Safe multi-firmware fusion system and multi-firmware fusion control method
1. A secure multi-firmware fusion system, comprising:
at least one processor;
a storage medium to store respective application firmware;
a storage medium controller, used for completing reading of application firmware or data on the storage medium according to an access request of the processor or other modules;
a multi-address mapping module, used for completing the address space mapping of different application firmware and converting the logic operation address of the application firmware accessed by the processor into the storage address of the application firmware, wherein each application firmware has an independent operation address space;
an operating address space detection module, used for judging the current address space according to the current operating address and the executed instruction of the processor;
an access control module, used for setting the access authority of the address space and, once enabled, determining whether the current access is legal;
a key storage control entity, used for storing an application firmware encryption key and application firmware encryption and decryption control, and providing a key read-write protection mechanism to ensure the security of the key; and
a decryption module, used for decrypting the codes of the specified storage area.
2. The secure multi-firmware fusion system of claim 1, wherein:
when one application firmware is upgraded, the multi-address mapping module only changes the mapping relation between the running address and the storage address of the upgraded application firmware, and the data of other application firmware is kept unchanged.
3. The secure multi-firmware fusion system of claim 1, wherein:
the access control module is used for judging whether the current access is legal or not according to the setting of the access control white list or the access control black list and the detection result of the operation address space detection module.
4. The secure multi-firmware fusion system of claim 1, wherein:
the key stored by the key storage control entity is burned together with the application firmware in a factory, and can be used by the decryption module after the system runs to finish decryption of the application firmware.
5. The secure multi-firmware fusion system of claim 1, wherein:
the decryption module comprises a plurality of address field decryption control units, and different address fields can use different decryption keys.
6. A secure multi-firmware fusion control method is characterized by comprising the following steps:
the storage medium stores each application firmware;
the storage medium controller finishes reading application firmware or data on the storage medium according to an access request of the processor or other modules;
the multi-address mapping module completes the address space mapping of different application firmware, and converts the logic operation address of the processor accessing the application firmware into the storage address of the application firmware, and each application firmware has an independent operation address space;
the operating address space detection module judges the current address space according to the current operating address and the executed instruction of the processor;
the access control module sets the access authority of the address space and, once enabled, determines whether the current access is legitimate;
the key storage control entity stores an application firmware encryption key and application firmware encryption and decryption control, provides a key read-write protection mechanism and ensures the security of the key;
the decryption module decrypts the codes or data of the specified storage area.
7. The secure multi-firmware fusion control method according to claim 6, wherein:
when one application firmware is upgraded, the multi-address mapping module only changes the mapping relation between the running address and the storage address of the upgraded application firmware, and the data of other application firmware is kept unchanged.
8. The secure multi-firmware fusion control method according to claim 6, wherein:
the access control module judges whether the current access is legal or not according to the setting of the access control white list or the access control black list and the detection result of the operation address space detection module.
9. The secure multi-firmware fusion control method according to claim 6, wherein:
the key stored by the key storage control entity is burned together with the application firmware in a factory, and can be used by the decryption module after the system runs to finish decryption of the application firmware.
10. The secure multi-firmware fusion control method according to claim 6, wherein:
the decryption module comprises a plurality of address field decryption control units, and different address fields can use different decryption keys.
Background
With the rapid development of the embedded system and semiconductor industries, more and more systems adopt a multi-firmware architecture, that is, the complete firmware of a system is composed of a plurality of parts, and the developers of each part may come from different companies, which define firmware application program interfaces between the parts and each contribute their respective strengths.
Typical multi-firmware fusion cases include the intelligent door lock case, the cooperation case of a home appliance manufacturer and a chip manufacturer, and the like. In the intelligent door lock case, a fingerprint algorithm company provides the fingerprint algorithm firmware, and a solution company realizes the whole intelligent door lock solution based on that fingerprint algorithm firmware. In the cooperation case of the household appliance manufacturer and the chip manufacturer, the chip manufacturer provides the chip driver firmware, and the household appliance manufacturer realizes the complete functions of the household appliance based on the chip and the chip manufacturer's driver firmware.
However, in the conventional multi-firmware architecture, there are the following problems.
(1) Firmware upgrading is complex and time-consuming.
In a multi-firmware fusion system with the existing architecture, the firmware in the system shares a single system address mapping, so the operating addresses of the different firmware have a fixed relative offset, and the same offset must also exist between their storage addresses. When one firmware is upgraded its storage address changes, and in order to keep the other firmware usable, the other firmware must also be moved by the corresponding address offset. In such a system, as soon as one firmware needs to be upgraded, the other firmware must move with it, which increases the complexity of firmware upgrading, prolongs the upgrading time and raises the risk of upgrade failure.
To illustrate the shortcomings of the prior-art system in detail, assume that firmware X has a starting address of 0x23000000 in its operating address space, that firmware Xa is stored at address 0x00100000 in memory, and that firmware Ya is stored at address 0x00180000 in memory, as schematically illustrated in Fig. 1.
For the system to operate normally, the system mapping relationship is that operating address 0x23000000 corresponds to storage address 0x00100000. Since there is only one address mapper in the system, the operating address space of firmware Ya starts at 0x23080000, which also means that the starting address used by firmware Xa to call firmware Ya is 0x23080000.
Now assume that firmware Xa needs to be upgraded to Xb. For stability, the new firmware is written to another area during the upgrade; assume that the storage address written after the upgrade of firmware Xa is 0x00200000. For the new firmware Xb to work normally, the address mapping must be modified so that operating address 0x23000000 corresponds to storage address 0x00200000. However, the address used by the new firmware Xb to call firmware Y is still 0x23080000, and according to the mapping relationship the storage address corresponding to firmware Y is then 0x00280000. As can be seen from Fig. 2, there may be no firmware Yb at that address, or the firmware Yb present there is not necessarily the latest firmware, so firmware Ya must be copied from the 0x00180000 region to the 0x00280000 region before firmware Xa is upgraded in order for the system to operate normally. This not only increases the complexity of the system upgrade and prolongs the upgrade time, but also increases the risk of failure due to the firmware copy.
(2) Security is poor.
Taking the home appliance manufacturer and the chip manufacturer as an example: in order to fully exploit the advantages of the different manufacturers, the home appliance manufacturer wants the chip manufacturer to directly provide the driver firmware of the chip, while the home appliance manufacturer only defines the driver calling interface, does not concern itself with the driver manufacturer's specific implementation, and concentrates on the logic functions, cloud applications and other functions of the application firmware. Furthermore, when the home appliance manufacturer changes chip manufacturer, the new chip manufacturer only needs to provide a driver interface with the same functions and the home appliance manufacturer's application firmware need not be modified, so the cost of the change is greatly reduced. However, in the conventional multi-firmware fusion system the security of the home appliance manufacturer's firmware cannot be guaranteed, because the chip manufacturer can implant hidden code in its own firmware: when the home appliance manufacturer calls the chip manufacturer's firmware interface, the core code or data of the home appliance manufacturer can be obtained, posing a great risk to the security of the home appliance manufacturer's firmware.
Taking the door lock application as an example, the firmware in a door lock product is generally divided into two parts, fingerprint algorithm firmware and application firmware. The fingerprint algorithm firmware mainly implements the core fingerprint algorithms, such as fingerprint feature extraction, feature storage and feature matching, while the application firmware mainly implements the other functions of the fingerprint door lock, such as display, settings and unlocking. In this system the fingerprint algorithm firmware is the core algorithm firmware and must not be cloned by copying. The traditional approach is to encrypt the firmware, but in the traditional multi-firmware fusion system the algorithm firmware and the application firmware are encrypted as a whole with the same key. Although this removes the risk of the algorithm firmware being stolen by a third party, it cannot prevent the algorithm firmware from being read by the application firmware, so the risk of the algorithm firmware being stolen through the application firmware remains and the intellectual property of the fingerprint algorithm firmware cannot be protected.
In view of the above, there is a need to design a new multi-firmware fusion system to overcome at least some of the above-mentioned disadvantages of the existing multi-firmware fusion system.
Disclosure of Invention
The invention provides a safe multi-firmware fusion system and a multi-firmware fusion control method, which can reduce the complexity of firmware upgrading in the multi-firmware fusion system and improve the stability of the system and the safety of multi-firmware fusion.
In order to solve the technical problem, according to one aspect of the present invention, the following technical solutions are adopted:
a secure multi-firmware fusion system, comprising: at least one processor, a storage medium, a storage medium controller, a multi-address mapping module, a running address space detection module, an access control module, a key storage control entity and a decryption module.
The storage medium is used for storing each application firmware.
The storage medium controller is used for completing reading of application firmware or data on the storage medium according to an access request of the processor or other modules.
The multi-address mapping module is used for completing address space mapping of different application firmware, and converting a logic operation address of the application firmware accessed by the processor into a storage address of the application firmware, wherein each application firmware has an independent operation address space.
The operation address space detection module is used for judging the current address space according to the current operation address and the executed instruction of the processor.
The access control module is used for setting the access authority of the address space and, once enabled, determining whether the current access is legitimate.
The key storage control entity is used for storing the encryption key of the application firmware and the encryption and decryption control of the application firmware, providing a read-write protection mechanism of the key and ensuring the security of the key.
The decryption module is used for completing decryption of codes in the specified storage area.
As an embodiment of the present invention, after an application firmware is upgraded, the multi-address mapping module only changes the mapping relationship between the running address and the storage address of the upgraded application firmware, and the data of other application firmware remains unchanged.
As an embodiment of the present invention, the access control module is configured to determine whether the current access is legal or not according to the setting of the access control white list or the access control black list and a detection result of the operation address space detection module.
As an embodiment of the present invention, the key stored by the key storage control entity is burned together with the application firmware in a factory, and after the system runs, the key can be used by the decryption module to complete decryption of the application firmware.
As an embodiment of the present invention, the decryption module includes a plurality of address segment decryption control units, which can implement that different address segments use different decryption keys.
According to another aspect of the invention, the following technical scheme is adopted: a secure multi-firmware fusion control method comprises the following steps:
the storage medium stores respective application firmware.
The storage medium controller completes reading of application firmware or data on the storage medium according to an access request of the processor or other modules.
The multi-address mapping module completes the address space mapping of different application firmware, and converts the logic operation address of the processor accessing the application firmware into the storage address of the application firmware, wherein each application firmware has an independent operation address space.
The operation address space detection module judges the current address space according to the current operation address and the executed instruction of the processor.
The access control module sets the access authority of the address space and, once enabled, determines whether the current access is legitimate.
The key storage control entity stores the encryption key of the application firmware and the encryption and decryption control of the application firmware, provides a read-write protection mechanism of the key and guarantees the security of the key.
The decryption module decrypts the codes of the specified storage area.
As an embodiment of the present invention, after an application firmware is upgraded, the multi-address mapping module only changes the mapping relationship between the running address and the storage address of the upgraded application firmware, and the data of other application firmware remains unchanged.
As an embodiment of the present invention, the access control module determines whether the current access is legal or not according to the setting of the access control white list or the access control black list and the detection result of the operation address space detection module.
As an embodiment of the present invention, the key stored by the key storage control entity is burned together with the application firmware in a factory, and after the system runs, the key can be used by the decryption module to complete decryption of the application firmware or data.
As an embodiment of the present invention, the decryption module includes a plurality of address segment decryption control units, which can implement that different address segments use different decryption keys.
The invention has the beneficial effects that: the safe multi-firmware fusion system and the multi-firmware fusion control method provided by the invention can reduce the complexity of firmware upgrading in the multi-firmware fusion system and improve the stability of the system and the safety of multi-firmware fusion.
The invention can increase the access security among the firmware in the multi-firmware fusion system and ensure the data security and the system security of the firmware. In addition, the invention can also protect intellectual property of each firmware in the multi-firmware fusion system and prevent the firmware from being copied by cloning.
Drawings
Fig. 1 is a schematic diagram of the processor operating addresses before a firmware upgrade in a conventional multi-firmware system.
Fig. 2 is a schematic diagram of the processor operating addresses after a firmware upgrade in a conventional multi-firmware system.
Fig. 3 is a schematic diagram illustrating a multi-firmware fusion system according to an embodiment of the present invention.
Fig. 4 is a schematic diagram illustrating a design scheme of a multi-firmware fusion system according to an embodiment of the present invention.
Detailed Description
Preferred embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
For a further understanding of the invention, reference will now be made to the preferred embodiments of the invention by way of example, and it is to be understood that the description is intended to further illustrate features and advantages of the invention, and not to limit the scope of the claims.
The description in this section is for several exemplary embodiments only, and the present invention is not limited only to the scope of the embodiments described. It is within the scope of the present disclosure and protection that the same or similar prior art means and some features of the embodiments may be interchanged.
The steps in the embodiments in the specification are only expressed for convenience of description, and the implementation manner of the present application is not limited by the order of implementation of the steps.
"coupled" in this specification includes both direct and indirect connections, such as through some active device, passive device, or electrically conductive medium; but also may include connections through other active or passive devices, such as through switches, follower circuits, etc., that are known to those skilled in the art for achieving the same or similar functional objectives.
Fig. 3 is a schematic diagram illustrating a multi-firmware fusion system according to an embodiment of the present invention. Referring to Fig. 3, the secure multi-firmware fusion system includes: at least one CPU 1 (processor), a storage medium entity 2 (also referred to as storage medium), a storage medium controller 3, a multi-address mapping module 4, a running address space detection module 5, an access control module 6, a key storage control entity 7 (e.g. an EFUSE storage control entity, such as EFUSE or OTP), and a decryption module 8.
The storage medium 2 is used to store various application firmware. The storage medium controller 3 is used to complete reading of application firmware or data on the storage medium according to an access request of the CPU1 or other modules.
The multi-address mapping module 4 is used for completing address space mapping of different application firmware, and converting a logic operation address of the application firmware accessed by the processor into a storage address of the application firmware, wherein each application firmware has an independent operation address space. In an embodiment of the present invention, after an application firmware is upgraded, the multi-address mapping module 4 only changes the mapping relationship between the running address and the storage address of the upgraded application firmware, and the data of other application firmware remains unchanged.
The operating address space detection module 5 is configured to determine an address space currently located according to an address currently operated by the processor and an executed instruction.
The access control module 6 is used for setting the access authority of the address space and, once enabled, determining whether the current access is legitimate. In an embodiment of the present invention, the access control module 6 is configured to determine whether the current access is legal or not according to the setting of the access control white list or the access control black list and a detection result of the operation address space detection module.
The key storage control entity 7 is used for storing an application firmware encryption key and application firmware encryption and decryption control, and providing a key read-write protection mechanism to ensure the security of the key. In an embodiment of the present invention, the key stored by the key storage control entity 7 is burned together with the application firmware in a factory, and after the system runs, the key can be used by the decryption module to complete decryption of the application firmware.
The decryption module 8 is used for completing decryption of codes of the specified storage area. In an embodiment of the present invention, the decryption module 8 includes a plurality of address segment decryption control units, which can implement that different address segments use different decryption keys.
Based on the multi-address mapping module in the system, because independent address spaces are used among all firmware, after one firmware is upgraded, only the address space used by the firmware needs to be remapped, and the address space mapping of other firmware cannot be influenced. The method can effectively solve the problems existing in the firmware upgrading process, simplify the upgrading process and improve the stability of the product. The upgrading process principle and the schematic based on the system are as follows:
Taking as an example two firmware in the system whose operating address spaces start at 0x23000000 and 0x25000000 respectively, the relationship between the upgrade and the address mapping is described in detail below.
In the initial state, the firmware Xa is located at the memory address 0x00100000, the firmware Ya is located at the memory address 0x00180000, and the mapping relationship is as shown in table 1:
TABLE 1
When firmware Xa is upgraded, the new firmware is located at storage address 0x00200000. At this time, as long as the storage offset of firmware X in the multi-address mapping module is changed from 0x00100000 to 0x00200000, the execution address of the new firmware Xb is still 0x23000000 and remains unchanged; the storage offset of firmware Ya is still 0x00180000, the execution start address of firmware Ya is still 0x25000000, and the upgraded firmware Xb still calls firmware Ya through the 0x25000000 address segment. The address mapping relationship after firmware Xa is upgraded to firmware Xb is shown in Table 2:
TABLE 2
Similarly, if firmware Ya is now upgraded to firmware Yb at storage address 0x00280000, only the storage offset of Yb in the mapping module needs to be modified to 0x00280000; firmware Xb still accesses firmware Yb through the 0x25000000 address segment, so firmware X and firmware Y can be upgraded independently without affecting the overall function of the system.
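The following is an added software model of the upgrade behaviour described above (it is not code from the patent); it contrasts the single address mapper of the prior art (Figs. 1 and 2) with the per-firmware mapping module (Tables 1 and 2), using the addresses given in the text. The class names and the firmware slot size are assumptions made for illustration.

```python
# Added example, not from the patent: a model of the prior-art single mapper
# versus the multi-address mapping module. Addresses are those used in the
# text; FW_SIZE and the class names are assumed for illustration.

FW_SIZE = 0x80000  # assumed size of one firmware slot (512 KiB)


class SingleMapper:
    """Prior art: one base offset for the whole system. Every firmware's
    storage address is run_addr - run_base + storage_base, so all firmware
    must keep the same relative offset in storage as in the run space."""

    def __init__(self, run_base, storage_base):
        self.run_base = run_base
        self.storage_base = storage_base

    def translate(self, run_addr):
        return run_addr - self.run_base + self.storage_base


class MultiAddressMapper:
    """Per-firmware mapping: each firmware has its own run-address window and
    its own storage offset, so one entry can change without touching others."""

    def __init__(self):
        self.entries = {}  # name -> (run_base, storage_base, size)

    def map_firmware(self, name, run_base, storage_base, size=FW_SIZE):
        self.entries[name] = (run_base, storage_base, size)

    def translate(self, run_addr):
        """Convert a logical operating address into a storage address."""
        for run_base, storage_base, size in self.entries.values():
            if run_base <= run_addr < run_base + size:
                return run_addr - run_base + storage_base
        raise ValueError(f"unmapped run address {run_addr:#010x}")

    def upgrade(self, name, new_storage_base):
        """Only the upgraded firmware's storage offset changes."""
        run_base, _, size = self.entries[name]
        self.entries[name] = (run_base, new_storage_base, size)


def prior_art_upgrade_demo():
    """Where firmware Y is fetched from before and after X moves in storage
    under the single-mapper design. Y's run address is X's plus the 0x80000
    storage offset, and it cannot change because X's code calls it."""
    before = SingleMapper(run_base=0x23000000, storage_base=0x00100000)
    y_run = 0x23080000
    y_storage_before = before.translate(y_run)   # 0x00180000
    after = SingleMapper(run_base=0x23000000, storage_base=0x00200000)
    y_storage_after = after.translate(y_run)     # 0x00280000: Y must be copied
    return y_storage_before, y_storage_after


def multi_mapper_upgrade_demo():
    """X is upgraded to 0x00200000 and then Y to 0x00280000; the run addresses
    each firmware uses to call the other never change."""
    m = MultiAddressMapper()
    m.map_firmware("X", run_base=0x23000000, storage_base=0x00100000)
    m.map_firmware("Y", run_base=0x25000000, storage_base=0x00180000)
    y_before = m.translate(0x25000000)          # 0x00180000 (Table 1)
    m.upgrade("X", 0x00200000)                  # Xb written to 0x00200000
    x_after = m.translate(0x23000000)           # 0x00200000 (Table 2)
    y_after_x_upgrade = m.translate(0x25000000) # still 0x00180000, no copy
    m.upgrade("Y", 0x00280000)                  # Yb written to 0x00280000
    y_after_y_upgrade = m.translate(0x25000000) # 0x00280000, X's call unchanged
    return x_after, y_before, y_after_x_upgrade, y_after_y_upgrade
```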
The access control module of the system can effectively solve the problem of secure access between firmware. Take a fusion system of home appliance manufacturer firmware and chip manufacturer firmware as an example, and assume that the home appliance manufacturer firmware is firmware X, whose operating address space starts at 0x23000000, and the chip manufacturer firmware is firmware Y, whose operating address space starts at 0x25000000. When the home appliance manufacturer firmware X is to restrict access by the chip manufacturer firmware Y, the access control module only needs to set the access white list of the 0x23000000 address segment such that the 0x25000000 address space is not included in it. If the chip manufacturer firmware initiates an access to the home appliance manufacturer application firmware, that is, accesses the 0x23000000 address segment, the access control module detects that the currently running address space is the 0x25000000 segment, which is not in the access white list of the 0x23000000 address segment, and the access to the 0x23000000 address segment can be terminated, for example by resetting the system or stopping the bus clock. The same holds for the black list mechanism.
The access control module and the decryption module of the system can effectively solve the problem that firmware code is easy to clone and copy. Take the intelligent door lock application as an example, where the fingerprint algorithm firmware needs to protect the security of its code and prevent it from being cloned by a third party; the application firmware can choose whether to encrypt its own code according to its security requirements, and in this example the application firmware is not encrypted. Assume that the execution address space of algorithm firmware Y starts at 0x25000000 and that the API (application programming interface) reserved for calls from the application firmware is 4K in size, so that the region 0x25000000-0x25000FFF is a non-secure area holding the algorithm API that may be disclosed, and the area starting at 0x25001000 is a secure area holding the core algorithm code, which must not be stolen. The execution address space of application firmware X starts at 0x23000000. One possible design based on the system includes the following scheme.
(1) Encrypt the core code of fingerprint algorithm firmware Y and burn the encrypted code to address 0x00180000 of the program memory; burn the decryption key to the EFUSE area of the system and apply read-write protection to that area to prevent the decryption key from being leaked; set the decryption key of the fingerprint algorithm firmware and the decryption area starting at 0x25001000 through the decryption module of the system, where the length of the decryption area can be set according to the actual size of the firmware.
(2) Burn application firmware X to address 0x00100000 of the program memory; the operating address space used by the application firmware starts at 0x23000000.
(3) Enable the access control module of the system and set the 0x25000000-0x25000FFF area to be accessible by code of other operating address spaces, while the area starting at 0x25001000 can be accessed only by code of the area starting at 0x25000000; the area size can be set according to the actual size of the firmware.
(4) The mapping relationship between the operating address and the storage address of the application firmware and the algorithm firmware is shown in table 3:
TABLE 3
Fig. 4 is a schematic diagram illustrating a design scheme of a multi-firmware fusion system according to an embodiment of the present invention. Referring to Fig. 4, in an embodiment of the present invention the application firmware cannot directly access the algorithm firmware through the address space starting at 0x25001000 because of the security setting of the access control module, and therefore cannot directly read the algorithm code by software; the application firmware can only execute the algorithm code indirectly through the API interface in the address space 0x25000000-0x25000FFF. Because the core algorithm firmware in memory is encrypted, a third party cannot obtain the decrypted algorithm firmware by other means. After the application calls the algorithm API, the execution space entered is 0x25000000-0x25000FFF, which is an operating address space allowed to access the 0x25001000 segment, so the access request is issued normally; when the access request reaches the decryption module, the decryption module automatically selects the decryption key of the 0x25001000 segment according to its settings and completes the decryption and execution of the algorithm firmware. In this way a secure and executable multi-firmware system is constructed.
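The following is an added software model of the door-lock scheme in steps (1) to (4) and Fig. 4 (it is not code from the patent): it combines address space detection, a white-list access check keyed on the space the CPU is currently executing in, and a decryption module that selects its key by address segment. The address layout is the one the text gives; the class names, the key value and the keystream XOR standing in for the real cipher are assumptions for illustration only.

```python
# Added example, not from the patent: a model of the operating address space
# detection, access control and per-segment decryption modules for the
# door-lock layout in the text. Cipher, key and names are assumed.
from itertools import cycle

REGION_SIZE = 0x80000  # assumed size of each firmware's operating address window


class AccessViolation(Exception):
    """Raised when the access control module rejects a bus access."""


class FusionSystem:
    def __init__(self):
        # Operating address spaces: firmware name -> (run_base, size).
        self.spaces = {"X": (0x23000000, REGION_SIZE),   # application firmware
                       "Y": (0x25000000, REGION_SIZE)}   # fingerprint algorithm
        # Access-control white list: (region_lo, region_hi) -> set of address
        # spaces whose code may access the region; None means open to all.
        self.whitelist = {
            (0x25000000, 0x25000FFF): None,     # public 4K algorithm API
            (0x25001000, 0x2507FFFF): {"Y"},    # core code: only Y's own space
        }
        # Decryption module: (region_lo, region_hi) -> key read from eFuse.
        # Application firmware X has no entry because it is stored in the clear.
        # The key value is constructed for this example.
        self.segment_keys = {(0x25001000, 0x2507FFFF): b"\x5a\x13\x9c\x27"}
        self.pc = 0x23000000  # assume execution starts in the application firmware

    def detect_space(self, run_addr):
        """Operating address space detection: which space holds this address?"""
        for name, (base, size) in self.spaces.items():
            if base <= run_addr < base + size:
                return name
        return None

    def check_access(self, target_addr):
        """Access control: the decision depends on the space the CPU is
        currently executing in, not on who 'owns' the target bytes."""
        current = self.detect_space(self.pc)
        for (lo, hi), allowed in self.whitelist.items():
            if lo <= target_addr <= hi and allowed is not None and current not in allowed:
                # The text terminates the access (e.g. system reset); we raise.
                raise AccessViolation(f"{current} -> {target_addr:#010x} denied")

    def decrypt_fetch(self, target_addr, stored):
        """Decryption module: select the key by address segment.
        A keystream XOR stands in for the real cipher (toy, not for production)."""
        for (lo, hi), key in self.segment_keys.items():
            if lo <= target_addr <= hi:
                return bytes(c ^ k for c, k in zip(stored, cycle(key)))
        return stored  # unencrypted segment passes through unchanged

    def read(self, target_addr, stored):
        """A bus read: access check first, then decryption of the fetched bytes."""
        self.check_access(target_addr)
        return self.decrypt_fetch(target_addr, stored)

    def call_api(self, api_addr):
        """Application firmware jumps into the algorithm API; PC enters Y's space."""
        self.check_access(api_addr)
        self.pc = api_addr


def encrypt_for_storage(plaintext, key):
    """Factory-side counterpart of decrypt_fetch (same toy keystream XOR)."""
    return bytes(p ^ k for p, k in zip(plaintext, cycle(key)))


def door_lock_demo():
    """Returns (direct read outcome, API path recovers plaintext, storage is ciphertext)."""
    system = FusionSystem()
    core_key = system.segment_keys[(0x25001000, 0x2507FFFF)]
    core_code = b"fingerprint-match-core"  # constructed stand-in for the core code
    stored = encrypt_for_storage(core_code, core_key)

    # 1. X tries to read the core region directly: rejected by access control.
    try:
        system.read(0x25001000, stored)
        direct_read = "allowed"
    except AccessViolation:
        direct_read = "denied"

    # 2. X calls the public API (allowed); execution moves into Y's space.
    system.call_api(0x25000010)
    # 3. Code running in Y's space fetches the core region: allowed, and the
    #    decryption module applies the 0x25001000-segment key automatically.
    via_api = system.read(0x25001000, stored)
    return direct_read, via_api == core_code, stored != core_code
```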
The invention also explains a safe multi-firmware fusion control method which comprises the following steps.
Step S1, the storage medium stores the respective application firmware.
Step S2, the storage medium controller completes reading of the application firmware or data on the storage medium according to the access request of the processor or other modules.
Step S3, the multi-address mapping module performs address space mapping of different application firmware, and converts a logical operation address of the application firmware accessed by the processor into a storage address of the application firmware, where each application firmware has an independent operation address space. In an embodiment of the present invention, after an application firmware is upgraded, the multi-address mapping module only changes a mapping relationship between a running address and a storage address of the upgraded application firmware, and data of other application firmware remains unchanged.
Step S4, the operating address space detection module determines the address space currently located according to the currently operating address and the executed instruction of the processor.
Step S5, the access control module sets the access right of the address space; after enabling, it is determined whether the current access is legitimate. In an embodiment of the present invention, the access control module determines whether the current access is legal or not according to the setting of the access control white list or the access control black list and the detection result of the operation address space detection module.
Step S6, the key storage control entity stores the application firmware encryption key and the application firmware encryption and decryption control, and provides a read-write protection mechanism for the key to ensure the security of the key. In an embodiment of the present invention, the key stored by the key storage control entity is burned together with the application firmware in a factory, and after the system runs, the key can be used by the decryption module to complete decryption of the application firmware.
Step S7, the decryption module completes decryption of the code of the designated storage area. In an embodiment of the present invention, the decryption module includes a plurality of address segment decryption control units, which can implement that different address segments use different decryption keys.
In summary, the secure multi-firmware fusion system and the multi-firmware fusion control method provided by the invention can reduce the complexity of firmware upgrade in the multi-firmware fusion system, and improve the stability of the system and the security of multi-firmware fusion.
The invention can increase the access security among the firmware in the multi-firmware fusion system and ensure the data security and the system security of the firmware. In addition, the invention can also protect intellectual property of each firmware in the multi-firmware fusion system and prevent the firmware from being copied by cloning.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware; for example, it may be implemented using Application Specific Integrated Circuits (ASICs), general purpose computers, or any other similar hardware devices. In some embodiments, the software programs of the present application may be executed by a processor to implement the above steps or functions. As such, the software programs (including associated data structures) of the present application can be stored in a computer-readable recording medium; such as RAM memory, magnetic or optical drives or diskettes, and the like. In addition, some steps or functions of the present application may be implemented using hardware; for example, as circuitry that cooperates with the processor to perform various steps or functions.
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The description and applications of the invention herein are illustrative and are not intended to limit the scope of the invention to the embodiments described above. Effects or advantages referred to in the embodiments may not be reflected in the embodiments due to interference of various factors, and the description of the effects or advantages is not intended to limit the embodiments. Variations and modifications of the embodiments disclosed herein are possible, and alternative and equivalent various components of the embodiments will be apparent to those skilled in the art. It will be clear to those skilled in the art that the present invention may be embodied in other forms, structures, arrangements, proportions, and with other components, materials, and parts, without departing from the spirit or essential characteristics thereof. Other variations and modifications of the embodiments disclosed herein may be made without departing from the scope and spirit of the invention.