Information processing device

By implementing secure and processing modules with varying interference levels and rendering processing modules unusable, the device addresses security risks and reduces development time, ensuring secure and efficient function execution.

JP2026093202APending Publication Date: 2026-06-08DENSO CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
DENSO CORP
Filing Date
2024-11-27
Publication Date
2026-06-08

Smart Images

  • Figure 2026093202000001_ABST
    Figure 2026093202000001_ABST
Patent Text Reader

Abstract

To provide an information processing device that can reduce development man-hours and lower vulnerabilities. [Solution] The memory 10 of the information processing device 1 stores a secure function module 111a that contains instructions to be executed by the processor 20 in the performance of a function and is restricted from external interference. The memory 10 also stores a processing function module 131 that contains instructions common to the secure function module 111a, has less restrictive external interference than the secure function module 111a, and is processed into a disabled state in which the processor 20 cannot execute instructions. The memory 10 also stores a release module 112 that has more restricted external interference than the processing function module 131 and can release the disabled state in the processing function module 131. The memory 10 also stores a security request determination flag 115 that defines the security level required in the performance of a function.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present disclosure relates to information processing technology for performing at least one function.

Background Art

[0002] Patent Document 1 discloses an ECU that requires access authentication using a key.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] By the way, the security level required for an information processing device may vary depending on the device. In such a situation, in order to suppress the development man-hours, for a specific application, both a function corresponding to an information processing device with a relatively high security level and a function corresponding to an information processing device with a relatively low security level are installed in the information processing device regardless of the security level. However, in this case, an information processing device with a relatively high security level will include a function corresponding to an information processing device with a relatively low security level. As a result, there is a risk of an increase in security risk in an information processing device that requires a relatively high security level.

[0005] An object of the present disclosure is to provide an information processing device capable of suppressing security risk.

Means for Solving the Problems

[0006] The following describes the technical means of solving the problem described in this disclosure. Note that the claims and the reference numerals in parentheses in this section indicate the correspondence with the specific means described in the embodiments detailed later, and do not limit the technical scope of this disclosure.

[0007] Aspects of the present disclosure are information processing devices having a storage medium (10) and a processor (20) and performing at least one function, Storage media are, A functional module containing instructions to be executed by the processor in performing a function, and a secure functional module (111a, 111p) that is restricted from external interference, A functional module (131) that includes instructions common to a secure functional module, wherein external interference restrictions are more relaxed than those of the secure functional module, and the processor is processed to be in a disabled state in which it cannot execute instructions, A release module (112) that is less susceptible to external interference than the processing function module and can release the disabled state in the processing function module, Definition information (115) that defines the security level required for the performance of the function, I remember that.

[0008] According to these embodiments, the information processing device can select and execute secure function modules and processing function modules in the performance of its functions, depending on the security level. Since the processing function modules are processed into a non-executable state, it becomes difficult to illegally execute them even in the event of external interference. Therefore, the information processing device can suppress security risks while having both function modules that are protected from external interference and function modules that are protected from external interference. [Brief explanation of the drawing]

[0009] [Figure 1] This is a block diagram showing the overall configuration of the information processing device in the first embodiment. [Figure 2]This is a block diagram showing the functional configuration for realizing the information processing method according to the first embodiment. [Figure 3] This is a block diagram showing the information processing device after the malfunction state has been resolved. [Figure 4] This is a flowchart showing the information processing flow according to the first embodiment. [Figure 5] This is a flowchart showing the information processing flow according to the second embodiment. [Modes for carrying out the invention]

[0010] Hereinafter, several embodiments of this disclosure will be described with reference to the drawings. In each embodiment, the same reference numerals will be used for corresponding components, and redundant explanations may be omitted. Furthermore, if only a part of the configuration is described in each embodiment, the configuration of other embodiments described earlier may be applied to the other parts of that configuration. Moreover, not only the combinations of configurations explicitly stated in the description of each embodiment, but also the configurations of multiple embodiments may be partially combined even if not explicitly stated, as long as there are no particular problems with the combination.

[0011] (First Embodiment) The information processing device 1 of the first embodiment will be described with reference to Figures 1 to 4. The information processing device 1 of the first embodiment is provided by an information processing device 1 which is an electronic control unit (ECU) mounted on a vehicle, which is an example of a mobile device.

[0012] The information processing device 1 performs specific information processing in the vehicle. The vehicle may be given an automated driving mode, which is divided into levels according to the degree of manual intervention by the occupant in dynamic driving tasks. The automated driving mode may be realized by autonomous driving control in which the system performs all dynamic driving tasks when in operation, such as conditional driving automation, advanced driving automation, or full driving automation. The automated driving mode may also be realized by advanced driving assistance control in which the occupant performs some or all of the dynamic driving tasks, such as driving assistance or partial driving automation. The automated driving mode may be realized by either one of these autonomous driving controls or advanced driving assistance controls, or by a combination of them, or by switching between them.

[0013] The information processing device 1 is configured to include at least one dedicated computer. The dedicated computer constituting the information processing device 1 may be an integrated ECU that integrates the driving control of the host vehicle. The dedicated computer constituting the information processing device 1 may be a decision ECU that determines driving tasks in the driving control of the host vehicle. The dedicated computer constituting the information processing device 1 may be a monitoring ECU that monitors the driving control of the host vehicle. The dedicated computer constituting the information processing device 1 may be an evaluation ECU that evaluates the driving control of the host vehicle.

[0014] The dedicated computer constituting the information processing device 1 may be a navigation ECU that navigates the driving route of the host vehicle. The dedicated computer constituting the information processing device 1 may be a locator ECU that estimates the self-state quantities of the host vehicle. The dedicated computer constituting the information processing device 1 may be an actuator ECU that controls the driving actuators of the host vehicle. The dedicated computer constituting the information processing device 1 may be an HCU (HMI (Human Machine Interface) Control Unit) that controls the presentation of information in the host vehicle. The dedicated computer constituting the information processing device 1 may be a computer other than the vehicle that constructs, for example, an external center or mobile terminal that can communicate with the vehicle.

[0015] The dedicated computer that constitutes the information processing apparatus 1 has at least one memory 10 and one processor 20. The memory 10 is at least one type of non-transitory tangible storage medium, such as a semiconductor memory, a magnetic medium, and an optical medium, that non-temporarily stores programs, data, etc. that can be read by a computer. Here, storage may be an accumulation in which data is maintained even when the power supply is turned off, or it may be a temporary storage in which data is erased when the power supply is turned off.

[0016] The memory 10 includes, for example, a ROM 11, a RAM 12, and a data flash 13. ROM 11 is an abbreviation for Read Only Memory. ROM 11 is a non-volatile memory medium in which data (stored information) is maintained even when the power supply is turned off.

[0017] The ROM 11 has, for example, a plurality of storage areas. Specifically, the ROM 11 has a rewrite area R1 and a rewrite prohibited area R2. The rewrite area R1 is an area in which data such as a stored program can be rewritten. Rewriting of a program is also referred to as reprogramming. The rewrite area R1 may be an empty area at the time of factory shipment. Or, the rewrite area R1 may be an area in which a predetermined program is stored at the time of factory shipment.

[0018] In the rewrite area R1, a predetermined application is stored and updated by a user. Here, the user is, for example, a factory worker, a dealer, and a vehicle owner, etc. The application may execute specific vehicle control. For example, the application may execute shift control of a transmission. The application includes a plurality of secure function modules 111a, a control unit 113, and a constant 114.

[0019] The plurality of secure function modules 111a are function modules that at least include those in which the programs constituting the application are subdivided by function. The program of each function module includes instructions for causing the processor 20 to execute in the execution of the corresponding function. For example, in the case of a transmission shift control application, the secure function module 111a is configured for each function such as an information acquisition function from in-vehicle sensors, a solenoid shift control function, and a communication function.

[0020] Each secure function module 111a stored in the rewrite area R1 of the ROM 11 is in a secure state with restricted external interference. Here, external interference is at least one type such as unauthorized access from the outside and data rewriting. Each secure function module 111a may be restricted from external interference, for example, by restricting access from outside a specific core of the processor 20. Alternatively, each secure function module 111a may be restricted from external interference by encryption. Each secure function module 111a may be restricted from interference by being stored in an isolation area constructed in the ROM 11 by a technology such as a TEE (Trusted Execution Environment).

[0021] The control unit 113 is control logic that generates control commands necessary for the execution of the application and includes instructions for outputting them to the control target. The constant 114 is a fixed value that is not changed during program execution. The constant 114 is data that is referred to in a specific process in the execution of the application.

[0022] The write prohibition area R2 is an area where rewriting of the stored data is prohibited. The write prohibition area R2 stores data at the time of factory shipment. For example, a secure function module 111p related to the primary boot loader and a security requirement discrimination flag 115 are stored in the write prohibition area R2.

[0023] The primary boot loader is a program executed when the information processing device 1 is started. When the primary boot loader receives a reprogram request for an application stored in the rewrite area R1, it deploys a secondary boot loader (not shown) to RAM 12. The secondary boot loader is a program for deleting application programs and writing new application programs during reprogramming. The primary boot loader, like the applications in the rewrite area R1, is composed of multiple secure function modules 111p, which are secure function modules. At least one of the multiple secure function modules 111p that make up the primary boot loader may have a function in common with the secure function module 111a of the application stored in the rewrite area R1. For example, as shown in Figure 1, a function module that performs function F1 may be included in both secure function modules 111a and 111p.

[0024] The security requirement determination flag 115 is data that defines the level of cybersecurity required by the information processing device 1. The security requirement determination flag 115 is either a flag that specifies that there is a cybersecurity requirement, or a flag that specifies that there is no such requirement. For example, if the information processing device 1 is installed in a vehicle that supports OTA (Over The Air), the security requirement determination flag 115 is set to indicate that there is a security requirement. On the other hand, if the information processing device 1 is installed in a vehicle that does not support OTA, the security requirement determination flag 115 is set to indicate that there is no security requirement. The security requirement determination flag 115 is an example of "definition information". Furthermore, if the security requirement determination flag 115 is set to indicate that there is a security requirement, it corresponds to "the security level is in the high-level range, which is higher than the low-level range". Furthermore, if the security requirement determination flag 115 is set to indicate that there is no security requirement, it corresponds to "the security level is in the low-level range, which is lower than the high-level range". Note that the security level may be defined in more detail.

[0025] RAM12 is an abbreviation for Random Access Memory. RAM12 is a volatile storage medium whose data is erased when the power supply is turned off. RAM12 is an example of a "volatile area" in memory 10. RAM12 has a work area for temporarily storing data used in various processing processes of the processor. When there are no security requirements, the processing function module 131, which will be described later, is deployed (stored) in RAM12 in the information processing device 1.

[0026] The data flash 13, like the ROM 11, is a non-volatile storage medium. The data flash 13 is an example of a "non-volatile area" in the memory 10. The data flash 13 stores a function module that has functions common to the secure function module 111a of the application stored in the ROM 11. The data flash 13 also stores a function module that has functions common to the secure function module 111p of the primary boot loader. Here, "common functions" may mean that the program source code is substantially identical. Alternatively, "common functions" may mean that when the same input data is input, substantially identical results are output.

[0027] The function modules stored in data flash 13 are in a state where external interference restrictions are relaxed compared to the secure function modules 111a and 111p of ROM 11. A state where interference restrictions are relaxed means, for example, that no measures have been taken to make the function modules secure, i.e., an insecure state without interference restrictions. Alternatively, a state where interference restrictions are relaxed may be a state in which less secure interference restrictions are applied compared to the secure state of the secure function modules 111a and 111p.

[0028] The function module stored in the data flash 13 is stored as a modified function module 131, which has been modified by the processor 20 to render its function unexecutable. Here, a state in which a function is rendered unexecutable means that at least a part of the machine code that constitutes the program has been changed from its original form. In the following, a state in which a function is rendered unexecutable may be referred to as an unusable state. For example, the modified function module 131 may be rendered unusable by bit-inverting the machine code according to a specific rule. Alternatively, the modified function module 131 may be rendered unusable by address substitution of the machine code according to a specific rule. Alternatively, the modified function module 131 may be rendered unusable by encryption of the machine code according to a specific rule. Due to the modification to an unusable state, even if the modified function module 131 is intercepted and read from the outside, it is practically impossible to execute its function illegally. Such a modified function module 131 can also be said to be obfuscated to the point of being uninterpretable by the processor 20.

[0029] Memory 10 has a release module 112 that has a release function that can release the disabled state of the processing function module 131 of the data flash 13. The release module 112 includes at least data that restores the processing function module 131 to its state before processing when acted upon by the disabled processing function module 131. If the processing function module 131 has been processed into a disabled state by bit inversion, the release module 112 includes data for re-inverting the bit-inverted portion. If the processing function module 131 has been processed into a disabled state by address substitution, the release module 112 includes data for restoring the substituted address. If the processing function module 131 has been processed into a disabled state by encryption, the release module 112 includes key data for decryption.

[0030] The release module 112 is stored in a more secure state than the disabled processing function module 131. Specifically, the release module 112 is stored in ROM 11 in a state where external interference is restricted by the same method as the secure function modules 111a and 111p. The release module 112 corresponding to the secure function module 111a of the application stored in the rewrite area R1 and the processing function module 131 which shares functions is stored in the rewrite area R1. The release module 112 corresponding to the secure function module 111p of the primary boot loader stored in the rewrite-protected area R2 and the processing function module 131 which shares functions is stored in the rewrite-protected area R2.

[0031] The processor 20 includes at least one core from among, for example, a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), a RISC (Reduced Instruction Set Computer)-CPU, a CISC (Complex Instruction Set Computer)-CPU, a DFP (Data Flow Processor), and a GSP (Graph Streaming Processor).

[0032] The processor 20 executes multiple instructions contained in an information processing program (not shown) stored in memory 10 to perform functions in the vehicle application. This causes the information processing device 1 to construct multiple functional blocks for performing functions in the vehicle application. The multiple functional blocks constructed in the information processing device 1 include an acquisition block 110, a determination block 120, and an execution block 130, as shown in Figure 2.

[0033] The acquisition block 110 acquires a function execution request for a predetermined function from the control unit 113, etc. The determination block 120 performs a determination process to execute the function in the application. For example, the determination block 120 determines whether the information processing device 1 supports the requested function. In addition, the determination block 120 determines whether there is a security request in the vehicle in order to select one of the function modules capable of executing the requested function, from among the secure function modules 111a, 111p and the processing function module 131.

[0034] The execution block 130 executes either the secure function modules 111a, 111p, or the processing function module 131. When executing the processing function module 131, the execution block 130 first releases the disabled state using the release module 112, and then executes the processing function module 131. As shown in Figure 3, the execution block 130 loads the disabled processing function module 131 into the RAM 12 to release the disabled state and execute the function.

[0035] Through the combined action of blocks 110, 120, and 130, the information processing method by which the information processing device 1 executes functions in the vehicle's application is performed according to the information processing flow shown in Figure 4. This information processing flow is executed repeatedly while the host vehicle is running. In this information processing flow, each "S" represents multiple steps executed by multiple instructions included in the information processing program.

[0036] First, in S10, the acquisition block 110 acquires a function execution request for a predetermined function. Next, in S20, the determination block 120 determines whether or not the requested function is supported. Specifically, the determination block 120 determines whether or not a function module corresponding to the function exists in memory 10. If it is determined that the requested function is not supported, this flow terminates. On the other hand, if it is determined that the requested function is supported, that is, that a function module corresponding to the function exists, this flow proceeds to S30.

[0037] In S30, the determination block 120 determines whether or not there is a security request for the vehicle on which the information processing device 1 is installed. The determination block 120 determines the presence or absence of a security request by referring to the security request determination flag 115 stored in the rewrite-protected area R2 of the ROM 11. If the security request determination flag 115 indicates that there is a security request, this flow proceeds to S40. In S40, the execution block 130 executes the secure function module 111a corresponding to the requested function. In this embodiment, the secure function module 111a stored in the ROM 11 is executed. Note that, unlike when the processing function module 131 described later is executed, the secure function module 111a is executed without being loaded into the RAM 12.

[0038] On the other hand, if it is determined in S30 that there are no security requests regarding the vehicle, the flow proceeds to S50. In S50, the execution block 130 deploys the disabled machining function module 131 stored in the data flash 13 to the RAM 12, enabling it to execute the requested function. Next, in S60, the execution block 130 releases the disabled state of the deployed machining function module 131. Specifically, the execution block 130 uses the secure state release module 112 to restore the machining function module 131 to its pre-machining state. Then, in S70, the execution block 130 executes the machining function module 131, which has had its disabled state released.

[0039] According to the first embodiment described above, the information processing device 1 includes secure function modules 111a and 111p and a processing function module 131. When the information processing device 1 requires restrictions on external access, the secure function modules 111a and 111p can perform the function. Furthermore, since the processing function module 131 is processed into a disabled state in which it cannot execute instructions, it becomes difficult to execute the processing function module 131 illegally even if it is accessed illegally. Therefore, it is possible to suppress security risks while reducing development man-hours.

[0040] Furthermore, according to the first embodiment, the instruction in one of the secure function modules 111a, 111p and the processing function module 131 selected in response to the security requirement is executed. Therefore, it becomes possible to appropriately select and execute the function module to be executed from the secure function modules 111a, 111p and the processing function module 131 in response to the security requirement.

[0041] Furthermore, according to the first embodiment, the information processing device 1 with security requirements can execute the functions of the secure function modules 111a and 111p. This allows the information processing device 1 with security requirements to execute functions securely while the processing function module 131 remains disabled.

[0042] In addition, according to the first embodiment, if there is no security request, the disabled state of the processing function module 131 is released by the release module 112, and the commands of the processing function module 131 whose disabled state has been released are executed. Therefore, in the case of no security request, the information processing device 1 can execute non-secure functions.

[0043] Furthermore, according to the first embodiment, the processing function module 131 is loaded into the RAM 12 and the disabled state is released, thereby executing the function of the processing function module 131. Therefore, in the information processing device 1 in which the processing function module 131 is stored in the data flash 13, non-secure functions can be executed at high speed.

[0044] Furthermore, according to the first embodiment, only the processing function module 131 corresponding to the function for which an execution request has been received can be loaded into RAM 12 and executed. As a result, security is further improved because only the function for which an execution request has been received is released from its disabled state.

[0045] (Second embodiment) As shown in Figure 5, the second embodiment is a modification of the first embodiment. In particular, the timing of deploying the processing function module 131 to the RAM 12 differs from that of the first embodiment. In the second embodiment, the information processing method by which the information processing device 1 executes functions in the vehicle application is performed according to the information processing flow shown in Figure 5.

[0046] First, in S210, the execution block 130 loads all the disabled processing function modules 131 stored in the data flash 13 into the RAM 12. Next, in S220, the acquisition block 110 acquires the function execution request. Then, in S230, the determination block 120 determines whether or not the requested function is supported. If it is determined that there is no support, this flow ends. On the other hand, if it is determined that there is support, this flow proceeds to S240.

[0047] In S240, it is determined whether or not there is a security request for the vehicle equipped with the information processing device 1. If it is determined that there is a security request, this flow proceeds to S250. In S250, the execution block 130 executes the secure function modules 111a and 111p.

[0048] On the other hand, if it is determined in S240 that there are no security requests, the flow proceeds to S260. In S260, the execution block 130 releases the disabled state for the processing function module 131 deployed in RAM 12 that has received an execution request. Then, in S270, the execution block 130 executes the processing function module 131 whose disabled state has been released.

[0049] According to the second embodiment described above, the processing function module 131 can be loaded into RAM 12 in a batch before obtaining a request to perform a specific function. This makes it possible to execute the function with simpler processing.

[0050] (Other embodiments) Although several embodiments have been described above, this disclosure is not limited to those embodiments and can be applied to various embodiments and combinations without departing from the spirit of this disclosure.

[0051] In the modified example, the dedicated computer constituting the information processing device 1 may have at least one of the digital circuit and the analog circuit as a processor. Here, the digital circuit is at least one of the following, for example, ASIC (Application Specific Integrated Circuit), FPGA (Field Programmable Gate Array), SOC (System on a Chip), PGA (Programmable Gate Array), and CPLD (Complex Programmable Logic Device). Furthermore, such a digital circuit may have a memory that stores a program.

[0052] In the modified example, the vehicle on which the information processing device 1 is mounted may be, for example, an autonomous robot capable of transporting goods or collecting information by autonomous driving or remote driving. Furthermore, the information processing device 1 may be mounted on a device other than a vehicle. [Explanation of Symbols]

[0053] 1: Information processing device, 10: Memory (storage medium), 12: RAM (volatile area), 13: Data flash (non-volatile area), 20: Processor, 111a, 111p: Secure function module, 131: Processing function module, 112: Release module, 115: Security request determination flag (definition information)

Claims

1. An information processing device having a storage medium (10) and a processor (20), which performs at least one function, The aforementioned storage medium is A functional module (111a, 111p) that includes instructions to be executed by the processor in performing the aforementioned function, and which is a secure functional module (111a, 111p) that is restricted from external interference, A processing function module (131) that includes the same instructions as the secure function module, wherein the external interference restrictions are more relaxed than those of the secure function module, and the processor is processed to be in a disabled state in which it cannot execute the instructions, A release module (112) that is less susceptible to external interference than the aforementioned processing function module and can release the disabled state in the processing function module, Definition information (115) that defines the security level required for the performance of the above function, An information processing device that stores data.

2. The aforementioned processor, The information processing apparatus according to claim 1, which is configured to perform the above-mentioned function by selecting a function module to be executed from among the secure function module and the processing function module according to the security level.

3. Selecting a functional module is The information processing apparatus according to claim 2, further comprising selecting the secure function module if the required security level is in a high-level range that is higher than the low-level range.

4. Selecting a functional module is If the required security level falls within the low-level range, which is lower than the high-level range, the disabled state of the processing function module is released by the release module. Selecting the processing function module whose disabled state has been released as the function module to be executed, The information processing apparatus according to claim 2, including the following:

5. The aforementioned storage medium is It has a volatile region (12) in which the stored information is erased when the power supply is turned off, and a non-volatile region (13) in which the stored information is maintained when the power supply is turned off. The processing function module is stored in the non-volatile region. Selecting a functional module is The processing function module is deployed to the volatile region before the disabled state is released. The disabled state of the processing function module deployed in the volatile region is released by the release module. The information processing apparatus according to claim 4, including the following:

6. The aforementioned processor, It is further configured to perform the acquisition of a request to perform a specific function, Selecting a functional module is The information processing apparatus according to claim 5, comprising deploying the processing function module corresponding to a specific function that has obtained an execution request in the volatile region.

7. The aforementioned processor, It is further configured to perform the acquisition of a request to perform a specific function, Selecting a functional module is The information processing apparatus according to claim 5, further comprising deploying the processing function module stored in the non-volatile region to the volatile region before obtaining an execution request.