CN118445818B - System updating method and device based on multi-system isolation - Google Patents


Publication number
CN118445818B
Authority
CN
China
Prior art keywords
updating
slave
updated
maintenance operation
operation function
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410906295.2A
Other languages
Chinese (zh)
Other versions
CN118445818A (en)
Inventor
吴宁
吴春光
刘仁学
黄顺玉
战茅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Kirin Software Co Ltd
Original Assignee
Kirin Software Co Ltd
Application filed by Kirin Software Co Ltd
Priority to CN202410906295.2A
Publication of CN118445818A
Application granted
Publication of CN118445818B
Legal status: Active (current)


Abstract

The invention provides a system updating method and device based on multi-system isolation, wherein the method comprises the following steps: running a system to be updated in a system domain to be updated, and running a slave updating system in a slave updating system domain; the system to be updated acquires an update instruction, evaluates the slave update system after passing the verification, and simultaneously maintains and manages the slave update system; the system to be updated sends the data of the main maintenance operation function to the slave updating system meeting the conditions, and the slave updating system operates the corresponding slave maintenance operation function according to the data; and the system to be updated performs updating operation, if the updating is successful, the slave updating system returns the current slave maintenance operation function data to the system to be updated, and the related hardware resources of the slave updating system are recovered to the system to be updated, so that the corresponding master maintenance operation function of the system to be updated is recovered. The invention has the advantages of strong stability, high flexibility and the like, can realize the stable operation and data safety of the operating system in the updating period, and can recover the normal operation after the updating is interrupted due to the power failure, abnormal restarting and the like of the system.

Description

System updating method and device based on multi-system isolation
Technical Field
The present invention relates to the field of operating system update technologies, and in particular, to a system update method and apparatus based on multi-system isolation.
Background
With the rapid development of information technology, operating systems are applied ever more deeply and widely across industries, the demand for feature iteration and optimization upgrades keeps growing, and systems are updated more and more frequently. At present, operating systems are updated mainly through online network updates or offline media such as USB drives or hard disks; network updates in particular are widely used because they are convenient and efficient. Meanwhile, modern microprocessor technology integrates multiple processor cores on one chip, which greatly improves hardware performance and opens up more possibilities for the design and implementation of operating systems.
Existing operating system update mechanisms present significant limitations and potential risks. First, during an operating system update, it is often necessary to suspend the operation of the system and its associated functions, resulting in an inability to properly provide services during this period. Second, the operating system update process, once subject to unexpected interruption, may cause problems with update failures, which in extreme cases may result in the operating system failing to resume boot, forming what is known as a "catastrophic outcome". In addition, current operating system updates do not implement effective isolation measures, so that sensitive data and critical resources face potential security threats during the update process, and data leakage or other security events may be caused by the update operation.
Disclosure of Invention
The technical problem to be solved by the invention is as follows: aiming at the technical problems existing in the prior art, the invention provides a system updating method and device based on multi-system isolation, which have strong stability and high flexibility, so as to realize the continuous operation of related work of an operating system in the updating period and ensure the safety of related hardware and data resources.
In order to solve the technical problems, the technical scheme provided by the invention is as follows:
A system updating method based on multi-system isolation, applied to a multi-core chip, wherein hardware resources of the multi-core chip are isolated into a system domain to be updated and a slave updating system domain, a system to be updated is operated in the system domain to be updated, and a slave updating system is operated in the slave updating system domain, the method comprises the following steps:
S01, issuing an update instruction to a system to be updated, acquiring the update instruction by the system to be updated, verifying, and evaluating a slave update system after verification is passed, wherein the system to be updated maintains and manages the slave update system;
S02, the system to be updated sends the main maintenance operation function data to a slave updating system meeting the conditions, and the slave updating system operates the corresponding slave maintenance operation function according to the main maintenance operation function data and sets system updating abnormal parameters;
S03, the system to be updated performs updating operation, if the updating is successful, the slave updating system returns the current slave maintenance operation function data to the system to be updated, the slave updating system stops operating and recovers related hardware resources of the slave updating system domain to the system to be updated, and the system to be updated recovers the corresponding main maintenance operation function according to the current slave maintenance operation function data.
Further, in step S01, when evaluating the slave update system, the method includes:
S201, judging whether a slave updating system exists, if so, executing a step S202, otherwise, isolating relevant hardware resources of the multi-core chip to create a new slave updating system domain, and operating the new slave updating system;
S202, judging whether the slave updating system of the slave updating system domain can operate the main maintenance operation function of the system to be updated; if so, taking that slave updating system as the slave updating system meeting the condition; otherwise, creating a new slave updating system domain and running in it a slave updating system that can operate the main maintenance operation function of the system to be updated, which then serves as the slave updating system meeting the condition and operates the slave maintenance operation function corresponding to the main maintenance operation function.
Further, step S03 further includes: if the updating fails and the system updating abnormal parameters are parameters of a recovery system mode, the slave updating system continues to operate the slave maintenance operation function and restarts the system to be updated to recover the operation of the system to be updated, the slave updating system returns the current slave maintenance operation function data to the system to be updated, the system to be updated recovers the corresponding main maintenance operation function according to the current slave maintenance operation function data, and after the system to be updated recovers the normal operation, the operation of the slave updating system is stopped and the related hardware resources of the slave updating system domain are recovered to the system to be updated.
Further, step S03 further includes: if the updating fails and the system updating abnormal parameter is the parameter of the assisted-update mode, the slave updating system continues to try to update the system to be updated according to the setting, which comprises: the slave updating system acquires an update image of the system to be updated and updates the system to be updated while continuing to operate the slave maintenance operation function; after the updating of the system to be updated is completed, the slave updating system returns the current slave maintenance operation function data to the system to be updated, the system to be updated recovers the corresponding main maintenance operation function according to the current slave maintenance operation function data, the operation of the slave updating system is stopped, and the related hardware resources of the slave updating system domain are recovered to the system to be updated.
Further, in step S02, when setting the system update anomaly parameter, the method specifically includes:
The system to be updated reads the content of its corresponding system update abnormal setting structure and forms a setting data packet, which it sends to the slave updating system;
The slave updating system acquires and parses the data packet and fills the data of the data packet into its own corresponding system update abnormal setting structure.
Further, step S03 further includes: when an update abnormality occurs in the system to be updated, the slave updating system notifies the system to be updated to handle the update abnormality; if a response from the system to be updated is received, the update abnormality response time is ignored and reset; if the response from the system to be updated times out, the update abnormality is handled according to the content of the system update abnormal setting structure held by the slave updating system.
Further, in step S02, when the system to be updated sends the master maintenance operation function data to the slave updating system, the method includes: after the system to be updated writes the main maintenance operation function data packet into the shared memory, triggering the interrupt of the corresponding slave updating system; in step S03, when the slave update system returns the current slave maintenance operation function data to the system to be updated, the method includes: after the slave updating system writes the slave maintenance operation function data packet into the shared memory, triggering the interrupt of the corresponding system to be updated.
Further, the system to be updated corresponds to one or more slave updating systems, and the slave updating system corresponds to one or more systems to be updated; when the system to be updated corresponds to a plurality of slave updating systems, the non-real-time tasks and the real-time tasks of the system to be updated correspond to different slave updating systems.
Further, the master maintenance operation function and the slave maintenance operation function both maintain and manage corresponding tasks through a maintenance task linked list, and the stopping and hardware resource recovery of the slave updating system are maintained by the maintenance task linked list of the corresponding slave updating system.
A system updating device based on multi-system isolation, comprising:
the multi-system isolation module is used for isolating the hardware resources of the multi-core chip into a system domain to be updated and a slave updating system domain, running the system to be updated in the system domain to be updated, and running the slave updating system in the slave updating system domain;
The system to be updated is used for acquiring and verifying an updating instruction, evaluating the slave updating system after the updating instruction passes the verification, maintaining and managing the slave updating system, then sending the main maintenance operation function data to the slave updating system meeting the condition, and finally carrying out updating operation, if the updating is successful, acquiring the slave maintenance operation function data of the slave updating system and recovering the corresponding main maintenance operation function according to the current slave maintenance operation function data;
The slave updating system is used for running the corresponding slave maintenance operation function according to the master maintenance operation function data of the system to be updated, returning the current slave maintenance operation function data to the system to be updated after the system to be updated is successfully updated, and recovering the system to be updated or continuing the updating operation of the system to be updated according to the setting after the system to be updated fails to be updated.
Compared with the prior art, the invention has the advantages that:
The invention separates the system domain to be updated from the slave updating system domain by hardware isolation. Before the system is updated, it queries or creates a slave updating system and acquires the relevant system resources and data of that slave updating system; after the system update starts, the slave updating system maintains the main maintenance operation functions that need to keep running, so that they remain usable during the update and restart stages. After the update of the system to be updated is finished, the related system resources and data are transferred from the slave updating system back to the system to be updated, so that the corresponding main maintenance operation functions of the system to be updated still operate normally once the update is complete. The invention thus keeps the main maintenance operation functions usable and the related data safe while the system is updated. Because the slave updating system is independent, the related data remain safe after the system loses power, and the update can be recovered and continued, which makes the update safe against power failure.
Drawings
FIG. 1 is a schematic flow chart of a system updating method based on multi-system isolation according to an embodiment of the present invention.
FIG. 2 is a detailed flow chart of a system update method based on multi-system isolation according to an embodiment of the present invention.
FIG. 3 is a schematic diagram of an overall frame according to an embodiment of the present invention.
FIG. 4 is a flow chart of the communication between the system to be updated and the slave updating system according to the embodiment of the invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Integrating multiple processor cores in a chip design has become commonplace, and it significantly enhances the processing power and system flexibility of the chip. Integrating a plurality of CPU cores on the same chip improves parallel processing efficiency and widens the design options for coping with growing computing demands and complex application scenarios. Hypervisor technology (a virtualization management program in a computer system) adds further capabilities: processor cores, memory, peripherals and other hardware are isolated by hardware isolation mechanisms such as jailhouse and kvisor, and the resulting system domains run different operating systems. The system domains can be divided into a master system domain and slave system domains; the operating systems running in the domains do not affect each other and communicate through shared memory. In the invention, the related hardware resources, including processor cores, memory and peripherals, are isolated through jailhouse, kvisor and the like, and a slave update system is obtained or newly started in preparation for updating the operating system. Once the slave update system is running normally, it obtains the relevant data packets of the system to be updated and takes over the main maintenance operation function smoothly and in real time, so that the function keeps running normally while the operating system is updated. After the update of the system to be updated is completed, the slave update system sends a data packet to the system to be updated, which receives the data and recovers the corresponding main maintenance operation function smoothly and in real time.
When the update of the system to be updated becomes abnormal, the slave update system can restart the system to be updated and assist in completing its update. The method ensures the stability and flexibility of operating system updates and the safety of the related hardware and data resources, and it allows normal operation to be recovered after an update is interrupted by power failure, abnormal restart and the like.
As shown in fig. 1, fig. 2 and fig. 3, the system updating method based on multi-system isolation of the present embodiment is applied to a multi-core chip, where the multi-core chip includes a system domain to be updated and a slave updating system domain. The system to be updated runs in the system domain to be updated and includes a main maintenance operation function and an update processing unit; the slave update system runs in the slave update system domain and includes a slave maintenance operation function and an auxiliary update unit. The method comprises the following steps:
S01, issuing an update instruction to a system to be updated, acquiring the update instruction by the system to be updated, verifying, evaluating the slave update system after verification is passed, and maintaining and managing the slave update system by the system to be updated;
S02, the system to be updated sends the main maintenance operation function data to a slave updating system meeting the conditions, and the slave updating system operates the corresponding slave maintenance operation function according to the main maintenance operation function data and sets system updating abnormal parameters;
S03, the system to be updated performs updating operation, if the updating is successful, the slave updating system returns the current slave maintenance operation function data to the system to be updated, the slave updating system stops operating and the related hardware resources of the slave updating system are recovered to the system to be updated, and the system to be updated recovers the corresponding main maintenance operation function according to the current slave maintenance operation function data.
As shown in fig. 3, in this embodiment, the system to be updated includes an update processing unit, a main maintenance operation function, and the like, where:
the update processing unit is used for updating an operating system of a system to be updated, processing a main maintenance operation function, communicating with a slave update system, managing the slave update system, creating a slave update system domain, operating the slave update system and the like, and the specific functions are as follows:
1. After receiving the operating system update command, the update processing unit acquires the operating system update image and checks whether it is valid; if it is valid, the update processing unit queries whether a slave update system exists and judges whether the slave system domain can run the main maintenance operation function of the system to be updated.
2. When a slave update system is available and can run the main maintenance operation function of the system to be updated, the update processing unit of the system to be updated sends the main maintenance operation function data to the auxiliary update unit of the slave update system, and the auxiliary update unit prepares the corresponding slave maintenance operation function according to the received data.
3. When a slave update system is available but cannot run the main maintenance operation function of the system to be updated, or no slave update system is available, the update processing unit of the system to be updated creates a corresponding slave update system domain and starts a slave update system in it. After the slave update system has started normally, the update processing unit sends the main maintenance operation function data to the auxiliary update unit of the slave update system, and the auxiliary update unit prepares the corresponding slave maintenance operation function according to the received data. At the same time, the update processing unit sets the system update abnormal setting of the auxiliary update unit, and the auxiliary update unit handles an update abnormality of the system to be updated according to that setting.
4. After the update processing unit of the system to be updated has confirmed the system image to be installed, the main maintenance operation function of the system to be updated is first handed over to the auxiliary update unit of the slave update system; the auxiliary update unit runs the corresponding slave maintenance operation function, and only then does the system to be updated start updating its operating system. After the system to be updated or the slave update system writes its data packet into the shared memory, an interrupt is triggered, which ensures the real-time handover from the main maintenance operation function to the corresponding slave maintenance operation function.
5. When the system to be updated has been updated successfully, the update processing unit sends an update completion data packet to the auxiliary update unit of the slave update system; the auxiliary update unit confirms it and then sends the slave maintenance operation function data to the update processing unit, which receives the data and restores the corresponding main maintenance operation function.
6. The auxiliary update unit of the slave update system monitors whether the update of the system to be updated succeeds. When the update fails, the auxiliary update unit, according to the system update abnormal setting, either continues to run the slave maintenance operation function and restores the operation of the system to be updated, or assists in continuing the update of the system to be updated.
7. After the update of the system to be updated is completed, the slave update system may be shut down and its hardware resources reclaimed, provided that it is not in use by any other system to be updated.
8. Either the system to be updated or the slave update system can flexibly be chosen to lead the operating system update of the system to be updated; after an update abnormality of the system to be updated, however, the slave update system leads the update or restores the corresponding system to be updated. When a plurality of slave update systems exist, the update priority in the maintenance task linked list of each slave update system determines which slave update system leads the update or restores the corresponding system to be updated.
9. The system to be updated can choose to send related system data (including system settings, application data, secret data, backup data and the like) through the shared memory to the slave update system for maintenance and management; after the system update is completed, the slave update system returns the related system data to the corresponding system to be updated through the shared memory.
The main maintenance operation function is a task which needs to be operated in the process of updating the operating system by the system to be updated, such as the task functions of current interface display, current operation program, network, keyboard input, mouse control, motor, sensor and the like. The main maintenance operation function maintains and manages the corresponding tasks through a main maintenance task linked list, for example, the main maintenance task linked list is as follows:
#include <stdint.h>

typedef struct k_host_task_s
{
    uint8_t type;      // task type
    uint8_t time;      // real-time performance of the task
    uint8_t status;    // task status
    uint8_t priority;  // update priority
    uint8_t os_num;    // corresponding slave update system
    // structIxol task  (task member; its declaration is garbled in the source)
    struct k_host_task_s *prev;  // point to previous task (member name assumed)
    struct k_host_task_s *next;  // point to the next task (member name assumed)
} k_host_task_t;
The system to be updated configures, through a system update abnormal setting structure, the action each slave update system takes on an update abnormality. The system update abnormal setting structure of the system to be updated is as follows:
#include <stdint.h>

typedef struct k_host_abnormal_s
{
    uint64_t time;   // update exception response time
    uint8_t set;     // update exception handling settings
    uint8_t os_num;  // corresponding slave update system
    struct k_host_abnormal_s *next;  // point to the next setting (member name assumed)
} k_host_abnormal_t;
The slave updating system comprises an auxiliary updating unit, a slave maintenance operation function and the like, wherein the auxiliary updating unit has the following specific functions:
1. After receiving the query data of the update processing unit, the auxiliary update unit of the slave update system checks, according to the acquired data, whether the slave update system can run the corresponding slave maintenance operation function. If it cannot, the auxiliary update unit replies with the corresponding data packet and rejects the connection; if it can, the auxiliary update unit replies with the corresponding data packet and establishes the connection.
2. After receiving the main maintenance operation function data packet from the update processing unit, the auxiliary update unit of the slave update system parses the data and prepares the corresponding slave maintenance operation function accordingly. Once preparation is finished, it can run the corresponding slave maintenance operation function immediately or wait for the maintenance operation function start command of the update processing unit before running it. The auxiliary update unit also receives the system update abnormal setting from the update processing unit, which sets how an update abnormality of the system to be updated is to be handled.
3. After receiving the data packet reporting that the system to be updated was updated successfully, the auxiliary update unit of the slave update system starts to hand back the slave maintenance operation function: it forms the data packets related to the slave maintenance operation function and sends them to the update processing unit; the update processing unit restores the main maintenance operation function according to the received data packets, and the auxiliary update unit closes the corresponding slave maintenance operation function. Writing the corresponding data packet into the shared memory triggers an interrupt, which ensures the real-time handover from the slave maintenance operation function back to the main maintenance operation function.
4. The slave update system can receive the related system data of the system to be updated, maintain the received data while the system to be updated is being updated, and send the data back to the corresponding system to be updated after its update is completed.
5. When one system to be updated corresponds to a plurality of slave update systems and the update of the system to be updated becomes abnormal, the update priority in each slave update system's maintenance task linked list determines which slave update system leads the update or restores the corresponding system to be updated. When a slave update system corresponds to a plurality of systems to be updated, it cannot be stopped and its hardware resources cannot be reclaimed while its maintenance task linked list still holds other slave maintenance operation functions, that is, while other systems to be updated are still using it.
The slave maintenance operation functions are tasks corresponding to the master maintenance operation functions of the system to be updated one by one. The slave maintenance run function maintains and manages the corresponding task by a slave maintenance task linked list, for example, as follows:
#include <stdint.h>

typedef struct k_slave_task_s
{
    uint8_t type;      // task type
    uint8_t time;      // real-time performance of the task
    uint8_t status;    // task status
    uint8_t priority;  // update priority
    uint8_t os_num;    // corresponds to the system to be updated
    // structIxol task  (task member; its declaration is garbled in the source)
    struct k_slave_task_s *prev;  // point to previous task (member name assumed)
    struct k_slave_task_s *next;  // point to the next task (member name assumed)
} k_slave_task_t;
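The reclaim rule and the update-priority rule described above, as an added C example that is not code from the patent: a slave update system hands tasks back per system to be updated and may be stopped only once its maintenance task list is empty. The `prev`/`next` member names, the `slave_system_t` wrapper, the function names and the "larger priority value wins" ordering are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Slave maintenance task node, fields as in k_slave_task_t on the page;
 * prev/next are assumed member names. */
typedef struct k_slave_task_s {
    uint8_t type;      /* task type */
    uint8_t time;      /* real-time performance of the task */
    uint8_t status;    /* task status */
    uint8_t priority;  /* update priority (assumed: larger value wins) */
    uint8_t os_num;    /* system to be updated that owns the task */
    struct k_slave_task_s *prev;
    struct k_slave_task_s *next;
} k_slave_task_t;

/* One slave update system: its id and the head of its maintenance task list
 * (hypothetical wrapper, not from the page). */
typedef struct {
    uint8_t id;
    k_slave_task_t *head;
} slave_system_t;

/* Take over one maintenance function: push the node on the list front. */
void slave_take_over(slave_system_t *s, k_slave_task_t *t)
{
    t->prev = NULL;
    t->next = s->head;
    if (s->head) s->head->prev = t;
    s->head = t;
}

/* Hand back every task owned by os_num after its update has finished.
 * Returns the number of tasks unlinked from the list. */
int slave_hand_back(slave_system_t *s, uint8_t os_num)
{
    int n = 0;
    for (k_slave_task_t *t = s->head, *nx; t; t = nx) {
        nx = t->next;
        if (t->os_num != os_num) continue;
        if (t->prev) t->prev->next = t->next; else s->head = t->next;
        if (t->next) t->next->prev = t->prev;
        t->prev = t->next = NULL;
        n++;
    }
    return n;
}

/* The slave may be stopped and its cores, memory and peripherals returned
 * only when no system to be updated still has a task on its list. */
int slave_can_reclaim(const slave_system_t *s) { return s->head == NULL; }

/* Among several slaves serving os_num, pick the one that leads the update or
 * the restore: the one holding the highest update priority for that system.
 * Returns the slave id, or -1 if no slave serves os_num. */
int dominant_slave(const slave_system_t *slaves, size_t n, uint8_t os_num)
{
    int best_id = -1, best_prio = -1;
    for (size_t i = 0; i < n; i++)
        for (const k_slave_task_t *t = slaves[i].head; t; t = t->next)
            if (t->os_num == os_num && t->priority > best_prio) {
                best_prio = t->priority;
                best_id = slaves[i].id;
            }
    return best_id;
}

int main(void)
{
    /* Constructed sample: slave 10 serves systems 0 and 1. */
    k_slave_task_t ui = {1, 0, 0, 3, 0, NULL, NULL};
    k_slave_task_t net = {2, 0, 0, 5, 1, NULL, NULL};
    slave_system_t s = {10, NULL};
    slave_take_over(&s, &ui);
    slave_take_over(&s, &net);
    slave_hand_back(&s, 0);
    return slave_can_reclaim(&s) ? 1 : 0;  /* system 1 still uses the slave */
}
```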
The system update abnormal setting structure of the slave update system is set by the corresponding system to be updated; the auxiliary update unit reads its content to handle an update abnormality of the system. The system update abnormal setting structure of the slave update system is as follows:
#include <stdint.h>

typedef struct k_slave_abnormal_s
{
    uint64_t time;   // update exception response time
    uint8_t set;     // update exception handling settings
    uint8_t os_num;  // corresponds to the system to be updated
    struct k_slave_abnormal_s *next;  // point to the next setting (member name assumed)
} k_slave_abnormal_t;
The system to be updated and the slave update system can each be linux, an rtos (real-time operating system) or another operating system, and each can run in an isolated master system domain or slave system domain. The number of systems to be updated is not limited, and each can correspond to one or more slave update systems; the specific number is determined by the requirements and the hardware resources. Likewise, one slave update system may serve one or more systems to be updated, as determined by the requirements and the hardware resources.
For example, when the system to be updated is a linux system and its master maintenance operation functions include non-real-time tasks (such as audio and video playback, video recording and interface display) and real-time tasks (such as motor control, sensors and motion control), two slave update systems may be started: a linux slave update system to run the non-real-time tasks and an rtos slave update system to run the real-time tasks. When the operating system is updated, the system to be updated smoothly hands over the non-real-time tasks of the master maintenance operation functions to the linux slave update system and hands over the real-time tasks to the rtos slave update system in real time. If the operating system update takes too long or becomes abnormal, the slave update systems keep the corresponding slave maintenance operation functions in normal use for the duration of the update. After the operating system of the system to be updated has been updated, the linux slave update system smoothly hands the non-real-time tasks of its slave maintenance operation functions back to the system to be updated, and the rtos slave update system hands the real-time tasks of its slave maintenance operation functions back in real time. Maintenance operation functions with stricter requirements on real-time behaviour and on the related hardware resources can be run directly when the slave update system starts, with the related data handed over before it starts. For a hardware-isolated start, the master maintenance operation function that was running before the hardware isolation is handed over to the slave update system, and the slave update system is started in real time to take over that master maintenance operation function.
In step S01 of the present embodiment, the evaluation of the slave update system includes:
S201, judging whether a slave updating system exists, if so, executing a step S202, otherwise, isolating relevant hardware resources of the multi-core chip to create a new slave updating system domain and running the new slave updating system;
S202, judging whether a slave updating system of the slave updating system domain can operate a master maintenance operation function of a system to be updated, if so, the slave updating system is a slave updating system meeting the conditions, the system to be updated transmits a master maintenance operation function data packet to the slave updating system, and the slave updating system operates the corresponding slave maintenance operation function according to the received master maintenance operation function data packet, otherwise, a new slave updating system domain is created, and the slave updating system capable of operating the master maintenance operation function of the system to be updated is operated as a slave updating system meeting the conditions, so that the slave maintenance operation function corresponding to the master maintenance operation function is operated.
In a specific application embodiment, as shown in fig. 4, after receiving an operating system update instruction, the update processing unit of the system to be updated obtains the operating system update image and verifies whether the image is valid. If the update image passes verification, the update processing unit queries whether a slave update system exists and judges whether the slave system domain can run the master maintenance operation function of the system to be updated.
Judging whether the slave system domain can run the master maintenance operation function of the system to be updated comprises: after the auxiliary update unit of the slave update system receives the query data from the update processing unit, it checks, according to that data, whether the slave system can run the corresponding slave maintenance operation function. If it cannot, it replies with a corresponding data packet and rejects the connection. If it can, it replies with a corresponding data packet and establishes the connection.
Further, when a slave update system exists and can run the master maintenance operation function of the system to be updated, the update processing unit of the system to be updated sends the master maintenance operation function data packet and the related system data packet to the auxiliary update unit of the slave update system. The auxiliary update unit parses the received packets, prepares the corresponding slave maintenance operation function according to the parsed data, and processes the related system data. Once preparation is complete, it can run the corresponding slave maintenance operation function immediately, or wait for a maintenance operation function start command from the update processing unit and then run it.
When a slave update system exists but cannot run the master maintenance operation function of the system to be updated, or when no slave update system meets the requirements, the update processing unit of the system to be updated creates a slave update system domain and starts a slave update system in that domain. After the slave update system has started normally, the update processing unit sends the master maintenance operation function data packet and the related system data packet to the auxiliary update unit of the slave update system, which prepares the corresponding slave maintenance operation function and processes the related system data according to the received packets. At the same time, the update processing unit configures the system update abnormality setting of the auxiliary update unit, and the auxiliary update unit handles an abnormal update according to that setting if the update of the system to be updated becomes abnormal.
Thus, in step S02, setting the system update abnormality parameter specifically means configuring the system update abnormality setting of the slave update system, and includes the following steps:
1. The update processing unit of the system to be updated reads the content of the corresponding system update abnormality setting structure, forms a setting data packet, and sends it to the auxiliary update unit of the slave update system.
2. The auxiliary update unit receives and parses the data packet sent by the update processing unit and fills the data into the corresponding system update abnormality setting structure of the slave update system. The update exception handling setting includes an assist update mode, in which the slave update system leads the update of the system to be updated when that update becomes abnormal, and a recovery system mode, in which the slave update system restores the system to be updated to its pre-update state when that update becomes abnormal; other modes can also be defined.
In step S03 of this embodiment, after the system to be updated is updated successfully, the update processing unit of the system to be updated sends an update completion data packet to the auxiliary update unit of the slave update system, and the auxiliary update unit packages and sends the current slave maintenance operation function data and the related system data packet to the update processing unit, and the update processing unit receives the slave maintenance operation function data and restores the corresponding master maintenance operation function, and simultaneously receives the new related system data packet to update the related system data.
Specifically, after receiving the data packet indicating that the system to be updated was updated successfully, the auxiliary update unit of the slave update system starts to hand over the slave maintenance operation functions of the slave update system: it packages the data related to the slave maintenance operation functions and sends the packets to the update processing unit. The update processing unit restores the master maintenance operation functions according to the received packets, and the auxiliary update unit shuts down the corresponding slave maintenance operation functions.
After the update of the system to be updated fails, the slave update system keeps the required slave maintenance operation functions running normally and collects the update failure log. According to the setting, it either continues to attempt the update of the system to be updated or restores the system to be updated, and after restoration it hands the related slave maintenance operation functions, system resources and data over to the system to be updated. Therefore, in this embodiment, after the update of the system to be updated fails, the auxiliary update unit of the slave update system can keep running the slave maintenance operation functions and restore the operation of the system to be updated, or it can assist in continuing the update of the system to be updated.
Specifically, in step S03, the auxiliary update unit of the slave update system monitors whether the update is proceeding normally, using the update exception response time from the system update abnormality setting. When the update exception response time is exceeded, it determines that the update of the system to be updated is abnormal, and, according to the update exception handling setting, decides whether to continue attempting the update or to restart the system to be updated and restore its operation. Step S03 further includes the following steps:
1. If the auxiliary update unit of the slave update system does not receive the update completion data packet from the update processing unit of the system to be updated within the specified time, the update of the system to be updated is considered abnormal. The auxiliary update unit then attempts to notify the update processing unit of the system to be updated of the abnormality; if the update processing unit responds, the abnormality is ignored and the update exception response time is reset.
2. When the auxiliary update unit of the slave update system receives no response from the update processing unit of the system to be updated, the update is considered to have failed. If the system update abnormality parameter is the parameter of the assist update mode, that is, the update exception handling setting in the corresponding system update abnormality setting structure of the slave update system is set to the assist update mode, the auxiliary update unit leads the update of the system to be updated: it obtains the update image of the system to be updated and updates the system to be updated. After the update is complete, it returns the current maintenance operation function data and the related system data to the update processing unit of the system to be updated, thereby handing over the maintenance operation tasks and the related system data. When no other system to be updated is using the slave update system, the slave update system is stopped and the related hardware resources of the slave update system domain are reclaimed to the system to be updated, thereby handing over the related hardware resources.
3. When the auxiliary update unit of the slave update system receives no response from the update processing unit of the system to be updated, the update is considered to have failed. If the system update abnormality parameter is the parameter of the recovery system mode, that is, the update exception handling setting in the corresponding system update abnormality setting structure of the slave update system is set to the recovery system mode, the auxiliary update unit restarts the system to be updated to restore its operation. After the restart is complete, it returns the current maintenance operation function data and the related system data to the update processing unit of the system to be updated, thereby handing over the maintenance operation tasks and the related system data. When no other system to be updated is using the slave update system, the slave update system is stopped and its related hardware resources are reclaimed, thereby handing over the related hardware resources.
This embodiment can flexibly choose whether the system to be updated or the slave update system leads the operating system update of the system to be updated; once the operating system update becomes abnormal, however, the slave update system leads the update action. The slave update system monitors the update state of the system to be updated and collects update failure information after the update fails; depending on the setting, it can restore the running state the system to be updated had before the update, or assist in continuing the update.
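The timeout handling in steps 1 to 3 above, together with the rule that a slave update system may be stopped only when no other system to be updated still uses it, can be sketched as the decision function below. This is an added example, not code from the patent; the mode values, the action names, the prev/next field names, the tick-based clock and the constructed sample data are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uint8_t  uint8;    /* the page's uint8/uint64, mapped to <stdint.h> (assumption) */
typedef uint64_t uint64;

/* Assumed encodings: the page names the two modes but gives no values. */
enum { K_SET_ASSIST_UPDATE = 1, K_SET_RECOVER_SYSTEM = 2 };

typedef struct k_slave_task_s {
    uint8 type, time, status, priority;
    uint8 os_num;                          /* owning system to be updated */
    struct k_slave_task_s *prev, *next;    /* pointer field names assumed */
} k_slave_task_t;

typedef struct k_slave_abnormal_s {
    uint64 time;                           /* update exception response time, in ticks */
    uint8  set;                            /* update exception handling setting */
    uint8  os_num;                         /* corresponding system to be updated */
    struct k_slave_abnormal_s *next;
} k_slave_abnormal_t;

typedef enum {
    ACT_WAIT,            /* still inside the response time */
    ACT_HAND_BACK,       /* update completion packet arrived: return tasks and data */
    ACT_RESET_TIMER,     /* step 1: peer answered the notification */
    ACT_LEAD_UPDATE,     /* step 2: assist update mode */
    ACT_RESTART_TARGET,  /* step 3: recovery system mode */
    ACT_KEEP_RUNNING     /* no usable setting: keep slave functions up, change nothing */
} k_action_t;

/* Decide what the auxiliary update unit does at tick `now` for system `os_num`. */
k_action_t k_watchdog_decide(const k_slave_abnormal_t *settings, uint8 os_num,
                             uint64 started, uint64 now,
                             int done_received, int ping_answered)
{
    const k_slave_abnormal_t *s = settings;

    if (done_received)
        return ACT_HAND_BACK;
    while (s != NULL && s->os_num != os_num)
        s = s->next;
    if (s == NULL)
        return ACT_KEEP_RUNNING;           /* fail safe: never act without a setting */
    if (now - started <= s->time)          /* unsigned subtraction tolerates tick wraparound */
        return ACT_WAIT;
    if (ping_answered)
        return ACT_RESET_TIMER;
    switch (s->set) {
    case K_SET_ASSIST_UPDATE:  return ACT_LEAD_UPDATE;
    case K_SET_RECOVER_SYSTEM: return ACT_RESTART_TARGET;
    default:                   return ACT_KEEP_RUNNING;   /* unknown mode value */
    }
}

/* After handing back the tasks of `finished_os`: the slave may be stopped and its
 * hardware reclaimed only if no task in the list belongs to another system. */
int k_slave_can_stop(const k_slave_task_t *head, uint8 finished_os)
{
    const k_slave_task_t *t;
    for (t = head; t != NULL; t = t->next)
        if (t->os_num != finished_os)
            return 0;
    return 1;
}

/* Constructed sample data: system 1 uses assist mode, system 2 uses recovery mode. */
k_slave_abnormal_t demo_settings[2] = {
    { .time = 100, .set = K_SET_ASSIST_UPDATE,  .os_num = 1, .next = &demo_settings[1] },
    { .time = 50,  .set = K_SET_RECOVER_SYSTEM, .os_num = 2, .next = NULL },
};
k_slave_task_t demo_tasks[3] = {
    { .priority = 1, .os_num = 1, .prev = NULL,           .next = &demo_tasks[1] },
    { .priority = 2, .os_num = 2, .prev = &demo_tasks[0], .next = &demo_tasks[2] },
    { .priority = 3, .os_num = 2, .prev = &demo_tasks[1], .next = NULL },
};

int main(void)
{
    printf("os 1 at tick 150, peer silent: action %d\n",
           (int)k_watchdog_decide(demo_settings, 1, 0, 150, 0, 0));
    printf("stop slave after os 1 is done: %d\n", k_slave_can_stop(demo_tasks, 1));
    return 0;
}
```

Returning ACT_KEEP_RUNNING for a missing or unknown setting keeps the slave maintenance operation functions alive without restarting or reflashing a system on the strength of an unreadable configuration.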
In this embodiment, the systems running in each system domain communicate with each other through a shared memory, and in step S02, when the system to be updated sends the main maintenance operation function data to the slave updating system, the method includes: after the system to be updated writes the main maintenance operation function data packet into the shared memory, triggering the interrupt of the corresponding slave updating system; in step S03, when the slave update system returns the current slave maintenance operation function data to the system to be updated, the method includes: after the slave updating system writes the slave maintenance operation function data packet into the shared memory, triggering the interrupt of the corresponding system to be updated.
Specifically, after the system to be updated writes the data packet composed of the related data of its master maintenance operation function into the shared memory, it triggers the interrupt of the slave update system, so that the handover from the master maintenance operation function to the corresponding slave maintenance operation function happens in real time.
After the slave update system writes the data packet composed of the related data of its slave maintenance operation function into the shared memory, it triggers the interrupt of the system to be updated, so that the handover from the slave maintenance operation function to the corresponding master maintenance operation function happens in real time.
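The shared-memory handover described above, as an added example that is not code from the patent: the receiving domain's interrupt handler snapshots the packet header once, bounds-checks the length, rejects stale sequence numbers and verifies a checksum on its private copy before using the data. The packet layout, magic value, error codes and FNV-1a checksum are assumptions, and a plain array stands in for the shared memory region.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define K_SHM_SIZE  256u
#define K_PKT_MAGIC 0x4B55u              /* assumed marker value */

typedef struct {                         /* assumed header layout, 16 bytes */
    uint16_t magic;
    uint8_t  os_num;                     /* sending system */
    uint8_t  kind;                       /* packet type, e.g. task data */
    uint32_t seq;                        /* increases with every packet */
    uint32_t len;                        /* payload bytes following the header */
    uint32_t sum;                        /* FNV-1a over the payload */
} k_pkt_hdr_t;

#define K_PKT_MAX (K_SHM_SIZE - (uint32_t)sizeof(k_pkt_hdr_t))

enum { K_ERR_MAGIC = -1, K_ERR_PEER = -2, K_ERR_LEN = -3, K_ERR_REPLAY = -4, K_ERR_SUM = -5 };

uint8_t k_shm[K_SHM_SIZE];               /* constructed stand-in for the shared region */

/* FNV-1a: detects torn or corrupted packets; it does not authenticate the sender. */
static uint32_t k_sum(const uint8_t *p, uint32_t n)
{
    uint32_t h = 2166136261u;
    while (n--) { h ^= *p++; h *= 16777619u; }
    return h;
}

/* Sender side: payload first, header last; on hardware a memory barrier and the
 * interrupt trigger would follow the header write. */
int k_shm_send(uint8_t *shm, uint8_t os_num, uint8_t kind, uint32_t seq,
               const void *payload, uint32_t len)
{
    k_pkt_hdr_t h = { K_PKT_MAGIC, os_num, kind, seq, len, 0 };

    if (len > K_PKT_MAX)
        return K_ERR_LEN;
    h.sum = k_sum((const uint8_t *)payload, len);
    memcpy(shm + sizeof h, payload, len);
    memcpy(shm, &h, sizeof h);
    return 0;
}

/* Receiver side, called from the interrupt handler. Returns the payload length
 * or a negative K_ERR_* code; *last_seq advances only for an accepted packet. */
int k_shm_receive(const uint8_t *shm, uint8_t expected_os, uint32_t *last_seq,
                  uint8_t *out, uint32_t out_cap)
{
    k_pkt_hdr_t h;

    memcpy(&h, shm, sizeof h);           /* single fetch: every check uses this copy */
    if (h.magic != K_PKT_MAGIC)  return K_ERR_MAGIC;
    if (h.os_num != expected_os) return K_ERR_PEER;
    if (h.len > K_PKT_MAX || h.len > out_cap) return K_ERR_LEN;
    if (h.seq <= *last_seq)      return K_ERR_REPLAY;

    memcpy(out, shm + sizeof h, h.len);  /* copy out, then verify the private copy */
    if (k_sum(out, h.len) != h.sum) {
        memset(out, 0, h.len);           /* do not leave unverified data behind */
        return K_ERR_SUM;
    }
    *last_seq = h.seq;
    return (int)h.len;
}

int main(void)
{
    const char msg[] = "motor:rpm=1200"; /* constructed task data */
    uint8_t out[64];
    uint32_t last = 0;
    int n;

    k_shm_send(k_shm, 1, 1, 1, msg, (uint32_t)(sizeof msg - 1));
    n = k_shm_receive(k_shm, 1, &last, out, (uint32_t)sizeof out);
    printf("first delivery: %d bytes, replayed delivery: %d\n",
           n, k_shm_receive(k_shm, 1, &last, out, (uint32_t)sizeof out));
    return 0;
}
```

Because both domains can write the shared region, the receiver validates only its local header copy and its copied payload, so a change made to shared memory after the checks cannot alter what gets parsed.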
The embodiment also provides a system updating device based on multi-system isolation, which comprises:
The multi-system isolation module is used for isolating hardware resources of the multi-core chip into different system domains, wherein the different system domains comprise a system domain to be updated and a slave updating system domain, the system to be updated is operated in the system domain to be updated, and the slave updating system is operated in the slave updating system domain;
The system to be updated is used for acquiring and verifying an updating instruction, evaluating the slave updating system after the updating instruction passes the verification, maintaining and managing the slave updating system, then sending the main maintenance operation function data to the slave updating system meeting the condition, and finally carrying out updating operation, if the updating is successful, acquiring the slave maintenance operation function data of the slave updating system and recovering the corresponding main maintenance operation function according to the current slave maintenance operation function data;
the slave updating system is used for running the corresponding slave maintenance operation function according to the master maintenance operation function data of the system to be updated, returning the current slave maintenance operation function data to the system to be updated after the system to be updated is successfully updated, and recovering the system to be updated or continuing the updating operation of the system to be updated according to the setting after the system to be updated fails to be updated.
In summary, the present invention provides a system updating method and device based on multi-system isolation, which has the following advantages:
1. A new system update mode is provided. Two system domains are isolated by hardware isolation (not software isolation), and the resources of the two domains are invisible to each other. Before the system update, a "slave update system" is queried or created and obtains the related system resources and data of the "system to be updated"; after the update starts, the "slave update system" takes over, in real time, the master maintenance operation functions that must keep running (such as desktop display, database operation, motor control and sensors). This ensures that those master maintenance operation functions remain in normal use during the update and restart stages. After the update of the system to be updated is finished, the related system resources and data are handed back from the slave update system to the system to be updated, so that the master maintenance operation functions still run normally after the update. In other words, a system update does not affect the use of the functions that require master maintenance, and the related data is not lost. Because the slave update system is independent, the related data remains safe after the system loses power, and the update action can be recovered and continued, which ensures power-loss update safety. Peripheral devices (mouse, keyboard, USB drive and the like) cannot influence the system update.
2. The update of the "system to be updated" can optionally be led by the isolated "slave update system". While holding the related system resources and data and keeping the slave maintenance operation functions running normally, the slave update system reads the system image data from an image source isolated to the slave update system (such as a network or a USB drive) and updates the system image storage device of the system to be updated. After the update is complete, the related slave maintenance operation functions, system resources and data are handed over to the system to be updated. This increases the flexibility and safety of the update.
3. After the update of the system to be updated fails, the slave update system keeps the required slave maintenance operation functions running normally and collects an update failure log. According to the setting, it either continues to attempt the update of the system to be updated or restores the system to be updated, and after restoration it hands the related maintenance operation functions, system resources and data over to the system to be updated. An update failure does not affect the operation of the system, and the safety of the related data is ensured.
4. During the update, the related data is handed over from the system to be updated to the slave update system, which ensures data safety. The slave update system also verifies the security of the system to be updated, ensuring that the updated system has not been tampered with. Restoring the settings from the slave update system after the update ensures that the related settings of the system to be updated remain unique, private and confidential (the settings of thousands of nodes may all differ).
5. The "slave update system" of the isolated system can flexibly be an operating system such as linux or rtos, and there can be a plurality of "slave update systems"; real-time communication through shared memory and interrupts ensures the stability, feasibility and reliability of the operation functions to be maintained.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit the present invention in any way. While the invention has been described with reference to preferred embodiments, it is not intended to be limiting. Therefore, any simple modification, equivalent variation and modification of the above embodiments according to the technical substance of the present invention shall fall within the scope of the technical solution of the present invention.

Claims (9)

S03, the system to be updated performs updating operation, if the updating is successful, the slave updating system returns the current slave maintenance operation function data to the system to be updated, specifically, after the slave updating system writes the slave maintenance operation function data packet into the shared memory, the interrupt of the corresponding system to be updated is triggered, the system to be updated restores the corresponding master maintenance operation function according to the current slave maintenance operation function data, the slave maintenance operation function is a task corresponding to the master maintenance operation function of the system to be updated one by one, and if the slave updating system does not have other slave maintenance operation functions, the operation of the slave updating system is stopped and related hardware resources of the slave updating system domain are recovered to the system to be updated.
3. The system updating method based on multi-system isolation according to claim 1, wherein step S03 further comprises: if the updating fails and the system updating abnormal parameters are parameters of a recovery system mode, the slave updating system continues to operate the slave maintenance operation function and restarts the system to be updated to recover the operation of the system to be updated, the slave updating system returns the current slave maintenance operation function data to the system to be updated, the system to be updated recovers the corresponding main maintenance operation function according to the current slave maintenance operation function data, and after the system to be updated recovers the normal operation, the operation of the slave updating system is stopped and the related hardware resources of the slave updating system domain are recovered to the system to be updated.
4. The system updating method based on multi-system isolation according to claim 1, wherein step S03 further comprises: if the updating fails and the system updating abnormal parameter is a parameter of the assist update mode, the slave updating system continues to try to update the system to be updated according to the setting, which comprises the following steps: the slave updating system acquires an update image of the system to be updated and updates the system to be updated while continuing to operate the slave maintenance operation function, and returns the current slave maintenance operation function data to the system to be updated after the updating of the system to be updated is completed; the system to be updated recovers the corresponding master maintenance operation function according to the current maintenance operation function data, the operation of the slave updating system is stopped, and related hardware resources of the slave updating system domain are recovered to the system to be updated.
The system to be updated is used for acquiring an updating instruction and verifying, evaluating the slave updating system after the verification is passed, maintaining and managing the slave updating system, then sending main maintenance operation function data to the slave updating system meeting the condition, specifically, after writing a main maintenance operation function data packet into a shared memory, triggering interruption of the corresponding slave updating system, wherein the main maintenance operation function is a task required to be operated in the process of updating an operating system of the system to be updated, finally, updating, if the updating is successful, acquiring the slave maintenance operation function data of the slave updating system and recovering the corresponding main maintenance operation function according to the current slave maintenance operation function data, wherein the slave maintenance operation function is a task corresponding to the main maintenance operation function of the system to be updated one by one, and if the slave updating system does not have other slave maintenance operation functions, stopping the operation of the slave updating system and recovering related hardware resources of a slave updating system domain to the system to be updated;
Application CN202410906295.2A, priority date 2024-07-08, filing date 2024-07-08: System updating method and device based on multi-system isolation. Status: Active. Publication: CN118445818B (en)

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN202410906295.2A, CN118445818B (en) | 2024-07-08 | 2024-07-08 | System updating method and device based on multi-system isolation

Applications Claiming Priority (1)

Application Number | Priority Date | Filing Date | Title
CN202410906295.2A, CN118445818B (en) | 2024-07-08 | 2024-07-08 | System updating method and device based on multi-system isolation

Publications (2)

Publication Number | Publication Date
CN118445818A (en) | 2024-08-06
CN118445818B (en) | 2024-10-11

Family

ID=92318109

Family Applications (1)

Application Number | Title | Priority Date | Filing Date
CN202410906295.2A (Active, CN118445818B (en)) | System updating method and device based on multi-system isolation | 2024-07-08 | 2024-07-08

Country Status (1)

Country | Link
CN (1) | CN118445818B (en)


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant

©2009-2025 Movatter.jp