CN115755665A - Monitoring management module and method, microcontroller, computer program and storage medium - Google Patents

Info

Publication number: CN115755665A
Application number: CN202211275464.4A
Authority: CN (China)
Legal status: Pending
Other languages: Chinese (zh)
Inventors: 单忠伟, 刘宁
Current and original assignee: United Automotive Electronic Systems Co Ltd
Prior art keywords: virtual machine, monitoring management, monitoring, security mechanism, microcontroller
Landscapes: Debugging And Monitoring (AREA)

Abstract

The invention provides a monitoring management module and method, a microcontroller, a computer program and a storage medium. The monitoring management module uniformly runs the safety mechanisms unrelated to the functions of the virtual machines, or runs both those and the safety mechanisms corresponding to the virtual machines that have been started. When a safety mechanism reports a monitoring error, a global response or a partition response is executed if the error is unrelated to a virtual machine function, and the fault response of the corresponding virtual machine is executed if it is related. By managing every safety mechanism uniformly, the safe operating environment of each virtual machine is ensured to the greatest extent, the virtual machines do not need to provide their own safety assurance, the development workload of virtual machine monitoring software is reduced, hardware resources in the microcontroller and computing resources of the central processing unit are saved, and cost is effectively reduced. In addition, the fault responses are managed separately, so that virtual machines unaffected by the fault can keep running as far as possible, improving system availability while ensuring system safety.

Description

Monitoring management module and method, microcontroller, computer program and storage medium
Technical Field
The invention relates to the technical field of intelligent automobiles, in particular to a monitoring management module and method, a microcontroller, a computer program and a storage medium.
Background
Automobile modernization means electrification, intelligence, connectivity and sharing, and is currently the major direction of transformation in the automotive industry. As new technologies advance, the functions in the vehicle become increasingly complex, and the traditional distributed Electronic and Electrical Architecture (EEA) can no longer keep up with this trend. The electronic-electrical architecture is therefore evolving step by step from the original distributed form towards domain-centralized and then central-centralized forms, to realize the vision of the "software-defined car".
In a domain-centralized or central-centralized electrical and electronic architecture, the number of controllers is reduced, and the form and responsibilities of the controllers change dramatically. The functions of traditional embedded controllers show a trend towards integration, which reduces communication overhead and hardware and mechanical cost and improves the degree of automation in production and manufacturing. To meet the demand for controller integration, virtualization technology is gradually being applied to automotive embedded controllers; it is an advanced technology and a powerful means for integrating the functions of several controllers into one Micro-Controller Unit (MCU). That is, software that originally ran on several separate controllers can run on the same microcontroller in the form of Virtual Machines (VMs), with a Virtual Machine Monitor (Hypervisor) coordinating the management of each VM and configuring the hardware resources.
However, as the integration of the microcontroller becomes higher and the number of virtual machines grows, control becomes more convenient and diverse, but unavoidable systematic failures and random hardware failures also bring certain risks to the safety of the whole vehicle. Although the existing software and hardware modules in the microcontroller have mature safety mechanisms that carry out the corresponding safety monitoring, the high integration of software and hardware brings together a large number of safety mechanisms, and if these are not managed in a unified and coordinated manner, various safety problems are inevitable and the required automotive safety integrity level cannot be met. At the same time, security monitoring of virtual machines is still at an early stage, and no systematic management exists yet.
Therefore, a monitoring management module and a monitoring management method applied to virtual machines are needed to ensure the functional safety of each virtual machine and the controller.
Disclosure of Invention
The invention aims to provide a monitoring management module and method, a microcontroller, a computer program and a storage medium, which are used for solving the problem of how to monitor and manage a safety mechanism in a virtual machine and the microcontroller.
In order to solve the above technical problem, the present invention provides a monitoring management method, which is applicable to an electronic device having a virtual machine, and includes:
running the security mechanisms unrelated to the virtual machine functions; or, running the security mechanisms unrelated to the virtual machine functions and also running the security mechanisms corresponding to the virtual machines that have been started;
determining whether any security mechanism reports a monitoring error; if the error is unrelated to a virtual machine function, executing a global response or a partition response; and if it is related to a virtual machine function, executing the fault response of the corresponding virtual machine.
Optionally, in the monitoring management method, the process of running a security mechanism unrelated to the virtual machine function includes:
performing an initialization run for one part of the security mechanisms unrelated to the virtual machine functions, and performing periodic runs for another part of the security mechanisms unrelated to the virtual machine functions.
Optionally, in the monitoring management method, the process of running a security mechanism unrelated to the virtual machine function includes:
configuring the relevant registers of the hardware-implemented security mechanisms in the microcontroller to activate the corresponding security mechanisms and execute one-time or periodic monitoring; and
activating the software-implemented security mechanisms in the microcontroller to execute one-time or periodic monitoring.
Optionally, in the monitoring management method, the security mechanism unrelated to the virtual machine function includes:
a first security mechanism covering failures of the software and hardware resources shared by two or more virtual machines, a second security mechanism preventing mutual interference between the virtual machines, and a security mechanism covering failures of the first and second security mechanisms themselves.
Optionally, in the monitoring management method, the process of running the security mechanism corresponding to the started virtual machine includes:
determining whether each virtual machine has been started, and if so, running the security mechanism corresponding to that virtual machine.
Optionally, in the monitoring management method, the security mechanism corresponding to the started virtual machine includes:
a third security mechanism covering failures of the functions run by the virtual machine, a fourth security mechanism covering the software and hardware resources used exclusively by the virtual machine, a fifth security mechanism preventing the software and hardware resources inside the virtual machine from interfering with each other, and a security mechanism covering failures of the third, fourth and fifth security mechanisms themselves.
Optionally, in the monitoring management method, the started virtual machine configures or runs the corresponding security mechanism by itself.
Optionally, in the monitoring management method, the global response includes at least: causing all of the virtual machines in the microcontroller to enter a safe state or a fail-operational state, and/or shutting down or restarting the microcontroller;
or, where the microcontroller comprises a plurality of partitions and at least some of the partitions contain a number of virtual machines, the partition response includes at least: causing all of the virtual machines in the corresponding partition to enter a safe state or a fail-operational state, and/or restarting or shutting down the corresponding partition.
Optionally, in the monitoring management method, the fault response executed by the corresponding virtual machine includes at least:
causing the corresponding virtual machine to enter a safe state or a fail-operational state, restarting or shutting down the faulty virtual machine, restarting or shutting down the microcontroller in which the virtual machine is located, and/or restarting or shutting down the partition of the microcontroller in which the virtual machine is located.
Optionally, in the monitoring management method, the monitoring management method further includes: periodically sending interaction information to a monitoring module outside the microcontroller in which the virtual machine is located.
Based on the same inventive concept, the invention also provides a monitoring management module which is used for operating at least part of the monitoring management method.
Optionally, in the monitoring management module, the monitoring management module is configured to run the security mechanisms unrelated to the virtual machine functions; or, to run the security mechanisms unrelated to the virtual machine functions and also the security mechanisms corresponding to the started virtual machines; and
the monitoring management module is also used to determine, when a monitoring error is reported, whether the security mechanism corresponding to the software or hardware resource is related to a virtual machine function; if not, a global response or a partition response is executed; if so, the fault response of the corresponding virtual machine is executed, or the corresponding virtual machine executes the fault response itself.
Optionally, in the monitoring management module, when a security mechanism corresponding to a hardware resource reports a fault, the monitoring management module and/or the virtual machine is further configured to determine whether the fault response of that security mechanism runs according to the configuration made by the monitoring management module and/or the virtual machine; if so, the security mechanism corresponding to the hardware resource performs the fault response by itself; if not, the fault response is executed by the software in the monitoring management module and/or the virtual machine that reads back the monitoring state of that security mechanism.
Optionally, in the monitoring management module, when the monitoring management module runs at least part of the monitoring management method, if a security mechanism corresponding to the software and hardware resources of the monitoring management module itself reports a monitoring error, a global response or a partition response is executed.
Based on the same inventive concept, the invention also provides a microcontroller which comprises a plurality of virtual machines and the monitoring management module.
Optionally, in the microcontroller, a virtual machine monitor is stored in the microcontroller, wherein the running of part of the processes in the monitoring management module is executed in the virtual machine monitor, and/or the running of part of the processes in the monitoring management module is executed in a plurality of virtual machines managed by the virtual machine monitor.
Optionally, in the microcontroller, the microcontroller further includes a plurality of cores, and part of the processes of the monitoring management module are executed on cores that are outside the monitoring scope of the virtual machines.
Based on the same inventive concept, the present invention also provides a computer program comprising instructions for executing the monitoring management method when the computer program is executed on a suitable computer device.
Based on the same inventive concept, the present invention also provides a computer-readable storage medium on which the computer program is encoded.
In summary, the present invention provides a monitoring management module and method, a microcontroller, a computer program, and a storage medium. The invention divides the safety mechanisms corresponding to the software and hardware resources in the microcontroller into two types, one related to the functions of the virtual machines and the other unrelated to them, so that each type can be managed separately. That is, the security mechanisms unrelated to the virtual machine functions are run uniformly by the monitoring management module; or, the security mechanisms unrelated to the virtual machine functions and the security mechanisms corresponding to the started virtual machines are all run in a unified way. When a safety mechanism reports a monitoring error, a global response or a partition response is executed if the error is unrelated to a virtual machine function, and the fault response of the corresponding virtual machine is executed if it is related. Further, if a security mechanism corresponding to the software and hardware resources of the monitoring management module itself reports a monitoring error, a global response or a partition response is executed preferentially to ensure the safety of the system. Through unified management of every safety mechanism, the diagnostic coverage of each software and hardware resource is improved, a higher safety level is achieved, the safe operating environment of each virtual machine is ensured to the greatest extent, the virtual machines do not need to provide their own safety assurance, the development workload of virtual machine monitoring software is greatly reduced, hardware resources in the microcontroller and computing resources of the central processing unit are saved, and cost is effectively reduced.
In addition, the fault responses are managed separately, so that the virtual machines and other software and hardware resources unaffected by the fault can keep running as far as possible, improving system availability while ensuring system safety.
Drawings
Fig. 1 is a flowchart of a monitoring management method according to an embodiment of the present invention.
Fig. 2 is a flowchart of a monitoring management method according to an embodiment of the present invention.
Fig. 3 is a flowchart of a monitoring management method according to an embodiment of the present invention.
Fig. 4 is a flow chart of a hardware resource security mechanism reporting an error fault response according to an embodiment of the present invention.
Detailed Description
To further clarify the objects, advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof which are illustrated in the appended drawings. It is to be noted that the drawings are in simplified form and are not to scale, but are provided for the purpose of facilitating and clearly illustrating embodiments of the present invention. Further, the structures illustrated in the drawings are often part of actual structures. In particular, the drawings may have different emphasis points and may sometimes be scaled differently. It should also be understood that the terms "first," "second," "third," and the like in the description are used for distinguishing between various components, elements, steps, and the like, and not for describing a sequential or logical relationship between various components, elements, steps, or the like, unless otherwise specified or indicated.
Referring to fig. 1, the present embodiment provides a monitoring management method, which is applicable to an electronic device with a virtual machine, and the monitoring management method includes:
step one S10: running the security mechanisms unrelated to the virtual machine functions; or, running the security mechanisms unrelated to the virtual machine functions and also running the security mechanisms corresponding to the virtual machines that have been started;
step two S20: determining whether any security mechanism reports a monitoring error; if the error is unrelated to a virtual machine function, executing a global response or a partition response; and if it is related to a virtual machine function, executing the fault response of the corresponding virtual machine.
Through unified management of every safety mechanism, the diagnostic coverage of each software and hardware resource is improved, a higher safety level is achieved, the safe operating environment of each virtual machine is ensured to the greatest extent, the virtual machines do not need to provide their own safety assurance, the development workload of virtual machine monitoring software is greatly reduced, hardware resources in the microcontroller and computing resources of the central processing unit are saved, and cost is effectively reduced. In addition, the fault responses are managed separately, so that the virtual machines unaffected by the fault can keep running as far as possible, improving system availability while ensuring system safety.
The monitoring management method provided by the present embodiment is specifically described below with reference to fig. 1 to 4.
It should be noted that a vehicle-mounted controller generally includes several microcontrollers, and each microcontroller includes a plurality of hardware devices and a plurality of software components running on that hardware. Most of the hardware devices have a security mechanism that monitors their own safety, and the software components likewise have security mechanisms that monitor their own safety. Accordingly, the software resources and hardware resources corresponding to a virtual machine each have a security mechanism that monitors the safety of the virtual machine. For a microcontroller with virtual machines, the present embodiment therefore divides the security mechanisms corresponding to its internal software and hardware resources into two types: one type is related to virtual machine functionality and the other type is unrelated to it. Specifically, a security mechanism related to a virtual machine function is one that corresponds to the software and hardware resources dedicated to a single virtual machine; a security mechanism unrelated to the virtual machine functions is one that corresponds to software and hardware resources used by two or more virtual machines, that is, resources shared by several virtual machines.
Further, the security mechanisms unrelated to the virtual machine functions include, but are not limited to: a first security mechanism covering failures of the software and hardware resources shared by two or more virtual machines, a second security mechanism preventing mutual interference between the virtual machines, and a security mechanism covering failures of the first and second security mechanisms themselves. Specifically, the first security mechanism may be a single-point-failure and common-cause-failure security mechanism, or a security mechanism for managing the resources shared between virtual machines. The single-point-failure and common-cause-failure security mechanism is a safety monitoring module for single-point and common-cause failures, that is, a security mechanism for the safety monitoring of the power supply, clocks, buses, cores, storage and the like. It will be appreciated that the resources supervised by these security mechanisms are used by every virtual machine. The security mechanism for managing the resources shared between virtual machines monitors faults in the use of those shared resources, for example a security mechanism for end-to-end protection of a safety-related packet shared by several virtual machines, or a security mechanism for diagnosing a hardware signal shared by several virtual machines. The second security mechanism ensures independence between the virtual machines and prevents them from interfering with each other. For example, a pointer in a first virtual machine originally points to a register of the first virtual machine, but because of crosstalk it points to a register in a second virtual machine and accesses data of the second virtual machine, so that the first virtual machine fails; the tamper-proof security mechanism between the virtual machines, i.e. the second security mechanism, responds to this failure. The security mechanism covering failures of the first and second security mechanisms prevents the failure of the safety mechanism module itself, that is, it monitors the case in which the first and/or second security mechanism fails; for example, a security mechanism that supervises the single-point-failure and common-cause-failure security mechanism, i.e. supervision of the dual-point failure problem.
Further, the security mechanisms related to the virtual machine functions, i.e. the security mechanisms corresponding to the started virtual machines, include but are not limited to: a third security mechanism covering failures of the functions run by the virtual machine, a fourth security mechanism covering the software and hardware resources used exclusively by the virtual machine, a fifth security mechanism preventing the software and hardware resources inside the virtual machine from interfering with each other, and a security mechanism covering failures of the third, fourth and fifth security mechanisms themselves. The third security mechanism is the security mechanism corresponding to a particular function executed by the virtual machine, or the security mechanisms corresponding to several such functions; it supervises the execution of that particular function. The fourth security mechanism is the safety supervision of the software and hardware resources dedicated to a particular virtual machine. The fifth security mechanism is responsible for supervising interference between the internal resources of a virtual machine. The security mechanism covering failures of the third, fourth and fifth security mechanisms is likewise dual-point fault monitoring, used to prevent the failure of the safety mechanism module itself. It will be appreciated that the security mechanisms related to virtual machine functionality are specific to each virtual machine.
Based on this, and referring to fig. 1 and fig. 2 to 3, step one S10 runs the security mechanisms unrelated to the virtual machine functions; or runs the security mechanisms unrelated to the virtual machine functions and also the security mechanisms corresponding to the started virtual machines.
As shown in fig. 2, running only the security mechanisms unrelated to the virtual machine functions means that the monitoring management method uniformly manages only the security mechanisms corresponding to the software and hardware resources unrelated to the virtual machine functions, while the security mechanisms corresponding to the software and hardware resources related to the virtual machine functions may be configured or run by the virtual machines themselves. As shown in fig. 3, running both the security mechanisms unrelated to the virtual machine functions and the security mechanisms corresponding to the started virtual machines means that the monitoring management method uniformly manages the security mechanisms corresponding to all software and hardware resources in the microcontroller.
Further, running the security mechanisms unrelated to the virtual machine functions includes: performing an initialization run for one part of these security mechanisms and periodic runs for another part. The initialization run corresponds to security mechanisms that only need to perform power-on monitoring once; the periodic run corresponds to security mechanisms that execute cyclically after start-up. The security mechanisms that generally only need to perform power-on monitoring once are the hardware security mechanisms unrelated to the virtual machine functions, although some of those hardware security mechanisms may also run periodically. Furthermore, since the hardware monitored by these mechanisms is global hardware and the operating basis of all software, the hardware security mechanisms unrelated to the virtual machine functions must be configured first, to activate the corresponding security mechanism and perform one-time or periodic monitoring. Specifically, the safety monitoring of a hardware resource may be a purely hardware check or a combined hardware and software check. When the hardware provides a corresponding security mechanism, it is only necessary to configure the register of each hardware security mechanism to activate it and perform a one-time power-on check or a periodic check; when the hardware provides no built-in security mechanism, software must read back the diagnostic result, and the diagnostic software corresponding to the hardware is run to perform a one-time power-on check or a periodic check.
After the activation of the security mechanisms corresponding to the hardware resources unrelated to the virtual machines is completed, the security mechanisms corresponding to the software resources unrelated to the virtual machines are started, and a one-time power-on check or a periodic check is performed. Likewise, the security mechanism corresponding to a software resource may be one-time power-on monitoring or periodic monitoring. For example, the security mechanism for tamper prevention between virtual machines and the security mechanism for shared-resource management between virtual machines are run, and a power-on check or a periodic check is performed.
Further, when the monitoring management method uniformly manages the security mechanisms corresponding to all software and hardware resources in the microcontroller, the method further includes, while or after running the security mechanisms unrelated to the virtual machine functions: determining whether each virtual machine has been started and, if so, configuring or running the security mechanisms corresponding to the started virtual machine and performing periodic checks.
The specific manner of determining whether a virtual machine has been started is not limited in this embodiment; the determination may be made sequentially in a loop, or by means of virtual machine monitor recognition or the like. When a virtual machine runs a specific function, the security mechanism corresponding to the peripheral or hardware resource used by that virtual machine must be configured, so as to activate the corresponding security mechanism to run and check. The security mechanism corresponding to the function run by the virtual machine is also run, as are the security mechanisms corresponding to software, such as the security mechanism that evaluates the program-flow check result of the virtual machine.
Further, the security mechanisms related to the virtual machine functions may also be configured or run by the virtual machine itself. It can be understood that the monitoring management method may manage the security mechanisms of all software and hardware in the microcontroller, or may run only the security mechanisms unrelated to the virtual machine functions while the security mechanisms related to a virtual machine are run and managed by that virtual machine; this embodiment does not specifically limit this.
After all the safety mechanisms have been configured or started, step two S20 is executed: determining whether any safety mechanism reports a monitoring error; if the error is unrelated to a virtual machine function, executing a global response or a partition response; and if it is related to a virtual machine function, executing the fault response of the corresponding virtual machine.
Specifically, it is first determined whether the fault is related to the function of a virtual machine. If it is, the corresponding virtual machine executes its fault response; if it is not, a global response or a partition response is executed according to the fault condition. The fault response of the corresponding virtual machine includes at least one of: placing the corresponding virtual machine in a safe state or a fail-operational state, restarting or shutting down the faulty virtual machine, restarting or shutting down the microcontroller hosting the virtual machine, and restarting or shutting down the partition of the microcontroller hosting the virtual machine. Which of these is executed depends on the range of influence of the function the virtual machine performs: if the range of influence is very large, the microcontroller hosting the virtual machine is restarted or shut down; if it is very small, the corresponding virtual machine is merely placed in a safe state or a fail-operational state. Likewise, when the fault is unrelated to a virtual machine function, the main factor in choosing between a global response and a partition response is the range of influence of the fault: a large range calls for a global response, a small range for a partition response. The global response includes at least: placing all of the virtual machines in the microcontroller in a safe state or a fail-operational state, and/or shutting down or restarting the microcontroller. For example, if a global hardware resource of the microcontroller fails, a global response is executed.
It should be noted that a partition response presupposes that the software and hardware resources of the microcontroller are managed per partition; for example, the microcontroller has several cores, and each core can be powered on, powered off or otherwise managed independently without affecting the other cores. When the microcontroller is managed by partition and divided into several partitions, the partition response includes at least: placing all the virtual machines in the affected partition in a safe state or a fail-operational state, and/or restarting or shutting down the affected partition. For example, if a sensor shared by several virtual machines fails, only that sensor is restarted or shut down. After the fault response has been completed, each safety mechanism is reconfigured or restarted so that safety monitoring of the microcontroller continues.
Further, the monitoring management method also includes: periodically sending interaction information to a monitoring module located outside the microcontroller hosting the virtual machines, for example feeding an external watchdog.
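The external watchdog feeding mentioned in the step above, as an added example in C (illustrative code written for this page, not code from the application). It models a windowed watchdog, a common choice for an off-chip monitor in automotive systems: a feed is accepted only inside a time window after the previous feed, a feed that arrives too early is itself a fault because a runaway task feeding in a tight loop must not keep the device alive, and a missed feed expires the watchdog. The window bounds, the tick-based simulation and all names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* State of the external window watchdog as the monitor sees it (assumed model). */
typedef struct {
    uint32_t window_open;  /* earliest tick after the last feed at which a feed is accepted */
    uint32_t window_close; /* tick at which the watchdog expires when no feed has arrived */
    uint32_t since_feed;   /* ticks elapsed since the last accepted feed */
    uint32_t bad_feeds;    /* feeds that arrived before the window opened */
    bool     expired;      /* reset line would have been asserted */
} ext_wdg_t;

void wdg_init(ext_wdg_t *w, uint32_t open, uint32_t close)
{
    w->window_open  = open;
    w->window_close = close;
    w->since_feed   = 0;
    w->bad_feeds    = 0;
    w->expired      = false;
}

/* Advance the watchdog's own clock by one tick; it expires when the window closes. */
void wdg_tick(ext_wdg_t *w)
{
    if (w->expired) return;
    if (++w->since_feed >= w->window_close) w->expired = true;
}

/* The monitor's periodic interaction with the external watchdog. A feed before
 * the window opens is a fault in its own right (a runaway task feeding in a
 * tight loop must not keep the MCU alive), so it expires the watchdog too. */
bool wdg_feed(ext_wdg_t *w)
{
    if (w->expired) return false;
    if (w->since_feed < w->window_open) {
        w->bad_feeds++;
        w->expired = true;
        return false;
    }
    w->since_feed = 0;
    return true;
}

/* Run `ticks` ticks with the monitor feeding every `period` ticks; from tick
 * `hang_at` on the monitor stops feeding (0 = never hangs). Returns true when
 * the MCU survives the run without the watchdog asserting reset. */
bool simulate(ext_wdg_t *w, uint32_t ticks, uint32_t period, uint32_t hang_at)
{
    for (uint32_t t = 1; t <= ticks; t++) {
        wdg_tick(w);
        bool monitor_alive = (hang_at == 0 || t < hang_at);
        if (monitor_alive && period != 0 && t % period == 0) wdg_feed(w);
    }
    return !w->expired;
}
```

With a window of 5 to 10 ticks, a feed period of 8 keeps the device alive, a period of 3 is rejected as too early, a period of 12 misses the window, and a monitor that stops feeding is reset shortly afterwards.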
Based on the same inventive concept, this embodiment also provides a monitoring management module for running at least part of the monitoring management method.
In one embodiment, the monitoring management module is configured to run the whole monitoring management method. That is, from the configuration and start of every safety mechanism in the microcontroller through to the fault response, the monitoring management module manages the safety mechanisms in a unified way. This helps to raise the diagnostic coverage of each software and hardware resource and to reach a higher safety level, ensures the safe operating environment of each virtual machine to the greatest extent, relieves the virtual machines of having to provide safety assurance themselves, greatly reduces the development effort for virtual machine monitoring software, saves hardware resources in the microcontroller and computing resources of the central processing unit, and so reduces cost. In another embodiment, the safety mechanisms related to virtual machine functions may be configured and run by the virtual machines themselves, while the remaining monitoring and management steps are executed by the monitoring management module.
In other embodiments, the monitoring management module runs the safety mechanisms unrelated to virtual machine functions; or it runs the safety mechanisms unrelated to virtual machine functions and the safety mechanisms corresponding to the started virtual machines. The monitoring management module is also configured, when a safety mechanism corresponding to a software resource reports a monitoring error, to determine whether that safety mechanism is related to a virtual machine function; if not, a global response or a partition response is executed; if so, the fault response of the corresponding virtual machine is executed, either by the monitoring management module or by the corresponding virtual machine itself.
It should be noted, referring to fig. 4, that when a safety mechanism corresponding to a hardware resource reports a monitoring error, the monitoring management module and/or the virtual machine is further configured to determine whether the fault response of that safety mechanism has been pre-configured by the monitoring management module and/or the virtual machine. If it has, the hardware safety mechanism executes its fault response by itself; if it has not, the fault response is executed by software, namely by the monitoring management module and/or by the software in the virtual machine that reads back the monitoring state of that hardware safety mechanism. In other words, in the fault response stage a hardware safety mechanism may react autonomously, or the reaction may be carried out uniformly by the monitoring management module. This fault response is not limited to a partition response or a global response; it may be chosen according to the range or degree of influence of the fault.
Further, still referring to figs. 2 to 3, if a safety mechanism corresponding to the software and hardware resources of the monitoring management module itself reports a monitoring error, a global response or a partition response is executed. It will be understood that the safety mechanisms corresponding to the monitoring management module's own resources are not specific to any virtual machine, that is, they belong to the safety mechanisms unrelated to virtual machine functions. However, the monitoring management module is the basis on which every other safety mechanism is monitored, so its failure concerns the global safety of all safety mechanisms. Therefore, a monitoring error in a safety mechanism corresponding to the monitoring management module's own resources has the highest fault-response priority, and the global response or partition response is executed first. When the resources inside the microcontroller are managed by partition, a partition response may be executed for an error reported by the monitoring management module's safety mechanism. Accordingly, when the monitoring management method runs, because the safety mechanisms corresponding to the monitoring management module's own resources have the highest monitoring priority, an error in any safety mechanism is first checked for whether it concerns the monitoring management module; if it does, the fault response for the monitoring management module is executed first; if it does not, it is then determined whether the safety mechanism is related to a virtual machine function, and the subsequent fault response follows from that.
Consequently, when two or more safety mechanisms report errors at the same time, the fault response related to the monitoring management module is executed first.
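The decision flow of step S20, the self-response of pre-configured hardware mechanisms and the priority rule for the monitoring management module's own mechanisms, as an added worked example in C. This is illustrative code written for this page, not code from the application: the `fault_source_t` classification, the three-level `fault_scope_t` scale, the `hw_self_response` flag, the `partition_managed` switch and the tie-break on scope among reports of equal priority are all assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Who owns the safety mechanism that reported the error (assumed classification). */
typedef enum {
    SRC_MONITOR_MGR,     /* resources of the monitoring management module itself */
    SRC_SHARED_RESOURCE, /* resource shared by several VMs, unrelated to any single VM */
    SRC_VM_FUNCTION      /* tied to the function of one VM */
} fault_source_t;

/* Coarse measure of the fault's range of influence (assumed three-level scale). */
typedef enum { SCOPE_LOCAL = 0, SCOPE_PARTITION = 1, SCOPE_GLOBAL = 2 } fault_scope_t;

typedef struct {
    fault_source_t source;
    fault_scope_t  scope;
    uint8_t        vm_id;            /* meaningful when source == SRC_VM_FUNCTION */
    uint8_t        partition_id;     /* partition hosting the failed element */
    bool           hw_self_response; /* hardware mechanism whose reaction was pre-configured */
} fault_report_t;

typedef enum {
    RESP_NONE,
    RESP_HW_HANDLED,        /* hardware already reacted; software only records the event */
    RESP_VM_SAFE_STATE,     /* one VM into safe / fail-operational state */
    RESP_VM_RESTART,        /* restart or shut down the one faulty VM */
    RESP_PARTITION_RESTART, /* VMs of the partition to safe state, partition restarted */
    RESP_GLOBAL_RESET       /* all VMs to safe state, MCU reset */
} fault_response_t;

/* Rank for simultaneous reports: the monitoring management module's own
 * mechanisms first, then VM-unrelated mechanisms, then VM-specific ones. */
static int fault_priority(const fault_report_t *f)
{
    switch (f->source) {
    case SRC_MONITOR_MGR:     return 0;
    case SRC_SHARED_RESOURCE: return 1;
    default:                  return 2;
    }
}

/* Response for one report. partition_managed says whether the MCU's resources
 * are managed per partition; without that, a partition response is not possible. */
fault_response_t decide_response(const fault_report_t *f, bool partition_managed)
{
    /* A hardware mechanism armed up-front (e.g. a register-configured reset
     * path) carries out its own response; the monitor only reads it back. */
    if (f->hw_self_response)
        return RESP_HW_HANDLED;

    switch (f->source) {
    case SRC_MONITOR_MGR:      /* underpins every other mechanism: never a per-VM response */
    case SRC_SHARED_RESOURCE:  /* unrelated to any one VM: global or partition response */
        return (partition_managed && f->scope != SCOPE_GLOBAL)
                   ? RESP_PARTITION_RESTART : RESP_GLOBAL_RESET;
    case SRC_VM_FUNCTION:
        /* The response grows with the range of influence of the VM's function. */
        if (f->scope == SCOPE_LOCAL)     return RESP_VM_SAFE_STATE;
        if (f->scope == SCOPE_PARTITION) return partition_managed ? RESP_PARTITION_RESTART
                                                                  : RESP_VM_RESTART;
        return RESP_GLOBAL_RESET;
    }
    return RESP_NONE;
}

/* Handle the reports of one monitoring cycle: pick the highest-priority report
 * (monitor-manager errors first; among equals, the widest scope) and return its
 * response. The index of the chosen report is written to *chosen. */
fault_response_t dispatch(const fault_report_t *reports, size_t n,
                          bool partition_managed, size_t *chosen)
{
    if (n == 0) return RESP_NONE;
    size_t best = 0;
    for (size_t i = 1; i < n; i++) {
        int pi = fault_priority(&reports[i]);
        int pb = fault_priority(&reports[best]);
        if (pi < pb || (pi == pb && reports[i].scope > reports[best].scope))
            best = i;
    }
    if (chosen) *chosen = best;
    return decide_response(&reports[best], partition_managed);
}
```

Note that the response for a monitoring-manager fault never degrades to a per-VM action even when partition management is available: at most it narrows from a reset of the whole microcontroller to a restart of the affected partition.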
Based on the same inventive concept, this embodiment also provides a microcontroller comprising several virtual machines and the monitoring management module.
A virtual machine monitor (hypervisor) is also stored in the microcontroller. The virtual machine monitor is used to create and run the virtual machines and to configure the resources they require. Where the monitoring management module needs a higher access right, it may request the virtual machine monitor to carry out the operation on its behalf. Further, part of the processes of the monitoring management module may run inside the virtual machine monitor, and/or part may run inside the several virtual machines managed by the virtual machine monitor. Alternatively, the microcontroller further includes several cores, and part of the processes of the monitoring management module run on a core that is outside the monitoring jurisdiction of the virtual machines. Preferably, the program of the monitoring management module runs on such a core and that core has a lockstep function, which further secures the running environment of the monitoring management method. This embodiment does not restrict the component in which the monitoring management module runs the monitoring management method.
Based on the same inventive concept, this embodiment also provides a computer program comprising instructions for executing the monitoring management method when the computer program is executed on a suitable computer device.
Based on the same inventive concept, this embodiment also provides a computer-readable storage medium on which the computer program is encoded.
In summary, this embodiment provides a monitoring management module and method, a microcontroller, a computer program and a storage medium. The safety mechanisms corresponding to the software and hardware resources in the microcontroller are divided into two kinds, one related to virtual machine functions and the other unrelated to them, so that they can be managed separately. The monitoring management module uniformly runs the safety mechanisms unrelated to virtual machine functions, or uniformly runs both those and the safety mechanisms corresponding to the started virtual machines; when a safety mechanism reports a monitoring error, a global response or a partition response is executed if the error is unrelated to a virtual machine function, and the fault response of the corresponding virtual machine is executed if it is related. Further, if a safety mechanism corresponding to the monitoring management module's own software and hardware resources reports a monitoring error, a global response or a partition response is executed with priority to keep the system safe. Unified management of the safety mechanisms thus helps to raise the diagnostic coverage of each software and hardware resource and to reach a higher safety level, ensures the safe operating environment of each virtual machine to the greatest extent, relieves the virtual machines of providing safety assurance themselves, greatly reduces the development effort for virtual machine monitoring software, saves hardware resources in the microcontroller and computing resources of the central processing unit, and reduces cost.
In addition, the fault responses are managed separately so that virtual machines unrelated to a fault can continue to run normally as far as possible, improving system availability while preserving system safety.
It should be understood, however, that the invention is not limited to the particular embodiments described. It will be apparent to those skilled in the art that many changes and modifications may be made to the disclosed embodiments, or equivalents employed, without departing from the intended scope of the invention. Therefore, any simple modification, equivalent change or alteration made to the above embodiments according to the technical essence of the invention remains within the scope of protection of the technical solution of the invention, provided it does not depart from the content of that technical solution.

Claims (19)

1. A monitoring management method, suitable for an electronic device having virtual machines, characterized by comprising the following steps:
running safety mechanisms unrelated to virtual machine functions; or, running the safety mechanisms unrelated to virtual machine functions and running the safety mechanisms corresponding to the started virtual machines; and
determining whether a safety mechanism reports a monitoring error; if the error is unrelated to a virtual machine function, executing a global response or a partition response; and if it is related to a virtual machine function, executing the fault response of the corresponding virtual machine.
2. The monitoring management method according to claim 1, wherein running the safety mechanisms unrelated to virtual machine functions comprises:
running part of the safety mechanisms unrelated to virtual machine functions once at initialization, and running another part of the safety mechanisms unrelated to virtual machine functions periodically.
3. The monitoring management method according to claim 2, wherein running the safety mechanisms unrelated to virtual machine functions comprises:
configuring the relevant registers of the safety mechanisms implemented in hardware in the microcontroller so as to activate the corresponding safety mechanisms and execute one-time or periodic monitoring; and
activating the safety mechanisms implemented in software in the microcontroller so as to execute one-time or periodic monitoring.
4. The monitoring management method according to claim 1, wherein the safety mechanisms unrelated to virtual machine functions comprise:
a first safety mechanism covering failures of software and hardware resources shared between two or more virtual machines, a second safety mechanism preventing mutual interference between the virtual machines, and a safety mechanism covering failures of the first safety mechanism and the second safety mechanism.
5. The monitoring management method according to claim 1, wherein running the safety mechanisms corresponding to the started virtual machines comprises:
determining whether each virtual machine has started, and if so, running the safety mechanisms corresponding to that virtual machine.
6. The monitoring management method according to claim 1, wherein the safety mechanisms corresponding to the started virtual machines comprise:
a third safety mechanism covering functional failures during operation of the virtual machine, a fourth safety mechanism covering the software and hardware resources used exclusively by the virtual machine, a fifth safety mechanism preventing mutual interference between software and hardware resources within the virtual machine, and a safety mechanism covering failures of the third, fourth and fifth safety mechanisms.
7. The monitoring management method according to claim 1, wherein a started virtual machine configures or runs its corresponding safety mechanisms by itself.
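Claims 2 to 7 describe when each kind of safety mechanism is run: the mechanisms unrelated to virtual machine functions at initialization, some once and some periodically; hardware mechanisms by programming their control registers and software mechanisms by calling them; and the mechanisms of a virtual machine only once that virtual machine has started. The following C scheduler is an added illustration of that procedure, not the application's own code: the mechanism table, the fake register file, the `vm_started` bitmap and the sample checks are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define NO_VM 0xFFu   /* vm_id value for mechanisms unrelated to any VM function */

typedef enum { MECH_HW, MECH_SW } mech_kind_t;
typedef enum { RUN_ONCE, RUN_PERIODIC } run_mode_t;

typedef struct {
    const char *name;
    mech_kind_t kind;
    run_mode_t  mode;
    uint8_t     vm_id;           /* NO_VM: unrelated to any VM function */
    uint32_t    reg_index;       /* MECH_HW: control register that activates the check */
    uint32_t    reg_value;       /* MECH_HW: value written to that register */
    bool      (*sw_check)(void); /* MECH_SW: returns true when the check passes */
    uint32_t    runs;            /* how often the mechanism has been activated */
} mechanism_t;

/* Fake register file standing in for the MCU's safety-mechanism control registers. */
static uint32_t g_regs[8];
uint32_t read_reg(uint32_t i) { return g_regs[i]; }

/* Constructed software checks; g_vm1_alive lets a caller simulate a VM1 failure. */
static bool g_vm1_alive = true;
void set_vm1_alive(bool alive) { g_vm1_alive = alive; }
static bool check_shared_ram_crc(void) { return true; }
static bool check_vm1_heartbeat(void)  { return g_vm1_alive; }

/* Constructed mechanism table: two shared-resource mechanisms (claim 4) and
 * two mechanisms belonging to VM1 (claim 6). */
mechanism_t g_table[] = {
    { "shared_ram_ecc", MECH_HW, RUN_ONCE,     NO_VM, 0, 0xA5u, NULL,                 0 },
    { "shared_ram_crc", MECH_SW, RUN_PERIODIC, NO_VM, 0, 0,     check_shared_ram_crc, 0 },
    { "vm1_heartbeat",  MECH_SW, RUN_PERIODIC, 1,     0, 0,     check_vm1_heartbeat,  0 },
    { "vm1_mpu_window", MECH_HW, RUN_ONCE,     1,     3, 0x11u, NULL,                 0 },
};
#define TABLE_LEN (sizeof g_table / sizeof g_table[0])

/* Activate one mechanism: a hardware mechanism by programming its register
 * (its result is read back later), a software mechanism by running the check. */
static bool activate(mechanism_t *m)
{
    m->runs++;
    if (m->kind == MECH_HW) {
        g_regs[m->reg_index] = m->reg_value;
        return true;
    }
    return m->sw_check();
}

/* Initialization phase (claims 2 and 3): start every mechanism that is
 * unrelated to VM functions. Returns the number of checks that failed. */
uint32_t run_init_phase(mechanism_t *table, size_t n)
{
    uint32_t failures = 0;
    for (size_t i = 0; i < n; i++)
        if (table[i].vm_id == NO_VM && !activate(&table[i])) failures++;
    return failures;
}

/* Periodic phase (claims 2, 5 and 6): rerun periodic mechanisms, and bring up
 * the mechanisms of any VM that has started. One-shot mechanisms that have
 * already run are skipped. vm_started is a bitmap, bit i set for VM i. */
uint32_t run_periodic_phase(mechanism_t *table, size_t n, uint32_t vm_started)
{
    uint32_t failures = 0;
    for (size_t i = 0; i < n; i++) {
        mechanism_t *m = &table[i];
        if (m->vm_id != NO_VM && !(vm_started & (1u << m->vm_id))) continue; /* VM not up */
        if (m->mode == RUN_ONCE && m->runs > 0) continue;                   /* already armed */
        if (!activate(m)) failures++;
    }
    return failures;
}
```

The failure count returned by each phase is what the monitoring management module would hand to its fault-response step; a hardware mechanism reports through its register rather than through the return value, so its state has to be read back separately.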
8. The monitoring management method according to claim 1, wherein the global response comprises at least: placing all of the virtual machines in the microcontroller in a safe state or a fail-operational state, and/or shutting down or restarting the microcontroller;
or, where the microcontroller comprises several partitions and at least some of the partitions contain several virtual machines, the partition response comprises at least: placing all of the virtual machines in the affected partition in a safe state or a fail-operational state, and/or restarting or shutting down the affected partition.
9. The monitoring management method according to claim 1, wherein executing the fault response of the corresponding virtual machine comprises at least:
placing the corresponding virtual machine in a safe state or a fail-operational state, restarting or shutting down the faulty virtual machine, restarting or shutting down the microcontroller hosting the virtual machine, and/or restarting or shutting down the partition of the microcontroller hosting the virtual machine.
10. The monitoring management method according to claim 1, further comprising: periodically sending interaction information to a monitoring module located outside the microcontroller hosting the virtual machines.
11. A monitoring management module, characterized in that it is adapted to run at least part of the monitoring management method according to any one of claims 1 to 10.
12. The monitoring management module according to claim 11, wherein the monitoring management module is configured to run the safety mechanisms unrelated to virtual machine functions; or, to run the safety mechanisms unrelated to virtual machine functions and the safety mechanisms corresponding to the started virtual machines; and
the monitoring management module is further configured, when a safety mechanism corresponding to a software or hardware resource reports a monitoring error, to determine whether that safety mechanism is related to a virtual machine function; if not, a global response or a partition response is executed; if so, the fault response of the corresponding virtual machine is executed, or the fault response is executed by the corresponding virtual machine.
13. The monitoring management module according to claim 12, wherein when a safety mechanism corresponding to a hardware resource reports a monitoring error, the monitoring management module and/or the virtual machine is further configured to determine whether the fault response of that safety mechanism has been pre-configured by the monitoring management module and/or the virtual machine; if so, the safety mechanism corresponding to the hardware resource executes the fault response by itself; if not, the fault response is executed by the monitoring management module and/or by the software in the virtual machine that reads back the monitoring state of the safety mechanism corresponding to the hardware resource.
14. The monitoring management module according to claim 11, wherein, when the monitoring management module runs at least part of the monitoring management method, if a safety mechanism corresponding to a software or hardware resource of the monitoring management module itself reports a monitoring error, a global response or a partition response is executed.
15. A microcontroller, characterized by comprising several virtual machines and a monitoring management module according to any one of claims 11 to 14.
16. The microcontroller according to claim 15, wherein a virtual machine monitor is stored in the microcontroller, and wherein part of the processes of the monitoring management module run inside the virtual machine monitor, and/or part of the processes of the monitoring management module run inside the several virtual machines managed by the virtual machine monitor.
17. The microcontroller according to claim 16, wherein the microcontroller further comprises several cores, and part of the processes of the monitoring management module run on a core that is outside the monitoring jurisdiction of the virtual machines.
18. A computer program, characterized in that it comprises instructions for carrying out the monitoring management method according to any one of claims 1 to 10 when the computer program is executed on a suitable computer device.
19. A computer-readable storage medium, characterized in that a computer program according to claim 18 is encoded on the computer-readable storage medium.
CN202211275464.4A 2022-10-18 2022-10-18 Monitoring management module and method, microcontroller, computer program and storage medium Pending CN115755665A (en)

Publications (1)

Publication Number Publication Date
CN115755665A true CN115755665A (en) 2023-03-07

Family

ID=85352556

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination