JP2013161299A - Information processing apparatus and interface access method - Google Patents

Abstract

An information processing apparatus capable of protecting an I / O port by using an appropriate amount of management information without using special hardware.
An information processing apparatus includes: a program storage unit that stores a plurality of programs; one or more arithmetic units that execute the program; and a plurality of interfaces that can communicate with an external circuit. If the interface registration table 34 in which the interface accessible by the program is registered and the program that requested access to the interface are permitted to access the interface, instead of the program, Access control means 33 for accessing the interface.
[Selection] Figure 2

Description

  The present invention relates to an information processing apparatus having an I / O port, and relates to an information processing apparatus capable of controlling access to an I / O port for each system or application.

  In an information processing apparatus such as a microcomputer, a plurality of tasks may be executed independently. When a plurality of tasks should access dedicated I / O, it is not preferable that one task accesses I / O dedicated to another task. For this reason, conventionally, a technique for protecting access to I / O by a task is known.

  In a conventional microcomputer, access to a task I / O port is restricted by a hardware memory access protection resource (for example, a memory management unit). However, the memory protection resource provided by the microcomputer provides memory protection in units called pages or blocks (for example, 512 bytes to 4 kbytes). On the other hand, since the register of the I / O port is composed of several bytes (for example, 1 to 4 bytes), the conventional method cannot perform access control in units of I / O ports (one page or one block). Access to multiple I / O ports is restricted by memory protection).

  In addition, a technique for restricting access to a task I / O port by adding new hardware is also considered (see, for example, Patent Document 1). FIG. 12 is an example of a diagram illustrating access protection disclosed in Patent Document 1. In FIG. In Patent Document 1, an OS (Operating System) manages the access right of each application to the processor bus address space in units of pages. Further, the converter converts the processor bus address space and the I / O address space, and maps each I / O port of the I / O address space to the processor bus address space. Since the OS permits the converter to access the I / O when the application has an access right to the I / O, it is possible to prevent unauthorized access to the application.

JP-A-7-191904

However, the technique disclosed in Patent Document 1 or the conventional technique has the following problems.
1. It is necessary to add a converter.
Unlike processors for servers and workstations, a built-in processor such as a vehicle often does not have a converter, so that it is necessary to add a converter. Or, it must be changed to a microcomputer equipped with a converter.
2. When a converter is added, the address of the I / O port visible from the application side is changed.
That is, the I / O address output by the application to the processor bus address before the addition of the converter is changed by the converter. For this reason, it becomes necessary to modify the application. Modification is possible with only one application, but for example, when a plurality of applications are implemented in one virtual environment using virtualization technology, the merit of integration by virtualization is lost.
3. If the memory access protection resource of the hardware described above, which increases the information related to the access right held by the OS if the memory protection unit is made finer, memory protection is performed in the same unit (for example, 4 bytes) in the entire system due to hardware restrictions. There is a need. For this reason, when the memory protection is performed with the optimum granularity (for example, 4 bytes) for the I / O port using the memory access protection resource, it is necessary to set the access right for each protection unit. For example, if one page is 4 kbytes, 1000 access rights need to be set for only one page. Therefore, OS management information increases in inverse proportion to the protection unit.

  In view of the above problems, an object of the present invention is to provide an information processing apparatus capable of protecting an I / O port by using an appropriate amount of management information without using special hardware.

  The present invention is an information processing apparatus having a program storage means in which a plurality of programs are stored, one or more arithmetic means for executing the programs, and a plurality of interfaces capable of communicating with an external circuit, The interface registration table in which the interface accessible by the program is registered, and when the program that requested access to the interface is permitted to access the interface, the interface is accessed instead of the program. Access control means.

  An information processing apparatus that can protect an I / O port by using an appropriate amount of management information without using special hardware can be provided.

It is an example of the figure explaining access control to an I / O port. It is an example of the hardware block diagram of a microcomputer. It is an example of the figure explaining integration of two systems by virtualization technology. It is an example of the figure which illustrates the function of a memory protection mechanism typically. It is a figure which shows the example of a setting of PTE at the time of prohibiting the access to the I / O port by the systems 1 and 2. It is an example of the functional block diagram of a hypervisor. It is a figure which shows an example of system execution information etc. It is a figure which shows an example of an access history table. It is an example of the flowchart figure which shows the operation | movement procedure of a microcomputer. It is an example of the figure explaining prediction of access timing. It is an example of the flowchart figure which shows the operation | movement procedure of a microcomputer. 10 is an example of a diagram illustrating access protection disclosed in Patent Document 1. FIG.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings.

  FIG. 1 is an example of a diagram illustrating access control to an I / O port according to the present embodiment.

  1. First, when the system is activated, for example, the hypervisor 31 prohibits the memory protection mechanism 32 from accessing the I / O port by the applications 1 and 2. The hypervisor 31 can access all the I / O ports.

  2. When application 1 or application 2 tries to access the I / O port, the memory protection mechanism 32 detects an access violation (causes an exception).

  3. The hypervisor 31 acquires information on the accessed application and I / O port from the memory protection mechanism 32, and determines whether or not the application has the authority to access the I / O port.

  4). When the application has an access right to the I / O port, the hypervisor 31 accesses the I / O port instead of the application.

  5. When the application does not have access right to the I / O port, the hypervisor 31 notifies the access violation to the application to be accessed.

  Therefore, the I / O access of each application can be protected without adding new hardware such as a converter. Since the memory protection mechanism 32 converts the logical address to the physical address, it is not necessary to change the address of the I / O port designated by the application. Further, since it is only necessary to prohibit access to all I / O ports to the memory protection mechanism 32, the management information of the hypervisor 31 does not increase.

[Configuration example]
FIG. 2 is an example of a hardware configuration diagram of the microcomputer 100. The microcomputer 100 includes a CPU 11, a RAM 12, a ROM 13, an INTC 14, a WDT 15, and a DMAC 16 connected to the main bus 21, and a CAN (Controller Area Network) controller 18, an ADC 19, and an I / O connected to the peripheral bus 22. It has a port 20. The main bus 21 and the peripheral bus 22 are connected via the bridge 17.

  The CPU 11 preferably has a plurality of cores and controls the entire microcomputer 100 by executing a program stored in the ROM 13. The CPU has a memory protection mechanism 32. The RAM 12 is a working memory when the CPU 11 executes a program. The flash ROM 13 stores a hypervisor 31 and each system (OS, device driver, middleware, and application).

  The INTC 14 monitors the interrupt register, arbitrates an interrupt request from a peripheral device based on the priority of the interrupt, and notifies the CPU 11 of it. Thereby, the CPU 11 executes an ISR (Interrupt Service Routine), for example, and wakes up a task determined according to the interrupted peripheral device.

  The WDT 15 is a circuit that detects an abnormality (microcomputer reset, CPU interrupt, etc.) when the time measured by counting the operation clock reaches a predetermined reset time (when overflowing).

  The DMAC 16 moves data between the RAM 12 and peripheral circuits or within the RAM 12 without going through the CPU 11. When the CPU 11 transmits data from the I / O port 20 to the outside, the CPU 11 instructs an address of data stored in the RAM 12 and an address of a transmission destination peripheral circuit. The DMAC 16 writes the data read from the RAM 12 to the I / O port 20 corresponding to the peripheral circuit address. In addition, when the CPU 11 receives data from the outside, when the data reaches the I / O port 20, the DMAC 16 detects it and transfers the data to the RAM 12. When the reception is completed, the DMAC 16 issues an interrupt request to the INTC 14, so that the CPU 11 can read the data in the RAM 12.

  The bridge 17 absorbs the difference in frequency between the main bus 21 and the peripheral bus 22 and connects the circuit connected to the main bus 21 and the circuit connected to the peripheral bus 22 so that they can communicate with each other. The CAN controller 18 is a communication circuit for the microcomputer 100 to communicate with another ECU (Electronic Control Unit) connected to the CAN bus 43. When the CAN controller 18 notifies the DMAC 16 of reception of the CAN frame, the DMAC 16 reads the CAN frame from the reception buffer of the CAN controller 18 and stores it in the RAM 12. When the reception is completed, the DMAC 16 issues an interrupt request to the INTC 14 to notify the CPU 11 of the reception of the CAN frame.

  An ADC (A / D controller) 19 converts an analog signal of a sensor connected to the microcomputer 100 into a digital signal and outputs a control signal to an actuator or the like. The I / O port 20 is an input / output interface with a peripheral circuit, and a plurality of I / O ports 20 are prepared for each peripheral circuit. For example, sensors, actuators, switches, and the like are connected to the I / O port 20. In this embodiment, the system 1 uses the I / O port 1 and the system 2 uses the I / O port 2 respectively.

  The microcomputer 100 is mounted on various electronic control devices. In this embodiment, since the systems 1 and 2 mounted on different electronic control devices can be mounted on one electronic control device, the electronic control device does not always have only a single function. . However, the electronic control device has various functions such as an HV-ECU, an engine ECU, a brake ECU, and a navigation ECU. The microcomputer 100 of this embodiment provides one or more of these functions.

[System integration]
FIG. 3 is an example of a diagram illustrating the integration of two systems by the virtualization technology. The application 1 and OS 1 installed in the ECU 1 are referred to as a system 1, and the application 2 and OS 2 installed in the ECU 2 are referred to as a system 2. The microcomputers of ECU1 and ECU2 do not need to be the same, and OS1 and OS2 need not be the same.

By using the virtualization technology, the two systems 1 and 2 can be mounted on one microcomputer 100 as they are. Since no system change is required, system integration is possible at a low cost in a short time. By the way, the functional safety of a vehicle has a safety level of an index called ASIL (Automotive Safety Integrity Level), and it is required that functional safety corresponding to ASIL is achieved. When integrating the systems 1 and 2, it is considered that the ASIL of the systems 1 and 2 may be different. However, when the ASIL is different, the I / O port 20 of the system having a high ASIL may be protected from the system having a low ASIL. Required. In this embodiment, the I / O port 20 is protected by using the hypervisor 31 and the memory protection mechanism 32. The hypervisor 31 is software that emulates the hardware of the microcomputers 1 and 2. The microcomputers 1 and 2 have general hardware (CPU, memory, I / O port, etc.). For example, when the memories of the microcomputers 1 and 2 are emulated, the hypervisor 32 describes a process (a series of instructions) for securing the ROM and RAM areas mounted on the microcomputers 1 and 2. When the microcomputer 100 executes the programs of the microcomputers 1 and 2, the reserved area is accessed as the memory of the microcomputers 1 and 2 to emulate the operations of the microcomputers 1 and 2. That is, the same data as when the microcomputers 1 and 2 operate the systems 1 and 2 is stored in the secured area.

  When emulating a CPU, the hypervisor 32 describes a process for securing an area corresponding to a register (general-purpose register, program counter, flag register, stack pointer) in the CPU 100 in the RAM 12 of the microcomputer 100. Further, the hypervisor 32 has a process of repeatedly reading, decoding, and executing instructions from the emulated memory one by one, and a process of updating a register value secured in the RAM 12 according to the execution result. It has been described. At the time of decoding, which instruction corresponds to all the instructions executable by the CPUs of the microcomputers 1 and 2 is specified. A process for operating the secured register is described in accordance with the decoding result. The contents of execution include copying data from the memory to the register (for example, in the case of a Load instruction), copying data from the register to the memory (for example, in the case of a Store instruction), addition / subtraction / multiplication / division of a register value, logical operation, etc. is there. Therefore, the register secured in the RAM 12 stores the same data as the data stored in the CPU registers of the microcomputers 1 and 2 when the microcomputers 1 and 2 operate the systems 1 and 2.

  When emulating an I / O port, the hypervisor 32 describes a process corresponding to the I / O port for which input / output is instructed. That is, as a result of decoding, when the instruction is for operating the I / O ports of the microcomputers 1 and 2, a process for accessing the I / O port of the microcomputer 100 is described. For example, a process for reading data from the I / O port 20 corresponding to the input port is described in response to the designation of the input port. Therefore, for example, when the input port to which the sensor is connected in the microcomputers 1 and 2 is designated, the process of reading data from the I / O port 20 of the microcomputer 100 to which the sensor connected to the input port is connected Is described.

  A process for writing data to the output port in response to the designation of the output port is described. Thus, for example, when the output port to which the actuator is connected in the microcomputers 1 and 2 is specified, the data is written to the I / O port 20 of the microcomputer 100 to which the actuator connected to the output port is connected. Is described.

  In this embodiment, the microcomputers 1 and 2 access the I / O port 20 by memory mapped I / O (I / O designation method in which an I / O port is assigned to an address for access). Accordingly, the above-described access instruction to the input port or output port is detected by detecting the address corresponding to the access destination I / O port 20 (the access destination address (operand) of the decoded instruction). .

  When installed in one microcomputer 100 including the OS as in the systems 1 and 2, the instruction executed by the OS 1 and 2 may be an instruction that is allowed to be executed only in the privileged mode of the CPU 11. The privileged mode is an operation mode of the CPU 11 and a user mode is a mode to be compared. General apps are only allowed to run in user mode to maintain system stability and security.

  However, since the OSs 1 and 2 executed on the hypervisor 31 of the microcomputer 100 are executed in the user mode, there is a possibility that the hypervisor 31 cannot emulate the execution of the OSs 1 and 2 (an exception occurs if executed as it is). ) For this reason, the hypervisor 31 converts a specific instruction of the OSs 1 and 2 into another instruction so that it can be executed in the user mode.

  The privilege mode is changed to the user mode by executing a specific instruction prepared in the microcomputer 100. Conversely, since the user mode is changed to the privileged mode when the hypervisor 31 executes a special instruction, the systems 1 and 2 cannot be switched to the privileged mode.

  In addition, the hypervisor 31 can also emulate the microcomputers 1 and 2 for communication by the CAN controller mounted on the microcomputers 1 and 2. That is, the hypervisor 31 describes a process of detecting communication by the CAN controller by decoding a command and communicating by the CAN controller of the microcomputer 100.

  Since the hypervisor 31 executes the systems 1 and 2 as applications, the hypervisor 31 executes and manages the systems 1 and 2 as an execution unit such as one task or thread. Accordingly, at least the CPU 11 detects which system is running. If the CPU 11 is a single core, the hypervisor 31 switches between the systems 1 and 2 in a time division manner and assigns them to the CPU 11, for example. If the CPU 11 is multi-core, the hypervisor 31 assigns the systems 1 and 2 to the core 1 and the core 2, for example.

[Memory protection]
Thus, the systems 1 and 2 operate on the hypervisor 31 without changing the systems 1 and 2 by the virtualization technology. The microcomputer 100 loads the systems 1 and 2 into the RAM so that they can be rearranged, for example, by base address designation. An address specified by a relocatable program is called a logical address. On the other hand, the addresses of the systems 1 and 2 on the RAM are called physical addresses. Although the addresses of the RAMs of the systems 1 and 2 are indefinite, the addresses included in the instructions of the systems 1 and 2 are fixed. Therefore, the microcomputer 100 uses the memory protection mechanism 32 to determine the logical addresses output by the systems 1 and 2. The physical address of the RAM is associated.

  FIG. 4 is an example of a diagram for schematically explaining the function of the memory protection mechanism 32. The hypervisor 31 detects the activation of the systems 1 and 2 from the execution of a specific command and creates a page table entry (PTE) and a page table for each system. The memory protection mechanism 32 divides a physical address such as RAM into pages, and divides the address space of logical addresses into pages of the same size. Then, the page number of the physical page is associated with the page number of the logical page.

  In the PTE, a page table address, an invalid flag, an R / W flag, a U / H flag, and the like are registered in association with the logical page number. The page table address is the top address of a page table prepared for each system. The invalid flag indicates the presence or absence of the corresponding physical page. The R / W flag indicates read / write permission. The U / H flag indicates whether access is permitted in the user mode or the privilege mode (hypervisor mode).

  A predetermined number of bits at the beginning of the logical address are logical page numbers, and the rest are offsets within the page. The memory protection mechanism 32 refers to the PTE, refers to the page table, and specifies the physical page number associated with the logical page number included in the instructions of the systems 1 and 2. An address obtained by integrating the physical page number and the offset becomes a physical address. Since the page table is different for each system, even if the logical address is the same, the physical address does not overlap.

  When the system 1 or 2 outputs a logical address to the memory protection mechanism 32, the memory protection mechanism 32 identifies a running system and refers to a page table specific to the system. Therefore, the systems 1 and 2 can access the areas of the systems 1 and 2 in the RAM. Since the I / O port 20 is also assigned to a part of the address space, it can be accessed in the same manner as the RAM.

  Further, when the system 1 designates a logical address that is not mapped to the RAM, the memory protection mechanism 32 generates an exception. Whether or not mapping is performed is determined by an invalid flag. The same applies when a logical address that is converted into a physical address that is not permitted to be read / written is specified, or when a logical address that is converted into a physical address that is allowed to be accessed only in the privileged mode is specified. As described above, the memory accessed by the systems 1 and 2 is protected by the memory protection mechanism 32.

  When the systems 1 and 2 access the I / O port 20, the logical address assigned to the I / O port 20 is designated. Conventionally, the memory protection mechanism 32 converts this logical address into a physical address, but in this embodiment, the systems 1 and 2 are prohibited from directly accessing the I / O port 20.

FIG. 5 is a diagram illustrating a setting example of the PTE when the access to the I / O port 20 by the systems 1 and 2 is prohibited. It is assumed that the flag = “1” and permission is given.
・ R / W flag = 1/1
・ U / H flag = 0/1
According to the R / W flag, since both are “1”, it is possible to read from or write to the I / O port 20 corresponding to the logical page indicated by the PTE. However, since the U / H flag is “0/1”, read / write is not permitted in the user mode. That is, the systems 1 and 2 cannot access the I / O port 20. On the other hand, since read / write is permitted in the privileged mode, the hypervisor 31 can access the I / O port 20.

  Therefore, for example, when the hypervisor 31 starts up the microcomputer 100, the logical page PTE of the logical page including the I / O port 20 is set as shown in FIG. Access can be prohibited. The logical address of the I / O port 20 is obvious from the configuration of the systems 1 and 2 and is known to the developer.

  When the system 1 or 2 executes an instruction to access the I / O port 20, the memory protection mechanism 32 generates an exception (the occurrence of this exception may be referred to as an access violation). Thereby, the hypervisor 31 detects access to the I / O port 20 by the systems 1 and 2.

  As described above, in this embodiment, it is only necessary to restrict access to the I / O port 20 in units of pages (since all I / O ports should be prohibited from accessing), the number of page table entries may become too large. Absent.

[Function configuration]
FIG. 6 shows an example of a functional block diagram of the hypervisor 31. The hypervisor 31 mainly includes an access control unit 33, I / O access management information 34, and system execution information 35.

  The system execution information 35 is information for specifying a system (OS or application) being executed when an access violation is notified. This is because access to the I / O port 20 is prohibited in both the systems 1 and 2, and it is necessary to specify which one has accessed.

  FIG. 7A shows an example of the system execution information 35. Examples of the system execution information 35 include identification information of the system being executed by the microcomputer 100 and the address of the program that generated the exception. The identification information of the system being executed by the microcomputer 100 is constantly managed by the hypervisor 31. Since the hypervisor 31 has registered the system assigned to the CPU 11 in a table or the like, the system can be specified by referring to this table.

  The address of the program that generated the exception is set in the emulated program counter. Since the value of the program counter is a logical address, if the physical address is specified by referring to the page table, it can be determined whether it is the system 1 area or the system 2 area. The address set in the program counter can be easily specified because the hypervisor 31 has acquired it by emulation. Since the instruction executed by the systems 1 and 2 can be found from the address set in the program counter, it can be determined whether the systems 1 and 2 have accessed the I / O port 1 or the I / O port 2.

  Since the memory protection mechanism outputs a physical address from the logical address (since it performs conversion related to the address), the logical address of the program that generated the exception, and the physical address of the I / O port 20 when the access violation occurred The data (or its address) to be written by the system is set. Therefore, information equivalent to the system execution information can be acquired from the memory protection mechanism.

  The I / O access management information 34 is information in which the access rights of each system for the I / O ports 1 and 2 are registered. That is, the I / O ports 1 and 2 that are prohibited in the memory protection mechanism 32 but are allowed to be accessed in the system before the integration are registered in association with the system.

  FIG. 7B is a diagram showing an example of the I / O access management information 34. As illustrated, for example, system 1 is associated with I / O port 1 and system 2 is associated with I / O port 2. Since the I / O access management information 34 is static information, it can be set by a developer or the like when the hypervisor 31 is built. Further, the hypervisor 31 may dynamically set when the microcomputer 100 is activated. This method can be adopted when the systems 1 and 2 may use either the I / O ports 1 or 2. For example, the I / O ports 1 and 2 are assigned in the order in which the systems 1 and 2 are activated.

  The access control unit 33 is a function inside the hypervisor 31. That is, it operates in a privileged mode. The access control unit 33 is activated when an exception of the memory protection mechanism 32 occurs. The access control unit 33 identifies the executed instruction based on the value of the program counter at the time of the exception occurrence, and determines whether the instruction is due to access to an address corresponding to the I / O port 20.

  When an exception occurs due to access to the I / O port 20, the access control unit 33 performs access control. That is, the system when an exception occurs is specified based on the system execution information 35, and it is determined in the I / O access management information 34 whether access to the system is permitted. If access is permitted, the I / O port 20 is accessed instead of the system. If access is not permitted, an access violation is notified to the system.

  In the systems 1 and 2 before integration, no I / O port access violation may occur. However, if not limited to I / O ports, when an access violation occurs, the memory protection mechanism 32 mounted on the microcomputers 1 and 2 notifies the OS of the occurrence of an exception by an interrupt or the like. The systems 1 and 2 execute processing corresponding to the occurrence of an exception by executing, for example, an exception handler provided in the OS 1 and 2. This process is determined by the OS 1 and 2 before integration. Therefore, the access control unit 33 can notify the OSs 1 and 2 of the occurrence of an exception by causing the systems 1 and 2 to execute the exception handler. Specifically, the decoding of the instructions of the systems 1 and 2 is resumed from the addresses of the systems 1 and 2 in which the exception handler is described.

  Further, the access control unit 33 records an access history in order to manage how much access violation has occurred due to the influence of integration.

  FIG. 8 is a diagram illustrating an example of the access history table. The access control unit 33 records, for example, the system that accessed the I / O port 20, the access time, the physical address of the instruction executed at the time of access, the I / O ports 1 and 2 to be accessed, the presence / absence of an exception, etc. . The occurrence time is, for example, the elapsed time from the startup, but may be an absolute time.

  With such a record, the developer or the like can verify which I / O ports 1 and 2 are accessed by the systems 1 and 2 and the periodicity. In addition, it is possible to verify whether there is an access pattern of the system 1 and the system 2 (for example, when the system 1 accesses twice, the system 1 accesses once, and the system 1 and system 2 continuously access). When an exception occurs, for example, an exception is likely to occur with an instruction at a specific physical address, and an access pattern before and after the occurrence of the exception (for example, an exception occurs when the system 1 or 2 is accessed continuously). The presence or absence of can be verified.

[Advantages of the access control unit 33 substituting access to the I / O port when an exception occurs]
Since the hypervisor 31 analyzes instructions executed by the systems 1 and 2, when access to the I / O port 20 is detected, it is possible to access the I / O port 20 without waiting for an exception to occur. It is. In this case, a method for prohibiting access to the I / O port 20 in the user mode by the memory protection mechanism 32 and a method for prohibiting the access can be considered. The method that does not prohibit the access to the I / O port 20 is not preferable because there is a possibility that the I / O port 20 may be accessed due to the addition of an unexpected program.

  In the method of prohibiting access to the I / O port 20, when access to the I / O port 20 is detected, it is necessary to describe processing for switching to the privileged mode in the hypervisor 32, and the hypervisor 31 is corrected. (The versatility of the hypervisor 31 is reduced.) On the other hand, when the access control unit 33 accesses the I / O port 20 due to the occurrence of an exception, it is only necessary to add an exception processing module to the hypervisor 32. Therefore, the merit that the versatility of the hypervisor 33 is unlikely to deteriorate. There is.

  Therefore, although the method of this embodiment is suitable, it is also possible to access the I / O port 20 without waiting for the occurrence of an exception when the access to the I / O port 20 is detected.

[Operation procedure]
FIG. 9A is an example of a flowchart showing an operation procedure of the microcomputer 100, and FIG. 9B is an example of an arrow showing the operation of the microcomputer 100. Note that the numbers in parentheses in FIGS. 9A and 9B correspond to each other.

  First, the hypervisor 31 prohibits access to the I / O port 20 in the user mode at the time of startup, for example (S10). Thereafter, the systems 1 and 2 are executed on the hypervisor 31.

  For example, it is assumed that the system 1 executes an instruction to access the I / O port 20 (S20).

  The memory protection mechanism 32 detects an access violation and generates an exception (S30). The occurrence of an exception is notified to the hypervisor 31 by the execution of a program executed by the CPU 11 when the exception occurs.

The access control unit 33 of the hypervisor 31 acquires the following information regarding access from the memory protection mechanism 32 (S40).
-Physical address of the I / O port where the access violation occurred-Data to be written by the system (or its address)
The address of the program that generated the exception Then, the system being executed and the I / O port 20 are identified based on the system execution information 35 or the information acquired in step 40 (S50).

  When an exception occurs, the hypervisor 31 stops at least the emulation of the system 1 that caused the exception, and saves the context (emulated contents) of the system 1. As a result, the system 1 does not execute the instruction after accessing the I / O port 20.

  The access control unit 33 determines whether or not the identified system 1 has an access right to the I / O port 20 by referring to the I / O access management information 34 (S60).

  When the system 1 has an access right to the I / O port 20 (Yes in S60), the access control unit 33 accesses the I / O port 20 instead of the system 1 (S70). The access control unit 33 identifies an instruction executed by the system from the address set in the program counter, and executes the instruction. Instead of executing the instruction itself executed by the system, an instruction for specifying the data storage source from the instruction and writing the data to the I / O port 20 may be executed. As a result, the hypervisor 31 can execute an instruction for the system 1 to access the I / O port 20.

  When the access to the I / O port 20 is writing, the hypervisor 31 accesses the I / O port 20 instead of the system 1 and then returns the context. As a result, the system 1 can resume execution from the instruction after the occurrence of the exception.

  When the access to the I / O port 20 is read, the hypervisor 31 accesses the I / O port 20 instead of the system 1 and then waits for an interrupt from the DMAC. The DMAC accesses the I / O port 20 of the physical address output from the memory protection mechanism 32, reads data from the reception buffer of the I / O port 20, and writes it to the RAM. When the DMAC completes the transfer from the I / O port 20 to the RAM, the DMAC interrupts the CPU 11 so that the hypervisor 31 restores the interrupted context of the system 1 by the interrupt. The system 1 can resume execution from the instruction after the occurrence of the exception, and read data read from the I / O port 20 from the RAM.

  When the system 1 does not have the access right to the I / O port 20 (No in S60), the access control unit 33 notifies the system 1 of an access violation (S80). That is, the exception handler is executed, and after execution, the hypervisor 31 returns the interrupted context of the system 1. Thereby, the system 1 can detect an access violation as before the integration.

  As described above, in the microcomputer 100 according to the present embodiment, when a plurality of systems 1 and 2 in which the I / O ports 20 to be accessed before integration are integrated into one microcomputer 100, the access control unit 33 is Controls access to the / O port 20. Therefore, the access violation of the systems 1 and 2 can be prevented. There is no need to change the systems 1 and 2 and no additional hardware is required. Moreover, even if the number of systems to be integrated increases, it can be dealt with by simply modifying the settings of the access control unit 33 and the memory protection mechanism 32.

  In this embodiment, a microcomputer 100 that controls access to the systems 1 and 2 based on the priority of the system will be described.

  The functional block diagram is the same as FIG. 6 of the first embodiment. However, the access control unit 33 according to the present embodiment gives priority to access to the I / O port 20 of the higher priority system based on the priorities of the systems 1 and 2. Such priority control is effective when different systems 1 and 2 access the same I / O port 20.

  The priorities of the systems 1 and 2 may be known to a developer or the like at the time of integration, or may be determined dynamically by the access control unit 33. When determining the priority based on ASIL, the priority is higher in the order of ASIL QM <A <B <C <D. Therefore, a developer or the like can set the priorities of the systems 1 and 2 in the access control unit 33 in advance.

  When the priority is dynamically determined, for example, it is determined from the frequency of access violation. A system with a high ASIL is highly designed and verified, so there are few access violations. Therefore, it is estimated that a system with few access violations is a system with high priority. The access control unit 33 refers to the access history table of FIG. 8 and dynamically determines the priority of each system based on the frequency of all past or predetermined time access violations.

  Then, the access control unit 33 predicts the next access timing based on the past access history of the systems 1 and 2.

  FIG. 10 is an example of a diagram illustrating prediction of access timing. A cycle in which the system accesses the same I / O port 20 is defined as an access interval Ta, and a time during which the system occupies the I / O port 20 is defined as an access time Tb. As shown in the figure, the access interval of the system 1 is Ta1, the access interval of the system 2 is Ta2, the system 1 access time is Tb1, and the access time of the system 2 is Tb2. In the present embodiment, since the system 1 having a higher priority may be given priority, it is sufficient that the access interval Ta1 of the system 1 and the access time Tb2 of the system 2 can be specified. Therefore, the access interval Tb of the system 2 may be irregular.

  Since the access interval Ta1 of the system 1 has regularity, the access control unit 33 can predict the access timing of the system 1. That is, when the system 1 accesses at time t1, the next access timing is “time t2 = time t1 + access interval Ta1,” and when the system 1 accesses at time t2, the next access timing is “time t4 = time t2 + access. Interval Ta1 ”.

For example, when the system 2 with low priority accesses the I / O port 20 at time t3, as described in the first embodiment, the access control unit 33 detects an access request due to the occurrence of an exception. The access control unit 33 determines whether or not the occupation of the I / O port 20 by the system 2 is completed before the system 1 accesses. Specifically, the following is determined.
Time t4> current time + access time Tb2
When the time t4 is larger than “current time + access time Tb2”, the access of the I / O port 20 by the system 2 is completed before the system 1 starts accessing the I / O port 20. In this case, the access control unit 33 executes the access request of the system 2 without waiting.

  When the time t4 is not greater than the “current time + access time Tb2”, the access to the I / O port 20 by the system 2 is not completed until the system 1 starts accessing the I / O port 20. In this case, the access control unit 33 puts the access request of the system 2 on standby until the access of the system 1 is completed in order to give priority to the access of the I / O port 20 of the system 1. By doing so, even if a situation occurs in which the systems 1 and 2 access the same I / O port 20 due to the integration, the system 1 with higher priority can be given priority.

  FIG. 11A is an example of a flowchart showing an operation procedure of the microcomputer 100, and FIG. 11B is an example of an arrow showing the operation of the microcomputer 100. The numbers in parentheses in FIGS. 11 (a) and 11 (b) correspond to each other.

  The processing from step S10 to step S60 in the procedure of FIG. 11 is the same as that in FIG. 9, but in this embodiment, it is assumed that the system 2 with low priority accesses. When the identified system 2 does not have the access right to the I / O port 20, the access control unit 33 notifies an access violation as in the first embodiment (S80).

  When the identified system 2 has an access right to the I / O port 20 (Yes in S60), the access control unit 33 uses the access history table to determine the access interval Ta1 of the system 1 and the access time of the system 2. Tb2 is specified (S62). The access interval and access time are preferably updated in advance, but may be calculated each time there is an access request.

  The access control unit 33 determines whether the system 1 having a higher priority than the system 2 accesses the I / O port 20 before the access of the system 2 is completed (S64).

  When the system 1 does not access the I / O port 20 until the access of the system 2 is completed (No in S64), the access control unit 33 accesses the I / O port 20 instead of the system 2 (S82).

  When the system 1 accesses the I / O port 20 by the completion of the access of the system 2 (Yes in S64), the access control unit 33 performs the access of the system 1 before the access of the system 2, and then the system 2 Instead, the I / O port 20 is accessed (S84).

  In this way, when systems with different priorities share the same I / O port 20, it is possible to prioritize a system with a higher priority, and the system 1 has the same timing as before the integration. Can be accessed.

  As described above, according to the microcomputer 100 of this embodiment, in addition to the effects of the first embodiment, the access of the I / O port 20 of the system 1 having a high priority can be given priority over the system 2 having a low priority.

31 Hypervisor 32 Memory Protection Mechanism 33 Access Control Unit 34 I / O Access Management Information 35 System Execution Information 100 Microcomputer

Claims (8)

Program storage means for storing a plurality of programs;
One or more computing means for executing the program;
An information processing apparatus having a plurality of interfaces capable of communicating with an external circuit,
An interface registration table in which the interface accessible by the program is registered;
When the program that requested access to the interface is permitted to access the interface, access control means for accessing the interface instead of the program;
An information processing apparatus. Access prohibiting means for prohibiting each of the plurality of programs from accessing the interface;
The access control means detects from the access prohibition means that the program has requested access to the interface;
The information processing apparatus according to claim 1. Having program identification information for identifying the program accessing the interface and the interface;
The access control means specifies the program and the interface based on the program identification information when the program requests access to the interface.
The information processing apparatus according to claim 1 or 2. The program identification information is an address of the program executed by the arithmetic unit when the access prohibition unit detects that the program requests access to the interface.
The information processing apparatus according to claim 3. When a plurality of the programs access the same interface,
When the access control means predicts that access to the interface by the first program is in a standby state by a second program having a lower priority than the first program, the access control means Before accessing the interface, the interface of the first program is accessed, and after the access of the first program to the interface is completed, the interface of the second program to the interface is completed. Access,
The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus. The access control means records the program that has requested access to the interface and whether or not access is permitted, and the priority of the program that has more records that access is not permitted is permitted to access. It is determined that the record is not lower than the program with less records,
The information processing apparatus according to claim 5. The access control means is a function of a hypervisor that emulates individual hardware in which the program was operating,
The hypervisor emulates the hardware memory, the CPU register, and the input / output interface when the program is executed on the hardware based on the result of analyzing each instruction of the plurality of programs. Executing a plurality of the programs by updating the state;
The information processing apparatus according to claim 1, wherein: Program storage means for storing a plurality of programs;
One or more computing means for executing the program;
An interface access method for an information processing apparatus having a plurality of interfaces capable of communicating with an external circuit,
When the access control means refers to the interface registration table in which the interface accessible by the program is registered, the program that has requested access to the interface is permitted to access the interface. Access the interface instead of
Interface access method.

Images