[go: up one dir, main page]

WO2018138789A1 - Built-in device and firmware update method - Google Patents

Built-in device and firmware update method Download PDF

Info

Publication number
WO2018138789A1
WO2018138789A1 PCT/JP2017/002442 JP2017002442W WO2018138789A1 WO 2018138789 A1 WO2018138789 A1 WO 2018138789A1 JP 2017002442 W JP2017002442 W JP 2017002442W WO 2018138789 A1 WO2018138789 A1 WO 2018138789A1
Authority
WO
WIPO (PCT)
Prior art keywords
firmware
update
embedded device
application
control unit
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2017/002442
Other languages
French (fr)
Japanese (ja)
Inventor
俊介 西尾
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Mitsubishi Electric Corp
Original Assignee
Mitsubishi Electric Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Mitsubishi Electric Corp filed Critical Mitsubishi Electric Corp
Priority to JP2018563980A priority Critical patent/JP6861739B2/en
Priority to PCT/JP2017/002442 priority patent/WO2018138789A1/en
Publication of WO2018138789A1 publication Critical patent/WO2018138789A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • GPHYSICS
    • G06COMPUTING OR CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/445Program loading or initiating

Definitions

  • the present invention relates to an embedded device that operates according to firmware and a firmware update method in the embedded device.
  • IoT Internet of Things
  • Patent Document 1 discloses a secure boot method for safely starting an embedded device by verifying the validity of a part (that is, a partial program) of the OS of the embedded device. is suggesting.
  • Patent Document 2 discloses a startup program data, a backup program data, and a non-volatile memory that stores correction data having the same contents as the backup program data.
  • bit error detection is performed on the backup program data, and when a bit error is detected, the bit error is corrected with correction data.
  • An apparatus is provided that includes an error correction unit that restarts and a restart unit that restarts the system using backup program data when an abnormality of the startup program data is detected by the abnormality detection unit.
  • EP-A-2733612 (eg abstract, FIG. 2)
  • the apparatus described in Patent Document 2 detects the presence or absence of abnormality in the activation program data in parallel with the activation of the activation program data, and when an abnormality in the activation program data is detected, Since restart is performed, it is possible to ensure continuity of service. However, since the detection of abnormality of the activation program data is performed when the activation program is activated, the system may be restarted at the activation.
  • the present invention has been made in order to solve the above-described problems, and its purpose is to be able to start up safely with firmware whose validity has been confirmed, and to avoid the suspension of operation due to tampered firmware. It is to provide an embedded device and a firmware update method that can be used.
  • An embedded device is an embedded device connected to a network, and a firmware storage unit that stores firmware, and the firmware is read from the firmware storage unit and executed to activate the embedded device
  • An activation control unit that performs update, a device control unit that acquires firmware for update through the network, and a firmware verification unit that verifies the validity of the firmware stored in the firmware storage unit and the validity of the firmware for update
  • a firmware update control unit that writes the update firmware that has been determined to be a legitimate program by the firmware verification unit to the firmware storage unit, and the activation control unit includes the update firmware as the firmware.
  • a firmware update method is a firmware update method in an embedded device that is connected to a network and is activated by reading and executing firmware stored in a firmware storage unit.
  • the update firmware written in the firmware storage unit updates the new firmware.
  • Reading the firmware is characterized by having a start executing.
  • the present invention it is possible to safely start the embedded device with the firmware whose validity has been confirmed, and it is possible to prevent the operation from being stopped by the altered firmware, and to continue providing services by the embedded device. Sex can be secured.
  • FIG. 1 is a block diagram schematically showing a configuration of an embedded device according to Embodiment 1 of the present invention.
  • FIG. 3 is a diagram illustrating an example of a file configuration of update firmware acquired by the embedded device according to the first embodiment.
  • 6 is a flowchart illustrating an example of an operation at the time of update in which the embedded device according to the first embodiment acquires a file of update firmware and replaces the firmware stored in the firmware storage unit with the update firmware.
  • 6 is a diagram illustrating an example of a startup process of the embedded device according to the first embodiment.
  • FIG. 6 is a flowchart illustrating an example of an activation process of the embedded device according to the first embodiment.
  • 10 is a flowchart illustrating an example of an operation at the time of update in which an embedded device according to Embodiment 2 of the present invention acquires a firmware file for update and replaces firmware stored in a firmware storage unit with firmware for update.
  • an embedded device (also referred to as “embedded device”) is a computer that is incorporated into household appliances, industrial equipment such as factory equipment, communication equipment, and transportation equipment such as automobiles in order to realize a specific function. is there.
  • industrial equipment such as factory equipment, communication equipment, and transportation equipment such as automobiles in order to realize a specific function.
  • transportation equipment such as automobiles in order to realize a specific function.
  • FIG. 1 is a block diagram schematically showing the configuration of the embedded device 1 according to the first embodiment.
  • the embedded device 1 is a device that can perform the firmware update method according to the first embodiment.
  • the embedded device 1 includes a device control unit 2 that controls the overall operation of the embedded device 1, and a communication interface unit 3 that is communicably connected to a network by Ethernet (registered trademark) connection or the like.
  • a boot control unit 4 for controlling the operation of the embedded device 1 according to the boot program and firmware, a firmware update control unit 5 for updating firmware, a firmware verification unit 6 for verifying firmware, and firmware verification
  • a certificate information storage unit 61 for storing certificate information used for verification in the firmware.
  • the embedded device 1 also includes a boot ROM (Read Only Memory) 7 as a storage unit of a boot program 7a, which is a storage device configured by a nonvolatile semiconductor memory, and a memory configured by a semiconductor memory or a hard disk drive. And a firmware storage unit 8 which is a device.
  • boot ROM Read Only Memory
  • the firmware storage unit 8 includes an OS storage unit 9 for storing an OS (Operating System) and an application storage unit 10 for storing an application program (also referred to as “application”).
  • the firmware includes an OS and an application.
  • the OS storage unit 9 and the application storage unit 10 may be provided in different storage devices, but may be different storage areas of the same storage device.
  • the OS storage unit 9 has an OS storage area (A) 11 and an OS storage area (B) 12 which are duplicated storage areas.
  • An OS (A) 15 is stored in the OS storage area (A) 11.
  • the OS (A) 15 includes OS signature information (A) 15a for proving the legitimacy of the OS (A) 15.
  • An OS (B) 16 is stored in the OS storage area (B) 12.
  • the OS (B) 16 includes OS signature information (B) 16 a for verifying the legitimacy of the OS (B) 16.
  • (A) and (B) are symbols assigned to facilitate the distinction between the OS storage area (A) 11 and the OS storage area (B) 12. For example, when (A) indicates an operating OS storage area or OS currently in operation, (B) is a standby OS storage area or standby firmware that has been operated before. Indicates the OS. In some cases, (A) and (B) are reversed.
  • the application storage unit 10 has an application storage area (A) 13 and an application storage area (B) 14 which are duplicated storage areas.
  • the application (A) 17 is stored in the application storage area (A) 13.
  • the application (A) 17 includes application signature information (A) 17a for verifying the validity of the application (A) 17.
  • An application (B) 18 is stored in the application storage area (B) 14.
  • the application (B) 18 includes application signature information (B) 18 a for verifying the validity of the application (B) 18.
  • (A) indicates a currently operating application storage area or application
  • (B) is a standby application storage area or standby firmware that was previously operated. Indicates an application. In some cases, (A) and (B) are reversed.
  • FIG. 2 is a diagram illustrating an example of a file configuration of the update firmware 20 acquired by the embedded device 1 according to the first embodiment.
  • the update firmware 20 file acquired from the network through the communication interface unit 3 includes an update OS 21 and an update application 22.
  • the update OS 21 includes OS signature information 21a
  • the update application 22 includes application signature information 22a.
  • FIG. 3 shows that the embedded device 1 according to the first embodiment acquires a file of the firmware 20 for update, and places the firmware stored in the firmware storage unit 8 in the firmware 20 for update. It is a flowchart which shows the operation example at the time of the update to replace.
  • step S101 the device control unit 2 acquires a file of the firmware 20 for update from the network through the communication interface unit 3, and instructs the firmware update control unit 5 to update the firmware.
  • the update firmware 20 includes an update OS 21 having OS update information 21a and an update application 22 having application signature information 22a.
  • the firmware update control unit 5 separates and extracts the update OS 21 and the update application 22 from the file of the update firmware 20.
  • the firmware verification unit 6 verifies whether or not the OS signature information 21a of the update OS 21 is valid (ie, confirms the validity).
  • a checksum (or hash value) for the OS object code is obtained, and this is stored in advance in the certificate information storage unit 61 as a valid checksum (or a valid hash value), and the obtained update firmware
  • the checksum (or hash value) obtained for 20 is compared with a stored valid checksum (or valid hash value) and is judged to be valid if they match.
  • Examples of the algorithm for obtaining the hash value include SHA (Secure Hash Algorithm) -1, SHA-256, SHA-384, SHA-512, SHA-224, Wirlpool, MD5 (Message Digest 5), and SHA-3.
  • the length of the hash value varies depending on the algorithm for obtaining the hash value, and is, for example, 128 bits, 160 bits, 224 bits, 256 bits, 384 bits, 512 bits, 1024 bits, or the like.
  • step S103 when the firmware verification unit 6 determines that the program of the update OS 21 has been tampered (NO in step S103), the process proceeds to step S110, and the firmware update control unit 5 The firmware 20 stops the update process for replacing the firmware in the firmware storage unit 8.
  • step S103 if the firmware verification unit 6 determines that the OS 21 program for update is valid (YES in step S103), the process proceeds to step S104.
  • step S104 the firmware update control unit 5 stores (writes) the OS 21 for updating the obtained firmware 20 for update in an OS storage area different from the OS storage area currently in operation. Specifically, when the embedded device 1 is currently operating on the OS (A) 15 stored in the OS storage area (A) 11, the firmware update control unit 5 sets the update OS 21 to the current status. Store in the OS storage area (B) 12 that is not in operation. Conversely, when the embedded device 1 is operating on the OS (B) 16 stored in the OS storage area (B) 12, the firmware update control unit 5 sets the OS 21 for update as an OS that is not currently operated. Store in the storage area (A) 11.
  • step S105 the firmware update control unit 5 sets the OS storage area updated this time (for example, the OS storage area (B) 12) as a program to be executed when the next embedded device 1 is started up.
  • the firmware verification unit 6 verifies whether or not the application signature information 22a of the update application 22 included in the update OS 20 is valid (that is, confirms the validity). .
  • the verification is executed by the same method as the verification method in step S103.
  • step S106 if the firmware verification unit 6 determines that the program of the update application 22 is valid (YES in step S106), the process proceeds to step S107.
  • step S107 the firmware update control unit 5 stores (writes) the acquired update application 22 in an application storage area different from the currently operated application storage area. Specifically, when the embedded device 1 is currently operating with the application (A) 17 stored in the application storage area (A) 13, the firmware update control unit 5 sets the update application 22 as follows: It stores in the application storage area (B) 14 which is not currently operated. Conversely, when the embedded device 1 is operating with the application (B) 18 stored in the application storage area (B) 14, the firmware update control unit 5 does not currently operate the application 22 for update. Store in the application storage area (A) 13.
  • step S108 the firmware update control unit 5 uses the application (A) 17 or (B) 18 stored in the application storage unit (A) 13 or (B) 14 of the application storage unit 10 in step S107 at the next startup. Set as the program to be executed.
  • step S106 if the firmware verification unit 6 determines that the program of the update application 22 has been tampered (NO in step S106), the update process skips steps S107 and S108 and updates this time. In order to validate the OS, the process proceeds to step S109. Moreover, after the process of step S108 is performed, a process progresses to step S109.
  • step S109 the embedded device 1 is restarted, and the update process is terminated.
  • the restart is executed by the update firmware stored in the firmware storage unit 8 this time.
  • FIG. 4 is a diagram illustrating an example of a startup process of the embedded device 1 according to the first embodiment.
  • the boot program 31 read from the boot ROM 7 is started first, and the boot program 31 is sequentially started from the OS 32 read from the firmware storage unit 8. Then, the OS 32 activates the application 33.
  • FIG. 5 is a flowchart showing an example of the startup process of the embedded device 1 according to the first embodiment.
  • FIG. 5 shows a case where the OS 21 for update and the application 22 for update are respectively written in the OS storage area (B) 12 and the application storage area (B) 14 in the last firmware update.
  • step S201 the activation control unit 4 reads the boot program 31 for activating the embedded device 1 from the boot ROM 7 which is a non-rewritable storage area when the embedded device 1 is activated, and executes the read boot program. .
  • the firmware verification unit 6 determines the OS signature information (B) 16a of the OS (B) 16 stored in the OS storage area (B) 12 that is currently being executed (that is, by the previous firmware update). The written OS signature information 21a) of the update OS 21 is verified.
  • step S203 the activation control unit 4 determines that the OS (OS) in the OS storage area (B) 12 B) 16 is read and executed, and then the process proceeds to step S207.
  • step S202 If it is determined that the OS (B) 16 has been falsified as a result of the verification of the OS (B) 16 in step S202 (NO in step S202), the process proceeds to step S204.
  • step S204 the OS storage area to be used is switched to the OS storage area (A) 11 different from the currently operating OS storage area (B) 12.
  • step S205 it is verified whether or not the stored OS signature information (A) 15 is valid.
  • step S205 if it is determined that the OS signature information (A) 15 is valid (has not been tampered with) (YES in step S205), in step S206, the activation control unit 4 displays the OS storage area (A ) 11 OS (A) 15 is read and executed, and then the process proceeds to step S207.
  • step S205 when it is determined that the OS storage area (A) 11 is not valid (tampered) (NO in step S205), the stored OS storage area (B) 12 and the OS storage area (A) It is determined that none of the OSs of 11 can be trusted, and the startup operation is terminated as a startup failure.
  • step S207 the firmware verification unit 6 writes the application signature information (B) 18a of the application (B) 18 stored in the application storage area (B) 14 that is currently being executed (that is, written by the previous firmware update).
  • the application signature information 22a) of the application 22 is verified.
  • step S208 the activation control unit 4 determines that the application (B) 14 application ( B) 18 is read and executed, the verified OS and application are successfully started, and the start process is terminated.
  • step S207 If it is determined that the application (B) 18 has been tampered with as a result of the application verification in step S207 (NO in step S207), the process proceeds to step S209.
  • step S209 the activation control unit 4 switches the application storage area to be used to an application storage area (A) 13 different from the application storage area (B) 14 currently used.
  • the firmware verification unit 6 verifies the application signature information (A) 17a stored in the application storage area (A) 13.
  • step S211 the activation control unit 4 determines that the application (A) 13 A) 17 is read and executed.
  • step S210 when it is determined that the application (A) 17 has been tampered with (NO in step S210), the application (A) 17 stored in the application storage area (A) 13 and the application storage are stored. It is determined that none of the applications (B) 18 stored in the area (B) 14 can be trusted, the reading and execution of the applications are skipped, and the activation process is terminated with only the OS activated.
  • the service provided by the OS can be provided as the embedded device 1, but the service provided by the application cannot be provided. However, it is more secure because the operation of applications that cannot be trusted is suppressed.
  • ⁇ 1-5 Effect As described above, according to the embedded device 1 and the firmware update method according to the first embodiment, after the firmware 20 for update is acquired and stored in the firmware storage unit 8, The firmware verification unit 6 verifies the validity of the update firmware 20 (steps S103 and S106 in FIG. 3). For this reason, if the updating firmware 20 is not a valid program, the firmware 20 is not stored in the firmware storage unit 8 (step S110 in FIG. 3), and it is illegal to consider the continuity of the service. Control without operating the firmware program becomes possible.
  • the OS (B) 16 and the application (B) 18 read from the firmware storage unit 8 when the embedded device 1 is activated by the activation control unit 4.
  • the validity of (or OS (A) 15 and application (A) 17) is verified (steps S202 and S207 in FIG. 5). For this reason, when the OS or application to be executed is not a valid program, the OS used before being stored in another OS storage area and used before being stored in another application storage area are used.
  • the loaded application is read and executed (steps S204, S206, S209, and S211 in FIG. 5). For this reason, it is possible to ensure the continuity of the service provided by the embedded device 1 without stopping the operation of the embedded device 1.
  • Steps S205 and S210 in FIG. 5 a more secure program execution environment can be provided.
  • ⁇ 2 Embodiment 2
  • the validity of the OS signature information 21a is verified in the validity confirmation process performed when the file of the firmware 20 for update is acquired. Both confirmation of the authenticity (step S103) and validity of the application signature information 22a (step S106) are performed.
  • the file size of the application is larger than the file size of the OS, the amount of calculation required for the process of confirming the validity of the application is relatively large, and the processing time is relatively long.
  • the validity of the OS signature information 21a is confirmed in the validity confirmation process performed when the update firmware 20 file is acquired.
  • the validity of the application authentication information 22a is not confirmed.
  • the second embodiment is almost the same as the first embodiment. Therefore, in the description of the second embodiment, reference is also made to FIG. 1 showing the configuration of the embedded device, FIG. 2 showing the file of the firmware 20 for update, and FIG. 5 showing the operation at startup.
  • FIG. 6 shows an operation example at the time of update in which the embedded device according to the second embodiment acquires the file of the firmware 20 for update and replaces the firmware stored in the firmware storage unit 8 with the firmware 20 for update. It is a flowchart.
  • step S301 the apparatus control unit 2 acquires a firmware 20 file for update from the network through the communication interface unit 3, and instructs the firmware update control unit 5 to update the firmware.
  • the firmware 20 includes an update OS 21 having OS signature information 21a and an update application 22 having application signature information 22a.
  • the firmware update control unit 5 separates and extracts the update OS 21 and the update application 22 from the file of the update firmware 20.
  • the firmware verification unit 6 verifies whether or not the OS signature information 21a of the update OS 21 is valid (that is, confirms the validity).
  • step S303 if the firmware verification unit 6 determines that the program of the update OS 21 has been falsified (NO in step S303), the process proceeds to step S307, and the firmware update control unit 5 The update process for rewriting the firmware in the firmware storage unit 8 is stopped by the firmware.
  • step S303 if the firmware verification unit 6 determines that the OS 21 program for update is valid (YES in step S303), the process proceeds to step S304.
  • step S304 the firmware update control unit 5 stores (writes) the OS 21 for update of the obtained update firmware 20 in an OS storage area different from the OS storage area currently in operation, and performs the current operation.
  • the update application 22 of the acquired update firmware 20 is stored (written) in a different application storage area from the application storage area being used. Specifically, when the embedded device is currently operating on the OS (A) 15 stored in the OS storage area (A) 11, the firmware update control unit 5 operates the OS 21 for update at present. If the embedded device is operating in the application (A) 17 stored in the unstored OS storage area (B) 12 and currently stored in the application storage area (A) 13, the firmware update control unit 5 The update application 22 is stored in the application storage area (B) 14 that is not currently operated.
  • the firmware update control unit 5 does not currently operate the OS 21 for update.
  • the firmware update control unit 5 are stored in the application storage area (A) 13 which is not currently operated.
  • step S305 the firmware update control unit 5 sets the OS storage area updated this time (for example, the OS storage area (B) 12) as a program to be executed when the next embedded device is started up.
  • step S109 the embedded device is restarted, and the update process ends.
  • the restart is executed by the update firmware stored in the firmware storage unit 8 this time.
  • the first purpose is to quickly detect the presence or absence of tampering. Therefore, the verification of the update firmware 20 is performed only for the verification of the update OS 21, and the verification of the application is performed when the embedded device is started.
  • 1 embedded device 1 embedded device, 2 device control unit, 3 communication interface unit, 4 startup control unit, 5 firmware update control unit, 6 firmware verification unit, 6a certificate information storage unit, 7 boot ROM, 8 firmware storage unit, 9 OS storage unit , 10 Application storage section, 11 OS storage area (A), 12 OS storage area (B), 13 Application storage area (A), 14 Application storage area (B), 15 OS (A), 15a OS signature information (A ), 16 OS (B), 16a OS signature information (B), 17 application (A), 17a application signature information (A), 18 application (B), 18a application signature information (B), 20 for update Firmware, OS for 21 updating, 21a OS signature information, application for 22 updating, 22a application signature information, 31 boot program, 32 OS, 33 applications, 61 certificate information storage section.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Stored Programmes (AREA)

Abstract

A built-in device (1) is provided with: a firmware storage unit (8); a start-up control unit (4) that reads firmware programs (15, 17, or 16, 18) from the firmware storage unit (8) and executes the read firmware programs to start up the built-in device; a device control unit (2) that acquires update firmware programs (20) via a network; a firmware verification unit (6) that verifies the validity of the firmware programs stored in the firmware storage unit (8) and the validity of the update firmware programs (20); a firmware update control unit (5) that writes the update firmware programs (20) to the firmware storage unit (8) if the firmware verification unit (6) determines that the update firmware programs (20) are valid programs. When starting up the built-in device, the start-up control unit (4) reads, as new firmware programs (15, 17, or 16, 18), the update firmware programs (20) that have been written to the firmware storage unit (8), and executes the read update firmware programs (20).

Description

組み込み装置及びファームウェア更新方法Embedded device and firmware update method

 本発明は、ファームウェアに従って動作する組み込み装置及び組み込み装置におけるファームウェア更新方法に関する。 The present invention relates to an embedded device that operates according to firmware and a firmware update method in the embedded device.

 近年、インターネットなどのネットワークに接続された組み込み装置(例えば、特定の機能を実現するために家電製品、機械又は設備等に組み込まれるコンピュータ)によって、音楽コンテンツ又は映像コンテンツなどの著作物の配信、公共機関又は企業が保有する情報の閲覧サービスの提供、及びオンラインバンキング又は電子マネーなどの金融サービスの提供などが行われている。また、ネットワークを通して通信機能及び制御機能を持つ「もの」に接続することで、計測データ、センサデータ、制御データなどの通信を行う仕組みであるIoT(「もののインターネット」:Internet Of Things)も普及しつつある。 In recent years, distribution of copyrighted works such as music contents or video contents by publicly available embedded devices connected to a network such as the Internet (for example, a computer incorporated in a home appliance, machine or facility to realize a specific function), public There are provided services for browsing information held by institutions or companies, and financial services such as online banking or electronic money. In addition, IoT (“Internet of Things”), which is a mechanism for communicating measurement data, sensor data, control data, etc. by connecting to “things” that have communication and control functions through a network, has also become widespread. It's getting on.

 しかし、ネットワークに接続された組み込み装置では、ファームウェアが悪意ある第三者によって改ざんされ、改ざんされたファームウェア(不正プログラム)が予期しない動作を実行して、予期しない事態を引き起こす危険性がある。 However, in an embedded device connected to a network, there is a risk that the firmware is falsified by a malicious third party, and the falsified firmware (unauthorized program) executes an unexpected operation, causing an unexpected situation.

 このような課題に対して、特許文献1は、組み込み装置のOSの一部分(すなわち、部分プログラム)に対して正当性の検証を実施することで、安全に組み込み装置の起動を行うセキュアブート方法を提案している。 In response to such a problem, Patent Document 1 discloses a secure boot method for safely starting an embedded device by verifying the validity of a part (that is, a partial program) of the OS of the embedded device. is suggesting.

 また、特許文献2は、起動プログラムデータ、バックアッププログラムデータ、及びバックアッププログラムデータと同一内容の修正用データを記憶する不揮発性メモリと、起動プログラムデータの起動と並行して、起動プログラムデータの異常を検出する異常検出部と、起動プログラムデータによってシステムの起動が行われる場合に、バックアッププログラムデータに対してビットエラーの検出を行い、ビットエラーが検出されたときに当該ビットエラーを修正用データにより修正するエラー修正部と、異常検出部により起動プログラムデータの異常が検出された場合に、バックアッププログラムデータによりシステムの再起動を行う再起動部とを備える装置を提案している。 In addition, Patent Document 2 discloses a startup program data, a backup program data, and a non-volatile memory that stores correction data having the same contents as the backup program data. When the system is started with the detected anomaly detection unit and startup program data, bit error detection is performed on the backup program data, and when a bit error is detected, the bit error is corrected with correction data. An apparatus is provided that includes an error correction unit that restarts and a restart unit that restarts the system using backup program data when an abnormality of the startup program data is detected by the abnormality detection unit.

特開2015-022521号公報(例えば、要約、図4)Japanese Patent Laying-Open No. 2015-022521 (for example, summary, FIG. 4) 欧州特許出願公開第2733612号明細書(例えば、要約、図2)EP-A-2733612 (eg abstract, FIG. 2)

 特許文献1に記載のセキュアブート方法では、組み込み装置の起動時にファームウェアの正当性を検証し、ファームウェアが不正プログラムであると判断された場合に、ファームウェアの起動を中止して、組み込み装置の動作を停止する。しかし、組み込み装置の動作が停止されると、組み込み装置が組み込まれている設備からのサービスの提供が停止し、サービスを継続的に提供することができないという問題がある。特に、組み込み装置を搭載した設備が遠隔地に設置されている場合には、復旧のために作業者が遠隔地に赴く必要があった。 In the secure boot method described in Patent Document 1, the validity of the firmware is verified when the embedded device is activated, and when it is determined that the firmware is an illegal program, the activation of the firmware is stopped and the operation of the embedded device is performed. Stop. However, when the operation of the embedded device is stopped, there is a problem that the service is not provided from the facility in which the embedded device is embedded, and the service cannot be continuously provided. In particular, when a facility equipped with an embedded device is installed in a remote place, it is necessary for an operator to go to the remote place for recovery.

 また、特許文献2に記載の装置は、起動プログラムデータの起動と並行して、起動プログラムデータの異常の有無を検出し、起動プログラムデータの異常が検出された場合に、バックアッププログラムデータによりシステムの再起動を行うので、サービスの継続性を確保することは可能である。しかし、起動プログラムデータの異常の有無の検出は、起動プログラムの起動時に行われるので、起動時にシステムの再起動が発生することがある。 In addition, the apparatus described in Patent Document 2 detects the presence or absence of abnormality in the activation program data in parallel with the activation of the activation program data, and when an abnormality in the activation program data is detected, Since restart is performed, it is possible to ensure continuity of service. However, since the detection of abnormality of the activation program data is performed when the activation program is activated, the system may be restarted at the activation.

 本発明は、上記課題を解決するためになされたものであり、その目的は、正当性が確認されたファームウェアによって安全に起動することができ、改ざんされたファームウェアによる動作の停止を回避することができる組み込み装置及びファームウェア更新方法を提供することである。 The present invention has been made in order to solve the above-described problems, and its purpose is to be able to start up safely with firmware whose validity has been confirmed, and to avoid the suspension of operation due to tampered firmware. It is to provide an embedded device and a firmware update method that can be used.

 本発明の一態様に係る組み込み装置は、ネットワークに接続される組み込み装置であって、ファームウェアを格納するファームウェア格納部と、前記ファームウェア格納部から前記ファームウェアを読み込み、実行することで前記組み込み装置を起動する起動制御部と、前記ネットワークを通して更新用のファームウェアを取得する装置制御部と、前記ファームウェア格納部に格納されている前記ファームウェアの正当性及び前記更新用のファームウェアの正当性を検証するファームウェア検証部と、前記ファームウェア検証部によって正当なプログラムであると判断された前記更新用のファームウェアを前記ファームウェア格納部に書き込むファームウェア更新制御部とを備え、前記起動制御部は、前記更新用のファームウェアが前記ファームウェア格納部に書き込まれた後の前記組み込み装置の起動時に、前記ファームウェア格納部に書き込まれた前記更新用のファームウェアを新たなファームウェアとして読み込み、実行することを特徴としている。 An embedded device according to one aspect of the present invention is an embedded device connected to a network, and a firmware storage unit that stores firmware, and the firmware is read from the firmware storage unit and executed to activate the embedded device An activation control unit that performs update, a device control unit that acquires firmware for update through the network, and a firmware verification unit that verifies the validity of the firmware stored in the firmware storage unit and the validity of the firmware for update And a firmware update control unit that writes the update firmware that has been determined to be a legitimate program by the firmware verification unit to the firmware storage unit, and the activation control unit includes the update firmware as the firmware. The startup of the embedded device after it has been written in the Muwea storage unit, the firmware for the said written in the firmware storage unit updates read as a new firmware is characterized by executing.

 本発明の他の態様に係るファームウェア更新方法は、ネットワークに接続され、ファームウェア格納部に格納されているファームウェアを読み込み、実行することで起動する組み込み装置におけるファームウェア更新方法であって、前記ネットワークを通して更新用のファームウェアを取得する取得ステップと、前記更新用のファームウェアの正当性を検証する検証ステップと、前記検証ステップにおいて正当なプログラムであると判断された前記更新用のファームウェアをファームウェア格納部に書き込む更新ステップと、前記更新用のファームウェアが前記ファームウェア格納部に書き込まれた後の前記組み込み装置の起動時に、前記ファームウェア格納部に書き込まれた前記更新用のファームウェアが新たなファームウェアを新たなファームウェアとして読み込み、実行する起動ステップとを有することを特徴としている。 A firmware update method according to another aspect of the present invention is a firmware update method in an embedded device that is connected to a network and is activated by reading and executing firmware stored in a firmware storage unit. An acquisition step of acquiring firmware for verification, a verification step of verifying the validity of the firmware for update, and an update for writing the update firmware determined to be a valid program in the verification step into a firmware storage unit And when the embedded device is started after the update firmware is written in the firmware storage unit, the update firmware written in the firmware storage unit updates the new firmware. Reading the firmware is characterized by having a start executing.

 本発明によれば、組み込み装置を正当性が確認されたファームウェアによって安全に起動することができ、また、改ざんされたファームウェアによる動作の停止を回避することができ、組み込み装置によるサービスの提供の継続性を確保することができる。 According to the present invention, it is possible to safely start the embedded device with the firmware whose validity has been confirmed, and it is possible to prevent the operation from being stopped by the altered firmware, and to continue providing services by the embedded device. Sex can be secured.

本発明の実施の形態1に係る組み込み装置の構成を概略的に示すブロック図である。1 is a block diagram schematically showing a configuration of an embedded device according to Embodiment 1 of the present invention. 実施の形態1に係る組み込み装置が取得する更新用のファームウェアのファイル構成の例を示す図である。FIG. 3 is a diagram illustrating an example of a file configuration of update firmware acquired by the embedded device according to the first embodiment. 実施の形態1に係る組み込み装置が更新用のファームウェアのファイルを取得し、ファームウェア格納部に格納されているファームウェアを更新用のファームウェアに置き替える更新時の動作例を示すフローチャートである。6 is a flowchart illustrating an example of an operation at the time of update in which the embedded device according to the first embodiment acquires a file of update firmware and replaces the firmware stored in the firmware storage unit with the update firmware. 実施の形態1に係る組み込み装置の起動処理の例を示す図である。6 is a diagram illustrating an example of a startup process of the embedded device according to the first embodiment. FIG. 実施の形態1に係る組み込み装置の起動処理の例を示すフローチャートである。6 is a flowchart illustrating an example of an activation process of the embedded device according to the first embodiment. 本発明の実施の形態2に係る組み込み装置が更新用のファームウェアのファイルを取得し、ファームウェア格納部に格納されているファームウェアを更新用のファームウェアに置き替える更新時の動作例を示すフローチャートである。10 is a flowchart illustrating an example of an operation at the time of update in which an embedded device according to Embodiment 2 of the present invention acquires a firmware file for update and replaces firmware stored in a firmware storage unit with firmware for update.

 以下に、本発明の実施の形態に係る組み込み装置及びファームウェア更新方法を、添付図面を参照しながら説明する。本出願において、組み込み装置(「組み込み機器」とも言う)は、特定の機能を実現するために家電機器、工場設備などの産業用機器、通信機器、自動車などの輸送用機器などに組み込まれるコンピュータである。なお、以下の実施の形態は、例にすぎず、本発明の範囲内で種々の変更が可能である。 Hereinafter, an embedded device and a firmware update method according to an embodiment of the present invention will be described with reference to the accompanying drawings. In this application, an embedded device (also referred to as “embedded device”) is a computer that is incorporated into household appliances, industrial equipment such as factory equipment, communication equipment, and transportation equipment such as automobiles in order to realize a specific function. is there. The following embodiments are merely examples, and various modifications can be made within the scope of the present invention.

《1》実施の形態1.
《1-1》組み込み装置1
 図1は、実施の形態1に係る組み込み装置1の構成を概略的に示すブロック図である。組み込み装置1は、実施の形態1に係るファームウェア更新方法を実施することができる装置である。図1に示されるように、組み込み装置1は、組み込み装置1の全体の動作を制御する装置制御部2と、イーサネット(登録商標)接続などによりネットワークと通信可能に接続される通信インタフェース部3と、ブートプログラム及びファームウェアに従う組み込み装置1の動作の制御を行う起動制御部4と、ファームウェアの更新を行うためのファームウェア更新制御部5と、ファームウェアの検証を行うためのファームウェア検証部6と、ファームウェア検証部6に備えられ、ファームウェアに検証に用いる証明書情報を格納するための証明書情報格納部61とを備えている。また、組み込み装置1は、不揮発性の半導体メモリなどで構成された記憶装置であるブートプログラム7aの格納部としてのブートROM(Read Only Memory)7と、半導体メモリ又はハードディスクドライブなどで構成された記憶装置であるファームウェア格納部8とを備えている。 << 1 >> Embodiment 1
<< 1-1 >> Embedded Device 1
FIG. 1 is a block diagram schematically showing the configuration of the embedded device 1 according to the first embodiment. The embedded device 1 is a device that can perform the firmware update method according to the first embodiment. As shown in FIG. 1, the embedded device 1 includes a device control unit 2 that controls the overall operation of the embedded device 1, and a communication interface unit 3 that is communicably connected to a network by Ethernet (registered trademark) connection or the like. A boot control unit 4 for controlling the operation of the embedded device 1 according to the boot program and firmware, a firmware update control unit 5 for updating firmware, a firmware verification unit 6 for verifying firmware, and firmware verification And a certificate information storage unit 61 for storing certificate information used for verification in the firmware. The embedded device 1 also includes a boot ROM (Read Only Memory) 7 as a storage unit of a boot program 7a, which is a storage device configured by a nonvolatile semiconductor memory, and a memory configured by a semiconductor memory or a hard disk drive. And a firmware storage unit 8 which is a device.

 ファームウェア格納部8は、OS(Operating System)を格納するためのOS格納部9と、アプリケーションプログラム(「アプリケーション」とも言う)を格納するためのアプリケーション格納部10とを有している。本願では、ファームウェアは、OSとアプリケーションとを含む。OS格納部9とアプリケーション格納部10とは、互いに異なる記憶装置に備えられてもよいが、同じ記憶装置の異なる記憶領域であってもよい。 The firmware storage unit 8 includes an OS storage unit 9 for storing an OS (Operating System) and an application storage unit 10 for storing an application program (also referred to as “application”). In the present application, the firmware includes an OS and an application. The OS storage unit 9 and the application storage unit 10 may be provided in different storage devices, but may be different storage areas of the same storage device.

 OS格納部9は、2重化された格納領域であるOS格納領域(A)11とOS格納領域(B)12とを有している。OS格納領域(A)11には、OS(A)15が格納されている。OS(A)15は、OS(A)15の正当性を証明するためのOS署名情報(A)15aを含んでいる。OS格納領域(B)12には、OS(B)16が格納されている。OS(B)16は、OS(B)16の正当性を証明するためのOS署名情報(B)16aを含んでいる。なお、(A)と(B)とは、OS格納領域(A)11とOS格納領域(B)12との区別を容易にするために付与された記号である。例えば、(A)が現在運用されている運用中のOS格納領域又はOSを示している場合には、(B)は以前に運用されていた待機中のOS格納領域又は待機中のファームウェアであるOSを示す。(A)と(B)とが逆の場合もある。 The OS storage unit 9 has an OS storage area (A) 11 and an OS storage area (B) 12 which are duplicated storage areas. An OS (A) 15 is stored in the OS storage area (A) 11. The OS (A) 15 includes OS signature information (A) 15a for proving the legitimacy of the OS (A) 15. An OS (B) 16 is stored in the OS storage area (B) 12. The OS (B) 16 includes OS signature information (B) 16 a for verifying the legitimacy of the OS (B) 16. Note that (A) and (B) are symbols assigned to facilitate the distinction between the OS storage area (A) 11 and the OS storage area (B) 12. For example, when (A) indicates an operating OS storage area or OS currently in operation, (B) is a standby OS storage area or standby firmware that has been operated before. Indicates the OS. In some cases, (A) and (B) are reversed.

 アプリケーション格納部10は、2重化された格納領域であるアプリケーション格納領域(A)13とアプリケーション格納領域(B)14とを有している。アプリケーション格納領域(A)13には、アプリケーション(A)17が格納されている。アプリケーション(A)17は、アプリケーション(A)17の正当性を証明するためのアプリケーション署名情報(A)17aを含んでいる。アプリケーション格納領域(B)14には、アプリケーション(B)18が格納されている。アプリケーション(B)18は、アプリケーション(B)18の正当性を証明するためのアプリケーション署名情報(B)18aを含んでいる。例えば、(A)が現在運用されている運用中のアプリケーション格納領域又はアプリケーションを示している場合には、(B)は以前に運用されていた待機中のアプリケーション格納領域又は待機中のファームウェアであるアプリケーションを示す。(A)と(B)とが逆の場合もある。 The application storage unit 10 has an application storage area (A) 13 and an application storage area (B) 14 which are duplicated storage areas. The application (A) 17 is stored in the application storage area (A) 13. The application (A) 17 includes application signature information (A) 17a for verifying the validity of the application (A) 17. An application (B) 18 is stored in the application storage area (B) 14. The application (B) 18 includes application signature information (B) 18 a for verifying the validity of the application (B) 18. For example, when (A) indicates a currently operating application storage area or application, (B) is a standby application storage area or standby firmware that was previously operated. Indicates an application. In some cases, (A) and (B) are reversed.

《1-2》更新用のファームウェア20
 図2は、実施の形態1に係る組み込み装置1が取得する更新用のファームウェア20のファイル構成の例を示す図である。図2に示されるように、ネットワークから通信インタフェース部3を通して取得される更新用のファームウェア20のファイルは、更新用のOS21と更新用のアプリケーション22とを有している。更新用のOS21は、OS署名情報21aを含み、更新用のアプリケーション22は、アプリケーション署名情報22aを含んでいる。 << 1-2 >> Updating firmware 20
FIG. 2 is a diagram illustrating an example of a file configuration of the update firmware 20 acquired by the embedded device 1 according to the first embodiment. As shown in FIG. 2, the update firmware 20 file acquired from the network through the communication interface unit 3 includes an update OS 21 and an update application 22. The update OS 21 includes OS signature information 21a, and the update application 22 includes application signature information 22a.

《1-3》ファームウェア更新
 図3は、実施の形態1に係る組み込み装置1が更新用のファームウェア20のファイルを取得し、ファームウェア格納部8に格納されているファームウェアを更新用のファームウェア20に置き替える更新時の動作例を示すフローチャートである。 << 1-3 >> Firmware Update FIG. 3 shows that the embedded device 1 according to the first embodiment acquires a file of the firmware 20 for update, and places the firmware stored in the firmware storage unit 8 in the firmware 20 for update. It is a flowchart which shows the operation example at the time of the update to replace.

 先ず、ステップS101において、装置制御部2は、ネットワークから通信インタフェース部3を通して更新用のファームウェア20のファイルを取得し、ファームウェア更新制御部5にファームウェア更新指示を行う。更新用のファームウェア20には、OS更新情報21aを持つ更新用のOS21とアプリケーション署名情報22aを持つ更新用のアプリケーション22とが含まれている。 First, in step S101, the device control unit 2 acquires a file of the firmware 20 for update from the network through the communication interface unit 3, and instructs the firmware update control unit 5 to update the firmware. The update firmware 20 includes an update OS 21 having OS update information 21a and an update application 22 having application signature information 22a.

 次のステップS102において、ファームウェア更新制御部5は、更新用のファームウェア20のファイルから更新用のOS21と更新用のアプリケーション22とを分離して取り出す。 In the next step S102, the firmware update control unit 5 separates and extracts the update OS 21 and the update application 22 from the file of the update firmware 20.

 次のステップS103において、ファームウェア検証部6は、更新用のOS21のOS署名情報21aが正当なものであるか否かを検証する(すなわち、正当性を確認する)。検証方法としては、OSオブジェクトコードに対するチェックサム(又はハッシュ値)を求め、これを正当なチェックサム(又は正当なハッシュ値)として予め証明書情報格納部61に記憶し、取得した更新用のファームウェア20に対して求められたチェックサム(又はハッシュ値)を、記憶されている正当なチェックサム(又は正当なハッシュ値)と照合し、一致する場合に正当であると判断する方法がある。また、他の検証方法としては、OS署名情報21a及びアプリケーション署名情報22aを利用して改ざんの有無を検査する方法がある。ハッシュ値を求めるアルゴリズムとしては、例えば、SHA(Secure Hash Algorithm)-1、SHA-256、SHA-384、SHA-512、SHA-224、Wirlpool、MD5(Message Digest 5)、SHA-3がある。なお、ハッシュ値の長さは、ハッシュ値を求めるアルゴリズムによって異なるが、例えば、128bit、160bit、224bit、256bit、384bit、512bit、1024bitなどである。 In the next step S103, the firmware verification unit 6 verifies whether or not the OS signature information 21a of the update OS 21 is valid (ie, confirms the validity). As a verification method, a checksum (or hash value) for the OS object code is obtained, and this is stored in advance in the certificate information storage unit 61 as a valid checksum (or a valid hash value), and the obtained update firmware There is a method in which the checksum (or hash value) obtained for 20 is compared with a stored valid checksum (or valid hash value) and is judged to be valid if they match. In addition, as another verification method, there is a method of inspecting the presence or absence of falsification using the OS signature information 21a and the application signature information 22a. Examples of the algorithm for obtaining the hash value include SHA (Secure Hash Algorithm) -1, SHA-256, SHA-384, SHA-512, SHA-224, Wirlpool, MD5 (Message Digest 5), and SHA-3. The length of the hash value varies depending on the algorithm for obtaining the hash value, and is, for example, 128 bits, 160 bits, 224 bits, 256 bits, 384 bits, 512 bits, 1024 bits, or the like.

 ステップS103の検証において、ファームウェア検証部6が更新用のOS21のプログラムは改ざんされていると判断した場合(ステップS103においてNO)、処理はステップS110に進み、ファームウェア更新制御部5は、検証対象のファームウェア20によって、ファームウェア格納部8におけるファームウェアを置き換えるための更新処理を停止する。 In the verification in step S103, when the firmware verification unit 6 determines that the program of the update OS 21 has been tampered (NO in step S103), the process proceeds to step S110, and the firmware update control unit 5 The firmware 20 stops the update process for replacing the firmware in the firmware storage unit 8.

 ステップS103の検証において、ファームウェア検証部6が更新用のOS21のプログラムは正当であると判断した場合(ステップS103においてYES)、処理はステップS104に進む。 In the verification in step S103, if the firmware verification unit 6 determines that the OS 21 program for update is valid (YES in step S103), the process proceeds to step S104.

 ステップS104において、ファームウェア更新制御部5は、現在運用しているOS格納領域とは別のOS格納領域に、取得された更新用のファームウェア20の更新用のOS21を格納する(書き込む)。具体的に言えば、現在、OS格納領域(A)11に格納されているOS(A)15で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のOS21を、現在運用されていないOS格納領域(B)12に格納する。逆に、OS格納領域(B)12に格納されているOS(B)16で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のOS21を、現在運用されていないOS格納領域(A)11に格納する。 In step S104, the firmware update control unit 5 stores (writes) the OS 21 for updating the obtained firmware 20 for update in an OS storage area different from the OS storage area currently in operation. Specifically, when the embedded device 1 is currently operating on the OS (A) 15 stored in the OS storage area (A) 11, the firmware update control unit 5 sets the update OS 21 to the current status. Store in the OS storage area (B) 12 that is not in operation. Conversely, when the embedded device 1 is operating on the OS (B) 16 stored in the OS storage area (B) 12, the firmware update control unit 5 sets the OS 21 for update as an OS that is not currently operated. Store in the storage area (A) 11.

 ステップS105において、ファームウェア更新制御部5は、今回更新したOS格納領域(例えば、OS格納領域(B)12)を、次の組み込み装置1の起動時に実行するプログラムとして設定する。 In step S105, the firmware update control unit 5 sets the OS storage area updated this time (for example, the OS storage area (B) 12) as a program to be executed when the next embedded device 1 is started up.

 次のステップS106において、ファームウェア検証部6は、更新用のOS20に含まれる更新用のアプリケーション22のアプリケーション署名情報22aが正当なものであるか否かを検証する(すなわち、正当性を確認する)。検証は、ステップS103における検証方法と同様の方法で実行される。 In the next step S106, the firmware verification unit 6 verifies whether or not the application signature information 22a of the update application 22 included in the update OS 20 is valid (that is, confirms the validity). . The verification is executed by the same method as the verification method in step S103.

 ステップS106の検証において、ファームウェア検証部6が更新用のアプリケーション22のプログラムは正当であると判断した場合(ステップS106においてYES)、処理はステップS107に進む。 In the verification in step S106, if the firmware verification unit 6 determines that the program of the update application 22 is valid (YES in step S106), the process proceeds to step S107.

 ステップS107において、ファームウェア更新制御部5は、現在運用しているアプリケーション格納領域とは別のアプリケーション格納領域に、取得された更新用のアプリケーション22を格納する(書き込む)。具体的に言えば、現在、アプリケーション格納領域(A)13に格納されているアプリケーション(A)17で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のアプリケーション22を、現在運用されていないアプリケーション格納領域(B)14に格納する。逆に、アプリケーション格納領域(B)14に格納されているアプリケーション(B)18で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のアプリケーション22を、現在運用されていないアプリケーション格納領域(A)13に格納する。 In step S107, the firmware update control unit 5 stores (writes) the acquired update application 22 in an application storage area different from the currently operated application storage area. Specifically, when the embedded device 1 is currently operating with the application (A) 17 stored in the application storage area (A) 13, the firmware update control unit 5 sets the update application 22 as follows: It stores in the application storage area (B) 14 which is not currently operated. Conversely, when the embedded device 1 is operating with the application (B) 18 stored in the application storage area (B) 14, the firmware update control unit 5 does not currently operate the application 22 for update. Store in the application storage area (A) 13.

 ステップS108において、ファームウェア更新制御部5は、ステップS107でアプリケーション格納部10のアプリケーション格納部(A)13又は(B)14に格納されたアプリケーション(A)17又は(B)18を次の起動時に実行するプログラムとして設定する。 In step S108, the firmware update control unit 5 uses the application (A) 17 or (B) 18 stored in the application storage unit (A) 13 or (B) 14 of the application storage unit 10 in step S107 at the next startup. Set as the program to be executed.

 ステップS106の検証において、ファームウェア検証部6が更新用のアプリケーション22のプログラムは改ざんされていると判断した場合(ステップS106においてNO)、アプリケーションの更新処理であるステップS107及びS108をスキップし、今回更新したOSを有効とするために、処理はステップS109に進む。また、ステップS108の処理が実行された後、処理はステップS109に進む。 In the verification in step S106, if the firmware verification unit 6 determines that the program of the update application 22 has been tampered (NO in step S106), the update process skips steps S107 and S108 and updates this time. In order to validate the OS, the process proceeds to step S109. Moreover, after the process of step S108 is performed, a process progresses to step S109.

 ステップS109において、組み込み装置1の再起動処理を行い、更新処理は終了する。再起動は、今回、ファームウェア格納部8に記憶された更新用のファームウェアによって実行される。 In step S109, the embedded device 1 is restarted, and the update process is terminated. The restart is executed by the update firmware stored in the firmware storage unit 8 this time.

《1-4》組み込み装置1の起動
 次に、組み込み装置1の起動処理について、図を参照して説明する。図4は、実施の形態1に係る組み込み装置1の起動処理の例を示す図である。一般的に、組み込み装置1では、図4に示されるように、ブートROM7から読み出されたブートプログラム31を最初に起動し、順次ブートプログラム31がファームウェア格納部8から読み出されたOS32を起動し、OS32がアプリケーション33を起動する。 << 1-4 >> Startup of Embedded Device 1 Next, startup processing of the embedded device 1 will be described with reference to the drawings. FIG. 4 is a diagram illustrating an example of a startup process of the embedded device 1 according to the first embodiment. Generally, in the embedded device 1, as shown in FIG. 4, the boot program 31 read from the boot ROM 7 is started first, and the boot program 31 is sequentially started from the OS 32 read from the firmware storage unit 8. Then, the OS 32 activates the application 33.

 図5は、実施の形態1に係る組み込み装置1の起動処理の例を示すフローチャートである。図5は、直前のファームウェア更新において、OS格納領域(B)12及びアプリケーション格納領域(B)14に更新用のOS21と更新用のアプリケーション22がそれぞれ書き込まれた場合を示す。 FIG. 5 is a flowchart showing an example of the startup process of the embedded device 1 according to the first embodiment. FIG. 5 shows a case where the OS 21 for update and the application 22 for update are respectively written in the OS storage area (B) 12 and the application storage area (B) 14 in the last firmware update.

 ステップS201において、起動制御部4は、組み込み装置1の起動時に、書き換えできない記憶領域であるブートROM7から、組み込み装置1を起動するためのブートプログラム31を読み込み、読み出されたブートプログラムを実行する。 In step S201, the activation control unit 4 reads the boot program 31 for activating the embedded device 1 from the boot ROM 7 which is a non-rewritable storage area when the embedded device 1 is activated, and executes the read boot program. .

 次のステップS202において、ファームウェア検証部6は、現在実行しようとしているOS格納領域(B)12に格納されているOS(B)16のOS署名情報(B)16a(すなわち、直前のファームウェア更新によって書き込まれた更新用のOS21のOS署名情報21a)の検証を行う。 In the next step S202, the firmware verification unit 6 determines the OS signature information (B) 16a of the OS (B) 16 stored in the OS storage area (B) 12 that is currently being executed (that is, by the previous firmware update). The written OS signature information 21a) of the update OS 21 is verified.

 ステップS202のOSの検証の結果、OS(B)16は改ざんされていないと判断した場合(ステップS202においてYES)、ステップS203において、起動制御部4は、OS格納領域(B)12のOS(B)16の読み込み、実行を行い、その後、処理はステップS207に進む。 As a result of verifying the OS in step S202, if it is determined that the OS (B) 16 has not been tampered with (YES in step S202), in step S203, the activation control unit 4 determines that the OS (OS) in the OS storage area (B) 12 B) 16 is read and executed, and then the process proceeds to step S207.

 ステップS202のOS(B)16の検証の結果、OS(B)16は改ざんされていると判断した場合(ステップS202においてNO)、処理はステップS204に進む。 If it is determined that the OS (B) 16 has been falsified as a result of the verification of the OS (B) 16 in step S202 (NO in step S202), the process proceeds to step S204.

 ステップS204において、使用するOS格納領域を、現在運用しているOS格納領域(B)12とは別のOS格納領域(A)11に切り替える。 In step S204, the OS storage area to be used is switched to the OS storage area (A) 11 different from the currently operating OS storage area (B) 12.

 次のステップS205において、格納されているOS署名情報(A)15が正当であるか否かを検証する。 In the next step S205, it is verified whether or not the stored OS signature information (A) 15 is valid.

 ステップS205の検証の結果、OS署名情報(A)15が正当である(改ざんされていない)と判断した場合(ステップS205においてYES)、ステップS206において、起動制御部4は、OS格納領域(A)11のOS(A)15の読み込み、実行を行い、その後、処理はステップS207に進む。 As a result of the verification in step S205, if it is determined that the OS signature information (A) 15 is valid (has not been tampered with) (YES in step S205), in step S206, the activation control unit 4 displays the OS storage area (A ) 11 OS (A) 15 is read and executed, and then the process proceeds to step S207.

 ステップS205の検証の結果、OS格納領域(A)11が正当ではない(改ざんされている)と判断した場合(ステップS205においてNO)、格納されているOS格納領域(B)12及びOS格納領域(A)11のいずれのOSも信頼することができないと判断し、起動失敗として起動動作を終了する。 As a result of the verification in step S205, when it is determined that the OS storage area (A) 11 is not valid (tampered) (NO in step S205), the stored OS storage area (B) 12 and the OS storage area (A) It is determined that none of the OSs of 11 can be trusted, and the startup operation is terminated as a startup failure.

 ステップS207において、ファームウェア検証部6は、現在実行しようとしているアプリケーション格納領域(B)14に格納されているアプリケーション(B)18のアプリケーション署名情報(B)18a(すなわち、直前のファームウェア更新によって書き込まれたアプリケーション22のアプリケーション署名情報22a)の検証を行う。 In step S207, the firmware verification unit 6 writes the application signature information (B) 18a of the application (B) 18 stored in the application storage area (B) 14 that is currently being executed (that is, written by the previous firmware update). The application signature information 22a) of the application 22 is verified.

 ステップS207のアプリケーションの検証の結果、アプリケーション(B)18は改ざんされていないと判断した場合(ステップS207においてYES)、ステップS208において、起動制御部4は、アプリケーション格納領域(B)14のアプリケーション(B)18の読み込み、実行を行い、検証されたOS及びアプリケーションの起動に成功し、起動処理を終了する。 As a result of the verification of the application in step S207, when it is determined that the application (B) 18 has not been tampered with (YES in step S207), in step S208, the activation control unit 4 determines that the application (B) 14 application ( B) 18 is read and executed, the verified OS and application are successfully started, and the start process is terminated.

 ステップS207のアプリケーションの検証の結果、アプリケーション(B)18は改ざんされていると判断した場合(ステップS207においてNO)、処理はステップS209に進む。 If it is determined that the application (B) 18 has been tampered with as a result of the application verification in step S207 (NO in step S207), the process proceeds to step S209.

 ステップS209において、起動制御部4は、使用するアプリケーション格納領域を、現在使用しているアプリケーション格納領域(B)14とは別のアプリケーション格納領域(A)13に切り替える。 In step S209, the activation control unit 4 switches the application storage area to be used to an application storage area (A) 13 different from the application storage area (B) 14 currently used.

 次のステップS210において、ファームウェア検証部6は、アプリケーション格納領域(A)13に格納されているアプリケーション署名情報(A)17aの検証を行う。 In the next step S210, the firmware verification unit 6 verifies the application signature information (A) 17a stored in the application storage area (A) 13.

 ステップS210のアプリケーションの検証の結果、アプリケーション(A)17は改ざんされていないと判断した場合(ステップS210においてYES)、ステップS211において、起動制御部4は、アプリケーション格納領域(A)13のアプリケーション(A)17の読み込み、実行を行う。 As a result of the verification of the application in step S210, when it is determined that the application (A) 17 has not been tampered with (YES in step S210), in step S211, the activation control unit 4 determines that the application (A) 13 A) 17 is read and executed.

 ステップS210のアプリケーションの検証の結果、アプリケーション(A)17は改ざんされていると判断した場合(ステップS210においてNO)、アプリケーション格納領域(A)13に格納されているアプリケーション(A)17及びアプリケーション格納領域(B)14に格納されているアプリケーション(B)18のいずれも信頼することができないと判断し、アプリケーションの読み込み、実行をスキップし、OSのみ起動した状態で起動処理を終了する。この場合、組み込み装置1として、OSが提供するサービスは提供できるが、アプリケーションが提供するサービスは提供できない。しかし、信頼することができないアプリケーションの動作が抑制されるため、よりセキュアである。 As a result of the application verification in step S210, when it is determined that the application (A) 17 has been tampered with (NO in step S210), the application (A) 17 stored in the application storage area (A) 13 and the application storage are stored. It is determined that none of the applications (B) 18 stored in the area (B) 14 can be trusted, the reading and execution of the applications are skipped, and the activation process is terminated with only the OS activated. In this case, the service provided by the OS can be provided as the embedded device 1, but the service provided by the application cannot be provided. However, it is more secure because the operation of applications that cannot be trusted is suppressed.

《1-5》効果
 以上に説明したように、実施の形態1に係る組み込み装置1及びファームウェア更新方法によれば、更新用のファームウェア20を取得した後、ファームウェア格納部8に格納する前に、ファームウェア検証部6によって更新用のファームウェア20の正当性の検証を行う(図3におけるステップS103,S106)。このため、更新用のファームウェア20が正当なプログラムでない場合には、ファームウェア20がファームウェア格納部8に格納されることはなく(図3におけるステップS110)、サービスの継続性を考慮しつつ、不正なファームウェアプログラムを動作させない制御が可能となる。 << 1-5 >> Effect As described above, according to the embedded device 1 and the firmware update method according to the first embodiment, after the firmware 20 for update is acquired and stored in the firmware storage unit 8, The firmware verification unit 6 verifies the validity of the update firmware 20 (steps S103 and S106 in FIG. 3). For this reason, if the updating firmware 20 is not a valid program, the firmware 20 is not stored in the firmware storage unit 8 (step S110 in FIG. 3), and it is illegal to consider the continuity of the service. Control without operating the firmware program becomes possible.

 また、実施の形態1に係る組み込み装置1及びファームウェア更新方法によれば、起動制御部4による組み込み装置1の起動時に、ファームウェア格納部8から読み込まれたOS(B)16及びアプリケーション(B)18(又は、OS(A)15及びアプリケーション(A)17)の正当性の検証を行う(図5におけるステップS202,S207)。このため、実行しようとしたOS又はアプリケーションが正当なプログラムでない場合には、別のOS格納領域に格納されている以前に使用していたOS及び別のアプリケーション格納領域に格納されている以前に使用していたアプリケーションを読み込んで、実行する(図5におけるステップS204,S206,S209,S211)。このため、組み込み装置1の動作は中止することなく、組み込み装置1が提供するサービスの継続性を確保することが可能となる。 In addition, according to the embedded device 1 and the firmware update method according to the first embodiment, the OS (B) 16 and the application (B) 18 read from the firmware storage unit 8 when the embedded device 1 is activated by the activation control unit 4. The validity of (or OS (A) 15 and application (A) 17) is verified (steps S202 and S207 in FIG. 5). For this reason, when the OS or application to be executed is not a valid program, the OS used before being stored in another OS storage area and used before being stored in another application storage area are used. The loaded application is read and executed (steps S204, S206, S209, and S211 in FIG. 5). For this reason, it is possible to ensure the continuity of the service provided by the embedded device 1 without stopping the operation of the embedded device 1.

 さらに、別のOS格納領域に格納されている以前に使用していたOS及び別のアプリケーション格納領域に格納されている以前に使用していたアプリケーションを読み込んで、実行する前に、正当性の検証を行うので(図5におけるステップS205,S210)、よりセキュアなプログラム実行環境を提供することができる。 Furthermore, verifying the validity before reading and executing the previously used OS stored in another OS storage area and the previously used application stored in another application storage area. (Steps S205 and S210 in FIG. 5), a more secure program execution environment can be provided.

《2》実施の形態2.
 上記実施の形態1に係る組み込み装置1及びファームウェア更新方法では、図3に示されるように、更新用のファームウェア20のファイルを取得したときに行う正当性の確認処理において、OS署名情報21aの正当性の確認(ステップS103)とアプリケーション署名情報22aの正当性の確認(ステップS106)の両方を行う。しかし、一般に、アプリケーションのファイルサイズは、OSのファイルサイズより大きく、アプリケーションの正当性の確認処理に要する演算量は比較的大きく、処理時間は比較的長い。 << 2 >> Embodiment 2
In the embedded device 1 and the firmware update method according to the first embodiment, as shown in FIG. 3, the validity of the OS signature information 21a is verified in the validity confirmation process performed when the file of the firmware 20 for update is acquired. Both confirmation of the authenticity (step S103) and validity of the application signature information 22a (step S106) are performed. However, in general, the file size of the application is larger than the file size of the OS, the amount of calculation required for the process of confirming the validity of the application is relatively large, and the processing time is relatively long.

 そこで、本発明の実施の形態2に係る組み込み装置及びファームウェア更新方法においては、更新用のファームウェア20のファイルを取得したときに行う正当性の確認処理において、OS署名情報21aの正当性の確認を行うが、アプリケーション認証情報22aの正当性の確認を行わない。この点以外に関しては、実施の形態2は、実施の形態1とほぼ同じである。したがって、実施の形態2の説明に際しては、組み込み装置の構成を示す図1、更新用のファームウェア20のファイルを示す図2、及び起動時の動作を示す図5をも参照する。 Therefore, in the embedded device and the firmware update method according to the second embodiment of the present invention, the validity of the OS signature information 21a is confirmed in the validity confirmation process performed when the update firmware 20 file is acquired. However, the validity of the application authentication information 22a is not confirmed. Except for this point, the second embodiment is almost the same as the first embodiment. Therefore, in the description of the second embodiment, reference is also made to FIG. 1 showing the configuration of the embedded device, FIG. 2 showing the file of the firmware 20 for update, and FIG. 5 showing the operation at startup.

 図6は、実施の形態2に係る組み込み装置が更新用のファームウェア20のファイルを取得し、ファームウェア格納部8に格納されているファームウェアを更新用のファームウェア20に置き替える更新時の動作例を示すフローチャートである。 FIG. 6 shows an operation example at the time of update in which the embedded device according to the second embodiment acquires the file of the firmware 20 for update and replaces the firmware stored in the firmware storage unit 8 with the firmware 20 for update. It is a flowchart.

 先ず、ステップS301において、装置制御部2は、ネットワークから通信インタフェース部3を通して更新用のファームウェア20のファイルを取得し、ファームウェア更新制御部5にファームウェア更新指示を行う。ファームウェア20には、OS署名情報21aを持つ更新用のOS21とアプリケーション署名情報22aを持つ更新用のアプリケーション22とが含まれている。 First, in step S301, the apparatus control unit 2 acquires a firmware 20 file for update from the network through the communication interface unit 3, and instructs the firmware update control unit 5 to update the firmware. The firmware 20 includes an update OS 21 having OS signature information 21a and an update application 22 having application signature information 22a.

 次のステップS302において、ファームウェア更新制御部5は、更新用のファームウェア20のファイルから更新用のOS21と更新用のアプリケーション22とを分離して取り出す。 In the next step S302, the firmware update control unit 5 separates and extracts the update OS 21 and the update application 22 from the file of the update firmware 20.

 次のステップS303において、ファームウェア検証部6は、更新用のOS21のOS署名情報21aが正当なものであるか否かを検証する(すなわち、正当性を確認する)。 In the next step S303, the firmware verification unit 6 verifies whether or not the OS signature information 21a of the update OS 21 is valid (that is, confirms the validity).

 ステップS303の検証において、ファームウェア検証部6が更新用のOS21のプログラムは改ざんされていると判断した場合(ステップS303においてNO)、処理はステップS307に進み、ファームウェア更新制御部5は、検証対象のファームウェアによって、ファームウェア格納部8におけるファームウェアを書き換える更新処理を停止する。 In the verification in step S303, if the firmware verification unit 6 determines that the program of the update OS 21 has been falsified (NO in step S303), the process proceeds to step S307, and the firmware update control unit 5 The update process for rewriting the firmware in the firmware storage unit 8 is stopped by the firmware.

 ステップS303の検証において、ファームウェア検証部6が更新用のOS21のプログラムは正当であると判断した場合(ステップS303においてYES)、処理はステップS304に進む。 In the verification in step S303, if the firmware verification unit 6 determines that the OS 21 program for update is valid (YES in step S303), the process proceeds to step S304.

 ステップS304において、ファームウェア更新制御部5は、現在運用しているOS格納領域とは別のOS格納領域に、取得された更新用のファームウェア20の更新用のOS21を格納し(書き込み)、現在運用しているアプリケーション格納領域とは別のアプリケーション格納領域に、取得された更新用のファームウェア20の更新用のアプリケーション22を格納する(書き込む)。具体的に言えば、現在、OS格納領域(A)11に格納されているOS(A)15で組み込み装置が動作している場合、ファームウェア更新制御部5は、更新用のOS21を、現在運用されていないOS格納領域(B)12に格納し、現在、アプリケーション格納領域(A)13に格納されているアプリケーション(A)17で組み込み装置が動作している場合、ファームウェア更新制御部5は、更新用のアプリケーション22を、現在運用されていないアプリケーション格納領域(B)14に格納する。なお、現在、OS格納領域(B)12に格納されているOS(B)16で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のOS21を、現在運用されていないOS格納領域(A)11に格納し、現在、アプリケーション格納領域(B)14に格納されているアプリケーション(B)18で組み込み装置1が動作している場合、ファームウェア更新制御部5は、更新用のアプリケーション22を、現在運用されていないアプリケーション格納領域(A)13に格納する。 In step S304, the firmware update control unit 5 stores (writes) the OS 21 for update of the obtained update firmware 20 in an OS storage area different from the OS storage area currently in operation, and performs the current operation. The update application 22 of the acquired update firmware 20 is stored (written) in a different application storage area from the application storage area being used. Specifically, when the embedded device is currently operating on the OS (A) 15 stored in the OS storage area (A) 11, the firmware update control unit 5 operates the OS 21 for update at present. If the embedded device is operating in the application (A) 17 stored in the unstored OS storage area (B) 12 and currently stored in the application storage area (A) 13, the firmware update control unit 5 The update application 22 is stored in the application storage area (B) 14 that is not currently operated. When the embedded device 1 is currently operating on the OS (B) 16 stored in the OS storage area (B) 12, the firmware update control unit 5 does not currently operate the OS 21 for update. When the embedded device 1 is operating in the application (B) 18 stored in the OS storage area (A) 11 and currently stored in the application storage area (B) 14, the firmware update control unit 5 Are stored in the application storage area (A) 13 which is not currently operated.

 ステップS305において、ファームウェア更新制御部5は、今回更新したOS格納領域(例えば、OS格納領域(B)12)を、次の組み込み装置の起動時に実行するプログラムとして設定する。 In step S305, the firmware update control unit 5 sets the OS storage area updated this time (for example, the OS storage area (B) 12) as a program to be executed when the next embedded device is started up.

 ステップS109において、組み込み装置の再起動処理を行い、更新処理は終了する。再起動は、今回、ファームウェア格納部8に記憶された更新用のファームウェアによって実行される。 In step S109, the embedded device is restarted, and the update process ends. The restart is executed by the update firmware stored in the firmware storage unit 8 this time.

 アプリケーションは、一般的には、サイズ的に大きなものであるため、組み込み装置の処理能力が小さい場合、アプリケーションからチェックサム又はハッシュ値を求める行為そのものに時間がかかる可能性ある。一方、この段階では、改ざん有無をいち早く検知することが第一の目的である。このため、更新用のファームウェア20の検証は更新用のOS21の検証のみを実施することとし、アプリケーションの検証は、組み込み装置の起動時に行う。 Since the application is generally large in size, if the processing capability of the embedded device is small, there is a possibility that it takes time to obtain the checksum or hash value from the application itself. On the other hand, at this stage, the first purpose is to quickly detect the presence or absence of tampering. Therefore, the verification of the update firmware 20 is performed only for the verification of the update OS 21, and the verification of the application is performed when the embedded device is started.

 以上により、実施の形態2に係る組み込み装置及びファームウェア更新方法においては、実施の形態1において説明した効果に加えて、更新用のOS21の検証のみを行い、更新用のアプリケーション22の検証をスキップすることで、処理時間の短縮を図ることができる。 As described above, in the embedded device and the firmware update method according to the second embodiment, in addition to the effects described in the first embodiment, only the update OS 21 is verified, and the verification of the update application 22 is skipped. Thus, the processing time can be shortened.

 1 組み込み装置、 2 装置制御部、 3 通信インタフェース部、 4 起動制御部、 5 ファームウェア更新制御部、 6 ファームウェア検証部、 6a 証明書情報格納部、 7 ブートROM、 8 ファームウェア格納部、 9 OS格納部、 10 アプリケーション格納部、 11 OS格納領域(A)、 12 OS格納領域(B)、 13 アプリケーション格納領域(A)、 14 アプリケーション格納領域(B)、 15 OS(A)、 15a OS署名情報(A)、 16 OS(B)、 16a OS署名情報(B)、 17 アプリケーション(A)、 17a アプリケーション署名情報(A)、 18 アプリケーション(B)、 18a アプリケーション署名情報(B)、 20 更新用のファームウェア、 21 更新用のOS、 21a OS署名情報、 22 更新用のアプリケーション、 22a アプリケーション署名情報、 31 ブートプログラム、 32 OS、 33 アプリケーション、 61 証明書情報格納部。 1 embedded device, 2 device control unit, 3 communication interface unit, 4 startup control unit, 5 firmware update control unit, 6 firmware verification unit, 6a certificate information storage unit, 7 boot ROM, 8 firmware storage unit, 9 OS storage unit , 10 Application storage section, 11 OS storage area (A), 12 OS storage area (B), 13 Application storage area (A), 14 Application storage area (B), 15 OS (A), 15a OS signature information (A ), 16 OS (B), 16a OS signature information (B), 17 application (A), 17a application signature information (A), 18 application (B), 18a application signature information (B), 20 for update Firmware, OS for 21 updating, 21a OS signature information, application for 22 updating, 22a application signature information, 31 boot program, 32 OS, 33 applications, 61 certificate information storage section.

Claims (9)

 ネットワークに接続される組み込み装置であって、
 ファームウェアを格納するファームウェア格納部と、
 前記ファームウェア格納部から前記ファームウェアを読み込み、実行することで前記組み込み装置を起動する起動制御部と、
 前記ネットワークを通して更新用のファームウェアを取得する装置制御部と、
 前記ファームウェア格納部に格納されている前記ファームウェアの正当性及び前記更新用のファームウェアの正当性を検証するファームウェア検証部と、
 前記ファームウェア検証部によって正当なプログラムであると判断された前記更新用のファームウェアを前記ファームウェア格納部に書き込むファームウェア更新制御部と
 を備え、
 前記起動制御部は、前記更新用のファームウェアが前記ファームウェア格納部に書き込まれた後の前記組み込み装置の起動時に、前記ファームウェア格納部に書き込まれた前記更新用のファームウェアを新たなファームウェアとして読み込み、実行する
 ことを特徴とする組み込み装置。 An embedded device connected to a network,
A firmware storage unit for storing firmware;
An activation control unit that activates the embedded device by reading and executing the firmware from the firmware storage unit;
An apparatus control unit for obtaining firmware for update through the network;
A firmware verification unit that verifies the validity of the firmware stored in the firmware storage unit and the validity of the firmware for update;
A firmware update control unit that writes the firmware for update determined to be a legitimate program by the firmware verification unit to the firmware storage unit, and
The activation control unit reads and executes the update firmware written in the firmware storage unit as new firmware when the embedded device is activated after the update firmware is written in the firmware storage unit. An embedded device characterized by  前記ファームウェア検証部は、前記起動制御部による前記組み込み装置の起動時に、前記ファームウェア格納部から読み込まれた前記ファームウェアの正当性を検証し、
 前記ファームウェア検証部によって正当なプログラムであると判断されたときに、前記起動制御部は、正当なプログラムであると判断された前記ファームウェアを実行する
 ことを特徴とする請求項1に記載の組み込み装置。 The firmware verification unit verifies the validity of the firmware read from the firmware storage unit when the embedded device is activated by the activation control unit,
The embedded device according to claim 1, wherein when the firmware verification unit determines that the program is a valid program, the activation control unit executes the firmware that is determined to be a valid program. .  前記ファームウェアは、OSとアプリケーションとを含み、
 前記ファームウェア検証部は、前記起動制御部による前記組み込み装置の起動時に、前記ファームウェア格納部から読み込まれた前記OSの正当性を検証し、
 前記ファームウェア検証部によって前記OSが正当なプログラムであると判断されたときに、前記起動制御部は、正当なプログラムであると判断された前記OSを実行する
 ことを特徴とする請求項2に記載の組み込み装置。 The firmware includes an OS and an application,
The firmware verification unit verifies the legitimacy of the OS read from the firmware storage unit at the time of startup of the embedded device by the startup control unit,
The boot control unit executes the OS that is determined to be a valid program when the firmware verification unit determines that the OS is a valid program. Embedded device.  前記ファームウェア検証部は、前記起動制御部による前記組み込み装置の起動時に、前記ファームウェア検証部によって前記OSが正当なプログラムであると判断されたときに、前記ファームウェア格納部から読み込まれた前記アプリケーションの正当性を検証し、
 前記ファームウェア検証部によって前記アプリケーションが正当なプログラムであると判断されたときに、前記起動制御部は、正当なプログラムであると判断された前記アプリケーションを実行する
 ことを特徴とする請求項3に記載の組み込み装置。 The firmware verification unit validates the application read from the firmware storage unit when the firmware verification unit determines that the OS is a valid program at the time of activation of the embedded device by the activation control unit. Verify the sex,
4. The activation control unit executes the application determined to be a valid program when the firmware verification unit determines that the application is a valid program. Embedded device.  前記ファームウェアは、前記起動制御部によって実行されている運用中のファームウェアと、待機中のファームウェアとを含み、
 前記ファームウェア更新制御部は、前記待機中のファームウェアを、前記ファームウェア検証部によって正当なプログラムであると判断された前記更新用のファームウェアに置き換える
 ことを特徴とする請求項1から4のいずれか1項に記載の組み込み装置。 The firmware includes operational firmware being executed by the activation control unit, and standby firmware,
5. The firmware update control unit replaces the waiting firmware with the update firmware that is determined to be a valid program by the firmware verification unit. 6. The embedded device described in 1.  前記更新用のファームウェアは、更新用のOSと更新用のアプリケーションとを含み、
 前記ファームウェア検証部は、前記更新用のファームウェアの正当性の検証時に、前記更新用のOSの正当性の検証と、前記更新用のアプリケーションの正当性の検証とを行う
 ことを特徴とする請求項1から5のいずれか1項に記載の組み込み装置。 The update firmware includes an update OS and an update application,
The firmware verification unit performs verification of the validity of the OS for update and verification of the validity of the application for update when verifying the validity of the firmware for update. The embedded device according to any one of 1 to 5.  前記更新用のファームウェアは、更新用のOSと更新用のアプリケーションとを含み、
 前記ファームウェア検証部は、前記更新用のファームウェアの正当性の検証時に、前記更新用のOSの正当性の検証を行い、前記更新用のアプリケーションの正当性の検証を行わない
 ことを特徴とする請求項1から5のいずれか1項に記載の組み込み装置。 The update firmware includes an update OS and an update application,
The firmware verification unit verifies the validity of the OS for update and does not verify the validity of the application for update when verifying the validity of the firmware for update. Item 6. The embedded device according to any one of Items 1 to 5.  ネットワークに接続され、ファームウェア格納部に格納されているファームウェアを読み込み、実行することで起動する組み込み装置おけるファームウェア更新方法であって、
 前記ネットワークを通して更新用のファームウェアを取得する取得ステップと、
 前記更新用のファームウェアの正当性を検証する検証ステップと、
 前記検証ステップにおいて正当なプログラムであると判断された前記更新用のファームウェアをファームウェア格納部に書き込む更新ステップと、
 前記更新用のファームウェアが前記ファームウェア格納部に書き込まれた後の前記組み込み装置の起動時に、前記ファームウェア格納部に書き込まれた前記更新用のファームウェアが新たなファームウェアを新たなファームウェアとして読み込み、実行する起動ステップと
 を有することを特徴とするファームウェア更新方法。 A firmware update method for an embedded device that is connected to a network and starts by reading and executing firmware stored in a firmware storage unit,
An acquisition step of acquiring firmware for update through the network;
A verification step of verifying the validity of the firmware for update;
An update step of writing the update firmware, which is determined to be a valid program in the verification step, into a firmware storage unit;
When the embedded device is started after the update firmware is written in the firmware storage unit, the update firmware written in the firmware storage unit reads and executes new firmware as new firmware A firmware update method comprising the steps of:  前記起動ステップにおいて、前記ファームウェア格納部から読み込まれた前記ファームウェアの正当性を検証し、前記ファームウェアが正当なプログラムであると判断されたときに、前記起動制御部は、正当なプログラムであると判断された前記ファームウェアを実行する
 ことを特徴とする請求項8に記載のファームウェア更新方法。 In the activation step, the validity of the firmware read from the firmware storage unit is verified, and when it is determined that the firmware is a valid program, the activation control unit determines that the firmware is a valid program. The firmware update method according to claim 8, wherein the firmware is executed.
PCT/JP2017/002442 2017-01-25 2017-01-25 Built-in device and firmware update method Ceased WO2018138789A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2018563980A JP6861739B2 (en) 2017-01-25 2017-01-25 Embedded device and firmware update method
PCT/JP2017/002442 WO2018138789A1 (en) 2017-01-25 2017-01-25 Built-in device and firmware update method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2017/002442 WO2018138789A1 (en) 2017-01-25 2017-01-25 Built-in device and firmware update method

Publications (1)

Publication Number Publication Date
WO2018138789A1 true WO2018138789A1 (en) 2018-08-02

Family

ID=62977942

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/002442 Ceased WO2018138789A1 (en) 2017-01-25 2017-01-25 Built-in device and firmware update method

Country Status (2)

Country Link
JP (1) JP6861739B2 (en)
WO (1) WO2018138789A1 (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737448A (en) * 2018-09-05 2020-01-31 杭州瑞彼加医疗科技有限公司 firmware encryption system containing microcontroller and firmware protection and upgrade method thereof
CN111831308A (en) * 2020-04-15 2020-10-27 腾讯科技(深圳)有限公司 Firmware update method, program, fast charging device and storage medium for fast charging device
JP2021077971A (en) * 2019-11-07 2021-05-20 株式会社リコー Information processing apparatus, file ensuring method, and file ensuring program
JPWO2021181828A1 (en) * 2020-03-10 2021-09-16
WO2025187604A1 (en) * 2024-03-05 2025-09-12 株式会社オートネットワーク技術研究所 Vehicle-mounted device, vehicle-mounted device startup method, and startup program

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054883A1 (en) * 2002-09-13 2004-03-18 International Business Machines Corporation Firmware updating
JP2008226159A (en) * 2007-03-15 2008-09-25 Ricoh Co Ltd Information processing apparatus, software update method, and image processing apparatus
JP2011118873A (en) * 2009-11-30 2011-06-16 Intel Corp Automated modular and secure boot firmware update
JP2015022521A (en) * 2013-07-19 2015-02-02 スパンション エルエルシー Secure boot method, built-in apparatus, secure boot device and secure boot program
JP2015055898A (en) * 2013-09-10 2015-03-23 富士通セミコンダクター株式会社 Secure boot method, semiconductor device, and secure boot program

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040054883A1 (en) * 2002-09-13 2004-03-18 International Business Machines Corporation Firmware updating
JP2008226159A (en) * 2007-03-15 2008-09-25 Ricoh Co Ltd Information processing apparatus, software update method, and image processing apparatus
JP2011118873A (en) * 2009-11-30 2011-06-16 Intel Corp Automated modular and secure boot firmware update
JP2015022521A (en) * 2013-07-19 2015-02-02 スパンション エルエルシー Secure boot method, built-in apparatus, secure boot device and secure boot program
JP2015055898A (en) * 2013-09-10 2015-03-23 富士通セミコンダクター株式会社 Secure boot method, semiconductor device, and secure boot program

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110737448A (en) * 2018-09-05 2020-01-31 杭州瑞彼加医疗科技有限公司 firmware encryption system containing microcontroller and firmware protection and upgrade method thereof
CN110737448B (en) * 2018-09-05 2023-08-11 杭州瑞彼加医疗科技有限公司 Firmware encryption system comprising microcontroller and firmware protection and upgrading method thereof
JP2021077971A (en) * 2019-11-07 2021-05-20 株式会社リコー Information processing apparatus, file ensuring method, and file ensuring program
JP7367471B2 (en) 2019-11-07 2023-10-24 株式会社リコー Information processing device, file guarantee method, and file guarantee program
JPWO2021181828A1 (en) * 2020-03-10 2021-09-16
WO2021181828A1 (en) * 2020-03-10 2021-09-16 日立Astemo株式会社 Vehicle control device and vehicle control system
JP7320126B2 (en) 2020-03-10 2023-08-02 日立Astemo株式会社 Vehicle control device and vehicle control system
CN111831308A (en) * 2020-04-15 2020-10-27 腾讯科技(深圳)有限公司 Firmware update method, program, fast charging device and storage medium for fast charging device
WO2025187604A1 (en) * 2024-03-05 2025-09-12 株式会社オートネットワーク技術研究所 Vehicle-mounted device, vehicle-mounted device startup method, and startup program

Also Published As

Publication number Publication date
JPWO2018138789A1 (en) 2019-04-11
JP6861739B2 (en) 2021-04-21

Similar Documents

Publication Publication Date Title
CN110990084B (en) Chip secure starting method and device, storage medium and terminal
JP4769608B2 (en) Information processing apparatus having start verification function
JP5740646B2 (en) How to download software
KR101066779B1 (en) Secure booting a computing device
US8806221B2 (en) Securely recovering a computing device
US8296579B2 (en) System and method for updating a basic input/output system (BIOS)
JP6861739B2 (en) Embedded device and firmware update method
JP2015036847A (en) Semiconductor device
CN113127011A (en) Electronic device and operation method of electronic device
US10621330B2 (en) Allowing use of a test key for a BIOS installation
CN107783776B (en) Method and device for processing firmware upgrade package, and electronic device
US20100100966A1 (en) Method and system for blocking installation of some processes
TWI706274B (en) Computing device and non-transitory computer-readable storage medium enabling operating system repairs via recovery agents
WO2021184712A1 (en) Software upgrading method and device
WO2019233022A1 (en) Rollback prevention method and system
KR101954439B1 (en) Soc having double security features, and double security method for soc
CN116415225A (en) Firmware verification system and firmware verification method
WO2020233044A1 (en) Plug-in verification method and device, and server and computer-readable storage medium
CN113051577B (en) A processing method and electronic device
US11663299B2 (en) Method and apparatus for preventing rollback of firmware of data processing device, and data processing device
US20240202341A1 (en) Method for patching secure boot in iot
CN116055124B (en) Whitelist updating method, device, electronic device and storage medium
CN112487500B (en) Authentication method
JP5895271B2 (en) How to download software
CN120255925A (en) Method, embedded chip and storage medium for preventing crash during program code operation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17894621

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2018563980

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17894621

Country of ref document: EP

Kind code of ref document: A1