
CN-122018946-A - Firmware security upgrading method and system for industrial switch


Abstract

The invention discloses a firmware security upgrading method and system for an industrial switch. The method comprises the steps of: dividing an independent area with the same size as a physical sector in the SPI Flash to serve as an environment variable area, and dividing a first system partition and a second system partition with the same functions in the eMMC or NAND FLASH; when the industrial switch receives a firmware upgrade instruction, detecting the system partition of the eMMC or NAND FLASH that is currently running and taking the other system partition as the target upgrade partition; acquiring the data of the new version firmware and writing it into the target upgrade partition; carrying out a firmware integrity check after writing is completed; executing an atomic switching operation after the firmware integrity check passes; executing an unattended rollback operation; and executing a service health confirmation operation. The invention effectively solves the problem of equipment becoming unavailable in the industrial field because it is bricked by a power loss during the upgrade or is left online in a "zombie" state, and achieves highly reliable remote operation and maintenance with zero manual intervention.

Inventors

  • LI ZHENJUN
  • WU MINHUA

Assignees

  • 深圳市厚石网络科技有限公司

Dates

Publication Date: 2026-05-12
Application Date: 2025-12-26

Claims (10)

  1. A method for firmware security upgrade of an industrial switch, wherein the industrial switch is configured with a dual-medium storage architecture including SPI Flash as a first storage medium and eMMC or NAND FLASH as a second storage medium, the method comprising the steps of: dividing an independent area with the same size as a physical sector in the SPI Flash as an environment variable area, and dividing a first system partition and a second system partition with equivalent functions in the eMMC or NAND FLASH; when the industrial switch receives a firmware upgrade instruction, detecting the system partition of the eMMC or NAND FLASH that is currently running, and taking the other system partition as a target upgrade partition; obtaining the data of the new version firmware, writing the data into the target upgrade partition, and checking the integrity of the firmware after writing is completed; after the firmware integrity check passes, performing an atomic switching operation, namely calculating a cyclic redundancy check code covering a partition identification variable and performing a single erase-and-write operation on the physical sector where the environment variable area is located, using the physical-sector erase characteristic of the SPI Flash; the boot program reads and increments a start attempt counter stored in the SPI Flash when it starts, and when the count of the start attempt counter reaches a preset threshold, the partition identification variable is automatically switched back to the system partition that last ran normally and the start attempt counter is reset; and executing a service health confirmation operation, namely running a monitoring daemon in user space after the operating system has started, polling the state register of the switch chip driver and the port state of the network management protocol, and judging that detection has passed and resetting the start attempt counter only when the switch chip driver is successfully loaded and the port state of the network management protocol is reachable.
  2. The firmware security upgrade method of an industrial switch according to claim 1, wherein the atomic switching operation comprises the steps of: before performing the write operation, calculating a cyclic redundancy check code of the environment variable data to be written; combining the partition identification variable with the cyclic redundancy check code to fill one physical sector of the SPI Flash; when the boot program reads the environment variable area, first calculating and comparing the cyclic redundancy check code, and if the cyclic redundancy check fails, judging that a power failure occurred during the atomic write and automatically loading a preset safe partition or the partition that was successfully started last time.
  3. The firmware security upgrade method of an industrial switch of claim 1, wherein the eMMC or NAND FLASH is further divided into a shared data partition independent of the first system partition and the second system partition; the shared data partition is used for storing the port configuration files, VLAN configuration data and system logs of the industrial switch; when the operating system starts, the shared data partition is mounted under the same fixed logical path of the file system by reading the partition table information.
  4. The firmware security upgrade method of an industrial switch of claim 3, wherein said writing to said target upgrade partition comprises the steps of: the industrial switch receives the binary differential packet generated by the server; reading the image of the old version firmware from the target upgrade partition into a memory buffer of the operating system; and recombining the image of the old version firmware with the binary differential packet in the memory buffer using a binary differential synthesis algorithm, restoring the complete image of the new version firmware, and writing the image into the target upgrade partition.
  5. The firmware security upgrade method of an industrial switch of claim 3, wherein the boot program is configured to: after each power-on reset of the equipment, first read the environment variable area in the SPI Flash; if the check of the read data fails or the read count of the start attempt counter exceeds the preset threshold, ignore the indication of the partition identification variable, forcibly load a preset safe partition or the partition that was successfully started last time, and record the forced loading event in the system log of the shared data partition.
  6. The firmware security upgrade method of an industrial switch of claim 1, wherein the service health confirmation operation further comprises a watchdog linkage mechanism: the monitoring daemon starts a watchdog timer when it starts; if the monitoring daemon fails to confirm within a preset time window that the switch chip driver has loaded successfully and the port state of the network management protocol is normal, it stops sending the watchdog feeding signal to the watchdog; the industrial switch is forcibly restarted by the timeout reset function of the watchdog, which triggers the increment of the start attempt counter and the automatic rollback flow in the boot program.
  7. A firmware security upgrade system of an industrial switch for performing the firmware security upgrade method of an industrial switch according to any one of claims 1 to 6, comprising: a dual-medium storage module, comprising an SPI Flash connected through an SPI bus serving as a first storage medium and an eMMC or NAND FLASH connected through an eMMC or NAND interface serving as a second storage medium, wherein an environment variable area with the same size as a physical sector is divided in the SPI Flash, and a first system partition and a second system partition which are functionally equivalent are divided in the eMMC or NAND FLASH; a firmware downloading module, used for detecting the system partition of the eMMC or NAND FLASH that is currently running when the industrial switch receives a firmware upgrade instruction, taking the other system partition as the target upgrade partition, and starting to download the new version firmware; a firmware verification module, used for acquiring the data of the new version firmware downloaded by the firmware downloading module, writing the data into the target upgrade partition, and carrying out a firmware integrity check after the writing is completed; a partition switching control module, used for calculating a cyclic redundancy check code covering a partition identification variable after the firmware integrity check has passed, and executing a single erase-and-write operation on the physical sector where the environment variable area is located, using the physical-sector erase characteristic of the SPI Flash; an intelligent boot module, which runs in the boot program and is used for managing the start attempt counter stored in the SPI Flash and executing the start count accumulation, threshold judgment and automatic fault rollback logic; and a health monitoring module, which runs as a daemon in the user space of the operating system and is used for polling the state register of the switch chip driver and the port state of the network management protocol, and only when the switch chip driver is successfully loaded and the port state of the network management protocol is reachable is the detection judged to pass and the start attempt counter cleared.
  8. The firmware security upgrade system of the industrial switch of claim 7, wherein the hardware connection of the dual-medium storage module is configured such that: the SPI Flash serves as the sole boot source of the operating system and stores the boot program area and the environment variable area; and the eMMC or NAND FLASH serves as the mass storage source storing the Linux kernel image, the root file system and the independently divided shared data partition.
  9. The firmware security upgrade system of the industrial switch of claim 7, wherein the firmware verification module is configured with a delta synthesis unit configured to: load the old version firmware read from the target upgrade partition and the acquired binary differential packet into a memory buffer of the operating system, restore the complete image of the new version firmware using a differential algorithm, and write the image directly into the target upgrade partition.
  10. The firmware security upgrade system of the industrial switch of claim 7, wherein the health monitoring module is configured with a watchdog interface unit: the watchdog interface unit activates the watchdog when the operating system starts; if the health monitoring module fails to confirm within a preset time window that the service is normal, the watchdog interface unit stops sending the watchdog feeding signal to the watchdog and waits for the watchdog timeout reset to trigger the automatic rollback logic of the intelligent boot module.

Description

Firmware security upgrading method and system for industrial switch

Technical Field

The invention relates to the technical field of embedded systems and network communication, in particular to a firmware security upgrading method and system for an industrial switch.

Background

With the rapid development of industrial internet and internet of things technologies, industrial switches are widely deployed as key network communication infrastructure in complex environments such as smart grids, rail transit and utility tunnels. To patch security vulnerabilities, add new functions or optimize performance, remote firmware upgrades of the switch have become a routine requirement of device maintenance. Conventional embedded device firmware upgrades typically employ the following schemes:

1. Single-partition overwrite scheme: the new firmware is written directly into the currently running partition. This solution is simple to implement, but the risk is extremely high. If a power outage, network disruption or Flash write error occurs during writing, the device fails to start because of the corrupted firmware (commonly known as "bricking") and must be returned for repair, which is unacceptable in an industrial setting.

2. Independent Recovery partition scheme: a miniature Recovery system is reserved in Flash and entered when the primary system is damaged. However, this solution requires additional storage space (usually 5-10 MB), the recovery mode has limited functionality and cannot maintain normal network traffic, and manual intervention is still required to restore operation after a failed upgrade.

3. Traditional dual-partition (A/B) switching scheme: two system partitions are divided in the storage and upgraded in turn. Although this solution partly solves the backup problem, three problems remain:

1) The existing boot flags are typically stored directly in the file system (e.g. EXT4 or UBIFS) of the high-capacity NAND FLASH or eMMC, with no atomic switching mechanism. Because a file system metadata update is not an atomic operation, and the underlying Flash is subject to bit flips, a power failure at the moment the flag is modified easily causes file system damage or loss of the flag data, so that the bootloader cannot read its start parameters and the device is completely paralyzed.

2) Real unattended capability is lacking: existing schemes only detect whether the Linux kernel loaded successfully. However, the core functionality of an industrial switch relies on its application-specific switching chip (ASIC). If the kernel of the new firmware starts normally but the switch chip driver fails to initialize or the configuration is applied incorrectly, the device still answers ping on the management port while the data forwarding plane has failed completely (a "zombie state"). The device cannot automatically fall back to the old version, the production network is interrupted for a long time, and operation and maintenance personnel must travel to the remote industrial site with a serial console cable to recover it manually, at very high maintenance cost.

3) Storage and bandwidth resources are limited: industrial switches are typically deployed in bandwidth-limited network environments (e.g. 4G/5G backhaul or low-speed private networks), and a full download of tens of megabits of firmware takes very long and is prone to failure. In addition, the dual-system architecture often leaves configuration files scattered, complex configuration migration scripts are needed after an upgrade, and service configuration is easily lost.
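The in-memory delta synthesis of claims 4 and 9, which addresses the bandwidth problem above, as an added example that is not the patent's own code and not its actual delta format: the packet layout (a declared new length followed by COPY and INSERT operations) is an assumption, and the old image and packet are constructed inline. The security-relevant detail is that every offset and length in the packet is untrusted input, so each operation is bounds-checked against the old image, the packet and the declared output size before any byte is copied; the subsequent integrity check of the synthesized image (claim 1) is not repeated here.

```c
/* Added example (not from the patent): bounds-checked applier for a simple
 * binary delta format modelling the synthesis step of claims 4 and 9. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed packet layout, all integers little-endian:
 *   u32 new_len                       declared size of the reconstructed image
 *   OP_COPY   (0x01) u32 off u32 len  copy len bytes from old image at off
 *   OP_INSERT (0x02) u32 len bytes[]  literal bytes carried in the packet   */
enum { OP_COPY = 0x01, OP_INSERT = 0x02 };

static int rd_u32(const uint8_t *p, size_t len, size_t *pos, uint32_t *v) {
    if (len - *pos < 4) return -1;                       /* field runs past packet */
    *v = (uint32_t)p[*pos] | ((uint32_t)p[*pos + 1] << 8) |
         ((uint32_t)p[*pos + 2] << 16) | ((uint32_t)p[*pos + 3] << 24);
    *pos += 4;
    return 0;
}

/* Reconstruct the new image into out[]; returns its length, or -1 if the packet is
 * malformed or any operation would read or write outside the buffer it names. */
long apply_delta(const uint8_t *old, size_t old_len,
                 const uint8_t *pkt, size_t pkt_len,
                 uint8_t *out, size_t out_cap) {
    size_t pos = 0, outpos = 0;
    uint32_t new_len;
    if (rd_u32(pkt, pkt_len, &pos, &new_len) != 0 || new_len > out_cap) return -1;
    while (pos < pkt_len) {
        uint8_t op = pkt[pos++];
        uint32_t a = 0, n = 0;
        if (op == OP_COPY) {
            if (rd_u32(pkt, pkt_len, &pos, &a) || rd_u32(pkt, pkt_len, &pos, &n)) return -1;
            if (a > old_len || n > old_len - a) return -1;     /* read past old image */
            if (n > new_len - outpos) return -1;               /* write past declared size */
            memcpy(out + outpos, old + a, n);
        } else if (op == OP_INSERT) {
            if (rd_u32(pkt, pkt_len, &pos, &n)) return -1;
            if (n > pkt_len - pos) return -1;                  /* literal runs past packet */
            if (n > new_len - outpos) return -1;
            memcpy(out + outpos, pkt + pos, n);
            pos += n;
        } else {
            return -1;                                         /* unknown opcode */
        }
        outpos += n;
    }
    return outpos == new_len ? (long)outpos : -1;              /* size must match header */
}

static void put_u32(uint8_t *buf, size_t *pos, uint32_t v) {
    for (int i = 0; i < 4; i++) buf[(*pos)++] = (uint8_t)(v >> (8 * i));
}

/* Constructed sample: old image, and the delta turning it into
 * "HEAD-v1.1 CORE TAIL-NEW" (23 bytes). Returns the packet length (38). */
#define SAMPLE_OLD "HEAD-v1.0 CORE TAIL"

size_t build_sample_delta(uint8_t *buf) {
    size_t pos = 0;
    put_u32(buf, &pos, 23);                                            /* new_len */
    buf[pos++] = OP_COPY;   put_u32(buf, &pos, 0);  put_u32(buf, &pos, 7);   /* "HEAD-v1" */
    buf[pos++] = OP_INSERT; put_u32(buf, &pos, 2);  memcpy(buf + pos, ".1", 2);  pos += 2;
    buf[pos++] = OP_COPY;   put_u32(buf, &pos, 9);  put_u32(buf, &pos, 10);  /* " CORE TAIL" */
    buf[pos++] = OP_INSERT; put_u32(buf, &pos, 4);  memcpy(buf + pos, "-NEW", 4); pos += 4;
    return pos;
}

int main(void) {
    uint8_t pkt[64], out[64];
    size_t n = build_sample_delta(pkt);
    long len = apply_delta((const uint8_t *)SAMPLE_OLD, strlen(SAMPLE_OLD), pkt, n, out, sizeof out);
    if (len < 0) { puts("rejected"); return 1; }
    printf("%.*s\n", (int)len, out);
    return 0;
}
```

Rejecting a packet whose declared length does not match what the operations produce, or whose COPY reaches beyond the old image, is what keeps a corrupted or hostile differential packet from turning the synthesis step into an out-of-bounds read or write on the upgrade host.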
Therefore, a firmware security upgrade method for the industrial switch scenario is needed that combines the advantages of dual-medium hardware with atomic power-loss protection and a service-level automatic rollback mechanism.

Disclosure of Invention

The invention provides a firmware security upgrading method and system for an industrial switch, aiming to solve the technical problems of the existing industrial switch firmware upgrading technology: the lack of a hardware partition switching mechanism easily bricks the device, the lack of deep service state awareness after a failed upgrade requires manual on-site intervention, and service configuration data is difficult to synchronize under a dual-system architecture. The technical scheme of the invention is as follows:

In a first aspect, the invention provides a firmware security upgrade method for an industrial switch, where the industrial switch is configured with a dual-medium storage architecture including SPI Flash as a first storage medium and eMMC or NAND FLASH as a second storage medium, and the method includes the following steps: Dividi