WO2020090418A1 - Electronic control device and reprogramming method for electronic control device - Google Patents


Info

Publication number
WO2020090418A1
Authority
WO
WIPO (PCT)
Prior art keywords
secure
information
main
code
repro
Application number
PCT/JP2019/040168
Other languages
English (en)
Japanese (ja)
Inventor
裕紀 山▲崎▼
尚幸 山本
矢野 正
伸義 森田
Original Assignee
日立オートモティブシステムズ株式会社
Application filed by 日立オートモティブシステムズ株式会社
Priority to JP2020553737A (JPWO2020090418A1/ja)
Publication of WO2020090418A1 (WO2020090418A1/fr)

Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R16/00 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for
    • B60R16/02 Electric or fluid circuits specially adapted for vehicles and not otherwise provided for; Arrangement of elements of electric or fluid circuits specially adapted for vehicles and not otherwise provided for electric constitutive elements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00 Arrangements for software engineering
    • G06F8/60 Software deployment
    • G06F8/65 Updates

Definitions

  • the present invention relates to an electronic control device and a reprogramming method for the electronic control device.
  • a security module is mounted on the in-vehicle device (electronic control device).
  • Patent Document 1 discloses a method of applying update data to a vehicle-mounted device.
  • the control code of the in-vehicle device needs to be updated appropriately to ensure security.
  • it is desirable that the secure control code in a secure area such as an HSM (Hardware Security Module) installed in the in-vehicle device can be updated when a vulnerability in the encryption algorithm is detected, when the encryption method is changed, or when a function is updated.
  • Patent Document 1 does not disclose a method for updating the secure control code.
  • the present invention is intended to solve the above problems, and an object thereof is to provide a technique capable of increasing the flexibility of reprogramming the secure area.
  • an electronic control device mounted on a moving body includes a plurality of CPUs and a plurality of memories; one of the CPUs and one of the memories form a main area, and another of the CPUs and another of the memories form a secure area.
  • the other memory stores secure control information for operating the other CPU and secure writing software for updating the secure control information; the secure control information consists of first secure control information stored in one area of the other memory and second secure control information stored in another area of the other memory, and the other CPU is controlled by the first secure control information.
  • FIG. 3 is a block diagram of the reprogramming data according to the first embodiment. FIG. 4 is a flowchart showing the reprogramming process according to the first embodiment. FIG. 5 is a flowchart showing the secure boot process according to the first embodiment. A further flowchart shows the reprogramming process according to the second embodiment, and another the reprogramming process according to the third embodiment.
  • FIG. 1 is a block diagram showing a configuration example of the vehicle information system according to the first embodiment.
  • the vehicle information system includes a vehicle 900 as an example of a “moving body” and a repro device 800 that can communicate with each other.
  • the repro device 800 includes a diagnostic machine 800A, an in-vehicle repro master 800B1, a communication device 800B2, and an OTA server 800B3.
  • the vehicle 900 includes an ECU 901 that is a repro target, an in-vehicle repro master 800B1, and a communication device 800B2.
  • the vehicle-mounted repro master 800B1 may include a communication device 800B2.
  • when it is not necessary to distinguish the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, these are simply referred to as the repro device 800.
  • the vehicle 900 is an automobile including an ECU 901 of an in-vehicle device that is a repro target.
  • the vehicle 900 may include at least one of the vehicle-mounted repro master 800B1 and the communication device 800B2.
  • the vehicle 900 includes a plurality of ECUs, which are in-vehicle devices, and each ECU is connected by an in-vehicle network.
  • the repro device 800 is a device that reprograms (repros) the ECU 901.
  • the repro device 800 will be described by taking the diagnostic machine 800A, the vehicle-mounted repro master 800B1, the communication device 800B2, and the OTA server 800B3 as examples.
  • the diagnostic machine 800A is a device for writing the repro data of the ECU 901 into the ECU 901.
  • the diagnostic device 800A is connected to the in-vehicle network through the OBD-II port.
  • the diagnostic device 800A receives commands and data relating to diagnostics and repro of the ECU 901 via CAN (Controller Area Network), CAN FD, Ethernet (registered trademark, the same applies hereinafter), or FlexRay (registered trademark, the same applies hereinafter).
  • a gateway (not shown) may be interposed between the diagnostic device 800A and the ECU 901. Further, the diagnostic machine 800A may communicate with the OTA server 800B3. Further, the diagnostic machine 800A may receive commands and data via the vehicle-mounted repro master 800B1.
  • the in-vehicle repro master 800B1 is an in-vehicle device for writing repro data in the ECU 901.
  • the in-vehicle repro master 800B1 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, and FlexRay, and transmits / receives commands and data relating to diagnosis and repro of the ECU 901.
  • a gateway (not shown) may be interposed between the in-vehicle repro master 800B1 and the ECU 901, and the in-vehicle repro master 800B1 may be the same device as the gateway.
  • the in-vehicle repro master 800B1 may be a repro target, that is, the same device as the ECU 901.
  • the in-vehicle repro master 800B1 may communicate with the OTA server 800B3 via the communication device 800B2 to receive the repro data and the command.
  • the in-vehicle repro master 800B1 may be the same device as the communication device 800B2.
  • the communication device 800B2 is a device for the vehicle 900 to communicate with the outside of the vehicle.
  • the communication device 800B2 communicates with the outside of the vehicle by wireless communication, wired LAN, the Internet, or wired communication using a dedicated line.
  • the wireless communication may be LTE (Long Term Evolution), 3G (3rd Generation), WiMAX (Worldwide Interoperability for Microwave Access), wireless LAN (Local Area Network), WAN (Wide Area Network), C2X, or V2X.
  • the communication device 800B2 acquires, from the OTA server 800B3, repro data and commands for the in-vehicle repro master 800B1 to write in the ECU 901.
  • the communication device 800B2 is connected to an in-vehicle network such as CAN, CAN FD, Ethernet, and FlexRay, and transmits / receives commands and data to / from the in-vehicle repro master 800B1.
  • the communication device 800B2 may be the same device as the vehicle-mounted repro master 800B1.
  • a gateway (not shown) may be interposed between the communication device 800B2 and the vehicle-mounted repro master 800B1, and the communication device 800B2 may be the same device as the gateway.
  • the communication device 800B2 may be a repro target, that is, the same device as the ECU 901.
  • the OTA server 800B3 is a server that communicates with the vehicle 900 via a network.
  • the OTA server 800B3 may communicate with the diagnostic machine 800A.
  • the OTA server 800B3 delivers the repro data of the ECU 901.
  • the repro data is encrypted and tampering detection processing code is added by the OTA server 800B3 or other components (not shown).
  • the repro data distributed from the OTA server 800B3 is decrypted by the ECU 901.
  • the OTA server 800B3 may be a service server having a distribution function other than the update program.
  • the OTA server 800B3 may be a server that distributes map information or a server that generally executes key management and incident management.
  • the OTA server 800B3 may have a function of receiving an instruction to register repro data from the outside.
  • the instruction from the outside may be via the network or may be operated on the screen.
  • the repro device 800 includes the functions of the diagnostic device 800A, the in-vehicle repro master 800B1, the communication device 800B2, and the OTA server 800B3, or a combination thereof, and delivers the repro data of the ECU 901.
  • the illustrated configuration is an example, and the repro data may be distributed by a route not shown in the figure.
  • FIG. 2 is a block diagram showing a configuration example of the ECU according to the first embodiment.
  • the ECU 901 includes a communication unit 19, a main control unit 10 as an example of “one CPU”, a main code storage unit 11 as an example of “one memory”, and a main data storage unit 12 as an example of “one memory”, which are connected to each other by a bus line. The bus line can also be accessed from the secure control unit 20 described later. The area to which these constituent elements belong, together with its connection to the secure area described later, is referred to as the main area 1 for convenience.
  • the communication unit 19 is a component for the ECU 901 to communicate with other components of the vehicle 900.
  • the communication unit 19 is a module for communicating by CAN, CAN FD, Ethernet, or FlexRay.
  • the ECU 901 may include a plurality of communication units 19 depending on the application and the communication method. Furthermore, the communication unit 19 may be shared with a module that performs other communication. Note that the communication unit 19 may include an antenna and a modulation / demodulation circuit when performing wireless communication.
  • the communication unit 19 may include a connector and a modulation / demodulation circuit when performing wired communication.
  • the ECU 901 includes a secure control unit 20 as an example of “another CPU”, a secure code storage unit 21 as an example of “another memory”, and a secure data storage unit 22 as an example of “another memory”, which are connected to each other by a bus line.
  • the area and connection to which the secure control unit 20, the secure code storage unit 21, and the secure data storage unit 22 belong are referred to as the secure area 2 for convenience.
  • the main area 1 is a part of the ECU 901 excluding the secure area 2.
  • the bus line in the main area 1 and the bus line in the secure area 2 are not directly connected to each other for security reasons. Commands and data are transferred between the areas 1 and 2 via the secure control unit 20.
  • the main control unit 10 has a processor (CPU, MPU, or DSP) and executes the program stored in the main code storage unit 11.
  • the main code storage unit 11 stores a program executed by the main control unit 10.
  • the main code storage unit 11 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM (registered trademark, the same applies hereinafter), or a magnetic disk.
  • the main code storage unit 11 may be composed of a plurality of storage devices, and each program may be distributed and stored in the plurality of storage devices.
  • the main data storage unit 12 stores data used when the main control unit 10 executes a program.
  • the main data storage unit 12 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the main data storage unit 12 may be composed of a plurality of storage devices, and the data may be distributed and stored across the plurality of storage devices.
  • the main code storage unit 11 and the main data storage unit 12 may be memories having a ROM that is a non-volatile storage element and a RAM that is a volatile storage element.
  • the ROM stores an immutable program.
  • the RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by the main control unit 10 and data used when the program is executed.
  • the main code storage unit 11 and the main data storage unit 12 may have some or all of them as constituent elements of each other. Even if there is no clear distinction as a device, the main code storage unit 11 indicates a portion storing a code, and the main data storage unit 12 indicates a portion storing data.
  • the main code storage unit 11 includes a main control code 110 as an example of “main control information” and main writing software (hereinafter, main writing software) 111.
  • the main control code 110 is a program executed by the main control unit 10 and is a program for realizing the function of the ECU 901 as an in-vehicle device.
  • the main control code 110A and the main control code 110B have a relationship between the old and new programs before and after the update.
  • the main writing software 111 is a program executed by the main control unit 10 for rewriting (reprogramming) the main control code 110.
  • the main writing software 111 writes the new program (repro data) received by the ECU 901 in the main code storage unit 11 as a new main control code 110.
  • the main writing software 111 cooperates with the communication unit 19 and the secure control unit 20 according to the sequence described below to securely reprogram the secure control code 210, an example of “secure control information”, in the secure code storage unit 21 described later, and provides the trigger that controls that sequence.
  • the main writing software 111, or the secure writing software 211 described later, rewrites whichever of the main control code 110A and the main control code 110B is not being used by the main control unit 10 for operation.
  • when the main control unit 10 is operating with the main control code 110A, the main writing software 111 rewrites the main control code 110B.
  • when the main control unit 10 is operating with the main control code 110B, the main writing software 111 rewrites the main control code 110A.
  • when the main control unit 10 is using neither the main control code 110A nor the main control code 110B for operation, either of them may be rewritten, or both may be rewritten. These repro processes also apply when there is only one main control code 110; in that case, the main control unit 10 rewrites the main control code 110 while operating from the main writing software 111 rather than from the main control code 110.
  • the main data storage unit 12 includes main control data 120 as an example of “main control information” and a repro data storage unit 121 as an example of “shared memory”.
  • the main control data 120 is data used by the main control code 110 executed by the main control unit 10 for processing, and is data for realizing the function of the ECU 901 as an in-vehicle device. There may be a plurality of main control data 120 depending on the application.
  • the repro data storage unit 121 is an area for storing the repro data received by the main writing software 111 from the communication unit 19.
  • the stored repro data includes the secure control code 210, the main control code 110, or both new control programs. The contents of the repro data will be described later with reference to FIG.
  • the repro data may be encrypted, tampering detection code added, and signature added, and decrypted and verified in the sequence described below.
  • the secure control unit 20 is configured by a processor (CPU, MPU, or DSP) called HSM, SHE, TPM, other secure microcomputer, or secure core.
  • the secure control unit 20 executes the program stored in the secure code storage unit 21.
  • the secure control unit 20 may have tamper resistance.
  • the HSM, SHE, or TPM shown as an example of the secure control unit 20 may include a secure code storage unit 21 and a secure data storage unit 22 described later.
  • the secure code storage unit 21 stores the program executed by the secure control unit 20.
  • the secure code storage unit 21 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the secure code storage unit 21 may have tamper resistance.
  • the secure code storage unit 21 may be composed of a plurality of storage devices, and each program may be distributed and stored in the plurality of storage devices.
  • the secure data storage unit 22 stores data used when the secure control unit 20 executes a program.
  • the secure data storage unit 22 may be a non-volatile storage device such as a flash memory, an EEPROM, an SSD, an FRAM, or a magnetic disk.
  • the secure data storage unit 22 may have tamper resistance.
  • the secure code storage unit 21 and the secure data storage unit 22 may be memories having a ROM that is a nonvolatile storage element and a RAM that is a volatile storage element.
  • the ROM stores an immutable program.
  • the RAM is a high-speed and volatile storage element such as a DRAM (Dynamic Random Access Memory), and temporarily stores a program executed by the secure control unit 20 and data used when the program is executed.
  • the secure code storage unit 21 and the secure data storage unit 22 may have some or all of their constituent elements in common. Even if there is no clear distinction as a device, the secure code storage unit 21 denotes the portion storing code in the secure area 2, and the secure data storage unit 22 denotes the portion storing data in the secure area 2.
  • the secure code storage unit 21 includes a secure control code 210 and secure writing software (hereinafter, secure writing software) 211.
  • the secure control code 210 is a program executed by the secure control unit 20, and is a program for realizing the security function of the ECU 901 as an in-vehicle device.
  • FIG. 2 shows two secure control codes: a secure control code 210A, which is an example of “first secure control information”, and a secure control code 210B, which is an example of “second secure control information”.
  • the secure control code 210A and the secure control code 210B have a relationship between the old and new programs before and after the update.
  • the secure writing software 211 is a program executed by the secure control unit 20 for rewriting (reprogramming) the secure control code 210.
  • the secure writing software 211 writes the new program (repro data) received by the ECU 901 in the secure code storage unit 21 as a new secure control code 210.
  • the secure writing software 211 cooperates with the main control unit 10 and the main writing software 111 according to the sequence described later to securely reprogram the secure control code 210 in the secure code storage unit 21.
  • the secure writing software 211 uses a main area key 225 and a secure area key 226, described later, when decrypting the repro data, verifying the falsification detection code, and verifying the signature.
  • the secure writing software 211 rewrites whichever of the secure control code 210A and the secure control code 210B is not being used by the secure control unit 20 for operation.
  • when the secure control unit 20 is operating with the secure control code 210A, the secure writing software 211 rewrites the secure control code 210B.
  • when the secure control unit 20 is operating with the secure control code 210B, the secure writing software 211 rewrites the secure control code 210A.
  • when the secure control unit 20 is using neither the secure control code 210A nor the secure control code 210B for operation, either of them may be rewritten, or both may be rewritten. These repro processes also apply when there is only one secure control code 210; in that case, the secure control unit 20 rewrites the secure control code 210 while operating from the secure writing software 211 rather than from the secure control code 210.
  • the secure data storage unit 22 includes secure control data 220, a main area key 225, a secure area key 226, and operation code selection information 229.
  • the secure control data 220 is an example of “secure control information”.
  • the main area key 225 is an example of a “third decryption key”.
  • the secure area key 226 is an example of a “first decryption key” and a “verification key”.
  • the operation code selection information 229 is an example of “operation information selection information”.
  • the secure data storage unit 22 may include a repro data storage unit.
  • the secure control data 220 is data used by the secure control code 210 executed by the secure control unit 20 for processing, and is data for realizing a security function as an in-vehicle device of the ECU 901. There may be a plurality of secure control data 220 depending on the application.
  • the main area key 225 is a key used by the secure writing software 211, executed by the secure control unit 20, to decrypt the repro data stored in the repro data storage unit 121 or to detect tampering with it.
  • the main area key 225 may be a symmetric encryption key such as AES or an asymmetric encryption key such as RSA or elliptic curve encryption.
  • the main area key 225 may have a plurality of mutually different keys used when performing both decryption and tampering detection. Further, when the falsification detection is performed by using the asymmetric key signature, the main writing software 111 may perform the verification process.
  • the secure area key 226 is a key used by the secure writing software 211, executed by the secure control unit 20, to detect tampering with the repro data stored in the repro data storage unit 121.
  • the secure area key 226 is used for decrypting or tampering detection of a portion of the repro data, which is particularly related to the secure control code 210.
  • the secure area key 226 may be a symmetric encryption key such as AES or an asymmetric encryption key such as RSA or elliptic curve encryption. When performing both decryption and tampering detection, a plurality of mutually different keys may be used. Note that the secure area key 226 and the main area key 225 may be configured so that there is no particular distinction.
  • the operation code selection information 229 is information by which the main control unit 10 or the secure control unit 20 selects the code to read and execute after start-up when there are a plurality of main control codes 110 or secure control codes 210.
  • the operation code selection information 229 may be a flag and data that are rewritten when the replacement of the old and new programs is determined by a repro sequence described later. Further, the operation code selection information 229 may include a plurality of pieces of information so that the main control code 110 and the secure control code 210 respectively indicate separate selection information. Further, the operation code selection information 229 may be replaced with information such as whether or not the code is being rewritten.
  • FIG. 3 is a configuration diagram of reprogramming data according to the first embodiment.
  • the repro data is stored in the repro data storage unit 121.
  • the repro data includes, for example, main control code repro data 601, signature 602, secure control code repro data 603, and tampering detection code 604.
  • the main control code repro data 601 includes a new program of the main control code 110.
  • the main control code repro data 601 may be encrypted data that is decrypted with a key belonging to the main area key 225.
  • the encryption method of the main control code repro data 601 may be a symmetric key or an asymmetric key.
  • the main control code repro data 601 may not be encrypted depending on the use.
  • the signature 602 is information for detecting alteration of the repro data.
  • the signature 602 may be an electronic signature whose verification targets are the main control code repro data 601, the secure control code repro data 603, and the tampering detection code 604.
  • the main writing software 111 or the secure writing software 211 can verify the signature 602 with the key belonging to the main area key 225 and confirm that the repro data has not been tampered with.
  • the secure control code repro data 603 includes a new program of the secure control code 210.
  • the secure control code repro data 603 may be encrypted data that is decrypted with a key belonging to the secure area key 226.
  • the encryption method of the secure control code repro data 603 may be a symmetric key or an asymmetric key.
  • the falsification detection code 604 is information for detecting falsification of the secure control code repro data 603.
  • the tampering detection code 604 may be a MAC (Message Authentication Code) whose verification target is the secure control code repro data 603.
  • the secure writing software 211 can verify the tampering detection code 604 with the key belonging to the secure area key 226 and confirm that the secure control code repro data 603 has not been tampered with.
  • the repro data may lack some of the components shown in FIG. 3, and may lack either the main control code repro data 601 or the secure control code repro data 603.
  • the verification range of the signature 602 is not limited to the exemplified one.
  • the verification range of the signature 602 may be only the main control code repro data 601, only the secure control code repro data 603, or only the secure control code repro data 603 and the falsification detection code 604.
  • the verification algorithm of the signature 602 need not be based on an asymmetric key as long as it is a method capable of detecting falsification; as in the example of the falsification detection code 604, a MAC using a symmetric key may be used. Further, the signature 602 may be omitted when the main control code repro data 601 is included in the verification range of the falsification detection code 604.
  • the verification algorithm of the tampering detection code 604 need not be based on a symmetric key as long as it is a method capable of detecting tampering; as in the example of the signature 602, an electronic signature using an asymmetric key may be used.
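The FIG. 3 layout as a worked parser and verifier, added here as an illustration and not code from the patent or its assignee. The page gives no wire format, so the length-prefixed field order (601, 603, 604, then 602 over all three) is an assumption; the page allows the signature 602 to be a MAC rather than an asymmetric signature, so both 602 and 604 are modelled as HMAC-SHA256, and the symmetric cipher for 603 is an XOR keystream stand-in (not AES). Both keys are constructed sample values standing in for the main area key 225 and the secure area key 226. The last helper shows why the two keys are separate: a body altered inside 603 and re-signed with the main area key alone is still rejected by the secure area's own check on 604.

```python
import hashlib
import hmac
import struct

# Constructed sample keys (not from the page) standing in for keys 225 and 226.
MAIN_AREA_KEY = b"main-area-key-225-constructed"
SECURE_AREA_KEY = b"secure-area-key-226-constructed"
DIGEST_LEN = 32  # HMAC-SHA256 output length, used for both 602 and 604


def mac(key, data):
    """Tampering detection code / MAC-style signature (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR with an HMAC-SHA256 counter keystream.
    Symmetric, so the same call encrypts and decrypts. Not AES; assumption."""
    out = bytearray()
    for i in range(0, len(data), DIGEST_LEN):
        block = mac(key, struct.pack(">I", i // DIGEST_LEN))
        out.extend(b ^ k for b, k in zip(data[i:i + DIGEST_LEN], block))
    return bytes(out)


def build_repro_data(main_code, secure_code):
    """Assemble repro data: 601 (left unencrypted, which the page permits),
    603 encrypted with the secure area key, 604 = MAC(603) with the secure
    area key, 602 = MAC over 601|603|604 with the main area key."""
    field_601 = main_code
    field_603 = keystream_xor(SECURE_AREA_KEY, secure_code)
    field_604 = mac(SECURE_AREA_KEY, field_603)
    body = (struct.pack(">I", len(field_601)) + field_601
            + struct.pack(">I", len(field_603)) + field_603 + field_604)
    return body + mac(MAIN_AREA_KEY, body)


def read_field(body, off):
    """Read one 4-byte-length-prefixed field; reject truncated input."""
    if off + 4 > len(body):
        raise ValueError("malformed repro data")
    (n,) = struct.unpack_from(">I", body, off)
    off += 4
    if off + n > len(body):
        raise ValueError("malformed repro data")
    return body[off:off + n], off + n


def parse_and_verify(blob):
    """Return (main_code, secure_code) or raise ValueError.
    Order follows the page: signature 602 with the main area key (S103/S105),
    then tampering detection code 604 with the secure area key (S105),
    then decryption of 603 inside the secure area (S107)."""
    if len(blob) < DIGEST_LEN:
        raise ValueError("too short")
    body, sig_602 = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    if not hmac.compare_digest(mac(MAIN_AREA_KEY, body), sig_602):
        raise ValueError("signature 602 invalid")
    field_601, off = read_field(body, 0)
    field_603, off = read_field(body, off)
    field_604 = body[off:off + DIGEST_LEN]
    if len(field_604) != DIGEST_LEN or off + DIGEST_LEN != len(body):
        raise ValueError("malformed repro data")
    if not hmac.compare_digest(mac(SECURE_AREA_KEY, field_603), field_604):
        raise ValueError("tampering detection code 604 invalid")
    return field_601, keystream_xor(SECURE_AREA_KEY, field_603)


def verify_outcome(blob):
    """String outcome of parse_and_verify, convenient for logging and tests."""
    try:
        parse_and_verify(blob)
        return "ok"
    except ValueError as exc:
        return str(exc)


def altered_603_resigned(blob):
    """Defender's check: flip one byte inside 603 and re-sign the body with the
    main area key only. 602 then verifies, but 604 must still reject it."""
    body = bytearray(blob[:-DIGEST_LEN])
    (n601,) = struct.unpack_from(">I", body, 0)
    body[4 + n601 + 4] ^= 0x01
    body = bytes(body)
    return body + mac(MAIN_AREA_KEY, body)


if __name__ == "__main__":
    blob = build_repro_data(b"MAIN-110B", b"SECURE-210B-v2")
    print("valid blob:", verify_outcome(blob))
    print("corrupted 602:", verify_outcome(blob[:-1] + bytes([blob[-1] ^ 1])))
    print("603 altered, re-signed with main key:", verify_outcome(altered_603_resigned(blob)))
```

Only the secure area holds the key for 604, so a verifier in the main area can reject garbage early (602) without being the last line of defence for the secure control code.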
  • FIG. 4 is a flowchart showing the reprogramming process according to the first embodiment.
  • the repro device 800 (diagnostic device 800A, vehicle-mounted repro master 800B1, communication device 800B2, OTA center 800B3) and the components of the ECU 901 transfer commands and data to securely repro the secure control code 210.
  • the repro device 800 is any one or a combination of the diagnostic device 800A, the vehicle-mounted repro master 800B1, the communication device 800B2, and the OTA center 800B3, and each device relays the communication path to the ECU 901 as necessary. Further, communication between the ECU 901 and the outside is relayed by the communication unit 19 as necessary.
  • when a program in the main code storage unit 11 is described as the execution subject, the main control unit 10 executes the program. Likewise, when a program in the secure code storage unit 21 is described as the execution subject, the secure control unit 20 executes the program.
  • arrows in the following figures show the conceptual flow of commands and data, and do not limit the communication direction and instruction direction. There may be processing instructions and data flows not shown by arrows.
  • the illustrated sequence starts with the repro device 800 having repro data.
  • the repro device 800 notifies the main writing software 111 of the start of repro (S101). Then, the main writing software 111 receives the repro data from the repro device 800 (S102). The received repro data is stored in the repro data storage unit 121 for tampering detection (S103).
  • the main writing software 111 may receive the public key belonging to the main area key 225 from the secure writing software 211 and verify the signature 602.
  • the main writing software 111 notifies the secure writing software 211 of the start of repro (S104).
  • the secure writing software 211, having received the repro start notification, verifies the alteration detection code 604 of the repro data stored in the repro data storage unit 121 with the key belonging to the secure area key 226 (S105).
  • the signature 602 may also be verified here using a key belonging to the main area key 225.
  • if this verification fails, the main writing software 111 may be notified of the abnormality and the subsequent repro processing may be stopped.
  • the secure writing software 211 acquires the repro data from the repro data storage unit 121 (S106), and executes the decryption process using the decryption key belonging to the secure area key 226 (S107). Then, the secure writing software 211 updates the secure control code 210 by writing the decrypted repro data to a predetermined location in the secure code storage unit 21 (S108). The processing from S106 to S108 may be repeatedly executed depending on the capacity of the work memory area that the secure area 2 can secure for these processing. Note that, in S108, the secure control code 210 not used by the secure control unit 20 for rewriting is as described in FIG.
  • the secure writing software 211 verifies whether or not the writing in S108 is normally executed, and if the verification result is correct, the operation code selection information 229 is changed to information indicating that the new written program is selected.
  • Rewrite (S109).
  • the verification may be performed by comparing the tampering detection code calculated from the target area with the tampering detection code 604, and when the tampering detection code 604 is an electronic signature, the verification may be performed. The verification may be determined based on the calculation of another error detection code or error correction code.
  • the main writing software 111 is notified of the abnormality and the subsequent repro processing does not have to be continued. Further, the verification or the switching of the operation code may be judged or executed by receiving the instruction from the main writing software 111 as a trigger after a predetermined notification is given to the main writing software 111.
  • The secure writing software 211 notifies the main writing software 111 that the repro of the secure code storage unit 21 has been completed normally (S110).
  • Upon receiving the completion notification, the main writing software 111 deletes the repro data stored in the repro data storage unit 121 (S111).
  • the deletion of the repro data may be determined or executed after receiving the instruction from the repro device 800 as a trigger after S112 described below.
  • the main writing software 111 notifies the repro device 800 that the repro has been completed normally (S112). If the main writing software 111 detects any abnormality during a series of processes, the repro device 800 may be notified of the abnormality and the subsequent repro process may be stopped.
  • In this way, the secure writing software 211 performs data authentication and decryption processing and controls the rewriting of the secure control code 210, so that the flexibility of reprogramming can be increased while maintaining security strength.
  • FIG. 5 is a flowchart showing the secure boot process according to the first embodiment.
  • the secure boot process is executed when the ECU 901 starts up with a new program as a result of the repro process shown in the sequence of FIG.
  • When the ECU 901 is activated (S401), the secure control unit 20 starts secure boot processing (S402).
  • the secure control unit 20 executes self-verification of the secure control code 210 used by itself by a boot code (not shown) (S403).
  • The verification method may be MAC verification with a symmetric key or signature verification with an asymmetric key. If an abnormality is detected during the self-verification in S403, the secure control unit 20 may execute a predetermined error process, in which the log is saved and the secure boot processing is stopped. Then, the secure control unit 20 selects an operation code verified to be correct and transfers control to the selected secure control code 210 (S404).
  • the secure control code 210 verifies the main control code 110, which is the operation code of the main control unit 10 (S405), and determines whether the verification result is normal (S406).
  • If the determination result of S406 is normal, operation permission is given to the boot code (not shown) of the main control unit 10 (S408).
  • If the determination result of S406 is abnormal, a predetermined error process is executed (S407). In the error processing of S407, the log may be saved and the secure boot processing may be stopped.
  • The main control unit 10 that has obtained the operation permission starts the boot process using a boot code (not shown) (S409). If it is necessary to select the operation code, the secure control unit 20 is asked for the operation code selection information 229 (S410), and the secure control code 210 presents the operation code selection information 229 to the main control unit 10 (S411). Subsequently, the main control unit 10 transfers control to the main control code 110 designated by the operation code selection information 229 acquired in S410 (S412).
  • the main control unit 10 can operate with a correct control code by using the operation code selection information 229 that is securely managed and updated.
  • If an error occurs, it may be notified to the control unit of each component of the vehicle information system.
  • Each program included in the main writing software 111, the secure writing software 211, the main control code 110, and the secure control code 210 may display information indicating the processing being executed on the display device as necessary. It is desirable for each of these programs to display information indicating the completion of a series of processes and the occurrence of branch processing on the display device. Further, the determination in the branch processing may be made by the user via the input device.
  • In the figures, the exchange of information between steps may be omitted; in reality it may form a command and response pair. Even when the exchange of information between steps is indicated by a single pair of bidirectional arrows, the exchange may include a plurality of commands and responses. Further, even where data is described as being transmitted and received between entities, in actual communication one entity may act as a client and the other as a server; in that case the communication is carried out via commands and responses, resulting in the transmission of the aforementioned data.
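As an added illustration that is not code from the patent, the following Python models S105 to S111 of FIG. 4 together with the secure boot self-check of S403 and S404, over a two-bank secure code storage unit 21 whose active bank is named by the operation code selection information 229. The tampering detection code 604 is modelled as an HMAC, the S107 decryption as a constructed keystream stand-in, and the S109 write check as a hash over the written area (one of the error-detection options the text permits); the key names, bank layout and write-fault flag are assumptions made for the example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed keys standing in for the secure area key 226, held only inside the secure area.
MAC_KEY_226 = b"constructed-secure-area-mac-key"
DEC_KEY_226 = b"constructed-secure-area-dec-key"


def tamper_code(key: bytes, data: bytes) -> bytes:
    """Alteration detection code 604 modelled as a symmetric MAC (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the S107 decryption step: XOR with an HMAC-derived keystream.
    Constructed for this example only; a real ECU would use a block cipher mode."""
    out = b""
    for n, off in enumerate(range(0, len(data), 32)):
        block_key = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], block_key))
    return out


def make_repro_data(image: bytes) -> dict:
    """Repro device side (constructed): encrypt the image, then compute 604 over the ciphertext."""
    body = keystream_xor(DEC_KEY_226, image)
    return {"body": body, "code604": tamper_code(MAC_KEY_226, body)}


class SecureCodeStorage:
    """Secure code storage unit 21 as two banks; selection information 229 names the active one."""

    def __init__(self, code: bytes):
        self.banks = [code, b""]                             # bank 0 operational, bank 1 free
        self.codes = [tamper_code(MAC_KEY_226, code), b""]   # per-bank 604, checked at S403
        self.selection = 0                                   # operation code selection info 229

    def repro(self, repro_data: dict, inject_write_fault: bool = False) -> str:
        """S105-S109 as run by the secure writing software 211: returns 'S110' on success,
        or the step at which the abnormality was detected."""
        # S105: verify 604 with the secure area key before anything is written to flash
        if not hmac.compare_digest(tamper_code(MAC_KEY_226, repro_data["body"]),
                                   repro_data["code604"]):
            return "S105"                                    # notify 111, stop the repro
        # S106-S108: decrypt, then write only to the bank that is not currently in use
        target = 1 - self.selection
        plain = keystream_xor(DEC_KEY_226, repro_data["body"])
        self.banks[target] = plain[:-1] if inject_write_fault else plain  # simulated flash fault
        self.codes[target] = tamper_code(MAC_KEY_226, plain)
        # S109: verify the written area with an error detection code (an option the text allows);
        # 229 is switched only when the check passes, so a bad write leaves the old code selected
        if hashlib.sha256(self.banks[target]).digest() != hashlib.sha256(plain).digest():
            return "S109"
        self.selection = target
        return "S110"

    def secure_boot(self) -> Optional[bytes]:
        """S403-S404: self-verify the code named by 229 and only then transfer control to it."""
        sel = self.selection
        if not hmac.compare_digest(tamper_code(MAC_KEY_226, self.banks[sel]), self.codes[sel]):
            return None                                      # S403 abnormal: log, stop boot
        return self.banks[sel]
```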
  • the reprogramming process according to the second embodiment will be described.
  • The reprogramming process according to the second embodiment differs from that of the first embodiment only in the configuration for transmitting and receiving repro data; the other configurations are the same as in the first embodiment. Therefore, the differences from the first embodiment will mainly be described.
  • FIG. 6 is a flowchart showing a reprogramming process according to the second embodiment.
  • the rewriting data is sent from the main writing software 111 to the secure writing software 211.
  • This embodiment is effective when a work memory for data reception can be sufficiently reserved in the secure area 2, and is feasible even when the secure writing software 211 cannot directly refer to the main data storage unit 12.
  • The main writing software 111 notifies the secure writing software 211 of the start of the rewriting (S104), then acquires the repro data from the repro data storage unit 121 and transmits it to the secure writing software 211 (S201).
  • the secure writing software 211 holds the received repro data in an appropriate work memory (not shown) such as the secure data storage unit 22 (S202).
  • S201 and S202 may be repeated in predetermined amounts according to the communication bandwidth between the components.
  • In S105, the secure writing software 211 executes tampering detection on the repro data received in S202, and from S107 onward executes the same processing as in the flow shown in FIG.
  • Thus, when sufficient work memory can be reserved in the secure area 2, the secure writing software 211 can perform data authentication and decryption processing even when it cannot directly refer to the main data storage unit 12. That is, by controlling the rewriting of the secure control code 210, the flexibility of reprogramming can be increased while maintaining the strength of security.
  • the reprogramming process according to the third embodiment will be described.
  • The reprogramming process according to the third embodiment differs from that of the first embodiment only in the configuration of the repro target; the other configurations are the same as in the first embodiment. Therefore, the differences from the first embodiment will mainly be described.
  • FIG. 7 is a flowchart showing a reprogramming process according to the third embodiment.
  • FIG. 7 shows a method of rewriting the main code storage unit 11 of the main area 1 from the secure writing software 211 before or after S104 to S111 of FIG. 4 (an example of the previous case is shown).
  • The main writing software 111 delegates the repro process to the secure writing software 211. Because all security judgments regarding the repro process are then performed in the secure area 2, a more secure repro is possible.
  • the main writing software 111 executes a repro start request to the secure writing software 211 (S301).
  • S301 of the repro start request and S104 of the repro start notification may be one command including both meanings.
  • The secure writing software 211 that has received the repro start request verifies the signature 602 of the repro data stored in the repro data storage unit 121 with the key belonging to the main area key 226 (S302). If the tampering detection verification fails, the secure writing software 211 may notify the main writing software 111 of an abnormality after performing a predetermined retry, and stop the subsequent repro processing.
  • The secure writing software 211 acquires the repro data from the repro data storage unit 121 (S303), executes the decryption process using the decryption key belonging to the main area key 225 (S304), and updates the main control code 110 by writing the decrypted data to a predetermined location in the main code storage unit 11 (S305).
  • S303 to S305 may be repeated in predetermined amounts according to the capacity of the work memory area that the secure area 2 can reserve for this processing. Note that, as described with reference to FIG., the main control code 110 rewritten in S305 is the copy that the main control unit 10 is not currently using for operation.
  • The secure writing software 211 verifies whether the writing in S305 was executed normally, and if the verification result is correct, rewrites the operation code selection information 229 to information indicating that the newly written program is selected (S306).
  • The verification may be performed by comparing the hash value extracted from the signature 602 with a hash value calculated over the target area, or, when the signature 602 is a MAC, by MAC verification. Furthermore, the determination may be based on the calculation of another error detection code or error correction code. If the writing has failed, the main writing software 111 may be notified of the abnormality after a predetermined retry, and the subsequent repro processing may be stopped. Further, the verification or the switching of the operation code may be judged or executed upon receiving an instruction from the main writing software 111 as a trigger, after a predetermined notification has been given to the main writing software 111.
  • The secure writing software 211 notifies the main writing software 111 that the repro of the main code storage unit 11 has been completed normally (S307).
  • the operation code switching of S306 and the operation code switching of S109 may be executed as a single step after the rewriting processing of both the main code storage unit 11 and the secure code storage unit 21 is completed.
  • the completion notifications in S307 and S110 may be one notification including both meanings.
  • In the example of FIG. 7, S301 to S307 are executed before S104 to S110. However, S301 to S307 may instead be executed after S104 to S110. Further, S104 to S110 may be omitted, and only the repro of the main code storage unit 11 may be executed.
  • the main writing software 111 may transmit the repro data to the secure writing software 211 as in the example shown in FIG.
  • the secure writing software 211 can perform control for rewriting the main control code 110, the secure control code 210, or both by executing data authentication and decryption processing.
  • the flexibility of reprogramming can be enhanced while maintaining the strength of security.
  • the present invention is not limited to the above-described embodiments, and various modifications are included.
  • the above-described embodiments have been described in detail for the purpose of explaining the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described.
  • a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and further, the configuration of another embodiment can be added to the configuration of one embodiment.
  • the secure writing software 211 may have a smaller code amount than the secure control code 210A. According to this configuration, even if the capacity is small, the secure control code 210A can be written.
  • each of the above-mentioned configurations, functions, processing units, and processing means may be realized by hardware by designing a part or all of them with an integrated circuit. Further, each of the above configurations and functions may be realized by software by a processor interpreting and executing a program that realizes each function. Information such as a program, a table, and a file that realizes each function may be stored in a recording device such as a memory, a hard disk, or an SSD, or a recording medium such as an IC card, an SD card, or a DVD.
  • control lines and information lines are shown to be necessary for explanation, and not all control lines and information lines are shown on the product. In practice, almost all configurations may be connected together.

Abstract

The present invention increases the flexibility of reprogramming a secure area. A secure area 2 stores a secure control code 210 and secure control data 220 for operating a secure control unit 20, and secure writing software 211 for updating the secure control code and the secure control data. The secure control code and the secure control data comprise a secure control code 210A stored on the operational side in a secure code storage unit 21 and a secure data storage unit 22, and a secure control code 210B stored on the non-operational side in a main code storage unit and a main data storage unit. The secure control unit runs the secure writing software in accordance with the secure control information 210A and updates the secure control information 210B with update information received from outside via the main area.
PCT/JP2019/040168 2018-10-31 2019-10-11 Dispositif de commande électronique et procédé de reprogrammation pour dispositif de commande électronique WO2020090418A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2020553737A JPWO2020090418A1 (ja) 2018-10-31 2019-10-11 電子制御装置、電子制御装置のリプログラミング方法

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018204695 2018-10-31
JP2018-204695 2018-10-31

Publications (1)

Publication Number Publication Date
WO2020090418A1 true WO2020090418A1 (fr) 2020-05-07

Family

ID=70462214

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/040168 WO2020090418A1 (fr) 2018-10-31 2019-10-11 Dispositif de commande électronique et procédé de reprogrammation pour dispositif de commande électronique

Country Status (2)

Country Link
JP (1) JPWO2020090418A1 (fr)
WO (1) WO2020090418A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7472844B2 (ja) 2021-04-14 2024-04-23 株式会社デンソー 電子制御装置

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010501953A (ja) * 2006-09-07 2010-01-21 ノキア コーポレイション セキュアモジュールアプリケーションに関連する情報の管理
US20150172255A1 (en) * 2013-12-13 2015-06-18 Nxp B.V. Updating software on a secure element
US20150199190A1 (en) * 2012-02-23 2015-07-16 Google Inc. System and method for updating firmware
JP2016207219A (ja) * 2015-04-27 2016-12-08 三星電子株式会社Samsung Electronics Co.,Ltd. ソフトウェア更新方法及びそのシステム

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005284902A (ja) * 2004-03-30 2005-10-13 Net Conscious Kk 端末装置、その制御方法及び制御プログラム、ホスト装置、その制御方法及び制御プログラム、遠隔更新システム、方法及びプログラム
JP6011687B1 (ja) * 2015-07-09 2016-10-19 日本電気株式会社 記憶装置およびその制御方法

Also Published As

Publication number Publication date
JPWO2020090418A1 (ja) 2021-09-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19880320

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020553737

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 19880320

Country of ref document: EP

Kind code of ref document: A1