Method, device, electronic controller and medium for starting a vehicle electronic controller
By introducing a safety bypass feature module into the vehicle electronic controller to verify the firmware, the problem of low efficiency in the traditional ECU startup process is solved, realizing a convenient and safe startup process and ensuring the integrity and legality of the software.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Patents (China)
- Current Assignee / Owner: VOYAH AUTOMOBILE TECH CO LTD
- Filing Date: 2022-07-19
- Publication Date: 2026-06-16
AI Technical Summary
Traditional automotive ECUs use unstable hardware safety module verification methods during startup, resulting in low startup efficiency and difficulty in troubleshooting, requiring repeated modifications and tests.
The firmware of the vehicle electronic controller is verified using a safety bypass feature module. By obtaining the safety bypass feature module and status judgment, the system enters the safety bypass mode, obtains the information table and performs verification, and controls the electronic controller to start after all firmware passes verification.
It improves the verification efficiency of electronic controller startup, ensures the integrity and legality of software, facilitates the troubleshooting and analysis of various firmware, reduces resource waste, and improves the efficiency of the startup process.
Abstract drawing: CN115310092B_ABST
Description
Technical Field
[0001] This invention relates to the field of automotive communication technology, and in particular to a method, apparatus, electronic controller, and medium for starting a vehicle electronic controller.
Background Technology
[0002] In traditional automotive electronic architecture, vehicles have limited external connections, and the Electronic Control Unit (ECU) within the vehicle is relatively independent. However, with the rapid development of vehicle-to-everything (V2X) technology and new electronic architectures, vehicle communication with the outside world is becoming increasingly frequent. Simultaneously, the widespread application of Over-the-Air (OTA) technology in the automotive field allows ECUs to undergo software updates via OTA, providing vehicles with more functions and improved user experience, effectively enhancing automakers' competitiveness. These new changes bring new challenges to traditional automotive ECUs. Hackers may gain direct access to the ECUs via the network and even maliciously upgrade them through OTA.
[0003] To address these issues, current vehicle ECUs employ a hardware safety module verification method during startup. However, this method is unstable in the early stages of software development. Often, it's difficult to pinpoint which step or stage of the verification process is causing the ECU to fail to start. This significantly complicates troubleshooting ECU startup problems, requiring substantial time for repeated modifications and retesting, resulting in low verification efficiency during the ECU startup process.
Summary of the Invention
[0004] This invention provides a method, apparatus, electronic controller, and medium for starting a vehicle electronic controller, solving the technical problem of low verification efficiency in the startup process of vehicle electronic controllers in the prior art. It realizes a safe bypass feature module, enabling convenient and secure verification of the vehicle electronic controller during the software development process and the startup process. This ensures the software integrity and legality of the vehicle electronic controller during development and facilitates the investigation and analysis of various firmware during the startup phase, significantly improving the verification efficiency of the electronic controller startup.
[0005] In a first aspect, embodiments of the present invention provide a method for starting a vehicle electronic controller, comprising:
[0006] After the vehicle electronic controller is powered on and the bootloader of the electronic controller passes the verification, the safety bypass feature module of the current firmware of the electronic controller and the safety bypass status of the electronic controller are obtained. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware.
[0007] If both the security bypass feature module and the security bypass state are enabled, then the current firmware's security bypass mode is entered, and the current firmware's security bypass information table is obtained in the security bypass mode.
[0008] If the first flag bit of the security bypass information table is the first preset flag bit, then the current firmware is verified through the security bypass feature module;
[0009] After the current firmware passes verification, the next firmware is used as the new current firmware. The new current firmware is verified, and the electronic controller is started only after each firmware of the electronic controller has passed verification.
[0010] Preferably, the process of verifying the current firmware through the security bypass feature module further includes:
[0011] Obtain the firmware number, electronic controller type number, and electronic controller name of the safety bypass feature module;
[0012] If the firmware number of the security bypass feature module is consistent with the firmware number in the security bypass information table, and the electronic controller type number of the security bypass feature module is consistent with the electronic controller type number in the security bypass information table, and the electronic controller name of the security bypass feature module is consistent with the electronic controller name in the security bypass information table, then the first public key of the electronic controller is obtained.
[0013] If the signature message of the security bypass feature module can be decrypted using the first public key, and the software CRC checksum in the signature message can be verified, then the session key is obtained from the signature message, and the second public key of the electronic controller is obtained.
[0014] If the signature value of the secure bypass feature module can be verified through the session key, or the signature value can be verified through the second public key, then the current firmware is determined to be in a verified state. The first flag bit of the secure bypass information table is set to the second preset flag bit, the second flag bit of the secure bypass information table is configured, and the configured secure bypass information table is stored in the hardware security module and bootloader of the electronic controller.
[0015] Preferably, after obtaining the first public key of the electronic controller, the method further includes:
[0016] If the signature message cannot be decrypted using the first public key, or if the software CRC checksum cannot be verified, an error message for the signature message of the current firmware is output, the secure bypass mode is exited, and the electronic controller is started through the hardware security module of the electronic controller.
[0017] Preferably, after obtaining the security bypass information table of the current firmware, the method further includes:
[0018] If the first flag bit of the safety bypass information table is the second preset flag bit, then the firmware number and electronic controller type number of the safety bypass feature module are obtained.
[0019] If the firmware number of the safety bypass feature module is consistent with the firmware number in the bootloader, and the electronic controller type number of the safety bypass feature module is consistent with the electronic controller type number in the bootloader, then the flag bit of the safety bypass feature module is obtained.
[0020] If the flag bit of the security bypass feature module is a valid flag bit, then the current firmware is determined to be in the verified state, and the next firmware is used as the new current firmware to verify the new current firmware.
[0021] Preferably, after obtaining the firmware number and electronic controller type number of the safety bypass feature module, the method further includes:
[0022] If the firmware number of the safety bypass feature module does not match the firmware number in the bootloader, or the electronic controller type number of the safety bypass feature module does not match the electronic controller type number in the bootloader, then an error message for the firmware number and / or electronic controller type number of the safety bypass feature module is output, the safety bypass mode is exited, and the electronic controller is started through the hardware security module of the electronic controller.
[0023] Preferably, after obtaining the second flag bit of the safety bypass information table, the method further includes:
[0024] If the flag bit of the security bypass feature module is an invalid flag bit, then the first public key is obtained;
[0025] If the signed message can be decrypted using the first public key, then the session key is obtained from the signed message, and the second public key is obtained.
[0026] If the signature value can be verified through the session key or the second public key, then the current firmware is determined to be in a verified state, and the first flag bit of the security bypass information table is set to the second preset flag bit, and the second flag bit is reset.
[0027] Preferably, after obtaining the security bypass feature module of the current firmware of the electronic controller and the security bypass state of the electronic controller, the method further includes:
[0028] If the safety bypass feature module is in the off state, or the safety bypass state is in the off state, or both the safety bypass feature module and the safety bypass state are in the off state, then the electronic controller is started through the hardware safety module of the electronic controller.
[0029] Based on the same inventive concept, in a second aspect, the present invention also provides a starting device for a vehicle electronic controller, comprising:
[0030] The acquisition module is used to acquire the safety bypass feature module of the current firmware and the safety bypass status of the electronic controller after the vehicle electronic controller is powered on and the bootloader of the electronic controller passes the verification. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware.
[0031] The first judgment module is used to enter the security bypass mode of the current firmware if both the security bypass feature module and the security bypass state are in the enabled state, and to obtain the security bypass information table of the current firmware in the security bypass mode.
[0032] The second judgment module is used to verify the current firmware through the security bypass feature module if the first flag bit of the security bypass information table is the first preset flag bit.
[0033] The startup module is used to, after the current firmware passes verification, take the next firmware as the new current firmware, verify the new current firmware, and control the electronic controller to start up after each firmware of the electronic controller has passed verification.
[0034] Based on the same inventive concept, in a third aspect, the present invention provides a vehicle electronic controller, including a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the processor executes the program to implement the steps of a method for starting the vehicle electronic controller.
[0035] Based on the same inventive concept, in a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program that, when executed by a processor, implements the steps of a method for starting a vehicle electronic controller.
[0036] One or more technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:
[0037] In this embodiment of the invention, upon powering on the vehicle's electronic control unit (ECU), the safety bypass feature module of the current firmware and the safety bypass status of the ECU are first acquired. Then, the safety bypass feature module and the safety bypass status of the ECU are judged. If both the safety bypass feature module and the safety bypass status are enabled, it indicates that the safety bypass feature function of the vehicle's ECU is activated, and the firmware of the ECU can be verified through the safety bypass feature function. In this case, the system enters the safety bypass mode of the current firmware, and the safety bypass information table of the current firmware is acquired in the safety bypass mode.
[0038] Next, the current firmware's safety bypass information table is checked. If the first flag bit of the safety bypass information table is the first preset flag bit, the current firmware is verified through the safety bypass feature module. This allows for convenient and secure verification of the vehicle electronic controller during the software development and startup processes of the electronic controller. This ensures the software integrity and legality of the vehicle electronic controller during development and facilitates the verification of various firmware components during the startup phase of the electronic controller.
[0039] Then, after the current firmware passes verification, the next firmware is used as the new current firmware, the new current firmware is verified, and the electronic controller is started only after every firmware of the electronic controller has passed verification.
Description of the Attached Figures
[0040] Various other advantages and benefits will become apparent to those skilled in the art upon reading the following detailed description of preferred embodiments. The accompanying drawings are for illustrative purposes only and are not intended to limit the invention. Furthermore, the same reference numerals denote the same parts throughout the drawings. In the drawings:
[0041] Figure 1 is a flowchart of the steps of the vehicle electronic controller startup method in an embodiment of the present invention.
[0042] Figure 2 is a schematic diagram of the starting device of the vehicle electronic controller in an embodiment of the present invention.
Detailed Implementation
[0043] Exemplary embodiments of the present disclosure will now be described in more detail with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be implemented in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
[0044] Example 1
[0045] The first embodiment of the present invention provides a method for starting a vehicle electronic controller which, as shown in Figure 1, includes:
[0046] S101, after the vehicle electronic controller is powered on and the electronic controller's bootloader passes the verification, the current firmware's safety bypass feature module and the electronic controller's safety bypass status are obtained. The safety bypass feature module is the current firmware's verification identifier module, and the safety bypass status is the state in which the electronic controller starts up through the firmware's safety bypass feature module.
[0047] S102, if both the safety bypass feature module and the safety bypass status are enabled, then enter the safety bypass mode of the current firmware, and obtain the safety bypass information table of the current firmware in the safety bypass mode.
[0048] S103, if the first flag bit of the safety bypass information table is the first preset flag bit, then the current firmware is verified through the safety bypass feature module;
[0049] S104, after the current firmware passes verification, take the next firmware as the new current firmware, verify the new current firmware, and control the electronic controller to start after each firmware of the electronic controller has passed verification.
[0050] The vehicle electronic controller startup method of this embodiment is applied to the vehicle's electronic controller ECU (Electronic Control Unit). During the process from ECU power-on to startup completion, a safety bypass feature module is set for each firmware of the ECU, and a safety bypass information table is also configured for each firmware.
[0051] The security bypass feature module for each firmware is an identifier module for that firmware. For each firmware, the firmware includes a firmware header, firmware content, firmware signature, and the security bypass feature module. The security bypass feature module includes an identifier header, module ID (i.e., firmware number), ECU name (i.e., electronic controller name), ECU type number (i.e., electronic controller type number), signature message, and signature value.
[0052] Identifier header: Indicates whether the security bypass feature module in the firmware is enabled. The identifier header typically uses 0x01 to indicate that the security bypass feature module is enabled, i.e., the security bypass function is enabled; 0xFF indicates that the security bypass feature module is disabled, i.e., the security bypass function is disabled.
[0053] Module ID: Represents the firmware number. The Module ID is used to distinguish different firmware stored in the ECU storage area (such as Flash or eMMC). ECU Name: Represents the name code of the ECU. ECU Type Number: A unique identifier representing the type of ECU.
[0054] Signature message: Represents preliminary verification information for the firmware. The signature message includes the software CRC (Cyclic Redundancy Check) checksum, ECU type, key type, session key (i.e., symmetric key), and public key. The signature message is valid when the security bypass function is enabled.
[0055] Signature value: Represents the signature entity used for authentication by the security bypass feature module. The signature value is valid when the security bypass function is enabled.
[0056] Each firmware's safety bypass information table records information about the safety bypass feature modules and other modules within the firmware. The format of the safety bypass information table is set according to actual needs, such as configuring it as a BootLoader information table or an application information table. Each firmware's safety bypass information table is pre-stored in the ECU's trusted storage environment (such as the ECU's HSM) to prevent unauthorized tampering.
[0057] The specific implementation steps of the vehicle electronic controller startup method provided in this embodiment are described in detail below with reference to Figure 1:
[0058] First, step S101 is executed. After the vehicle electronic controller is powered on and the electronic controller's bootloader passes the verification, the safety bypass feature module of the current firmware and the safety bypass status of the electronic controller are obtained. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware.
[0059] Specifically, after the vehicle's ECU is powered on, the ECU's Hardware Security Module (HSM) will start first. After starting, the HSM performs integrity and validity checks on the bootloader. Once the bootloader passes the checks, it obtains the identifier header of the ECU's current firmware's security bypass feature module and the ECU's security bypass status. The ECU's security bypass status indicates its usage state, meaning the ECU is in a non-manufacturing factory mode, booting through the firmware's security bypass feature module. Non-manufacturing factory mode indicates that the vehicle's ECU is in the testing phase, and the vehicle has not yet entered mass production.
[0060] The ECU's safety bypass status indicates whether the ECU's safety bypass function is enabled or disabled. The ECU's safety bypass status is initialised to a default value. While that value has not reached a preset threshold, the safety bypass function is enabled, i.e., the ECU's safety bypass status is active; one ECU power-on cycle counts as one ECU cycle. Once the value reaches the preset threshold, the ECU's safety bypass function is disabled. The preset threshold is set according to actual needs. For example, if the default value of the ECU's safety bypass status is 0xFF and the value decreases by 1 each cycle, then when it reaches 0x00 the ECU's safety bypass function is disabled, and the ECU's safety bypass status is disabled.
[0061] After obtaining the identifier header of the safety bypass feature module of the current ECU firmware and the safety bypass status of the ECU, it is necessary to determine whether both the safety bypass feature module and the safety bypass status of the ECU are in the enabled state. Step S102 is executed. If both the safety bypass feature module and the safety bypass status are in the enabled state, the current firmware's safety bypass mode is entered, and the safety bypass information table of the current firmware is obtained in the safety bypass mode.
[0062] Specifically, if both the safety bypass feature module and the safety bypass status are enabled, it indicates that the ECU can boot through the firmware's safety bypass feature module. In this case, the ECU enters the current firmware's safety bypass mode and retrieves the current firmware's safety bypass information table. The safety bypass feature module being enabled is achieved by setting the identifier header of the current firmware's safety bypass feature module to a first preset identifier threshold. This first preset identifier threshold is set according to actual needs, and is typically 0x01.
[0063] If the safety bypass feature module is in a disabled state, or the safety bypass state is in a disabled state, or both the safety bypass feature module and the safety bypass state are in a disabled state, it means that the ECU cannot be started via the firmware's safety bypass feature module. In this case, the electronic controller is started via the hardware safety module (HSM) of the electronic controller. The disabled state of the safety bypass feature module is achieved by setting the identifier header of the current ECU firmware's safety bypass feature module to a second preset identifier threshold. This second preset identifier threshold is set according to actual needs, and is typically 0xFF.
[0064] It should also be noted that the process of starting the electronic controller through the hardware security module HSM of the electronic controller involves verifying the current firmware through the ECU's bootloader, which is the traditional verification method of the ECU bootloader.
[0065] Then, step S103 is executed. If the first flag bit of the safety bypass information table is the first preset flag bit, the current firmware is verified through the safety bypass feature module.
[0066] Specifically, in the current firmware's security bypass mode, after obtaining the current firmware's security bypass information table, the first flag bit of the security bypass information table is determined. If the first flag bit of the security bypass information table is the first preset flag bit, it indicates that the current firmware has not undergone verification by the current firmware's security bypass feature module. That is, the current firmware triggers the verification of the current firmware's security bypass feature module for the first time. Therefore, the current firmware is verified through the security bypass feature module for the first time. The flag bits of the security bypass information table are represented by 16-bit binary data. The first flag bit of the security bypass information table is the highest two bits of the table. For example, if the flag bits of the security bypass information table are X15, X14, X13, X12, X11, X10, X9, X8, X7, X6, X5, X4, X3, X2, X1, X0, the first flag bit is X15 and X14. The first preset flag bit is set according to actual needs, and is usually 00.
[0067] It should also be noted that the second flag bit of the safety bypass information table is the flag bit excluding the first flag bit in the flag bits of the safety bypass information table. Taking the flag bits of the safety bypass information table as X15X14X13X12X11X10X9X8X7X6X5X4X3X2X1X0 as an example, X0 to X13 are the second flag bits of the safety bypass information table.
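As an added illustration (not code from the patent or from VOYAH), the following C snippet encodes the boot gate of steps S101/S102 and the flag layout of the safety bypass information table as paragraphs [0052], [0060], [0062], [0063], [0066] and [0067] describe them: an identifier header of 0x01 (enabled) or 0xFF (disabled), a status counter with default value 0xFF that loses 1 per power-on cycle and disables the function at 0x00, a first flag bit in X15 X14 (00 = not yet verified, 11 = verified) and second flag bits in X13..X0. The choice to decrement the counter at power-on before the check, and all type and function names, are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>

#define HDR_ENABLED     0x01u  /* identifier header: safety bypass feature module enabled */
#define HDR_DISABLED    0xFFu  /* identifier header: safety bypass feature module disabled */
#define FLAG_UNVERIFIED 0x0u   /* first preset flag bit "00" */
#define FLAG_VERIFIED   0x3u   /* second preset flag bit "11" */

/* Flag field of the safety bypass information table: X15 X14 is the first flag bit,
 * X13..X0 are the second flag bits. */
static unsigned table_first_flag(uint16_t flags)  { return (flags >> 14) & 0x3u; }
static uint16_t table_second_flag(uint16_t flags) { return flags & 0x3FFFu; }
static uint16_t table_set_first_flag(uint16_t flags, unsigned v) {
    return (uint16_t)((flags & 0x3FFFu) | ((v & 0x3u) << 14));
}
static uint16_t table_set_second_flag(uint16_t flags, uint16_t v) {
    return (uint16_t)((flags & 0xC000u) | (v & 0x3FFFu));
}

/* Safety bypass status of the ECU: a counter with default value 0xFF that loses 1 per
 * power-on cycle; the bypass function is disabled once it reaches 0x00 ([0060]). */
typedef struct { uint8_t bypass_status; } ecu_state_t;

static bool bypass_status_enabled(const ecu_state_t *ecu) { return ecu->bypass_status != 0x00u; }

/* Assumption of this example: the counter is decremented at power-on, before the check. */
static void ecu_power_on(ecu_state_t *ecu) {
    if (ecu->bypass_status != 0x00u) ecu->bypass_status--;
}

typedef enum { BOOT_ENTER_BYPASS_MODE, BOOT_VIA_HSM } boot_path_t;

/* S101/S102: after the HSM has verified the bootloader, read the identifier header of the
 * current firmware's bypass module and the ECU status; only when both are enabled does the
 * ECU enter the firmware's safety bypass mode, otherwise it boots through the HSM ([0063]). */
static boot_path_t select_boot_path(const ecu_state_t *ecu, uint8_t identifier_header) {
    bool module_enabled = (identifier_header == HDR_ENABLED);
    return (module_enabled && bypass_status_enabled(ecu)) ? BOOT_ENTER_BYPASS_MODE : BOOT_VIA_HSM;
}

/* Convenience wrapper: decision for a given status byte and identifier header. */
static boot_path_t boot_path_for(uint8_t bypass_status, uint8_t identifier_header) {
    ecu_state_t ecu = { bypass_status };
    return select_boot_path(&ecu, identifier_header);
}

/* How many consecutive power-on cycles boot through the bypass module before the status
 * counter expires and the ECU falls back to the HSM path. */
static unsigned bypass_boots_until_disabled(uint8_t initial_status, uint8_t identifier_header) {
    ecu_state_t ecu = { initial_status };
    unsigned boots = 0;
    for (;;) {
        ecu_power_on(&ecu);
        if (select_boot_path(&ecu, identifier_header) != BOOT_ENTER_BYPASS_MODE) return boots;
        boots++;
    }
}
```

With the decrement-before-check assumption a fresh ECU (status 0xFF, module header 0x01) takes the bypass path on 254 power-on cycles and then permanently falls back to the traditional HSM verification; a module whose header is 0xFF never enters bypass mode regardless of the counter.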
[0068] During the initial verification of the current firmware via the security bypass feature module, the data in the security bypass feature module of the current firmware is compared, decrypted, and verified with the data in the security bypass information table of the current firmware in the HSM to achieve the initial verification of the current firmware.
[0069] During the firmware verification process via the safety bypass feature module, the firmware ID, electronic controller type ID, and electronic controller name of the safety bypass feature module are first obtained. Then, the firmware ID, electronic controller type ID, and electronic controller name of the safety bypass feature module are evaluated.
[0070] If the firmware number of the obtained security bypass feature module matches the firmware number in the security bypass information table, the electronic controller type number of the obtained security bypass feature module matches the electronic controller type number in the security bypass information table, and the electronic controller name of the obtained security bypass feature module matches the electronic controller name in the security bypass information table, then the first public key of the electronic controller is obtained. The first public key is set according to actual needs.
[0071] If the firmware number of the obtained safety bypass feature module does not match the firmware number in the safety bypass information table, or the electronic controller type number of the obtained safety bypass feature module does not match the electronic controller type number in the safety bypass information table, or the electronic controller name of the obtained safety bypass feature module does not match the electronic controller name in the safety bypass information table, then an error message about the firmware number, electronic controller type number, or electronic controller name of the current firmware is output. That is, an error message stating that the safety bypass feature module does not match the safety bypass information table is output, the safety bypass mode of the current firmware is exited, the safety bypass feature function of the ECU is exited, and the electronic controller is started through the hardware safety module of the electronic controller.
[0072] After obtaining the first public key of the electronic controller, if the signature message of the security bypass feature module can be decrypted using the first public key, and the software CRC checksum in the signature message can be verified, then the session key is obtained from the signature message, and the second public key of the electronic controller is also obtained. The ability to verify the software CRC checksum in the signature message means passing the verification of the software CRC code in the signature message. The second public key is set according to actual needs.
[0073] If the signed message cannot be decrypted using the first public key, or if the software CRC checksum cannot be verified, an error message for the current firmware's signed message will be output, the security bypass mode will be exited, and the electronic controller will be started via the hardware security module of the electronic controller. The failure to verify the software CRC checksum means that the software CRC code in the signed message failed verification.
[0074] After obtaining the session key from the signature message and the second public key of the electronic controller, if the signature value of the security bypass feature module can be verified through the session key, or if the signature value can be verified through the second public key, it indicates that the current firmware has passed verification. Therefore, the current firmware is determined to be in a verified state. The first flag bit of the security bypass information table is set to the second preset flag bit, the second flag bit of the security bypass information table is configured, and the configured security bypass information table is stored in the ECU's hardware security module (HSM) and the ECU's bootloader. That is, a copy of the configured security bypass information table is stored in both the ECU's HSM and the ECU's BootLoader. Specifically, configuring the second flag bit of the security bypass information table involves writing the flag bit of the current firmware's security bypass feature module into the second flag bit of the security bypass information table.
[0075] In this embodiment, the second preset flag is set according to actual needs, and is usually 11. The method for verifying the signature value of the security bypass feature module can be a hash function or other function methods.
[0076] It should also be noted that setting the first flag of the firmware's security bypass information table to the second preset flag indicates that the firmware's security bypass feature module has passed decryption and signature verification. Therefore, after setting the first flag of the firmware's security bypass information table to the second preset flag, the first flag of the firmware's security bypass information table will not be modified again. This avoids the repeated decryption and signature verification of the firmware after the vehicle's ECU is powered on, reducing the waste of software resources, saving firmware verification time, improving the verification efficiency of the vehicle's electronic controller's startup process, ensuring the software integrity and legality of the vehicle's electronic controller during development, and facilitating the investigation and analysis of various firmware components during the electronic controller's startup phase.
[0077] Taking the flag bits of the current firmware's security bypass information table as X15X14X13X12X11X10X9X8X7X6X5X4X3X2X1X0 as an example, in security bypass mode, the current firmware's security bypass information table is obtained. If the first flag bit X15X14 of the security bypass information table is the first preset flag bit 00, then the current firmware is verified through the security bypass feature module. During the verification process through the security bypass feature module, if the current firmware passes the verification, the first flag bit X15X14 of the security bypass information table is set to the second preset flag bit 11, indicating that the current firmware is in a verified state, and the second flag bits X13-X0 of the security bypass information table are configured.
[0078] If the signature value of the security bypass feature module cannot be verified through the session key and the signature value cannot be verified through the second public key, it means that the current firmware has failed the verification. Then, the error message of the signature value of the current firmware is output, the security bypass mode is exited, and the electronic controller is started through the hardware security module of the electronic controller.
[0079] In this embodiment, upon powering on the vehicle's electronic control unit (ECU), the system first acquires the safety bypass feature module of the current firmware and the safety bypass status of the ECU. Then, it judges the safety bypass feature module and the safety bypass status of the ECU. If both the safety bypass feature module and the safety bypass status are enabled, it indicates that the safety bypass feature function of the vehicle's ECU is activated, and the firmware of the ECU can be verified through the safety bypass feature function. In this case, the system enters the safety bypass mode of the current firmware, and within this mode, it acquires the safety bypass information table of the current firmware.
[0080] Next, the current firmware's safety bypass information table is checked. If the first flag bit of the safety bypass information table is the first preset flag bit, the current firmware is verified through the safety bypass feature module. This allows for convenient and secure verification of the vehicle electronic controller during its software development and startup processes. This ensures the integrity and legality of the vehicle electronic controller's software during development and facilitates the investigation and analysis of various firmware components during the startup phase, significantly improving the verification efficiency of the electronic controller startup.
[0081] After step S102, that is, after the security bypass information table of the current firmware has been obtained in security bypass mode, if the first flag bit of the security bypass information table is the second preset flag bit, this means that the current firmware has already passed verification by its security bypass feature module once, so there is no need to decrypt and verify the current firmware again. The firmware number and electronic controller type number of the security bypass feature module are then obtained.
[0082] After obtaining the firmware number and electronic controller type number of the safety bypass feature module, if the firmware number of the safety bypass feature module is consistent with the firmware number in the safety bypass information table in the bootloader, and the electronic controller type number of the safety bypass feature module is consistent with the electronic controller type number in the safety bypass information table in the bootloader, then the flag bit of the safety bypass feature module of the current firmware is obtained.
[0083] If the firmware number of the safety bypass feature module does not match the firmware number in the safety bypass information table in the bootloader, or if the electronic controller type number of the safety bypass feature module does not match the electronic controller type number in the safety bypass information table in the bootloader, then an error message for the firmware number and/or electronic controller type number of the safety bypass feature module will be output, the safety bypass mode will be exited, and the electronic controller will be started through the hardware safety module of the electronic controller.
[0084] After obtaining the flag bit of the security bypass feature module of the current firmware, if the flag bit of the security bypass feature module is a valid flag bit, it is determined that the current firmware is in the verified state, and the next firmware is used as the new current firmware to verify the new current firmware.
[0085] Specifically, after the current firmware passes the verification of the current firmware's safety bypass feature module for the first time, it is determined that the current firmware is in a verified state. The first flag bit of the safety bypass information table is set to the second preset flag bit, the second flag bit of the safety bypass information table is configured, and the set safety bypass information table is stored in the ECU's hardware security module HSM and the ECU's bootloader.
[0086] During the process of re-triggering the verification of the current firmware's safety bypass feature module, the firmware number and electronic controller type number of the current firmware's safety bypass feature module need to be compared with the firmware number and electronic controller type number in the safety bypass information table of the ECU's bootloader. If the firmware number and electronic controller type number of the current firmware's safety bypass feature module match the firmware number and electronic controller type number in the safety bypass information table of the ECU's bootloader, the flag bit of the current firmware's safety bypass feature module is obtained.
[0087] If the flag bit of the security bypass feature module in the current firmware matches the second flag bit of the security bypass information table in the bootloader, then the flag bit of the security bypass feature module in the current firmware is determined to be a valid flag bit. If the flag bit of the security bypass feature module in the current firmware does not match the second flag bit of the security bypass information table in the bootloader, then the flag bit of the security bypass feature module in the current firmware is determined to be an invalid flag bit.
[0088] If the flag bit of the security bypass feature module is invalid, it indicates that the security bypass feature module of the current firmware is faulty, and the current firmware needs to be verified in the same way as the initial verification of the current firmware's security bypass feature module. Specifically, if the flag bit of the security bypass feature module is invalid, the first public key is obtained. After obtaining the first public key, if the signed message can be decrypted using the first public key, the session key and the second public key are obtained from the signed message. If the signature value can be verified using the session key or the second public key, the current firmware is determined to be in a verified state. The first flag bit of the security bypass information table is set to the second preset flag bit, the second flag bit is reset, and the modified security bypass information table is stored in the hardware security module and bootloader of the electronic controller.
[0089] In this embodiment, after the firmware passes the initial verification of the firmware's safety bypass feature module, the firmware stores the configured safety bypass information table in the ECU's hardware security module and the bootloader. Upon subsequent power-up of the ECU, when verifying the firmware again, it is only necessary to compare the data from the firmware's safety bypass feature module with the data in the ECU's bootloader to complete the firmware verification. This allows for convenient and secure verification of the vehicle electronic controller during its software development and startup processes. It ensures the software integrity and legality of the vehicle electronic controller during development, facilitates the investigation and analysis of various firmware components during the startup phase, reduces software resource waste, saves firmware verification time, and significantly improves the verification efficiency of the electronic controller startup.
[0090] After the current firmware passes verification, step S104 is executed, the next firmware is used as the new current firmware, the new current firmware is verified, and the electronic controller is started after each firmware of the electronic controller has passed verification.
[0091] Specifically, after the current firmware passes the verification by the firmware safety bypass feature module, it indicates that the current firmware is in a verified state and the next firmware needs to be verified. The next firmware of the ECU is then used as the new current firmware, and the new current firmware is verified through steps S101-S103, and so on. The process of verifying the firmware through the firmware safety bypass feature module is consistent for each firmware. After each firmware of the electronic controller passes verification, the electronic controller is started. Starting the electronic controller means controlling its normal operation.
[0092] It should be noted that in the vehicle ECU's safety bypass feature function, if a firmware fails verification, the vehicle ECU's safety bypass feature function will be exited directly, and the electronic controller will be started through the electronic controller's hardware safety module.
[0093] For example, suppose the vehicle's ECU needs to verify three firmware components during startup, denoted as A1, A2, and A3. Following steps S101-S103, A1 is verified using the safety bypass feature module of A1, and A1 passes the verification. Then, following steps S101-S103, A2 is verified using the safety bypass feature module of A2. If A2 passes the verification, then following steps S101-S103, A3 is verified using the safety bypass feature module of A3. If A2 fails the verification, the vehicle ECU's safety bypass feature function is directly exited, and the electronic controller is started through the hardware safety module of the electronic controller.
[0094] Following steps S101-S103, A3 is verified through the safety bypass feature module of A3. If A3 passes the verification, the electronic controller is started. If A3 fails the verification, the vehicle ECU's safety bypass feature function is exited, and the electronic controller is started through the hardware safety module of the electronic controller.
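As an added illustration (not the patent's own code), the following C model walks the startup decision of paragraphs [0077] to [0094] for several firmware images: the first-boot verification that sets X15X14 to 11, the cheaper comparison against the bootloader copy on later boots, the re-verification when the module flag is invalid, and the fall-back to the hardware security module. The cryptographic steps (first public key, CRC, session key, second public key) are collapsed into one signature_ok result, and the per-image bootloader slot, the meaning of "configuring" versus "resetting" the second flag, and the handling of first-flag values other than 00 and 11 are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIRST_PRESET_FLAG  0x0u  /* X15X14 = 00: firmware not yet verified */
#define SECOND_PRESET_FLAG 0x3u  /* X15X14 = 11: firmware in verified state */
#define ECU_NAME_LEN 16

/* Security bypass information table: the 16 flag bits of [0077] (X15X14 first
 * flag, X13-X0 second flag) plus the identity fields the module is matched
 * against in [0107]. Constructed model, not the patent's data layout. */
typedef struct {
    uint16_t flags;
    uint32_t fw_number;
    uint32_t ecu_type;
    char     ecu_name[ECU_NAME_LEN];
} bypass_table_t;

/* Security bypass feature module carried by one firmware image. */
typedef struct {
    bool     enabled;
    uint32_t fw_number;
    uint32_t ecu_type;
    char     ecu_name[ECU_NAME_LEN];
    uint16_t flag;         /* compared with the table's second flag (X13-X0) */
    bool     signature_ok; /* stands in for the public key / CRC / session key checks */
} bypass_module_t;

typedef enum { START_VIA_BYPASS, START_VIA_HSM } start_path_t;

static unsigned first_flag(uint16_t f)  { return (f >> 14) & 0x3u; }
static uint16_t second_flag(uint16_t f) { return f & 0x3FFFu; }
static uint16_t make_flags(unsigned first, uint16_t second)
{
    return (uint16_t)(((first & 0x3u) << 14) | (second & 0x3FFFu));
}

/* Full verification ([0106]-[0109], reused for [0116]-[0118]): identity match,
 * then the signature check. On success the first flag becomes 11 and the table
 * is copied into the bootloader slot `bl` (the HSM copy is omitted here).
 * Assumption: "configuring" the second flag stores the module flag in X13-X0,
 * and "resetting" it on a re-verification clears X13-X0 to 0. */
static bool full_verify(const bypass_module_t *m, bypass_table_t *t,
                        bypass_table_t *bl, bool reverify)
{
    if (m->fw_number != t->fw_number || m->ecu_type != t->ecu_type ||
        strncmp(m->ecu_name, t->ecu_name, ECU_NAME_LEN) != 0)
        return false;                       /* identity mismatch */
    if (!m->signature_ok)
        return false;                       /* [0078]: signature cannot be verified */
    t->flags = make_flags(SECOND_PRESET_FLAG, reverify ? 0 : m->flag);
    *bl = *t;
    return true;
}

/* Verify the current firmware in bypass mode; true means "verified state". */
bool verify_firmware(const bypass_module_t *m, bypass_table_t *t, bypass_table_t *bl)
{
    unsigned ff = first_flag(t->flags);
    if (ff == FIRST_PRESET_FLAG)
        return full_verify(m, t, bl, false);
    if (ff != SECOND_PRESET_FLAG)
        return false;                       /* assumption: 01 and 10 are treated as failure */
    /* [0112]-[0114]: verified before, so only compare with the bootloader copy */
    if (m->fw_number != bl->fw_number || m->ecu_type != bl->ecu_type)
        return false;                       /* [0115] */
    if (m->flag == second_flag(bl->flags))
        return true;                        /* valid flag: no decryption needed */
    return full_verify(m, t, bl, true);     /* invalid flag: module faulty, verify again */
}

/* Startup decision for n firmware images ([0090]-[0094], [0120]): each image
 * must pass in turn; the first failure exits bypass mode and the ECU starts
 * through its hardware security module. *verified receives the number of
 * images that passed. One bootloader slot per image is an assumption. */
start_path_t start_ecu(bool bypass_state_enabled, const bypass_module_t *mods,
                       bypass_table_t *tabs, bypass_table_t *bl, size_t n,
                       size_t *verified)
{
    *verified = 0;
    for (size_t i = 0; i < n; i++) {
        if (!bypass_state_enabled || !mods[i].enabled)
            return START_VIA_HSM;           /* [0120]: bypass feature not active */
        if (!verify_firmware(&mods[i], &tabs[i], &bl[i]))
            return START_VIA_HSM;           /* [0092]: exit bypass on first failure */
        (*verified)++;
    }
    return START_VIA_BYPASS;
}
```

Note that on the second and later power-ups a firmware whose module flag matches the bootloader copy passes without any signature work, which is exactly the saving the embodiment claims; a tampered identity field or an invalid flag drops back to the full check or to the HSM.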
[0095] One or more technical solutions in the embodiments of the present invention have at least the following technical effects or advantages:
[0096] In this embodiment, upon powering on the vehicle's electronic control unit (ECU), the system first acquires the safety bypass feature module of the current firmware and the safety bypass status of the ECU. Then, it judges the safety bypass feature module and the safety bypass status of the ECU. If both the safety bypass feature module and the safety bypass status are enabled, it indicates that the safety bypass feature function of the vehicle's ECU is activated, and the firmware of the ECU can be verified through the safety bypass feature function. In this case, the system enters the safety bypass mode of the current firmware, and within this mode, it acquires the safety bypass information table of the current firmware.
[0097] Next, the current firmware's safety bypass information table is checked. If the first flag bit of the safety bypass information table is the first preset flag bit, the current firmware is verified through the safety bypass feature module. This allows for convenient and secure verification of the vehicle electronic controller during its software development and startup processes. This ensures the integrity and legality of the vehicle electronic controller's software during development and facilitates the investigation and analysis of various firmware components during the startup phase, significantly improving the verification efficiency of the electronic controller startup.
[0098] Then, after the current firmware passes verification, the next firmware is used as the new current firmware, the new current firmware is verified, and the electronic controller is started only after every firmware of the electronic controller has passed verification.
[0099] Example 2
[0100] Based on the same inventive concept, the second embodiment of the present invention also provides a starting device for a vehicle electronic controller which, as shown in Figure 2, includes:
[0101] The acquisition module 201 is used to acquire the safety bypass feature module of the current firmware and the safety bypass status of the electronic controller after the vehicle electronic controller is powered on and the bootloader of the electronic controller passes the verification. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware.
[0102] The first judgment module 202 is used to enter the security bypass mode of the current firmware if both the security bypass feature module and the security bypass state are in the enabled state, and to obtain the security bypass information table of the current firmware in the security bypass mode.
[0103] The second judgment module 203 is used to verify the current firmware through the security bypass feature module if the first flag bit of the security bypass information table is the first preset flag bit.
[0104] The startup module 204 is used to, after the current firmware passes verification, take the next firmware as the new current firmware, verify the new current firmware, and control the electronic controller to start up after each firmware of the electronic controller has passed verification.
[0105] As an optional embodiment, the second judgment module 203, during the process of verifying the current firmware through the security bypass feature module, further includes:
[0106] Obtain the firmware number, electronic controller type number, and electronic controller name of the safety bypass feature module;
[0107] If the firmware number of the security bypass feature module is consistent with the firmware number in the security bypass information table, and the electronic controller type number of the security bypass feature module is consistent with the electronic controller type number in the security bypass information table, and the electronic controller name of the security bypass feature module is consistent with the electronic controller name in the security bypass information table, then the first public key of the electronic controller is obtained.
[0108] If the signature message of the security bypass feature module can be decrypted using the first public key, and the software CRC checksum in the signature message can be verified, then the session key can be obtained from the signature message, and the second public key of the electronic controller can be obtained.
[0109] If the signature value of the secure bypass feature module can be verified through the session key, or the signature value can be verified through the second public key, then the current firmware is determined to be in a verified state. The first flag bit of the secure bypass information table is set to the second preset flag bit, the second flag bit of the secure bypass information table is configured, and the configured secure bypass information table is stored in the hardware security module and bootloader of the electronic controller.
[0110] As an optional embodiment, the second judgment module 203 is used to, after obtaining the first public key of the electronic controller, if it fails to decrypt the signature message using the first public key or fails to verify the software CRC checksum, output an error message of the signature message of the current firmware, exit the secure bypass mode, and start the electronic controller through the hardware security module of the electronic controller.
[0111] As an optional embodiment, the second determination module 203 is used for:
[0112] If the first flag bit of the safety bypass information table is the second preset flag bit, then the firmware number and electronic controller type number of the safety bypass feature module are obtained.
[0113] If the firmware number of the safety bypass feature module is consistent with the firmware number in the bootloader, and the electronic controller type number of the safety bypass feature module is consistent with the electronic controller type number in the bootloader, then the flag bit of the safety bypass feature module is obtained.
[0114] If the flag bit of the security bypass feature module is a valid flag bit, then the current firmware is determined to be in the verified state, and the next firmware is used as the new current firmware to verify the new current firmware.
[0115] As an optional embodiment, the second judgment module 203 is configured to, after obtaining the firmware number and electronic controller type number of the safety bypass feature module, if the firmware number of the safety bypass feature module does not match the firmware number in the bootloader, or the electronic controller type number of the safety bypass feature module does not match the electronic controller type number in the bootloader, output error information of the firmware number and/or electronic controller type number of the safety bypass feature module, exit the safety bypass mode, and start the electronic controller through the hardware security module of the electronic controller.
[0116] As an optional embodiment, the second judgment module 203 is used to obtain the first public key if the flag bit of the security bypass feature module is an invalid flag bit after obtaining the second flag bit of the security bypass information table;
[0117] If the signed message can be decrypted using the first public key, then the session key is obtained from the signed message, and the second public key is obtained.
[0118] If the signature value can be verified through the session key or the second public key, then the current firmware is determined to be in a verified state, and the first flag bit of the security bypass information table is set to the second preset flag bit, and the second flag bit is reset.
[0119] As an optional embodiment, the first determination module 202, after obtaining the security bypass feature module of the current firmware of the electronic controller and the security bypass state of the electronic controller, further includes:
[0120] If the safety bypass feature module is in the off state, or the safety bypass state is in the off state, or both the safety bypass feature module and the safety bypass state are in the off state, then the electronic controller is started through the hardware safety module of the electronic controller.
[0121] Since the vehicle electronic controller starting device described in this embodiment is the same device used to implement the vehicle electronic controller starting method in Embodiment 1 of the present invention, those skilled in the art can understand the specific implementation method and various variations of the vehicle electronic controller starting device in this embodiment based on the vehicle electronic controller starting method described in Embodiment 1 of the present invention. Therefore, how the vehicle electronic controller starting device implements the method in Embodiment 1 of the present invention will not be described in detail here. Any device used by those skilled in the art to implement the vehicle electronic controller starting method in Embodiment 1 of the present invention falls within the scope of protection of the present invention.
[0122] Example 3
[0123] Based on the same inventive concept, the third embodiment of the present invention also provides a vehicle electronic controller, including a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the program, it implements the steps of any of the above-described vehicle electronic controller startup methods.
[0124] Example 4
[0125] Based on the same inventive concept, the fourth embodiment of the present invention also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of any of the methods of the vehicle electronic controller startup method described in the first embodiment above.
[0126] Those skilled in the art will understand that embodiments of the present invention can be provided as methods, systems, or computer program products. Therefore, the present invention can take the form of a completely hardware embodiment, a completely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present invention can take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) containing computer-usable program code.
[0127] This invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks therein, can be implemented by computer program instructions. These computer program instructions can be provided to a processor of a general-purpose computer, special-purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing apparatus produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0128] These computer program instructions may also be stored in a computer-readable storage medium that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable storage medium produce an article of manufacture including instruction means, which implement the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0129] These computer program instructions may also be loaded onto a computer or other programmable data processing equipment to cause a series of operational steps to be performed on the computer or other programmable equipment to produce a computer-implemented process, such that the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
[0130] Although preferred embodiments of the invention have been described, those skilled in the art, upon learning the basic inventive concept, can make other changes and modifications to these embodiments. Therefore, the appended claims are intended to be interpreted as including both the preferred embodiments and all changes and modifications falling within the scope of the invention.
[0131] Obviously, those skilled in the art can make various modifications and variations to this invention without departing from its spirit and scope. Therefore, if these modifications and variations fall within the scope of the claims of this invention and their equivalents, this invention also intends to include these modifications and variations.
Claims
1. A method for starting a vehicle electronic controller, characterized in that it includes: after the vehicle electronic controller is powered on and the bootloader of the electronic controller passes the verification, the safety bypass feature module of the current firmware of the electronic controller and the safety bypass status of the electronic controller are obtained. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware. If both the security bypass feature module and the security bypass state are enabled, the system enters the security bypass mode of the current firmware and obtains the security bypass information table of the current firmware in the security bypass mode. If the first flag bit of the security bypass information table is the first preset flag bit, then the current firmware is verified through the security bypass feature module; after the current firmware passes verification, the next firmware is used as the new current firmware. The new current firmware is verified, and the electronic controller is started only after each firmware of the electronic controller has passed verification.
The process of verifying the current firmware through the security bypass feature module also includes: Obtain the firmware number, electronic controller type number, and electronic controller name of the safety bypass feature module; If the firmware number of the security bypass feature module is consistent with the firmware number in the security bypass information table, and the electronic controller type number of the security bypass feature module is consistent with the electronic controller type number in the security bypass information table, and the electronic controller name of the security bypass feature module is consistent with the electronic controller name in the security bypass information table, then the first public key of the electronic controller is obtained. If the signature message of the security bypass feature module can be decrypted using the first public key, and the software CRC checksum in the signature message can be verified, then the session key can be obtained from the signature message, and the second public key of the electronic controller can be obtained. If the signature value of the secure bypass feature module can be verified through the session key, or the signature value can be verified through the second public key, then the current firmware is determined to be in a verified state. The first flag bit of the secure bypass information table is set to the second preset flag bit, the second flag bit of the secure bypass information table is configured, and the configured secure bypass information table is stored in the hardware security module and bootloader of the electronic controller.
2. The method as described in claim 1, characterized in that, after obtaining the first public key of the electronic controller, the method further includes: if the signature message cannot be decrypted using the first public key, or if the software CRC checksum cannot be verified, an error message for the signature message of the current firmware is output, the secure bypass mode is exited, and the electronic controller is started through the hardware security module of the electronic controller.
3. The method as described in claim 1, characterized in that, after obtaining the security bypass information table of the current firmware, the method further includes: if the first flag bit of the safety bypass information table is the second preset flag bit, then the firmware number and electronic controller type number of the safety bypass feature module are obtained. If the firmware number of the safety bypass feature module is consistent with the firmware number in the bootloader, and the electronic controller type number of the safety bypass feature module is consistent with the electronic controller type number in the bootloader, then the flag bit of the safety bypass feature module is obtained. If the flag bit of the security bypass feature module is a valid flag bit, then the current firmware is determined to be in the verified state, and the next firmware is used as the new current firmware to verify the new current firmware.
4. The method as described in claim 3, characterized in that, after obtaining the firmware number and electronic controller type number of the safety bypass feature module, the method further includes: if the firmware number of the safety bypass feature module does not match the firmware number in the bootloader, or the electronic controller type number of the safety bypass feature module does not match the electronic controller type number in the bootloader, then an error message for the firmware number and/or electronic controller type number of the safety bypass feature module is output, the safety bypass mode is exited, and the electronic controller is started through the hardware security module of the electronic controller.
5. The method as described in claim 3, characterized in that, after obtaining the second flag bit of the safety bypass information table, the method further includes: if the flag bit of the security bypass feature module is an invalid flag bit, then the first public key is obtained; if the signed message can be decrypted using the first public key, then the session key is obtained from the signed message, and the second public key is obtained. If the signature value can be verified through the session key or the second public key, then the current firmware is determined to be in a verified state, and the first flag bit of the security bypass information table is set to the second preset flag bit, and the second flag bit is reset.
6. The method as described in claim 1, characterized in that, after obtaining the current firmware's safety bypass feature module and the electronic controller's safety bypass status, the method further includes: if the safety bypass feature module is in the off state, or the safety bypass state is in the off state, or both the safety bypass feature module and the safety bypass state are in the off state, then the electronic controller is started through the hardware safety module of the electronic controller.
7. A starting device for a vehicle electronic controller, characterized in that it includes: the acquisition module, used to acquire the safety bypass feature module of the current firmware and the safety bypass status of the electronic controller after the vehicle electronic controller is powered on and the bootloader of the electronic controller passes the verification. The safety bypass feature module is the verification identifier module of the current firmware, and the safety bypass status is the state in which the electronic controller is started through the safety bypass feature module of the firmware. The first judgment module is used to enter the security bypass mode of the current firmware if both the security bypass feature module and the security bypass state are in the enabled state, and to obtain the security bypass information table of the current firmware in the security bypass mode. The second judgment module is used to verify the current firmware through the security bypass feature module if the first flag bit of the security bypass information table is the first preset flag bit. The second judgment module is also used to obtain the firmware number, electronic controller type number, and electronic controller name of the safety bypass feature module; if the firmware number of the security bypass feature module is consistent with the firmware number in the security bypass information table, and the electronic controller type number of the security bypass feature module is consistent with the electronic controller type number in the security bypass information table, and the electronic controller name of the security bypass feature module is consistent with the electronic controller name in the security bypass information table, then the first public key of the electronic controller is obtained.
If the signature message of the security bypass feature module can be decrypted using the first public key, and the software CRC checksum in the signature message can be verified, then the session key can be obtained from the signature message, and the second public key of the electronic controller can be obtained. If the signature value of the secure bypass feature module can be verified through the session key, or the signature value can be verified through the second public key, then the current firmware is determined to be in a verified state. The first flag bit of the secure bypass information table is set to the second preset flag bit, the second flag bit of the secure bypass information table is configured, and the configured secure bypass information table is stored in the hardware security module and bootloader of the electronic controller. The startup module is used to, after the current firmware passes verification, take the next firmware as the new current firmware, verify the new current firmware, and control the electronic controller to start up after each firmware of the electronic controller has passed verification.
8. A vehicle electronic controller, comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, characterized in that, when the processor executes the program, it implements the method as described in any one of claims 1-6.
9. A computer-readable storage medium storing a computer program thereon, characterized in that, when the program is executed by a processor, it implements the method as described in any one of claims 1-6.