WO2023221251A1 - Controller security management method and apparatus, and vehicle and storage medium - Google Patents



Publication number
WO2023221251A1
Authority
WO
WIPO (PCT)
Prior art keywords
function
signature
controller
application function
verification key
Application number
PCT/CN2022/102615
Other languages
French (fr)
Chinese (zh)
Inventor
蒋春阳
万军
宋卫桥
Original Assignee
惠州市德赛西威汽车电子股份有限公司
Application filed by 惠州市德赛西威汽车电子股份有限公司
Publication of WO2023221251A1


Classifications

    • B PERFORMING OPERATIONS; TRANSPORTING
    • B60 VEHICLES IN GENERAL
    • B60R VEHICLES, VEHICLE FITTINGS, OR VEHICLE PARTS, NOT OTHERWISE PROVIDED FOR
    • B60R25/00 Fittings or systems for preventing or indicating unauthorised use or theft of vehicles
    • B60R25/20 Means to switch the anti-theft system on or off
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols; the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Definitions

  • The present application relates to the field of vehicle management technology, and in particular to a controller security management method, device, vehicle and storage medium.
  • This application provides a controller security management method, device, vehicle and storage medium to achieve security management of the controller.
  • A controller security management method is provided, which is applied to a control system.
  • The control system includes a controller and a hardware encryption management module.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores the secure startup function, the first area verification key and the second area verification key.
  • The second partition stores application functions and application function signatures.
  • The first partition is set as a one-time programmable area. The method includes:
  • A controller security management device is provided, which is applied to a controller.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores a secure startup function, a first area verification key and a second area verification key.
  • The second partition stores application functions and application function signatures.
  • The first partition is set as a one-time programmable area. The device includes:
  • a key storage module, configured to call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module when it is detected that the controller is powered on for the first time;
  • a signature storage module, configured to determine a startup function signature based on the secure startup function and the first area verification key, and to store it in the hardware encryption management module;
  • a startup module, configured to control the startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to implement secure startup of the controller.
  • A vehicle is provided, including a control system that includes a controller and a hardware encryption management module;
  • the memory is used to store one or more programs;
  • when the one or more programs are executed by the controller, the controller is caused to implement the controller security management method described in any embodiment of this application.
  • A computer-readable storage medium stores computer instructions, and the computer instructions, when executed by a processor, are used to implement the controller security management method of any embodiment of the present application.
  • The embodiment of the present application provides a controller security management method, which is applied to a control system.
  • The control system includes a controller and a hardware encryption management module.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores a secure startup function.
  • The method includes: when it is detected that the controller is powered on for the first time, calling the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module; determining the startup function signature based on the secure startup function and the first area verification key, and storing it in the hardware encryption management module; and calling the application function under the control of the secure startup function combined with the second area verification key and the application function signature, so as to achieve secure startup of the controller. This solves the problem that function security cannot be guaranteed during the startup process of the controller.
  • The startup function signature is determined through the secure startup function and the first area verification key, and is stored in the hardware encryption management module so that the secure startup function can be verified securely during subsequent startups.
  • The application function is verified through the secure startup function combined with the second area verification key and the application function signature, and the application function is called based on the verification result, so as to achieve secure startup of the controller and prevent functions from being intruded upon, tampered with or illegally injected by malware, thereby ensuring the normal and safe operation of the device.
  • Figure 1 is a flow chart of a controller security management method provided according to Embodiment 1 of the present application.
  • Figure 2 is a flow chart of a controller security management method provided according to Embodiment 2 of the present application.
  • Figure 3 is a schematic structural diagram of a controller security management device provided according to Embodiment 3 of the present application.
  • Figure 4 is a schematic structural diagram of a vehicle that implements the controller security management method according to the embodiment of the present application.
  • FIG. 1 is a flow chart of a controller security management method provided in Embodiment 1 of the present application. This embodiment can be applied to the situation of security management of a controller.
  • The method can be executed by the controller security management device.
  • The controller security management device can be implemented in the form of hardware and/or software, and can be configured in the controller.
  • The method is applied to a control system.
  • The control system includes a controller and a hardware encryption management module.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores the secure startup function, the first area verification key and the second area verification key; the second partition stores application functions and application function signatures; and the first partition is set as a one-time programmable area.
  • This application partitions the memory of the controller into a first partition and a second partition, which store different types of data respectively.
  • The method includes:
  • The secure startup function can be understood as a function that initializes and starts the system.
  • The first area verification key can be understood as a key used to verify the startup function.
  • The second area verification key is correspondingly a key used to verify application functions.
  • The hardware encryption management module can be understood as a module that manages keys.
  • The hardware encryption management module in this application is an HSM (hardware security module).
  • The controller in this application may be a micro control unit (MCU).
  • The secure startup function is called to obtain the first area verification key and the second area verification key from the first partition, and the first area verification key and the second area verification key are loaded into the hardware encryption management module and stored there.
  • The first power-on startup in this application is the first power-on startup after data has been written to the first partition and the second partition during the MCU development process.
  • At that point the device in which the controller is used may not yet have officially left the factory or entered use.
  • The second partition in this application can also store other types of data.
  • S102: Determine the startup function signature according to the secure startup function and the first area verification key, and store it in the hardware encryption management module.
  • The startup function signature can be understood as signature information used to verify the security and legality of the secure startup function.
  • Using the first area verification key as the key of the algorithm, a startup function signature corresponding to the secure startup function is generated, and the startup function signature is stored in the hardware encryption management module.
  • The startup function signature in this application can use a message authentication code based on block encryption (Cipher Block Chaining message authentication code, CMAC).
  • The application function signature can be understood as signature information used for security verification of the application function; the application function can be understood as a function that executes or realizes a certain function. A signature is generated based on the secure startup function and the second area verification key, the generated signature is verified against the application function signature, and the verification result is determined. When the verification passes, the application function is called normally and the corresponding function is executed, realizing secure startup of the controller.
  • The embodiment of the present application provides a controller security management method, which is applied to a control system.
  • The control system includes a controller and a hardware encryption management module.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores a secure startup function.
  • The second partition stores application functions and application function signatures.
  • The first partition is set as a one-time programmable area, which solves the problem that function security cannot be guaranteed during the startup process of the controller.
  • The first partition and the second partition of the memory are set to store different data.
  • The first partition is set as a one-time programmable area to avoid data tampering.
  • The first area verification key and the second area verification key are set.
  • The startup function signature is determined through the secure startup function and the first area verification key, and is stored in the hardware encryption management module so that the secure startup function can be verified securely during subsequent startups.
  • The application function is verified through the secure startup function combined with the second area verification key and the application function signature, and the application function is called based on the verification result, so as to achieve secure startup of the controller and prevent functions from being intruded upon, tampered with or illegally injected by malware, thereby ensuring the normal and safe operation of the device.
  • FIG. 2 is a flow chart of a controller security management method provided in Embodiment 2 of the present application. This embodiment is a refinement of the above embodiment. As shown in Figure 2, the method includes:
  • S202: Process the secure startup function and the first area verification key according to the predetermined first preset algorithm, determine the startup function signature, and store it in the hardware encryption management module.
  • The first preset algorithm can be understood as an encryption algorithm, such as a hash algorithm, the AES-128 algorithm, the AES-192 algorithm, the AES-256 algorithm, etc.
  • A first preset algorithm is determined in advance; the secure startup function and the first area verification key are encrypted according to the first preset algorithm, a startup function signature is generated, and it is stored in the hardware encryption management module.
  • The secure startup function in this application can be implemented in code. Therefore, when generating the startup function signature, the secure startup code corresponding to the secure startup function can be combined with the first area verification key and encrypted through the first preset algorithm to generate the startup function signature.
  • S203: Process the secure startup function and the second area verification key according to the predetermined second preset algorithm to determine the application function signature to be verified.
  • The second preset algorithm can be understood as an encryption algorithm; the second preset algorithm and the first preset algorithm may be the same or different.
  • The application function signature to be verified can be understood as a signature that requires verification and is used to verify the legality of the application function.
  • A second preset algorithm is determined in advance, and the secure startup function and the second area verification key are encrypted using the second preset algorithm to obtain the application function signature to be verified.
  • The application function signature to be verified can also be generated based on the secure startup code corresponding to the secure startup function.
  • The startup function signature to be verified can be understood as a signature that requires verification and is used to determine whether the secure startup function is legal.
  • The secure startup function and the first area verification key are obtained from the first partition, the secure startup function and the first area verification key are encrypted according to the first preset algorithm to generate a startup function signature to be verified, and the startup function signature stored in the hardware encryption management module is obtained.
  • The application function will be upgraded due to function updates or other reasons.
  • The controller can be upgraded after the first power-on and before the second power-on; it can also be upgraded after the n-th power-on and startup. Therefore, in the execution order of S205-S206 and S207-S210, the upgrade may come first or last.
  • Figure 2 takes the upgrade as an example to illustrate the controller security management method.
  • The signature of the application function to be upgraded can be understood as signature information used for verification of the application function upgrade.
  • The second area verification key verification data information can be understood as information used for security verification during the upgrade process.
  • The version or date is used to determine whether the application function needs to be upgraded.
  • When it does, the application function is determined to be upgraded; alternatively, the user upgrades manually.
  • A manual upgrade by the user can be triggered, when the user discovers a new version of the application function, by a click, double-click, slide, etc.
  • The controller establishes a connection with the cloud, a host computer or the like, determines whether a new version of the application function exists, and determines that the application function is to be upgraded when a new version exists.
  • The signature of the application function to be upgraded, the random number and the second area verification key verification data information can be stored in the cloud, the host computer, etc., and can be stored in the same space as the new application function.
  • The signature of the application function to be upgraded, the random number and the second area verification key verification data information can also be stored in the second partition after the upgrade of the application function is completed, so that the random number and the second area verification key verification data information originally stored in the second partition are updated.
  • Along with the signature of the application function to be upgraded, the random number and the second area verification key verification data information, the length information of the application function can also be obtained.
  • Key verification is performed based on the random number and the second area verification key verification data information, which is refined as:
  • A1. Determine the real key based on the random number and the second area verification key verification data information combined with the predetermined third preset algorithm.
  • The third preset algorithm is a decryption algorithm, for example the AES algorithm or the hash algorithm.
  • The AES algorithm and the hash algorithm can perform both encryption and decryption operations.
  • The third preset algorithm in this application may use the same algorithm as the first preset algorithm and the second preset algorithm, or a different one.
  • The first preset algorithm and the second preset algorithm perform encryption operations on the data;
  • the third preset algorithm performs a decryption operation on the data.
  • The real key can be understood as the key corresponding to the second area verification key verification data information, obtained by the decryption process. The random number and the second area verification key verification data information are decrypted according to the third preset algorithm to obtain the real key.
  • The new application function is an upgraded application function.
  • The functions of the new application function are more comprehensive than those of the original application function, being an extension and optimization of the original application function. New application functions can be stored in the cloud, the host computer, etc.
  • This optional embodiment further refines controlling the upgrade of the application function based on the new application function, the second area verification key and the signature of the application function to be upgraded as follows:
  • B1. Process the new application function and the second area verification key according to the predetermined fourth preset algorithm, and determine the upgrade function signature to be verified.
  • The fourth preset algorithm is a preset algorithm, which may be the same as the first preset algorithm, the second preset algorithm and the third preset algorithm, or may be different.
  • The upgrade function signature to be verified can be understood as signature information used to verify the legality of the new application function.
  • A fourth preset algorithm is determined in advance, the new application function and the second area verification key are encrypted using the fourth preset algorithm, and the upgrade function signature to be verified is generated.
  • New application functions can also be implemented in code. Therefore, when determining the upgrade function signature to be verified, the encryption operation can be performed on the code corresponding to the new application function, thereby determining the upgrade function signature to be verified.
  • The application function is replaced by the new application function, and the new application function is executed to implement the corresponding function.
  • The new application function can replace the application function either by directly deleting the original application function and overwriting it with the new application function, or by not deleting the original application function but, after the secure startup function has been verified when the controller starts, directly calling the new application function when the application function is called.
  • The application function is stored in the second partition. Since the second partition is not set as a one-time programmable area, the data in the second partition can be modified, so the application function can be upgraded.
  • Secure startup is thus ensured without affecting device upgrades.
  • If the bootloader or APP fails to run, the previous version of the application function can be switched to through the rollback function, thereby solving the problem of the machine being unable to start and improving the stability and reliability of the product.
  • This application sets area verification keys for the first area and the second area respectively to ensure area security. Multiple area verification keys can also be used for encryption and decryption.
  • The embodiment of the present application provides a controller security management method, which is applied to a control system.
  • The control system includes a controller and a hardware encryption management module.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition is set as a one-time programmable area.
  • Setting the first partition as a one-time programmable area ensures the security of the secure startup function and prevents it from being tampered with, solving the problem that function security cannot be guaranteed during the startup process of the controller.
  • The first and second partitions of the memory are set to store different data, and the first and second area verification keys are stored in the hardware encryption management module to avoid key loss and tampering.
  • The startup function signature is determined through the secure startup function and the first area verification key, and is stored in the hardware encryption management module so that the secure startup function can be verified securely during subsequent startups.
  • The application function is verified through the secure startup function combined with the second area verification key and the application function signature, and the application function is called based on the verification result, so as to achieve secure startup of the controller and prevent functions from being intruded upon, tampered with or illegally injected by malware, thereby ensuring the normal and safe operation of the device.
  • The data in the second partition can be modified, ensuring secure startup without affecting device upgrades.
  • The device startup and upgrade processes require multiple verifications to ensure data security.
  • Figure 3 is a schematic structural diagram of a controller security management device provided in Embodiment 3 of the present application.
  • The device is applied to a controller.
  • The memory of the controller includes a first partition and a second partition.
  • The first partition stores the secure startup function, the first area verification key and the second area verification key; the second partition stores application functions and application function signatures; and the first partition is set as a one-time programmable area.
  • The device includes: a key storage module 31, a signature storage module 32 and a startup module 33.
  • The key storage module 31 is used to call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module when it is detected that the controller is powered on for the first time;
  • the signature storage module 32 is configured to determine the startup function signature according to the secure startup function and the first area verification key, and to store it in the hardware encryption management module;
  • the startup module 33 is configured to control the startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
  • The embodiment of the present application provides a controller security management device, which solves the problem that function security cannot be guaranteed during the startup process of the controller.
  • The startup function signature is determined through the secure startup function and the first area verification key, and is stored in the hardware encryption management module so as to perform security verification of the secure startup function during subsequent startups.
  • The application function is verified through the secure startup function combined with the second area verification key and the application function signature, and the application function is called based on the verification result, so as to achieve secure startup of the controller and prevent functions from being intruded upon, tampered with or illegally injected by malware, thereby ensuring the normal and safe operation of the device.
  • The signature storage module 32 is specifically configured to process the secure startup function and the first area verification key according to a predetermined first preset algorithm to determine the startup function signature.
  • The device also includes:
  • a startup signature verification module, used to determine the startup function signature to be verified based on the secure startup function and the first area verification key when it is detected that the controller is not powered on for the first time, and to obtain the startup function signature stored in the hardware encryption management module;
  • an application function calling module, configured to call the application function according to the secure startup function in combination with the second area verification key and the application function signature if the startup function signature to be verified is consistent with the stored startup function signature, so as to achieve secure startup of the controller.
  • Calling the application function according to the secure startup function in combination with the second area verification key and the application function signature includes: processing the secure startup function and the second area verification key according to a predetermined second preset algorithm to determine the application function signature to be verified; and, if the application function signature to be verified is consistent with the application function signature, calling the application function.
  • The device also includes:
  • an upgrade information acquisition module, configured to obtain the signature of the application function to be upgraded, the random number and the second area verification key verification data information when an upgrade of the application function is detected;
  • a random number verification module, configured to perform key verification based on the random number and the second area verification key verification data information;
  • an application function acquisition module, used to obtain the new application function if the verification passes;
  • an application function upgrade module, configured to control the upgrade of the application function according to the new application function, the second area verification key and the signature of the application function to be upgraded.
  • The random number verification module includes:
  • a real key determination unit, configured to determine the real key based on the random number and the second area verification key verification data information combined with a predetermined third preset algorithm;
  • a key acquisition unit, used to acquire the second area verification key stored in the hardware encryption management module;
  • a key verification unit, configured to determine that the key verification result is "passed" if the real key is consistent with the second area verification key.
  • The application function upgrade module includes:
  • an upgrade signature determination unit, configured to process the new application function and the second area verification key according to a predetermined fourth preset algorithm to determine the upgrade function signature to be verified;
  • an upgrade verification unit, configured to replace the application function with the new application function if the upgrade function signature to be verified is consistent with the signature of the application function to be upgraded, so as to realize the upgrade of the application function.
  • The controller security management device provided by the embodiments of this application can execute the controller security management method provided by any embodiment of this application, and has the functional modules and effects corresponding to the executed method.
  • FIG. 4 shows a schematic structural diagram of a vehicle that can be used to implement embodiments of the present application.
  • the vehicle includes a control system 41 including a controller 411 and a hardware encryption management module 412 .
  • the components shown herein, their connections and relationships, and their functions are examples only and are not intended to limit the implementation of the present application as described and/or claimed herein.
  • The vehicle includes at least one controller 411, and a memory communicatively connected to the at least one controller 411, such as a read-only memory (ROM) 42, a random access memory (RAM) 43, etc., wherein the memory stores a computer program executable by the at least one controller.
  • The controller 411 may perform various appropriate actions and processing according to a computer program stored in the read-only memory (ROM) 42 or loaded from the storage unit 48 into the random access memory (RAM) 43.
  • Various programs and data required for vehicle operation can also be stored in the RAM 43.
  • The controller 411, ROM 42 and RAM 43 are connected to each other through a bus 44.
  • An input/output (I/O) interface 45 is also connected to bus 44.
  • Multiple components in the vehicle are connected to the I/O interface 45, including: an input unit 46, such as a keyboard, mouse, etc.; an output unit 47, such as various types of displays, speakers, etc.; a storage unit 48, such as a magnetic disk, optical disk, etc.; and a communication unit 49, such as a network card, modem, wireless communication transceiver, etc.
  • the communication unit 49 allows the vehicle to exchange information/data with other devices via computer networks such as the Internet and/or various telecommunications networks.
  • Controller 411 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of the controller 411 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various specialized artificial intelligence (AI) computing chips, various processors running machine learning model algorithms, a digital signal processor (DSP), and any appropriate processor, controller, microcontroller, etc.
  • the controller 411 performs various methods and processes described above, such as the controller security management method.
  • the controller security management method may be implemented as a computer program, which is tangibly embodied in a computer-readable storage medium, such as storage unit 48.
  • part or all of the computer program may be loaded and/or installed on the vehicle via ROM 42 and/or communication unit 49.
  • the controller 411 may be configured to perform the controller security management method in any other suitable manner (eg, via firmware).
  • Various implementations of the systems and techniques described above may be implemented in digital electronic circuit systems, integrated circuit systems, field programmable gate arrays (FPGAs), application specific integrated circuits (ASICs), application specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof.
  • These various embodiments may include implementation in one or more computer programs executable and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general purpose programmable processor, and which may receive data and instructions from a storage system, at least one input device, and at least one output device, and transmit data and instructions to the storage system, the at least one input device, and the at least one output device.
  • Computer programs for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general-purpose computer, a special-purpose computer, or other programmable data processing device, such that the computer program, when executed by the processor, causes the functions/operations specified in the flowcharts and/or block diagrams to be implemented.
  • a computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
  • a computer-readable storage medium may be a tangible medium that may contain or store a computer program for use by or in connection with an instruction execution system, apparatus, or device.
  • Computer-readable storage media may include, but are not limited to, electronic, magnetic, optical, electromagnetic, infrared, or semiconductor systems, apparatus, or devices, or any suitable combination of the foregoing.
  • the computer-readable storage medium may be a machine-readable signal medium.
  • Machine-readable storage media would include one or more wire-based electrical connections, a portable computer diskette, a hard drive, random access memory (RAM), read only memory (ROM), erasable programmable read only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above.
  • The systems and techniques described herein may be implemented on a vehicle having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user; and a keyboard and pointing device (e.g., a mouse or a trackball) through which a user can provide input to the vehicle.
  • Other kinds of devices may also be used to provide interaction with the user; for example, the feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form (including acoustic input, voice input, or tactile input).
  • The systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., a user's computer having a graphical user interface or web browser through which the user can interact with implementations of the systems and techniques described herein), or a computing system including any combination of such back-end components, middleware components, or front-end components.
  • the components of the system may be interconnected by any form or medium of digital data communication (eg, a communications network). Examples of communication networks include: local area network (LAN), wide area network (WAN), blockchain network, and the Internet.
  • Computing systems may include clients and servers.
  • Clients and servers are generally remote from each other and typically interact over a communications network.
  • the relationship of client and server is created by computer programs running on corresponding computers and having a client-server relationship with each other.
  • The server can be a cloud server, also known as a cloud computing server or cloud host; it is a host product in the cloud computing service system that solves the problems of difficult management and weak business scalability found in traditional physical hosts and VPS services.

Abstract

Disclosed in the present application are a controller security management method and apparatus, and a vehicle and a storage medium. The method is applied to a control system. The control system comprises a controller and a hardware encryption management module, wherein a memory of the controller comprises a first partition and a second partition. The method comprises: when it is detected that a controller is powered on and started for the first time, calling a secure starting function to store a first area check key and a second area check key in a hardware encryption management module; determining a starting function signature according to the secure starting function and the first area check key, and storing same in the hardware encryption management module; and calling an application function according to the secure starting function combined with the second area check key and an application function signature, so as to realize the secure starting of the controller.

Description

A controller security management method, device, vehicle and storage medium
This application claims priority to Chinese patent application No. 202210556446.7, filed with the China Patent Office on May 19, 2022, the entire content of which is incorporated herein by reference.
Technical field
The present application relates to the technical field of vehicle management, and in particular to a controller security management method, device, vehicle and storage medium.
Background
With the development of technology and living standards, smart devices such as vehicles and mobile phones appear more and more in people's lives. The operation of such devices usually depends on a microcontroller unit (MCU). To ensure that the MCU works normally, the security of the code in the MCU must be ensured. As technology develops, device code is frequently the target of malicious intrusion. Once device code has been maliciously modified, wrong instructions are executed, which affects the normal operation of the device system and causes great harm.
Summary
This application provides a controller security management method, device, vehicle and storage medium, so as to achieve security management of the controller.
According to one aspect of the present application, a controller security management method is provided, applied to a control system. The control system includes a controller and a hardware encryption management module. The memory of the controller includes a first partition and a second partition; the first partition stores a secure startup function, a first area verification key and a second area verification key; the second partition stores an application function and an application function signature; and the first partition is set as a one-time programmable area. The method includes:
when it is detected that the controller is powered on and started for the first time, calling the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module;
determining a startup function signature according to the secure startup function and the first area verification key, and storing it in the hardware encryption management module;
controlling the startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
According to another aspect of the present application, a controller security management device is provided, applied to a controller. The memory of the controller includes a first partition and a second partition; the first partition stores a secure startup function, a first area verification key and a second area verification key; the second partition stores an application function and an application function signature; and the first partition is set as a one-time programmable area. The device includes:
a key storage module, configured to call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module when it is detected that the controller is powered on and started for the first time;
a signature storage module, configured to determine a startup function signature according to the secure startup function and the first area verification key, and to store it in the hardware encryption management module;
a startup module, configured to control the startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
According to another aspect of the present application, a vehicle is provided. The vehicle includes a control system, and the control system includes a controller and a hardware encryption management module;
the memory is configured to store one or more programs;
when the one or more programs are executed by the controller, the controller implements the controller security management method described in any embodiment of this application.
According to another aspect of the present application, a computer-readable storage medium is provided. The computer-readable storage medium stores computer instructions, and the computer instructions, when executed by a processor, cause the processor to implement the controller security management method described in any embodiment of this application.
The embodiments of the present application provide a controller security management method, applied to a control system. The control system includes a controller and a hardware encryption management module. The memory of the controller includes a first partition and a second partition; the first partition stores a secure startup function, a first area verification key and a second area verification key; the second partition stores an application function and an application function signature; and the first partition is set as a one-time programmable area. The method includes: when it is detected that the controller is powered on and started for the first time, calling the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module; determining a startup function signature according to the secure startup function and the first area verification key, and storing it in the hardware encryption management module; and calling the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller. This solves the problem that the security of functions cannot be guaranteed during the startup of the controller. The memory is divided into a first partition and a second partition that store different data, and the first partition is set as a one-time programmable area so that its data cannot be tampered with; the first area verification key and the second area verification key are stored in the hardware encryption management module so that the keys cannot be lost or tampered with. The startup function signature is determined from the secure startup function and the first area verification key and stored in the hardware encryption management module, so that the secure startup function can be verified at subsequent startups. The application function is verified by the secure startup function in combination with the second area verification key and the application function signature, and is called according to the verification result, thereby achieving secure startup of the controller, preventing functions from being intruded upon, tampered with or illegally injected by malware, and ensuring that the device operates normally and securely.
Brief description of the drawings
Figure 1 is a flowchart of a controller security management method provided in Embodiment 1 of the present application;
Figure 2 is a flowchart of a controller security management method provided in Embodiment 2 of the present application;
Figure 3 is a schematic structural diagram of a controller security management device provided in Embodiment 3 of the present application;
Figure 4 is a schematic structural diagram of a vehicle that implements the controller security management method of the embodiments of the present application.
Detailed description
In order to enable those skilled in the art to better understand the solutions of the present application, the technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the accompanying drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present application, not all of them. Based on the embodiments of the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort fall within the scope of protection of the present application.
It should be noted that the terms "first", "second", etc. in the description, claims and drawings of the present application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that the data so used are interchangeable under appropriate circumstances, so that the embodiments described herein can be implemented in orders other than those illustrated or described herein. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusion; for example, a process, method, system, product or device that includes a series of steps or units need not be limited to the steps or units explicitly listed, but may include other steps or units that are not explicitly listed or that are inherent to the process, method, product or device.
Embodiment 1
Figure 1 is a flowchart of a controller security management method provided in Embodiment 1 of the present application. This embodiment is applicable to security management of a controller. The method may be performed by a controller security management device, which may be implemented in hardware and/or software and may be arranged in the controller. The method is applied to a control system. The control system includes a controller and a hardware encryption management module. The memory of the controller includes a first partition and a second partition; the first partition stores a secure startup function, a first area verification key and a second area verification key; the second partition stores an application function and an application function signature; and the first partition is set as a one-time programmable area.
The present application partitions the memory of the controller into a first partition and a second partition, which store different types of data. The secure startup function, the first area verification key and the second area verification key are stored in the first partition, and the first partition is set as a one-time programmable area (that is, an OTP area), so that the data in the first partition cannot be tampered with, further ensuring data security.
As shown in Figure 1, the method includes:
S101. When it is detected that the controller is powered on and started for the first time, call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module.
In this embodiment, the secure startup function can be understood as the function that initializes and starts the system. The first area verification key is a key used to verify the startup function. The second area verification key is also a key, used to verify the application function. The hardware encryption management module can be understood as a module that manages keys; in this application, the hardware encryption management module is an HSM (hardware security module). The controller in this application may be a microcontroller unit (MCU).
Specifically, it is detected whether the controller is powered on and started. When the controller is powered on and started for the first time, the secure startup function is called to obtain the first area verification key and the second area verification key from the first partition, and the first area verification key and the second area verification key are loaded into the hardware encryption management module and stored there.
It should be noted that the first power-on startup in this application refers to the first power-on startup after data has been written to the first partition and the second partition during MCU development; at that point the device in which the controller is used may not yet have left the factory or been put into use. The second partition in this application may also store other types of data.
S102. Determine a startup function signature according to the secure startup function and the first area verification key, and store it in the hardware encryption management module.
In this embodiment, the startup function signature can be understood as signature information used to verify the security and legitimacy of the secure startup function. The first area verification key is used as the key of the algorithm to generate the startup function signature corresponding to the secure startup function, and the startup function signature is stored in the hardware encryption management module. The startup function signature in this application may use a message authentication code based on block encryption (Cipher Block Chaining-message authentication code, CMAC).
S103. Call the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
In this embodiment, the application function signature can be understood as signature information used for security verification of the application function, and the application function can be understood as a function that executes or implements a certain function. A signature is generated according to the secure startup function and the second area verification key, the generated signature is verified against the application function signature, and the verification result is determined. When verification passes, the application function is called normally and executes the corresponding function, achieving secure startup of the controller.
The embodiments of the present application provide a controller security management method, applied to a control system. The control system includes a controller and a hardware encryption management module. The memory of the controller includes a first partition and a second partition; the first partition stores a secure startup function, a first area verification key and a second area verification key; the second partition stores an application function and an application function signature; and the first partition is set as a one-time programmable area. This solves the problem that the security of functions cannot be guaranteed during the startup of the controller. The memory is divided into a first partition and a second partition that store different data, and the first partition is set as a one-time programmable area so that its data cannot be tampered with; the first area verification key and the second area verification key are stored in the hardware encryption management module so that the keys cannot be lost or tampered with. The startup function signature is determined from the secure startup function and the first area verification key and stored in the hardware encryption management module, so that the secure startup function can be verified at subsequent startups. The application function is verified by the secure startup function in combination with the second area verification key and the application function signature, and is called according to the verification result, thereby achieving secure startup of the controller, preventing functions from being intruded upon, tampered with or illegally injected by malware, and ensuring that the device operates normally and securely.
Embodiment 2
Figure 2 is a flowchart of a controller security management method provided in Embodiment 2 of the present application. This embodiment refines the above embodiment. As shown in Figure 2, the method includes:
S201. When it is detected that the controller is powered on and started for the first time, call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module.
S202. Process the secure startup function and the first area verification key according to a predetermined first preset algorithm to determine the startup function signature, and store it in the hardware encryption management module.
In this embodiment, the first preset algorithm can be understood as an encryption algorithm, for example a hash algorithm, the AES-128 algorithm, the AES-192 algorithm, the AES-256 algorithm, etc. The first preset algorithm is determined in advance; the secure startup function and the first area verification key are encrypted according to the first preset algorithm to generate the startup function signature, which is stored in the hardware encryption management module. The secure startup function in this application may be implemented as code, so when generating the startup function signature, the secure startup code corresponding to the secure startup function may be combined with the first area verification key and processed by the first preset algorithm to generate the startup function signature.
S203. Process the secure startup function and the second area verification key according to a predetermined second preset algorithm to determine the application function signature to be verified.
In this embodiment, the second preset algorithm can be understood as an encryption algorithm; it may be the same as or different from the first preset algorithm. The application function signature to be verified can be understood as a signature that needs to be verified, used to verify the legitimacy of the application function.
Specifically, the second preset algorithm is determined in advance, and the secure startup function and the second area verification key are encrypted with the second preset algorithm to obtain the application function signature to be verified. When the application function signature to be verified is determined from the secure startup function, it may likewise be generated from the secure startup code corresponding to the secure startup function.
S204. If the application function signature to be verified is consistent with the application function signature, call the application function.
Determine whether the application function signature to be verified is consistent with the application function signature stored in the second partition. If they are consistent, the application function is determined to have passed verification, and the application function is called to implement the corresponding function.
S205. When it is detected that the controller is not being powered on and started for the first time, determine the startup function signature to be verified according to the secure startup function and the first area verification key, and obtain the startup function signature stored in the hardware encryption management module.
In this embodiment, the startup function signature to be verified can be understood as a signature that needs to be verified, used to determine whether the secure startup function is legitimate. When it is detected that the controller is not being powered on and started for the first time, the secure startup function and the first area verification key are obtained from the first partition, the two are encrypted according to the first preset algorithm to generate the startup function signature to be verified, and at the same time the startup function signature stored in the hardware encryption management module is obtained.
S206. If the startup function signature to be verified is consistent with the startup function signature, call the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
判断待验证启动函数签名和启动函数签名是否一致,如果一致,确定安全启动函数验证通过。根据安全启动函数结合第二区域校验密钥和应用函数签名对应用函数进行验证,如果验证通过,此时应用函数合法,调用应用函数实现相应功能,实现控制器的安全启动。根据安全启动函数结合第二区域校验密钥和应用函数签名对应用函数进行验证及调用的方式与S203-S204相同。Determine whether the signature of the startup function to be verified is consistent with the signature of the startup function. If they are consistent, it is determined that the secure startup function has passed the verification. The application function is verified according to the secure startup function combined with the second area verification key and the application function signature. If the verification passes, the application function is legal at this time, and the application function is called to implement the corresponding function and realize the safe startup of the controller. The method of verifying and calling the application function based on the secure startup function combined with the second area verification key and the application function signature is the same as S203-S204.
In this embodiment of the present application, after the controller has been running for some time, the application function may be upgraded because of function updates or for other reasons. The upgrade may take place after the first power-on startup and before the second, or after the n-th power-on startup. Therefore, the order in which S205-S206 and S207-S210 are executed may place the upgrade either first or last. Figure 2 illustrates the controller security management method using the case where the upgrade comes last.
S207. When an upgrade of the application function is detected, obtain the application function signature to be upgraded, the random number and the second area verification key verification data information.
In this embodiment, the application function signature to be upgraded can be understood as signature information used to verify the application function upgrade. The second area verification key verification data information can be understood as information used for security verification during the upgrade process.
Specifically, whether the application function needs to be upgraded can be determined by receiving an upgrade instruction sent by the cloud, a host computer or the like; or by examining the application functions stored in the cloud, on a host computer, in a file management system or elsewhere and judging from their version or date whether an upgrade is needed, the application function being upgraded when a new version exists; or the user may upgrade manually, either by starting the upgrade with a click, double-click, swipe or similar action after discovering that a new version exists, or by starting it in the same way without knowing whether a new version exists, in which case the controller establishes a communication connection with the cloud, host computer or the like, determines whether a new version of the application function exists, and proceeds with the upgrade when one does.
If it is detected that the application function needs to be upgraded, the application function signature to be upgraded, the random number and the second area verification key verification data information required for the upgrade are obtained. These can be stored in the cloud, on a host computer or elsewhere, and may be stored in the same space as the new application function.
The application function signature to be upgraded, the random number and the second area verification key verification data information can also be stored in the second partition once the application function upgrade is complete, thereby updating the random number and second area verification key verification data information previously stored in the second partition. The length of the application function can also be obtained together with the application function signature to be upgraded, the random number and the second area verification key verification data information.
S208. Perform key verification based on the random number and the second area verification key verification data information.
Key parsing is performed based on the random number and the second area verification key verification data information required for the upgrade to determine the parsed key, and the second area verification key is used to judge whether the parsed key is legitimate. If it is, the key verification result is a pass and the application function upgrade can continue; if it is not, the key verification result is a failure, the application function upgrade ends, and the upgrade fails.
As an optional embodiment, performing key verification based on the random number and the second area verification key verification data information is refined as follows:
A1. Determine the real key based on the random number and the second area verification key verification data information in combination with a predetermined third preset algorithm.
In this embodiment, the third preset algorithm is a decryption algorithm, for example AES or a hash algorithm; AES and hash algorithms can be used for both encryption and decryption operations. The third preset algorithm in this application may be the same algorithm as the first and second preset algorithms or a different one. When the same algorithm is used, the first and second preset algorithms perform the encryption operation on the data, and the third preset algorithm performs the decryption operation. The real key can be understood as the key corresponding to the second area verification key verification data information obtained by decryption. The random number and the second area verification key verification data information are decrypted according to the third preset algorithm to obtain the real key.
A2. Obtain the second area verification key stored in the hardware encryption management module.
The second area verification key is obtained from the corresponding storage space of the hardware encryption management module.
A3. If the real key is consistent with the second area verification key, determine that the key verification result is a pass.
Determine whether the real key is consistent with the second area verification key. If they are consistent, the key verification result is a pass; if not, it is a failure.
S209. If verification passes, obtain the new application function.
If verification passes, the new application function is obtained. The new application function is the upgraded application function; usually its functionality is more comprehensive than that of the original application function, being an optimization of it. The new application function can be stored in the cloud, on a host computer or elsewhere. If verification fails, the application function upgrade ends and the upgrade fails.
S210. Control the upgrade of the application function according to the new application function, the second area verification key and the application function signature to be upgraded.
The second area verification key stored in the hardware encryption management module is obtained, the new application function and the second area verification key are encrypted to determine a signature, and this signature is used to perform a security check against the application function signature to be upgraded. Once the check passes, the new application function is determined to be legitimate, and the application function is upgraded and updated with it.
As an optional embodiment, controlling the upgrade of the application function according to the new application function, the second area verification key and the application function signature to be upgraded further includes:
B1. Process the new application function and the second area verification key according to a predetermined fourth preset algorithm to determine the upgrade function signature to be verified.
In this embodiment, the fourth preset algorithm is a preset algorithm that may be the same as or different from the first, second and third preset algorithms. The upgrade function signature to be verified can be understood as signature information used to verify the legitimacy of the new application function. The fourth preset algorithm is determined in advance, and the new application function and the second area verification key are encrypted with it to generate the upgrade function signature to be verified. Since the new application function can likewise be implemented as code, the upgrade function signature to be verified can be determined by performing the encryption operation on the code corresponding to the new application function.
B2. If the upgrade function signature to be verified is consistent with the application function signature to be upgraded, replace the application function with the new application function to complete the upgrade.
Determine whether the upgrade function signature to be verified is consistent with the application function signature to be upgraded. If they are consistent, the new application function is determined to have passed verification and to be legitimate, and the application function is updated with it. When the controller starts, the application function is replaced by the new application function, which is executed to implement the corresponding function. Replacing the application function with the new one can mean deleting the original application function outright and overwriting it with the new one, or keeping the original application function but calling the new application function directly when the application function is called after the secure startup function has passed verification at controller startup.
In this application the application function is stored in the second partition. Because the second partition is not set as a one-time programmable area, the data in it can be modified, so the application function can be upgraded. By providing an unmodifiable first partition and a modifiable second partition, secure startup is guaranteed without affecting device upgrades. Moreover, when an upgrade fails or the Bootloader or APP encounters a runtime error, a rollback function can switch to the previous version of the application function, which solves the problem of the machine failing to start and improves the stability and reliability of the product. This application sets separate area verification keys for the first area and the second area to guarantee the security of each area; multiple area verification keys can also be used for encryption and decryption.
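To make the startup checks of S201-S206 and the upgrade checks of S207-S210 (with A1-A3 and B1-B2) concrete, the following added example, written for this edit and not taken from the application, simulates the two partitions, the hardware encryption management module and a cloud-side upgrade package in Python. It assumes HMAC-SHA256 as every preset algorithm, a MAC over the application code as the application function signature, and a keyed-hash proof of key possession in place of the page's decryption step; the `HardwareCryptoModule`, `UpgradePackage` and nonce names are constructed.

```python
"""Simulation of the two-partition secure startup and upgrade flow (S201-S210, A1-A3, B1-B2)."""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional, Tuple


def preset_algorithm(code: bytes, key: bytes) -> bytes:
    # Assumption: each "preset algorithm" on the page is modelled as HMAC-SHA256 keyed
    # with an area verification key. The page names hash/AES without fixing a
    # construction; a keyed MAC over the function's code is what "encrypt the function
    # and the key to get a signature" needs to mean for the comparisons to be sound.
    return hmac.new(key, code, hashlib.sha256).digest()


class HardwareCryptoModule:
    """Stand-in for the hardware encryption management module: write-once slots."""

    def __init__(self) -> None:
        self._slots = {}

    def store(self, name: str, value: bytes) -> None:
        if name in self._slots:  # keys and the startup signature are provisioned once
            raise PermissionError(f"slot {name!r} is already provisioned")
        self._slots[name] = value

    def load(self, name: str) -> bytes:
        return self._slots[name]


@dataclass
class UpgradePackage:
    """What the cloud or host computer ships for S207 (constructed layout)."""
    new_code: bytes
    app_sig: bytes    # application function signature to be upgraded
    nonce: bytes      # random number
    key_proof: bytes  # second area verification key verification data information

    @staticmethod
    def build(new_code: bytes, key2: bytes, nonce: bytes) -> UpgradePackage:
        # Assumption: the verification data is HMAC(key2, nonce), so A1-A3 become
        # "recompute the proof with the HSM copy of key2 and compare" instead of a
        # block-cipher decryption; the page does not fix the cipher.
        return UpgradePackage(new_code, preset_algorithm(new_code, key2), nonce,
                              hmac.new(key2, nonce, hashlib.sha256).digest())


@dataclass
class Controller:
    boot_code: bytes  # first partition (one-time programmable): secure startup code
    key1: bytes       # first partition: first area verification key
    key2: bytes       # first partition: second area verification key
    app_code: bytes   # second partition (writable): application function
    app_sig: bytes    # second partition: application function signature
    last_nonce: bytes = b""  # second partition: random number of the last upgrade
    hsm: HardwareCryptoModule = field(default_factory=HardwareCryptoModule)
    booted_once: bool = False
    previous_app: Optional[Tuple[bytes, bytes]] = None

    def boot(self) -> bytes:
        """Runs one power-on cycle and returns the application code that was called."""
        if not self.booted_once:
            # S201-S202: first power-on provisions keys and the startup signature.
            self.hsm.store("key1", self.key1)
            self.hsm.store("key2", self.key2)
            self.hsm.store("boot_sig", preset_algorithm(self.boot_code, self.key1))
            self.booted_once = True
        else:
            # S205-S206: later power-ons recompute the startup signature and compare.
            actual = preset_algorithm(self.boot_code, self.hsm.load("key1"))
            if not hmac.compare_digest(actual, self.hsm.load("boot_sig")):
                raise RuntimeError("secure startup function failed verification")
        # S203-S204: the startup function checks the application with key2.
        # Assumption: the MAC is taken over the application code itself.
        expected = preset_algorithm(self.app_code, self.hsm.load("key2"))
        if not hmac.compare_digest(expected, self.app_sig):
            raise RuntimeError("application function failed verification")
        return self.app_code

    def upgrade(self, pkg: UpgradePackage) -> bool:
        """S207-S210: returns True when the new application function is installed."""
        key2 = self.hsm.load("key2")                                  # A2
        if pkg.nonce == self.last_nonce:  # reject a replay of the last accepted package
            return False
        proof = hmac.new(key2, pkg.nonce, hashlib.sha256).digest()    # A1
        if not hmac.compare_digest(proof, pkg.key_proof):             # A3
            return False
        # B1-B2: the signature computed over the new code must match the shipped one.
        if not hmac.compare_digest(preset_algorithm(pkg.new_code, key2), pkg.app_sig):
            return False
        self.previous_app = (self.app_code, self.app_sig)             # kept for rollback
        self.app_code, self.app_sig = pkg.new_code, pkg.app_sig
        self.last_nonce = pkg.nonce
        return True

    def rollback(self) -> bool:
        """Switches back to the previous application version if one is retained."""
        if self.previous_app is None:
            return False
        self.app_code, self.app_sig = self.previous_app
        self.previous_app = None
        return True
```

Because only the most recent random number is retained in the second partition, the replay check rejects only a repeat of the last accepted package; a deployment that needs stronger replay protection would keep a monotonic counter in the hardware module.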
An embodiment of the present application provides a controller security management method applied to a control system that includes a controller and a hardware encryption management module. The memory of the controller includes a first partition and a second partition; the first partition is set as a one-time programmable area, which guarantees the security of the secure startup function and prevents it from being tampered with. This solves the problem that the security of functions cannot be guaranteed during controller startup: the memory is divided into a first partition and a second partition storing different data, and the first and second area verification keys are stored in the hardware encryption management module so that the keys cannot be lost or tampered with. The startup function signature is determined from the secure startup function and the first area verification key and stored in the hardware encryption management module so that the secure startup function can be securely checked on subsequent startups. The application function is verified by the secure startup function in combination with the second area verification key and the application function signature and is called according to the verification result, which achieves secure startup of the controller and prevents functions from being intruded upon, tampered with or illegally injected by malicious software, ensuring that the device operates normally and securely. The data in the second partition can be modified, so secure startup is guaranteed without affecting device upgrades. Both the device startup and upgrade processes require multiple verifications, guaranteeing data security.
Embodiment 3
Figure 3 is a schematic structural diagram of a controller security management apparatus provided in Embodiment 3 of the present application. The apparatus is applied to a controller whose memory includes a first partition and a second partition; the first partition stores the secure startup function, the first area verification key and the second area verification key, the second partition stores the application function and the application function signature, and the first partition is set as a one-time programmable area. As shown in Figure 3, the apparatus includes a key storage module 31, a signature storage module 32 and a startup module 33.
The key storage module 31 is configured to call the secure startup function to store the first area verification key and the second area verification key in the hardware encryption management module when it is detected that the controller is being powered on for the first time;
the signature storage module 32 is configured to determine the startup function signature from the secure startup function and the first area verification key and store it in the hardware encryption management module;
the startup module 33 is configured to control the startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to achieve secure startup of the controller.
An embodiment of the present application provides a controller security management apparatus that solves the problem that the security of functions cannot be guaranteed during controller startup. The startup function signature is determined from the secure startup function and the first area verification key and stored in the hardware encryption management module so that the secure startup function can be securely checked on subsequent startups. The application function is verified by the secure startup function in combination with the second area verification key and the application function signature and is called according to the verification result, which achieves secure startup of the controller and prevents functions from being intruded upon, tampered with or illegally injected by malicious software, ensuring that the device operates normally and securely.
Optionally, the signature storage module 32 is specifically configured to process the secure startup function and the first area verification key according to a predetermined first preset algorithm to determine the startup function signature.
Optionally, the apparatus further includes:
a startup signature verification module, configured to determine the startup function signature to be verified from the secure startup function and the first area verification key and to obtain the startup function signature stored in the hardware encryption management module when it is detected that the controller is not being powered on for the first time;
an application function calling module, configured to call the application function according to the secure startup function in combination with the second area verification key and the application function signature if the startup function signature to be verified is consistent with the startup function signature, so as to achieve secure startup of the controller.
Optionally, calling the application function according to the secure startup function in combination with the second area verification key and the application function signature includes: processing the secure startup function and the second area verification key according to a predetermined second preset algorithm to determine the application function signature to be verified; and, if the application function signature to be verified is consistent with the application function signature, calling the application function.
Optionally, the apparatus further includes:
an upgrade information acquisition module, configured to obtain the application function signature to be upgraded, the random number and the second area verification key verification data information when an upgrade of the application function is detected;
a random number verification module, configured to perform key verification based on the random number and the second area verification key verification data information;
an application function acquisition module, configured to obtain the new application function if verification passes; and
an application function upgrade module, configured to control the upgrade of the application function according to the new application function, the second area verification key and the application function signature to be upgraded.
Optionally, the random number verification module includes:
a real key determination unit, configured to determine the real key based on the random number and the second area verification key verification data information in combination with a predetermined third preset algorithm;
a key acquisition unit, configured to obtain the second area verification key stored in the hardware encryption management module; and
a key verification unit, configured to determine that the key verification result is a pass if the real key is consistent with the second area verification key.
Optionally, the application function upgrade module includes:
an upgrade signature determination unit, configured to process the new application function and the second area verification key according to a predetermined fourth preset algorithm to determine the upgrade function signature to be verified; and
an upgrade verification unit, configured to replace the application function with the new application function if the upgrade function signature to be verified is consistent with the application function signature to be upgraded, so as to complete the upgrade of the application function.
The controller security management apparatus provided by the embodiments of the present application can execute the controller security management method provided by any embodiment of the present application and has the functional modules and effects corresponding to that method.
Embodiment 4
Figure 4 is a schematic structural diagram of a vehicle that can be used to implement embodiments of the present application. The vehicle includes a control system 41, which includes a controller 411 and a hardware encryption management module 412. The components shown here, their connections and relationships, and their functions are examples only and are not intended to limit the implementation of the present application as described and/or claimed herein.
As shown in Figure 4, the vehicle includes at least one controller 411 and a memory communicatively connected to the at least one controller 411, such as a read-only memory (ROM) 42 and a random access memory (RAM) 43. The memory stores a computer program executable by the at least one controller, and the controller 411 can perform various appropriate actions and processing according to the computer program stored in the ROM 42 or loaded from the storage unit 48 into the RAM 43. The RAM 43 can also store various programs and data required for vehicle operation. The controller 411, the ROM 42 and the RAM 43 are connected to one another by a bus 44. An input/output (I/O) interface 45 is also connected to the bus 44.
Multiple components of the vehicle are connected to the I/O interface 45, including: an input unit 46, such as a keyboard or mouse; an output unit 47, such as various types of displays or loudspeakers; a storage unit 48, such as a magnetic disk or optical disc; and a communication unit 49, such as a network card, modem or wireless transceiver. The communication unit 49 allows the vehicle to exchange information and data with other devices over computer networks such as the Internet and/or various telecommunication networks.
The controller 411 may be any of various general-purpose and/or special-purpose processing components with processing and computing capability. Examples of the controller 411 include, but are not limited to, a central processing unit (CPU), a graphics processing unit (GPU), various dedicated artificial intelligence (AI) computing chips, various processors that run machine learning model algorithms, a digital signal processor (DSP), and any suitable processor, controller or microcontroller. The controller 411 executes the methods and processes described above, such as the controller security management method.
In some embodiments, the controller security management method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as the storage unit 48. In some embodiments, part or all of the computer program may be loaded and/or installed on the vehicle via the ROM 42 and/or the communication unit 49. When the computer program is loaded into the RAM 43 and executed by the controller 411, one or more steps of the controller security management method described above can be performed. Alternatively, in other embodiments, the controller 411 may be configured to execute the controller security management method in any other suitable way (for example, by means of firmware).
Various implementations of the systems and techniques described above can be realized in digital electronic circuitry, integrated circuitry, field programmable gate arrays (FPGAs), application-specific integrated circuits (ASICs), application-specific standard products (ASSPs), systems on chip (SOCs), complex programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These implementations may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special-purpose or general-purpose and is coupled to receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device and at least one output device.
Computer programs for implementing the methods of the present application may be written in any combination of one or more programming languages. These computer programs may be provided to the processor of a general-purpose computer, a special-purpose computer or another programmable data processing apparatus, so that when executed by the processor they cause the functions and operations specified in the flowcharts and/or block diagrams to be carried out. A computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package partly on the machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present application, a computer-readable storage medium may be a tangible medium that can contain or store a computer program for use by or in connection with an instruction execution system, apparatus or device. A computer-readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any suitable combination thereof. Alternatively, the computer-readable storage medium may be a machine-readable signal medium. More specific examples of machine-readable storage media include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fibre, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination thereof.
To provide interaction with a user, the systems and techniques described here can be implemented on a vehicle having a display device (for example, a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user, and a keyboard and a pointing device (for example, a mouse or trackball) through which the user can provide input to the vehicle. Other kinds of devices can also be used to provide interaction with the user; for example, the feedback provided to the user can be any form of sensory feedback (visual, auditory or tactile), and input from the user can be received in any form, including acoustic, speech or tactile input.
可以将此处描述的系统和技术实施在包括后台部件的计算系统(例如,作为数据服务器)、或者包括中间件部件的计算系统(例如,应用服务器)、或者包括前端部件的计算系统(例如,具有图形用户界面或者网络浏览器的用户计算机,用户可以通过该图形用户界面或者该网络浏览器来与此处描述的系统和技术的实施方式交互)、或者包括这种后台部件、中间件部件、或者前端部件的任何组合的计算系统中。可以通过任何形式或者介质的数字数据通信(例如,通信网络)来将系统的部件相互连接。通信网络的示例包括:局域网(LAN)、广域网(WAN)、区块链网络和互联网。The systems and techniques described herein may be implemented in a computing system that includes back-end components (e.g., as a data server), or a computing system that includes middleware components (e.g., an application server), or a computing system that includes front-end components (e.g., A user's computer having a graphical user interface or web browser through which the user can interact with implementations of the systems and technologies described herein), or including such backend components, middleware components, or any combination of front-end components in a computing system. The components of the system may be interconnected by any form or medium of digital data communication (eg, a communications network). Examples of communication networks include: local area network (LAN), wide area network (WAN), blockchain network, and the Internet.
计算系统可以包括客户端和服务器。客户端和服务器一般远离彼此并且通常通过通信网络进行交互。通过在相应的计算机上运行并且彼此具有客户端-服务器关系的计算机程序来产生客户端和服务器的关系。服务器可以是云服务器,又称为云计算服务器或云主机,是云计算服务体系中的一项主机产品,以解决了传统物理主机与VPS中,存在的管理难度大,业务扩展性弱的缺陷。Computing systems may include clients and servers. Clients and servers are generally remote from each other and typically interact over a communications network. The relationship of client and server is created by computer programs running on corresponding computers and having a client-server relationship with each other. The server can be a cloud server, also known as cloud computing server or cloud host. It is a host product in the cloud computing service system to solve the problems of difficult management and weak business scalability in traditional physical hosts and VPS. .
应该理解,可以使用上面所示的各种形式的流程,重新排序、增加或删除步骤。例如,本申请中记载的各步骤可以并行地执行也可以顺序地执行也可以不同的次序执行,只要能够实现本申请的技术方案所期望的结果,本文在此不进行限制。It should be understood that various forms of the process shown above may be used, with steps reordered, added or deleted. For example, each step described in this application can be executed in parallel, sequentially, or in a different order. As long as the desired results of the technical solution of this application can be achieved, there is no limitation here.

Claims (10)

  1. A controller security management method, applied to a control system, the control system comprising a controller and a hardware encryption management module, the memory of the controller comprising a first partition and a second partition, the first partition storing a secure startup function, a first area verification key and a second area verification key, the second partition storing an application function and an application function signature, and the first partition being set as a one-time programmable area, the method comprising:
    when it is detected that the controller is powered on for the first time, calling the secure startup function to store the first area verification key and the second area verification key into the hardware encryption management module;
    determining a startup function signature according to the secure startup function and the first area verification key, and storing it in the hardware encryption management module;
    calling the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to implement secure startup of the controller.
  2. The method according to claim 1, wherein determining the startup function signature according to the secure startup function and the first area verification key comprises:
    processing the secure startup function and the first area verification key according to a predetermined first preset algorithm to determine the startup function signature.
  3. The method according to claim 1, further comprising:
    when it is detected that the controller is not being powered on for the first time, determining a startup function signature to be verified according to the secure startup function and the first area verification key, and obtaining the startup function signature stored in the hardware encryption management module;
    if the startup function signature to be verified is consistent with the stored startup function signature, calling the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to implement secure startup of the controller.
  4. The method according to any one of claims 1-3, wherein calling the application function according to the secure startup function in combination with the second area verification key and the application function signature comprises:
    processing the secure startup function and the second area verification key according to a predetermined second preset algorithm to determine an application function signature to be verified;
    if the application function signature to be verified is consistent with the application function signature, calling the application function.
  5. The method according to claim 1, further comprising:
    when an upgrade of the application function is detected, obtaining a signature of the application function to be upgraded, a random number, and second area verification key verification data;
    performing key verification according to the random number and the second area verification key verification data;
    if the verification passes, obtaining the new application function;
    controlling the upgrade of the application function according to the new application function, the second area verification key, and the signature of the application function to be upgraded.
  6. The method according to claim 5, wherein performing key verification according to the random number and the second area verification key verification data comprises:
    determining a real key according to the random number and the second area verification key verification data in combination with a predetermined third preset algorithm;
    obtaining the second area verification key stored in the hardware encryption management module;
    if the real key is consistent with the second area verification key, determining that the key verification result is that verification has passed.
  7. The method according to claim 5, wherein controlling the upgrade of the application function according to the new application function, the second area verification key, and the signature of the application function to be upgraded comprises:
    processing the new application function and the second area verification key according to a predetermined fourth preset algorithm to determine an upgrade function signature to be verified;
    if the upgrade function signature to be verified is consistent with the signature of the application function to be upgraded, replacing the application function with the new application function, so as to implement the upgrade of the application function.
  8. A controller security management apparatus, applied to a controller, the memory of the controller comprising a first partition and a second partition, the first partition storing a secure startup function, a first area verification key and a second area verification key, the second partition storing an application function and an application function signature, and the first partition being set as a one-time programmable area, the apparatus comprising:
    a key storage module, configured to call the secure startup function to store the first area verification key and the second area verification key into a hardware encryption management module when it is detected that the controller is powered on for the first time;
    a signature storage module, configured to determine a startup function signature according to the secure startup function and the first area verification key, and to store it in the hardware encryption management module;
    a startup module, configured to control startup of the application function according to the secure startup function in combination with the second area verification key and the application function signature, so as to implement secure startup of the controller.
  9. A vehicle, comprising a control system, the control system comprising a controller and a hardware encryption management module;
    the memory, configured to store one or more programs;
    when the one or more programs are executed by the controller, the controller implements the controller security management method according to any one of claims 1-7.
  10. A computer-readable storage medium storing computer instructions, the computer instructions being used to cause a processor, when executing them, to implement the controller security management method according to any one of claims 1-7.
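The boot and upgrade flow of claims 1-7, as an added Python model that is not part of the patent or the assignee's code. It assumes that the four unspecified "preset algorithms" are all HMAC-SHA256, that the hardware encryption management module is an in-memory dict, that the application signature is computed over the application image (as claim 7 does for a new image), and that the keys, firmware images and random number are constructed sample values.

```python
import hashlib, hmac, os

def mac(key: bytes, data: bytes) -> bytes:
    # Stand-in for the claims' unspecified "preset algorithms" (assumption: HMAC-SHA256).
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Controller:
    """Controller with an OTP first partition, a writable second partition and an HSM."""
    def __init__(self, boot_fn: bytes, key1: bytes, key2: bytes, app_fn: bytes, app_sig: bytes):
        self.p1 = {"boot_fn": boot_fn, "key1": key1, "key2": key2}  # one-time programmable region
        self.p2 = {"app_fn": app_fn, "app_sig": app_sig}            # writable application region
        self.hsm = {}                                               # hardware encryption management module

    def power_on(self) -> bool:
        """Claims 1-4: provision the HSM on first boot, verify boot function and app afterwards."""
        boot_sig = mac(self.p1["key1"], self.p1["boot_fn"])
        if not self.hsm:                                   # first power-on: store keys and signature
            self.hsm.update(key1=self.p1["key1"], key2=self.p1["key2"], boot_sig=boot_sig)
        elif not hmac.compare_digest(boot_sig, self.hsm["boot_sig"]):
            return False                                   # recomputed boot signature does not match
        # Claim 4: recompute the application signature with key2 from the HSM and compare.
        # Assumption: the MAC covers the application image, as claim 7 does for a new image.
        if not hmac.compare_digest(mac(self.hsm["key2"], self.p2["app_fn"]), self.p2["app_sig"]):
            return False                                   # application image modified: do not call it
        return True                                        # application function may be called

    def upgrade(self, new_app: bytes, new_sig: bytes, nonce: bytes, key_data: bytes) -> bool:
        """Claims 5-7: verify the updater's key, then the new image, then replace the app."""
        # Claim 6 (assumption for the "third preset algorithm"): the verification data is
        # key2 masked with a nonce-derived pad; unmask it and compare with the HSM copy.
        real_key = xor(key_data, mac(nonce, b"key-wrap"))
        if not hmac.compare_digest(real_key, self.hsm["key2"]):
            return False
        # Claim 7: the new image's signature must match the signature sent with the upgrade.
        if not hmac.compare_digest(mac(self.hsm["key2"], new_app), new_sig):
            return False
        self.p2 = {"app_fn": new_app, "app_sig": new_sig}
        return True

def demo() -> dict:
    """Walk the scheme through provisioning, verification, tampering and upgrade."""
    key1, key2 = b"K1" * 16, b"K2" * 16                        # constructed sample keys
    boot_fn, app_v1, app_v2 = b"boot-v1", b"app-v1", b"app-v2"  # constructed sample images
    ecu = Controller(boot_fn, key1, key2, app_v1, mac(key2, app_v1))
    out = {"first_boot": ecu.power_on(), "second_boot": ecu.power_on()}
    ecu.p2["app_fn"] = b"app-v1-modified"                       # simulate a modified flash image
    out["tampered_boot"] = ecu.power_on()
    ecu.p2["app_fn"] = app_v1
    nonce, pad = os.urandom(16), None
    pad = mac(nonce, b"key-wrap")
    out["upgrade_wrong_key"] = ecu.upgrade(app_v2, mac(key2, app_v2), nonce, xor(b"X" * 32, pad))
    out["upgrade_ok"] = ecu.upgrade(app_v2, mac(key2, app_v2), nonce, xor(key2, pad))
    out["boot_after_upgrade"] = ecu.power_on() and ecu.p2["app_fn"] == app_v2
    return out

if __name__ == "__main__":
    print(demo())
```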
Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210556446.7A CN115766014A (en) 2022-05-19 2022-05-19 Controller safety management method and device, vehicle and storage medium

Publications (1)

Publication Number Publication Date
WO2023221251A1 true WO2023221251A1 (en) 2023-11-23

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/102615 WO2023221251A1 (en) 2022-05-19 2022-06-30 Controller security management method and apparatus, and vehicle and storage medium

Country Status (2)

Country Link
CN (1) CN115766014A (en)
WO (1) WO2023221251A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018090823A1 (en) * 2016-11-21 2018-05-24 惠州Tcl移动通信有限公司 Method and system for protecting system partition key data, and terminal
CN110990084A (en) * 2019-12-20 2020-04-10 紫光展讯通信(惠州)有限公司 Chip secure starting method and device, storage medium and terminal
US20200117805A1 (en) * 2018-08-23 2020-04-16 Shenzhen GOODIX Technology Co., Ltd. Secure booting method, apparatus, device for embedded program, and storage medium
CN112711761A (en) * 2021-01-12 2021-04-27 联合汽车电子有限公司 Safety protection method of controller, main chip of controller and controller
CN113177201A (en) * 2021-05-20 2021-07-27 北京奕斯伟计算技术有限公司 Program checking and signing method and device and SOC chip

Also Published As

Publication number Publication date
CN115766014A (en) 2023-03-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 22942282
    Country of ref document: EP
    Kind code of ref document: A1