WO2022185570A1 - Control device - Google Patents
Control device
- Publication number: WO2022185570A1 (PCT/JP2021/030789)
- Authority: WO, WIPO (PCT)
- Prior art keywords: program, unit, verification, microcomputer, control device
Classifications
- All under G—PHYSICS; G06—COMPUTING; CALCULATING OR COUNTING; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/572—Secure firmware programming, e.g. of basic input output system [BIOS]
- G06F21/575—Secure boot
- G06F21/60—Protecting data; G06F21/64—Protecting data integrity, e.g. using checksums, certificates or signatures
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms; G06F2221/034—Test or assess a computer or a system
Definitions
- The present invention relates to a control device.
- An in-vehicle control device that controls a vehicle is equipped with a secure boot function that verifies the safety of a program when an arithmetic processing device such as a microcontroller (hereafter referred to as a microcomputer) starts up.
- Such a secure boot function relies on the security function of a dedicated module with guaranteed tamper resistance, such as an HSM (Hardware Security Module).
- Since the control device includes a plurality of processing units, if all of the processing units are equipped with a security function such as an HSM, the cost of the control device increases significantly.
- Patent Document 1 discloses a secure boot technology for a device having two processing units, in which one processing unit verifies at startup whether or not the program executed by the other processing unit has been tampered with.
- Patent Document 1 does not disclose a function for verifying the program that is itself executed in one of the arithmetic processing units. With the technique disclosed in Patent Document 1, even if that program is tampered with, the tampering is difficult to detect. Therefore, the technology disclosed in Patent Document 1 has room for improvement in terms of easily realizing safe startup of the device.
- The present invention has been made in view of the above, and its object is to easily realize safe startup of a control device having a plurality of processing units.
- The control device of the present invention includes a first arithmetic processing unit including a processor that executes a first program, a second arithmetic processing unit including a processor that executes a second program, and a storage device storing the second program. The first processing unit includes: a verification unit that verifies whether or not the first program and the second program have been tampered with; a first acquisition unit that acquires the second program from the storage device when the verification unit verifies that the first program has not been tampered with; and a start permission notifying unit that, when the verification unit verifies that the second program has not been tampered with, notifies the second processing unit of start permission permitting the second processing unit to start the second program. The second processing unit includes: a second acquisition unit that acquires the second program from the storage device; and an activation execution unit that activates the second program when the activation permission is notified.
- FIG. 1 is a diagram showing the functional configuration of the control device according to Embodiment 1.
- FIG. 2 is a sequence diagram showing the flow of activation processing of the control device shown in FIG. 1.
- FIG. 3 is a flowchart showing the flow of update processing of the control device shown in FIG. 1.
- FIG. 4 is a diagram showing the functional configuration of a control device according to Embodiment 2.
- FIG. 5 is a sequence diagram showing the flow of activation processing of the control device shown in FIG. 4.
- Embodiment 1. In this embodiment, an example of a control device equipped with a secure boot function that verifies the safety of a program when an arithmetic processing device such as a microcomputer starts up is described. However, the technical idea of the present invention can be widely applied to information security technology such as encryption processing and electronic signature verification processing.
- The control device 5 is a device that electrically controls a control target.
- The control target of the control device 5 is not particularly limited.
- The object controlled by the control device 5 may be a machine or device with a relatively long product life, such as an automobile.
- The control device 5 may be configured as an in-vehicle ECU.
- FIG. 1 is a diagram showing the functional configuration of the control device 5 of Embodiment 1.
- The control device 5 includes a first microcomputer 1, a second microcomputer 2, and a storage device 3.
- The storage device 3 is connected to each of the first microcomputer 1 and the second microcomputer 2 via a communication bus 4.
- The communication bus 4 is physically composed of a plurality of communication buses.
- The standards of the plurality of communication buses forming the communication bus 4 may all be the same or may differ.
- The standards are, for example, SPI (Serial Peripheral Interface) and MII (Media Independent Interface).
- The first microcomputer 1 is an example of the "first arithmetic processing unit" described in the claims.
- The second microcomputer 2 is an example of the "second arithmetic processing unit" described in the claims.
- The first microcomputer 1 includes a main control unit 111, a main program storage unit 112, a main data storage unit 113, and a communication unit 114, which are interconnected by a bus line 115.
- In this embodiment, the area to which these components of the first microcomputer 1 belong, together with the bus line 115, is also referred to as the "main area 11".
- The first microcomputer 1 further includes a secure control unit 123, a secure program storage unit 122, and a secure data storage unit 121, which are interconnected by a bus line 125.
- The area to which these components of the first microcomputer 1 belong, together with the bus line 125, is also referred to as the "secure area 12".
- The main area 11 is the area of the first microcomputer 1 other than the secure area 12.
- The secure area 12 is a tamper-resistant area. That is, the first microcomputer 1 has a secure area 12 having tamper resistance and a main area 11 other than the secure area 12.
- The secure area 12 is an area in which programs and data can be rewritten.
- From the viewpoint of ensuring safety, the bus line 115 of the main area 11 and the bus line 125 of the secure area 12 are not directly connected, but are indirectly connected via the secure control unit 123. Commands and data are transmitted and received between the main area 11 and the secure area 12 via the secure control unit 123.
- The main control unit 111 has a processor (CPU, MPU, or DSP) and executes programs stored in the main program storage unit 112.
- The main control unit 111 is an example of the "processor" included in the "first arithmetic processing unit" recited in the claims.
- The main program storage unit 112 stores programs executed by the main control unit 111.
- The main data storage unit 113 stores data used when the main control unit 111 executes a program.
- Each of the main program storage unit 112 and the main data storage unit 113 is configured by a non-volatile storage device such as flash memory, EEPROM, SSD, FRAM (registered trademark; the same applies hereinafter), or a magnetic disk.
- Each of the main program storage unit 112 and the main data storage unit 113 may be configured by a plurality of storage devices.
- The main program storage unit 112 may store programs distributed over a plurality of storage devices.
- The main data storage unit 113 may store data distributed over a plurality of storage devices.
- Each of the main program storage unit 112 and the main data storage unit 113 may be a memory having a ROM, which is a non-volatile storage device, and a RAM, which is a volatile storage device.
- The ROM stores immutable programs.
- The RAM may be a high-speed, volatile storage device such as a DRAM, and can temporarily store programs executed by the main control unit 111 and data used during execution of the programs.
- The main program storage unit 112 and the main data storage unit 113 may be partly or wholly components of each other. Even if there is no clear distinction between the devices, the main program storage unit 112 is the portion that stores programs, and the main data storage unit 113 is the portion that stores data.
- The main program storage unit 112 stores a main control program 1121, a first verification expected value 1122, a main update unit 1123, an activation permission notification unit 1124, an acquisition permission notification unit 1125, and a first acquisition unit 1126.
- The main control program 1121, the main update unit 1123, the activation permission notification unit 1124, the acquisition permission notification unit 1125, and the first acquisition unit 1126 are programs executed by the main control unit 111 for realizing the functions of the first microcomputer 1 in the control device 5.
- A program that is stored in the main program storage unit 112 and executed by the main control unit 111 is also referred to as a "first program".
- The first programs are, for example, the main control program 1121, the main update unit 1123, the activation permission notification unit 1124, the acquisition permission notification unit 1125, and the first acquisition unit 1126.
- A program that is stored in the second microcomputer storage area 31 of the storage device 3 and executed by the control unit 21 is also referred to as a "second program".
- The second program is, for example, the control program 311.
- The main control program 1121 is a program by which the control device 5 controls the control target, and is executed by the main control unit 111 of the first microcomputer 1. There may be a plurality of main control programs 1121 in order to implement a plurality of control functions of the control device 5.
- The first verification expected value 1122 is the value expected to be calculated in the process of verifying whether or not the first program has been tampered with.
- The first verification expected value 1122 may be stored in any location from which the first microcomputer 1 can read it.
- The first verification expected value 1122 may be stored, for example, in any one of the main data storage unit 113, the secure data storage unit 121, and the secure program storage unit 122.
- The first acquisition unit 1126 acquires the second program and the second verification expected value 312 stored in the second microcomputer storage area 31 from the storage device 3. If the verification unit 1221 verifies that the first program has not been tampered with, the acquisition permission notification unit 1125 notifies the second microcomputer 2 of acquisition permission that permits the second microcomputer 2 to acquire the second program from the storage device 3.
- The acquisition permission notification unit 1125 notifies the second microcomputer 2 of the acquisition permission before the activation permission notification unit 1124 notifies the second microcomputer 2 of the activation permission.
- When the verification unit 1221 verifies that the second program has not been tampered with, the activation permission notification unit 1124 notifies the second microcomputer 2 of activation permission that permits the second microcomputer 2 to activate the second program.
- The main update unit 1123 stores the update package in the main program storage unit 112, the main data storage unit 113, or the second microcomputer storage area 31 of the storage device 3.
- A program or data to be updated is updated with an update package.
- The main update unit 1123 also cooperates with the secure update unit 1223 to update a program or data to be updated that is stored in the secure program storage unit 122 or the secure data storage unit 121 with an update package.
- An update target is a program or data predetermined as an object of updating.
- An update package is a program or data for updating an update target.
- The update package includes a verification expected value that is expected to be calculated in the process of verifying whether or not the update package has been tampered with.
- The update package is transmitted to the control device 5 from a device external to the control device 5, such as a center server or a terminal.
- Control data is data used for processing by the main control program 1121, the main update unit 1123, the activation permission notification unit 1124, the acquisition permission notification unit 1125, and the first acquisition unit 1126 executed by the main control unit 111, and is the data for realizing the functions of the first microcomputer 1 in the control device 5. There may be a plurality of pieces of this control data depending on the application.
- The communication unit 114 has a function for the first microcomputer 1 to communicate with other components of the control device 5, including the second microcomputer 2, and a function for communicating with a device external to the control device 5.
- The communication unit 114 may be configured by a communication module conforming to a standard such as SPI, MII, CAN, CAN FD, Ethernet, or FlexRay.
- The communication unit 114 may be configured with a plurality of communication units depending on the application and communication method.
- The communication unit 114 may be shared with a communication module that performs other communication. Note that the communication unit 114 includes an antenna and a modulation/demodulation circuit when wireless communication is performed.
- The communication unit 114 includes a connector and a modulation/demodulation circuit when wired communication is performed.
- The secure control unit 123 is composed of a secure microcomputer such as an HSM, SHE, or TPM, or of a processor (CPU, MPU, or DSP) called a secure core. The secure control unit 123 executes programs stored in the secure program storage unit 122. The secure control unit 123 has tamper resistance. Note that the HSM, SHE, or TPM constituting the secure control unit 123 may be configured to include the secure program storage unit 122 and the secure data storage unit 121.
- The secure program storage unit 122 stores programs executed by the secure control unit 123.
- The secure data storage unit 121 stores data used when the secure control unit 123 executes a program.
- Each of the secure program storage unit 122 and the secure data storage unit 121 has tamper resistance.
- Each of the secure program storage unit 122 and the secure data storage unit 121 is configured by a non-volatile storage device such as flash memory, EEPROM, SSD, FRAM, or a magnetic disk.
- Each of the secure program storage unit 122 and the secure data storage unit 121 may be composed of a plurality of storage devices.
- The secure program storage unit 122 may store programs distributed over a plurality of storage devices.
- The secure data storage unit 121 may store data distributed over a plurality of storage devices.
- Each of the secure program storage unit 122 and the secure data storage unit 121 may be a memory having a ROM, which is a non-volatile storage device, and a RAM, which is a volatile storage device.
- The ROM stores immutable programs.
- The RAM may be a high-speed, volatile storage device such as a DRAM, and can temporarily store programs executed by the secure control unit 123 and data used during execution of the programs.
- The secure program storage unit 122 and the secure data storage unit 121 may be partly or wholly components of each other. Even if there is no clear distinction between the devices, it is sufficient that the secure program storage unit 122 is the portion that stores programs and the secure data storage unit 121 is the portion that stores data.
- The secure program storage unit 122 stores a verification unit 1221, an encryption processing unit 1222, and a secure update unit 1223.
- The verification unit 1221, the encryption processing unit 1222, and the secure update unit 1223 are programs executed by the secure control unit 123 for realizing the security function of the control device 5 installed in the first microcomputer 1.
- The verification unit 1221 verifies whether or not a program stored in the main area 11 has been tampered with. That is, the verification unit 1221 verifies whether or not the first program has been tampered with. Specifically, the verification unit 1221 acquires, from among the first programs, the program corresponding to the verification range information 1212. The verification unit 1221 calculates a verification value from that program using the encryption key 1211 and a predetermined algorithm for calculating a verification value for verifying falsification of the program corresponding to the verification range information 1212. The verification unit 1221 then compares the calculated verification value with the first verification expected value 1122. If the calculated verification value and the first verification expected value 1122 match, the verification unit 1221 determines that the first program has not been tampered with; if they do not match, it determines that it cannot be confirmed that the first program has not been tampered with.
- The verification unit 1221 also verifies whether or not a program stored in the second microcomputer storage area 31 of the storage device 3 has been tampered with. That is, the verification unit 1221 verifies whether or not the second program has been tampered with. Specifically, the verification unit 1221 acquires, from among the second programs, the program corresponding to the verification range information 1212. The verification unit 1221 calculates a verification value from that program using the encryption key 1211 and a predetermined algorithm for calculating a verification value for verifying falsification of the program corresponding to the verification range information 1212. The verification unit 1221 then compares the calculated verification value with the second verification expected value 312. If the calculated verification value and the second verification expected value 312 match, the verification unit 1221 determines that the second program has not been tampered with; if they do not match, it determines that it cannot be confirmed that the second program has not been tampered with.
- The verification unit 1221 further verifies whether or not the update package has been tampered with. Specifically, the verification unit 1221 acquires the verification expected value included in the update package, and also acquires the program or data of the update package corresponding to the verification range information 1212. The verification unit 1221 calculates a verification value from that program or data using the encryption key 1211 and a predetermined algorithm for calculating a verification value for verifying falsification of the program or data corresponding to the verification range information 1212. The verification unit 1221 then compares the calculated verification value with the verification expected value included in the update package. If the calculated verification value and the verification expected value included in the update package match, the verification unit 1221 determines that the update package has not been tampered with; if they do not match, it determines that it cannot be confirmed that the update package has not been tampered with.
- Each of the above verification processes performed by the verification unit 1221 may be a verification process using a MAC (Message Authentication Code) with a common key, or a verification process using an electronic signature such as RSA (Rivest-Shamir-Adleman cryptosystem) or ECDSA (Elliptic Curve Digital Signature Algorithm).
- The encryption processing unit 1222 performs encryption processing for encrypting predetermined data and decryption processing for decrypting encrypted data.
- The secure update unit 1223 cooperates with the main update unit 1123 to update a program or data to be updated that is stored in the secure program storage unit 122 or the secure data storage unit 121 with an update package.
- The main update unit 1123 and the secure update unit 1223, which update an update target stored in the secure area 12, are an example of the "updater" described in the claims.
- The secure data storage unit 121 stores an encryption key 1211 and verification range information 1212.
- The encryption key 1211 is key data used in the verification processing performed by the verification unit 1221. There may be a plurality of encryption keys 1211 depending on the application.
- The verification range information 1212 is information indicating the programs or data to be verified by the verification unit 1221.
- The verification range information 1212 may be address information.
- The verification range information 1212 used to verify whether or not the first program has been tampered with is address information that specifies the storage location of part or all of the first program.
- The verification range information 1212 used to verify whether or not the second program has been tampered with is address information that specifies the storage location of part or all of the second program.
- The verification range information 1212 used to verify whether or not the update package has been tampered with is address information that specifies the storage location of part or all of the program or data of the update package.
- The secure data storage unit 121 also stores secure control data.
- This secure control data is used for processing by the verification unit 1221, the encryption processing unit 1222, and the secure update unit 1223 executed by the secure control unit 123, and is the data for realizing the security function of the control device 5 installed in the first microcomputer 1. There may be a plurality of pieces of this secure control data depending on the application.
- The second microcomputer 2 includes a control unit 21, a program storage unit 22, a data storage unit 23, and a communication unit 24, which are interconnected by a bus line 25.
- The control unit 21 has a processor (CPU, MPU, or DSP) and executes programs stored in the program storage unit 22 and the control program 311 stored in the second microcomputer storage area 31 of the storage device 3. Note that the control unit 21 is an example of the "processor" included in the "second arithmetic processing unit" recited in the claims.
- The program storage unit 22 stores programs executed by the control unit 21.
- The data storage unit 23 stores data used when the control unit 21 executes programs.
- Each of the program storage unit 22 and the data storage unit 23 is configured by a non-volatile storage device such as flash memory, EEPROM, SSD, FRAM, or a magnetic disk.
- Each of the program storage unit 22 and the data storage unit 23 may be configured by a plurality of storage devices.
- The program storage unit 22 may store programs distributed over a plurality of storage devices.
- The data storage unit 23 may store data distributed over a plurality of storage devices.
- Each of the program storage unit 22 and the data storage unit 23 may be a memory having a ROM, which is a non-volatile storage device, and a RAM, which is a volatile storage device.
- The ROM stores immutable programs.
- The RAM may be a high-speed, volatile storage device such as a DRAM, and can temporarily store programs executed by the control unit 21 and data used during execution of the programs.
- The program storage unit 22 and the data storage unit 23 may be partly or wholly components of each other. Even if there is no clear distinction between the devices, the program storage unit 22 is the portion that stores programs, and the data storage unit 23 is the portion that stores data.
- The program storage unit 22 stores an activation execution unit 221 and a second acquisition unit 222.
- The activation execution unit 221 and the second acquisition unit 222 are programs executed by the control unit 21 for realizing the functions of the second microcomputer 2 in the control device 5.
- The activation execution unit 221 and the second acquisition unit 222 are stored in an OTP (One Time Programmable) area in order to prevent unauthorized rewriting.
- The OTP area is a storage area in which a program can be written only once; once a program has been written, it cannot be rewritten with a different program. That is, the second microcomputer 2 has, in the program storage unit 22, an OTP area in which the program cannot be rewritten.
- The activation execution unit 221 and the second acquisition unit 222 are stored in this OTP area.
- The second acquisition unit 222 acquires the program stored in the second microcomputer storage area 31 of the storage device 3 at a predetermined timing. Specifically, the second acquisition unit 222 acquires the second program from the second microcomputer storage area 31 of the storage device 3 when the acquisition permission is notified from the first microcomputer 1. The second acquisition unit 222 loads and stores the acquired second program in a predetermined storage area of the second microcomputer 2. When acquiring the second program from the second microcomputer storage area 31 of the storage device 3, the second acquisition unit 222 may also acquire data stored in the second microcomputer storage area 31.
- The activation execution unit 221 activates the program stored in the second microcomputer storage area 31 of the storage device 3 at a predetermined timing. Specifically, the activation execution unit 221 activates the second program acquired from the second microcomputer storage area 31 of the storage device 3 when the activation permission is notified from the first microcomputer 1. Further, after the control device 5 is powered on, the activation execution unit 221 keeps the second microcomputer 2 in a standby state until the acquisition permission is notified from the first microcomputer 1. After the second acquisition unit 222 acquires the second program, the activation execution unit 221 again keeps the second microcomputer 2 in the standby state until the activation permission is notified from the first microcomputer 1.
- The data storage unit 23 stores control data.
- This control data is used for processing by the control program 311, the activation execution unit 221, and the second acquisition unit 222 executed by the control unit 21, and is the data for realizing the functions of the second microcomputer 2 in the control device 5. There may be a plurality of pieces of this control data depending on the application.
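The startup sequence and verification described above (verification unit 1221 checking the first and then the second program, the acquisition and activation permissions, and the OTP-resident second acquisition unit 222 and activation execution unit 221), simulated as an added Python example that is not the patent's own code: verification is the common-key MAC variant, realised here as HMAC-SHA256 over the verification range, and the key, program images, ranges and storage keys are constructed sample values.

```python
import hashlib
import hmac
from typing import Dict, Optional, Tuple


class SecureArea:
    """Secure area 12: keeps the encryption key 1211 and runs verification unit 1221."""

    def __init__(self, key: bytes, ranges: Dict[str, Tuple[int, int]]):
        self._key = key          # encryption key 1211; never leaves the secure area
        self._ranges = ranges    # verification range information 1212: (start, end) bytes

    def verification_value(self, name: str, image: bytes) -> bytes:
        # Common-key MAC variant: HMAC-SHA256 over the verification range only.
        start, end = self._ranges[name]
        return hmac.new(self._key, image[start:end], hashlib.sha256).digest()

    def verify(self, name: str, image: bytes, expected: bytes) -> bool:
        # Constant-time comparison of the calculated value with the expected value.
        return hmac.compare_digest(self.verification_value(name, image), expected)


class SecondMicrocomputer:
    """Second microcomputer 2: OTP-resident acquisition unit 222 and activation execution unit 221."""

    def __init__(self, storage: dict):
        self.storage = storage   # shared storage device 3
        self.state = "STANDBY"   # standby after power-on until the first microcomputer permits

    def on_acquisition_permission(self) -> None:
        if self.state != "STANDBY":
            raise RuntimeError("acquisition permission out of order")
        self.loaded = self.storage["control_program_311"]   # second acquisition unit 222
        self.state = "ACQUIRED"                             # standby again until activation

    def on_activation_permission(self) -> None:
        if self.state != "ACQUIRED":
            raise RuntimeError("activation permission before acquisition")
        self.state = "RUNNING"                              # activation execution unit 221


class FirstMicrocomputer:
    """First microcomputer 1: main-area units plus the secure-area verifier."""

    def __init__(self, first_program: bytes, first_expected: bytes,
                 secure: SecureArea, storage: dict, peer: SecondMicrocomputer):
        self.first_program = first_program     # first program in main program storage 112
        self.first_expected = first_expected   # first verification expected value 1122
        self.secure, self.storage, self.peer = secure, storage, peer

    def boot(self) -> str:
        # 1. Verify the first program itself before trusting anything it does.
        if not self.secure.verify("first", self.first_program, self.first_expected):
            return "first program verification failed"
        # 2. Acquisition permission notification unit 1125: peer may load its program.
        self.peer.on_acquisition_permission()
        # 3. First acquisition unit 1126 reads the second program and expected value 312.
        image = self.storage["control_program_311"]
        expected = self.storage["second_verification_expected_value_312"]
        if not self.secure.verify("second", image, expected):
            return "second program verification failed"
        # 4. Activation permission notification unit 1124, only after a clean check.
        self.peer.on_activation_permission()
        return "activated"


# Constructed sample values standing in for the key and the program images.
KEY = b"constructed-sample-key-not-a-real-one"
FIRST_PROGRAM = b"MAIN_CONTROL_PROGRAM_1121" + bytes(range(32))
CONTROL_PROGRAM_311 = b"CONTROL_PROGRAM_311" + bytes(range(48))
RANGES = {"first": (0, len(FIRST_PROGRAM)), "second": (0, len(CONTROL_PROGRAM_311))}


def run_boot(tamper_offset: Optional[int] = None) -> Tuple[str, str]:
    """Boot once, optionally flipping one byte of the second program; return (result, peer state)."""
    secure = SecureArea(KEY, RANGES)
    # Expected values are provisioned from the genuine images before any tampering.
    storage = {"control_program_311": CONTROL_PROGRAM_311,
               "second_verification_expected_value_312":
                   secure.verification_value("second", CONTROL_PROGRAM_311)}
    if tamper_offset is not None:
        image = bytearray(CONTROL_PROGRAM_311)
        image[tamper_offset] ^= 0x01
        storage["control_program_311"] = bytes(image)
    peer = SecondMicrocomputer(storage)
    first = FirstMicrocomputer(FIRST_PROGRAM, secure.verification_value("first", FIRST_PROGRAM),
                               secure, storage, peer)
    return first.boot(), peer.state


def activation_without_acquisition_is_rejected() -> bool:
    """The OTP activation unit refuses an activation permission sent out of order."""
    peer = SecondMicrocomputer({"control_program_311": CONTROL_PROGRAM_311})
    try:
        peer.on_activation_permission()
    except RuntimeError:
        return True
    return False
```

A tampered second program leaves the second microcomputer parked in its second standby state, since the activation permission is never sent.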
- The communication unit 24 has a function for the second microcomputer 2 to communicate with other components of the control device 5, including the first microcomputer 1, and a function for communicating with a device external to the control device 5.
- The communication unit 24 may be configured by a communication module conforming to a standard such as SPI, MII, CAN, CAN FD, Ethernet, or FlexRay.
- The communication unit 24 may be composed of a plurality of communication units depending on the application and communication method.
- The communication unit 24 may be shared with a communication module that performs other communication. Note that the communication unit 24 includes an antenna and a modulation/demodulation circuit when wireless communication is performed.
- The communication unit 24 includes a connector and a modulation/demodulation circuit when wired communication is performed.
- the storage device 3 is composed of a non-volatile storage device such as flash memory, EEPROM, SSD, FRAM or magnetic disk.
- the storage device 3 has a second microcomputer storage area 31 .
- the second microcomputer storage area 31 stores a control program 311 as a second program and a second verification expected value 312 .
- the control program 311 is a program for the control device 5 to control the controlled object, and is a program executed by the control unit 21 of the second microcomputer 2 .
- The control program 311 is loaded into a predetermined storage area of the second microcomputer 2 and executed by the control unit 21 under the control of the activation execution unit 221.
- the control program 311 may be stored in a location where both the first microcomputer 1 and the second microcomputer 2 can read it.
- the second verification expected value 312 is a value expected to be calculated in the process of verifying whether or not the second program has been tampered with.
- the second verification expected value 312 may be stored in a location where the first microcomputer 1 can read it.
- the second verification expected value 312 may be stored in any one of the main data storage unit 113, the secure data storage unit 121, and the secure program storage unit 122, for example.
- The control device 5 may include a plurality of microcomputers having the same configuration as the second microcomputer 2. In that case, the storage device 3 stores a plurality of control programs 311 and a plurality of second verification expected values 312.
- FIG. 2 is a sequence diagram showing the flow of the activation processing of the control device 5 shown in FIG.
- In the following description it is assumed that the program stored in the main program storage unit 112 is executed by the main control unit 111, and that the program stored in the secure program storage unit 122 is executed by the secure control unit 123. It is also assumed that the programs stored in the program storage unit 22 and in the second microcomputer storage area 31 are executed by the control unit 21.
- the arrows shown in FIG. 2 indicate the conceptual flow of commands and data, and do not limit the communication direction or command direction.
- The activation process shown in FIG. 2 may include command and data flows other than the arrows shown in FIG. 2.
- the activation process shown in FIG. 2 is started after the control device 5 is powered on.
- the power of the control device 5 is turned on, for example, when the ignition switch of a vehicle or the like, which is a control target of the control device 5, is turned on.
- In step S101, the first microcomputer 1 uses the verification unit 1221 to verify whether or not the program stored in the main area 11 has been tampered with. Specifically, the first microcomputer 1 acquires the program corresponding to the address range indicated by the verification range information 1212, calculates the verification value, and compares it with the first verification expected value 1122. When the calculated verification value and the first verification expected value 1122 match, the first microcomputer 1 determines that the first program has not been tampered with, and determines that the verification is OK (verification success). On the other hand, if they do not match, the first microcomputer 1 cannot determine that the first program has not been tampered with, and determines that the verification is NG (verification unsuccessful).
- In step S102, when the first microcomputer 1 determines that the verification is OK in step S101, the process proceeds to step S104. On the other hand, when the first microcomputer 1 determines that the verification is NG in step S101, the process proceeds to step S103.
- In step S103, the first microcomputer 1 uses the verification unit 1221 to execute predetermined error processing. For example, as error processing, the first microcomputer 1 re-executes the verification processing of step S101, executes a degenerate operation that restricts a specific function of the first microcomputer 1, or completely stops the activation of the control device 5. Furthermore, the first microcomputer 1 can report that the verification is NG or that these error processes will be executed.
- In step S104, the first microcomputer 1 uses the first acquisition unit 1126 to acquire the second program and the second verification expected value 312 stored in the second microcomputer storage area 31 from the storage device 3.
- In step S105, the first microcomputer 1 uses the acquisition permission notification unit 1125 to notify the second microcomputer 2 of permission to acquire the second program.
- In step S106, the first microcomputer 1 uses the verification unit 1221 to verify whether or not the second program acquired in step S104 has been tampered with. Specifically, the first microcomputer 1 acquires the program corresponding to the address range indicated by the verification range information 1212, calculates the verification value, and compares it with the second verification expected value 312. When the calculated verification value and the second verification expected value 312 match, the first microcomputer 1 determines that the second program has not been tampered with, and determines that the verification is OK (verification success). On the other hand, if they do not match, the first microcomputer 1 cannot determine that the second program has not been tampered with, and determines that the verification is NG (verification unsuccessful).
- In step S107, when the first microcomputer 1 determines that the verification is OK in step S106, the process proceeds to step S109. On the other hand, when the first microcomputer 1 determines that the verification is NG in step S106, the process proceeds to step S108.
- In step S108, the first microcomputer 1 uses the verification unit 1221 to execute predetermined error processing. For example, as error processing, the first microcomputer 1 re-executes the verification processing of step S106, executes a degenerate operation that restricts a specific function of the second microcomputer 2, or completely stops the activation of the control device 5. Furthermore, the first microcomputer 1 can report that the verification is NG or that these error processes will be executed.
- In step S109, the first microcomputer 1 uses the activation permission notification unit 1124 to notify the second microcomputer 2 of the activation permission.
- In step S201, the second microcomputer 2 uses the activation execution unit 221 to shift to a standby state until the first microcomputer 1 notifies it of permission to acquire the second program.
- In step S202, when permission to acquire the second program is notified from the first microcomputer 1, the second microcomputer 2 uses the second acquisition unit 222 to acquire the second program from the second microcomputer storage area 31 of the storage device 3. After that, the second microcomputer 2 uses the activation execution unit 221 to shift to a standby state until the first microcomputer 1 notifies it of the activation permission for the second program.
- In step S203, when the first microcomputer 1 notifies the activation permission for the second program, the second microcomputer 2 activates the second program acquired in step S202 using the activation execution unit 221.
- In step S204, when the activation of the second program is completed, the second microcomputer 2 notifies the first microcomputer 1 of the activation completion of the second microcomputer 2 using the activation execution unit 221. By the processing shown in FIG. 2, the control device 5 can be safely activated.
- Note that step S105 in FIG. 2 need only be performed after step S102 and before step S109, and need not be performed between steps S104 and S106. Step S105 may be executed between steps S102 and S104, or between steps S107 and S109, for example.
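As an added illustration (this is not the patent's own code), the following C program simulates the activation sequence of FIG. 2 on a host: steps S101 to S109 on the first microcomputer and S201 to S204 on the second, including the two standby states and the "completely stop activation" error processing. The verification-value algorithm, the notification codes, the verification ranges and the program images are all assumptions, since the patent specifies none of them.

```c
/* Added example (not from the patent): host-side simulation of the FIG. 2
 * activation sequence. Algorithm, notification codes, ranges and images are
 * assumptions; the patent leaves them unspecified. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Verification range information 1212: which bytes of an image are covered. */
typedef struct { size_t offset; size_t length; } verify_range_t;

/* Stand-in for the unspecified verification-value calculation. A real device
 * would use a cryptographic hash or MAC; 64-bit FNV-1a keeps this self-contained.
 * Returns 0 (reject) when the range lies outside the image. */
static int verification_value(const uint8_t *img, size_t img_len, verify_range_t r, uint64_t *out)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    if (r.offset > img_len || r.length > img_len - r.offset)
        return 0;
    for (size_t i = 0; i < r.length; i++) {
        h ^= img[r.offset + i];
        h *= 0x100000001b3ULL;
    }
    *out = h;
    return 1;
}

/* Verification unit 1221: calculate over the range, compare in constant time. 1 = OK, 0 = NG. */
static int verify_image(const uint8_t *img, size_t img_len, verify_range_t r, uint64_t expected)
{
    uint64_t calc = 0;
    if (!verification_value(img, img_len, r, &calc))
        return 0;
    uint64_t d = calc ^ expected;
    unsigned char acc = 0;
    for (int i = 0; i < 8; i++)
        acc |= (unsigned char)(d >> (8 * i));
    return acc == 0;
}

/* Notifications from the first microcomputer to the second (assumed codes). */
enum { NOTIFY_ACQUIRE_PERMISSION = 1, NOTIFY_ACTIVATION_PERMISSION = 2 };

/* Second microcomputer: standby (S201), acquired and standby again (S202), running (S203/S204). */
typedef enum { MCU2_WAIT_ACQUIRE, MCU2_WAIT_ACTIVATE, MCU2_RUNNING } mcu2_state_t;

/* Second microcomputer storage area 31: control program 311 and expected value 312. */
typedef struct { const uint8_t *control_program; size_t len; uint64_t expected_value; } area31_t;

typedef struct {
    mcu2_state_t state;
    uint8_t loaded[64];             /* second program copied into the second microcomputer */
    size_t loaded_len;
    int activation_completed;       /* S204: completion reported back to the first microcomputer */
} mcu2_t;

/* Second acquisition unit 222 / activation execution unit 221 (OTP area):
 * the second microcomputer acts only on a notification, never on its own. */
static void mcu2_on_notify(mcu2_t *m, int notify, const area31_t *area)
{
    if (notify == NOTIFY_ACQUIRE_PERMISSION && m->state == MCU2_WAIT_ACQUIRE) {
        m->loaded_len = area->len < sizeof m->loaded ? area->len : sizeof m->loaded;
        memcpy(m->loaded, area->control_program, m->loaded_len);   /* S202: acquire */
        m->state = MCU2_WAIT_ACTIVATE;                              /* back to standby */
    } else if (notify == NOTIFY_ACTIVATION_PERMISSION && m->state == MCU2_WAIT_ACTIVATE) {
        m->state = MCU2_RUNNING;                                    /* S203: activate */
        m->activation_completed = 1;                                /* S204: notify completion */
    }
}

typedef enum { BOOT_OK = 0, BOOT_NG_FIRST = 1, BOOT_NG_SECOND = 2 } boot_result_t;

/* First microcomputer, steps S101-S109. Error processing chosen here is
 * "completely stop activation": after an NG no permission is ever sent. */
static boot_result_t mcu1_boot(const uint8_t *first, size_t first_len, verify_range_t r1,
                               uint64_t first_expected, const area31_t *area,
                               verify_range_t r2, mcu2_t *mcu2)
{
    if (!verify_image(first, first_len, r1, first_expected))      /* S101/S102 */
        return BOOT_NG_FIRST;                                       /* S103 */
    /* S104: second program and expected value 312 read from area 31 (this
     * example verifies the same image the second microcomputer loads). */
    mcu2_on_notify(mcu2, NOTIFY_ACQUIRE_PERMISSION, area);         /* S105 */
    if (!verify_image(area->control_program, area->len, r2, area->expected_value))
        return BOOT_NG_SECOND;                                      /* S106-S108 */
    mcu2_on_notify(mcu2, NOTIFY_ACTIVATION_PERMISSION, area);      /* S109 */
    return BOOT_OK;
}

/* Constructed images; expected values are computed from the untampered images
 * at provisioning time, as values 1122 and 312 would be. */
static boot_result_t run_demo(int tamper_first, int tamper_second, int *mcu2_activated)
{
    uint8_t first[32], second[32];
    for (size_t i = 0; i < 32; i++) { first[i] = (uint8_t)(0x10 + i); second[i] = (uint8_t)(0xA0 + i); }
    verify_range_t r1 = { 0, 32 }, r2 = { 4, 24 };
    uint64_t first_expected = 0, second_expected = 0;
    verification_value(first, 32, r1, &first_expected);
    verification_value(second, 32, r2, &second_expected);
    if (tamper_first)  first[20] ^= 0x01;     /* one bit flipped inside the verified range */
    if (tamper_second) second[10] ^= 0x01;
    area31_t area = { second, 32, second_expected };
    mcu2_t mcu2 = { MCU2_WAIT_ACQUIRE, { 0 }, 0, 0 };
    boot_result_t res = mcu1_boot(first, 32, r1, first_expected, &area, r2, &mcu2);
    *mcu2_activated = mcu2.activation_completed;
    return res;
}

static int demo_result(int tf, int ts) { int a; return (int)run_demo(tf, ts, &a); }
static int demo_mcu2_activated(int tf, int ts) { int a; run_demo(tf, ts, &a); return a; }

int main(void)
{
    printf("untampered:      result=%d activated=%d\n", demo_result(0, 0), demo_mcu2_activated(0, 0));
    printf("tampered first:  result=%d activated=%d\n", demo_result(1, 0), demo_mcu2_activated(1, 0));
    printf("tampered second: result=%d activated=%d\n", demo_result(0, 1), demo_mcu2_activated(0, 1));
    return 0;
}
```

With a tampered second program the second microcomputer has already acquired the image at S202 but stays in standby, since the activation permission of S109 is never sent.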
- FIG. 3 is a flow chart showing the flow of the update process of the control device 5 shown in FIG.
- the update process shown in FIG. 3 starts when a request to update the program or data of the control device 5 is sent from an external device of the control device 5 .
- In step S301, the control device 5 receives an update request from an external device via the communication unit 114 or the communication unit 24. Using the main update unit 1123, the control device 5 transitions to a standby state in which it waits until an update package is received. Before transitioning to this standby state, the control device 5 may perform predetermined device authentication to verify that the external device that sent the update request is a legitimate device.
- In step S302, the control device 5 uses the main update unit 1123 to receive the update package from the external device and store it in a predetermined storage area.
- a predetermined storage area for storing update packages may be provided in either or both of the main data storage unit 113 and the storage device 3, for example.
- a predetermined storage area for storing update packages may be provided in a volatile storage device or may be provided in a non-volatile storage device.
- In step S303, the first microcomputer 1 uses the verification unit 1221 to verify whether or not the update package received in step S302 has been tampered with. Specifically, the first microcomputer 1 acquires the program corresponding to the address range indicated by the verification range information 1212, calculates the verification value, and compares it with the verification expected value for the update package. When the calculated verification value and the verification expected value match, the first microcomputer 1 determines that the update package has not been tampered with and determines that the verification is OK (verification success). On the other hand, if the calculated verification value and the verification expected value do not match, the first microcomputer 1 cannot determine that the update package has not been tampered with, and determines that the verification is NG (verification unsuccessful).
- In step S304, when the first microcomputer 1 determines that the verification is OK in step S303, the process proceeds to step S306. On the other hand, when the first microcomputer 1 determines that the verification is NG in step S303, the process proceeds to step S305.
- In step S305, the first microcomputer 1 uses the verification unit 1221 to execute predetermined error processing. For example, as error processing, the first microcomputer 1 re-executes the verification process of step S303, restricts updating of a specific function of the first microcomputer 1 or the second microcomputer 2, or completely stops the update of the control device 5. Furthermore, the first microcomputer 1 can report that the verification is NG or that these error processes will be executed.
- In step S306, the first microcomputer 1 uses the encryption processing unit 1222 to decrypt the update package based on the encryption key 1211 used for confidentiality and a predetermined algorithm. For example, the first microcomputer 1 may perform encryption processing and decryption processing using AES-CBC. Further, the first microcomputer 1 may perform the decryption processing based on the update package encryption key 1211 stored in the secure data storage unit 121, which only the secure control unit 123 can access.
- Then, the first microcomputer 1 uses the main update unit 1123 (and the secure update unit 1223) to store the update package decrypted in step S306 in the storage location of the program or data to be updated. For this purpose, the update package may include address information specifying the storage location of the update target.
- An update package may consist of multiple update programs or pieces of update data. A storage destination ID may be assigned to each of these update programs or pieces of update data. For example, when an update package is composed of an update program for updating the verification unit 1221 and update data for updating the encryption key 1211, the update program may be given an ID corresponding to the address information of the verification unit 1221, and the update data an ID corresponding to the address information of the encryption key 1211.
- As described above, the control device 5 of the first embodiment includes the first microcomputer 1 including the processor that executes the first program, the second microcomputer 2 including the processor that executes the second program, and the storage device 3 that stores the second program.
- The first microcomputer 1 has the verification unit 1221, which verifies whether or not the first program and the second program have been tampered with, and the first acquisition unit 1126, which acquires the second program from the storage device 3 when the verification unit 1221 verifies that the first program has not been tampered with.
- The first microcomputer 1 further has the activation permission notification unit 1124, which, when the verification unit 1221 verifies that the second program has not been tampered with, notifies the second microcomputer 2 of an activation permission permitting the second microcomputer 2 to start the second program.
- The second microcomputer 2 has the second acquisition unit 222, which acquires the second program from the storage device 3, and the activation execution unit 221, which activates the second program when the activation permission is notified.
- With this configuration, the first microcomputer 1 having the program verification function not only verifies, at startup, the second program executed by the second microcomputer 2 that does not have the program verification function, but can also verify the first program that the first microcomputer 1 itself executes. Then, the first microcomputer 1 can verify the second program based on the function of the first program that has been confirmed to be free of tampering, and permit the activation of the second program that has been confirmed to be free of tampering. Therefore, even if the program verification function is not installed in both the first microcomputer 1 and the second microcomputer 2, the control device 5 of the first embodiment can appropriately detect and deal with tampering of either the first program or the second program. Therefore, the control device 5 of the first embodiment can easily realize safe activation of a control device having a plurality of processing units.
- Further, in the control device 5 of the first embodiment, the first microcomputer 1 has the secure area 12 with tamper resistance, the second microcomputer 2 has the OTP area in which the program cannot be rewritten, the verification unit 1221 is stored in the secure area 12, and the second acquisition unit 222 and the activation execution unit 221 are stored in the OTP area.
- Thereby, the first microcomputer 1 of the first embodiment can verify the first program at startup based on the verification unit 1221 stored in the secure area 12, such as an HSM, which ensures tamper resistance. Then, the first microcomputer 1 can verify the second program based on the function of the first program that has been confirmed to be free of tampering, and permit the activation of the second program that has been confirmed to be free of tampering. On the other hand, the second microcomputer 2 of the first embodiment can acquire the second program using the second acquisition unit 222 stored in the unalterable OTP area.
- Therefore, the control device 5 of the first embodiment can reliably prevent tampering of the verification unit 1221, which realizes the security function of the control device 5, and of the second acquisition unit 222 and the activation execution unit 221, which are involved in the activation of the second program. Consequently, the control device 5 of the first embodiment does not require both the first microcomputer 1 and the second microcomputer 2 to be equipped with a security function of a high security level such as an HSM, and can further improve safety at startup.
- Further, the activation execution unit 221 keeps the second microcomputer 2 in the standby state after the second acquisition unit 222 acquires the second program and until the activation permission for the second program is notified.
- Thereby, the control device 5 of the first embodiment can reliably prevent an illegal situation, such as the second microcomputer 2 activating a malicious program, from occurring after the acquisition of the second program and before the notification of the activation permission. Therefore, the control device 5 of Embodiment 1 can further improve the safety at the time of starting a control device including a plurality of processing units.
- Further, the first microcomputer 1 has the acquisition permission notification unit 1125, which, when the verification unit 1221 verifies that the first program has not been tampered with, notifies the second microcomputer 2 of an acquisition permission permitting the second microcomputer 2 to acquire the second program from the storage device 3. The acquisition permission notification unit 1125 notifies the second microcomputer 2 of the acquisition permission before the activation permission notification unit 1124 notifies the second microcomputer 2 of the activation permission. The second acquisition unit 222 acquires the second program from the storage device 3 when the acquisition permission is notified.
- Thereby, once it is confirmed that the first program has not been tampered with, the second microcomputer 2 of the first embodiment acquires the second program before being notified of the activation permission for the second program, so that the second program can be started as soon as the activation permission is notified. Therefore, the control device 5 of the first embodiment can easily realize safe and high-speed startup of a control device having a plurality of processing units.
- Further, the activation execution unit 221 keeps the second microcomputer 2 in the standby state from when the power of the control device 5 is turned on until the permission to acquire the second program is notified.
- Thereby, the control device 5 of the first embodiment can reliably prevent an illegal situation in which the second microcomputer 2 starts a tampered program during the period from when the power of the control device 5 is turned on until the acquisition permission is notified. Therefore, the control device 5 of Embodiment 1 can further improve the safety at the time of starting a control device including a plurality of processing units.
- Further, the secure area 12 is an area in which the program can be rewritten, and the first microcomputer 1 has the secure update unit 1223, which updates the update target stored in the secure area 12 with an update package.
- The verification unit 1221 verifies whether or not the update package has been tampered with. If the verification unit 1221 verifies that the update package has not been tampered with, the main update unit 1123 and the secure update unit 1223 update the update target with the update package.
- Thereby, the algorithm of the verification unit 1221 and the data of the encryption key 1211 stored in the secure area 12 can be updated.
- The control device 5 may be a control device for a machine or device with a relatively long product life, such as an automobile.
- For example, when the control device 5 is configured as an in-vehicle ECU, the control device 5 must continue to ensure the safety of its control over a long period exceeding 10 years, because the driving control of the vehicle is related to human life.
- Over such a long period, it is possible that the algorithms and data that constitute the program verification function related to travel control will be compromised. In the unlikely event that these algorithms and data are compromised, they should be updated to safe algorithms and data.
- If the program verification function is stored in the OTP area as in Patent Document 1, these compromised algorithms and data cannot be updated to safe algorithms and data.
- In the control device 5 of Embodiment 1, however, it is possible to update the algorithm of the verification unit 1221 and the data of the encryption key 1211 stored in the secure area 12, which guarantees tamper resistance like an HSM.
- Therefore, the control device 5 of the first embodiment can update the algorithm of the verification unit 1221 and the data of the encryption key 1211 to safe algorithms and data before they are compromised. Consequently, the control device 5 of the first embodiment can realize long-term safe startup over the product life even if the control target is a machine with a relatively long product life.
- FIG. 4 is a diagram showing the functional configuration of the control device 5 of the second embodiment.
- FIG. 5 is a sequence diagram showing the flow of the activation processing of the control device 5 shown in FIG. 4. The activation process shown in FIG. 5 corresponds to the activation process shown in FIG. 2, and is started after the control device 5 is powered on.
- Also in the second embodiment, the verification unit 1221 is stored in the secure area 12, and the second acquisition unit 222 and the activation execution unit 221 are stored in the OTP area of the second microcomputer 2.
- the storage device 3 may store not only the second program but also the first program.
- The main control program 1121, the main update unit 1123, the activation permission notification unit 1124, and the acquisition permission notification unit 1125 of the second embodiment may be stored, as the first program, in the first microcomputer storage area 32 of the storage device 3.
- The first verification expected value 1122 of the second embodiment may also be stored in the first microcomputer storage area 32 of the storage device 3.
- In the second embodiment, the main program storage unit 112 has an OTP area in which the program cannot be rewritten, and the first acquisition unit 1126 may be stored in that OTP area. Then, the first acquisition unit 1126 of the second embodiment not only acquires the second program and the second verification expected value 312 from the storage device 3, but may also acquire the first program and the first verification expected value 1122 from the storage device 3.
- After the power is turned on, the first microcomputer 1 of the second embodiment uses the first acquisition unit 1126 to acquire the first program from the first microcomputer storage area 32 of the storage device 3.
- Thereafter, the first microcomputer 1 of the second embodiment may execute steps S101 to S109 as in the first embodiment.
- The second microcomputer 2 of the second embodiment may execute steps S201 to S204 similar to those of the first embodiment.
- The first microcomputer 1 of the second embodiment can also acquire both the first program and the second program at once using the first acquisition unit 1126.
- In that case, the first microcomputer 1 of the second embodiment can omit step S104.
- Then, the first microcomputer 1 of the second embodiment can execute step S105 and notify the second microcomputer 2 of the permission to acquire the second program immediately after it is verified that the first program has not been tampered with (immediately after YES in step S102).
- As described above, in the control device 5 of the second embodiment, the verification unit 1221 is stored in the secure area 12, and the first acquisition unit 1126, the second acquisition unit 222, and the activation execution unit 221 are stored in OTP areas.
- Thereby, the control device 5 of the second embodiment can reliably prevent tampering of the verification unit 1221, which realizes the security function of the control device 5, and of the first acquisition unit 1126, the second acquisition unit 222, and the activation execution unit 221, which are involved in starting the first program and the second program.
- Further, since the storage device 3 has higher expandability than the first microcomputer 1, it can be replaced with a storage device of larger capacity, so that a need for additional capacity can be easily dealt with. Therefore, the control device 5 of the second embodiment can easily and continuously implement safe activation of a control device having a plurality of processing units.
- The present invention is not limited to the above-described embodiments, and includes various modifications.
- The above embodiments have been described in detail in order to explain the present invention in an easy-to-understand manner, and the invention is not necessarily limited to those having all the configurations described.
- It is possible to replace part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment.
- Each of the above configurations, functions, processing units, processing means, etc. may be realized in hardware, for example by designing part or all of them as integrated circuits.
- Each of the above configurations, functions, etc. may also be realized in software by a processor interpreting and executing a program that realizes each function.
- Information such as programs, tables, and files that implement each function can be stored in a recording device such as a memory, a hard disk, or an SSD, or on a recording medium such as an IC card, an SD card, or a DVD.
- Control lines and information lines indicate what is considered necessary for explanation, and not all control lines and information lines of the product are necessarily indicated. In practice, it may be considered that almost all configurations are interconnected.
- Reference Signs List: 1 First microcomputer (first arithmetic processing unit); 111 Main control unit (processor); 1123 Main update unit; 1124 Activation permission notification unit; 1125 Acquisition permission notification unit; 1126 First acquisition unit; 12 Secure area; 1221 Verification unit; 1223 Secure update unit; 2 Second microcomputer (second arithmetic processing unit); 21 Control unit (processor); 221 Activation execution unit; 222 Second acquisition unit; 3 Storage device; 5 Control device
Description
Problems, configurations, and effects other than those described above will be clarified by the following description of the embodiments.
In the present embodiment, an example of a control device is described in which an arithmetic processing unit such as a microcomputer is equipped with a secure boot function that verifies the safety of a program at startup. However, the technical idea of the present invention can be widely applied to information security technologies such as cryptographic processing and verification processing of electronic signatures.
The control device 5 of the second embodiment is described with reference to FIGS. 4 and 5. For the control device 5 of the second embodiment, the description of configurations and operations similar to those of the first embodiment is omitted.
Note that the present invention is not limited to the above embodiments and includes various modifications. For example, the above embodiments have been described in detail in order to explain the present invention in an easy-to-understand manner, and the invention is not necessarily limited to those having all the configurations described. It is also possible to replace part of the configuration of one embodiment with the configuration of another embodiment, and to add the configuration of another embodiment to the configuration of one embodiment. Further, for part of the configuration of each embodiment, addition, deletion, or replacement of other configurations is possible.
Claims (7)
1. A control device comprising: a first arithmetic processing unit including a processor that executes a first program; a second arithmetic processing unit including a processor that executes a second program; and a storage device in which the second program is stored, wherein the first arithmetic processing unit has: a verification unit that verifies whether or not each of the first program and the second program has been tampered with; a first acquisition unit that acquires the second program from the storage device when the verification unit verifies that the first program has not been tampered with; and an activation permission notification unit that, when the verification unit verifies that the second program has not been tampered with, notifies the second arithmetic processing unit of an activation permission permitting the second arithmetic processing unit to activate the second program, and the second arithmetic processing unit has: a second acquisition unit that acquires the second program from the storage device; and an activation execution unit that activates the second program when the activation permission is notified.
2. The control device according to claim 1, wherein the first arithmetic processing unit has a tamper-resistant secure area, the second arithmetic processing unit has an OTP area in which a program cannot be rewritten, the verification unit is stored in the secure area, and the second acquisition unit and the activation execution unit are stored in the OTP area.
3. The control device according to claim 2, wherein the activation execution unit shifts the second arithmetic processing unit to a standby state after the second acquisition unit acquires the second program until the activation permission is notified.
4. The control device according to claim 2, wherein the secure area is an area in which a program can be rewritten, the first arithmetic processing unit has an update unit that updates an update target stored in the secure area with an update package, the verification unit verifies whether or not the update package has been tampered with, and the update unit updates the update target with the update package when the verification unit verifies that the update package has not been tampered with.
5. The control device according to claim 2, wherein the first arithmetic processing unit has an acquisition permission notification unit that, when the verification unit verifies that the first program has not been tampered with, notifies the second arithmetic processing unit of an acquisition permission permitting the second arithmetic processing unit to acquire the second program from the storage device, the acquisition permission notification unit notifies the second arithmetic processing unit of the acquisition permission before the activation permission notification unit notifies the second arithmetic processing unit of the activation permission, and the second acquisition unit acquires the second program from the storage device when the acquisition permission is notified.
6. The control device according to claim 5, wherein the activation execution unit shifts the second arithmetic processing unit to a standby state after power-on of the control device until the acquisition permission is notified.
7. The control device according to claim 1, wherein the first arithmetic processing unit has a tamper-resistant secure area and an OTP area in which a program cannot be rewritten, the second arithmetic processing unit has an OTP area in which a program cannot be rewritten, the storage device stores the first program and the second program, the verification unit is stored in the secure area, the first acquisition unit is stored in the OTP area of the first arithmetic processing unit and acquires the first program from the storage device, and the second acquisition unit and the activation execution unit are stored in the OTP area of the second arithmetic processing unit.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202180083321.0A CN116569170A (zh) | 2021-03-02 | 2021-08-23 | 控制装置 |
US18/258,392 US20240020386A1 (en) | 2021-03-02 | 2021-08-23 | Control apparatus |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2021032856A JP2022133908A (ja) | 2021-03-02 | 2021-03-02 | 制御装置 |
JP2021-032856 | 2021-03-02 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022185570A1 true WO2022185570A1 (ja) | 2022-09-09 |
Family
ID=83155227
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/030789 WO2022185570A1 (ja) | 2021-03-02 | 2021-08-23 | 制御装置 |
Country Status (4)
Country | Link |
---|---|
US (1) | US20240020386A1 (ja) |
JP (1) | JP2022133908A (ja) |
CN (1) | CN116569170A (ja) |
WO (1) | WO2022185570A1 (ja) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2019212114A (ja) * | 2018-06-06 | 2019-12-12 | Canon Inc. | Information processing apparatus, control method therefor, and program |
JP2020047064A (ja) * | 2018-09-20 | 2020-03-26 | Canon Inc. | Information processing apparatus, control method therefor, and program |
JP2020140561A (ja) * | 2019-02-28 | 2020-09-03 | Canon Inc. | Information processing apparatus and information processing method |
JP2020154601A (ja) * | 2019-03-19 | 2020-09-24 | Canon Inc. | Information processing apparatus, control method therefor, and program |
Family events (2021)
- 2021-03-02 JP JP2021032856A patent/JP2022133908A/ja active Pending
- 2021-08-23 US US18/258,392 patent/US20240020386A1/en active Pending
- 2021-08-23 CN CN202180083321.0A patent/CN116569170A/zh active Pending
- 2021-08-23 WO PCT/JP2021/030789 patent/WO2022185570A1/ja active Application Filing
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21929138; Country of ref document: EP; Kind code of ref document: A1 |
WWE | Wipo information: entry into national phase | Ref document number: 202180083321.0; Country of ref document: CN |
WWE | Wipo information: entry into national phase | Ref document number: 18258392; Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 21929138; Country of ref document: EP; Kind code of ref document: A1 |