CN115421756B - A service-oriented gateway upgrade method - Google Patents
- Publication number: CN115421756B (application CN202211130453.7A)
- Authority: CN (China)
- Prior art keywords: program, data, gateway, memory, upgrade
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F8/65: Electric digital data processing; Arrangements for software engineering; Software deployment; Updates
- G06F8/71: Electric digital data processing; Arrangements for software engineering; Software maintenance or management; Version control; Configuration management
- Y02D30/50: Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate
Abstract
The present invention provides a service-oriented gateway upgrade method, comprising: when the gateway is powered on for the first time, the gateway pre-boot program is run from the boot memory; the gateway pre-boot program verifies the validity of the boot program in the current valid partition; the hardware encryption module verifies the validity of the upgrade program and data signature using the public key data of the asymmetric encryption algorithm and the set encryption algorithm; if verification passes, the signature values of the boot program, the basic software program and the routing table configuration data are stored in the secure memory of the current invalid partition. The invention allows background download when the software of an on-board controller is updated, without affecting the gateway function, and the upgrade can be completed by a reset when the gateway controller sleeps or meets the reset condition, which improves the user experience. The downloaded upgrade program and data are signature-verified, which effectively prevents programs and data from being tampered with illegally and protects the software and data of the vehicle-mounted service-oriented gateway controller.
Description
Technical field
The invention relates to the field of information security, and in particular to a method for upgrading a service-oriented gateway.
Background
With the continuing development of automation, intelligence and connectivity in vehicles, software update has gradually become a required function of every on-board controller. Over-the-air (OTA) technology in particular allows on-board controller software to be upgraded remotely over the 4G or 5G link of the on-board communication terminal, so software problems can be fixed and software functions updated without a visit to a vehicle service station. A vehicle-mounted service-oriented gateway controller generally uses a microcontroller as its main control chip. A main control chip with a single built-in program memory uses a non-background download: the upgrade package has to be downloaded after jumping to the boot program, only single-partition mode is possible, the current application program is erased first and the new application program is then downloaded, and the gateway function is unavailable during the download. A main control chip with two built-in program memories, or with one built-in program memory plus one external program memory, can use a background download: the gateway function is unaffected while the upgrade package is downloaded, and the new upgrade package is downloaded into the other, non-valid program memory or into the external program memory.
The main control chips used by most vehicle-mounted service-oriented gateway controllers today have no memory mapping unit (MMU), so address mapping is not possible even with two built-in program memories. The upgrade process with background download is therefore generally: after the upgrade program has been downloaded, jump to the boot program, which erases the current application program, reads the upgrade program and writes it into the application program storage space. The software architecture of current vehicle-mounted service-oriented gateway controllers is accordingly as shown in Fig. 1: it comprises a boot program and an application program, and the application program can be divided by function into the basic software program, the application software program and the routing table configuration data.
In the prior art, the upgrade process of a vehicle-mounted service-oriented gateway controller is generally: the boot program verifies the signature of the upgrade program; once the signature is verified, the application-valid flag is set and a software reset is performed; at start-up the application-valid flag is checked, and if the application program is valid, execution jumps to it. The upgrade of existing vehicle-mounted service-oriented gateway controllers takes a long time, and the gateway function is unavailable during the upgrade, which affects normal use of the vehicle and gives a poor user experience. If the application program cannot run normally after the upgrade, this is not detected automatically and the software is not rolled back to the previous version, so there is no guarantee that the gateway function still works after an upgrade. In addition, to preserve start-up performance, the boot program checks only the application-valid flag and cannot effectively detect that the application program has been tampered with, so the software security of the controller cannot be guaranteed.
Summary of the invention
To address the above technical problems, the present invention adopts the following technical solution:
A service-oriented gateway upgrade method, applied to a gateway upgrade system. The gateway upgrade system comprises a main controller module, a hardware encryption module and a real-time clock module; the hardware encryption module and the real-time clock module are connected to the main controller module; the hardware encryption module performs hardware encryption operations and the real-time clock module performs timing operations;
The main controller module contains no memory mapping unit. It comprises a boot memory, a first built-in memory, a second built-in memory and a data memory. The boot memory stores the gateway pre-boot program. One of the first and second built-in memories is marked as the valid partition and the other as the invalid partition. The first and second built-in memories store the boot program, the random sampling data, the basic software program, the application software program and the routing table configuration data; an erase or write operation on one of them does not affect read operations on the other. The data memory stores the operating parameters of the gateway;
The hardware encryption module comprises an encryption algorithm processor, a program memory and a secure memory. The secure memory stores the public key data of the asymmetric encryption/decryption algorithm, the encryption algorithm key data, the boot program signature corresponding to the boot program, the MAC value corresponding to the random sampling data, the basic software program signature corresponding to the basic software program, the routing table configuration data signature corresponding to the routing table configuration data, and the valid partition flag corresponding to the valid partition;
The service-oriented gateway upgrade method comprises the following steps:
S100. When the gateway is powered on for the first time, the gateway pre-boot program is run from the boot memory;
S200. The gateway pre-boot program verifies the validity of the boot program in the current valid partition and runs the boot program of the current valid partition;
S300. The boot program verifies the validity of the basic software program, the random sampling data and the routing table configuration data, and runs the basic software program;
S400. An upgrade request for the gateway is received; the valid partition flag is obtained through the hardware encryption module and the storage space of the invalid partition is determined; the boot program erases the storage space of the invalid partition; and the boot program signature, the basic software program signature, the routing table configuration data signature and the MAC value of the random sampling data of the invalid partition are set to the default invalid value;
S500. The boot program, the basic software program, the application software program and the routing table configuration data are downloaded into the invalid partition, and the upgrade program and data signature are downloaded; the hardware encryption module verifies the validity of the upgrade program and data signature using the public key data of the asymmetric encryption algorithm and the set encryption algorithm; if verification passes, step S600 is executed;
S600. The signature values of the boot program, the basic software program and the routing table configuration data are stored in the secure memory of the current invalid partition of the hardware encryption module;
S700. The application software program is randomly sampled, and the resulting random sampling data is stored in the secure memory of the invalid partition; the hardware encryption module calculates the MAC value of the random sampling data using the encryption algorithm key data and the encryption algorithm, and stores the MAC value in the hardware encryption module;
S800. The valid partition flag stored in the hardware encryption module is set to the current invalid partition, and the pre-upgrade program and data continue to run; when the gateway reset or sleep condition is met, a software reset is performed, the method returns to step S200, and the upgraded program and data run.
The present invention has at least the following beneficial effects:
The service-oriented gateway upgrade method proposed by the invention allows background download when the software of an on-board controller is updated, and the download does not affect the gateway function. Once download and verification are complete, executing the upgrade takes the same time as a software reset, and the reset that completes the upgrade can be performed when the vehicle-mounted service-oriented gateway controller sleeps or meets the reset condition, so normal use of the vehicle is unaffected and the user experience is improved. Each part of the software is verified when the vehicle-mounted service-oriented gateway starts; to preserve the start-up performance of the gateway controller, the application software program, which has a large data volume, is randomly sampled, which can effectively identify tampered software and protects the software of the gateway controller. The downloaded upgrade program and data are signature-verified, which effectively prevents programs and data from being tampered with illegally and protects the software and data of the vehicle-mounted service-oriented gateway controller.
Brief description of the drawings
To explain the technical solutions in the embodiments of the present invention more clearly, the drawings used in the description of the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the software architecture of an existing vehicle-mounted service-oriented gateway controller;
Fig. 2 is a schematic diagram of the module connections of the gateway upgrade system provided by an embodiment of the present invention;
Fig. 3 is a flowchart of the service-oriented gateway upgrade method provided by an embodiment of the present invention;
Fig. 4 is a flowchart of how the invention determines that the programs and data in the current valid partition are running abnormally;
Fig. 5 is a flowchart of the method steps after step S800 of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person skilled in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
A service-oriented gateway upgrade method, applied to a gateway upgrade system:
As shown in Fig. 2, the gateway upgrade system comprises a main controller module, a hardware encryption module and a real-time clock module. The hardware encryption module and the real-time clock module are connected to the main controller module. The hardware encryption module may be built into the main controller module, or may be connected to it externally over I2C, SPI or UART. The hardware encryption module performs hardware encryption operations and provides hardware acceleration of the encryption and decryption algorithms, which effectively shortens the verification time of the application software program. The real-time clock module is connected to the main controller module over I2C or UART and provides a timing service used to calculate the running time of the program. The main controller module is the MCU processor of the gateway, and the real-time clock module uses an RTC real-time clock chip for data processing.
The main controller module contains no memory mapping unit. It comprises a boot memory, a first built-in memory, a second built-in memory and a data memory. The boot memory stores the gateway pre-boot program. One of the first and second built-in memories is marked as the valid partition and the other as the invalid partition. The first and second built-in memories store the boot program, the random sampling data, the basic software program, the application software program and the routing table configuration data; an erase or write operation on one of them does not affect read operations on the other. The data memory stores the operating parameters of the gateway;
The hardware encryption module comprises an encryption algorithm processor, a program memory and a secure memory. The secure memory stores the public key data of the asymmetric encryption/decryption algorithm, the encryption algorithm key data, the boot program signature corresponding to the boot program, the MAC value corresponding to the random sampling data, the basic software program signature corresponding to the basic software program, the routing table configuration data signature corresponding to the routing table configuration data, and the valid partition flag corresponding to the valid partition;
The valid partition flag indicates whether the currently valid program is stored in the first or the second built-in memory of the main controller module. For example, the valid partition flag defaults to 0xFFFFFFFF or 0x00000000, which means there is no valid program; 0xA555A555 means the currently valid program is stored in the first built-in memory; 0xA5AAA5AA means the currently valid program is stored in the second built-in memory; any other value is invalid.
If the valid partition flag points to the first built-in memory, the current invalid partition is the second built-in memory; if the valid partition flag points to the second built-in memory, the current invalid partition is the first built-in memory.
As shown in Fig. 3, the service-oriented gateway upgrade method comprises the following steps:
S001. The program of the hardware encryption module, the public key data of the asymmetric encryption algorithm and the encryption algorithm key data are programmed into the hardware encryption module;
S002. The gateway pre-boot program is programmed into the boot memory, and the boot memory protection option is set to read-only protection mode;
S003. The initial version of the gateway's boot program, random sampling data, basic software program, application software program and routing table configuration data is programmed into the first built-in memory and the second built-in memory; the boot program signature, the MAC value of the random sampling data, the basic software program signature and the routing table configuration data signature of both partitions are stored securely through the hardware encryption module; and the valid partition flag is set to point to the first built-in memory;
Steps S001-S003 are the initial programming steps of the vehicle-mounted service-oriented gateway. After the initial program has been programmed into the gateway, the upgrade steps are carried out. The secure silent upgrade steps of the vehicle-mounted service-oriented gateway are:
S100. When the gateway is powered on for the first time, the gateway pre-boot program is run from the boot memory;
S200. The gateway pre-boot program verifies the validity of the boot program in the current valid partition and runs the boot program of the current valid partition;
S300. The boot program verifies the validity of the basic software program, the random sampling data and the routing table configuration data, and runs the basic software program;
S400. An upgrade request for the gateway is received; the valid partition flag is obtained through the hardware encryption module and the storage space of the invalid partition is determined; the boot program erases the storage space of the invalid partition; and the boot program signature, the basic software program signature, the routing table configuration data signature and the MAC value of the random sampling data of the invalid partition are erased and set to the default invalid value, for example all set to 0xFFFFFFFF;
The upgrade request comes either from an external diagnostic tester, which authenticates through the on-board diagnostic system and, once verified, sends a diagnostic request to enter a programming session, or from the on-board remote upgrade terminal (which may be the remote communication terminal TBox), which performs the upgrade and sends a diagnostic request to enter a programming session.
S500. The boot program, the basic software program, the application software program and the routing table configuration data are downloaded into the invalid partition, and the upgrade program and data signature are downloaded; the hardware encryption module verifies the validity of the upgrade program and data signature using the public key data of the asymmetric encryption algorithm and the set encryption algorithm; if verification passes, step S600 is executed;
Because the main controller module has no built-in memory mapping unit (MMU), the upgrade file contains the programs for both partition spaces. Programs addressed to the memory space of the current valid partition are therefore neither verified nor written when they are received; only programs addressed to the program memory space of the current invalid partition are written, into that space. The downloaded boot program signature value is not written into the program memory of the invalid partition; it is used to verify the downloaded boot program.
S600. The signature values of the boot program, the basic software program and the routing table configuration data are stored in the secure memory of the current invalid partition of the hardware encryption module;
S700. The application software program is randomly sampled, and the resulting random sampling data is stored in the secure memory of the invalid partition; the random sampling extracts 32kb, or another size, of data at random; the hardware encryption module calculates the MAC value of the random sampling data using the encryption algorithm key data and the encryption algorithm, and stores the MAC value in the hardware encryption module; the encryption algorithm may be the AES128-CMAC algorithm;
The random sampling data and the MAC value are used for fast verification of the application software program during secure boot. This avoids the long verification time, and the resulting loss of start-up performance, that would occur when the application software program occupies a large amount of program memory.
S800. The valid partition flag stored in the hardware encryption module is set to the current invalid partition, and the pre-upgrade program and data continue to run; when the gateway reset or sleep condition is met, a software reset is performed, the method returns to step S200, and the upgraded program and data run.
As shown in Fig. 5, after step S800 the method further comprises:
S910. When the gateway pre-boot program starts after the reset, it obtains the reset type and calculates the running time since the previous start;
S920. If the reset type is a watchdog reset, the running time is less than the set minimum running time, and this occurs three times in a row, the programs and data in the current valid partition are judged to be running abnormally, and the boot program signature, the MAC value of the random sampling data, the basic software program signature and the routing table configuration data signature of the valid partition stored in the hardware encryption module are set to the default invalid value, for example all set to 0xFF;
As shown in Fig. 4, judging in step S920 that the programs and data in the current valid partition are running abnormally comprises:
S921. When the gateway pre-boot program starts, it obtains the reset type of the main controller module, obtains the current time T_0 from the real-time clock module, and stores it in the data memory;
S922. If the reset type is a watchdog reset, step S923 is executed; if the reset type is not a watchdog reset, step S924 is executed;
S923. The running time before the watchdog reset is determined as T = T_0 - T_2, where T_2 is the real-time clock time that was stored when the main controller module reset during the period before T_0;
If T < T_min, step S925 is executed, where T_min is the preset minimum running time for a watchdog reset;
S924. The reset count C of the main controller module is cleared to zero;
S925. The reset count C of the main controller module is incremented by 1 and stored;
Step S925 comprises:
S926. If the reset count C of the main controller module equals C_max, the programs and data in the current valid partition are judged to be running abnormally, where C_max is the preset maximum reset count for the reset state;
S930. The hardware encryption module verifies the validity of the program in the current invalid partition; if the program is valid, the valid partition flag stored in the hardware encryption module is set to the current invalid partition, a software reset is performed, execution switches to the new current valid partition, and the method returns to step S200, which achieves automatic software rollback.
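The reset tracking and rollback decision of steps S921 to S930, written out as an added C example (not code from the patent). The values chosen for T_min and C_max, the `persist_t` layout, treating a backwards-moving clock as a zero-length run, clearing the count after a long-running watchdog reset, and the result when the fallback bank fails verification are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Valid-partition flag values as given in the description. */
#define FLAG_BANK1 0xA555A555u   /* valid program in first built-in memory  */
#define FLAG_BANK2 0xA5AAA5AAu   /* valid program in second built-in memory */

/* Assumed tuning values: the text only names T_min and C_max
 * and mentions three consecutive occurrences. */
#define T_MIN_SECONDS 30u
#define C_MAX         3u

typedef enum { BANK_NONE = 0, BANK_1 = 1, BANK_2 = 2 } bank_t;
typedef enum { RESET_POWER_ON, RESET_SOFTWARE, RESET_WATCHDOG } reset_type_t;
typedef enum { BOOT_CONTINUE, BOOT_ROLLBACK, BOOT_NO_VALID_IMAGE } boot_action_t;

/* State that survives a reset (hypothetical layout). */
typedef struct {
    uint32_t valid_flag;      /* secure memory: valid-partition flag          */
    uint32_t last_boot_time;  /* data memory: RTC time of previous start, T_2 */
    uint32_t reset_count;     /* data memory: C                               */
    bool     sig_valid[3];    /* secure memory: stored signatures of bank N
                                 are not the default invalid value            */
} persist_t;

/* Strict decode: 0xFFFFFFFF, 0x00000000 and every other value mean "none". */
bank_t active_bank(uint32_t flag)
{
    if (flag == FLAG_BANK1) return BANK_1;
    if (flag == FLAG_BANK2) return BANK_2;
    return BANK_NONE;
}

bank_t other_bank(bank_t b)
{
    if (b == BANK_1) return BANK_2;
    if (b == BANK_2) return BANK_1;
    return BANK_NONE;
}

/* Called by the pre-boot program on every start. `now` is T_0 from the RTC;
 * `other_bank_verifies` is the S930 result reported by the hardware
 * encryption module for the currently invalid partition. */
boot_action_t preboot_check(persist_t *p, reset_type_t type,
                            uint32_t now, bool other_bank_verifies)
{
    bank_t active = active_bank(p->valid_flag);

    /* S923: T = T_0 - T_2. An RTC that moved backwards would wrap the
     * unsigned subtraction to a huge run time and hide a crash loop,
     * so it is counted as a zero-length run (assumption). */
    uint32_t ran_for = (now >= p->last_boot_time) ? now - p->last_boot_time : 0u;
    p->last_boot_time = now;                       /* S921 */

    if (active == BANK_NONE)
        return BOOT_NO_VALID_IMAGE;

    if (type == RESET_WATCHDOG && ran_for < T_MIN_SECONDS)
        p->reset_count++;                          /* S925 */
    else
        p->reset_count = 0;                        /* S924 */

    if (p->reset_count < C_MAX)
        return BOOT_CONTINUE;

    /* S926 / S920: the active image is abnormal, invalidate its signatures. */
    p->sig_valid[active] = false;
    p->reset_count = 0;

    /* S930: switch only if the other bank still verifies. */
    bank_t fallback = other_bank(active);
    if (!other_bank_verifies || !p->sig_valid[fallback])
        return BOOT_NO_VALID_IMAGE;
    p->valid_flag = (fallback == BANK_1) ? FLAG_BANK1 : FLAG_BANK2;
    return BOOT_ROLLBACK;                          /* caller performs software reset */
}

int main(void)
{
    /* Constructed scenario: bank 2 was just activated and dies within seconds. */
    persist_t p = { FLAG_BANK2, 1000u, 0u, { false, true, true } };
    uint32_t boots[] = { 1005u, 1010u, 1012u };
    for (int i = 0; i < 3; i++) {
        boot_action_t a = preboot_check(&p, RESET_WATCHDOG, boots[i], true);
        printf("boot %d: action=%d flag=0x%08X\n", i + 1, (int)a, (unsigned)p.valid_flag);
    }
    return 0;
}
```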
The step in which the hardware encryption module verifies the validity of the upgrade program and data signatures, using the public key data of the asymmetric encryption algorithm and the set encryption algorithm, comprises:
S510. The hardware encryption module processes the downloaded upgrade program and data with a cryptographic hash algorithm to obtain a first hash value.
S520. The hardware encryption module decrypts the signatures of the downloaded upgrade program and data, using the public key data of the asymmetric encryption algorithm and the set encryption algorithm, to obtain a second hash value.
If the first hash value equals the second hash value, the validity check passes; otherwise, the validity check fails.
S530. If the first hash value equals the second hash value, the boot program signature, the basic software program signature, and the routing table configuration data signature are stored in the hardware encryption module. Otherwise, the downloaded boot program has been tampered with or the file is corrupted, and the upgrade is stopped.
In step S510, the downloaded upgrade program and data comprise the boot program, the basic software program, the application software program, and the routing table configuration data.
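The check in steps S510 to S530, modelled in Python as an added example (not code from the patent). The patent names neither the hash nor the asymmetric algorithm, so SHA-256 and unpadded RSA with a constructed, insecure demo key stand in for them; the `HardwareCryptoModule` class, the per-component signatures and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key, NOT secure: two Mersenne primes and e = 65537.
_P, _Q = 2**521 - 1, 2**607 - 1
N, E = _P * _Q, 65537                      # public key held by the module
_D = pow(E, -1, (_P - 1) * (_Q - 1))       # private key, signing side only

# Components listed for step S510; S530 stores only three of the signatures.
COMPONENTS = ("bootloader", "base_software", "application", "routing_table")
STORED_AFTER_VERIFY = ("bootloader", "base_software", "routing_table")


def first_hash(image):
    """S510: hash the downloaded bytes (SHA-256 assumed)."""
    return hashlib.sha256(image).digest()


def sign(image):
    """Signing side (assumed): raw RSA private-key operation on the digest."""
    return pow(int.from_bytes(first_hash(image), "big"), _D, N)


def second_hash(signature):
    """S520: public-key operation on the signature recovers the signed digest."""
    if not isinstance(signature, int) or not 0 <= signature < N:
        return None
    recovered = pow(signature, E, N)
    if recovered >> 256:                   # not a 32-byte digest: reject
        return None
    return recovered.to_bytes(32, "big")


class HardwareCryptoModule:
    """Hypothetical stand-in for the hardware encryption module."""

    def __init__(self):
        self.stored_signatures = {}

    def verify_upgrade(self, package):
        """package maps component name -> (image bytes, signature int)."""
        for name in COMPONENTS:
            if name not in package:
                return False               # incomplete package: stop the upgrade
            image, signature = package[name]
            expected = second_hash(signature)
            # Constant-time comparison of the first and second hash values.
            if expected is None or not hmac.compare_digest(first_hash(image), expected):
                return False               # tampered or corrupted: stop the upgrade
        # S530: store signatures only after every component has verified.
        for name in STORED_AFTER_VERIFY:
            self.stored_signatures[name] = package[name][1]
        return True


def build_demo_package():
    """Constructed sample input: four small byte strings signed with the demo key."""
    images = {name: (name + " image v2").encode() for name in COMPONENTS}
    return {name: (image, sign(image)) for name, image in images.items()}


if __name__ == "__main__":
    module = HardwareCryptoModule()
    print("upgrade accepted:", module.verify_upgrade(build_demo_package()))
```

A production verifier would use a standardized, padded signature scheme with a key provisioned in the hardware module. Storing nothing until every component has verified is a design choice of this example, so a rejected package leaves the stored signatures untouched.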
The service-oriented gateway upgrade method proposed by the present invention allows software updates for the in-vehicle controller to be downloaded in the background, and the download does not affect gateway functions. Once download and verification are complete, the time needed to carry out the upgrade equals the software reset time, so the upgrade can be completed by a reset when the in-vehicle service-oriented gateway controller is asleep or the reset conditions are met. This does not affect normal use of the vehicle and improves the user experience. In addition, each part of the software is verified when the in-vehicle service-oriented gateway starts. To preserve the startup performance of the gateway controller, the application software program, which has a large data volume, is verified by random sampling; this effectively identifies tampered software and protects the software security of the in-vehicle service-oriented gateway controller.
In addition, although the steps of the method of the present disclosure are depicted in the drawings in a particular order, this does not require or imply that the steps must be performed in that order, or that all of the illustrated steps must be performed, to achieve the desired result. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be split into multiple steps.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. The technical solutions according to the embodiments of the present disclosure can therefore be embodied as a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive, or portable hard disk) or on a network, and which includes instructions that cause a computing device (such as a personal computer, server, mobile terminal, or network device) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, an electronic device capable of implementing the above method is also provided.
Those skilled in the art will understand that aspects of the present invention can be implemented as a system, a method, or a program product. Aspects of the present invention can therefore take the following forms: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, and the like), or an embodiment combining hardware and software aspects, which may be referred to collectively here as a "circuit", "module", or "system".
The electronic device according to this embodiment of the present invention is only an example and should not impose any limitation on the functions or scope of use of the embodiments of the present invention.
The electronic device takes the form of a general-purpose computing device. Its components may include, but are not limited to: the at least one processor mentioned above, the at least one memory mentioned above, and a bus connecting the different system components (including the memory and the processor).
The memory stores program code that can be executed by the processor, causing the processor to perform the steps according to the various exemplary embodiments of the present invention described in the "Exemplary Methods" section above in this specification.
The memory may include readable media in the form of volatile memory, such as random access memory (RAM) and/or cache memory, and may further include read-only memory (ROM).
The memory may also include a program/utility having a set of (at least one) program modules. Such program modules include, but are not limited to, an operating system, one or more application programs, other program modules, and program data; each of these examples, or some combination of them, may include an implementation of a network environment.
The bus may represent one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus structures.
The electronic device may also communicate with one or more external devices (such as a keyboard, pointing device, or Bluetooth device), with one or more devices that enable a user to interact with the electronic device, and/or with any device (such as a router or modem) that enables the electronic device to communicate with one or more other computing devices. Such communication may take place through an input/output (I/O) interface. The electronic device may also communicate with one or more networks (such as a local area network (LAN), a wide area network (WAN), and/or a public network such as the Internet) through a network adapter. As shown in the figure, the network adapter communicates with the other modules of the electronic device over the bus. It should be understood that, although not shown in the figure, other hardware and/or software modules may be used in conjunction with the electronic device, including but not limited to: microcode, device drivers, redundant processors, external disk drive arrays, RAID systems, tape drives, and data backup storage systems.
From the description of the above embodiments, those skilled in the art will readily understand that the example embodiments described here can be implemented in software, or in software combined with the necessary hardware. The technical solutions according to the embodiments of the present disclosure can therefore be embodied as a software product, which can be stored on a non-volatile storage medium (such as a CD-ROM, USB flash drive, or portable hard disk) or on a network, and which includes instructions that cause a computing device (such as a personal computer, server, terminal device, or network device) to execute the method according to the embodiments of the present disclosure.
In an exemplary embodiment of the present disclosure, a computer-readable storage medium is also provided, on which is stored a program product capable of implementing the method described above in this specification. In some possible embodiments, aspects of the present invention can also be implemented as a program product that includes program code; when the program product runs on a terminal device, the program code causes the terminal device to perform the steps according to the various exemplary embodiments of the present invention described in the "Exemplary Methods" section above in this specification.
A computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying readable program code. Such a propagated data signal may take many forms, including but not limited to electromagnetic signals, optical signals, or any suitable combination of these. A readable signal medium may also be any readable medium other than a readable storage medium that can send, propagate, or transport a program for use by or in conjunction with an instruction execution system, apparatus, or device.
Program code contained on a readable medium may be transmitted over any appropriate medium, including but not limited to wireless, wired, optical cable, RF, or any suitable combination of these.
Program code for carrying out the operations of the present invention may be written in any combination of one or more programming languages, including object-oriented programming languages such as Java and C++, as well as conventional procedural programming languages such as "C" or similar languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on a remote computing device or server. Where a remote computing device is involved, it may be connected to the user's computing device through any kind of network, including a local area network (LAN) or a wide area network (WAN), or it may be connected to an external computing device (for example, over the Internet through an Internet service provider).
In addition, the above drawings are only schematic illustrations of the processing included in the method according to the exemplary embodiments of the present invention and are not intended to be limiting. It is easy to understand that the processing shown in the drawings does not indicate or limit the chronological order of that processing. It is also easy to understand that the processing may be performed synchronously or asynchronously, for example across multiple modules.
It should be noted that although several modules or units of the device for performing actions are mentioned in the detailed description above, this division is not mandatory. According to the embodiments of the present disclosure, the features and functions of two or more modules or units described above may be embodied in a single module or unit. Conversely, the features and functions of one module or unit described above may be further divided among multiple modules or units.
The above is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. The scope of protection of the present invention shall therefore be determined by the scope of protection of the claims.
Claims (9)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211130453.7A CN115421756B (en) | 2022-09-16 | 2022-09-16 | A service-oriented gateway upgrade method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN115421756A (en) | 2022-12-02 |
| CN115421756B (en) | 2023-07-18 |
Family
ID=84204200
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211130453.7A Active CN115421756B (en) | 2022-09-16 | 2022-09-16 | A service-oriented gateway upgrade method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115421756B (en) |
Citations (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN111327689A (en) * | 2020-01-22 | 2020-06-23 | 大运汽车股份有限公司 | Method for realizing remote upgrading of vehicle ECU (electronic control Unit) based on UDS (Universal data System) communication protocol |
| CN111343064A (en) * | 2020-02-29 | 2020-06-26 | 东风汽车集团有限公司 | System and method for upgrading software of automobile control system |
| CN112486554A (en) * | 2020-12-01 | 2021-03-12 | 中国科学院合肥物质科学研究院 | Vehicle-mounted networking terminal software upgrading method |
| WO2021115477A1 (en) * | 2019-12-13 | 2021-06-17 | 中兴通讯股份有限公司 | Program upgrade method and apparatus, electronic device and storage medium |
| CN113467813A (en) * | 2021-05-19 | 2021-10-01 | 深圳拓邦股份有限公司 | Controller online upgrading method and device, electronic equipment and storage medium |
| CN113553115A (en) * | 2020-04-23 | 2021-10-26 | 上汽通用汽车有限公司 | Starting method based on heterogeneous multi-core chip and storage medium |
| CN113849212A (en) * | 2021-09-30 | 2021-12-28 | 蜂巢能源科技有限公司 | Software upgrading control method and device and electronic equipment |
| CN114398064A (en) * | 2022-01-29 | 2022-04-26 | 重庆长安汽车股份有限公司 | A method and system for OTA upgrading vehicle controller |
| CN114880011A (en) * | 2022-05-25 | 2022-08-09 | 歌尔股份有限公司 | OTA (over the air) upgrading method and device, electronic equipment and readable storage medium |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US9652755B2 (en) * | 2009-08-11 | 2017-05-16 | Silver Spring Networks, Inc. | Method and system for securely updating field upgradeable units |
Non-Patent Citations (1)
| Title |
|---|
| Analysis of OTA Implementation Schemes and Vehicle-Side Design; 李立安; 赵帼娟; 任广乐; 汽车实用技术 (Issue 14); full text * |
Also Published As
| Publication number | Publication date |
|---|---|
| CN115421756A (en) | 2022-12-02 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN108399339B (en) | Trusted starting method based on security chip | |
| CN108958787B (en) | Block chain system upgrading method, device, equipment and storage medium | |
| JP4647300B2 (en) | Method and system to ensure that software updates can be installed or run only on a specific device or class of devices | |
| CN108376077A (en) | The upgrade method and device of control unit | |
| US20240028738A1 (en) | Trusted verification system and method, motherboard, micro-board card, and storage medium | |
| EP4075309A1 (en) | Secure boot device | |
| CN112148314B (en) | Mirror image verification method, device and equipment of embedded system and storage medium | |
| CN111353150A (en) | A trusted boot method, device, electronic device and readable storage medium | |
| KR20230081988A (en) | Vehicle security starting method, device, electronic control unit and storage medium | |
| CN115329321A (en) | Firmware starting method, chip and computing device | |
| CN111400771A (en) | Target partition checking method and device, storage medium and computer equipment | |
| CN115935335B (en) | Firmware starting method, chip and computing device | |
| CN114721693B (en) | Microprocessor, BIOS firmware updating method, computer equipment and storage medium | |
| CN115421756B (en) | A service-oriented gateway upgrade method | |
| CN110730079B (en) | System for safe starting and trusted measurement of embedded system based on trusted computing module | |
| CN119917149A (en) | A wireless embedded product online upgrade method | |
| CN117075950A (en) | System upgrade and rollback method and system for embedded devices based on main control chip | |
| CN115964721A (en) | Program verification method and electronic equipment | |
| CN116541891A (en) | UEFI image file integrity protection method, device, equipment and medium | |
| CN113190246A (en) | Software program upgrading method and device, readable storage medium and electronic equipment | |
| CN112015484A (en) | Encryption, modification and reading method and device for configuration file of Internet of things equipment | |
| JP7649362B1 (en) | Information processing device, control method, and program | |
| CN114895926B (en) | Application program installation method and device, electronic equipment and storage medium | |
| US20250358110A1 (en) | Extending firmware verification to other components within system as part of chain of trust | |
| CN119203144A (en) | A method and device for configuring firmware measurement information |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |