The present subject matter relates to automotive production-line and in particular relates to End of Line (EOL) configuration of embedded systems in the automobile.

Background
A bootloader is stored in a protected ECU memory area and is started as a first instance in the boot phase after a reset. It then checks whether a flash request or valid application software exists. If the ECU is to be reprogrammed, the boot-loader starts reprogramming and after verifying access authorization-loads the flash driver from a bus system to the ECU’s RAM memory or internal flash. Then it erases the old ECU software and programs the ECU’s internal flash memory with the new-data it receives over the bus system.

As a part of industrial practices as represented in Fig. 1, a Tier-1 supplier provides a device (e.g. ECU) and respective firmware to an Original Equipment Manufacturer (OEM). During production-phase, a valid Firmware needs to be flashed or on that device, this is referred as End of Line Flashing (EOL) of that device. The device has a mechanism to keep a backup of current running Firmware so that it has a choice to reload last working copy, if required. A technical-limitation during EOL is that a Firmware can be flashed only in internal flash memory. A boot-loader on very first boot, will create current Firmware’s another copy in External flash as a backup.

However, the bootloader cannot keep raw (unencrypted Firmware) on external flash due to security measures. To avoid any possible attack and as shown in Fig. 2, a conventional solution requires that Bootloader should encrypt and then place firmware on external-flash. This is however an additional overhead for a boot loader during first boot. Moreover, encrypting a firmware will be an internal-process of the device on first-boot. This is however a security- violation as unencrypted Firmware is shared with EOL, which is a production-plant.

As an alternate solution shown in Fig. 3, encrypted firmware may be already present on external-flash. Hence, a boot-loader is at least prevented from encrypting the firmware present in internal-flash. Now, the supplier for the external-flash could be any market silicon supplier and accordingly an unverified third-party. If ECU devices are to be produced in bulk to the tune of millions, then equivalent quantity of external flash memory will have to be flashed with encrypted copy of Firmware. At least a drawback is that all details about a) memory-mapping with the internal flash memory of the device, and b) the encrypted Firmware copy will have to be shared with the third party vendor or external flash supplier. Accordingly, the threat to security in Fig. 3’s solution is all but apparent. At least in view of the aforesaid constraints, a Non Discloser Agreement with external flash supplier and a gang programming of external flash has to be resorted. The same at least leads to an additional cost of setting a process to have non discloser agreement with flash memory supplier and sharing encrypted copy of a Firmware.

Summary of the invention
This summary is provided to introduce a selection of concepts in a simplified format that are further described in the detailed description of the present disclosure. This summary is not intended to identify key or essential inventive concepts of the claimed subject matter, nor is it intended for determining the scope of the claimed subject matter.

The present subject matter refers an end of line (EOL) flashing and booting method for an electronic control unit (ECU). The method comprises storing a binary file comprising a boot loader and an encrypted firmware in to an internal memory in response to an end of line (EOL) flashing performed upon the internal memory. Further, the method comprises performing a boot operation by the boot loader. Upon an initial boot, the encrypted firmware is copied into an external memory. The encrypted firmware is authenticated in the external memory. The authenticated and encrypted firmware is decoded to generate a raw firmware. The raw firmware is stored into the internal memory. A control is transferred to the raw firmware in the internal memory for execution as an application firmware.
The present subject matter refers to maintaining firmware security objectives while keeping complexity of the EOL process as simple as possible and having cost effective solution. A combined kit referred by big binary is created, for example, by using a python script. Combined big binary comprises a bootloader and signed and encrypted firmware. This binary is perfectly secure to be shared with EOL production environment and to be flashed on device internal flash.

A bootloader on very first boot will copy encrypted Firmware as it is on external flash. This process takes care of maintaining a backup on external flash without bothering about provider of the external flash. Also no need to have additional process like NDA with external flash provider as current solution internally takes care of it.

After verifying authenticity (confidentiality will be taken care with it) and integrity of the Firmware present on external flash, bootloader will decrypt and copy that Firmware in internal flash and handover control to application firmware. This completes a secure and successful EOL and boot process.
To further clarify advantages and features of the present invention, a more particular description of the invention will be rendered by reference to specific embodiments thereof, which is illustrated in the appended drawings. It is appreciated that these drawings depict only typical embodiments of the invention and are therefore not to be considered limiting of its scope. The invention will be described and explained with additional specificity and detail with the accompanying drawings.

Brief description of the drawings
These and other features, aspects, and advantages of the present invention will become better understood when the following detailed description is read with reference to the accompanying drawings in which like characters represent like parts throughout the drawings, wherein:

Fig. 1 illustrates a state of the art EOL flashing process;
Fig. 2 illustrates a conventional EOL flashing of device;
Fig. 3 illustrates another conventional EOL flashing of device;
Fig. 4 illustrates method steps according to an embodiment of the present subject matter;
Fig. 5 illustrates an EOL flashing system according to an embodiment of the present subject matter; and
Fig. 6 illustrates an implementation of the present subject matter in accordance with an embodiment of the present subject matter.

Further, skilled artisans will appreciate that elements in the drawings are illustrated for simplicity and may not have been necessarily been drawn to scale. For example, the flow charts illustrate the method in terms of the most prominent steps involved to help to improve understanding of aspects of the present invention. Furthermore, in terms of the construction of the device, one or more components of the device may have been represented in the drawings by conventional symbols, and the drawings may show only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the drawings with details that will be readily apparent to those of ordinary skill in the art having benefit of the description herein.

Detailed Description
For the purpose of promoting an understanding of the principles of the invention, reference will now be made to the embodiment illustrated in the drawings and specific language will be used to describe the same. It will nevertheless be understood that no limitation of the scope of the invention is thereby intended, such alterations and further modifications in the illustrated system, and such further applications of the principles of the invention as illustrated therein being contemplated as would normally occur to one skilled in the art to which the invention relates.

It will be understood by those skilled in the art that the foregoing general description and the following detailed description are explanatory of the invention and are not intended to be restrictive thereof.

Reference throughout this specification to “an aspect”, “another aspect” or similar language means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrase “in an embodiment”, “in another embodiment” and similar language throughout this specification may, but do not necessarily, all refer to the same embodiment.

The terms "comprises", "comprising", or any other variations thereof, are intended to cover a nonexclusive inclusion, such that a process or method that comprises a list of steps does not include only those steps but may include other steps not expressly listed or inherent to such process or method. Similarly, one or more devices or subsystems or elements or structures or components proceeded by "comprises... a" does not, without more constraints, preclude the existence of other devices or other sub-systems or other elements or other structures or other components or additional devices or additional sub-systems or additional elements or additional structures or additional components.

Unless otherwise defined, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. The system, methods, and examples provided herein are illustrative only and not intended to be limiting.
Figure 4 illustrates an end of line (EOL) flashing and booting method for an electronic control unit (ECU). The method comprises storing (step 402) a binary file comprising a boot loader and an encrypted firmware into an internal memory in response to an end of line (EOL) flashing performed upon the internal memory. Prior to the EOL flashing, a microcontroller is further configured for receiving a binary-script as the binary file comprising the bootloader and the encrypted firmware. The EOL flashing comprises flashing the binary script to an internal flash corresponding to the internal memory.

Further, the method comprises performing (step 404) a boot operation by the boot loader. Upon an initial boot, the encrypted firmware is copied into external memory. More specifically, the bootloader is configured to copy (step 406) the encrypted firmware to an external flash corresponding to the external memory at the initial boot to maintain a backup. Thereafter, the encrypted firmware is authenticated (step 408) in the external memory. For such purposes, the bootloader is configured to perform (step 410) security checks with the encrypted firmware for authentication.

Thereafter, the authenticated and encrypted firmware is decoded (step 412) to generate a raw firmware. For such purposes, the bootloader decrypts the encrypted firmware to generate the raw firmware, and copies the decrypted firmware into the internal memory. The raw firmware is stored into the internal memory.

Further, a control is transferred (step 414) to the raw firmware in the internal memory for execution as an application firmware. The bootloader is configured to transfer control to application-firmware corresponding to the decrypted firmware to conclude a boot process.

Figure 5 illustrates an EOL flashing system according to an embodiment of the present subject matter.

As a precursor to EOL, a script creates a combined big binary file 508 for sharing with the EOL environment. The combined big binary 508 is created by using a python script. The combined big binary comprises boot-loader and signed and encrypted firmware. This binary 508 is perfectly secure to be shared with EOL production environment and to be flashed on the device internal flash 510.

At step 502, the EOL will flash big binary to internal-flash 510 of the device.

At step 504, on very first boot, the bootloader copies encrypted firmware (as it was part of big binary) to external flash memory 512 to maintain a backup. This process takes care of maintaining a backup on external flash 512 irrespective of contacting the provider of the external flash 512. The same also does away with the requirement to have additional process like NDA with external flash provider.

At step 506, the bootloader performs security checks with firmware, decrypts and copies to internal flash 510. The control is transferred to application-firmware (which is now unencrypted) within the internal flash 510. More specifically, after verifying authenticity (confidentiality will be taken care with it) and integrity of the firmware present on external flash 512, the bootloader decrypts and copies that firmware in internal flash 510 and hands over control to application firmware. This completes a secure and successful EOL and boot process.

In an embodiment, an electronic control unit (ECU) comprises a microcontroller (shown in Fig. 6) and the internal memory 510 storing one or more module executed by the microcontroller. Such said modules 508 may be defined by a binary file comprising the boot loader and an encrypted firmware. The modules are installed in the internal memory 510 in response to an end of line (EOL) flashing performed upon the internal memory 510.
The boot loader is configured for performing the steps 402 till 414.

Figure 6 shows an example implementation in accordance with the embodiment of the invention, and yet another typical hardware configuration in preceding figures in the form of a computer-system and architecture 600. The computer system 600 can include a set of instructions that can be executed to cause the computer system 600 to perform any one or more of the methods disclosed. The computer system 600 may operate as a standalone-device or may be connected, e.g., using a network, to other computer systems or peripheral devices.

In a networked deployment, the computer system 600 may operate in the capacity of a server or as a client user computer in a server-client user network environment, or as a peer computer system in a peer-to-peer (or distributed) network environment. The computer system 600 can also be implemented as or incorporated across various devices, such as a personal computer (PC), a tablet PC, a personal digital assistant (PDA), a mobile device, a palmtop computer, a laptop computer, a desktop computer, a communications device, a wireless telephone, a land-line telephone, a web appliance, a network router, switch or bridge, or any other machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while a single computer system 600 is illustrated, the term "system" shall also be taken to include any collection of systems or sub-systems that individually or jointly execute a set, or multiple sets, of instructions to perform one or more computer functions.

The computer system 600 may include a processor 602 e.g., a central processing unit (CPU), a graphics processing unit (GPU), or both. The processor 602 may be a component in a variety of systems. For example, the processor 602 may be part of a standard personal computer or a workstation. The processor 602 may be one or more general processors, digital signal processors, application specific integrated circuits, field programmable gate arrays, servers, networks, digital circuits, analog circuits, combinations thereof, or other now known or later developed devices for analysing and processing data. The processor 602 may implement a software program, such as code generated manually (i.e., programmed).

The computer system 600 may include a memory 604, such as a memory 604 that can communicate via a bus 608. The memory 604 may include, but is not limited to computer readable storage media such as various types of volatile and non-volatile storage media, including but not limited to random access memory, read-only memory, programmable read-only memory, electrically programmable read-only memory, electrically erasable read-only memory, flash memory, magnetic tape or disk, optical media and the like. In one example, the memory 604 includes a cache or random access memory for the processor 602. In alternative examples, the memory 604 is separate from the processor 602, such as a cache memory of a processor, the system memory, or other memory. The memory 604 may be an external storage device or database for storing data. The memory 604 is operable to store instructions executable by the processor 602. The functions, acts or tasks illustrated in the figures or described may be performed by the programmed processor 602 for executing the instructions stored in the memory 604. The functions, acts or tasks are independent of the particular type of instructions set, storage media, processor or processing strategy and may be performed by software, hardware, integrated circuits, firm-ware, micro-code and the like, operating alone or in combination. Likewise, processing strategies may include multiprocessing, multitasking, parallel processing and the like.

As shown, the computer system 600 may or may not further include a display unit 610, such as a liquid crystal display (LCD), an organic light emitting diode (OLED), a flat panel display, a solid state display, a cathode ray tube (CRT), a projector, a printer or other now known or later developed display device for outputting determined information. The display 610 may act as an interface for the user to see the functioning of the processor 602, or specifically as an interface with the software stored in the memory 604 or in the drive unit 616.

Additionally, the computer system 600 may include an input device 612 configured to allow a user to interact with any of the components of system 600. The computer system 600 may also include a disk or optical drive unit 616. The disk drive unit 616 may include a computer-readable medium 622 in which one or more sets of instructions 624, e.g. software, can be embedded. Further, the instructions 624 may embody one or more of the methods or logic as described. In a particular example, the instructions 624 may reside completely, or at least partially, within the memory 604 or within the processor 602 during execution by the computer system 600.

The present invention contemplates a computer-readable medium that includes instructions 624 or receives and executes instructions 624 responsive to a propagated signal so that a device connected to a network 626 can communicate voice, video, audio, images or any other data over the network 626. Further, the instructions 624 may be transmitted or received over the network 626 via a communication port or interface 620 or using a bus 608. The communication port or interface 620 may be a part of the processor 602 or may be a separate component. The communication port 620 may be created in software or may be a physical connection in hardware. The communication port 620 may be configured to connect with a network 626, external media, the display 610, or any other components in system 600, or combinations thereof. The connection with the network 626 may be a physical connection, such as a wired Ethernet connection or may be established wirelessly as discussed later. Likewise, the additional connections with other components of the system 600 may be physical connections or may be established wirelessly. The network 626 may alternatively be directly connected to the bus 608.

The network 626 may include wired networks, wireless networks, Ethernet AVB networks, or combinations thereof. The wireless network may be a cellular telephone network, an 802.11, 802.16, 802.20, 802.1Q or WiMax network. Further, the network 626 may be a public network, such as the Internet, a private network, such as an intranet, or combinations thereof, and may utilize a variety of networking protocols now available or later developed including, but not limited to TCP/IP based networking protocols. The system is not limited to operation with any particular standards and protocols. For example, standards for Internet and other packet switched network transmission (e.g., TCP/IP, UDP/IP, HTML, HTTP) may be used.

The aforesaid process achieves firmware security objectives while keeping complexity of the EOL process as simple as possible and having cost effective solution. In an example, the advantages may be summarized as follows:

• No additional process NDA with flash supplier
• Cost effective
• Increased level of security as no need to share unencrypted Firmware with EOL production environment.
• Combined Big binary assures a complete security of the firmware.
• No additional cost involved with respect to have external flash gang programming (flashing millions of external flash with encrypted firmware before reaching to EOL) and eliminated process overhead.
• No open window for security attacks as memory map is secret Tier 1 supplier and OEM.
• No need to provide unencrypted Firmware to EOL production environment. This adds more level of security in the process.

The present subject matter at-least achieves a firmware security during EOL flashing of the device, while maintaining simplicity and cost-effectiveness of the EOL process. A combined big binary based kit is created which comprises bootloader, and signed/encrypted firmware. Such binary is shared with EOL production environment for flashing on the device internal-flash.

Overall, the present subject matter at-least achieves security of the Firmware at End of Line (EOL) flashing during production, in terms of Integrity, Authenticity and Confidentiality. This needs to be achieved with less complexity and should be cost effective at the same time without compromising security goals.

The figures and the forgoing description give examples of embodiments. Those skilled in the art will appreciate that one or more of the described elements may well be combined into a single functional element. Alternatively, certain elements may be split into multiple functional elements. Elements from one embodiment may be added to another embodiment. For example, orders of processes described herein may be changed and are not limited to the manner described herein. Moreover, the actions of any flow diagram need not be implemented in the order shown; nor do all of the acts necessarily need to be performed. Also, those acts that are not dependent on other acts may be performed in parallel with the other acts. The scope of the embodiments is by no means limited by these specific examples. Numerous variations, whether explicitly given in the specification or not, such as differences in structure, dimension, and use of material, are possible. The scope of the embodiments is at least as broad as given by the following claims.

WE CLAIM

1. An end of line (EOL) flashing and booting method for an electronic control unit (ECU) comprising:
storing (step 402) a binary file comprising a boot loader and an encrypted firmware in to an internal memory in response to an end of line (EOL) flashing performed upon the internal memory;
performing (step 404) a boot operation by the boot loader through the steps of:
a) upon an initial boot, copying (step 406) the encrypted firmware into an external memory;
b) authenticating (step 408) the encrypted firmware in the external memory;
c) decoding (step 410) the authenticated and encrypted firmware to generate a raw firmware;
d) storing (step 412) the raw firmware into the internal memory; and
e) transferring (step 414) a control to the raw firmware in the internal memory for execution as an application firmware.
2. The method as claimed in claim 1, prior to the EOL flashing, the ECU is further configured for:
receiving a binary script as the binary file comprising the boot loader and the encrypted firmware.
3. The method as claimed in claim 2, wherein the EOL flashing comprises flashing the binary script to an internal flash corresponding to the internal memory (510).
4. The method as claimed in claim 1, wherein the bootloader is configured to copy the encrypted firmware to an external flash (512) corresponding to the external memory at the initial boot to maintain a backup.
5. The method as claimed in claim 1, wherein the bootloader is configured to:
perform security checks with the encrypted firmware for authentication;
decrypt the encrypted firmware to generate the raw firmware; and
copy the decrypted firmware to the internal memory (510).
6. The method as claimed in claim 1, wherein the bootloader is configured to transfer control to application-firmware corresponding to the decrypted firmware to conclude a boot process.
7. An electronic control unit (ECU) (600) comprising:
a microcontroller (602);
an internal memory (510) storing one or more module executed by the microcontroller, said modules defined by a binary file comprising a boot loader and an encrypted firmware, wherein the modules are installed in the internal memory (510) in response to an end of line (EOL) flashing performed upon the internal memory (510);
wherein the boot loader is configured for performing the steps of:
a) upon an initial boot, copying the encrypted firmware into an external memory (512);
b) authenticating the encrypted firmware in the external memory (512);
c) decoding the authenticated and encrypted firmware to generate a raw firmware;
d) storing the raw firmware into the internal memory (510); and
e) transferring a control to the raw firmware in the internal memory (510) for execution as an application firmware.
8. The ECU as claimed in claim 7, prior to the EOL flashing, the microcontroller (602) is further configured for:
receiving a binary script as the binary file comprising the boot loader and the encrypted firmware.

9. The ECU as claimed in claim 8, wherein the EOL flashing comprises flashing the binary script to an internal flash (510).
10. The ECU as claimed in claim 7, wherein the bootloader is configured to copy the encrypted firmware to an external flash memory (512) at the initial boot to maintain a backup.