Method for Checking the Integrity of Reloadable Functional Units

20230385500 · 2023-11-30

    Abstract

    A method for checking the integrity of functional units that are reloadable during runtime of an electronic component in a dynamically reconfigurable region of the electronic component, wherein the electronic component, which is formed as a programmable logic circuit, has, in addition to a static region, a dynamically reconfigurable region and the reloadable functional units have predefined interfaces, where an associated twin functional unit is configured in a specified subregion of the dynamically reconfigurable region for each reloadable functional unit, a reloadable functional unit is loaded into a specified subregion of the dynamically reconfigurable region, supplied with identical input data to the associated twin functional unit, and executed in parallel with the twin functional unit, and where output data of the reloaded functional unit and associated twin functional unit are compared and the reloaded functional unit is enabled if a match between the two output data is found.

    Claims

    1-10. (canceled)

    11. A method for checking an integrity of reloadable functional units which are reloaded, as configuration files during a runtime of an electronic component formed as a programmable integrated circuit, into sub-regions of a dynamically reconfigurable region of the electronic component, the reloadable functional units including predefined interfaces which match corresponding interfaces of those sub-regions of the dynamically reconfigurable region of the electronic component into which the reloadable functional units are loadable, the method comprising: preconfiguring, for each reloadable functional unit, a predetermined sub-region of the dynamically reconfigurable region with a corresponding, associated, functionally identical twin functional unit, which has a basic structure of reloadable functional units of the electronic component formed as logic circuit functions; loading a reloadable functional unit into a predetermined sub-region of the dynamically reconfigurable region at the runtime of the electronic component; supplying the loaded reloadable functional unit and the associated twin functional unit with identical input data and executing the loaded reloadable functional unit and the associated twin functional unit in parallel; comparing output data of the loaded reloadable functional unit and output data of the associated twin functional unit; and enabling the loaded reloadable functional unit and forwarding the output data of the loaded reloadable functional unit when a match is detected between the output data of the reloadable functional unit and the output data of the associated twin functional unit.

    12. The method as claimed in claim 11, wherein the loaded reloadable functional unit is disabled and an alarm message is output if the output data of the loaded reloadable functional unit deviates from the output data of the associated twin functional unit.

    13. The method as claimed in claim 11, wherein the output data of the reloadable functional unit and the output data of the associated twin functional unit are forwarded to a comparison logic for comparison.

    14. The method as claimed in claim 12, wherein the output data of the reloadable functional unit and the output data of the associated twin functional unit are forwarded to a comparison logic for comparison.

    15. The method as claimed in claim 13, wherein the comparison logic is statically configured in the dynamically reconfigurable region of the electronic component.

    16. The method as claimed in claim 11, wherein the output data of the reloadable functional unit and the output data of the associated twin functional unit are compared for a predetermined time duration.

    17. The method as claimed in claim 11, wherein a predetermined test data sequence is used as input data for the comparison of the output data of the reloadable functional unit and the output data of the associated twin functional unit.

    18. The method as claimed in claim 11, wherein the twin functional unit, which is configured for each reloadable functional unit, is loaded from a secure and trusted memory region into the predetermined sub-region of the dynamically reconfigurable region of the electronic component.

    19. The method as claimed in claim 11, wherein the respective configuration file for the respective reloadable functional unit is executed as a bitstream file, which is reloaded from an internal or external storage unit at the runtime of the electronic component.

    20. The method as claimed in claim 11, wherein the electronic component comprises a field programmable gate array.

    21. The method as claimed in claim 11, wherein the electronic component comprises a system-on-chip field programmable gate array.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0027] The invention is explained below in an exemplary manner with reference to the accompanying figures, in which:

    [0028] FIG. 1 shows a schematic and exemplary structure of an electronic component which is set up to perform the method in accordance with the invention for checking the integrity of reloadable functional units;

    [0029] FIG. 2 shows an exemplary sequence of the method in accordance with the invention for checking the integrity of reloadable functional units in an electronic component; and

    [0030] FIG. 3a and FIG. 3b show an exemplary data flow during and after the method in accordance with the invention for checking the integrity of reloadable functional units in an exemplary electronic component set up to carry out the method according to the invention.

    DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS

    [0031] FIG. 1 schematically shows an exemplary structure or an exemplary configuration of an electronic component BE, which is set up to perform the method in accordance with the invention for checking the integrity of reloadable functional units HWAA1, HWAA2. The electronic component BE is formed, for example, as a programmable or reconfigurable integrated circuit, such as a field programmable gate array (FPGA) or a system-on-chip FPGA (SoC FPGA).

    [0032] The exemplary electronic component BE shown in FIG. 1 has a static region SBE and also has a dynamically reconfigurable region DPR. In a design phase of the electronic component BE, for example, it is possible to determine which region of the electronic component BE is to be dynamically reconfigurable. In the static region SBE of the electronic component BE, for example, there can be provided at least one or more processor units, units for memory management, etc., as well as a control unit for reloading the reloadable functional units or hardware applications HWAA1, HWAA2 in the form of configuration files and for reconfiguring the dynamically reconfigurable region DPR.

    [0033] The dynamically reconfigurable region DPR represents a part of the electronic component BE that can be at least partially reconfigured at runtime of the electronic component BE, which due to its basic structure can be changed as required by reloading individual functional units or hardware applications HWAA1, HWAA2 in the form of configuration files. Here, the dynamically reconfigurable region can be divided into a plurality of sub-regions C1, C2, Ct, which can also be referred to as containers, slots or partitions. The containers C1, C2, Ct have predetermined interfaces IIF, OIF, via which, for example, input and output data (e.g., signals, control signals, and/or register contents) can be exchanged with units of the static part SBE of the electronic component BE. The subdivision of the dynamically reconfigurable region DPR into predefined containers C1, C2, Ct as well as the definition of the interfaces IIF, OIF are, e.g., also defined in the design phase of the component BE, e.g., by the manufacturer, and are usually static.

    [0034] At runtime of the electronic component BE, functional units or hardware applications HWAA1, HWAA2 can then be loaded into the predefined sub-regions or containers C1, C2 in the form of a configuration file, which then determines the functionality of the respective sub-region C1, C2. The configuration files of the hardware applications HWAA1, HWAA2 are usually executed as bitstream files and can be reloaded, for example, from an internal or external storage unit with the aid of the control unit into the respective container C1, C2 during operation of the component BE. The reloadable hardware applications HWAA1, HWAA2 have predefined interfaces, which must match the interfaces IIF, OIF of the containers C1, C2. This means that a certain reloadable functional unit or hardware application HWAA1, HWAA2 can only be reloaded into a certain type of container C1, C2. This container type C1, C2 must have the correspondingly defined interfaces IIF, OIF for the input data to be processed by the reloadable functional unit HWAA1, HWAA2 and for the output data to be supplied by the reloadable functional unit HWAA1, HWAA2.

    [0035] In the exemplary electronic component BE shown in FIG. 1, the dynamically reconfigurable region DPR is divided, for example, into three exemplary containers C1, C2, Ct, where, for example, reloadable functional units HWAA1, HWAA2 can be dynamically loaded into a first and second container C1, C2, which have the interfaces matching the containers C1, C2. Here, the reloadable functional units HWAA1, HWAA2 have, for example, the same function type, i.e., the functional units HWAA1, HWAA2 process, for example, the same input data and supply the same output data. If the first and second containers C1, C2 have, for example, the same corresponding predefined input and output interfaces IIF, OIF, then the hardware applications HWAA1, HWAA2 can be reloaded into the first and/or second containers C1, C2 during the runtime of the electronic component BE, depending on the use of the component BE.

    [0036] In the third exemplary container Ct of the dynamically reconfigurable region DPR, a twin functional unit or twin hardware application HWAAT is preconfigured for performing the method in accordance with the invention, which has the same standard functionality as the hardware applications HWAA1, HWAA2 that can be reloaded at runtime. That is, the logical function or algorithm of the twin functional unit HWAAT corresponds to the logical function or algorithm of the reloadable functional units HWAA1, HWAA2. The twin functional unit HWAAT therefore processes the same input data or supplies the same output data as the reloadable functional units HWAA1, HWAA2. For this purpose, the container Ct specified for the twin functional unit HWAAT in the dynamically reconfigurable region DPR has the same interfaces IIF, OIF for the input and output data as the first and second containers C1, C2. However, the twin functional unit HWAAT is defined, e.g., by the manufacturer as early as in the design phase and predetermined by a configuration of the electronic component BE, e.g., as fixed or static in the dynamically reconfigurable region DPR of the electronic component BE. As a result, the twin functional unit HWAAT is considered trustworthy by the electronic component BE or its logic.

    [0037] Furthermore, the electronic component BE has comparison logic CL in the dynamically reconfigurable region DPR. The comparison logic CL can also be predetermined in the design phase as a non-changeable or fixed sub-region in the dynamically reconfigurable region DPR (similar to the interfaces IIF, OIF of the containers C1, C2, Ct). With the comparison logic CL, the output data of a functional unit HWAA1, HWAA2 reloaded at runtime can be compared with the output data of the corresponding, predefined twin functional unit HWAAT. The comparison logic CL here is arranged with respect to a data flow between the output interfaces OIF of the containers C1, C2, Ct and a further output interface OIFe, via which, for example, output data from the dynamically reconfigurable region DPR is forwarded to the units in the static region SBE. The output data of the reloadable functional units HWAA1, HWAA2 can be routed via the output interfaces OIF of the associated containers C1, C2 either to the comparison logic CL or directly to the output interface OIFe after checking the integrity. The output interface OIF of the container Ct of the twin functional unit HWAAT can, for example, be connected both to the comparison logic CL and directly to the output interface OIFe for integrity check.

    [0038] FIG. 2 shows an exemplary sequence of the method in accordance with the invention for checking the integrity of reloadable functional units in an electrical component BE with a dynamically reconfigurable region DPR, which has at least one sub-region or container C1, C2, into which a corresponding reloadable functional unit HWAA1, HWAA2 can be reloaded in the form of a configuration file at runtime of the electronic component BE.

    [0039] For the method in accordance with the invention, in a configuration step 101 predetermined sub-regions Ct of the dynamically reconfigurable region DPR are occupied by twin functional units HWAAT that have the same functionalities as the functional units HWAA1, HWAA2 that can be reloaded at runtime of the electronic component BE. That is, in the configuration step 101, for each reloadable functional unit or hardware application HWAA1, HWAA2, a predetermined sub-region or container Ct is configured with an associated twin functional unit HWAAT, where the occupancy of the sub-regions or containers Ct by the respective twin functional units HWAAT is static (i.e., cannot be changed during the runtime of the electronic component BE) and is predetermined, for example, by the manufacturer. The respective twin functional units HWAAT here are loaded, for example, during a boot phase of the electronic component BE in the form of corresponding configuration files or with a configuration for the electronic component BE from a secure and trusted memory region into the respective specified containers Ct. For example, the output interface OIF of the container Ct of the twin functional unit HWAAT may be connected both to a comparison logic CL for integrity check, and also directly to the output interface OIFe for forwarding data to other units of the electronic component BE.

    [0040] In a loading step 102, which is executed during runtime or during operation of the electronic component BE, one or more reloadable functional units HWAA1, HWAA2 are loaded into the corresponding sub-regions or containers C1, C2 of the dynamically reconfigurable part DPR of the electronic component BE. This means that a functional unit HWAA1, HWAA2 is loaded, generally from an external storage unit (e.g., flash memory, SD card, manufacturer-specific application store) in the form of a configuration file (i.e., in the form of a bitstream file) into a sub-region or container C1, C2 of the dynamically reconfigurable region DPR, which has the interfaces IIF, OIF for input and output data suitable for the functional unit HWAA1, HWAA2. The container C1, C2 with the configuration file of the loaded reloadable functional unit HWAA1, HWAA2 is then configured accordingly to make the executable reloadable functional unit HWAA1, HWAA2 available in the electronic component BE for ongoing operation. Furthermore, for example, an output interface OIF of the container C1, C2 of the reloaded functional unit HWAA1, HWAA2 is for the time being only connected to the comparison logic CL.

    [0041] For an execution step 103, the reloaded functional unit HWAA1, HWAA2, and the associated twin unit HWAAT are reset and started. In the execution step 103, the loaded reloadable functional unit HWAA1, HWAA2 and its associated twin unit HWAAT are then executed in parallel while being supplied with the same input data via the respective input interface IIF of the respective container C1, C2, Ct. Input data may be, for example, the input data occurring during normal operation of the electronic component BE. Ideally, a predefined test data sequence (e.g., test sequence, and/or test vector) is used for checking the integrity.

    [0042] During the execution step 103, output data is then generated by the loaded reloadable functional unit HWAA1, HWAA2, and the associated twin functional unit HWAAT according to their functionality and according to the implemented algorithm, respectively. These output data are then compared in a comparison step 104. For this purpose, the output data of the reloaded functional unit HWAA1, HWAA2 and the output data of the associated, functionally identical twin functional unit HWAAT are fed to the comparison logic CL, which is also provided in the dynamically reconfigurable region DPR. To ensure that the reloaded functional unit HWAA1, HWAA2 executes its functionality as expected, a time duration can be specified for the comparison, during which the output data of the reloaded functional unit HWAA1, HWAA2 must match the output data of the associated twin functional unit HWAAT. This time duration can be determined, for example, by the length of the specified test data sequence.

    [0043] If a match between the output data of the loaded reloadable functional unit HWAA1, HWAA2 and the associated, functionally identical twin functional unit HWAAT is detected by the comparison logic CL in the comparison step 104, for example, for the duration of the predetermined time duration, then the functional unit HWAA1, HWAA2 reloaded at runtime is enabled in an enabling step 105. That is, the output data of the functional unit HWAA1, HWAA2 will then be forwarded, e.g., directly to the output interface OIFe for forwarding data to other units of the electronic component BE. A connection of the functional unit HWAA1, HWAA2 to the comparison logic CL can be disconnected, for example, and instead a corresponding connection to the output interface OIFe for forwarding data to other units of the electronic component BE can be established.

    [0044] Furthermore, the connections of the associated twin functional unit HWAAT to the comparison logic CL and to the output interface OIFe for forwarding data to other units of the electronic component BE can also be disconnected. Alternatively, the twin functional unit HWAAT may remain in communication with the output interface OIFe for forwarding data to other units of the electronic component BE. After the enabling step 105, the twin functional unit HWAAT can be used for making further integrity checks of reloaded functional units HWAA1, HWAA2 with the same functionality.

    [0045] If it is detected in the comparison step 104 that the output data of the loaded reloadable functional unit HWAA1, HWAA2 deviate from the output data of the corresponding twin functional unit HWAAT, e.g., during the predetermined time duration, then the loaded reloadable functional unit HWAA1, HWAA2 is disabled or not enabled in an alarm step 106. Furthermore, an alarm or error message may be output in the alarm step 106, which provides an alert about the failed integrity check of the functional unit HWAA1, HWAA2.

    [0046] An exemplary representation of a data flow during the execution step 103 and the subsequent comparison step 104 is shown in FIG. 3a, with the dynamically reconfigurable region DPR of the electronic component BE shown schematically as an example in FIG. 1, which is set up to perform the method in accordance with the invention. For checking the integrity, a twin functional unit HWAAT is provided in the container Ct, which has the same standard functionality as a functional unit HWAA1 reloaded into the first container C1 at runtime of the component BE.

    [0047] In the execution step 103, identical or the same input data IN (e.g., test sequence, test vector) are supplied via the respective input interface IIF to the reloaded functional unit HWAA1 and to the associated twin functional unit HWAAT, which are processed in parallel by the functional unit HWAA1 and the twin functional unit HWAAT. The functional unit HWAA1 generates the output data O_HWAA1 based on the input data IN in accordance with its functionality, and the output data O_HWAA1 is then forwarded to the comparison logic CL via the output interface OIF of the container C1. The twin functional unit HWAAT generates the output data O_HWAAT from the input data IN in accordance with its functionality, which corresponds to the functionality of the functional unit HWAA1. The output data O_HWAAT from the twin functional unit HWAAT are forwarded via the output interface OIF both to the comparison logic CL and directly to the output interface OIFe of the dynamically reconfigurable region DPR or from there as output data OUT to system units of the electronic component BE, which are arranged, e.g., in the static region SBE.

    [0048] In the comparison step 104, the comparison logic compares the output data O_HWAA1 from the reloaded functional unit HWAA1 and the output data O_HWAAT from the associated twin functional unit HWAAT. If the respective output data O_HWAA1, O_HWAAT match, then a change in the data flow occurs in the enabling step 105, by enabling the loaded, reloadable functional unit HWAA1. FIG. 3b shows an exemplary data flow after the loaded, reloadable functional unit HWAA1 is enabled via the dynamically reconfigurable region DPR of the electronic component BE shown schematically as an example in FIG. 1, which is set up to implement the method in accordance with the invention.

    [0049] After the loaded, reloadable functional unit HWAA1 has been enabled, it is connected directly to the output interface OIFe of the dynamically reconfigurable region DPR or from there to system units of the electronic component BE. The connection to the comparison logic CL established in loading step 102 is disconnected. This means that the output data O_HWAA1 generated from the input data IN by the functional unit HWAA1 is now forwarded directly as output data OUT to the system units of the electronic component BE, because the integrity of the functional unit HWAA1 has been checked and established. Furthermore, the connection of the twin functional unit HWAAT, associated with the functional unit HWAA1, to the comparison logic CL is disconnected. In addition, the connection of the twin unit HWAAT to the output interface OIFe of the dynamically reconfigurable region DPR or from there to system units of the electronic component BE can also be disconnected. Alternatively, however, this connection can also be retained, as shown by way of example in FIG. 3b. The trustworthy twin unit HWAAT can now be used for further integrity checks of functional units HWAA1, HWAA2 that can be reloaded into the dynamically reconfigurable region DPR of the electronic component BE and have the same standard functionality as the twin functional unit HWAAT.
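    The following simulation is an added illustration, not part of the patent text or of any manufacturer's implementation, of the sequence in steps 101 to 106 and of the data-flow change between FIG. 3a and FIG. 3b. The containers, interface type names ("IIF-A", "OIF-A"), the CRC-8 functionality of the units and the test vector are all constructed for the example; the patent does not specify what function the units implement. The trusted twin HWAAT and the reloaded unit HWAA1 are two different implementations of the same function (bitwise versus table-driven CRC-8), which is exactly the situation the comparison logic CL has to handle: identical output from non-identical structure. A third, deliberately faulty unit deviates only after six cycles, to show why the comparison duration (claim 16) and the test data sequence (claim 17) have to be long enough to expose a latent deviation.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# --- Functional units: modelled as clocked blocks with reset() and one step() per input word ---

def _crc8_shift(crc: int) -> int:
    """Eight shift/xor rounds of CRC-8 with polynomial 0x07 (constructed unit function)."""
    for _ in range(8):
        crc = ((crc << 1) ^ 0x07) & 0xFF if crc & 0x80 else (crc << 1) & 0xFF
    return crc

class TwinCrc8:
    """Trusted twin HWAAT: bitwise CRC-8, fixed at design time."""
    def reset(self) -> None:
        self.crc = 0
    def step(self, word: int) -> int:
        self.crc = _crc8_shift(self.crc ^ word)
        return self.crc

class ReloadedCrc8:
    """Reloadable HWAA1: same function as the twin, but table-driven (different structure)."""
    TABLE = [_crc8_shift(i) for i in range(256)]
    def reset(self) -> None:
        self.crc = 0
    def step(self, word: int) -> int:
        self.crc = self.TABLE[self.crc ^ word]
        return self.crc

class TamperedCrc8(ReloadedCrc8):
    """Constructed faulty bitstream: correct for six cycles, then flips one output bit."""
    def reset(self) -> None:
        super().reset()
        self.cycles = 0
    def step(self, word: int) -> int:
        out = super().step(word)
        self.cycles += 1
        return out ^ 0x01 if self.cycles > 6 else out

# --- Containers of the dynamically reconfigurable region DPR and their output routing ---

@dataclass
class Container:
    name: str
    iif: str                   # input interface type of the container
    oif: str                   # output interface type of the container
    unit: object = None        # functional unit currently configured in it
    routes: tuple = ()         # where OIF is connected: "CL" and/or "OIFe"

@dataclass
class Bitstream:
    """Configuration file of a reloadable unit together with its declared interfaces."""
    name: str
    iif: str
    oif: str
    unit: object

def interfaces_match(container: Container, bs: Bitstream) -> bool:
    """A unit may only be loaded into a container type with the same IIF/OIF."""
    return (bs.iif, bs.oif) == (container.iif, container.oif)

def configure_twin(ct: Container, twin) -> None:
    """Step 101: twin preconfigured in Ct, connected to CL and directly to OIFe."""
    ct.unit = twin
    ct.routes = ("CL", "OIFe")

def load_unit(container: Container, bs: Bitstream) -> None:
    """Step 102: load the bitstream; for now its output reaches only the comparison logic."""
    if not interfaces_match(container, bs):
        raise ValueError(f"{bs.name}: interfaces do not match container {container.name}")
    container.unit = bs.unit
    container.routes = ("CL",)

def integrity_check(container: Container, ct: Container, test_sequence: bytes) -> Tuple[str, int]:
    """Steps 103-106: reset both units, run them in lock step on the test sequence and
    compare every output word in CL. Returns ("ENABLED", cycles) or ("ALARM", first_mismatch)."""
    container.unit.reset()
    ct.unit.reset()
    for cycle, word in enumerate(test_sequence):
        o_hwaa1 = container.unit.step(word)
        o_hwaat = ct.unit.step(word)
        if o_hwaa1 != o_hwaat:
            container.routes = ()          # step 106: unit stays disabled, alarm raised
            return ("ALARM", cycle)
    container.routes = ("OIFe",)           # step 105: CL link dropped, OIFe connected
    return ("ENABLED", len(test_sequence))

def oife_source(container: Container, ct: Container) -> Optional[str]:
    """Which container feeds OUT: the twin during the check (FIG. 3a),
    the reloaded unit once it has been enabled (FIG. 3b)."""
    if "OIFe" in container.routes:
        return container.name
    return ct.name if "OIFe" in ct.routes else None

TEST_VECTOR = bytes(range(0x10, 0x20))   # constructed test sequence; its length is the comparison duration

def demo() -> dict:
    """Run the check once with a correct and once with a tampered reloaded unit."""
    ct = Container("Ct", "IIF-A", "OIF-A")
    configure_twin(ct, TwinCrc8())
    results = {}
    for label, unit in (("good", ReloadedCrc8()), ("tampered", TamperedCrc8())):
        c1 = Container("C1", "IIF-A", "OIF-A")
        load_unit(c1, Bitstream("HWAA1-" + label, "IIF-A", "OIF-A", unit))
        source_during = oife_source(c1, ct)
        verdict = integrity_check(c1, ct, TEST_VECTOR)
        results[label] = (source_during, verdict, oife_source(c1, ct))
    return results

if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

    Running the script shows the correct unit enabled after 16 cycles with OUT switched from Ct to C1, while the tampered unit raises the alarm at cycle 6 and OUT stays on the twin. Checking the same tampered unit against only the first four words of the test vector enables it, which is the failure mode the predetermined time duration in [0042] is meant to rule out.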

    [0050] Thus, while there have been shown, described and pointed out fundamental novel features of the invention as applied to a preferred embodiment thereof, it will be understood that various omissions and substitutions and changes in the form and details of the methods described, and in their operation, may be made by those skilled in the art without departing from the spirit of the invention. For example, it is expressly intended that all combinations of those method steps which perform substantially the same function in substantially the same way to achieve the same results are within the scope of the invention. Moreover, it should be recognized that method steps shown and/or described in connection with any disclosed form or embodiment of the invention may be incorporated in any other disclosed or described or suggested form or embodiment as a general matter of design choice. It is the intention, therefore, to be limited only as indicated by the scope of the claims appended hereto.