the secure writing software 211 performs data authentication and decryption and controls the rewriting of the secure control code 210, whereby the flexibility of reprogramming can be increased while maintaining security strength.
  • FIG. 5 is a flowchart showing the secure boot process according to the first embodiment.
  • the secure boot process is executed when the ECU 901 starts up with a new program as a result of the repro process shown in the sequence of FIG.
  • when the ECU 901 is activated (S401), the secure control unit 20 starts the secure boot process (S402).
  • the secure control unit 20 executes self-verification of the secure control code 210 used by itself by a boot code (not shown) (S403).
  • the verification method may be MAC verification by a symmetric-key method or signature verification by an asymmetric-key method. If an abnormality is detected during the self-verification in S403, the secure control unit 20 may execute a predetermined error process; in the error process, the log is saved and the secure boot process is stopped. Then the secure control unit 20 selects an operation code verified to be correct and transfers the processing subject to the selected secure control code 210 (S404).
  • the secure control code 210 verifies the main control code 110, which is the operation code of the main control unit 10 (S405), and determines whether the verification result is normal (S406).
  • if the determination result of S406 is normal, operation permission is given to the boot code (not shown) of the main control unit 10 (S408). If it is abnormal, a predetermined error process is executed (S407); in the error process of S407, the log may be saved and the secure boot process may be stopped.
  • the main control unit 10 that has obtained the operation permission starts the boot process using a boot code (not shown) (S409). If it is necessary to select the operation code, the secure control unit 20 is asked for the operation code selection information 229 (S410), and the secure control code 210 presents the operation code selection information 229 to the main control unit 10 (S411). Subsequently, the main control unit 10 transfers the processing subject to a predetermined main control code 110 according to the operation code selection information 229 acquired in S410 (S412).
  • the main control unit 10 can operate with a correct control code by using the operation code selection information 229 that is securely managed and updated.
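  As an added example (not code from the patent), the secure boot decision of S402 to S412 above written out in Python: both code areas are held in two banks, each bank keeps the tamper detection code stored with it, and the secure control code first verifies itself and then the main control code before granting the main boot code permission to run. The MAC key value, the two-bank layout with a stored tag per bank, and the fallback to the other bank when the selected secure control code fails self-verification are this example's assumptions; the page names the verification options (symmetric MAC or asymmetric signature) but not the storage layout or fallback policy.

```python
import hashlib
import hmac

# Constructed key material (placeholder, not from the patent). The page allows
# either MAC verification with a symmetric key or signature verification with
# an asymmetric key for S403/S405; this example takes the symmetric MAC option
# and assumes the key lives in the secure area key 226.
SECURE_AREA_MAC_KEY = b"constructed-secure-area-mac-key-226"


def tamper_code(image: bytes) -> bytes:
    """Tamper detection code over a code image: HMAC-SHA256 under the secure key."""
    return hmac.new(SECURE_AREA_MAC_KEY, image, hashlib.sha256).digest()


def verified(image: bytes, code: bytes) -> bool:
    """Constant-time comparison of the recomputed code with the stored one."""
    return hmac.compare_digest(tamper_code(image), code)


def build_sample_ecu():
    """Constructed dual-bank layout: each bank stores a code image plus the
    tamper detection code stored alongside it when it was written (an
    assumption about how the page's storage units are laid out)."""
    secure_banks = {
        "A": {"code": b"secure control code 210A (old)", "tag": None},
        "B": {"code": b"secure control code 210B (new)", "tag": None},
    }
    main_banks = {
        "A": {"code": b"main control code 110A (old)", "tag": None},
        "B": {"code": b"main control code 110B (new)", "tag": None},
    }
    for banks in (secure_banks, main_banks):
        for bank in banks.values():
            bank["tag"] = tamper_code(bank["code"])
    # operation code selection information 229: which bank each area runs from
    selection = {"secure": "B", "main": "B"}
    return secure_banks, main_banks, selection


def secure_boot(secure_banks, main_banks, selection):
    """S402-S412 as a pure function: returns what was decided and a step log."""
    log = []
    result = {"secure_bank": None, "main_bank": None, "main_permitted": False}

    # S403: the boot code self-verifies the secure control code named by 229
    chosen = selection["secure"]
    if not verified(secure_banks[chosen]["code"], secure_banks[chosen]["tag"]):
        log.append(f"S403: secure bank {chosen} failed self-verification")
        # S404 says "select an operation code verified to be correct"; trying
        # the other bank is this example's fallback policy (assumption).
        other = "A" if chosen == "B" else "B"
        if not verified(secure_banks[other]["code"], secure_banks[other]["tag"]):
            log.append("error process: no verified secure control code, secure boot stopped")
            return result, log
        chosen = other
    result["secure_bank"] = chosen
    log.append(f"S404: control transferred to secure control code {chosen}")

    # S405/S406: the secure control code verifies the main control code 110
    main_bank = selection["main"]
    if not verified(main_banks[main_bank]["code"], main_banks[main_bank]["tag"]):
        log.append(f"S407: main control code {main_bank} failed verification, secure boot stopped")
        return result, log

    # S408: operation permission to the main boot code; S410/S411: the main
    # control unit asks for selection information 229 and is given it
    result["main_bank"] = main_bank
    result["main_permitted"] = True
    log.append(f"S408: main boot code permitted; S411: selection info -> main bank {main_bank}")
    return result, log


if __name__ == "__main__":
    sb, mb, sel = build_sample_ecu()
    res, steps = secure_boot(sb, mb, sel)
    print(res)
    for line in steps:
        print(line)
```

The point to notice is the order: the main control unit never runs until the secure control code has verified both itself and the main image, and the selection information it later receives in S411 comes from the secure side, so a main-area write that bypassed the secure writing software would still be caught at the next boot.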
  • the error may also be notified to the control unit of each component of the vehicle information system.
  • each program included in the main writing software 111, the secure writing software 211, the main control code 110, and the secure control code 210 may display information indicating the processing being executed on the display device as necessary. It is desirable for each of these programs to display information indicating the completion of a series of processing and the occurrence of branch processing on the display device. Further, the determination in the branch processing may be performed by the user via the input device.
  • the exchange of information between the steps may be omitted from the figures; in practice, however, a command and its response may form a pair. Further, even where the exchange of information between steps is shown by a single set of bidirectional arrows, that exchange may consist of a plurality of commands and responses. Further, even where the description says that data is transmitted and received between entities, in actual communication one entity may act as a client and the other as a server; in that case the actual communication may be carried out via commands and responses, resulting in the transmission of the data in question.
  • the reprogramming process according to the second embodiment will be described.
  • the reprogramming process according to the second embodiment differs from that of the first embodiment only in the configuration for transmitting and receiving repro data; the other configurations are the same as in the first embodiment. Therefore, mainly the differences from the first embodiment will be described.
  • FIG. 6 is a flowchart showing a reprogramming process according to the second embodiment.
  • the rewriting data is sent from the main writing software 111 to the secure writing software 211.
  • this embodiment is an effective method when sufficient work memory for data reception can be secured in the secure area 2, and is feasible even when the secure writing software 211 cannot directly refer to the main data storage unit 12.
  • the main writing software 111 notifies the secure writing software 211 of the start of the rewriting (S104), then acquires the repro data from the repro data storage unit 121 and transmits it to the secure writing software 211 (S201).
  • the secure writing software 211 holds the received repro data in an appropriate work memory (not shown) such as the secure data storage unit 22 (S202).
  • S201 and S202 may be repeated in predetermined amounts according to the communication bandwidth between the components.
  • the secure writing software 211 executes tamper detection in S105 on the repro data received in S202, and from S107 onward executes the same processing as in the flow shown in FIG.
  • when sufficient work memory can be secured in the secure area 2, the secure writing software 211 can execute the data authentication and decryption processing even if it cannot directly refer to the main data storage unit 12. That is, by controlling the rewriting of the secure control code 210, the flexibility of reprogramming can be increased while maintaining the strength of security.
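  The chunked transfer of S201/S202 and the tamper detection of S105 that follows it, as an added example that is not the patent's code. It models the secure area's work memory as a bounded buffer that refuses an image larger than its capacity, rejects chunks that fall outside the announced image or overlap data already received, and only runs tamper detection once the image is complete. The per-chunk offsets, the total length announced with the start notification, the HMAC-SHA256 tamper detection code 604 and the key value are assumptions of this example; the page only states that the transfer is repeated by a predetermined amount and that the secure area's work memory bounds it.

```python
import hashlib
import hmac

# Constructed placeholder for the MAC key assumed to live in the secure area key 226.
SECURE_AREA_MAC_KEY = b"constructed-secure-area-mac-key-226"


def tamper_code_604(data: bytes) -> bytes:
    """Tamper detection code 604 over the whole repro data (HMAC-SHA256, assumed)."""
    return hmac.new(SECURE_AREA_MAC_KEY, data, hashlib.sha256).digest()


class SecureWorkMemory:
    """Bounded work memory in the secure area 2 that collects S202 chunks.

    Each chunk carries its byte offset (an assumption), so a missing,
    duplicated or out-of-range chunk is detected before tamper detection runs.
    """

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.buf = None
        self.filled = None
        self.error = None

    def begin(self, total_len: int) -> bool:
        """The S104 start notification also announces the total length (assumption)."""
        if total_len > self.capacity:
            self.error = f"repro data ({total_len} B) exceeds work memory ({self.capacity} B)"
            return False
        self.buf = bytearray(total_len)
        self.filled = bytearray(total_len)  # 0 = not yet received, 1 = received
        return True

    def receive(self, offset: int, chunk: bytes) -> bool:
        """S202: store one chunk; reject anything outside the announced image."""
        end = offset + len(chunk)
        if self.buf is None or offset < 0 or end > len(self.buf):
            self.error = f"chunk [{offset},{end}) outside announced image"
            return False
        if any(self.filled[offset:end]):
            self.error = f"chunk [{offset},{end}) overlaps data already received"
            return False
        self.buf[offset:end] = chunk
        self.filled[offset:end] = b"\x01" * len(chunk)
        return True

    def complete(self) -> bool:
        return self.buf is not None and all(self.filled)

    def verify(self, code_604: bytes) -> bool:
        """S105 on the assembled data; nothing is decrypted or written before this."""
        if not self.complete():
            self.error = "image incomplete, tamper detection skipped"
            return False
        if not hmac.compare_digest(tamper_code_604(bytes(self.buf)), code_604):
            self.error = "tamper detection code 604 mismatch"
            return False
        return True


def main_side_chunks(repro_data: bytes, chunk_size: int):
    """S201 on the main writing software 111 side: split by a chunk size
    derived from the available communication bandwidth."""
    for off in range(0, len(repro_data), chunk_size):
        yield off, repro_data[off:off + chunk_size]


def run_transfer(repro_data: bytes, code_604: bytes, capacity: int, chunk_size: int):
    """Drive S104 -> S201/S202 (repeated) -> S105 and report (ok, reason)."""
    mem = SecureWorkMemory(capacity)
    if not mem.begin(len(repro_data)):
        return False, mem.error
    for off, chunk in main_side_chunks(repro_data, chunk_size):
        if not mem.receive(off, chunk):
            return False, mem.error
    if not mem.verify(code_604):
        return False, mem.error
    return True, "repro data authenticated; continue from S107"
```

Checking the capacity up front is what makes this embodiment's precondition explicit: if the secure area cannot hold the whole image, the transfer is refused before any chunk arrives rather than failing part-way with a half-filled work memory.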
  • the reprogramming process according to the third embodiment will be described.
  • the reprogramming process according to the third embodiment differs from that of the first embodiment only in the configuration of the repro target; the other configurations are the same as in the first embodiment. Therefore, mainly the differences from the first embodiment will be described.
  • FIG. 7 is a flowchart showing a reprogramming process according to the third embodiment.
  • FIG. 7 shows a method in which the secure writing software 211 rewrites the main code storage unit 11 of the main area 1 either before or after S104 to S111 of FIG. 4 (the figure shows the former case).
  • the main writing software 111 delegates the repro process to the secure writing software 211. Therefore, by performing all security judgments regarding the repro process in the secure area 2, a more secure repro is possible.
  • the main writing software 111 executes a repro start request to the secure writing software 211 (S301).
  • the repro start request of S301 and the repro start notification of S104 may be a single command carrying both meanings.
  • the secure writing software 211 that has received the repro start request verifies the signature 602 of the repro data stored in the repro data storage unit 121 with the key belonging to the main area key 226 (S302). If the tamper detection verification fails, the secure writing software 211 may notify the main writing software 111 of an abnormality after performing a predetermined retry, and stop the subsequent repro processing.
  • the secure writing software 211 acquires the repro data from the repro data storage unit 121 (S303), decrypts it using the decryption key belonging to the main area key 225 (S304), and updates the main control code 110 by writing the decrypted data to a predetermined location in the main code storage unit 11 (S305).
  • the processes of S303 to S305 may be repeated in predetermined amounts according to the capacity of the work memory area that the secure area 2 can secure for this processing. Note that in S305 the secure writing software rewrites the main control code 110 that the main control unit 10 is not using for operation, as described with reference to FIG.
  • the secure writing software 211 verifies whether or not the writing in S305 was executed normally, and if the verification result is correct, rewrites the operation code selection information 229 to information indicating that the newly written program is selected (S306).
  • the verification may be performed by comparing the hash value extracted from the signature 602 with the hash value calculated from the target area; when the signature 602 is a MAC, the verification may be performed by MAC verification. Furthermore, the determination may be based on the calculation of another error detection code or error correction code. If the writing has failed, the main writing software 111 may be notified of the abnormality after a predetermined retry, and the subsequent repro processing may be stopped. Further, the verification or the switching of the operation code may be judged or executed using an instruction received from the main writing software 111 as a trigger, after a predetermined notification has been given to the main writing software 111.
  • the secure writing software 211 notifies the main writing software 111 that the reprogramming of the main code storage unit 11 has completed normally (S307).
  • the operation code switching of S306 and the operation code switching of S109 may be executed as a single step after the rewriting processing of both the main code storage unit 11 and the secure code storage unit 21 is completed.
  • the completion notifications in S307 and S110 may be one notification including both meanings.
  • in the above description, S301 to S307 are executed before S104 to S110; however, S301 to S307 may be executed after S104 to S110. Further, S104 to S110 may be omitted and only the repro of the main code storage unit 11 executed.
  • the main writing software 111 may transmit the repro data to the secure writing software 211 as in the example shown in FIG.
  • the secure writing software 211 can perform control for rewriting the main control code 110, the secure control code 210, or both by executing data authentication and decryption processing.
  • the flexibility of reprogramming can be enhanced while maintaining the strength of security.
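  The rewrite flow of the first embodiment (S105 to S109, secure code storage unit 21) and of the third embodiment (S302 to S306, main code storage unit 11), together with the single operation-code switch after both regions are written that the page allows, as one added Python example that is not the patent's code. The tamper detection check runs before anything is decrypted or written, the new image always goes into the bank not currently selected, the written bank is read back and its tamper detection code compared with that of the decrypted image, and selection information 229 only changes after every region has verified. The nonce || ciphertext || tag layout, encrypt-then-MAC, the HMAC-SHA256 counter-mode stand-in for the unnamed cipher, the key values and the `inject_write_fault` hook are assumptions chosen to keep the example standard-library only.

```python
import hashlib
import hmac
import os

# Constructed key material (placeholders, not from the patent). The page keeps
# a "secure area key 226" for the secure control code and a "main area key"
# for the main control code; each is modelled as a (MAC key, encryption key)
# pair with the tamper detection code computed over the ciphertext
# (encrypt-then-MAC, an assumption the page does not spell out).
AREA_KEYS = {
    "secure": {"mac": b"secure-area-mac-key", "enc": b"secure-area-enc-key"},
    "main": {"mac": b"main-area-mac-key", "enc": b"main-area-enc-key"},
}
NONCE_LEN, TAG_LEN = 16, 32


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: HMAC-SHA256 in counter mode XORed over the data. The
    patent does not name its cipher; a real ECU would use AES, this keeps the
    example standard-library only. Encryption and decryption are the same op."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def package_repro(area: str, new_code: bytes, nonce: bytes = None) -> bytes:
    """Distribution side (OTA server 800B3 or the diagnostic tool): encrypt the
    new program and append its tamper detection code. Layout: nonce || ct || tag."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = keystream_xor(AREA_KEYS[area]["enc"], nonce, new_code)
    tag = hmac.new(AREA_KEYS[area]["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def other_bank(bank: str) -> str:
    return "B" if bank == "A" else "A"


def rewrite_region(area, repro_data, banks, selection, log, inject_write_fault=False):
    """Secure writing software 211 rewriting one region: S105-S108 for the
    secure code storage unit 21, S302-S305 for the main code storage unit 11.
    Returns True on a verified write; selection information 229 is not touched here."""
    keys = AREA_KEYS[area]
    nonce, ct, tag = repro_data[:NONCE_LEN], repro_data[NONCE_LEN:-TAG_LEN], repro_data[-TAG_LEN:]

    # S105 / S302: tamper detection before anything is decrypted or written
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        log.append(f"{area}: tamper detection failed, repro stopped")
        return False

    # S107 / S304: decrypt with the area's own key
    new_code = keystream_xor(keys["enc"], nonce, ct)

    # S108 / S305: write into the bank NOT currently selected for operation
    target = other_bank(selection[area])
    banks[area][target] = new_code
    if inject_write_fault:  # simulate a flash write error to exercise verification
        banks[area][target] = new_code[:-1] + bytes([new_code[-1] ^ 0xFF])

    # S109 / S306 (verification half): compare the tamper detection code of the
    # target area with that of the image we meant to write
    written = hmac.new(keys["mac"], banks[area][target], hashlib.sha256).digest()
    wanted = hmac.new(keys["mac"], new_code, hashlib.sha256).digest()
    if not hmac.compare_digest(written, wanted):
        log.append(f"{area}: write verification of bank {target} failed, repro stopped")
        return False
    log.append(f"{area}: bank {target} written and verified")
    return True


def repro_main_and_secure(main_pkg, secure_pkg, banks, selection, inject_write_fault=False):
    """Third-embodiment order: main region (S301-S307) then secure region
    (S104-S110); the two operation code switches (S306 and S109) happen as one
    step only after both writes verified, so a failure anywhere leaves 229 as it was."""
    log, pending = [], {}
    for area, pkg in (("main", main_pkg), ("secure", secure_pkg)):
        if not rewrite_region(area, pkg, banks, selection, log, inject_write_fault):
            return False, log
        pending[area] = other_bank(selection[area])
    selection.update(pending)  # single switch of selection information 229
    log.append(f"selection info 229 switched to {pending}")
    return True, log
```

Because the idle bank is the only thing written before the switch, a rejected package or a failed write leaves the ECU running the code it booted with; the partially written idle bank is simply overwritten by the next attempt.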
  • the present invention is not limited to the above-described embodiments, and various modifications are included.
  • the above-described embodiments have been described in detail for the purpose of explaining the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described.
  • a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and further, the configuration of another embodiment can be added to the configuration of one embodiment.
  • the secure writing software 211 may have a smaller code size than the secure control code 210A. With this configuration, the secure control code 210A can be written even when the available capacity is small.
  • each of the above configurations, functions, processing units, and processing means may be realized in hardware by designing part or all of them as an integrated circuit. Further, each of the above configurations and functions may be realized in software by a processor interpreting and executing a program that realizes each function. Information such as the programs, tables, and files that realize each function may be stored in a recording device such as a memory, a hard disk, or an SSD, or on a recording medium such as an IC card, an SD card, or a DVD.
  • control lines and information lines are shown where considered necessary for explanation; not all control lines and information lines of the product are shown. In practice, almost all configurations may be interconnected.


Abstract

The present invention allows an increase in the flexibility of reprogramming a secure area. A secure area 2 stores a secure control code 210 and secure control data 220 for operating a secure control unit 20, and secure writing software 211 for updating the secure control code and the secure control data. The secure control code and the secure control data have a secure control code 210A stored on the operation surface in a secure code storage unit 21 and a secure data storage unit 22, and a secure control code 210B stored on the non-operation surface in a main code storage unit and a main data storage unit. The secure control unit operates the secure writing software according to the secure control information 210A and updates the secure control information 210B with the update information received from outside via the main area.

Description

Electronic control device and reprogramming method for electronic control device
The present invention relates to an electronic control device and a reprogramming method for the electronic control device.
In recent years, with the progress of safe-driving support and autonomous driving technology, vehicles have come to be connected to systems outside the vehicle such as servers or the cloud. To ensure communication security inside and outside the vehicle, a security module is mounted on the in-vehicle device (electronic control device).
Patent Document 1 discloses a method of applying update data to a vehicle-mounted device.
JP 2018-58582 A
The control code of an in-vehicle device needs to be updated as appropriate to ensure security. It is desirable that the secure control code of a secure area such as an HSM (Hardware Security Module) mounted on the in-vehicle device can also be updated when a vulnerability in a cryptographic algorithm is discovered, when the encryption method is changed, or when functions are updated.
On the other hand, if the secure control code in the secure area could be rewritten freely, the reliability of the secure area would be compromised, so rewriting it directly from the writing software in the main area is prohibited. An in-vehicle device in which rewriting from the main area is prohibited in this way has the problem that the secure control code cannot be rewritten. However, Patent Document 1 does not disclose a method of updating the secure control code.
The present invention is intended to solve the above problem, and an object thereof is to provide a technique capable of increasing the flexibility of reprogramming a secure area.
To solve the above problem, an electronic control device according to the present invention is an electronic control device mounted on a moving body, comprising a plurality of CPUs and a plurality of memories, wherein a main area is formed by one CPU of the plurality of CPUs and one memory of the plurality of memories, and a secure area is formed by another CPU of the plurality of CPUs and another memory of the plurality of memories; the other memory stores secure control information for operating the other CPU and secure writing software for updating the secure control information; the secure control information has first secure control information stored in one region of the other memory and second secure control information stored in another region of the other memory; and the other CPU operates the secure writing software according to the first secure control information and updates the second secure control information with update information received from outside via the main area.
According to the present invention, the flexibility of security reprogramming can be increased.
FIG. 1 is a block diagram showing a vehicle information system according to the first embodiment. FIG. 2 is a block diagram showing an ECU according to the first embodiment. FIG. 3 is a configuration diagram of reprogramming data according to the first embodiment. FIG. 4 is a flowchart showing a reprogramming process according to the first embodiment. FIG. 5 is a flowchart showing a secure boot process according to the first embodiment. FIG. 6 is a flowchart showing a reprogramming process according to the second embodiment. FIG. 7 is a flowchart showing a reprogramming process according to the third embodiment.
Several embodiments will be described below with reference to the accompanying drawings. It should be noted that these embodiments are merely examples for realizing the present invention and do not limit the technical scope of the invention. In each figure, common configurations are given the same reference numerals.
In the present embodiment, an example of a vehicle information system that executes reprogramming (hereinafter also called repro or update) processing of an electronic control unit (hereinafter, ECU) will be described.
<First Embodiment>
FIG. 1 is a block diagram showing a configuration example of the vehicle information system according to the first embodiment.
The vehicle information system has a vehicle 900, as an example of a "moving body", and a repro device 800, which can communicate with each other. The repro device 800 is composed of a diagnostic tool 800A, an in-vehicle repro master 800B1, a communication device 800B2, and an OTA server 800B3.
The vehicle 900 has an ECU 901 that is the repro target, the in-vehicle repro master 800B1, and the communication device 800B2.
Note that the components included in the vehicle information system may be connected by routes not shown in FIG. 1. Further, a component in the vehicle information system may include other components. The in-vehicle repro master 800B1 may include the communication device 800B2.
Hereinafter, when it is not necessary to distinguish the diagnostic tool 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, they are simply referred to as the repro device 800.
The vehicle 900 is an automobile equipped with the ECU 901, the in-vehicle device that is the repro target. The vehicle 900 may include at least one of the in-vehicle repro master 800B1 and the communication device 800B2. The vehicle 900 is equipped with a plurality of ECUs, which are in-vehicle devices, and each ECU is connected by an in-vehicle network.
The repro device 800 is a device that reprograms the ECU 901. The repro device 800 will be described taking the diagnostic tool 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3 as examples.
The diagnostic tool 800A is a device for writing the repro data of the ECU 901 into the ECU 901. The diagnostic tool 800A is connected to the in-vehicle network through the OBD-II port. The diagnostic tool 800A receives commands and data related to diagnosis and reprogramming of the ECU 901 via CAN (Control Area Network), CAN FD, Ethernet (registered trademark; the same applies hereinafter), or FlexRay (registered trademark; the same applies hereinafter). A gateway (not shown) may be interposed between the diagnostic tool 800A and the ECU 901. Further, the diagnostic tool 800A may communicate with the OTA server 800B3. Further, the diagnostic tool 800A may receive commands and data via the in-vehicle repro master 800B1.
The in-vehicle repro master 800B1 is an in-vehicle device for writing repro data into the ECU 901. The in-vehicle repro master 800B1 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, or FlexRay, and transmits and receives commands and data related to diagnosis and reprogramming of the ECU 901. A gateway (not shown) may be interposed between the in-vehicle repro master 800B1 and the ECU 901, and the in-vehicle repro master 800B1 may be the same device as the gateway. Further, the in-vehicle repro master 800B1 may be the same device as the repro target, that is, the ECU 901.
Further, the in-vehicle repro master 800B1 may communicate with the OTA server 800B3 via the communication device 800B2 in order to receive repro data and commands. The in-vehicle repro master 800B1 may be the same device as the communication device 800B2.
The communication device 800B2 is a device by which the vehicle 900 communicates with the outside of the vehicle. The communication device 800B2 communicates with the outside of the vehicle by wireless communication, or by wired communication using a wired LAN, the Internet, or a dedicated line. The wireless communication may be LTE (Long Term Evolution), 3G (3rd Generation), WiMAX (Worldwide Interoperability for Microwave Access), wireless LAN (Local Area Network), WAN (Wide Area Network), C2X, or V2X. The communication device 800B2 acquires from the OTA server 800B3 the repro data and commands that the in-vehicle repro master 800B1 writes into the ECU 901.
The communication device 800B2 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, or FlexRay, and transmits and receives commands and data to and from the in-vehicle repro master 800B1. The communication device 800B2 may be the same device as the in-vehicle repro master 800B1. Further, a gateway (not shown) may be interposed between the communication device 800B2 and the in-vehicle repro master 800B1, and the communication device 800B2 may be the same device as the gateway. Further, the communication device 800B2 may be the same device as the repro target, that is, the ECU 901.
The OTA server 800B3 is a server that communicates with the vehicle 900 via a network. The OTA server 800B3 may communicate with the diagnostic tool 800A.
The OTA server 800B3 distributes the repro data of the ECU 901. The repro data is encrypted and given a tamper detection code by the OTA server 800B3 or by another component not shown. The repro data distributed from the OTA server 800B3 is decrypted by the ECU 901. The OTA server 800B3 may be a service server having distribution functions other than update programs. The OTA server 800B3 may be a server that distributes map information, or in general a server that performs key management and incident management.
Further, the OTA server 800B3 may have a function of receiving an instruction to register repro data from the outside. The instruction from the outside may be given via a network or by operation of a screen.
The repro device 800 consists of the functions of the diagnostic tool 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, or a combination of them, and distributes the repro data of the ECU 901. The illustrated configuration is an example, and the repro data may be distributed by a route whose connection is not shown in the figure.
FIG. 2 is a block diagram showing a configuration example of the ECU according to the first embodiment.
The ECU 901 includes a communication unit 19, a main control unit 10 as an example of the "one CPU", a main code storage unit 11 as an example of the "one memory", and a main data storage unit 12 as an example of the "one memory", which are connected to each other by a bus line. Further, the bus line can be accessed from the secure control unit 20 described later. The area and wiring to which these components belong are called the main area 1 for convenience, in contrast to the secure area described later.
The communication unit 19 is a component by which the ECU 901 communicates with the other components of the vehicle 900. The communication unit 19 is a module for communicating by CAN, CAN FD, Ethernet, or FlexRay. The ECU 901 may include a plurality of communication units 19 according to the application and the communication method. Further, the communication unit 19 may be shared with a module that performs other communication. Note that the communication unit 19 may include an antenna and a modulation/demodulation circuit for wireless communication, and a connector and a modulation/demodulation circuit for wired communication.
Further, the ECU 901 includes a secure control unit 20 as an example of the "other CPU", a secure code storage unit 21 as an example of the "other memory", and a secure data storage unit 22 as an example of the "other memory", which are connected to each other by a bus line. The area and wiring to which the secure control unit 20, the secure code storage unit 21, and the secure data storage unit 22 belong are called the secure area 2 for convenience. The main area 1 is the part of the ECU 901 other than the secure area 2.
The bus line of the main area 1 and the bus line of the secure area 2 are not directly connected, for reasons of security. Commands and data are transferred between the two areas 1 and 2 via the secure control unit 20.
The main control unit 10 has a processor (CPU, MPU, or DSP) and executes the programs stored in the main code storage unit 11.
The main code storage unit 11 stores the programs executed by the main control unit 10. The main code storage unit 11 may be a non-volatile storage device such as a flash memory, EEPROM, SSD, FRAM (registered trademark; the same applies hereinafter), or magnetic disk. The main code storage unit 11 may be composed of a plurality of storage devices, and each program may be stored distributed across the plurality of storage devices.
The main data storage unit 12 stores the data used when the main control unit 10 executes a program. The main data storage unit 12 may be a non-volatile storage device such as a flash memory, EEPROM, SSD, FRAM, or magnetic disk. The data storage unit 11 may be composed of a plurality of storage devices, and each item of data may be stored distributed across the plurality of storage devices.
The main code storage unit 11 and the main data storage unit 12 may be a memory having a ROM, which is a non-volatile storage element, and a RAM, which is a volatile storage element. The ROM stores programs that do not change. The RAM is a high-speed, volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores the programs executed by the main control unit 10 and the data used while they execute.
Note that the main code storage unit 11 and the main data storage unit 12 may have part or all of each other as constituent elements. Even where there is no clear distinction between them as devices, the main code storage unit 11 denotes the part that stores code, and the main data storage unit 12 denotes the part that stores data.
The main code storage unit 11 holds a main control code 110, as an example of "main control information", and main writing software 111. The main control code 110 is a program executed by the main control unit 10 and realizes the functions of the ECU 901 as an in-vehicle device. There may be a plurality of main control codes 110; FIG. 2 shows two, a main control code 110A and a main control code 110B. In the following description, the main control code 110A and the main control code 110B are treated as the old and new programs before and after an update.
The main writing software 111 is a program executed by the main control unit 10 for rewriting (reprogramming) the main control code 110. The main writing software 111 writes a new program (repro data) received by the ECU 901 into the main code storage unit 11 as a new main control code 110.
 メイン書込ソフト111は、後述するシーケンスによって、通信部19及びセキュア制御部20と連携し、後述するセキュアコード記憶部21の「セキュア制御情報」の一例としてのセキュア制御コード210をセキュアにリプロするトリガを与えて、シーケンスをコントロールする。 The main writing software 111 cooperates with the communication unit 19 and the secure control unit 20 according to a sequence described below to securely reprovision the secure control code 210 as an example of “secure control information” in the secure code storage unit 21 described later. Give a trigger to control the sequence.
 なお、メイン書込ソフト111、または後述するセキュア書込ソフト211は、メイン制御コード110Aまたはメイン制御コード110Bのうち、メイン制御部10が動作に用いていない何れか一方を書換えの対象とする。メイン制御部10がメイン制御コード110Aを動作に用いている場合、メイン書込ソフト111は、メイン制御コード110Bを書き換える。一方、メイン制御部10がメイン制御コード110Bを動作に用いている場合、メイン書込ソフト111は、メイン制御コード110Aを書き換える。 Note that the main writing software 111 or the secure writing software 211 to be described later will rewrite one of the main control code 110A and the main control code 110B that is not used by the main control unit 10 for operation. When the main control unit 10 uses the main control code 110A for the operation, the main writing software 111 rewrites the main control code 110B. On the other hand, when the main control unit 10 uses the main control code 110B for the operation, the main writing software 111 rewrites the main control code 110A.
 さらに、メイン制御部10がメイン制御コード110Aとメイン制御コード110Bとの何れも動作に使用していない場合、メイン制御コード110Aとメイン制御コード110Bとの何れかを書き換えてよいし、両方を書き換えてよい。これらリプロ処理は、メイン制御コード110が1つのみの場合にも当て嵌る。この場合、メイン制御部10は、メイン書込ソフト111を動作に用い、メイン制御コード110を動作に用いない状態でメイン制御コード110を書き換える。 Furthermore, when the main control unit 10 does not use either the main control code 110A or the main control code 110B for the operation, either the main control code 110A or the main control code 110B may be rewritten, or both of them may be rewritten. You may. These repro processings are applicable even when there is only one main control code 110. In this case, the main control unit 10 rewrites the main control code 110 while using the main writing software 111 for the operation and not using the main control code 110 for the operation.
 メインデータ記憶部12は、「メイン制御情報」の一例としてのメイン制御データ120と、「共有メモリ」の一例としてのリプロデータ格納部121とを備える。メイン制御データ120は、メイン制御部10に実行されるメイン制御コード110が処理に使用するデータであり、ECU901の車載装置としての機能を実現させるためのデータである。メイン制御データ120は、用途に応じて複数でよい。 The main data storage unit 12 includes main control data 120 as an example of “main control information” and a repro data storage unit 121 as an example of “shared memory”. The main control data 120 is data used by the main control code 110 executed by the main control unit 10 for processing, and is data for realizing the function of the ECU 901 as an in-vehicle device. There may be a plurality of main control data 120 depending on the application.
 リプロデータ格納部121は、メイン書込ソフト111が通信装置19から受信したリプロデータを格納するための領域である。格納されるリプロデータには、セキュア制御コード210、メイン制御コード110、またはそれらの両方の新たな制御プログラムが含まれている。リプロデータの内容は、図3で後述する。リプロデータは、暗号化、改竄検知コード付与、及び署名付与が成されていることがあり、後述のシーケンスで復号及び検証される。 The repro data storage unit 121 is an area for storing the repro data received by the main writing software 111 from the communication device 19. The stored repro data includes the secure control code 210, the main control code 110, or both new control programs. The contents of the repro data will be described later with reference to FIG. The repro data may be encrypted, tampering detection code added, and signature added, and decrypted and verified in the sequence described below.
The secure control unit 20 consists of a processor (CPU, MPU, or DSP) of the kind called an HSM, SHE, TPM, other secure microcontroller, or secure core. It executes the programs stored in the secure code storage unit 21. The secure control unit 20 may be tamper resistant. The HSM, SHE, or TPM given as examples of the secure control unit 20 may encompass the secure code storage unit 21 and the secure data storage unit 22 described later.
The secure code storage unit 21 stores the programs executed by the secure control unit 20. It may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk, and it may be tamper resistant. The secure code storage unit 21 may consist of a plurality of storage devices, and each program may be stored distributed across them.
The secure data storage unit 22 stores the data used when the secure control unit 20 executes a program. It may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk, and it may be tamper resistant.
The secure code storage unit 21 and the secure data storage unit 22 may be memories having a ROM, which is a non-volatile storage element, and a RAM, which is a volatile storage element. The ROM stores immutable programs. The RAM is a high-speed, volatile storage element such as a DRAM (Dynamic Random Access Memory) and temporarily stores the programs executed by the secure control unit 20 and the data used while they run.
Furthermore, the secure code storage unit 21 and the secure data storage unit 22 may each contain part or all of the other as a constituent element. Even where there is no clear distinction between them as devices, the secure code storage unit 21 denotes the portion of the secure area 2 that stores code, and the secure data storage unit 22 denotes the portion of the secure area 2 that stores data.
The secure code storage unit 21 holds a secure control code 210 and secure writing software (hereinafter, secure writing software) 211. The secure control code 210 is a program executed by the secure control unit 20 and realizes the security function of the ECU 901 as an in-vehicle device. There may be a plurality of secure control codes 210; FIG. 2 shows two, a secure control code 210A as an example of "first secure control information" and a control code 210B as an example of "second secure control information". In the following description, the secure control code 210A and the secure control code 210B stand in the relationship of the old and new programs before and after an update.
The secure writing software 211 is a program executed by the secure control unit 20 for rewriting (reprogramming) the secure control code 210. It writes the new program (repro data) received by the ECU 901 into the secure code storage unit 21 as a new secure control code 210.
Through the sequence described later, the secure writing software 211 cooperates with the main control unit 10 and the main writing software 111 to securely reprogram the secure control code 210 in the secure code storage unit 21. In doing so, the secure writing software 221 uses a main area key 225 and a secure area key 226, described later, to decrypt the repro data, verify its tamper detection code, and verify its signature.
Note that the secure writing software 211 takes as its rewrite target whichever of the secure control code 210A and the secure control code 210B the secure control unit 20 is not using for operation. When the secure control unit 20 is running the secure control code 210A, the secure writing software 211 rewrites the secure control code 210B; when the secure control unit 20 is running the secure control code 210B, the secure writing software 211 rewrites the secure control code 210A.
Furthermore, when the secure control unit 20 is using neither the secure control code 210A nor the secure control code 210B for operation, either one of them, or both, may be rewritten. These repro processes also apply when there is only one secure control code 210. In that case, the secure control unit 20 rewrites the secure control code 210 while running the secure writing software 211 and not running the secure control code 210.
The secure data storage unit 22 holds secure control data 220, a main area key 225, a secure area key 226, and operation code selection information 229. The secure control data 220 is an example of "secure control information". The main area key 225 is an example of a "third decryption key". The secure area key 226 is an example of a "first decryption key" and of a "verification key". The operation code selection information 229 is an example of "operation information selection information". Like the main data storage unit 12, the secure data storage unit 22 may also include a repro data storage unit.
The secure control data 220 is data used in processing by the secure control code 210 executed by the secure control unit 20, and realizes the security function of the ECU 901 as an in-vehicle device. There may be a plurality of secure control data 220 depending on the application.
The main area key 225 is a key with which the secure writing software 211, executed by the secure control unit 20, decrypts the repro data stored in the repro data storage unit 121 or detects tampering with it. The main area key 225 may be a symmetric-cipher key such as an AES key or an asymmetric-cipher key such as an RSA or elliptic-curve key. When both decryption and tamper detection are performed, the main area key 225 may comprise a plurality of distinct keys, one for each purpose. Furthermore, when tamper detection is performed by an asymmetric-key signature, the main writing software 111 may perform the verification.
The secure area key 226 is a key with which the secure writing software 211, executed by the secure control unit 20, decrypts the repro data stored in the repro data storage unit 121 or detects tampering with it. The secure area key 226 is used, in particular, to decrypt or tamper-check the portion of the repro data that relates to the secure control code 210. It may be a symmetric-cipher key such as an AES key or an asymmetric-cipher key such as an RSA or elliptic-curve key. When both decryption and tamper detection are performed, there may be a plurality of distinct keys, one for each purpose. A configuration in which no particular distinction is made between the secure area key 226 and the main area key 225 is also possible.
The operation code selection information 229 is information by which, when there are a plurality of main control codes 110 and secure control codes 210, the main control unit 10 or the secure control unit 20 selects the code to load and execute after start-up. It may be a flag and data that are rewritten when the repro sequence described later commits the swap of old and new programs. Furthermore, it may contain a plurality of items so as to indicate separate selections for the main control code 110 and for the secure control code 210. Furthermore, it may be replaced by information such as whether or not a code is in the middle of being rewritten.
FIG. 3 is a configuration diagram of the reprogramming data according to the first embodiment.
The repro data is stored in the repro data storage unit 121. As one example, the repro data contains main control code repro data 601, a signature 602, secure control code repro data 603, and a tamper detection code 604.
The main control code repro data 601 contains the new program for the main control code 110. It may be encrypted data that is decrypted with a key belonging to the main area key 225; the cipher may be symmetric-key or asymmetric-key. Depending on the application, the main control code repro data 601 need not be encrypted.
The signature 602 is information for detecting tampering with the repro data. It may be an electronic signature whose verification targets are the main control code repro data 601, the secure control code repro data 603, and the tamper detection code 604. The main writing software 111 or the secure writing software 211 can verify the signature 602 with a key belonging to the main area key 225 and thereby confirm that the repro data has not been tampered with.
The secure control code repro data 603 contains the new program for the secure control code 210. It may be encrypted data that is decrypted with a key belonging to the secure area key 226; the cipher may be symmetric-key or asymmetric-key.
The tamper detection code 604 is information for detecting tampering with the secure control code repro data 603. It may be a MAC (Message Authentication Code) whose verification target is the secure control code repro data 603. The secure writing software 211 can verify the tamper detection code 604 with a key belonging to the secure area key 226 and thereby confirm that the secure control code repro data 603 has not been tampered with.
The repro data may lack some of the components shown in FIG. 3, and may lack either the main control code repro data 601 or the secure control code repro data 603.
Furthermore, the verification range of the signature 602 is not limited to the one illustrated. It may be only the main control code repro data 601, only the secure control code repro data 603, or only the secure control code repro data 603 and the tamper detection code 604.
Furthermore, the verification algorithm of the signature 602 need not be asymmetric-key as long as the method can detect tampering; as in the example of the tamper detection code 604, it may be a MAC using a symmetric key. Furthermore, the signature 602 may be omitted when the main control code repro data 601 is included in the verification range of the tamper detection code 604.
Furthermore, the verification algorithm of the tamper detection code 604 need not be symmetric-key as long as the method can detect tampering; as in the example of the signature 602, it may be an electronic signature using an asymmetric key.
An example of the processing of the vehicle information system is described below with reference to FIG. 4.
FIG. 4 is a flowchart showing the reprogramming process according to the first embodiment.
The repro device 800 (the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, or the OTA center 800B3) and the components of the ECU 901 securely reprogram the secure control code 210 by transferring commands and data. Hereinafter, the repro device 800 is any one, or any combination, of the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA center 800B3, each device relaying the communication path to the ECU 901 as necessary. Furthermore, communication between the ECU 901 and the outside is relayed by the communication unit 19 as necessary.
In the following, where a program in the main code storage unit 11 is described as the acting entity, that program is executed by the main control unit 10. Likewise, where a program in the secure code storage unit 21 is described as the acting entity, that program is executed by the secure control unit 20.
Furthermore, the arrows in the following figures show the conceptual flow of commands and data and do not limit the direction of communication or instruction. There may be processing instructions and data flows not shown by arrows.
The illustrated sequence starts from the state in which the repro device 800 holds the repro data.
First, the repro device 800 notifies the main writing software 111 of the start of repro (S101). Next, the main writing software 111 receives the repro data from the repro device 800 (S102). The received repro data is stored in the repro data storage unit 121 for tamper detection (S103). Here, when the signature 602 is an asymmetric-key signature, the main writing software 111 may obtain the public key belonging to the main area key 225 from the secure writing software 211 and verify the signature 602 itself.
Next, the main writing software 111 notifies the secure writing software 211 of the start of repro (S104). On receiving the notification, the secure writing software 211 verifies the tamper detection code 604 of the repro data stored in the repro data storage unit 121 with a key belonging to the secure area key 226 (S105). Here, the signature 602 may also be verified using a key belonging to the main area key. Furthermore, when tamper-detection verification fails, the secure writing software 211 may, after a predetermined number of retries, notify the main writing software 111 of the abnormality and abort the subsequent repro processing.
Next, the secure writing software 211 obtains the repro data from the repro data storage unit 121 (S106) and decrypts it using the decryption key belonging to the secure area key 226 (S107). It then updates the secure control code 210 by writing the decrypted repro data to the predetermined location in the secure code storage unit 21 (S108). Steps S106 to S108 may be executed repeatedly, according to the capacity of the work memory area that the secure area 2 can reserve for this processing. Note that, as explained for FIG. 2, the secure control code 210 rewritten in S108 is the one the secure control unit 20 is not using for operation.
Next, the secure writing software 211 verifies whether the write in S108 was executed correctly and, if the verification result is correct, rewrites the operation code selection information 229 to information indicating that the newly written program is to be selected (S109). The verification may compare a tamper detection code computed over the target area with the tamper detection code 604, or, when the tamper detection code 604 is an electronic signature, verify that signature. The verification may instead be decided on the basis of computing another error detection code or error correction code. Furthermore, when the write in S108 fails, the secure writing software 211 may, after a predetermined number of retries, notify the main writing software 111 of the abnormality and not continue the subsequent repro processing. Furthermore, the verification or the switching of the operation code may be decided or executed on the trigger of an instruction received from the main writing software 111 after a predetermined notification has been sent to it.
Next, the secure writing software 211 notifies the main writing software 111 that the repro of the secure code storage unit 21 has completed normally (S110).
On receiving the completion notification, the main writing software 111 deletes the repro data stored in the repro data storage unit 121 (S111). The deletion of the repro data may be decided or executed on the trigger of an instruction received from the repro device 800 after S112, described next.
Next, the main writing software 111 notifies the repro device 800 that the repro has completed normally (S112). If the main writing software 111 detects any abnormality during the series of processes, it may notify the repro device 800 of the abnormality and abort the subsequent repro processing.
According to this configuration, the secure writing software 211 performs the data authentication and decryption and controls the rewriting of the secure control code 210, so that the flexibility of reprogramming is increased while security strength is maintained.
 図5は、第1実施形態に係るセキュアブート処理を示すフローチャートである。セキュアブート処理は、図4のシーケンスで示したリプロ処理の結果として、ECU901が新しいプログラムで起動するときに実行される。 FIG. 5 is a flowchart showing the secure boot process according to the first embodiment. The secure boot process is executed when the ECU 901 starts up with a new program as a result of the repro process shown in the sequence of FIG.
 ECU901が起動すると(S401)、セキュア制御部20は、セキュアブート処理を開始する(S402)。セキュア制御部20は、ブートコード(図示なし)によって、自己が動作に使用するセキュア制御コード210の自己検証を実行する(S403)。検証方法は、対称鍵方式によるMACの検証、または非対称鍵方式による署名の検証でよい。S403の自己検証のときに異常を検知した場合、セキュア制御部20は、所定のエラー処理を実行してよい。エラー処理では、ログを保存して、セキュアブート処理を中止する。続いて、セキュア制御部20は、正しいことが検証された動作コードを選択し、処理主体を選択したセキュア制御コード210に移す(S404)。 When the ECU 901 is activated (S401), the secure control unit 20 starts secure boot processing (S402). The secure control unit 20 executes self-verification of the secure control code 210 used by itself by a boot code (not shown) (S403). The verification method may be MAC verification by a symmetric key method or signature verification by an asymmetric key method. If an abnormality is detected during the self-verification in S403, the secure control unit 20 may execute a predetermined error process. In the error processing, the log is saved and the secure boot processing is stopped. Then, the secure control unit 20 selects an operation code verified to be correct, and transfers the processing subject to the selected secure control code 210 (S404).
 続いて、セキュア制御コード210は、メイン制御部10の動作コードであるメイン制御コード110を検証し(S405)、検証結果が正常か否かを判定する(S406)。S406の判定結果が真の場合(S406:YES)、動作許可をメイン制御部10のブートコード(図示なし)に与える(S408)。S406の判定結果が偽の場合(S406:NO)、所定のエラー処理を実行する(S407)。S407のエラー処理では、ログを保存し、セキュアブート処理を中止してよい。 Subsequently, the secure control code 210 verifies the main control code 110, which is the operation code of the main control unit 10 (S405), and determines whether the verification result is normal (S406). When the determination result of S406 is true (S406: YES), operation permission is given to the boot code (not shown) of the main control unit 10 (S408). If the determination result of S406 is false (S406: NO), a predetermined error process is executed (S407). In the error processing of S407, the log may be saved and the secure boot processing may be stopped.
 動作許可を得たメイン制御部10は、ブートコード(図示なし)によってブート処理を開始する(S409)。ここで、動作コードの選択が必要な場合、セキュア制御部20に動作コード選択情報229を問い合わせ(S410)、セキュア制御コード210は、動作コード選択情報229をメイン制御部10に提示する(S411)。続いて、メイン制御部10は、S410で取得した動作コード選択情報229に応じて、処理主体を所定のメイン制御コード110に移す(S412)。 The main control unit 10 that has obtained the operation permission starts the boot process using a boot code (not shown) (S409). If it is necessary to select the operation code, the secure control unit 20 is inquired about the operation code selection information 229 (S410), and the secure control code 210 presents the operation code selection information 229 to the main control unit 10 (S411). .. Subsequently, the main control unit 10 shifts the processing subject to a predetermined main control code 110 according to the operation code selection information 229 acquired in S410 (S412).
 この構成によれば、セキュアに管理及び更新される動作コード選択情報229を使用して、メイン制御部10は、正しい制御コードで動作することが可能となる。 With this configuration, the main control unit 10 can operate with a correct control code by using the operation code selection information 229 that is securely managed and updated.
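The repro data format of FIG. 3, the repro sequence of FIG. 4 (S103 to S112) and the secure boot of FIG. 5, as an added Python model that is not the patent's code: it verifies the tamper detection code 604 and the signature 602 before decrypting anything, writes only the inactive A/B slot, flips the operation code selection information 229 only after a read-back verify, and refuses to boot a slot whose MAC no longer matches. HMAC-SHA256 stands in for the MAC and signature, a SHA-256 keystream stands in for AES, and the key values, the length-prefixed framing and the per-slot reference MACs are assumptions of this example.

```python
import hashlib
import hmac
import struct

# Constructed stand-in key sets for "main area key 225" and "secure area key 226", each with
# distinct decryption and tamper-detection keys as the page permits (real ones live in storage 22).
MAIN_AREA_KEY = {"enc": b"main-225-enc", "mac": b"main-225-mac"}        # constructed
SECURE_AREA_KEY = {"enc": b"secure-226-enc", "mac": b"secure-226-mac"}  # constructed


def mac(key, data):
    """HMAC-SHA256 as the MAC for 602 and 604 (the page allows a symmetric MAC for both)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Constructed stand-in for AES: XOR with a SHA-256 counter keystream (one call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_repro_data(main_code, secure_code):
    """FIG. 3 layout 601 | 602 | 603 | 604; the length prefixes are an assumed framing."""
    data601 = keystream_xor(MAIN_AREA_KEY["enc"], main_code)      # 601: encrypted main code
    data603 = keystream_xor(SECURE_AREA_KEY["enc"], secure_code)  # 603: encrypted secure code
    code604 = mac(SECURE_AREA_KEY["mac"], data603)                # 604: MAC over 603 only
    sig602 = mac(MAIN_AREA_KEY["mac"], data601 + data603 + code604)  # 602: covers 601, 603, 604
    return (struct.pack(">I", len(data601)) + data601 + sig602
            + struct.pack(">I", len(data603)) + data603 + code604)


def parse_repro_data(blob):
    """Split a build_repro_data blob back into (601, 602, 603, 604)."""
    n = struct.unpack(">I", blob[:4])[0]
    data601, sig602, pos = blob[4:4 + n], blob[4 + n:36 + n], 36 + n
    m = struct.unpack(">I", blob[pos:pos + 4])[0]
    data603 = blob[pos + 4:pos + 4 + m]
    return data601, sig602, data603, blob[pos + 4 + m:pos + 36 + m]


class Ecu:
    """Minimal model of ECU 901: A/B slots for codes 110 and 210, selection info 229, store 121."""

    def __init__(self, main_code, secure_code):
        self.main_slots = {"A": main_code, "B": b""}      # main control code 110A / 110B
        self.secure_slots = {"A": secure_code, "B": b""}  # secure control code 210A / 210B
        self.selection = {"main": "A", "secure": "A"}     # operation code selection info 229
        # Assumed: reference MACs over the installed images, kept in secure data storage 22,
        # give secure boot (S403, S405) a value to compare against.
        self.ref_mac = {"main": {"A": mac(MAIN_AREA_KEY["mac"], main_code)},
                        "secure": {"A": mac(SECURE_AREA_KEY["mac"], secure_code)}}
        self.repro_store = None  # repro data storage 121 (shared memory in the main area)
        self.log = []

    def inactive(self, kind):
        """The slot not in use for operation; it is the only one ever rewritten."""
        return "B" if self.selection[kind] == "A" else "A"


def secure_write(ecu, blob):
    """Secure writing software 211, steps S105 to S110. Returns True on success."""
    data601, sig602, data603, code604 = parse_repro_data(blob)
    # S105: check 604 (secure-area key) and 602 (main-area key) before decrypting anything.
    if not hmac.compare_digest(code604, mac(SECURE_AREA_KEY["mac"], data603)):
        ecu.log.append("S105: tamper detection code 604 mismatch")
        return False
    if not hmac.compare_digest(sig602, mac(MAIN_AREA_KEY["mac"], data601 + data603 + code604)):
        ecu.log.append("S105: signature 602 mismatch")
        return False
    new_secure = keystream_xor(SECURE_AREA_KEY["enc"], data603)  # S106, S107
    new_main = keystream_xor(MAIN_AREA_KEY["enc"], data601)
    s_slot, m_slot = ecu.inactive("secure"), ecu.inactive("main")
    ecu.secure_slots[s_slot] = new_secure  # S108: the running slot is never touched
    ecu.main_slots[m_slot] = new_main
    # S109: read-back verify, then record reference MACs and flip selection info 229.
    if ecu.secure_slots[s_slot] != new_secure or ecu.main_slots[m_slot] != new_main:
        ecu.log.append("S109: write verification failed")
        return False
    ecu.ref_mac["secure"][s_slot] = mac(SECURE_AREA_KEY["mac"], new_secure)
    ecu.ref_mac["main"][m_slot] = mac(MAIN_AREA_KEY["mac"], new_main)
    ecu.selection = {"main": m_slot, "secure": s_slot}
    return True  # S110: completion reported to the main writing software


def main_write(ecu, blob):
    """Main writing software 111, steps S102 to S112; S104 and S110 are the call and its return."""
    ecu.repro_store = blob  # S103: held in shared memory until the secure area has verified it
    ok = secure_write(ecu, ecu.repro_store)
    if ok:
        ecu.repro_store = None  # S111: repro data deleted after the completion notification
    return ok  # S112: result reported to the repro device 800


def secure_boot(ecu):
    """FIG. 5: S403 self-check, S405/S406 main code check; returns selection info 229 or None (S407)."""
    s, m = ecu.selection["secure"], ecu.selection["main"]
    if not hmac.compare_digest(ecu.ref_mac["secure"][s], mac(SECURE_AREA_KEY["mac"], ecu.secure_slots[s])):
        ecu.log.append("S403: secure control code self-verification failed")
        return None
    if not hmac.compare_digest(ecu.ref_mac["main"][m], mac(MAIN_AREA_KEY["mac"], ecu.main_slots[m])):
        ecu.log.append("S407: main control code verification failed")
        return None
    return {"main": m, "secure": s}  # S408 permission granted; S411 selection info for S412
```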
 If any error occurs while the steps described in this embodiment are being carried out, the error may be notified to the control unit of each component of the vehicle information system.
 Each program included in the main writing software 111, the secure writing software 211, the main control code 110, and the secure control code 210 may, as necessary, display information indicating the processing in progress on a display device. It is particularly desirable for each of these programs to display information indicating the completion of a series of processes or the occurrence of a branch. The decision in a branch may also be made by the user via an input device.
 In this embodiment, the exchange of information between steps is sometimes omitted from the description. In practice, however, such exchanges may form command/response pairs. Even where an exchange of information between steps is shown as a single pair of bidirectional arrows, the exchange may include multiple commands and responses. Likewise, even where the description says that data is sent and received between entities, in the actual communication one entity may act as the client and the other as the server; the actual communication is then carried out through commands and responses, and the data described above may be transmitted as a result.
 <Second Embodiment>
 The reprogramming process according to the second embodiment will now be described. The reprogramming process of the second embodiment differs from that of the first embodiment only in how the repro data is transmitted and received; all other aspects are the same as in the first embodiment. The description therefore focuses on the differences from the first embodiment.
 FIG. 6 is a flowchart showing the reprogramming process according to the second embodiment.
 In FIG. 6, instead of S106 of FIG. 4, the repro data is sent from the main writing software 111 to the secure writing software 211. This embodiment is an effective method when sufficient work memory for receiving data can be reserved in the secure area 2, and it is feasible even when the secure writing software 211 cannot directly access the main data storage unit 12.
 Specifically, after notifying the secure writing software 211 of the start of reprogramming in S104, the main writing software 111 acquires the repro data from the repro data storage unit 121 and transmits it to the secure writing software 211 (S201). The secure writing software 211 holds the received repro data in suitable work memory (not shown), such as the secure data storage unit 22 (S202). S201 and S202 may be repeated in chunks of a predetermined size, according to the communication bandwidth between the components.
 The secure writing software 211 performs tamper detection in S105 on the repro data received in S202, and from S107 onward executes the same processing as in the flow shown in FIG. 4.
 With this configuration, when sufficient work memory can be reserved in the secure area 2, the secure writing software 211 can perform data authentication and decryption even if it cannot directly access the main data storage unit 12. That is, by controlling the rewriting of the secure control code 210 in this way, the flexibility of reprogramming can be increased while the strength of security is maintained.
 <Third Embodiment>
 The reprogramming process according to the third embodiment will now be described. The reprogramming process of the third embodiment differs from that of the first embodiment only in the target of reprogramming; all other aspects are the same as in the first embodiment. The description therefore focuses on the differences from the first embodiment.
 FIG. 7 is a flowchart showing the reprogramming process according to the third embodiment.
 FIG. 7 shows a method in which the main code storage unit 11 of the main area 1 is rewritten by the secure writing software 211, before or after S104 to S111 of FIG. 4 (the figure illustrates the "before" case). In the process of FIG. 6, the main writing software 111 delegates the reprogramming to the secure writing software 211, so all security decisions concerning the reprogramming are made in the secure area 2, which enables more secure reprogramming.
 After S103, the main writing software 111 issues a reprogramming start request to the secure writing software 211 (S301). The reprogramming start request of S301 and the reprogramming start notification of S104 may be a single command carrying both meanings.
 On receiving the reprogramming start request, the secure writing software 211 verifies the signature 602 of the repro data stored in the repro data storage unit 121 using a key belonging to the main area key 226 (S302). If the tamper detection verification fails, the secure writing software 211 may, after a predetermined number of retries, notify the main writing software 111 of the anomaly and abort the subsequent reprogramming.
 Next, the secure writing software 211 acquires the repro data from the repro data storage unit 121 (S303), decrypts it using the decryption key belonging to the main area key 225 (S304), and updates the main control code 110 by writing the result to the predetermined location in the main code storage unit 11 (S305). The processing of S303 to S305 may be repeated in chunks of a predetermined size, according to the amount of work memory the secure area 2 can reserve for this processing. As described with reference to FIG. 2, the main control code 110 rewritten in S305 is the one not currently in use by the main control unit 10.
 Next, the secure writing software 211 verifies whether the write in S305 was executed correctly and, if the verification result is correct, rewrites the operation code selection information 229 to indicate that the newly written program is to be selected (S306). The verification may compare a hash value extracted from the signature 602 with a hash value computed over the target area or, if the signature 602 is a MAC, may be the verification of that MAC. The decision may also be based on the computation of another error-detecting or error-correcting code. If the write failed, the secure writing software 211 may, after a predetermined number of retries, notify the main writing software 111 of the anomaly and abort the subsequent reprogramming. The verification or the switching of the operation code may also be decided or executed with an instruction from the main writing software 111 as the trigger, after a predetermined notification has been sent to the main writing software 111.
 Next, the secure writing software 211 notifies the main writing software 111 that the reprogramming of the main code storage unit 11 has completed normally (S307).
 The operation code switching of S306 and that of S109 may be executed as a single step after the rewriting of both the main code storage unit 11 and the secure code storage unit 21 has completed. In that case, the completion notifications of S307 and S110 may be a single notification carrying both meanings.
 In FIG. 7, S301 to S307 are executed before S104 to S110. However, S301 to S307 may instead be executed after S104 to S110. Further, S104 to S110 may be omitted, so that only the main code storage unit 11 is reprogrammed.
 In S107 and S303 of the process shown in FIG. 7, the main writing software 111 may transmit the repro data to the secure writing software 211, as in the example shown in FIG. 6.
 With this configuration, the secure writing software 211 performs the data authentication and decryption and can be controlled to rewrite the main control code 110, the secure control code 210, or both. As a result, the flexibility of reprogramming can be increased while the strength of security is maintained.
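The reprogramming steps S301 to S307 of the third embodiment, as carried out by the secure writing software 211, written out as an added example (not code from the patent or the applicant). It assumes that signature 602 is a MAC, as S306 allows, computed with HMAC-SHA256 over a header and the encrypted repro data; that the header carries the SHA-256 of the plaintext image, so the written area can be checked in S306 against a value protected by the MAC; and that the cipher of S304 is a stand-in HMAC-SHA256 counter keystream rather than whatever cipher a real ECU uses. The key constants, the chunk size and the flash model are constructed for the simulation.

```python
"""Simulation of S301-S307 of the third embodiment as executed by the secure
writing software 211.  Added example, not the patent's code.  Assumptions:
signature 602 is a MAC (the MAC option named in S306), computed with
HMAC-SHA256 over a header and the encrypted repro data; the header carries
SHA-256 of the plaintext image so the written area can be checked in S306; and
the cipher is a stand-in HMAC-SHA256 counter keystream, not the ECU's cipher."""
import hashlib
import hmac
import struct

MAC_KEY = b"\x44" * 32   # constructed: verification key (S302, "key belonging to 226")
ENC_KEY = b"\x33" * 32   # constructed: decryption key (S304, "key belonging to 225")
CHUNK = 16               # constructed work-memory size available in secure area 2

# Constructed new image for the inactive main slot (110B).
SAMPLE_NEW_MAIN_CODE = b"main control code 110B v2: new image for the main control unit"


def keystream_xor(key: bytes, data: bytes, offset: int = 0) -> bytes:
    """Stand-in stream cipher: XOR with HMAC(key, block_index) blocks.  Because
    the keystream depends on absolute position, chunks decrypt independently."""
    out = bytearray()
    block = b""
    for i, b in enumerate(data):
        pos = offset + i
        if i == 0 or pos % 32 == 0:
            block = hmac.new(key, struct.pack(">I", pos // 32), hashlib.sha256).digest()
        out.append(b ^ block[pos % 32])
    return bytes(out)


def build_repro_data(plaintext: bytes) -> bytes:
    """Constructed producer side: header || ciphertext || signature 602."""
    header = hashlib.sha256(plaintext).digest()
    body = keystream_xor(ENC_KEY, plaintext)
    sig = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
    return header + body + sig


class MainCodeStorage11:
    """Constructed main code storage unit 11 with slots 110A/110B and
    operation code selection info 229; write_fail_count injects write faults."""
    def __init__(self, write_fail_count: int = 0):
        self.slots = {"A": b"main control code 110A v1", "B": b""}
        self.selection_229 = "A"
        self.write_fail_count = write_fail_count

    def write(self, slot: str, offset: int, data: bytes) -> None:
        if self.write_fail_count > 0:
            self.write_fail_count -= 1
            raise IOError("flash write fault")
        buf = bytearray(self.slots[slot])
        buf[offset:offset + len(data)] = data
        self.slots[slot] = bytes(buf)


def secure_repro_main(storage: MainCodeStorage11, repro_data: bytes, max_retries: int = 2) -> str:
    """S302-S307; returns the notification sent to main writing software 111."""
    header, body, sig = repro_data[:32], repro_data[32:-32], repro_data[-32:]
    # S302: tamper detection over the whole blob before any byte is decrypted.
    expected = hmac.new(MAC_KEY, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "ABORT: S302 tamper detection failed"
    target = "B" if storage.selection_229 == "A" else "A"   # slot not in use (FIG. 2)
    for _attempt in range(max_retries + 1):
        try:
            storage.slots[target] = b""                        # erase before programming
            for off in range(0, len(body), CHUNK):             # S303: fetch a chunk
                plain = keystream_xor(ENC_KEY, body[off:off + CHUNK], off)  # S304
                storage.write(target, off, plain)              # S305
            break
        except IOError:
            continue                                           # predetermined retry
    else:
        return "ABORT: S305 write failed after retries"
    # S306: hash of the written area must match the hash carried under the MAC.
    written = hashlib.sha256(storage.slots[target]).digest()
    if not hmac.compare_digest(written, header):
        return "ABORT: S306 written-area verification failed"
    storage.selection_229 = target    # switch 229 only after the image checked out
    return f"S307: repro of main code storage unit 11 completed, slot {target} selected"
```

The ordering matters: the MAC is checked over the ciphertext before decryption starts, so a corrupted blob never reaches the decryption key or the flash; the inactive slot is the only one written; and the selection information 229 is switched only after the written area has been re-read and matched against the MAC-protected hash, so a write fault or an abort leaves the ECU on the previously active, already verified image.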
 The present invention is not limited to the embodiments described above and includes various modifications. The above embodiments have been described in detail to explain the invention clearly, and the invention is not necessarily limited to a device having all of the configurations described. Part of the configuration of one embodiment can be replaced by the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Furthermore, for part of the configuration of each embodiment, other configurations can be added, deleted, or substituted.
 For example, the secure writing software 211 may have a smaller code size than the secure control code 210A. With this configuration, the secure control code 210A can be written even when capacity is limited.
 Some or all of the configurations, functions, processing units, and processing means described above may be implemented in hardware, for example by designing them as integrated circuits. They may also be implemented in software, with a processor interpreting and executing a program that realizes each function. Information such as the programs, tables, and files that realize each function may be stored in a storage device such as a memory, a hard disk, or an SSD, or on a storage medium such as an IC card, an SD card, or a DVD.
 The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of the product are necessarily shown. In practice, almost all of the configurations may be interconnected.
 1 ... main area, 2 ... secure area, 10 ... main control unit, 11 ... main code storage unit, 12 ... main data storage unit, 20 ... secure control unit, 21 ... secure code storage unit, 22 ... secure data storage unit, 110A ... main control code, 110B ... main control code, 121 ... repro data storage unit, 210A ... secure control code, 210B ... secure control code, 211 ... secure writing software, 225 ... main area key, 226 ... secure area key, 229 ... operation code selection information, 901 ... ECU

Claims (9)

  1.  An electronic control device mounted on a mobile body, comprising:
     a plurality of CPUs; and
     a plurality of memories,
     wherein a main area is constituted by one CPU of the plurality of CPUs and one memory of the plurality of memories,
     a secure area is constituted by another CPU of the plurality of CPUs and another memory of the plurality of memories,
     the other memory stores secure control information for operating the other CPU and secure writing software for updating the secure control information,
     the secure control information comprises first secure control information stored in one region of the other memory and second secure control information stored in another region of the other memory, and
     the other CPU runs the secure writing software under the first secure control information and updates the second secure control information with update information received from outside via the main area.
  2.  The electronic control device according to claim 1, wherein the other memory stores a first decryption key function for decrypting encrypted update information, which is the update information encrypted using a first key, and
     the other CPU runs the secure writing software under the first secure control information, decrypts the encrypted update information received from outside via the main area using the first decryption key, and updates the second secure control information with the update information obtained by decrypting the encrypted update information.
  3.  The electronic control device according to claim 2, wherein the other memory stores a verification key for verifying tamper-protected update information, which is the update information tamper-protected using a second key, and
     the other CPU verifies the tamper-protected update information received from outside via the main area using the verification key.
  4.  The electronic control device according to claim 1, wherein the other memory stores a main control unit that controls the main area and main control unit information for operating the main control unit, and
     the other CPU runs the secure writing software under the first secure control information and updates the main control information with update information received from outside.
  5.  The electronic control device according to claim 1, wherein the other memory stores operation information selection information for selecting, from the first secure control information and the second secure control information, the secure control information to be used for operation, and
     the other CPU updates the operation information selection information when it updates the second secure control information.
  6.  The electronic control device according to claim 5, wherein the secure writing software has a smaller code size than the first secure control information.
  7.  The electronic control device according to claim 1, wherein the one memory has a shared memory that stores the update information received from outside, and
     the other CPU receives the update information from the shared memory.
  8.  The electronic control device according to claim 1, wherein the other memory stores a third decryption key for decrypting encrypted update information, which is the update information encrypted using a third key, and
     the other CPU receives the encrypted update information from outside, decrypts the received encrypted update information using the third decryption key, and transfers the update information obtained by decrypting the encrypted update information to the other memory.
  9.  A reprogramming method for an electronic control device mounted on a mobile body, the electronic control device comprising:
     a plurality of CPUs; and
     a plurality of memories,
     wherein a main area is constituted by one CPU of the plurality of CPUs and one memory of the plurality of memories, and
     a secure area is constituted by another CPU of the plurality of CPUs and another memory of the plurality of memories,
     the method comprising:
     the one CPU receiving from outside encrypted update information, which is update information encrypted using a first key, decrypting the received encrypted update information using a first decryption key, and transferring the update information obtained by decrypting the encrypted update information to the secure area; and
     the other CPU running secure writing software under first secure control information stored in one region of the other memory, and updating second secure control information stored in another region of the other memory with the update information received from the main area.
PCT/JP2019/040168 2018-10-31 2019-10-11 Electronic control device, and reprogramming method for electronic control device WO2020090418A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2020553737A JPWO2020090418A1 (en) 2018-10-31 2019-10-11 Electronic control device, reprogramming method of electronic control device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-204695 2018-10-31
JP2018204695 2018-10-31

Publications (1)

Publication Number Publication Date
WO2020090418A1 true WO2020090418A1 (en) 2020-05-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19880320

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020553737

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19880320

Country of ref document: EP

Kind code of ref document: A1