DE102004048945A1 - System monitoring unit - Google Patents

Abstract

A system monitor monitors a microprocessor controller by means of a peripheral monitor which monitors accesses to individual microprocessor peripherals and prevents and reports protection violations, a protection violation manager which classifies reported protection breaches and stores and outputs with further information to an operational mode monitor which, upon reported protection violations, suspends the microprocessor in switches a supervisor mode, a memory access monitor, and a runtime monitor.

Description

The The present invention relates to a device and a Procedure for monitoring the function of a control unit with a microprocessor.

ever bigger and the more complex it becomes, the more difficult it becomes to make mistakes to check and error-free. When running on multitasking systems can faulty programs other applications or the operating system block or crash. This can for example in control units in the automotive field dangerous be if they have security-related responsibilities.

Around to limit the consequences of faulty programs become user programs often running in a different operating mode than the operating system. This allows the access of the user programs to certain Prevent functions.

In order to prevent access to foreign storage areas, the system can be supplemented by a storage monitoring unit which reports or prevents unauthorized access. This uses a varying number of comparators connected to the address bus of the microprocessor and working in pairs on the principle of "greater than" and "less than". Each one protection block of the memory has a pair of these comparators, whereby it can be determined whether a current address of the microprocessor is within the protection block or not. By a classification of access rights can then be determined whether the current memory access is allowed within the protection block or not. An unauthorized access is called a protection violation and triggers an exception handling of the operating system. The operating system, in turn, sets the access rights and limits of the protection blocks. This ensures that the entire system operates only within the specified memory areas. Such a memory monitoring unit is for example in the patent US 5657475 disclosed. The reprogramming of the protection areas of such a device, however, costs additional computing time.

Around to prevent a blockage of the system by individual applications a so-called watchdog timer can be used. This one exists from a clock that expires and regularly new must be started. If a restart of the watch fails, e.g. by a blocking Application, the entire system is reset. The operating system however, can not see why the clock has not been restarted. Furthermore is a reset of the overall system, especially in multitasking control systems he wishes, otherwise error-free running control functions interrupted become.

One Another problem is missing access to peripherals. Such accesses can currently only be poorly achieved by a memory access monitoring stop and this only if the peripherals have memory accesses are reachable.

task This invention is an apparatus and a method for more comprehensive monitoring of Function of a control unit to provide with a microprocessor.

These Task is solved by an apparatus according to claim 1 and a method according to claim 10. The dependent claims refer to advantageous embodiments of the invention.

1 shows an overview of the system monitoring;

2 shows an overview of peripheral monitoring;

3 shows an overview of the protection violation management;

4 shows the use of alternate registers for memory access monitoring;

5 shows a further subdivision of protected areas of the memory; and

6 shows an overview of runtime monitoring.

First, will an example of a system monitoring unit (SPU), which is a Peripheral Monitoring Unit (PPU), a Protection Violation Management Unit (PVH) and an operation mode monitoring unit (OMM), descriptions of a memory access monitoring unit (MPU) follow. and a runtime monitoring unit (DSU).

by virtue of their close connection with internal functions of a microprocessor, the SPU is preferred built directly into the processor core. In this example, the SPU built into the NEC CPU V850 / E2.

The periphery surveillance (PPU) met the task of separate monitoring individual peripherals of the microprocessor. For every perpheria device can read and write access per operating mode of the processor. Preferably all done Access to the system monitor via this Part function. Thus, the task of this subfunction is the backup the SPU, including all peripherals, against unwanted false ones Accesses by program parts of the overall system. Here it is Operating system included, because although the supervisor mode, where the operating system is running which allows access to many parts, can also be used here Access be explicitly blocked.

2 shows the peripheral monitoring connected to the peripheral bus like all other peripherals, including the SPU itself. However, peripheral monitoring provides central access to all peripherals, including the SPU, by controlling the enable signals. It is thus connected between the usual address decoder and the peripherals. The implementation of peripheral monitoring depends on the respective implementation of individual peripheral devices and must be adapted in each case.

PAE Bits (peripheral access authorization bits) contain the coding, which mode of operation of the microprocessor for which subfunctions Access in the reading or writing direction unlocks. This also applies the PAE bits themselves, i. also the coding of the release for the PAE Bits are stored in themselves. The PAE bits are in two Divided into classes, namely in system devices and other peripherals.

To the system devices counting particularly sensitive areas of the system such as DMA, interrupt, memory configuration, Bus configuration and the SPU itself. These PAE bits are through a additional Security sequence in addition protected.

The other peripherals are all the rest Peripherals the no extra Security sequence need.

The Security sequence consists of a write access to a dedicated Security register and the immediately following write access on the PAE bits. There must not be any other peripheral access between the two accesses respectively.

• – Schreibberechtigung im Supervisor-Modus
• – Leseberechtigung im Supervisor-Modus
• – Schreibberechtigung im User-Modus
• – Leseberechtigung im User-Modus

The PAE bits each contain one bit for setting the access rights (authorizations):
Per peripheral device (4 bits)

• - Write authorization in supervisor mode
• - Read authorization in supervisor mode
• - Write authorization in user mode
• - Read authorization in user mode

Consequently arise for n peripherals up to 4n PAE configuration bits. Depending on the peripheral device, permissions may be combined, so that correspondingly less PAE configuration bits needed become.

If PAE configuration bits changeable by an implementation in the register the state of the configuration bits must be after a reset be defined by the system. This can be done for every PAE configuration bit be set separately. It makes sense to reset after a reset system access to all peripherals and system devices for all modes of operation be allowed to write as well as read. This allows the Run old programs that do not yet consider the PPU.

Not Each PAE configuration bit must be a variable register bit. Instead, you can also firm, unchanging Values be used. It makes sense to use e.g. the 4-bit configuration access to the PAE bits themselves (PAE register) so that only in the supervisor mode a read and write authorization for the PAE Bits. Except an increase the operational safety causes the firm attitude that it is not possible is, by deleting all PAE bits get the chance permanently withdraw access to all peripherals, which only by a reset of the system could be lifted.

Of contains more the PPU is a storage register that stores the peripheral address, if a protection fault occurs.

A Protection fault occurs as soon as the microprocessor is in an operating mode on a peripheral device accesses in a way that is not through the appropriate PAE bits have been explicitly allowed (configured). In case of a Protection violation prevents the access of the microprocessor and the access cycle ends so that the microprocessor continues to run can. At the same time, the affected I / O address is stored in the memory register stored and the alarm of protection fault triggered. One Alarm of protection violation is also triggered when the security sequence not correctly adhered to when describing the PAE bits of the system devices becomes. The alarm of the protection violation and the stored affected Peripheral addresses are forwarded to the integrating subfunction PVH.

The Protection Infringement Administration (PVH) is a central collection point for all SPU infringement alerts ( 3 ). The centralized arrangement has the advantage that the operating system can make the treatment of and response to protection violations very compact and generic.

Of contains more the protection violation management a register for a monitoring identification (SID). This register is over the PPU function is writable, is secured in case of alarm and is then readable together with the classified alarm cause. Thereby the operating system has the option to central office to get all the information about protection violations and also to store a flag as SID (with the settings of the PPU so, that the user mode does not get access) to the last status to secure.

If an alarm is triggered it will be classified and with any further additional information stored together with the current value of the SID in the Alarm Cause Register.

ever after alarm cause additional information in the alarm causes register saved. These are as follows.

Tabelle 1: Inhalt des Alarm-Ursachen-Registers

Table 1: Contents of the Alarm Causes Register

The Classification is encrypted as follows:

Tabelle 2: Klassifizierungskodes der Ursachen für Schutzverletzungs-Alarme

Table 2: Classification codes of causes of protection failure alarms

The operating mode monitoring (OMM) is the automatic switching of the operating modes Supervisor and User. This functionality must have the following characteristics for the operation of the SPU:
Each reset, every trap or interrupt forcibly enters the supervisor mode;
a signal triggered by the special protection block of the MPU when entering the jump table area of this protection block leads to the supervisor mode (see below);
If an interrupt routine is terminated by the special return command (RETI), the mode is set which was before entry into the interrupt routine (user or supervisor mode, see below);
by a special jump command (JMPU) (see below) or by directly changing the operating mode (status bit), the supervisor mode can be left, and the user mode is set;
if the special return instruction (RETI) is used to terminate a function called with JMPU, the supervisor mode is set; and
attempting to execute privileged commands in user mode results in a trap of the processor and thus in supervisor mode.

The memory access monitoring (MPU) is integrated in the SPU to allow the completeness of system monitoring. In addition to the well-known functionality of the MPU, which provides exactly one configuration for each protection block, the extension of the MPU by alternative registers offers the possibility of determining two different configurations for each protection block ( 4 ).

The Alternative registers of the configuration may have another setting of the protection block, which can be changed via the changeover can be exchanged very quickly against the normal setting. This means that the operating system has the address settings and access permissions do not have to reprogram, but rather just the configurations exchanges.

About the Switching configuration can now be selected, whether a protection block (a) is activated in the normal configuration, (b) in the alternative configuration is activated, (c) is not activated or (d) the operating mode The microprocessor decides which configuration is active.

The Setting (d) allows a quick switchover of the configuration as soon as the microprocessor changes its operating mode. The operating mode of the processor may be, for example, the supervisor mode / user mode be. If one assumes that the operating system in supervisor mode running, while the applications in user mode so that the setting of the protection blocks for the operating system can be different be set as for the applications. This makes sense, since usually the operating system has more access permissions than an application.

Consequently enable the alternate registers relieve the operating system of the Tasks of readjusting the protection blocks in many cases and thus a significant increase in performance of a real-time system.

For each protection block there should be the possibility to (a) indicate the protection violation (alarm) and force a branch of the microprocessor into the operating system (trap), which compulsorily implements a circuit of the operating mode in the supervisor mode implied.

For a dedicated protection block, in addition to the possibility (a), there should be the additional possibility of (b) forcibly forcibly switching the operating mode to the supervisor mode if the memory access is within a subarea of the monitored memory area of the protection block (jump table). For this purpose, the monitored memory area is divided again by another comparator (see 5 ).

The functionality (b) is an extension that, in combination with the alternate registers, enables the support of operating system calls by applications with minimal system power loss. The procedure is as follows:
A protection block is created which prohibits the execution of programs by applications (in user mode), but which is configured in option (b) (see above). The subarea of the memory area of this protection block is filled with program code, which consists only of jump commands in operating system functions (OS jump table). Now, when an application wants to invoke an operating system function, it jumps to the appropriate entry command within the dedicated portion of the protection block, and, as usual, places its arguments on the stack. The protection block enforces supervisor mode but allows the jump to the operating system. The protection blocks, which are configured with automatic switching of the alternate registers or for the supervisor, allow the operating system to perform the function. The operating system function, as usual, stores its results on the stack. At the end of the operation of the operating system, the processor jumps back into the application, with a special command (JMPU) of the processor at the same time the user mode is set again.

Consequently this call to the operating system has no additional Effort of reprogramming or reprogramming the protection blocks for Episode. This saved effort increases the efficiency of the overall system, since operating system calls by applications usually quite common accomplished become.

Of the Guard violation alarm and the stored memory address stored is for Possibility A) forwarded to the integrating partial function PVH.

The JMPU command supports the callback functionality of the operating system to applications for interrupts, as follows:
An interrupt occurs and is processed by the processor. To do this, the OMM subfunction switches to the supervisor operating mode as defined. The operating system contains a processing function for this interrupt, which is now executed in Supervisor operating mode. An application also contains a processing function for this interrupt, which, however, should run in the user operating mode. Therefore, the operating system uses the JMPU command to invoke the editing function of the application while switching the operating mode to user mode. The JMPU instruction also causes the special return instruction (RETI) to return to supervisor mode. At the end of the processing function of the application, RETI is executed, and at the same time switching to the supervisor mode returns to the operating system where the processing function of the application was called.

Of the Advantage of this method is that with a suitable configuration the protection blocks the MPU (automatic configuration, see setting (d) above) no additional Costs for reprogramming or reprogramming the protection blocks necessary is when an interrupt is in progress in a user mode Application to be served. This saved effort increases the efficiency of the entire system, since callback functions of the applications depending on Interrupt configuration very often accomplished become.

The runtime monitoring (DSU) fulfills the task of separate monitoring of the runtime of individual applications and also interrupt routines. There are three different groups of time counters ( 6 ).

A time counter for monitoring the running time of the currently active application:
The real-time operating system will always allocate the processing time of the processor to an application. The running time of this application until it returns the control to the operating system can be monitored with this timer.

For each intenupt priority level, one time counter each for monitoring the runtime of an interrupt routine (the NEC processor V850 / E2 by way of example has 8 interrupt priority levels):
The time that elapses between the initiation of a priority level interrupt and the completion of the edit Interrupt by the microprocessor elapsed, can be monitored with these counters.

A time counter for monitoring the interrupts:
When the program of the microprocessor disables interrupts (through the Disable Interrupt, DI command), this counter is started and stops when interrupts are released by the Enable Interrupts command, EI.

all counters is common that they are configured to start values and running speed be set. When the start condition occurs, start values become and running speed set to the configured values, subsequently counting she down. Will the meter reading Reaches zero, the set time has elapsed (i.e., the running time has been exceeded), and a protection violation is considered recognized.

If the stop condition occurs, the counters are stopped. For each counter Start and stop conditions are individually controlled. The following Table summarizes the start and stop conditions.

Tabelle 3: Start- und Stoppbedingungen der Zeitzähler der Laufzeitüberwachung

Table 3: Start and stop conditions of the time counters of the runtime monitoring

The Prioritätsabene is a property of the respective interrupt. It can be in the system often set which interrupt which priority level has. If an interrupt of the priority level n is triggered, then the priority level in the microprocessor core or interrupt control to this value set, if not already a higher priority level is set. When all interrupts a priority level by the processor are processed, the value of the priority level in the microprocessor core or the interrupt control is lowered to the next lower level, for the there are still pending interrupts that have not yet been processed. Lies no interrupt that still needs to be processed, so becomes the priority level in the microprocessor core or the interrupt control to less than the lowest value of the priority levels set.

Of the Value of the priority level in the microprocessor core or the interrupt control is the variable the stop condition for the ILST time counter. For each counter is exactly one value of the priority level firmly assigned; thus n counters exist for n levels.

If Interrupts triggered become, the higher priority levels have, are the counters the lower levels did not stop. This corresponds to the fact that the processing of these interrupts in this case deferred and thus the net duration of these interruptions increases accordingly. Thus it is e.g. possible for a low Interrupt priority level a protection violation is triggered because too many interrupts with higher ones priority triggered were.

in the In case of a protection violation, the alarm will be sent to the integrating Subfunction PVH forwarded. It will be for the three meter types one alarm each. For the ILST time counter will also one bit per priority level set whose duration exceeded has been.

Claims (18)

System monitoring unit for a control device with microprocessor, comprising the following components: a Peripheral monitoring unit which monitors accesses to individual peripherals of the microprocessor and unauthorized access attempts (protection violations) prevented and / or reports; a protection violation management unit which reported Classified violations and with more information about the Protection infringement stores and outputs; and an operation mode monitoring unit, which at reported protection violations the microprocessor into a Supervisor mode toggles. System monitoring unit according to claim 1, wherein the peripheral monitoring unit for each one peripheral Accesses dependent monitored by the operating mode of the microprocessor. System monitoring unit according to claim 1 or 2, wherein the peripheral monitoring unit for each single peripheral device Accesses dependent monitored by the data direction of the access. System monitoring unit according to one of the claims 1 to 3, in which the peripheral monitoring unit access to sensitive peripherals of the system only after the Write a security sequence allowed. System monitoring unit according to one of the claims 1 to 4, in addition a memory access monitoring unit includes which unauthorized access attempts (protection violations) on protected storage areas prevents and / or reports. System monitoring unit according to claim 5, wherein the memory access monitoring unit additionally comprises alternative registers which stores alternative configurations for the protected storage areas which are contrary to the normal configurations of the protected memory areas are interchangeable. System monitoring unit according to claim 5 or 6, wherein the memory access monitoring unit comparators for one further subdivision protected Has areas in subareas and has access to one accordingly configured sub-range only reports, so the operating mode monitoring unit switches the microprocessor to supervisor mode and jumps into the operating system. System monitoring unit according to one of the claims 1 to 7, in addition a runtime monitoring unit which shows the runtimes of programs, interrupt routines and / or interrupts monitored and an overrun specified transit times as a protection violation reports. System monitoring unit according to claim 8, wherein the run-time monitoring unit the durations of Interrupt routines for each interrupt priority level monitored separately. System monitoring procedures for a control device with microprocessor, which includes the following steps: Monitor of accesses to individual peripherals of the microprocessor and Preventing and / or reporting unauthorized access attempts (protection violations); Classify as well as storing and issuing notified protection violations with others Information about the Protection fault; and Switching the microprocessor into one Supervisor mode for reported protection violations. System monitoring procedures according to claim 10, wherein the accesses to each individual peripheral device depend on the Operating mode of the microprocessor to be monitored. System monitoring procedures according to claim 10 or 11, wherein the accesses to each one peripheral dependent be monitored by the data direction of the access. System monitoring procedures according to one of the claims 10 to 12, in which the accesses to sensitive peripherals of the system allowed only after writing a security sequence. System monitoring procedures according to one of the claims 10 to 13, in addition Unauthorized access attempts (protection violations) to protected storage areas prevents and / or reports. System monitoring procedures according to claim 14, wherein the normal configurations of the protected memory areas interchangeable with alternative configurations for the protected storage areas where the alternative configurations are in alternate registers are stored. System monitoring procedures according to claim 14 or 15, wherein the protected areas are another Subdivision into subregions and have access to one correspondingly configured subarea is only reported, so that the microprocessor is switched to the supervisor mode and allows a jump in the operating system. System monitoring procedures according to one of the claims 10 to 16, in addition monitors the runtimes of programs, interrupt routines and / or interrupts and an overrun specified transit times as a protection violation reports. System monitoring procedures Claim 17, wherein the runtimes of interrupt routines are for each interrupt priority level monitored separately become.