METHOD, COMPUTER PROGRAM AND APPARATUS FOR PERFORMING A BOOT PROCESS FOR A SYSTEM

20220326961 · 2022-10-13

    Abstract

    The present invention relates to a method, to a computer program containing instructions and to an apparatus for performing a boot process for a system that supports redundant copies of boot images. In a first step, an active copy of the boot images is determined (S1). Then the active copy of the boot images is processed (S2). In response to a successful boot process, another copy of the boot images is then set (S3) as the active copy for a subsequent boot process.

    Claims

    1. A method for performing a boot process for a system that supports redundant copies of boot images (BI.sub.Ai, BI.sub.Bi), having the steps: determining an active copy of the boot images (BI.sub.Ai, BI.sub.Bi); processing the active copy of the boot images (BI.sub.Ai, BI.sub.Bi); and setting another copy of the boot images (BI.sub.Ai, BI.sub.Bi) as the active copy for a subsequent boot process in response to a successful boot process.

    2. The method as claimed in claim 1, wherein at least one flag (F, F.sub.i) is used to indicate the active copy of the boot images (BI.sub.Ai, BI.sub.Bi).

    3. The method as claimed in claim 2, wherein the at least one flag (F, F.sub.i) is stored in a memory of the system or is provided by an external unit.

    4. The method as claimed in claim 3, wherein the at least one flag (F, F.sub.i) is set for individual stages of a boot sequence or globally for the boot sequence.

    5. The method as claimed in claim 4, wherein, in response to ascertaining corruption of an active copy of a boot image (BI.sub.Ai, BI.sub.Bi), a corresponding redundant copy of the affected boot image (BI.sub.Ai, BI.sub.Bi) is processed.

    6. The method as claimed in claim 5, wherein, after the processing of the redundant copy of the boot image (BI.sub.Ai, BI.sub.Bi), the corrupted active copy of the boot image (BI.sub.Ai, BI.sub.Bi) is repaired.

    7. The method as claimed in claim 6, wherein redundant copies of the boot images (BI.sub.Ai, BI.sub.Bi) are available only for individual stages of a boot sequence.

    8. The method as claimed in claim 7, wherein, in response to an update process for a loadable software component or a loadable firmware component, the method is suspended until successful completion of the update process.

    9. A non-transitory computer-readable medium having stored thereon a computer program containing instructions that, when executed by a computer, cause the computer to perform a boot process for a system that supports redundant copies of boot images (BI.sub.Ai, BI.sub.Bi), the boot process having operations comprising: determining an active copy of the boot images (BI.sub.Ai, BI.sub.Bi); processing the active copy of the boot images (BI.sub.Ai, BI.sub.Bi); and setting another copy of the boot images (BI.sub.Ai, BI.sub.Bi) as the active copy for a subsequent boot process in response to a successful boot process.

    10. An apparatus for performing a boot process for a system that supports redundant copies of boot images (BI.sub.Ai, BI.sub.Bi), having: an analysis unit for determining an active copy of the boot images (BI.sub.Ai, BI.sub.Bi); and a processing unit for processing the active copy of the boot images (BI.sub.Ai, BI.sub.Bi) and for setting another copy of the boot images (BI.sub.Ai, BI.sub.Bi) as the active copy for a subsequent boot process in response to a successful boot process.

    11. The non-transitory computer-readable medium as claimed in claim 9, wherein at least one flag (F, F.sub.i) is used to indicate the active copy of the boot images (BI.sub.Ai, BI.sub.Bi).

    12. The non-transitory computer-readable medium as claimed in claim 11, wherein the at least one flag (F, F.sub.i) is stored in a memory of the system or is provided by an external unit.

    13. The non-transitory computer-readable medium as claimed in claim 12, wherein the at least one flag (F, F.sub.i) is set for individual stages of a boot sequence or globally for the boot sequence.

    14. The non-transitory computer-readable medium as claimed in claim 13, wherein, in response to ascertaining corruption of an active copy of a boot image (BI.sub.Ai, BI.sub.Bi), a corresponding redundant copy of the affected boot image (BI.sub.Ai, BI.sub.Bi) is processed.

    15. The non-transitory computer-readable medium as claimed in claim 14, wherein, after the processing of the redundant copy of the boot image (BI.sub.Ai, BI.sub.Bi), the corrupted active copy of the boot image (BI.sub.Ai, BI.sub.Bi) is repaired.

    16. The non-transitory computer-readable medium as claimed in claim 15, wherein redundant copies of the boot images (BI.sub.Ai, BI.sub.Bi) are available only for individual stages of a boot sequence.

    17. The non-transitory computer-readable medium as claimed in claim 16, wherein, in response to an update process for a loadable software component or a loadable firmware component, the method is suspended until successful completion of the update process.

    Description

    BRIEF DESCRIPTION OF THE DRAWINGS

    [0033] FIG. 1 shows schematically a method for performing a boot process for a system;

    [0034] FIG. 2 shows schematically a first embodiment of an apparatus for performing a boot process for a system;

    [0035] FIG. 3 shows schematically a second embodiment of an apparatus for performing a boot process for a system;

    [0036] FIG. 4 shows schematically a means of transport in which a solution according to the invention is implemented;

    [0037] FIG. 5 shows schematically a multi-stage boot sequence according to the prior art when no corrupted boot image is present;

    [0038] FIG. 6 shows schematically a multi-stage boot sequence according to the prior art when a corrupted boot image is present;

    [0039] FIG. 7 shows schematically a multi-stage boot sequence according to the invention when no corrupted boot image is present;

    [0040] FIG. 8 shows schematically a multi-stage boot sequence according to the invention after a changeover of the active copy when a corrupted boot image is present.

    DETAILED DESCRIPTION

    [0041] For a better understanding of the principles of the present invention, embodiments of the invention will be explained in more detail below with reference to the figures. The same reference signs will be used in the figures for identical or functionally identical elements and are not necessarily described again for each figure. It is to be understood that the invention is not restricted to the illustrated embodiments and that the features described can also be combined or modified without departing from the scope of protection of the invention as defined in the appended claims.

    [0042] FIG. 1 shows schematically a method for performing a boot process for a system that supports redundant copies of boot images. In this case, redundant copies of the boot images may be available for all the stages or only for individual stages of a boot sequence. In a first step, an active copy of the boot images is determined S1. This can be indicated, for example, by at least one flag. The at least one flag may be stored, for example, in a memory of the system, or can be provided by an external unit, and may be set for individual stages of the boot sequence or globally for the boot sequence. Then the active copy of the boot images is processed S2. In response to a successful boot process, another copy of the boot images is then set S3 as the active copy for a subsequent boot process. If corruption of an active copy of a boot image is ascertained during the boot process, then preferably a corresponding redundant copy of the affected boot image is processed. After the processing of the redundant copy, the corrupted active copy of the boot image can then be repaired. In response to an update process for a loadable software component or a loadable firmware component, the method is preferably suspended until successful completion of the update process.

    [0043] FIG. 2 shows a simplified schematic diagram of a first embodiment of an apparatus 20 for performing a boot process for a system that supports redundant copies of boot images. In this case, redundant copies of the boot images may be available for all the stages or only for individual stages of a boot sequence. The apparatus 20 has an input 21, via which can be received, for example, updated software components or firmware components or data provided by an external unit. An analysis unit 22 is designed to determine an active copy of the boot images. This can be indicated, for example, by at least one flag. The at least one flag may be stored, for example, in a memory of the system, or can be provided by an external unit, and may be set for individual stages of the boot sequence or globally for the boot sequence. A processing unit 23 is designed to process the active copy of the boot images. This usually includes checking the boot image of the currently next stage of the boot sequence, for instance using a signature check to establish its validity. The processing unit 23 is also designed to set, in response to a successful boot process, another copy of the boot images as the active copy for a subsequent boot process. In the case of externally provided flag(s), this would also be performed by a higher-level external supervisor instance. Data for further use can be output via an output 26 of the apparatus 20. If corruption of an active copy of a boot image is ascertained by the processing unit 23 during the boot process, then preferably a corresponding redundant copy of the affected boot image is processed. After the processing of the redundant copy, the corrupted active copy of the boot image can then be repaired. In response to an update process for a loadable software component or a loadable firmware component, the method is preferably suspended until successful completion of the update process.

    [0044] The analysis unit 22 and the processing unit 23 can be controlled by a control unit 24. Settings for the analysis unit 22, the processing unit 23 or the control unit 24 can be altered, if applicable, via a user interface 27. The data that accrues in the apparatus 20 can be stored in a memory 25 of the apparatus 20 if necessary, for example for later analysis or for use by the components of the apparatus 20. The analysis unit 22, the processing unit 23 and the control unit 24 can be implemented as dedicated hardware, for example as integrated circuits. However, they can of course also be implemented partly or fully in combination or as software that runs on a suitable processor, for example on a GPU or a CPU. The input 21 and the output 26 can be implemented as separate interfaces or as a combined interface.

    [0045] FIG. 3 shows a simplified schematic diagram of a second embodiment of an apparatus 30 for performing a boot process for a system that supports redundant copies of boot images. The apparatus 30 has a processor 32 and a memory 31. For example, the apparatus 30 is a control module. Stored in the memory 31 are instructions which, when executed by the processor 32, cause the apparatus 30 to perform the steps according to one of the methods described. The instructions stored in the memory 31 thus embody a program which is executable by the processor 32 and which realizes the method according to the invention. The apparatus 30 has an input 33 for receiving information from a component of a control system. Data generated by the processor 32 is provided via an output 34. Furthermore, said data can be stored in the memory 31. The input 33 and the output 34 can be combined to form a bidirectional interface.

    [0046] The processor 32 can comprise one or more processor units, for example microprocessors, digital signal processors or combinations thereof.

    [0047] The memories 25, 31 of the described apparatuses may contain both volatile and nonvolatile memory areas and may comprise a wide variety of storage devices and storage media, for example hard disks, optical storage media or semiconductor memories.

    [0048] FIG. 4 shows schematically a means of transport 40 in which a solution according to the invention is implemented. The means of transport 40 is a motor vehicle in this example. The motor vehicle comprises at least one computer unit 41 that supports redundant copies of boot images. The computer unit 41 comprises an apparatus 20, 30 according to the invention for performing a boot process. The motor vehicle also comprises at least one assistance system 42, which assists an operator of the motor vehicle during driving. In this example, further elements of the motor vehicle are a navigation system 43 and a data transfer unit 44. A connection to a back-end, for instance for receiving updated software for the computer unit 41 or other components of the motor vehicle, can be established by means of the data transfer unit 44. A memory 45 is present for storing data. Alternatively, this may also be present locally at the various units 41-44 in distributed form. Data is exchanged between the various components of the motor vehicle via a network 46.

    [0049] FIG. 5 shows schematically a multi-stage boot sequence according to the prior art when a corrupted boot image is not present. In the example shown, the system supports redundant copies of boot images BI.sub.Ai, BI.sub.Bi for all the stages of the boot sequence. In addition, a global flag F is used, by means of which the same active copy (copy A or B) is selected for all the stages. It is also possible to use individual flags F.sub.i for individual stages or all the stages. In this example, the stages comprise two bootloader stages (BL1 and BL2), a hypervisor stage (HV) and a series of stages of virtual machines (VM1 to VMn). Two copies of the boot images BI.sub.Ai, BI.sub.Bi are stored in a flash memory 51 for all the stages of the boot sequence. The active copy that is meant to be used for the multi-stage boot sequence is defined by setting the global flag. In FIG. 5, copy A is selected as the active copy and accordingly retrieved by a controller 50. In each stage of the boot sequence, the boot image BI.sub.Ai, BI.sub.Bi of the next stage is read from the flash memory 51 and, in the case of a secure boot, validated. Therefore the boot code of each stage can identify a corrupted active copy of the boot image BI.sub.Ai, BI.sub.Bi of the next stage, for instance from information about read errors during access to the flash memory 51, or from a failed validation of the boot image BI.sub.Ai, BI.sub.Bi. In FIG. 5, none of the boot images BI.sub.Ai, BI.sub.Bi is corrupted, and therefore the boot sequence can be executed without accessing the redundant copies of the images BI.sub.Ai, BI.sub.Bi.

    [0050] FIG. 6 shows schematically the multi-stage boot sequence from FIG. 5 for the case when a corrupted boot image BI.sub.Ai, BI.sub.Bi is present. In the example shown, the copy A of the boot image BI.sub.Ai of the second bootloader stage is corrupt. The boot code of the first bootloader stage identifies this corruption, with the result that instead of copy A, copy B of the boot image BI.sub.Bi of the second bootloader stage is accessed. Access then returns to copy A for the subsequent stages. In the example shown, the hypervisor stage carries out a repair to the boot image BI.sub.Ai of the second bootloader stage by replacing the corrupted copy A of the boot image BI.sub.Ai with the intact copy B of the boot image BI.sub.Bi.

    [0051] FIG. 7 shows schematically a multi-stage boot sequence according to the invention when no corrupted boot image BI.sub.Ai, BI.sub.Bi is present. In the solution according to the invention, after every boot process, or at least after a defined number of boot processes, another copy of a boot image BI.sub.Ai, BI.sub.Bi is set as the active copy for the next boot process. This can be done simply by setting the global flag F, or the individual flags F.sub.i, to a new value. During the next boot process, the other copies of the boot images BI.sub.Ai, BI.sub.Bi are then accessed, with the result that these are now checked and, if necessary, repaired. This is illustrated by way of example in FIG. 8.
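    The multi-stage sequence of FIG. 5 to FIG. 7 (global flag F, fallback to the redundant copy of a corrupted stage image, repair of the corrupted copy, and switching the active copy after a successful boot) can be simulated as below. This is an added, hypothetical example and not code from the patent: the stage images live in a simulated flash array, a simple checksum stands in for the secure-boot signature check, and the repair is done in the same stage that detected the corruption rather than by the hypervisor stage.

```c
/* Added example (hypothetical): A/B boot sequence with a global flag F.
 * flash[copy][stage] holds copy A (0) and copy B (1) of every stage image;
 * digest() stands in for the signature check of a secure boot. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define STAGES  4          /* BL1, BL2, HV, VM1 */
#define IMG_LEN 8

typedef struct { uint8_t data[IMG_LEN]; uint8_t check; } boot_image_t;

static boot_image_t flash[2][STAGES];   /* [copy A=0 / B=1][stage] */
static int flag_F = 0;                  /* global flag: active copy for next boot */

static uint8_t digest(const uint8_t *d) {
    uint8_t c = 0x5A;
    for (size_t i = 0; i < IMG_LEN; i++) c ^= (uint8_t)(d[i] + i);
    return c;
}
static bool image_valid(const boot_image_t *img) {
    return digest(img->data) == img->check;
}
/* Write identical, valid images to both copies of every stage; F selects copy A. */
void flash_init(void) {
    for (int s = 0; s < STAGES; s++) {
        memset(flash[0][s].data, 0x10 + s, IMG_LEN);
        flash[0][s].check = digest(flash[0][s].data);
        flash[1][s] = flash[0][s];
    }
    flag_F = 0;
}
/* Simulate a flash read error / tampered image in one copy of one stage. */
void flash_corrupt(int copy, int stage) { flash[copy][stage].data[0] ^= 0xFF; }
int active_copy(void) { return flag_F; }

/* One boot process (S1..S3). Returns 0 on success, -1 if some stage has no
 * intact copy. fallbacks/repairs count stages booted from the other copy. */
int run_boot(int *fallbacks, int *repairs) {
    int active = flag_F;                          /* S1: determine active copy */
    *fallbacks = *repairs = 0;
    for (int s = 0; s < STAGES; s++) {            /* S2: validate each stage image */
        boot_image_t *act = &flash[active][s], *red = &flash[1 - active][s];
        if (!image_valid(act)) {
            if (!image_valid(red)) return -1;     /* both copies corrupt: boot fails */
            (*fallbacks)++;                       /* process the redundant copy */
            *act = *red;                          /* repair the corrupted active copy */
            (*repairs)++;
        }                                         /* next stage reads the active copy again */
    }
    flag_F = 1 - active;                          /* S3: other copy becomes active */
    return 0;
}
```

Because the flag alternates after every successful boot, the second run in the test exercises copy B and would detect a latent corruption there, which the prior-art sequence of FIG. 5 never reads.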