SYSTEM, DEVICE AND METHOD FOR ANTI-ROLLBACK PROTECTION OF OVER-THE-AIR UPDATED DEVICE IMAGES
Abstract
Technologies for updating a processing device, where a first device image is stored in a first (non-volatile) memory. When a new second device image is received via a communication interface, a first boot of the device is performed and a boot loader performs security processing on the second device image. Once security processing has passed, the second device image is set as a trial image and executed. The executed image is monitored to determine if predetermined operational parameters in the device are met. If the parameters are met, the second device image is set as the current image and the first device image is deactivated. A second boot is performed to make the new image operational for the device, and the anti-rollback version one-time programmable fuses are blown. If the parameters are not met, the device reverts to the first device image.
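As an added example, not code from the patent, the update flow of the abstract modelled in Python: the boot loader's security processing is stood in for by an HMAC tag over version and payload (in place of a signature), the one-time-programmable anti-rollback fuses are a bit field whose count of blown bits is the lowest version the device will still accept, the second image runs as a trial image and is committed only if a caller-supplied operational-parameter check passes, and the fuses are blown only after the second boot so the revert path stays open. The key, image contents and all names are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

KEY = b"constructed-device-key"  # constructed; stands in for the boot loader's verification key

@dataclass
class Image:
    version: int
    payload: bytes
    tag: bytes  # HMAC over version||payload, standing in for the image signature

def build_image(version: int, payload: bytes) -> Image:
    # Constructed signer side: produce an image the boot loader will accept.
    tag = hmac.new(KEY, version.to_bytes(4, "big") + payload, hashlib.sha256).digest()
    return Image(version, payload, tag)

@dataclass
class Device:
    current: Image
    fuses: int = 0b1  # OTP anti-rollback fuses as a bit field; bits can only ever be set
    trial: Optional[Image] = None
    boots: int = 0

    def min_version(self) -> int:
        return bin(self.fuses).count("1")  # blown-fuse count = lowest version still accepted

    def blow_fuses(self, version: int) -> None:
        self.fuses |= (1 << version) - 1  # OR-only write models one-time programmability

    def security_processing(self, img: Image) -> bool:
        # Boot loader check: image authenticity first, then the anti-rollback floor.
        expected = hmac.new(KEY, img.version.to_bytes(4, "big") + img.payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, img.tag) and img.version >= self.min_version()

    def ota_update(self, img: Image, params_met: Callable[[Image], bool]) -> bool:
        # First boot -> trial image -> monitor -> commit (second boot, blow fuses) or revert.
        self.boots += 1
        if not self.security_processing(img):
            return False
        self.trial = img  # executed as a trial image; the first image stays intact
        if not params_met(img):  # predetermined operational parameters not met: revert
            self.trial = None
            return False
        self.current, self.trial = img, None  # second image current, first image deactivated
        self.boots += 1  # second boot makes the new image operational
        self.blow_fuses(img.version)  # fuses blown only after commit, so the revert path stays open
        return True
```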
Claims (20 in total; independent claims 1, 8 and 15 shown)

1. A device comprising:
a first memory for storing a first device image;
a second memory for storing at least one boot loader;
a communication interface for receiving a second device image; and
a processing circuit coupled to the first memory, the second memory, and the communication interface, wherein the processing circuit is configured to initiate a first boot for the device, instruct the at least one boot loader to perform security processing on the second device image and set and execute the second device image as a trial image after security processing on the second device image is successful, monitor the executed second device image to determine if predetermined operational parameters in the device are met, and set the second device image as a current image and deactivate the first device image if the predetermined operational parameters in the device are met.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A method for updating a device, comprising:
storing a first device image and at least one boot loader in a first memory;
receiving a second device image via a communication interface;
initiating a first boot of the device;
instructing the at least one boot loader to perform security processing on the second device image and setting and executing the second device image as a trial image after security processing on the second device image is successful;
monitoring the executed second device image to determine if predetermined operational parameters in the device are met; and
setting the second device image as a current image and deactivate the first device image if the predetermined operational parameters in the device are met.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A machine-readable storage medium having instructions stored thereon which when executed by a processing circuit causes the processing circuit to:
store a first device image in a first memory;
receive a second device image via a communication interface;
initiate a first boot of the processing circuit;
instruct at least one boot loader to perform security processing on the second device image and set and execute the second device image as a trial image after security processing on the second device image is successful;
monitor the executed second device image to determine if predetermined operational parameters in a device are met; and
set the second device image as a current image and deactivate the first device image if the predetermined operational parameters in the device are met.
Dependent claims: 16, 17, 18, 19, 20
Specification