Summary of the invention
To address the technical problems of the background art, the invention proposes a reliability real-time protection method for an SoC chip. Based on the reliability requirements of SoC embedded applications, hardware protection mechanisms are established on the system on chip in the time domain and in the spatial domain respectively, so as to ensure reliability while the system runs. In addition, hardware real-time error detection and an error handling strategy improve the ability of the SoC embedded real-time system to respond to errors, guaranteeing the reliability of the system on chip.
The reliability real-time protection method for an SoC chip proposed by the present invention comprises the following steps:
S1: a system on chip time domain protection mechanism based on a hardware counter is proposed; through a time-out error detection function, the processor is prevented from being excessively occupied by a particular application;
Determine the time domain objects of the system on chip to be protected;
The hardware timing function of the system on chip is realized by a hardware counter, guaranteeing the real-time behaviour of the SoC system; the system on chip provides a hardware counter that meets the following requirements:
1) it has multiple timing channels, so that hardware real-time monitoring and control can be provided for different types of time domain objects;
2) each timing channel can generate an independent time-out interrupt, so as to distinguish the specific time-out type of the system on chip;
A time monitoring mechanism is established for the time domain objects; if a time domain object errs at run time, the time domain error handling system is triggered;
S2: a spatial domain protection mechanism for the system on chip is proposed; the mechanism can both prevent the occurrence of errors and prevent the diffusion of errors within the embedded real-time system;
1) an application partition model is proposed: partitioned memory protection is established for the system through the memory management unit and, combined with the privileged modes of the processor and the application partitions, trusted applications and untrusted applications are kept apart, realizing the isolation of partitions;
2) memory regions and page table entries are established for the application partitions, realizing the allocation of physical memory areas;
The memory regions of the operating system and of the applications are divided, and the division is realized by the compiler in the following manner:
A. during program compilation, all source code is divided into input sections;
B. during program linking, following the compiler's link step, the source code is divided into sections;
3) the embedded real-time operating system code is extended and modified to realize the spatial domain protection mechanism;
4) an MMU hardware management framework is proposed, ensuring the real-time behaviour of the automotive electronics SoC protection mechanism; the MMU hardware management framework comprises MMU initialization, memory access exception handling and TLB page table replacement;
S3: a hardware error detection and real-time handling system is proposed; when the system protection mechanism detects that an error has occurred, the system error handling system is called first, and the error handling system then performs error handling according to the handling strategy;
1) the errors that may occur are detected and classified; the main objects of error detection are numerical errors, time errors and spatial errors;
2) handling strategies are formulated for the different types of errors; the system provides the corresponding error handling decision according to the error code.
Preferably, in step S1, the time-out errors in the real-time system mainly comprise task execution time errors, interrupt execution time-outs, shared resource occupation time-outs and the like, and specifically include:
1) task running time;
2) task arrival interval;
3) time for which a task keeps global interrupts disabled;
4) interrupt execution time;
5) interrupt arrival interval;
6) time for which an interrupt service routine keeps global interrupts disabled;
7) time for which a task holds a shared resource.
Preferably, in step S2, in an operating system without space protection, tasks, interrupts and the operating system kernel run at the same privilege level and can use the whole memory space; with the space protection mechanism, the execution of tasks and interrupts must be isolated from that of the operating system.
Preferably, in step S3, data errors are value errors of parameters, variables and messages, null pointer parameters and task status errors; time errors are covered by the protection mechanism that the system establishes through the hardware counter for task/interrupt running time, interrupt-disabled time and resource occupation time; spatial errors have the following two cases: a TLB data miss error caused by the address of read/write data not belonging to the data area of the application, and a TLB instruction miss error caused by the address of an executed instruction not belonging to the code region of the application.
The invention has the following advantages:
1. A time domain protection mechanism based on a hardware timer is proposed which, through the time-out error detection function, prevents the processor from being excessively occupied by a particular application, and specifically comprises:
1) the time domain objects to be protected are clearly defined; the time-out errors in the real-time system mainly comprise task execution time errors, interrupt execution time-outs, shared resource occupation time-outs and the like;
2) the timing function is realized by the hardware counter, guaranteeing the real-time behaviour of the SoC system;
3) a time monitoring mechanism is established for the time domain objects; if a time domain object errs at run time, the time domain error handling system is triggered;
2. A spatial domain protection mechanism is proposed which can both prevent the occurrence of errors and prevent their diffusion within the system;
1) an application partition model is proposed: partitioned memory protection is established for the system through the memory management unit and, combined with the privileged modes of the processor and the application partitions, trusted applications and untrusted applications are kept apart, realizing the isolation of partitions;
2) memory regions and page table entries are established for the application partitions, realizing the allocation of physical memory areas;
3) the embedded real-time operating system code is extended and modified to realize the spatial domain protection mechanism;
4) an MMU hardware management framework is proposed, ensuring the real-time behaviour of the automotive electronics SoC protection mechanism; the MMU hardware management framework comprises MMU initialization, memory access exception handling and TLB page table replacement;
3. A hardware error detection and real-time handling system is proposed; when the system protection mechanism detects that an error has occurred, the system error handling system is called first, and the error handling system then performs error handling according to the handling strategy.
Specific embodiments
The present invention is further explained below in combination with specific embodiments.
A reliability real-time protection method for an SoC chip comprises the following steps:
S1: a system on chip time domain protection mechanism based on a hardware counter is proposed; through a time-out error detection function, the processor is prevented from being excessively occupied by a particular application;
Determine the time domain objects of the system on chip to be protected;
The timing function is realized by the hardware counter of the system on chip, guaranteeing the real-time behaviour of the SoC system; a hardware counter is provided that meets the following requirements:
1) it has multiple timing channels, so that monitoring can be provided for different types of time domain objects;
2) each timing channel can generate an independent time-out interrupt, so as to distinguish the specific time-out type.
Tasks and interrupts are the runnable entities of the operating system. At any moment the processor can only be executing either a task program or an interrupt service routine; these two kinds of executing entity can never run simultaneously, so the protection of their running time can share one counting channel.
The time monitoring of disabled global interrupts requires one counting channel, and the time monitoring of resource holding uses an independent counting channel.
Since the arrival of tasks and interrupts is random, when a task is started or an interrupt arrives for the first time, the current counter (time) value is recorded as the last arrival time. When the task or interrupt arrives again, the current counter time value is recorded again and compared with the last arrival time; if the guard time requirement is met, the task or interrupt is allowed to execute and this arrival time is saved as the new last arrival time. Arrival interval monitoring therefore needs no additional counting channel.
A time monitoring mechanism is established for the time domain objects; if a time domain object errs at run time, the time domain error handling system is triggered.
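As an added illustration (not code from the patent), the following C model shows the S1 arrangement described above: one counting channel shared by task and ISR running time, separate channels for the interrupt-disabled time and the resource holding time, and the arrival-interval check that needs no channel at all. The hardware counter is replaced by a counter value the caller passes in; channel numbers, error codes and all identifiers are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>

/* Counting channels. Tasks and ISRs never run at the same time, so a single
 * channel guards the running time of both; the interrupt-disabled time and the
 * resource holding time each take their own channel, as the text states.
 * Channel numbers and error codes are assumptions of this example. */
enum td_channel { CH_RUN = 0, CH_INT_DISABLED, CH_RESOURCE, TD_CHANNELS };

/* Errors handed to the time domain error handling system. */
enum td_error { TD_OK = 0, TD_RUNTIME_TIMEOUT, TD_ARRIVAL_TOO_FAST,
                TD_INT_DISABLED_TIMEOUT, TD_RESOURCE_TIMEOUT };

/* One timing channel: armed flag, expiry counter value, error it raises. */
struct td_channel_state { bool armed; uint32_t deadline; enum td_error on_expire; };

/* Arrival record of one task or ISR; it consumes no counting channel. */
struct td_entity {
    bool     seen;             /* false until the task start / first arrival */
    uint32_t last_arrival;     /* counter value recorded at the previous arrival */
    uint32_t min_interval;     /* guard time between two arrivals */
    uint32_t max_runtime;      /* running time budget armed on CH_RUN */
};

struct td_monitor { struct td_channel_state ch[TD_CHANNELS]; };

static const enum td_error td_channel_error[TD_CHANNELS] = {
    TD_RUNTIME_TIMEOUT, TD_INT_DISABLED_TIMEOUT, TD_RESOURCE_TIMEOUT
};

/* Open a guarded section on channel c with a budget in counter ticks. */
void td_section_begin(struct td_monitor *m, enum td_channel c, uint32_t now, uint32_t budget)
{
    m->ch[c].armed     = true;
    m->ch[c].deadline  = now + budget;   /* may wrap; td_check compares modulo 2^32 */
    m->ch[c].on_expire = td_channel_error[c];
}

void td_section_end(struct td_monitor *m, enum td_channel c) { m->ch[c].armed = false; }

/* Task start or interrupt arrival, following the arrival-interval rule of the
 * text: the first arrival is only recorded; a later arrival is compared with
 * the last recorded one, and the record is updated only when execution is
 * allowed. On success the shared run-time channel is armed. */
enum td_error td_on_arrival(struct td_monitor *m, struct td_entity *e, uint32_t now)
{
    if (e->seen && (uint32_t)(now - e->last_arrival) < e->min_interval)
        return TD_ARRIVAL_TOO_FAST;      /* hands over to the time domain error handler */
    e->seen         = true;
    e->last_arrival = now;
    td_section_begin(m, CH_RUN, now, e->max_runtime);
    return TD_OK;
}

/* Stands in for the per-channel time-out interrupt: reports the error of the
 * first expired channel (lowest channel number first), or TD_OK. */
enum td_error td_check(const struct td_monitor *m, uint32_t now)
{
    for (int c = 0; c < TD_CHANNELS; c++)
        if (m->ch[c].armed && (int32_t)(now - m->ch[c].deadline) >= 0)
            return m->ch[c].on_expire;
    return TD_OK;
}
```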
S2: a spatial domain protection mechanism for the system on chip is proposed; the mechanism can both prevent the occurrence of errors and prevent the diffusion of errors within the system;
1) an application partition model is proposed: partitioned memory protection is established for the system through the memory management unit and, combined with the privileged modes of the processor and the application partitions, trusted applications and untrusted applications are kept apart, realizing the isolation of partitions;
To realize the space protection mechanism, partitions corresponding to the operating system are first divided, and a protection mechanism is established for the partitions. In the embedded real-time operating system, the OS-Application is used to support the partition protection mechanism. The OS-Application is the basic functional unit of the embedded real-time operating system; it may comprise one or more tasks, ISRs, alarms, schedule tables, counters and other operating system objects.
All tasks, ISRs, alarms, schedule tables and the like in the operating system must belong to some OS-Application, and operating system objects within the same OS-Application can access one another. Access rights between different OS-Applications must be configured by the user; if an OS-Application accesses an OS-Application for which no permission has been configured, this is an access error.
As shown in figure 4, OS-Applications are divided into trusted and untrusted ones:
1) a trusted OS-Application can run with the monitoring or protection functions disabled, can access memory without restriction, and is allowed to run in the privileged mode of the processor;
2) an untrusted OS-Application is not allowed to run with the protection functions disabled, its access to memory is restricted, and it should run in the non-privileged mode of the processor.
2) Memory regions and page table entries are established for the application partitions, realizing the allocation of physical memory areas;
The memory regions of the operating system and of the applications are divided, and the division is realized by the compiler in the following manner:
A. during program compilation, all source code is divided into input sections;
B. during program linking, following the compiler's link step, the source code is divided into sections;
In practice, the source code realizes the division into input sections through preprocessing directives; after compilation, the data segments and code segments are stored in their respective sections of the .o files; in the link stage, according to the program link script, all input sections are placed in the correct output sections, which determines the final storage address of each partition. The specifics are shown in table 1.
After the division of the operating system and application partitions is determined, these regions also need to be represented in the form of memory pages. The set of memory pages constitutes the page table; a page table describes the address range of each region in the memory space and information such as its access rights. At system start-up this information is loaded into the TLB unit to realize the protection of memory access.
The code and configuration data of the system are stored in the Flash of the SoC chip, while run-time data are stored in the SRAM of the SoC chip. The specifics are shown in table 2.
After the memory allocation of the system is determined, these regions also need to be saved in the form of a page table, so that the operating system can use and manage them and the space protection mechanism can be realized. The specifics are shown in table 3.
Since the reliable part contains the most fundamental content of the system, such as the operating system basis, and is accessed most frequently, a separate page table is established for this part within the page table. At the same time, to improve the TLB hit rate, the MMU loads the information of this page table into the TLB during initialization and keeps it resident: during the operation of the whole system, the corresponding entries are never paged out.
During system operation, if the page information to be accessed is not in the TLB, a TLB exception is generated. In the exception handling, the corresponding page table entry is found according to the accessed page address, and the page table entry is then loaded into the TLB.
3) the embedded real-time operating system code is extended and modified to realize the spatial domain protection mechanism;
In an operating system without space protection, tasks, interrupts and the operating system kernel run at the same privilege level and can use the whole memory space. With the space protection mechanism, the execution of tasks and interrupts must be isolated from that of the operating system.
As runnable entities of the operating system, tasks and interrupts have their own executable code. The executable code of a task or interrupt is in fact a function, and a stack structure must be allocated for the task or interrupt to run. After the space protection mechanism is realized, the original stack design must be modified to meet the needs of space protection. On the other hand, a runnable entity may belong to a trusted OS-Application or to an untrusted OS-Application; since the operating privilege levels of trusted and untrusted applications differ, the necessary privileged mode switch must also be performed according to the entity's trust level when a task context switch is carried out.
After applications are divided into trusted and untrusted ones, a trusted application can freely use the services provided by the system. An untrusted application runs in user mode, so if it wants to use a system service it must first enter kernel mode, and the operating system finally executes the service on its behalf.
Besides enjoying privileges when it runs, a trusted application itself may provide services to other applications in the system; such a service provided by a trusted application is called a trusted function. Like the services provided by the operating system, a trusted function also needs to run in privileged mode.
4) an MMU hardware management framework is proposed, ensuring the real-time behaviour of the SoC protection mechanism; the MMU hardware management framework comprises MMU initialization, memory access exception handling and TLB page table replacement;
(1) MMU initialization, including address mapping table initialization and TLB initialization.
Address mapping table initialization: the code and data page table information of each untrusted OS-Application in the system is scanned, and the corresponding address mapping table is initialized according to the subscript of the corresponding page in the page table information.
TLB initialization: the entries of the reliable part's page table are stored in the resident entries of the TLB unit, and the remaining TLB entries are left for the untrusted OS-Applications that run afterwards.
(2) TLB exception handling
If the number of page table entries in the system exceeds the capacity of the TLB, the system cannot keep all page table information in the TLB at once, and a TLB miss exception may occur while a program runs. If the accessed address is in the TLB but does not belong to the application, a TLB exception also occurs; this exception is caused by an illegal memory access. A TLB exception therefore occurs in the following two situations:
1. the page corresponding to the address accessed by the application is not in the TLB;
2. the page corresponding to the address accessed by the application is cached in the TLB, but the PID0 value of the current application differs from the TID value in the TLB entry, and the TID value is not 0.
Situation 1 is a normal TLB exception: the exception handler writes the corresponding information into the TLB to prevent the exception from occurring again. The illegal memory access exception of situation 2 is handled as a spatial error.
TLB miss exceptions are divided into data misses and instruction misses. A data miss exception means that the information of the data page to be accessed is not in the TLB; an instruction miss exception means that the information of the code page containing the instruction to be fetched is not in the TLB. Data exceptions and instruction exceptions are of different types, but their handling flow and logic are almost the same.
Since the page information of the reliable part is resident in the TLB, the application causing the exception must be an untrusted application. For an instruction miss, the TLB is updated using the code page table of the untrusted OS-Application and the corresponding hash table; for a data miss exception, the TLB is updated using the data page table of the untrusted OS-Application and the corresponding hash table.
The TLB exception handler first calculates the subscript into the corresponding hash table from the 4K page address containing the missed address. If the subscript exceeds the size of the hash table, the accessed address lies outside the address space of the current system, and illegal access error handling is performed.
(3) TLB page table replacement
If the accessed address belongs to the current application, the corresponding page information is missing from the current TLB, and page replacement should be performed on the TLB.
S3: a hardware error detection and real-time handling system is proposed; when the system protection mechanism detects that an error has occurred, the system error handling system is called first, and the error handling system then performs error handling according to the handling strategy;
1) the errors that may occur are detected and classified; the main objects of error detection are numerical errors, time errors and spatial errors;
(1) Data errors
Data errors are mainly value errors of parameters, variables and messages, null pointer parameters and task status errors. If the operating system accepts such data and operates on them, erroneous output may be produced and even system errors may result, reducing the reliability of the system.
The method for solving data errors is to check the validity of the data when the user passes data to the operating system. Data are generally passed as parameters, so when realizing data error detection, validity checking code should be added for every parameter of an ID-like kind that is passed.
(2) Time errors
Through the hardware counter the system has established a protection mechanism for task/interrupt running time, interrupt-disabled time and resource occupation time. A task/interrupt arrival time error is judged from the recorded last activation time, which shows whether the task/interrupt is being activated too fast. For the other time errors, if the hardware counter does not generate an interrupt, no corresponding time error is considered to have occurred.
(3) Spatial errors
Spatial errors are detected by the MMU unit: if an application performs its memory read and write operations correctly, the MMU generates no exception; if an application illegally reads or writes an address space that does not belong to it, the MMU generates the corresponding exception. The main spatial errors are the following two: a TLB data miss error caused by the address of read/write data not belonging to the data area of the application, and a TLB instruction miss error caused by the address of an executed instruction not belonging to the code region of the application.
2) handling strategies are formulated for the different types of errors; the system provides the corresponding error handling decision according to the error code.
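As an added illustration (not code from the patent), the following C model ties together the TLB exception handling of (2) and (3) in S2 and the spatial error classification of S3: the subscript range check against the address space, the TID/PID0 comparison for pages already cached, a refill for pages the current application owns, and data or instruction miss errors otherwise. The hash table of the text is modelled as a direct-indexed per-application page table; table sizes, the round-robin replacement policy and all identifiers are assumptions of this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define PAGE_SHIFT     12u   /* 4K pages, as in the text */
#define TLB_SLOTS      8     /* TLB capacity (assumed) */
#define RESIDENT_SLOTS 2     /* reliable-part entries loaded at init, never replaced */
#define SYS_PAGES      64    /* size of the per-application page tables (assumed) */

enum access_kind { ACCESS_DATA, ACCESS_INSTR };

/* Result of one access; the non-OK values are the spatial error classes. */
enum sp_error { SP_OK = 0, SP_ILLEGAL_ADDRESS, SP_DATA_MISS_ERROR,
                SP_INSTR_MISS_ERROR, SP_TID_MISMATCH };

struct tlb_entry { bool valid; uint32_t page; uint8_t tid; };

/* Page tables of the untrusted OS-Applications, indexed by page number (the
 * role of the hash table in the text): the value is the PID0 of the owning
 * application, 0 if unassigned. Application PID0 values start at 1. */
struct page_tables { uint8_t data_owner[SYS_PAGES]; uint8_t code_owner[SYS_PAGES]; };

/* next_victim rotates over the non-resident TLB slots. */
struct mmu_model { struct tlb_entry tlb[TLB_SLOTS]; struct page_tables pt; unsigned next_victim; };

/* MMU initialization: the pages of the reliable part become resident with TID 0,
 * which every application may access; the remaining slots stay free. */
void mmu_init(struct mmu_model *m, const uint32_t *resident_pages, size_t n)
{
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n && i < RESIDENT_SLOTS; i++)
        m->tlb[i] = (struct tlb_entry){ .valid = true, .page = resident_pages[i], .tid = 0 };
}

struct tlb_entry *tlb_lookup(struct mmu_model *m, uint32_t page)
{
    for (int i = 0; i < TLB_SLOTS; i++)
        if (m->tlb[i].valid && m->tlb[i].page == page)
            return &m->tlb[i];
    return NULL;
}

/* TLB page replacement: only the slots above the resident part are victims. */
static void tlb_refill(struct mmu_model *m, uint32_t page, uint8_t tid)
{
    unsigned slot = RESIDENT_SLOTS + m->next_victim;
    m->next_victim = (m->next_victim + 1) % (TLB_SLOTS - RESIDENT_SLOTS);
    m->tlb[slot] = (struct tlb_entry){ .valid = true, .page = page, .tid = tid };
}

/* One memory access by the application with identifier pid0. */
enum sp_error mmu_access(struct mmu_model *m, uint32_t addr, enum access_kind kind, uint8_t pid0)
{
    uint32_t page = addr >> PAGE_SHIFT;        /* subscript into the page table */
    if (page >= SYS_PAGES)
        return SP_ILLEGAL_ADDRESS;             /* outside the current system's address space */
    struct tlb_entry *e = tlb_lookup(m, page);
    if (e != NULL)                              /* situation 2 of the text: page is cached */
        return (e->tid != 0 && e->tid != pid0) ? SP_TID_MISMATCH : SP_OK;
    /* Situation 1: not cached. Refill only if the page belongs to this application. */
    const uint8_t *owner = (kind == ACCESS_DATA) ? m->pt.data_owner : m->pt.code_owner;
    if (owner[page] != pid0)
        return (kind == ACCESS_DATA) ? SP_DATA_MISS_ERROR : SP_INSTR_MISS_ERROR;
    tlb_refill(m, page, pid0);
    return SP_OK;
}
```

Because the model keeps one TLB for data and instructions, a page refilled by a data access also satisfies a later instruction fetch of the same application; a hardware split of data and instruction TLBs would classify that case separately.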
The foregoing is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto; any equivalent substitution or change made by a person skilled in the art within the technical scope disclosed by the present invention, according to the technical scheme of the present invention and its inventive concept, should be covered by the scope of protection of the present invention.