The present disclosure is in the field of computer memory and more particularly in the field of functional safety of data in embedded component memory.
Increasing numbers of electromechanical components include some computer processing capability and memory for storing data and computer program instructions. The data and stored program instructions in the memory can be susceptible to unauthorized access or corruption at various stages of production and thereafter.
Complex systems including advanced automobiles and trucks include numerous electronic control units in communication with on-board sensors and actuators, for example. Advanced automotive systems may also communicate wirelessly with an operator's mobile device, or with a wireless network, to report system status or to update software and data in the electronic control units.
Complex systems that include electronic control units, and other dedicated electronic apparatus, especially those that include wireless communication capabilities, can be susceptible to unauthorized access that could degrade system safety and performance. Such unauthorized access may be possible during the system's operation, or even in the manufacturing process of the system or system components.
In some industries, including the automotive industry, components that store data are subject to functional safety standards and other regulations that require manufacturers to assure that data and program instructions stored in component memory are protected from unauthorized access. Component manufacturers can comply with these standards and regulations by implementing component circuitry that locks down component memory and prevents unauthorized reading or alteration of data and program instructions after they are stored in the memory.
Blocking further access to component memory after a manufacturing process is complete becomes problematic when downstream manufacturing processes could benefit from access to the memory. As component electronics become more sophisticated, system level manufacturers and other downstream processes involving a component may need to use memory space in the component for different tasks within their system. Multiple levels of manufacturing processes may require write access to component memory to store different data and program instructions. However, memory that is locked down after an upstream manufacturing process will not be available for use by the downstream processes.
Traditionally, component manufacturers have included separate blocks of memory in a component in which one block of memory can be locked down after an upstream manufacturing process so that data stored in that block cannot be altered. Another block of the memory in the component remains accessible to downstream processes. Multiple downstream processes may sequentially write to and then lock down their own block of memory in the component, for example. However, providing separate blocks of memory for different access during sequential manufacturing processes is inefficient from both a cost and data storage perspective.
According to an aspect of the present disclosure a device includes a single memory space that can be dynamically partitioned by the device to provide separate memory partitions for access by different processes along a production stream. Providing multiple partitions in the single memory space is much less costly than providing separate memory blocks. Moreover, dynamically partitioned memory can be sized more appropriately according to the amount of memory needed by a corresponding process. The more appropriately sized partitions provide for more efficient use of memory space.
Firmware in the device, which controls the overall functionality of the device, also controls partitioning of the memory space. According to an aspect of the present disclosure, the firmware also controls how each of the partitions may be accessed. For example, in order to comply with functional safety standard ISO 26262, the firmware of a device may include a number of different safety features for protecting data in the device. The firmware can apply each of the safety features utilized by the device to each of the memory partitions. This ensures that each safety feature relied on for data security is implemented independently for each partition, so that the lock state of one partition neither depends on nor affects another, and the device maintains functional safety compliance.
The different partitions can be created and accessed at different points in a production stream by different entities such as a device manufacturer, its customers and suppliers, or other entities along the supply chain. Each entity can write whatever data, program instructions or other information it needs into the component and activate the security features it needs in order for the device to meet ISO 26262 requirements.
A better understanding of aspects of the present disclosure will be facilitated upon reference to the following detailed description when read in conjunction with the accompanying drawings wherein like reference characters refer to like parts throughout the drawings, in which:
Referring to
Instructions are stored on the firmware 204 and are executable by the processor 202 to configure a first partition 208 of the programmable non-volatile memory 206. The instructions implement a first set of safety features of the programmable non-volatile memory 206 with respect to the first partition 208. The first set of safety features includes preventing alteration of data in the first partition 208 after completion of a first manufacturing process, for example.
According to an aspect of the present disclosure the firmware 204 also includes instructions that are executable by the processor 202 to facilitate performance of the dedicated function of the apparatus 200 using the data stored in the programmable non-volatile memory 206.
The firmware 204 also includes instructions executable by the processor 202 to configure a second partition 210 of the programmable non-volatile memory 206 and to implement a second set of safety features of the programmable non-volatile memory 206 with respect to the second partition 210. The second set of safety features includes preventing alteration of data in the second partition after completion of a second manufacturing process, for example.
According to an aspect of the present disclosure, a programmable operational characteristic of the programmable non-volatile memory determines partition boundaries of the first partition and the second partition based on data storage requirements of the first manufacturing process and the second manufacturing process.
In an illustrative embodiment, the instructions stored on the firmware are executable by the processor to configure an nth partition of the programmable non-volatile memory, and to implement an nth set of safety features of the programmable non-volatile memory in the nth partition, wherein the nth set of safety features includes preventing alteration of data in the nth partition after completion of an nth manufacturing process. A programmable operational characteristic of the programmable non-volatile memory determines partition boundaries of the nth partition based on data storage requirements of the nth manufacturing process.
In a particular illustrative embodiment, the dedicated function of the apparatus is sensing a pressure. In another illustrative embodiment, the dedicated function of the apparatus is switching an electrical pathway.
According to an aspect of the present disclosure, the programmable non-volatile memory comprises an electrically erasable programmable read-only memory (EEPROM), a flash memory, or a one-time programmable memory, for example. According to another aspect of the present disclosure, the first set of safety features include instructions in the firmware configured to prevent unauthorized alteration of the firmware. The first set of safety features and the second set of safety features comply with a standard of functional safety for electrical and/or electronic systems in production automobiles. In an illustrative embodiment, the standard of functional safety comprises International Organization for Standardization (ISO) standard 26262.
At least one of the first manufacturing process and the second manufacturing process comprises writing instructions for performing the dedicated function in the firmware.
Another aspect of the present disclosure includes a method 300 for securing data on an apparatus for performing a dedicated function. The method includes executing firmware instructions of the apparatus to perform the procedural steps shown in
At step 304, the method includes executing the firmware instructions of the apparatus to implement a first set of safety features of the programmable non-volatile memory in the first partition, wherein the first set of safety features includes preventing alteration of data in the first partition after completion of a first manufacturing process. At step 306, the method includes executing the firmware instructions of the apparatus to facilitate performance of the dedicated function using the data stored in the programmable non-volatile memory. At step 308, the method includes executing the firmware instructions of the apparatus to configure a second partition of the programmable non-volatile memory. At step 310, the method includes executing the firmware instructions of the apparatus to implement a second set of safety features of the programmable non-volatile memory in the second partition, wherein the second set of safety features includes preventing alteration of data in the second partition after completion of a second manufacturing process.
In an embodiment, the method includes determining partition boundaries of the first partition and the second partition based on data storage requirements of the first manufacturing process and the second manufacturing process. According to an aspect of the present disclosure, the configuration of partition boundaries to prevent alteration of data in the first partition after completion of the first manufacturing process and to prevent alteration of data in the second partition after completion of the second manufacturing process is a programmable operational characteristic of the programmable non-volatile memory.
In an illustrative embodiment, the method may include executing the firmware instructions of the apparatus to configure an nth partition of the programmable non-volatile memory at step 312 and to implement an nth set of safety features of the programmable non-volatile memory in the nth partition at step 314, wherein the nth set of safety features includes preventing alteration of data in the nth partition after completion of an nth manufacturing process. The programmable operational characteristic of the programmable non-volatile memory determines partition boundaries of the nth partition based on data storage requirements of the nth manufacturing process.
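The partitioning and per-partition lockdown described for the apparatus 200 and for the steps of method 300 can be modeled in firmware-style C as follows. This is an added illustrative example and is not code from the present disclosure; the memory size, the partition-table structure used as the programmable operational characteristic, and the nvm_* function names are assumptions made for the example, and the sample bytes written by each manufacturing process are constructed.

```c
/* Added illustrative example, not code from the disclosure. Models one
 * programmable non-volatile memory space partitioned on demand, one partition
 * per manufacturing process, each locked independently when its process
 * completes. NVM_SIZE, MAX_PARTITIONS and the nvm_* names are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define NVM_SIZE        256u  /* assumed size of the single memory space */
#define MAX_PARTITIONS  8u    /* assumed upper bound on the nth partition */

typedef struct {
    uint32_t start;   /* first byte of the partition in the memory space */
    uint32_t length;  /* sized to the requesting process's storage needs */
    bool     locked;  /* set once that manufacturing process completes */
} nvm_partition_t;

typedef struct {
    uint8_t         data[NVM_SIZE];
    nvm_partition_t table[MAX_PARTITIONS]; /* partition boundaries, firmware-controlled */
    uint32_t        count;                 /* partitions configured so far */
    uint32_t        next_free;             /* first unallocated byte */
} nvm_device_t;

typedef enum { NVM_OK, NVM_ERR_RANGE, NVM_ERR_LOCKED, NVM_ERR_BAD_ID } nvm_status_t;

void nvm_init(nvm_device_t *dev) { memset(dev, 0, sizeof *dev); }

/* Configure the next partition, sized to the caller's requirement; boundaries
 * never overlap because allocation is sequential. Returns the 0-based id, or -1. */
int nvm_configure_partition(nvm_device_t *dev, uint32_t length)
{
    if (dev->count >= MAX_PARTITIONS) return -1;
    if (length == 0 || length > NVM_SIZE - dev->next_free) return -1;
    nvm_partition_t *p = &dev->table[dev->count];
    p->start = dev->next_free; p->length = length; p->locked = false;
    dev->next_free += length;
    return (int)dev->count++;
}

/* Write into one partition; refused if the partition is locked or the range
 * would leave the partition (so one process cannot reach another's data). */
nvm_status_t nvm_write(nvm_device_t *dev, int id, uint32_t offset,
                       const uint8_t *src, uint32_t len)
{
    if (id < 0 || (uint32_t)id >= dev->count) return NVM_ERR_BAD_ID;
    nvm_partition_t *p = &dev->table[id];
    if (p->locked) return NVM_ERR_LOCKED;
    if (offset > p->length || len > p->length - offset) return NVM_ERR_RANGE;
    memcpy(&dev->data[p->start + offset], src, len);
    return NVM_OK;
}

nvm_status_t nvm_read(const nvm_device_t *dev, int id, uint32_t offset,
                      uint8_t *dst, uint32_t len)
{
    if (id < 0 || (uint32_t)id >= dev->count) return NVM_ERR_BAD_ID;
    const nvm_partition_t *p = &dev->table[id];
    if (offset > p->length || len > p->length - offset) return NVM_ERR_RANGE;
    memcpy(dst, &dev->data[p->start + offset], len);
    return NVM_OK;
}

/* Completion of the nth manufacturing process: one-way lock of that partition only. */
nvm_status_t nvm_lock(nvm_device_t *dev, int id)
{
    if (id < 0 || (uint32_t)id >= dev->count) return NVM_ERR_BAD_ID;
    dev->table[id].locked = true;
    return NVM_OK;
}

/* Walk a two-stage production stream: the component manufacturer stores
 * calibration data and locks partition 0; a downstream integrator then
 * configures, fills and locks partition 1. Returns true if every check holds. */
bool nvm_production_stream_demo(void)
{
    static const uint8_t calib[] = {0x10, 0x20, 0x30, 0x40}; /* constructed sample */
    static const uint8_t cfg[]   = {0xA5, 0x5A};             /* constructed sample */
    nvm_device_t dev;
    nvm_init(&dev);

    if (nvm_configure_partition(&dev, 0) != -1) return false;     /* empty request */
    int p0 = nvm_configure_partition(&dev, sizeof calib);          /* process 1 */
    if (p0 != 0 || nvm_write(&dev, p0, 0, calib, sizeof calib) != NVM_OK) return false;
    if (nvm_lock(&dev, p0) != NVM_OK) return false;

    int p1 = nvm_configure_partition(&dev, 16);                    /* process 2 */
    if (p1 != 1 || nvm_write(&dev, p1, 0, cfg, sizeof cfg) != NVM_OK) return false;

    /* Lockdown of partition 0 is independent of partition 1. */
    if (nvm_write(&dev, p0, 0, cfg, sizeof cfg) != NVM_ERR_LOCKED) return false;
    if (nvm_write(&dev, p1, 14, cfg, sizeof cfg) != NVM_OK) return false;
    if (nvm_write(&dev, p1, 15, cfg, sizeof cfg) != NVM_ERR_RANGE) return false;
    if (nvm_write(&dev, 5, 0, cfg, sizeof cfg) != NVM_ERR_BAD_ID) return false;

    uint8_t out[4];
    if (nvm_read(&dev, p0, 0, out, sizeof out) != NVM_OK) return false;
    return memcmp(out, calib, sizeof out) == 0 && nvm_lock(&dev, p1) == NVM_OK;
}
```

The model keeps the two properties the disclosure relies on: partition boundaries are set by firmware from each process's stated storage requirement rather than fixed in silicon, and the lock applied at the end of one manufacturing process constrains only that partition, so a later process can still claim and write its own region of the same memory space.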
In the method 300 for securing data on an apparatus for performing a dedicated function, the dedicated function of the apparatus may include sensing a pressure, or switching an electrical pathway, for example. In an illustrative embodiment, the first set of safety features may include instructions in the firmware configured to prevent unauthorized alteration of the firmware. At least one of the first manufacturing process and the second manufacturing process comprises writing instructions to the firmware for performing the dedicated function.
In the method 300, the first set of safety features and the second set of safety features may comply with a standard of functional safety for electrical and/or electronic systems in production automobiles, such as International Organization for Standardization (ISO) standard 26262, for example.
The disclosed apparatus for performing a dedicated function may include a computer program product that when executed on the apparatus causes the apparatus to perform the dedicated function, to partition a programmable non-volatile memory of the apparatus, and to separately secure functional safety of multiple partitions of the programmable non-volatile memory.
An illustrative embodiment according to an aspect of the present disclosure includes a non-transitory computer readable medium that includes computer executable program code embodied thereon. The program code includes executable instructions for performing a dedicated function of the apparatus, in addition to executable instructions for implementing safety features to comply with functional safety standards. The executable instructions include instructions to configure a first partition of a programmable non-volatile memory of the apparatus and to implement a first set of safety features of the programmable non-volatile memory in the first partition. According to an aspect of the present disclosure the first set of safety features includes preventing alteration of data in the first partition after completion of a first manufacturing process.
The executable instructions also include instructions to facilitate performance of the dedicated function using the data stored in the programmable non-volatile memory, to configure a second partition of the programmable non-volatile memory and to implement a second set of safety features of the programmable non-volatile memory in the second partition. According to an aspect of the present disclosure, the second set of safety features includes preventing alteration of data in the second partition after completion of a second manufacturing process.
In an illustrative embodiment, the program code further comprises instructions executable to configure an nth partition of the programmable non-volatile memory, and to implement an nth set of safety features of the programmable non-volatile memory in the nth partition, wherein the nth set of safety features includes preventing alteration of data in the nth partition after completion of an nth manufacturing process. In an illustrative embodiment, a programmable operational characteristic of the programmable non-volatile memory determines partition boundaries of the nth partition based on data storage requirements of the nth manufacturing process.
Alternatively and/or additionally, in some embodiments, special purpose logic circuitry, e.g., an FPGA (field programmable gate array), a DSP processor (as in the case of, for example, some of the programmable sensors described herein), or an ASIC (application-specific integrated circuit) may be used in the implementation of the disclosed apparatus.
Computer programs (also known as programs, software, software applications or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the term “computer-readable medium” refers to any non-transitory computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, EPROMS, Programmable Logic Devices (PLDs) and the like) used to provide machine instructions and/or data to a programmable processor, including a non-transitory machine-readable medium that receives machine instructions as a machine-readable signal.
While particular embodiments have been disclosed herein in detail, this has been done by way of example for purposes of illustration only, and is not intended to be limiting with respect to the scope of the appended claims, which follow. In particular, it is contemplated that various substitutions, alterations, and modifications may be made without departing from the scope of the invention as defined by the claims. Other aspects, advantages, and modifications are considered to be within the scope of the following claims. The claims presented are representative of the embodiments and features disclosed herein. Other unclaimed embodiments and features are also contemplated. Accordingly, other embodiments are within the scope of the following claims.