The present application claims priority from Japanese application JP 2007-018701 filed on Jan. 30, 2007, the content of which is hereby incorporated by reference into this application.
The present invention relates to control of invocation authorization of data processing performed under the control of another operating system and to control of access authorization with respect to a shared hardware resource. Further, the present invention relates to a technique effective for improvement of reliability and security provided when an application program is executed in a data processing system using a microcomputer such as a multi-core processor in which multiple operating systems are operated on multiple central processing units, for example.
In recent years, the integration of microprocessors has advanced, and a multi-core processor having multiple individual central processing units (CPUs) has been developed as a multi-core system. In order to operate an application program on the multi-core processor having the multiple CPUs, it is necessary to have multiple operating systems (OSs), which are basic systems, and a method is required to exchange data between the OSs and to execute, in one of the OSs, a function belonging to another one of the OSs without paying attention to the existence of the multiple CPUs and OSs. To handle such cases, JP-A No. 2003-345614 proposes a technique in which an OS for a single processor and an existing application program are operated in a multiprocessor system and parallel processing performed by the multiprocessor system is realized for the application program. For example, a unit of process that can be handled in parallel in an application program executed in a first CPU is operated as a new unit of process in a second CPU.
In a multi-core processor in which a number of CPUs and other circuit modules are integrated on a single chip, complicated functions are associated with each other, and, therefore, reliability of the execution of an application needs to be assured. For example, when a memory space is partitioned into logical domains, invocation of data processing from an OS belonging to one of the domains needs to be partially restricted. However, if such restriction is fixed, the flexibility which allows invocation of data processing across the domains, which have different OSs, is impaired. Therefore, it is necessary to achieve both the invocation of data processing across the domains, which have different OSs, and assured security for the execution of an application. Further, the inventors of the present invention have found that, in order to improve the security, it is necessary not only to control the invocation of data processing belonging to a different OS from an application, but also to control access enable/disable with respect to a shared resource such as a memory, based on access authorization.
An object of the present invention is to provide a data processing system which can realize, in a multi-CPU system in which multiple OSs each used for single CPU are operated, parallel data processing performed by one application program and improvement of security for invocation of a function over the multiple OSs.
Another object of the present invention is to provide a data processing system which can improve security for access to a shared resource in a multi-CPU system in which multiple OSs each used for single CPU are operated.
The above-mentioned and other objects and new characteristics of the present invention will be apparent from the description of the specification and the accompanying drawings.
An outline of a representative form of the present invention will be briefly described below.
In the present invention, a system configuration is divided into multiple layers and authorization is determined at two levels, an upper level and a lower level. At the upper level, a function invocation authorization management table managed by the multiple OSs is provided. The function invocation authorization management table describes for a functional feature which function, task, or the like can be used to call the functional feature. An invocation sequence changing means which handles function invocation from a certain OS to another OS determines whether the function invocation has been authorized by referring to invocation authorization information described in the function invocation authorization management table. Further, at the lower level, access authorization for access to a hardware resource such as a memory eventually reached when the invocation processing is converted is checked using hardware.
Effects of the representative form of the present invention will be briefly described below.
It is possible to realize, in a multi-CPU system in which multiple OSs each used for a single CPU are operated, parallel data processing performed by one application program and improvement of security for invocation of a function over the multiple OSs.
Further, it is possible to improve security for access to a shared resource in a multi-CPU system in which multiple OSs each used for a single CPU are operated.
First, outlines of representative forms of embodiment of the present invention will be described. In the description of the representative forms of the embodiment, the reference numerals in the drawings, which are referred to in parentheses, merely and partially indicate the concepts of the components to which they are given.
[1] A data processing system according to one representative form of the present invention includes: a memory area (100) used to store data and a program; multiple central processing units (101 to 103) for executing the program stored in the memory area; and an access authorization management module (140) for managing resource access authorization with respect to a hardware resource available for the multiple central processing units. When one central processing unit of the multiple central processing units performs data processing under the control of an operating system, the central processing unit controls invocation enable/disable of another data processing function performed under the control of another operating system, by referring to a function invocation authorization management table (151). This control performed based on the function invocation authorization assures security in an upper layer. The access authorization management module receives access authorization control information (250, 240) for the hardware resource, and controls access enable/disable with respect to the hardware resource corresponding to the access authorization control information, according to an entry that is included in an access authorization management table (261) and corresponds to the received access authorization control information. This control performed based on the access authorization assures security in a lower layer.
According to the above-mentioned data processing system, it is possible to restrict access to a hardware resource such as a memory based on the access authorization used in the lower layer, which is stronger than the authorization set by an OS in the upper layer, by using a function provided by hardware at the time of system design. At the time of application development, the function invocation authorization used in the upper layer can be set flexibly according to the services or procedures/functions to be used by an application, without paying attention to the restriction provided at the time of system design. Significant access authorization which may have a large influence on system behavior is checked by a lower-layer mechanism using hardware, so that high-level security is assured by eliminating the influence of unauthorized function invocation through an application program.
Accordingly, function invocation enable/disable can be designed as desired for each function in an application program at the time of software development. High-level security is assured by control of function invocation authorization and control of access authorization performed in domains as units, in each of which one CPU performs data processing under the control of one OS. As a result, a highly reliable data processing system can be realized.
As one concrete form of the present invention, the memory area includes a shared area (100_3) accessible in a privileged mode in which the central processing unit executes the operating system, and the shared area stores the function invocation authorization management table. It is hard to falsify the function invocation authorization management table through an unauthorized application program.
As another concrete form of the present invention, the function invocation authorization management table contains a name of a procedure/function which identifies data processing, information on an operating system which has the procedure/function and controls execution of the procedure/function, and invocation authorization information on invocation authorization of an operating system other than the operating system which has the procedure/function, with respect to the procedure/function. Function invocation authorization can be managed with such a small amount of information.
As still another concrete form of the present invention, the access authorization management table is rewritable in a higher-level privileged mode which is superior to the privileged mode, in which the central processing unit executes the operating system. Even when the function invocation authorization management in the upper level is violated in an unauthorized manner, the access authorization management in the lower level can be prevented from being violated at the same time.
As still another concrete form of the present invention, the access authorization management table contains an address range and access authorization information with respect to the address range. The access authorization information contains information on the type of an operating system for which access is allowed and access type information indicating whether the allowed access is read or write. Access authorization can be managed with such a small amount of information.
[2] A data processing system according to another representative form of the present invention includes: a memory area used to store data and a program; and multiple central processing units for executing the program stored in the memory area. When an operating system (OS1) calls one procedure/function (F) executed under the control of another operating system (OS2), one central processing unit of the central processing units that operates under the control of the operating system refers to a first data section (the name of the procedure/function, and an OS which has the procedure/function) of a function invocation authorization management table (151) to find out an operating system on which the procedure/function is executed, and, when the procedure/function is executed under the control of the other operating system, determines whether to allow the operating system to call the procedure/function, by referring to a second data section (authorization) of the function invocation authorization management table.
With the above-mentioned configuration, it is possible to set function invocation authorization used in the upper layer, in a flexible manner by services or procedures/functions to be used by an application, and also to assure security by eliminating an influence caused by unauthorized function invocation through an application program.
As one concrete form of the present invention, an access authorization management module for managing resource access authorization with respect to a hardware resource available for the multiple central processing units is further provided. The access authorization management module receives access authorization control information for the hardware resource, and controls access enable/disable with respect to the hardware resource corresponding to the access authorization control information, according to an entry that is included in an access authorization management table and corresponds to the received access authorization control information.
With the above-mentioned configuration, it is possible to restrict access to a hardware resource such as a memory based on access authorization used in the lower layer stronger than authorization used in the upper layer that is set by an OS. Significant access authorization which may have a large influence on a system behavior is checked by a lower-layer mechanism in a hardware manner, so that high-level security can be assured by eliminating an influence caused by unauthorized function invocation through an application program.
[3] A data processor according to still another representative form of the present invention includes: multiple central processing units for executing a program; and an access authorization management module for managing resource access authorization with respect to a hardware resource available for the multiple central processing units, and is formed on a single chip. When an operating system calls one procedure/function and parameters of the procedure/function executed under the control of another operating system, one central processing unit of the central processing units that operates under the control of the operating system refers to a first data section of a function invocation authorization management table to find out an operating system on which the procedure/function and the parameters are executed, and, when the procedure/function and the parameters are executed under the control of the other operating system, determines whether to allow the operating system to call the procedure/function and its parameters, by referring to a second data section of the function invocation authorization management table.
A first embodiment will be described in detail.
Each of the operating systems (OS1, OS2, and OS3) 171 to 173 is used for a single CPU. The data processing system according to the present invention realizes a multi-CPU system in which the multiple operating systems (OS1, OS2, and OS3) 171 to 173 are operated. In the data processing system, when data processing is performed according to one application program, the central processing units (CPU1, CPU2, and CPU3) 101 to 103 use the invocation authorization database (TCADB) 151 and the invocation authorization management program (TCACNT) 152 to call a data processing function over the multiple operating systems (OS1, OS2, and OS3) 171 to 173 and to maintain security. In addition to the above security maintenance performed in the upper layer, security maintenance in the lower layer is performed by the access authorization management module (AACNT) 140 based on an access address and the like, when the central processing units (CPU1, CPU2, and CPU3) 101 to 103 access resources such as the memory (MRY) 100 under the control of the operating systems (OS1, OS2, and OS3) 171 to 173. Hereinafter, a detailed description will be given of a configuration for the security maintenance in the upper layer and the lower layer.
The invocation authorization management program (TCACNT) 152 refers to the invocation authorization database (TCADB) 151 to decide whether to allow data reference or function invocation such as invocation of an application or a utility on a certain operating system from an application of another operating system. The invocation authorization database (TCADB) 151 is only one invocation authorization database built in the memory (MRY) 100, for the entire data processing system.
The resource partitioning utility (CRDD) 120 adds a proper offset value to the value of a memory address to be referred to by the application program (APPL) 180 and the operating systems (OS1, OS2, and OS3) 171 to 173, in cooperation with a hardware circuit such as an address computing unit, to allow the actual reference location on the memory (MRY) 100 to be physically shifted without being known by the application program (APPL) 180 and the operating systems (OS1, OS2, and OS3) 171 to 173. Therefore, even when the storage area of the memory (MRY) 100 is partitioned into areas for CPU1, CPU2, and the like, the application program (APPL) 180 and the operating systems (OS1, OS2, and OS3) 171 to 173 just need to manage an address space starting at address “0”. The central processing units (CPU1, CPU2, and CPU3) 101 to 103 access resources via the resource partitioning utility (CRDD) 120.
The access authorization management module (AACNT) 140 is a hardware circuit and checks a memory address output to the transfer bus (BUS) 130. A range of memory addresses and access authorization are specified in advance in the access authorization management module (AACNT) 140, so that it is possible to check whether a memory address accessed when the application program (APPL) 180 and the operating systems (OS1, OS2, and OS3) 171 to 173 are executed is permitted.
The entry data included in the access authorization management table (AATLB) 261 is used to check a violation of access authorization, and cannot be written by the operating systems (OS1, OS2, and OS3) 171 to 173 or the application program (APPL) 180, serving as a user program. In general, a CPU is operated in one of multiple operation modes classified into a user mode and a privileged mode. When the CPU is operated in the user mode, there are CPU resources that are not accessible and instructions that cannot be executed. The central processing units (CPU1, CPU2, and CPU3) 101 to 103 are provided with a higher-level privileged mode which is superior to the privileged mode. The entry data of the address range (ADRSFLD) and the access authorization (ACCA), included in the access authorization management table (AATLB) 261, is a resource that cannot be written in the privileged mode but can be rewritten only in the higher-level privileged mode. The utility program (FRM) 110 such as the resource partitioning utility (CRDD) 120 is software to be executed in the higher-level privileged mode. The utility program (FRM) 110 is executed when operation processing in the higher-level privileged mode is requested.
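The lower-layer mechanism described above (CRDD address offset, AATLB entries of address range and access authorization, AACNT check on the bus, and the rule that the table is writable only in the higher-level privileged mode) can be modelled in software as follows. This is an added example, not code from the patent or from the data processor it describes: the entry layout (`struct aatlb_entry` with an OS bit mask and read/write bits), the `cpu_mode` enum, the per-OS offsets in `crdd_offset`, the function names and the sample memory layout are all assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed operation modes: ordinary user/privileged modes plus the
 * higher-level privileged mode in which the AATLB may be rewritten. */
enum cpu_mode { MODE_USER, MODE_PRIV, MODE_HIGHER_PRIV };
enum access_type { ACC_READ = 1, ACC_WRITE = 2 };

/* One AATLB entry: address range (ADRSFLD) and access authorization (ACCA),
 * here modelled as "which OSs" (bit n set = OS(n+1)) and "read and/or write". */
struct aatlb_entry {
    uint32_t base;      /* first physical address of the range */
    uint32_t limit;     /* last physical address of the range (inclusive) */
    unsigned os_mask;   /* OSs allowed to touch the range */
    unsigned acc_mask;  /* ACC_READ | ACC_WRITE */
};

#define AATLB_MAX 8
#define NUM_OS    3
static struct aatlb_entry aatlb[AATLB_MAX];
static int aatlb_count;

int aatlb_size(void) { return aatlb_count; }

/* Entries can be written only from the higher-level privileged mode; an OS in
 * the ordinary privileged mode (or a user program) is refused. */
bool aatlb_set_entry(enum cpu_mode mode, uint32_t base, uint32_t limit,
                     unsigned os_mask, unsigned acc_mask)
{
    if (mode != MODE_HIGHER_PRIV || aatlb_count >= AATLB_MAX)
        return false;
    struct aatlb_entry e = { base, limit, os_mask, acc_mask };
    aatlb[aatlb_count++] = e;
    return true;
}

/* CRDD: every OS manages an address space starting at 0; a per-domain offset
 * (assumed values) is added before the address reaches the bus. */
static const uint32_t crdd_offset[NUM_OS + 1] = { 0, 0x00000000u, 0x00100000u, 0x00200000u };

uint32_t crdd_translate(int os_id, uint32_t logical)
{
    return logical + crdd_offset[os_id];   /* unsigned arithmetic wraps on overflow */
}

/* AACNT: check the address seen on the bus against the AATLB. An address that
 * no entry covers, or that an entry covers but does not permit for this OS and
 * access type, is an access authorization violation. */
bool aacnt_check(int os_id, uint32_t phys, enum access_type acc)
{
    if (os_id < 1 || os_id > NUM_OS)
        return false;
    for (int i = 0; i < aatlb_count; i++) {
        const struct aatlb_entry *e = &aatlb[i];
        if (phys < e->base || phys > e->limit)
            continue;
        if ((e->os_mask & (1u << (os_id - 1))) && (e->acc_mask & acc))
            return true;
    }
    return false;
}

/* Full path of one access by an OS: logical address -> CRDD -> AACNT. */
bool domain_access(int os_id, uint32_t logical, enum access_type acc)
{
    if (os_id < 1 || os_id > NUM_OS)
        return false;
    return aacnt_check(os_id, crdd_translate(os_id, logical), acc);
}

/* Constructed sample layout: a 1 MiB private partition per OS, plus a shared
 * area at 0x300000 that every OS may read but only OS1 may write. Returns the
 * number of entries installed. */
int setup_sample_aatlb(void)
{
    aatlb_count = 0;
    aatlb_set_entry(MODE_HIGHER_PRIV, 0x00000000u, 0x000FFFFFu, 1u << 0, ACC_READ | ACC_WRITE);
    aatlb_set_entry(MODE_HIGHER_PRIV, 0x00100000u, 0x001FFFFFu, 1u << 1, ACC_READ | ACC_WRITE);
    aatlb_set_entry(MODE_HIGHER_PRIV, 0x00200000u, 0x002FFFFFu, 1u << 2, ACC_READ | ACC_WRITE);
    aatlb_set_entry(MODE_HIGHER_PRIV, 0x00300000u, 0x003FFFFFu, 0x7u,    ACC_READ);
    aatlb_set_entry(MODE_HIGHER_PRIV, 0x00300000u, 0x003FFFFFu, 1u << 0, ACC_WRITE);
    return aatlb_count;
}

int main(void)
{
    setup_sample_aatlb();
    printf("OS2 write, own partition      : %d\n", domain_access(2, 0x00001000u, ACC_WRITE));
    printf("OS2 write wrapping into OS1   : %d\n", domain_access(2, 0xFFF00000u, ACC_WRITE));
    printf("OS2 read  shared area         : %d\n", domain_access(2, 0x00200000u, ACC_READ));
    printf("OS2 write shared area         : %d\n", domain_access(2, 0x00200000u, ACC_WRITE));
    printf("AATLB write in privileged mode: %d\n",
           aatlb_set_entry(MODE_PRIV, 0u, 0xFFFFFFFFu, 0x7u, ACC_READ | ACC_WRITE));
    return 0;
}
```

The wrap-around case in `main` is the point of having the check in the lower layer: an address the offset arithmetic lands in another domain's partition is not visible to the OS or the application, but the AATLB lookup on the physical address still rejects it, and the table itself cannot be changed from the mode in which the OSs run.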
In the invocation authorization database (TCADB) 151, the name of a procedure/function, parameters, an OS that contains the procedure/function and the parameters, and authorization are registered, which is not particularly limited. In the authorization, for example, “OS1:R” indicates that invocation is allowed for the operating system (OS1) 171, that is, execution of a procedure/function F is allowed for the operating system (OS1) 171. The same applies to parameters “P1” and “P2”.
In
The task invocation processing procedure will be described based on
Referring to
In Step S23, when it is determined that the authorization of the operating system (OS1) 171 with respect to the procedure/function F does not indicate “R”, invocation of the procedure/function F is not allowed for the operating system (OS1) 171 and error processing is performed in the operating system (OS1) 171 (S28).
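The upper-layer decision, in which TCACNT looks up the procedure/function in TCADB to find its OS and then consults the authorization column (the “OS1:R” notation above, and the step S23/S28 outcome), can be modelled as follows. This is an added example, not the patent's own code: the TCADB contents (F, P1 and P2 belonging to OS2, a function G belonging to OS3), the `tca_result` outcomes and the function names are assumptions made for the illustration, and the authorization column is taken to be a space-separated list of “OSn:R” tokens.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the TCACNT decision (assumed names). */
enum tca_result {
    TCA_LOCAL,    /* caller's own OS has the procedure/function */
    TCA_REMOTE,   /* another OS has it and the caller is authorized */
    TCA_DENIED,   /* another OS has it and the caller is not authorized (S28) */
    TCA_UNKNOWN   /* not registered in TCADB */
};

/* One TCADB entry: name of a procedure/function or parameter, the OS that
 * contains it, and the authorization in the page's notation. */
struct tcadb_entry {
    const char *name;
    int owner_os;
    const char *auth;   /* e.g. "OS1:R OS3:R"; an OS not listed is not allowed */
};

/* Constructed sample database. */
static const struct tcadb_entry tcadb[] = {
    { "F",  2, "OS1:R OS3:R" },
    { "P1", 2, "OS1:R OS3:R" },
    { "P2", 2, "OS1:R" },
    { "G",  3, "" },
};
#define TCADB_N (sizeof tcadb / sizeof tcadb[0])

static const struct tcadb_entry *tcadb_find(const char *name)
{
    for (size_t i = 0; i < TCADB_N; i++)
        if (strcmp(tcadb[i].name, name) == 0)
            return &tcadb[i];
    return NULL;
}

/* First data section: which OS contains the procedure/function (0 if unknown). */
int tcadb_owner(const char *name)
{
    const struct tcadb_entry *e = tcadb_find(name);
    return e ? e->owner_os : 0;
}

/* Second data section: does the authorization list contain "OS<caller>:R"? */
static bool auth_grants(const char *auth, int caller_os)
{
    char want[16], buf[64];
    snprintf(want, sizeof want, "OS%d:R", caller_os);
    strncpy(buf, auth, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " "))
        if (strcmp(tok, want) == 0)
            return true;
    return false;
}

/* TCACNT decision for "caller_os calls name". */
enum tca_result tcacnt_check(int caller_os, const char *name)
{
    const struct tcadb_entry *e = tcadb_find(name);
    if (!e)
        return TCA_UNKNOWN;
    if (e->owner_os == caller_os)
        return TCA_LOCAL;
    return auth_grants(e->auth, caller_os) ? TCA_REMOTE : TCA_DENIED;
}

/* A call with parameters (up to two here, NULL = not passed) is allowed only if
 * the procedure/function and every passed parameter are authorized for the caller. */
enum tca_result tcacnt_check_call(int caller_os, const char *fn,
                                  const char *p1, const char *p2)
{
    enum tca_result r = tcacnt_check(caller_os, fn);
    if (r != TCA_LOCAL && r != TCA_REMOTE)
        return r;
    const char *params[2] = { p1, p2 };
    for (int i = 0; i < 2; i++) {
        if (!params[i])
            continue;
        enum tca_result pr = tcacnt_check(caller_os, params[i]);
        if (pr != TCA_LOCAL && pr != TCA_REMOTE)
            return pr;
    }
    return r;
}

int main(void)
{
    printf("OS1 calls F(P1, P2): %d (owner OS%d)\n",
           tcacnt_check_call(1, "F", "P1", "P2"), tcadb_owner("F"));
    printf("OS3 calls F(P1, P2): %d\n", tcacnt_check_call(3, "F", "P1", "P2"));
    printf("OS3 calls F(P1)    : %d\n", tcacnt_check_call(3, "F", "P1", NULL));
    printf("OS1 calls G        : %d\n", tcacnt_check(1, "G"));
    return 0;
}
```

Checking each parameter separately is what the sentence “The same applies to parameters P1 and P2” amounts to in practice: OS3 may call F with P1, but a call that also passes P2 fails at the parameter check and ends in the caller's error processing even though F itself is authorized.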
In addition to the control of enable/disable of task invocation, performed by the invocation authorization management program (TCACNT) 152, which has been described based on
In the above-described data processing system, it is possible to flexibly control access authorization for invocation for each procedure/function as a unit, depending on the configuration of an application. Further, for each procedure/function, higher-level check of access authorization based on hardware can be realized without overhead. The former access authorization control is realized by the invocation authorization database (TCADB) 151 and the invocation authorization management program (TCACNT) 152, and the latter access authorization control is realized by the access authorization management module (AACNT) 140.
The present invention has been specifically described based on the embodiment. The present invention is not limited to the embodiment. It is needless to say that various changes may be made without departing from the scope of the invention.
For example, the data processor (MCU) 190 is not limited to a single chip but may have a multi-chip configuration. Further, the number of CPUs used for the data processor (MCU) 190 is not limited to three. A target to be managed based on access authorization by the access authorization management module (AACNT) 140 is not limited to a memory. Any resource accessible from a CPU, an I/O circuit for example, may be such a target. The structure of the access authorization management table (AATLB) 261 is not limited to that shown in
Number | Date | Country | Kind |
---|---|---|---|
2007-018701 | Jan 2007 | JP | national |