Detailed Description
FIG. 2 is a schematic diagram of a secure computer module according to at least one embodiment of the present application. As shown in FIG. 2, the secure computer module includes a first secure computer to an nth secure computer, where n is a positive integer greater than 1. Each secure computer includes a central processor, a first memory and external devices, and each central processor includes a master core and slave cores. At least two of the secure computers are configured to run the same logic, process the same data, compare and vote on the calculation results, and output the data only after the vote is consistent.
The master core is configured to run a first operating system, and to run a hypervisor (management program) and the execution programs of non-secure applications on the first operating system;
each slave core is configured to start up under the control of the master core, to run a second operating system, and to run an independent execution program of a secure application on the second operating system.
In the secure computer module of this embodiment, the master core and the slave cores run different operating systems: the master core runs the hypervisor and the execution programs of non-secure applications, and each slave core runs an independent execution program of a secure application, so that the secure applications do not affect each other. The number of secure application execution programs that run is equal to the number of slave cores. A secure computer module may run the execution program of one secure application, or the execution programs of two or more secure applications.
The first operating system may be a Linux system, or it may be another real-time operating system (RTOS) such as VxWorks or RT-Thread. VxWorks is a real-time operating system from Wind River Systems (Fenghe) of the United States; RT-Thread is an open source real-time operating system developed mainly by Chinese open source communities.
Illustratively, the second operating system may be an operating system that is certified to the EN50129 functional safety standard or meets the software requirements of the IEC61508-3 standard, with a safety integrity level of SIL 3. For example, the second operating system may be a secure microkernel system or secure VxWorks.
Illustratively, each central processor may include four identical processor cores of the ARM (Advanced RISC Machine) Cortex-A53 architecture. The ARM Cortex-A53, introduced by ARM, is a processor core aimed at mobile devices and embedded systems; it implements the ARMv8-A architecture and is the first ARM Cortex-A series core to support a 64-bit instruction set. The four cores operate in an Asymmetric Multiprocessing (AMP) arrangement, i.e. each core runs its own independent operating system kernel.
Illustratively, the master core is responsible for the external device drivers, for booting the slave cores, and for running the hypervisor and the execution programs of non-secure applications.
The main external devices of each central processor include a Field Programmable Gate Array (FPGA), an Ethernet interface (ETH), a serial port (UART), a FLASH memory, and the like. Only the master core has permission to access these external devices and interfaces; the slave cores cannot access them.
Illustratively, there may be two or more slave cores.
In an exemplary embodiment, the master core is further configured to establish a heartbeat mechanism with each slave core and to monitor the state of each slave core through it, so that a slave core failure is discovered in time.
In an exemplary embodiment, each slave core is further configured to perform, at start-up, a hardware self-test that meets a preset standard.
The preset standard may be the EN50129 standard. The hardware self-test may include a memory self-test, a memory management unit self-test, an instruction decode self-test, a register self-test, an instruction execution self-test, a program counter self-test, a stack pointer self-test, and a clock self-test.
In an exemplary embodiment, the hypervisor may be used to drive and access the external devices and to start the slave cores.
Here, a non-secure application refers to an application that does not take part in any computation involving a safety function.
The first memory may be the memory in which programs run and may be volatile, i.e. its data is lost after a power failure.
FIG. 3 is a schematic diagram of a secure computer module according to at least one embodiment of the present application. As shown in FIG. 3, the secure computer module includes a first secure computer to an nth secure computer, where n is a positive integer greater than 1. Each secure computer includes a central processor, a first memory and external devices, and each central processor includes a master core and slave cores. At least two of the secure computers are configured to run the same logic, process the same data, compare and vote on the calculation results, and output the data only after the vote is consistent. The first memory includes a non-secure computing address block, as many secure computing address blocks as there are slave cores, and shared memory address blocks; the secure computing address blocks and the shared memory address blocks each correspond one-to-one with the slave cores;
the master core is configured to run a first operating system, and to run a hypervisor (management program) and the execution programs of non-secure applications on the first operating system;
each slave core is configured to start up under the control of the master core, to run a second operating system, and to run an independent execution program of a secure application on the second operating system;
the master core is further configured to have permission to access, read and write only the non-secure computing address block and the shared memory address blocks; each slave core is further configured to have permission to access, read and write only the secure computing address block and the shared memory address block that correspond to it; and the master core communicates with each slave core through the shared memory address block corresponding to that slave core.
In the secure computer module of this embodiment, the master core and the slave cores run different operating systems: the master core runs the hypervisor and the execution programs of non-secure applications, and each slave core runs an independent execution program of a secure application, so that the secure applications do not affect each other. The number of secure application execution programs that run is equal to the number of slave cores. A secure computer module may run the execution program of one secure application, or the execution programs of two or more secure applications. The master core and the slave cores communicate through the shared memory address blocks, which allows high-speed communication. The execution program of each secure application running on a slave core uses only its own physical memory block for safety computations, so the safety computing areas of the secure applications are isolated from each other, which provides highly reliable core security and meets the requirements of the EN50129 standard.
Illustratively, each central processor may include four identical processor cores of the ARM (Advanced RISC Machine) Cortex-A53 architecture. The ARM Cortex-A53, introduced by ARM, is a processor core aimed at mobile devices and embedded systems; it implements the ARMv8-A architecture and is the first ARM Cortex-A series core to support a 64-bit instruction set. The four cores operate in an Asymmetric Multiprocessing (AMP) arrangement, i.e. each core runs its own independent operating system kernel.
The first operating system may be a Linux system, or it may be another real-time operating system (RTOS) such as VxWorks or RT-Thread. VxWorks is a real-time operating system from Wind River Systems (Fenghe) of the United States; RT-Thread is an open source real-time operating system developed mainly by Chinese open source communities.
Illustratively, the second operating system may be an operating system that is certified to the EN50129 functional safety standard or meets the software requirements of the IEC61508-3 standard, with a safety integrity level of SIL 3. For example, the second operating system may be a secure microkernel system or secure VxWorks.
As an example, the master core is responsible for allocating the first memory, for the external device drivers of the secure computer module, for booting the slave cores, and for running the hypervisor and the execution programs of non-secure applications.
The first memory may be allocated as follows. Assume the address space of the first memory is 4GB; the first memory may then be divided into 4 address blocks. Assume the master core is assigned a 1GB address block, which is the non-secure computing address block, for running the Linux system, the hypervisor and the execution programs of non-secure applications. The remaining address space is divided equally among the slave cores. Assuming there are 3 slave cores, each slave core is assigned a 1GB address block. Each 1GB address block is divided into two parts, a shared memory communication address block and a secure computing address block: the shared memory communication address block is used for shared memory communication with the master core and may be 250MB in size, and the secure computing address block is used to run the secure microkernel and the execution programs of secure applications and may take the remaining 750MB.
The master core has access and read/write rights to the shared memory communication address blocks allocated to the slave cores, but cannot access the secure computing address blocks allocated to the slave cores. The slave cores cannot access each other's address blocks, nor can a slave core access the address block of the master core.
The main external devices of each central processor include a Field Programmable Gate Array (FPGA), an Ethernet interface (ETH), a serial port (UART), a FLASH memory, and the like. Only the master core has permission to access these external devices and interfaces; the slave cores cannot access them.
Illustratively, there may be two or more slave cores.
In an exemplary embodiment, the master core is further configured to establish a heartbeat mechanism with each slave core and to monitor the state of each slave core through it, so that a slave core failure is discovered in time.
In an exemplary embodiment, each slave core is further configured to perform, at start-up, a self-test that meets a preset criterion.
The preset criterion may be the EN50129 standard. The hardware self-test may include a memory self-test, a memory management unit self-test, an instruction decode self-test, a register self-test, an instruction execution self-test, a program counter self-test, a stack pointer self-test, and a clock self-test.
In an exemplary embodiment, the hypervisor may be configured to allocate the first memory, to drive and access the external devices, and to start the slave cores.
Here, a non-secure application refers to an application that does not take part in any computation involving a safety function.
The first memory may be the memory in which programs run and may be volatile, i.e. its data is lost after a power failure. The first memory may be, for example, a double data rate (DDR) memory, such as a double data rate synchronous dynamic random access memory.
FIG. 4 is a schematic diagram of a secure computer module according to at least one embodiment of the present application. As shown in FIG. 4, the secure computer module includes a first secure computer to an nth secure computer, where n is a positive integer greater than 1. Each secure computer includes a central processor, a first memory and external devices, and each central processor includes a master core and slave cores. At least two of the secure computers are configured to run the same logic, process the same data, compare and vote on the calculation results, and output the data only after the vote is consistent. The first memory includes a non-secure computing address block, as many secure computing address blocks as there are slave cores, and shared memory address blocks; the secure computing address blocks and the shared memory address blocks each correspond one-to-one with the slave cores. The external devices include a second memory, which is connected to the master core and stores a boot script, a boot program, an image of the first operating system, a device tree file, the execution programs of the hypervisor or non-secure applications, and an image of the second operating system.
the master core is configured to run a first operating system, and to run a hypervisor (management program) and the execution programs of non-secure applications on the first operating system;
each slave core is configured to start up under the control of the master core, to run a second operating system, and to run an independent execution program of a secure application on the second operating system;
the master core is further configured to have permission to access, read and write only the non-secure computing address block and the shared memory address blocks; each slave core is further configured to have permission to access, read and write only the secure computing address block and the shared memory address block that correspond to it; and the master core communicates with each slave core through the shared memory address block corresponding to that slave core.
In the secure computer module of this embodiment, the master core and the slave cores run different operating systems: the master core runs the hypervisor and the execution programs of non-secure applications, and each slave core runs an independent execution program of a secure application, so that the secure applications do not affect each other. The number of secure application execution programs that run is equal to the number of slave cores. A secure computer module may run the execution program of one secure application, or the execution programs of two or more secure applications. The master core and the slave cores communicate through the shared memory address blocks, which allows high-speed communication. The execution program of each secure application running on a slave core uses only its own physical memory block for safety computations, so the safety computing areas of the secure applications are isolated from each other, which provides highly reliable core security and meets the requirements of the EN50129 standard.
Illustratively, each central processor may include four identical processor cores of the ARM (Advanced RISC Machine) Cortex-A53 architecture. The ARM Cortex-A53, introduced by ARM, is a processor core aimed at mobile devices and embedded systems; it implements the ARMv8-A architecture and is the first ARM Cortex-A series core to support a 64-bit instruction set. The four cores operate in an Asymmetric Multiprocessing (AMP) arrangement, i.e. each core runs its own independent operating system kernel.
The first operating system may be a Linux system, or it may be another real-time operating system (RTOS) such as VxWorks or RT-Thread. VxWorks is a real-time operating system from Wind River Systems (Fenghe) of the United States; RT-Thread is an open source real-time operating system developed mainly by Chinese open source communities.
Illustratively, the second operating system may be an operating system that is certified to the EN50129 functional safety standard or meets the software requirements of the IEC61508-3 standard, with a safety integrity level of SIL 3. For example, the second operating system may be a secure microkernel system or secure VxWorks.
As an example, the master core is responsible for allocating the first memory, for the external device drivers of the secure computer module, for booting the slave cores, and for running the hypervisor and the execution programs of non-secure applications.
The first memory may be allocated as follows. Assume the address space of the first memory is 4GB; the first memory may then be divided into 4 address blocks. Assume the master core is assigned a 1GB address block, which is the non-secure computing address block, for running the Linux system, the hypervisor and the execution programs of non-secure applications. The remaining address space is divided equally among the slave cores. Assuming there are 3 slave cores, each slave core is assigned a 1GB address block. Each 1GB address block is divided into two parts, a shared memory communication address block and a secure computing address block: the shared memory communication address block is used for shared memory communication with the master core and may be 250MB in size, and the secure computing address block is used to run the secure microkernel and the execution programs of secure applications and may take the remaining 750MB.
The master core has access and read/write rights to the shared memory communication address blocks allocated to the slave cores, but cannot access the secure computing address blocks allocated to the slave cores. The slave cores cannot access each other's address blocks, nor can a slave core access the address block of the master core.
The main external devices of each central processor include a Field Programmable Gate Array (FPGA), an Ethernet interface (ETH), a serial port (UART), a FLASH memory, and the like. Only the master core has permission to access these external devices and interfaces; the slave cores cannot access them.
Illustratively, there may be two or more slave cores.
In an exemplary embodiment, the master core is further configured to establish a heartbeat mechanism with each slave core and to monitor the state of each slave core through it, so that a slave core failure is discovered in time.
In an exemplary embodiment, each slave core is further configured to perform, at start-up, a hardware self-test that meets a preset standard.
The preset standard may be the EN50129 standard. The hardware self-test may include a memory self-test, a memory management unit self-test, an instruction decode self-test, a register self-test, an instruction execution self-test, a program counter self-test, a stack pointer self-test, and a clock self-test.
In an exemplary embodiment, the hypervisor may be configured to allocate the first memory, to drive and access the external devices, and to start the slave cores.
Here, a non-secure application refers to an application that does not take part in any computation involving a safety function.
The first memory may be the memory in which programs run and may be volatile, i.e. its data is lost after a power failure. The first memory may be, for example, a double data rate (DDR) memory, such as a double data rate synchronous dynamic random access memory.
The second memory may be a non-volatile memory, i.e. the data will not be lost after power failure.
The second memory may be a flash memory card (MicroSD), for example.
FIG. 5 is a schematic diagram of a secure computer module according to at least one embodiment of the present application. As shown in FIG. 5, the secure computer module includes two secure computers, a first secure computer 501 and a second secure computer 502, and a safety watchdog 503. The first secure computer 501 includes a first central processor 51 and a first memory 515.
The first central processor 51 includes a master core 511, a first slave core 512, a second slave core 513, a third slave core 514, the first memory 515, a first field programmable gate array (FPGA) 5111 connected to the master core 511, a first Ethernet interface 5112 connected to the master core 511, a first serial port (UART) 5113 connected to the master core 511, a first FLASH memory 5114 connected to the master core 511, and a second memory 5115 (which may be a MicroSD card) connected to the master core 511.
A Linux system runs on the master core 511, and the hypervisor and the execution programs of non-secure applications run on the Linux system; the first slave core 512, the second slave core 513 and the third slave core 514 each run a secure microkernel system, and an execution program of a secure application runs on the secure microkernel system of each slave core.
The first secure computer 501 also includes the first memory 515, which includes a non-secure computing address block 5151, 3 secure computing address blocks 5152, and 3 shared memory address blocks 5153.
The second secure computer 502 includes a second central processor 52. The second central processor 52 includes a master core 521, a first slave core 522, a second slave core 523, a third slave core 524, a first memory 525, a first field programmable gate array (FPGA) 5211 connected to the master core 521, a second Ethernet interface 5212 connected to the master core 521, a second serial port (UART) 5213 connected to the master core 521, a second FLASH memory 5214 connected to the master core 521, and a second memory 5215 (which may be a MicroSD card) connected to the master core 521.
The second secure computer 502 includes the first memory 525, which includes a non-secure computing address block 5251, 3 secure computing address blocks 5252, and 3 shared memory address blocks 5253.
A Linux system runs on the master core 521, and the hypervisor and the execution programs of non-secure applications run on the Linux system; the first slave core 522, the second slave core 523 and the third slave core 524 each run a secure microkernel system, and an execution program of a secure application runs on the secure microkernel system of each slave core.
At least two of the secure computers are configured to run the same logic, process the same data, compare and vote on the calculation results, and output the data only after the vote is consistent;
the safety watchdog 503 is configured to receive a "dog feeding" signal periodically; if the "dog feeding" signal is not received within a predetermined time, the connections between the secure computer module and the first Ethernet interface 5112 and the second Ethernet interface 5212 are cut off, so that erroneous data is not output.
The "dog feeding" signal is issued by the hypervisor when no abnormal fault has occurred in the secure computer module.
The master core is further configured to have permission to access, read and write only the non-secure computing address block and the shared memory address blocks; each slave core is further configured to have permission to access, read and write only the secure computing address block and the shared memory address block that correspond to it. The master core has access and read/write rights to the shared memory communication address blocks allocated to the slave cores, but cannot access the secure computing address blocks allocated to the slave cores. The slave cores cannot access each other's address blocks, nor can a slave core access the address block of the master core.
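The memory partition of the FIG. 3 embodiment and the access rules restated here for FIG. 5, as an added worked example in C that is not part of the patent: it lays out the 4GB first memory with the figures from the text (a 1GB master block, then three 1GB slave blocks each split into a 250MB shared block and the remaining secure block) and checks an access request against the master/slave permission policy. The base address of 0, the block ordering and all function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout following the figures in the text: 4 GB of first memory,
 * a 1 GB non-secure block for the master core, the rest divided equally among
 * 3 slave cores, and each slave's 1 GB split into a 250 MB shared communication
 * block followed by the remaining secure computing block (774 MB, which the
 * text rounds to 750 MB). A base address of 0 is an assumption. */
#define MIB(x)        ((uint64_t)(x) << 20)
#define NUM_SLAVES    3
#define TOTAL_MEM     MIB(4096)
#define MASTER_BLOCK  MIB(1024)
#define SHARED_SIZE   MIB(250)

enum core_id { MASTER = 0, SLAVE1 = 1, SLAVE2 = 2, SLAVE3 = 3 };

struct region { uint64_t base, size; };

struct memory_map {
    struct region nonsecure;            /* master core only */
    struct region shared[NUM_SLAVES];   /* master core and the owning slave */
    struct region secure[NUM_SLAVES];   /* owning slave only */
};

/* Lay the blocks out in order: master block first, then one contiguous block
 * per slave, each beginning with its shared block. */
static struct memory_map build_map(void)
{
    struct memory_map m;
    uint64_t per_slave = (TOTAL_MEM - MASTER_BLOCK) / NUM_SLAVES;
    uint64_t cursor = 0;

    m.nonsecure.base = cursor;
    m.nonsecure.size = MASTER_BLOCK;
    cursor += MASTER_BLOCK;
    for (int i = 0; i < NUM_SLAVES; i++) {
        m.shared[i].base = cursor;
        m.shared[i].size = SHARED_SIZE;
        m.secure[i].base = cursor + SHARED_SIZE;
        m.secure[i].size = per_slave - SHARED_SIZE;
        cursor += per_slave;
    }
    return m;
}

/* True if [addr, addr + len) lies entirely inside r; zero-length and
 * wrapping accesses are rejected. */
static bool in_region(const struct region *r, uint64_t addr, uint64_t len)
{
    return len > 0 && len <= r->size && addr >= r->base &&
           addr - r->base <= r->size - len;
}

/* Policy from the text: the master may access the non-secure block and every
 * shared block; slave i may access only its own shared and secure blocks.
 * An access that straddles two blocks is denied even if both are permitted.
 * (Hardware would enforce this in the MMU; this is only the policy check.) */
static bool access_allowed(const struct memory_map *m, enum core_id core,
                           uint64_t addr, uint64_t len)
{
    if (core == MASTER) {
        if (in_region(&m->nonsecure, addr, len))
            return true;
        for (int i = 0; i < NUM_SLAVES; i++)
            if (in_region(&m->shared[i], addr, len))
                return true;
        return false;
    }
    int i = (int)core - 1;
    if (i < 0 || i >= NUM_SLAVES)
        return false;
    return in_region(&m->shared[i], addr, len) ||
           in_region(&m->secure[i], addr, len);
}

static bool check_access(enum core_id core, uint64_t addr, uint64_t len)
{
    struct memory_map m = build_map();
    return access_allowed(&m, core, addr, len);
}

static uint64_t secure_block_mib(int slave_index)
{
    struct memory_map m = build_map();
    return m.secure[slave_index].size >> 20;
}

int main(void)
{
    struct memory_map m = build_map();
    for (int i = 0; i < NUM_SLAVES; i++)
        printf("slave %d: shared @0x%llx (%llu MiB), secure @0x%llx (%llu MiB)\n",
               i + 1, (unsigned long long)m.shared[i].base,
               (unsigned long long)(m.shared[i].size >> 20),
               (unsigned long long)m.secure[i].base,
               (unsigned long long)(m.secure[i].size >> 20));
    return 0;
}
```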
The master core and each slave core communicate via a block of shared memory addresses corresponding to the slave core.
In the secure computer module of this embodiment, the master core and the slave cores run different operating systems: the master core runs the hypervisor and the execution programs of non-secure applications, and each slave core runs an independent execution program of a secure application, so that the secure applications do not affect each other. The number of secure application execution programs that run is equal to the number of slave cores. A secure computer module may run the execution program of one secure application, or the execution programs of two or more secure applications. The master core and the slave cores communicate through the shared memory address blocks, which allows high-speed communication. The execution program of each secure application running on a slave core uses only its own physical memory block for safety computations, so the safety computing areas of the secure applications are isolated from each other, which provides highly reliable core security and meets the requirements of the EN50129 standard.
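The heartbeat mechanism, the vote between the two secure computers and the safety watchdog of this embodiment, as an added simulation in C that is not part of the patent: the hypervisor latches a slave failure when that slave's heartbeat counter stops advancing, compares the two computers' results, and feeds the watchdog only while no fault is present; the watchdog cuts the Ethernet outputs once a feed has been missed for the predetermined time and keeps them cut. The tick-based timing constants, the counter-based heartbeat encoding and the exact fault conditions are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SLAVES       3
#define HEARTBEAT_LIMIT  3   /* ticks a slave may stay silent before it counts as failed (assumed) */
#define FEED_TIMEOUT     5   /* ticks the watchdog tolerates without a feed (assumed) */

struct slave_state {
    uint32_t last_counter;   /* heartbeat counter last read from the slave's shared block */
    uint32_t silent_ticks;   /* consecutive ticks in which the counter did not advance */
    bool failed;             /* latched until the slave is restarted */
};

struct hypervisor {
    struct slave_state slaves[NUM_SLAVES];
    bool vote_mismatch;      /* outcome of the latest comparison with the peer computer */
};

struct watchdog {
    uint32_t ticks_since_feed;
    bool outputs_enabled;    /* false once the Ethernet interfaces have been cut off */
};

/* Heartbeat: each slave increments a counter in its own shared memory block; the
 * master samples the counters every tick and latches a failure once a counter has
 * stood still for more than HEARTBEAT_LIMIT ticks. */
static void hv_check_heartbeats(struct hypervisor *hv, const uint32_t counters[NUM_SLAVES])
{
    for (int i = 0; i < NUM_SLAVES; i++) {
        struct slave_state *s = &hv->slaves[i];
        if (counters[i] != s->last_counter) {
            s->last_counter = counters[i];
            s->silent_ticks = 0;
        } else if (++s->silent_ticks > HEARTBEAT_LIMIT) {
            s->failed = true;
        }
    }
}

/* Vote: the two computers' results must be byte-for-byte identical before output. */
static bool hv_vote(struct hypervisor *hv, const uint8_t *a, const uint8_t *b, size_t n)
{
    hv->vote_mismatch = (memcmp(a, b, n) != 0);
    return !hv->vote_mismatch;
}

/* "No abnormal fault": every slave is alive and the last vote was consistent. */
static bool hv_healthy(const struct hypervisor *hv)
{
    for (int i = 0; i < NUM_SLAVES; i++)
        if (hv->slaves[i].failed)
            return false;
    return !hv->vote_mismatch;
}

/* Watchdog: a feed restarts the timer; FEED_TIMEOUT ticks without one cut the
 * outputs, and the cut is latched so erroneous data cannot leak out later. */
static void wd_tick(struct watchdog *wd, bool fed)
{
    if (!wd->outputs_enabled)
        return;
    if (fed)
        wd->ticks_since_feed = 0;
    else if (++wd->ticks_since_feed >= FEED_TIMEOUT)
        wd->outputs_enabled = false;
}

/* Simulation on constructed inputs: slave `dead` (-1 for none) stops its counter
 * after tick `die_at`; from tick `mismatch_at` (0 for never) the peer's result
 * differs. Returns the tick at which the outputs were cut, or -1 if never. */
static int simulate(int ticks, int dead, int die_at, int mismatch_at)
{
    struct hypervisor hv = { 0 };
    struct watchdog wd = { 0, true };
    uint32_t counters[NUM_SLAVES] = { 0 };
    for (int t = 1; t <= ticks; t++) {
        uint8_t ours[4] = { (uint8_t)t, 0, 0, 0 };
        uint8_t peer[4] = { (uint8_t)t, 0, 0, 0 };
        if (mismatch_at > 0 && t >= mismatch_at)
            peer[1] = 1;                           /* constructed divergence */
        for (int i = 0; i < NUM_SLAVES; i++)
            if (!(i == dead && t > die_at))
                counters[i]++;
        hv_check_heartbeats(&hv, counters);
        hv_vote(&hv, ours, peer, sizeof ours);
        wd_tick(&wd, hv_healthy(&hv));
        if (!wd.outputs_enabled)
            return t;
    }
    return -1;
}

int main(void)
{
    printf("slave 2 silent after tick 10: outputs cut at tick %d\n", simulate(30, 1, 10, 0));
    printf("vote mismatch from tick 20: outputs cut at tick %d\n", simulate(30, -1, 0, 20));
    return 0;
}
```

With these constants a slave failure is latched 4 ticks after its last heartbeat and the outputs are cut 5 ticks later; a persistent vote mismatch cuts them after 5 ticks on its own.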
FIG. 6 is a schematic diagram of a secure computing platform according to at least one embodiment of the present application. As shown in FIG. 6, the platform includes a plurality of master control subsystems and a management module;
each master control subsystem includes at least two secure computer modules, each of which is the secure computer module of any one of the above embodiments;
the management module is used to store the execution programs, the secure application configuration information, the secure computer module configuration information and the secure computing platform configuration information of all the secure applications to be run by the secure computing platform, and to configure each master control subsystem according to the secure computing platform configuration information; after establishing a secure connection with the two secure computer modules of any master control subsystem, it issues the execution programs of the secure applications, the secure application configuration information and the secure computer module configuration information to those two secure computer modules, and manages the secure applications.
The secure computing platform of this embodiment includes a plurality of master control subsystems, each master control subsystem includes at least two secure computer modules, and each secure computer module can run the execution programs of one or more secure applications, so that the execution programs of one or more secure applications can run on a single secure computing platform; each execution program of a secure application runs independently in one slave core, so the secure applications do not affect each other.
The management module manages the issuing and configuration of the secure application execution programs of all the master control subsystems, so the number of secure applications can be increased by adding master control subsystems. Secure applications can thus be added and configured online without affecting the operation of the secure applications already running, which gives good scalability.
In some exemplary embodiments, the master core and the slave cores communicate through the shared memory address blocks, which allows high-speed communication. The execution program of each secure application running on a slave core uses only its own physical memory block for safety computations, so the safety computing areas of the secure applications are isolated from each other, which provides highly reliable core security and meets the requirements of the EN50129 standard.
In some exemplary embodiments, the master subsystems communicate via a local area network within the platform.
In some exemplary embodiments, the management module stores the execution programs of the secure applications, the secure application configuration information, the secure computer module configuration information and the secure computing platform configuration information in the second memory of each secure computer module. After the hypervisors of the two secure computer modules have connected to their slave cores, the execution programs and the secure application configuration information of the secure applications run by the master control subsystem, together with the secure computer module configuration information, are issued to the slave cores of the master control subsystem according to the secure computing platform configuration information so that they start running, and the secure applications are managed.
In some exemplary embodiments, the secure application configuration information may be the configuration data of the secure application, such as the line data of a train control system, the supported train IDs, etc.; this is in effect auxiliary data of the secure application program that is used while the application runs, and different secure applications have different kinds of configuration information.
In some exemplary embodiments, the secure computer module configuration information may include the name of the secure application, the number of the secure application corresponding to each slave core, the IP address of the slave core through which data is mainly output, and so on. This configuration allows the secure computer module to launch the secure application correctly.
In some exemplary embodiments, the secure computing platform configuration information may be default configuration information generated through human-machine interaction at a maintenance management terminal, including a list of the secure computer modules in the platform, the correspondence between the secure computer modules and the secure applications, and the number information, address information and the like of the secure computer modules. This configuration is used by the management module to maintain and manage all the secure computer modules.
In some exemplary embodiments, the management module includes a primary management module and a backup management module, forming a "two-by-two" architecture.
FIG. 7 is a schematic diagram of a secure computing platform according to at least one embodiment of the present application. As shown in FIG. 7, the platform includes a plurality of master control subsystems, a management module, and at least one standby secure computer module;
each master control subsystem includes at least two secure computer modules, each of which is the secure computer module of any one of the above embodiments;
the management module is used to store the execution programs, the secure application configuration information, the secure computer module configuration information and the secure computing platform configuration information of all the secure applications to be run by the secure computing platform, and to configure each master control subsystem according to the secure computing platform configuration information; after establishing a secure connection with the two secure computer modules of any master control subsystem, it issues the execution programs of the secure applications, the secure application configuration information and the secure computer module configuration information to those two secure computer modules, and manages the secure applications.
Further comprising at least one standby secure computer module;
The management module is further configured to replace a failed safety computer module with the standby safety computer module when one safety computer module in any one main control subsystem fails, so that the standby safety computer module becomes a backup system of the main control subsystem.
The secure computing platform in the embodiment of the application comprises a plurality of main control subsystems, each main control subsystem comprises at least two secure computer modules, each secure computer module can run one or more execution programs of the secure application, so that the one or more execution programs of the secure application can be run on one secure computing platform, and each execution program of the secure application independently runs in one slave core, thus the secure applications have no influence on each other.
The management module is used for managing the issuing and configuration of the security applications of all the main control subsystems, so that the number of the security applications can be increased by expanding the main control subsystems. The method can expand and configure the security application on line, does not influence the operation of the security application on line, and has good expandability.
Based on a fault switching mechanism of the secure computing platform, one main control subsystem only has one main system at the same time, when one secure computer module (whether the main system or the standby system) is in fault, the standby secure computer module is started, and can synchronize data and states through the secure computer module which is not in fault of the main control subsystem, so that the standby system of the main control subsystem is quickly formed.
In some exemplary embodiments, the master core and the slave core communicate via a shared memory address block, enabling high-rate communications. The execution program of each security application running on the slave core only uses the own physical memory block to carry out security calculation, the security calculation areas of the security application are isolated from each other, the high-reliability core security is provided, and the requirements of EN50129 standard are met.
In some exemplary embodiments, the master subsystems communicate via a local area network within the platform.
In some exemplary embodiments, the management module stores the execution program of the secure application, the secure application configuration information, the secure computer module configuration information, and the secure computing platform configuration information in a second memory of the secure computer module. After the management programs of the two security computer modules are connected with the slave cores, the execution programs and the security application configuration information of the security applications operated by the main control subsystem and the security computer module configuration information are issued to the slave cores of the main control subsystem according to the security computing platform configuration information so as to start operation, and the security applications are managed.
In some exemplary embodiments, the security application configuration information may be configuration data of the security application, such as line data of a train control system, supported train IDs, etc., which are equivalent to accessories of the security application program, used during the application running process, and different security applications have different kinds of configuration information.
In some exemplary embodiments, the secure computer module configuration information may be the name of the secure application, the number of the secure application corresponding to the slave core, the IP address of the slave core through which data is primarily output outward, and so forth. This configuration is used for the secure computer module to be able to properly launch the secure application.
In some exemplary embodiments, the configuration information of the secure computing platform may be default configuration information generated by configuring through man-machine interaction of the maintenance management terminal, including a list of secure computing modules in the platform, a correspondence between the secure computing modules and the secure application, number information, address information, and the like of the secure computing modules. This configuration is used for the management module to maintain and manage all the secure computer modules.
In some exemplary embodiments, the management module includes a primary management module and a backup management module to form a "two-by-two" architecture.
FIG. 8 is a schematic diagram of a secure computing platform according to at least one embodiment of the present application. As shown in FIG. 8, the secure computing platform includes a plurality of main control subsystems, a management module, at least one standby secure computer module, a switch, and a maintenance management terminal;
each main control subsystem comprises at least two secure computer modules, each being the secure computer module of any of the above embodiments;
the management module is configured to store the execution programs, secure application configuration information, secure computer module configuration information and secure computing platform configuration information of all secure applications to be run by the secure computing platform; to configure each main control subsystem according to the secure computing platform configuration information; and, after a secure connection has been established with the two secure computer modules of any main control subsystem, to issue the execution programs of the secure applications, the secure application configuration information and the secure computer module configuration information to those two secure computer modules and to manage the secure applications.
The secure computing platform further comprises at least one standby secure computer module;
the management module is further configured to replace a failed secure computer module with the standby secure computer module when one secure computer module in any main control subsystem fails, so that the standby secure computer module becomes the backup system of that main control subsystem.
The secure computer modules, the management module and the standby secure computer module in the secure computing platform are each connected to the switch, which interconnects the modules;
the maintenance management terminal is also connected to the switch and is configured to issue the execution programs, secure application configuration information, secure computer module configuration information and secure computing platform configuration information of all secure applications to be run by the secure computing platform to the management module, and to allow manual querying, modification and updating of that information as stored in the management module.
The secure computing platform of this embodiment comprises a plurality of main control subsystems, each comprising at least two secure computer modules, and each secure computer module can run the execution programs of one or more secure applications, so that one or more secure applications can be run on a single secure computing platform; because each execution program of a secure application runs independently in one slave core, the secure applications have no influence on each other.
The management module manages the issuing and configuration of the secure applications of all the main control subsystems, so the number of secure applications can be increased by adding main control subsystems. Secure applications can be expanded and configured online without affecting the secure applications already running, giving the platform good expandability.
Under the failover mechanism of the secure computing platform, a main control subsystem has only one main system at any one time. When one secure computer module (whether the main system or the standby system) fails, a standby secure computer module is started and can synchronize data and state from the non-faulty secure computer module of that main control subsystem, so that the standby system of the main control subsystem is quickly re-formed. Through the provision of standby secure computer modules and the failover safety mechanism, any secure application can continue to run in a two-by-two architecture.
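The failover rule described above (one main system per main control subsystem at any time; a spare standby module is started and synchronizes from the non-faulty member when either member fails), as an added simulation that is not code from the patent. The layout mirrors FIG. 9 (two redundant pairs plus one spare); all type and function names (platform_t, failover, count_main) and the state values are assumptions.

```c
/* Added example, not part of the patent: failover of the main control
 * subsystems. Invariant checked by count_main(): a subsystem never has more
 * than one MAIN, and keeps exactly one as long as one healthy member remains. */
#include <stdio.h>

enum role { ROLE_MAIN, ROLE_STANDBY, ROLE_SPARE, ROLE_FAILED };

typedef struct {
    int id;
    enum role role;
    int subsys;        /* owning main control subsystem, -1 for an unassigned spare */
    unsigned state;    /* application data/state a new standby must synchronize (constructed) */
} module_t;

#define MAX_MODULES 8

typedef struct {
    module_t mods[MAX_MODULES];
    int n;
} platform_t;

/* Constructed layout: modules 0/1 form subsystem 0, modules 2/3 form
 * subsystem 1, module 4 is a spare standby secure computer module. */
void make_platform(platform_t *p)
{
    const module_t init[] = {
        {0, ROLE_MAIN,    0, 0x1001}, {1, ROLE_STANDBY, 0, 0x1001},
        {2, ROLE_MAIN,    1, 0x2002}, {3, ROLE_STANDBY, 1, 0x2002},
        {4, ROLE_SPARE,  -1, 0},
    };
    p->n = 5;
    for (int i = 0; i < p->n; i++) p->mods[i] = init[i];
}

/* Number of modules acting as MAIN for a subsystem; the text requires this to be 1. */
int count_main(const platform_t *p, int subsys)
{
    int c = 0;
    for (int i = 0; i < p->n; i++)
        if (p->mods[i].subsys == subsys && p->mods[i].role == ROLE_MAIN) c++;
    return c;
}

static int find_role(const platform_t *p, int subsys, enum role r)
{
    for (int i = 0; i < p->n; i++)
        if (p->mods[i].subsys == subsys && p->mods[i].role == r) return i;
    return -1;
}

/* Handle the failure of module failed_id. Returns the id of the spare that was
 * activated as the subsystem's new standby, or -1 when no spare could be
 * activated (module already failed, no healthy peer to synchronize from, or
 * no spare left). A lost MAIN is always replaced by promoting the surviving
 * standby first, so the subsystem keeps running on one system meanwhile. */
int failover(platform_t *p, int failed_id)
{
    module_t *f = &p->mods[failed_id];
    if (f->role == ROLE_FAILED) return -1;
    int subsys = f->subsys;
    enum role lost = f->role;
    f->role = ROLE_FAILED;
    if (subsys < 0) return -1;                 /* a spare failed: nothing to re-form */

    /* The surviving member is the source of truth; promote it if MAIN was lost. */
    int peer = find_role(p, subsys, lost == ROLE_MAIN ? ROLE_STANDBY : ROLE_MAIN);
    if (peer < 0) return -1;
    if (lost == ROLE_MAIN) p->mods[peer].role = ROLE_MAIN;

    int spare = find_role(p, -1, ROLE_SPARE);
    if (spare < 0) return -1;
    module_t *s = &p->mods[spare];
    s->subsys = subsys;
    s->state = p->mods[peer].state;            /* synchronize data and state from the non-faulty member */
    s->role = ROLE_STANDBY;                    /* the two-by-two pair is re-formed */
    return spare;
}

int main(void)
{
    platform_t p;
    make_platform(&p);
    int act = failover(&p, 0);                 /* the MAIN of subsystem 0 fails */
    printf("spare %d activated; subsystem 0 now has %d main system(s)\n",
           act, count_main(&p, 0));
    return 0;
}
```

The second failover in the test below (a standby failing after the only spare has been used) shows the degraded case the text implies: the subsystem still has exactly one main system, but no longer a backup until another standby module is provisioned.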
In some exemplary embodiments, the master core and the slave cores communicate through a shared memory address block, enabling high-rate communication. The execution program of each secure application running on a slave core uses only its own physical memory block for safety computation, so the safety computation areas of the secure applications are isolated from each other, providing high-reliability core safety and meeting the requirements of the EN50129 standard.
In some exemplary embodiments, all of the main control subsystems are in communication with the management module; when secure applications running on different secure computer modules need to communicate, they can be connected to each other; and the secure computing platform supports flexibly configuring any module as a backup module, so that when a backup module is converted into the backup module of a certain main control subsystem during failover, it must request state information from the main module of that subsystem. Because which modules will need to connect to each other is therefore not fixed in advance, all secure computer modules must be interconnected by a local area network.
In some exemplary embodiments, the management module stores the execution program of each secure application, the secure application configuration information, the secure computer module configuration information and the secure computing platform configuration information in a second memory of the secure computer module. After the management programs of the two secure computer modules have connected with their slave cores, the execution programs and secure application configuration information of the secure applications run by the main control subsystem, together with the secure computer module configuration information, are issued to the slave cores of the main control subsystem according to the secure computing platform configuration information so that they start running, and the secure applications are managed.
In some exemplary embodiments, the secure computing platform configuration information is configured manually at the maintenance management terminal and includes the configuration information of each secure computer module; when it is issued to the management module, the management module issues the configuration information of each secure computer module contained in it to the corresponding secure computer module.
In some exemplary embodiments, the secure computing platform further comprises a redundant switch that forms a "two-by-two" architecture with the switch and takes over when the switch fails.
In some exemplary embodiments, the management module includes a primary management module and a backup management module to form a "two-by-two" architecture.
FIG. 9 is a schematic diagram of a secure computing platform according to at least one embodiment of the present application. As shown in FIG. 9, the secure computing platform includes a main control subsystem 31, a standby secure computer module 32, a management module 33, a switch 34, a redundant switch 35, and a maintenance management terminal 36. Main control subsystem 31 includes main control 1A module 311, main control 1B module 312, main control 2A module, and main control 2B module; the main control 1A module and main control 1B module are mutually redundant and form a "two-by-two-out-of-two" architecture capable of running multiple applications, and the main control 2A module and main control 2B module are likewise mutually redundant and form a "two-by-two-out-of-two" architecture capable of running multiple applications. The management module 33 includes a management module A 331 and a management module B 332, which also form a "two-by-two-out-of-two" architecture for configuring and managing the secure applications of the respective main control subsystems. The standby secure computer module 32 includes at least one standby secure computer module 321. The secure computing platform can reserve several secure computer modules as standby secure computer modules, which are started automatically when one of the two main control modules of any main control subsystem fails, so that a two-by-two architecture is still formed.
All the secure computer modules are connected to both the switch and the redundant switch, so that the secure computer modules are interconnected. Through the switch all the secure computer modules form one internal local area network, and through the redundant switch they form a second, redundant internal local area network. When the switch fails, the secure computer modules communicate through the redundant switch, and normal operation of the platform is not affected.
The maintenance management terminal is also connected to the switch and the redundant switch and is used for human-machine interactive configuration of the management module and for log recording.
The application provides a starting method of a secure computing platform, which comprises the following steps:
Step one, when the secure computing platform is started for the first time, the maintenance management terminal transmits the execution programs, secure application configuration information, secure computer module configuration information and secure computing platform configuration information of all secure applications to be run by the secure computing platform to the management module, and the management module configures the main control subsystems, the secure applications and so on according to the secure computing platform configuration information.
For example, secure computer modules 1 and 2 are configured as main control 1A and main control 1B, running secure applications 1, 2 and 3 with their corresponding configuration parameters; in the same way, secure computer modules 3 and 4 are configured as main control 2A and main control 2B, running secure applications 4, 5 and 6 with their corresponding configuration parameters. The corresponding configuration parameters may include the correspondence between secure applications 1, 2, 3 and slave core numbers 1, 2, 3, the IP address and port number information used by the secure applications to communicate with the outside through the master core, the protocol information for communication between the slave-core secure applications and the master-core management program, and the like.
Step two, all the secure computer modules enter a start standby mode according to the start-up flow, and the management module establishes a secure connection with the management program in the master core of each secure computer module.
The secure connection uses the railway signal safety communication protocol conforming to TB-T3528.2-2018 Part 2: Type II protocol.
Step three, after the two secure computer modules of any main control subsystem have established secure connections with the management module, the management module transmits the binary execution programs and configuration files of the secure applications run by that main control subsystem to the management programs of the main control subsystem; each management program stores them in the MicroSD card (corresponding to the second memory) of its secure computer module and, at the same time, transmits each application to its slave core to start running, according to the secure application configuration file.
Step four, the two systems of secure applications of the main control subsystem each establish a heartbeat mechanism.
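Steps one to three of the start method, as an added simulation that is not code from the patent. It uses the configuration of the text's own example (modules 1 and 2 as main control 1A/1B running secure applications 1, 2, 3 on slave cores 1, 2, 3; modules 3 and 4 as 2A/2B running 4, 5, 6) and enforces the gating rule of step three: programs are issued to a main control subsystem only once both of its modules have a secure connection. The consistency check that both members of a redundant pair carry the same application-to-slave-core mapping is the editor's addition; port numbers and every type and function name are constructed assumptions.

```c
/* Added example, not part of the patent: platform start-up steps one to three
 * with the text's constructed configuration. */
#include <stdbool.h>
#include <stdio.h>

#define N_MODULES 4
#define MAX_APPS  3

enum mod_state { MS_OFF, MS_START_STANDBY, MS_CONNECTED, MS_RUNNING };

typedef struct { int app_id; int slave_core; unsigned short port; } app_cfg_t;

typedef struct {
    int id;                  /* secure computer module number, 1..4 */
    int subsys;              /* main control subsystem number, 1 or 2 */
    char role;               /* 'A' or 'B' member of the redundant pair */
    app_cfg_t apps[MAX_APPS];
    int n_apps;
    enum mod_state state;
} module_cfg_t;

typedef struct { module_cfg_t mods[N_MODULES]; } platform_cfg_t;

static void set_apps(module_cfg_t *m, int first_app)
{
    m->n_apps = MAX_APPS;
    for (int i = 0; i < MAX_APPS; i++) {
        m->apps[i].app_id = first_app + i;
        m->apps[i].slave_core = i + 1;                                 /* apps 1,2,3 -> slave cores 1,2,3 */
        m->apps[i].port = (unsigned short)(20000 + first_app + i);     /* constructed port numbers */
    }
}

/* Step one: the management module derives each module's configuration from the
 * platform configuration issued by the maintenance management terminal. */
void configure_platform(platform_cfg_t *p)
{
    for (int i = 0; i < N_MODULES; i++) {
        module_cfg_t *m = &p->mods[i];
        m->id = i + 1;
        m->subsys = i / 2 + 1;
        m->role = (i % 2 == 0) ? 'A' : 'B';
        m->state = MS_OFF;
        set_apps(m, m->subsys == 1 ? 1 : 4);
    }
}

/* Checks before anything is issued: one application per slave core within a
 * module, and both members of a pair run the same applications on the same
 * slave cores (otherwise they cannot compare and vote on identical results). */
bool config_is_consistent(const platform_cfg_t *p)
{
    for (int i = 0; i < N_MODULES; i++)
        for (int a = 0; a < p->mods[i].n_apps; a++)
            for (int b = a + 1; b < p->mods[i].n_apps; b++)
                if (p->mods[i].apps[a].slave_core == p->mods[i].apps[b].slave_core) return false;
    for (int i = 0; i + 1 < N_MODULES; i += 2) {
        const module_cfg_t *a = &p->mods[i], *b = &p->mods[i + 1];
        if (a->subsys != b->subsys || a->n_apps != b->n_apps) return false;
        for (int k = 0; k < a->n_apps; k++)
            if (a->apps[k].app_id != b->apps[k].app_id ||
                a->apps[k].slave_core != b->apps[k].slave_core) return false;
    }
    return true;
}

/* Step two: a module finishes its own start-up flow and enters start standby. */
void module_enter_standby(platform_cfg_t *p, int module_id)
{
    p->mods[module_id - 1].state = MS_START_STANDBY;
}

/* Step two, continued: the management module establishes a secure connection
 * with the management program in the module's master core. */
bool module_secure_connect(platform_cfg_t *p, int module_id)
{
    module_cfg_t *m = &p->mods[module_id - 1];
    if (m->state != MS_START_STANDBY) return false;
    m->state = MS_CONNECTED;
    return true;
}

/* Step three: issue programs and configuration to a subsystem only once BOTH
 * of its modules are securely connected. Returns the number of slave cores
 * started now, or -1 if the pair is not yet complete. */
int issue_subsystem(platform_cfg_t *p, int subsys)
{
    int started = 0;
    for (int i = 0; i < N_MODULES; i++)
        if (p->mods[i].subsys == subsys &&
            p->mods[i].state != MS_CONNECTED && p->mods[i].state != MS_RUNNING)
            return -1;
    for (int i = 0; i < N_MODULES; i++)
        if (p->mods[i].subsys == subsys && p->mods[i].state == MS_CONNECTED) {
            p->mods[i].state = MS_RUNNING;
            started += p->mods[i].n_apps;          /* one slave core per application */
        }
    return started;
}

int main(void)
{
    platform_cfg_t p;
    configure_platform(&p);
    module_enter_standby(&p, 1); module_enter_standby(&p, 2);
    module_secure_connect(&p, 1); module_secure_connect(&p, 2);
    printf("consistent=%d, slave cores started in subsystem 1: %d\n",
           config_is_consistent(&p), issue_subsystem(&p, 1));
    return 0;
}
```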
The application provides a start-up method of a secure computer module, which comprises the following steps S11 to S15:
S11, when the first central processing unit and the second central processing unit are powered on, the start script and start program in the MicroSD card are automatically acquired and executed.
The start script and start program are responsible for reading the Linux system image, the device tree file and the secure microkernel image of the slave cores from the MicroSD card and moving them to their running address spaces: the Linux system image and device tree file are moved to the memory address block of the master core (the non-secure computing address block), the secure microkernel image is moved to the memory address block of each slave core, and then the Linux system of the master core is started. The MicroSD card stores the start script, the start program, the Linux system image, the device tree file, the execution programs of the management program and the non-secure applications, and the secure microkernel image for the slave cores of the CPU. The device tree file describes the hardware supported by the operating system; by reading it, the system learns which hardware drivers must be supported and started and the parameters of that hardware (such as hardware type, number, rate and address).
S12, the Linux system initializes the master core; after initialization of the master core is complete, each slave core is configured and started, and execution on each slave core is set to jump to the start of the memory address block holding its secure microkernel. The slave cores then begin running their respective secure microkernel programs, while the master core continues starting the Linux operating system.
S13, after the Linux system of the master core has started, the management program and the execution programs of the non-secure applications are executed automatically. The management program first monitors the shared memory channel of each slave core, responds when it receives a communication connection request, and establishes a secure connection with each slave core.
S14, after the secure microkernel program starts, its kernel is initialized and the start-up of the secure microkernel is completed. It then executes the default boot self-test program and waits for an application to execute on the secure microkernel. The self-test program performs a hardware self-test conforming to EN50129 on its own core and memory, including but not limited to memory self-test, register self-test, timer self-test and kernel software version check; only after these checks pass does the core continue to run the application execution program and wait, otherwise the secure computer module shuts down and goes to the safe side.
S15, after the secure microkernel has completed the start-up self-test program, it executes the waiting application execution program, which first periodically initiates a communication connection request to the management program running on the master core via shared memory communication and waits for the management program's response. When the management program responds, a secure connection is established with it; the security protocol of the connection is the railway signal safety communication protocol of TB-T3528.2-2018 Part 2: Type II protocol.
Once the waiting application execution program has established a secure connection with the master core, the management program establishes a heartbeat mechanism with each slave core: it periodically sends an active-state request to the slave core, and the slave core immediately returns an active-state response, so the management program can monitor the running state of the slave core in real time. If the heartbeat of any slave core is broken, that is, no active-state response is received from it for 3 consecutive periods, the management program judges that the slave core has failed, executes the failure mode, and the current secure computer module shuts down to the safe side.
After the secure computer module has started, the waiting application execution program on each slave core enters the start standby mode and waits for the execution program of a secure application to be issued and run.
The start-up process of the master core is thus: the start script and start program start the Linux system of the master core; the master core is initialized; each slave core is started; the Linux system of the master core completes start-up; the management program and the execution programs of the non-secure applications are executed automatically; and the management program responds to the communication connection requests so as to establish a secure connection with each slave core and a heartbeat mechanism between the master core and the slave cores.
The start-up process of each slave core is thus: after being started, the slave core runs its own secure microkernel program, starts the self-test program, and executes the waiting application execution program, which initiates a communication connection request to the management program, establishes a secure connection with the master core, and establishes the heartbeat mechanism between the master core and the slave core.
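The slave-core start-up (S14 and S15) and the master-core heartbeat rule (no active-state response for 3 consecutive periods means the slave core has failed and the whole module goes to the safe side), as an added state-machine model that is not code from the patent. The memory self-test is a pattern write/read-back on a scratch buffer and the version check compares against a constructed expected version; the register and timer results are taken from a constructed hardware report because they cannot be exercised portably here. All identifiers (slave_t, module_t, heartbeat_period, HB_MISS_LIMIT) are assumptions.

```c
/* Added example, not part of the patent: slave-core boot self-test gating and
 * the master-core heartbeat monitor with the three-period failure rule. */
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAX_SLAVES     4
#define HB_MISS_LIMIT  3                /* consecutive periods without a response (from the text) */
#define KERNEL_VERSION "mk-1.0"         /* constructed expected microkernel version */

enum slave_state { SS_OFF, SS_SELFTEST, SS_WAIT_CONNECT, SS_START_STANDBY, SS_FAILED, SS_SAFE_SIDE };

/* Constructed hardware report for the checks not performed in software here. */
typedef struct { bool regs_ok; bool timer_ok; const char *version; } hw_report_t;

typedef struct { int id; enum slave_state state; int missed; } slave_t;

typedef struct { slave_t slaves[MAX_SLAVES]; int n; bool safe_side; } module_t;

/* Memory self-test: write complementary patterns to a region and read them back. */
static bool memory_selftest(unsigned char *buf, size_t len)
{
    memset(buf, 0x55, len);
    for (size_t i = 0; i < len; i++) if (buf[i] != 0x55) return false;
    memset(buf, 0xAA, len);
    for (size_t i = 0; i < len; i++) if (buf[i] != 0xAA) return false;
    return true;
}

/* S14: a slave core runs its boot self-test on its own core and memory; any
 * failed item leads the whole secure computer module to the safe side. */
bool slave_selftest(module_t *m, slave_t *s, const hw_report_t *r)
{
    unsigned char scratch[256];                  /* stands in for the core's own memory block */
    s->state = SS_SELFTEST;
    bool ok = memory_selftest(scratch, sizeof scratch) && r->regs_ok && r->timer_ok
              && r->version != NULL && strcmp(r->version, KERNEL_VERSION) == 0;
    if (!ok) { s->state = SS_SAFE_SIDE; m->safe_side = true; return false; }
    s->state = SS_WAIT_CONNECT;                  /* waits for the management program to respond */
    return true;
}

/* S15: the secure connection with the management program is established, the
 * slave enters start standby and is covered by the heartbeat from now on. */
bool slave_connected(slave_t *s)
{
    if (s->state != SS_WAIT_CONNECT) return false;
    s->state = SS_START_STANDBY;
    s->missed = 0;
    return true;
}

/* One heartbeat period on the master core: responded[i] says whether slave i
 * answered the active-state request. A reply resets the miss counter; the
 * HB_MISS_LIMIT-th consecutive miss marks the slave failed and runs the failure
 * mode, taking the module (all its slaves) to the safe side. Returns whether
 * the module is on the safe side after this period. */
bool heartbeat_period(module_t *m, const bool *responded)
{
    for (int i = 0; i < m->n; i++) {
        slave_t *s = &m->slaves[i];
        if (s->state != SS_START_STANDBY) continue;   /* only connected slaves are monitored */
        if (responded[i]) { s->missed = 0; continue; }
        if (++s->missed >= HB_MISS_LIMIT) {
            s->state = SS_FAILED;
            m->safe_side = true;
        }
    }
    if (m->safe_side)
        for (int i = 0; i < m->n; i++)
            if (m->slaves[i].state != SS_FAILED) m->slaves[i].state = SS_SAFE_SIDE;
    return m->safe_side;
}

int main(void)
{
    module_t m = {{{1, SS_OFF, 0}, {2, SS_OFF, 0}}, 2, false};
    hw_report_t good = {true, true, KERNEL_VERSION};
    for (int i = 0; i < m.n; i++) {
        slave_selftest(&m, &m.slaves[i], &good);
        slave_connected(&m.slaves[i]);
    }
    bool one_silent[2] = {true, false};
    int periods = 0;
    while (!heartbeat_period(&m, one_silent)) periods++;
    printf("module went to the safe side after %d silent periods\n", periods + 1);
    return 0;
}
```

Note the asymmetry the text states: two missed periods are tolerated and a single reply clears the count, but the third consecutive miss is final for the whole module, not just the silent core.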
The present application has been described in terms of several embodiments, but the description is illustrative and not restrictive, and it will be apparent to those of ordinary skill in the art that many more embodiments and implementations are possible within the scope of the described embodiments. Although many possible combinations of features are shown in the drawings and discussed in the detailed description, many other combinations of the disclosed features are possible. Any feature or element of any embodiment may be used in combination with or in place of any other feature or element of any other embodiment unless specifically limited.
The present application includes and contemplates combinations of features and elements known to those of ordinary skill in the art. The disclosed embodiments, features and elements of the present application may also be combined with any conventional features or elements to form a unique inventive arrangement. Any feature or element of any embodiment may also be combined with features or elements from other inventive arrangements to form another unique inventive arrangement. It is therefore to be understood that any of the features shown and/or discussed in the present application may be implemented alone or in any suitable combination. Accordingly, the embodiments are not to be restricted except in light of the attached claims and their equivalents. Further, various modifications and changes may be made within the scope of the appended claims.
Furthermore, in describing representative embodiments, the specification may have presented the method and/or process as a particular sequence of steps. However, to the extent that the method or process does not rely on the particular order of steps set forth herein, the method or process should not be limited to the particular sequence of steps described. Other sequences of steps are possible as will be appreciated by those of ordinary skill in the art. Accordingly, the particular order of the steps set forth in the specification should not be construed as limitations on the claims. Furthermore, the claims directed to the method and/or process should not be limited to the performance of their steps in the order written, and one skilled in the art can readily appreciate that the sequences may be varied and still remain within the spirit and scope of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, functional modules/units in the apparatus, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed cooperatively by several physical components. Some or all of the components may be implemented as software executed by a central processor, such as a digital signal central processor or a micro central processor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term "computer storage media" includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "first," "second," etc. can include at least one such feature, either explicitly or implicitly.
In the description of the present application, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.