阅读说明：本技术 一种bmc固件启动方法及电路 (BMC firmware starting method and circuit ) 是由 马永昊 于 2021-07-09 设计创作，主要内容包括：本申请公开了一种BMC固件启动方法及电路,包括：BMC利用与其连接的第一闪存中的固件启动；判断BMC是否启动成功；如果BMC启动失败,则FPGA控制切换开关断开BMC与第一闪存的连接,FPGA将与其连接的第二闪存中的固件通过通信串口发送至BMC,以使BMC利用第二闪存中的固件启动。本申请通过将第一闪存与第二闪存分别连接BMC与FPGA,对第一闪存与第二闪存进行了物理隔离,并且FPGA能够在第一闪存无法支持对BMC启动时,利用第二闪存中的固件辅助BMC启动,实现了冗余设计,确保在第一闪存遭到入侵后,能够继续依靠第二闪存启动,提高了可靠性,并且通过BMC启动状态判断第一闪存是否遭到入侵,判断结果可靠性也更高。(The application discloses a BMC firmware starting method and a circuit, which comprise: the BMC is started by using firmware in a first flash memory connected with the BMC; judging whether the BMC is started successfully; if the BMC is failed to be started, the FPGA controls the change-over switch to disconnect the BMC from the first flash memory, and the FPGA sends the firmware in the second flash memory connected with the FPGA to the BMC through the communication serial port so that the BMC can be started by using the firmware in the second flash memory. BMC and FPGA are connected respectively through first flash memory and second flash memory to this application, physical isolation has been carried out to first flash memory and second flash memory, and FPGA can't support when starting to BMC in first flash memory, utilize the supplementary BMC in the second flash memory to start, the redundant design has been realized, ensure to suffer after the invasion at first flash memory, can continue to rely on the second flash memory to start, the reliability has been improved, and judge through BMC start-up state whether first flash memory suffers the invasion, the judgement result reliability is also higher.)

1. A BMC firmware starting method is characterized by comprising the following steps:

the BMC is started by using firmware in a first flash memory connected with the BMC;

the FPGA judges whether the BMC is started successfully;

if the BMC fails to be started, the FPGA controls the change-over switch to disconnect the BMC from the first flash memory, and the FPGA sends the firmware in the second flash memory connected with the FPGA to the BMC through the communication serial port so that the BMC can be started by using the firmware in the second flash memory.

2. The BMC firmware boot method of claim 1, wherein the step of the FPGA determining whether the BMC was booted successfully comprises:

the FPGA judges whether a heartbeat signal and a safety check signal between the BMC and the FPGA are normal or not;

if the signals are all normal, the starting is successful, and if any signal is abnormal, the starting is failed;

the safety check signal is generated according to a result of safety check of the firmware in the first flash memory by the BMC.

3. The BMC firmware boot method of claim 1, wherein the step of the FPGA determining whether the BMC was booted successfully comprises:

the FPGA judges whether a heartbeat signal and a fixed safety verification character between the BMC and the FPGA are normal or not;

if the data are all normal, the starting is successful, otherwise, the starting is failed;

and the fixed security verification character is a preset character generated by the BMC according to the firmware in the first flash memory.

4. The BMC firmware boot method of claim 1, wherein the step of the FPGA determining whether the BMC was booted successfully comprises:

the FPGA judges whether the line monitoring signal, the heartbeat signal and/or the safety verification signal are normal or not;

if the data are all normal, the starting is successful, otherwise, the starting is failed;

the circuit monitoring signal is a signal of an abnormal signal on a communication bus between the BMC and the FPGA, the circuit monitoring signal is a signal of an abnormal signal on the communication bus between the BMC and the first flash memory monitored by the FPGA, the safety verification signal is a fixed safety verification character or a safety verification signal, the fixed safety verification character is a preset character generated by the BMC according to firmware in the first flash memory, and the safety verification signal is generated according to a result of safety verification performed on the firmware in the first flash memory by the BMC.

5. The BMC firmware boot method of claim 1, further comprising:

and after the BMC fails to start, the FPGA generates and sends a BMC exception log to the BMC.

6. The BMC firmware boot method of claim 1, wherein the second flash memory has write protection.

7. The BMC firmware boot method of any of claims 1 to 6, further comprising, after the BMC successfully boots with the firmware in the second flash memory:

the FPGA controls the change-over switch to reconnect the BMC and the first flash memory;

and the FPGA resets the firmware in the first flash memory by utilizing the firmware in the second flash memory through a communication serial port.

8. A BMC firmware circuit, comprising: the device comprises an FPGA, a BMC, a first flash memory, a second flash memory and a change-over switch;

the BMC is sequentially connected with the change-over switch and the first flash memory through an SPI bus, the BMC is connected with the FPGA through a communication serial port, and the FPGA is respectively connected with the second flash memory and the change-over switch.

9. The BMC firmware circuit of claim 8, wherein the BMC is unidirectionally connected with the FPGA through a USB interface to backup firmware in the first flash memory to the second flash memory through the FPGA.

Technical Field

The invention relates to the technical field of computers, in particular to a BMC firmware starting method and a circuit.

Background

With the development of information technology, the application of the server is more and more extensive. BMCs (baseboard management controllers) are server-specific and can manage the operating state of a server. The firmware of the BMC is generally stored in the FLASH, and can be upgraded according to actual needs to add some new functions or solve problems, and can be upgraded out-of-band through a network or upgraded off-line.

The security of the firmware of the BMC is very important and could cause significant loss if hacked. Although some of the existing solutions have adopted the spare FLASH and the installation start function, the FLASH is hung under a bus, and once the FLASH is invaded successfully and the firmware is rewritten, the state is difficult to recover.

In the existing designs, the following disadvantages are summarized: 1. referring to fig. 1, two redundant flashes are usually set to be hung on the same bus, and once the bus is invaded, the FLASH on the bus is at risk of being rewritten as long as the invading device is still in the bus. 2. The FLASH of the BMC needs to be switched when the BMC is hung up, the working state of the BMC needs to be accurately judged, the working state is monitored by using signals such as a watchdog and the like in the existing scheme, and the monitoring state is not comprehensive enough.

Therefore, a more secure and reliable BMC firmware boot method is needed.

Disclosure of Invention

In view of the above, the present invention is directed to a method and a circuit for starting a BMC firmware, which can improve the security and reliability. The specific scheme is as follows:

a BMC firmware boot method, comprising:

the BMC is started by using firmware in a first flash memory connected with the BMC;

the FPGA judges whether the BMC is started successfully;

if the BMC fails to be started, the FPGA controls the change-over switch to disconnect the BMC from the first flash memory, and the FPGA sends the firmware in the second flash memory connected with the FPGA to the BMC through the communication serial port so that the BMC can be started by using the firmware in the second flash memory.

Optionally, the process of determining, by the FPGA, whether the BMC is successfully started includes:

the FPGA judges whether a heartbeat signal and a safety check signal between the BMC and the FPGA are normal or not;

if the signals are all normal, the starting is successful, and if any signal is abnormal, the starting is failed;

the safety check signal is generated according to a result of safety check of the firmware in the first flash memory by the BMC.

Optionally, the process of determining, by the FPGA, whether the BMC is successfully started includes:

the FPGA judges whether a heartbeat signal and a fixed safety verification character between the BMC and the FPGA are normal or not;

if the data are all normal, the starting is successful, otherwise, the starting is failed;

and the fixed security verification character is a preset character generated by the BMC according to the firmware in the first flash memory.

Optionally, the process of determining, by the FPGA, whether the BMC is successfully started includes:

the FPGA judges whether the line monitoring signal, the heartbeat signal and/or the safety verification signal are normal or not;

if the data are all normal, the starting is successful, otherwise, the starting is failed;

the circuit monitoring signal is a signal of an abnormal signal on a communication bus between the BMC and the FPGA, the circuit monitoring signal is a signal of an abnormal signal on the communication bus between the BMC and the first flash memory monitored by the FPGA, the safety verification signal is a fixed safety verification character or a safety verification signal, the fixed safety verification character is a preset character generated by the BMC according to firmware in the first flash memory, and the safety verification signal is generated according to a result of safety verification performed on the firmware in the first flash memory by the BMC.

Optionally, the method further includes:

and after the BMC fails to start, the FPGA generates and sends a BMC exception log to the BMC.

Optionally, the second flash memory has write protection.

Optionally, after the BMC successfully starts using the firmware in the second flash memory, the method further includes:

the FPGA controls the change-over switch to reconnect the BMC and the first flash memory;

and the FPGA resets the firmware in the first flash memory by utilizing the firmware in the second flash memory through a communication serial port.

The invention also discloses a BMC firmware circuit, comprising: the device comprises an FPGA, a BMC, a first flash memory, a second flash memory and a change-over switch;

the BMC is sequentially connected with the change-over switch and the first flash memory through an SPI bus, the BMC is connected with the FPGA through a communication serial port, and the FPGA is respectively connected with the second flash memory and the change-over switch.

Optionally, the BMC is unidirectionally connected to the FPGA through a USB interface, and is configured to backup the firmware in the first flash memory to the second flash memory through the FPGA.

In the invention, the BMC firmware starting method comprises the following steps: the BMC is started by using firmware in a first flash memory connected with the BMC; judging whether the BMC is started successfully; if the BMC is failed to be started, the FPGA controls the change-over switch to disconnect the BMC from the first flash memory, and the FPGA sends the firmware in the second flash memory connected with the FPGA to the BMC through the communication serial port so that the BMC can be started by using the firmware in the second flash memory.

According to the invention, the first flash memory and the second flash memory are respectively connected with the BMC and the FPGA, the first flash memory and the second flash memory are physically isolated, and the FPGA can assist the BMC to start by using the firmware in the second flash memory when the first flash memory can not support the starting of the BMC, so that a redundancy design is realized, the second flash memory can be continuously started after the first flash memory is invaded, the reliability is improved, and whether the first flash memory is invaded or not is judged by the starting state of the BMC, and the reliability of the judgment result is higher.

Drawings

In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.

FIG. 1 is a prior art BMC firmware boot circuit topology;

FIG. 2 is a schematic flowchart of a BMC firmware boot method according to an embodiment of the invention;

FIG. 3 is a schematic diagram of a BMC firmware boot circuit according to an embodiment of the invention;

FIG. 4 is a schematic flowchart of another BMC firmware boot method according to the embodiment of the invention;

fig. 5 is a topology diagram of a BMC firmware boot circuit according to an embodiment of the present invention.

Detailed Description

The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.

The embodiment of the invention discloses a BMC firmware starting method, which is shown in a figure 2 and a figure 3 and comprises the following steps:

s11: the BMC1 boots using firmware in the first flash memory 2 connected to it.

Specifically, by default, the firmware required for the boot process of the BMC1 is stored in the first flash memory 2, and therefore, the BMC1 needs to boot using the firmware in the first flash memory 2 connected thereto.

S12: the FPGA3 judges whether the BMC1 is started successfully.

Specifically, if the first flash memory 2 is invaded and rewritten, the BMC1 cannot be normally started by the rewritten firmware in the first flash memory 2, and therefore, in order to determine whether the first flash memory 2 is invaded, it is necessary to determine whether the BMC1 is successfully started, and meanwhile, by determining whether the BMC1 is successfully started, it can be accurately determined whether the first flash memory 2 is invaded and modified, because once the BMC1 is not started, the maximum probability is that the firmware in the first flash memory 2 is invaded and modified, so that the accuracy of determination can be ensured.

S13: if the BMC1 fails to start, the FPGA3 controls the switch 4 to disconnect the BMC1 from the first flash memory 2, and the FPGA3 sends the firmware in the second flash memory 5 connected with the FPGA3 to the BMC1 through a communication serial port, so that the BMC1 starts by using the firmware in the second flash memory 5.

Specifically, if the BMC1 fails to boot, it is determined that the first flash memory 2 is invaded, and the firmware stored in the first flash memory is modified, and the BMC1 cannot continue to use the first flash memory 2 to boot, so that the FPGA3 immediately controls the switch 4 to disconnect the BMC1 from the first flash memory 2 after detecting that the BMC1 fails to boot, and stops the BMC1 from attempting to boot by using the wrong firmware in the first flash memory 2, and the FPGA3 simultaneously sends the firmware in the second flash memory 5 connected to the FPGA to the BMC1 through the communication serial port, so that the BMC1 boots by using the firmware in the second flash memory 5, and a redundant design is implemented, and the first flash memory 2 is only connected to the BMC1, so that even if the first flash memory 2 is invaded, the second flash memory 5 only connected to the FPGA3 is not affected, and it is ensured that the BMC1 can be booted even after the invasion is invaded, thereby improving reliability.

Specifically, of course, if the boot is successful, the FPGA3 and the BMC1 may operate normally without any steps.

It can be seen that, in the embodiment of the present invention, the first flash memory 2 and the second flash memory 5 are respectively connected to the BMC1 and the FPGA3, so that the first flash memory 2 and the second flash memory 5 are physically isolated, and the FPGA3 can assist the BMC1 to start by using the firmware in the second flash memory 5 when the first flash memory 2 cannot support the start of the BMC1, so as to implement a redundancy design, ensure that the first flash memory 2 can continue to be started by the second flash memory 5 after being invaded, improve reliability, and judge whether the first flash memory 2 is invaded by using the start state of the BMC1, and the reliability of the judgment result is also higher.

The embodiment of the invention discloses a specific BMC1 firmware starting method, and compared with the previous embodiment, the embodiment further describes and optimizes the technical scheme. Referring to fig. 4, specifically:

s21: the BMC1 is started using firmware in the first flash memory 2 connected thereto;

s22: the FPGA3 judges whether the BMC1 is started successfully.

Specifically, the process of judging whether the BMC1 is successfully started by the S22FPGA3 may include multiple judgment methods, and the embodiment of the present invention introduces specific three judgment methods as follows.

Specifically, the first: the FPGA3 determines whether the BMC1 is successfully started, and may specifically be the FPGA3 that determines whether a heartbeat signal and a security check signal between the BMC1 and the FPGA3 are both normal.

Specifically, a heartbeat signal is established between the FPGA3 and the BMC1, and the heartbeat signal can be maintained only after the BMC1 is normally started, so that the heartbeat signal transmitted by the BMC1 is not received by the FPGA3 within a certain time after the BMC1 starts to start, which can be considered as a BMC1 start failure, and meanwhile, a security check signal is additionally provided, a security check module can be arranged inside the BMC1, and is used for performing security check on firmware transmitted to the BMC1 in the first flash memory 2, if the firmware in the first flash memory 2 is modified, the security check signal cannot pass the security check, at this time, the security check signal will feed back a check failure to the FPGA3, and the FPGA3 knows that the BMC1 start failure, of course, if the security check is successful, the security check signal can feed back a check success signal to the FPGA 3.

Specifically, only when the heartbeat signal and the safety check signal are normal, the FPGA3 may determine that the BMC1 is successfully started, and when any one of the heartbeat signal and the safety check signal is abnormal, the FPGA3 may determine that the BMC1 is failed to start.

When the security check is passed, the BMC1 may output a high-level signal to express that the security check in the security check signal passes through to the designated port of the FPGA3, and when the security check does not pass, the BMC1 may output a low-level signal to express that the security check in the security check signal fails to the designated port of the FPGA3, so that the FPGA3 confirms the state of the BMC 1.

Specifically, the second: the FPGA3 determines whether the BMC1 is successfully started, and may specifically be the FPGA3 that determines whether a heartbeat signal and a fixed security verification character between the BMC1 and the FPGA3 are both normal.

Specifically, the BMC1 may not be provided with a security check module, and therefore, a fixed security verification character is used for replacement, when the firmware in the first flash memory 2 is correct, the BMC1 may continuously send a preset fixed security verification character corresponding to the firmware in the first flash memory 2 to the FPGA3 after the firmware in the first flash memory 2 is normally started, when the FPGA3 can continuously receive the fixed security verification character, it may be determined that the BMC1 is normally started, once the firmware in the first flash memory 2 is modified, the BMC1 cannot send the fixed security verification character to the FPGA3 by using the modified firmware in the first flash memory 2, the FPGA3 may not receive the fixed security verification character for a long time after the BMC1 attempts to start, and may know that the BMC1 fails to start.

Specifically, the FPGA3 may identify the BMC1 as successfully enabled only when the heartbeat signal and the fixed security check character are both normal, and the FPGA3 may identify the BMC1 as failed to enable when any one of the heartbeat signal and the fixed security check character is not normal.

Specifically, the third: the FPGA3 determines whether the BMC1 is successfully started, and may specifically be the FPGA3 determines whether a line monitoring signal, a heartbeat signal, and/or a security verification signal are normal.

The safety verification signal is a fixed safety verification character or a safety verification signal.

Specifically, FPGA3 can be through monitoring BMC1 with unusual signal obtains the line monitoring signal on the communication bus between the first flash memory 2, when BMC1 with communication bus between the first flash memory 2 suffers the invasion, FPGA3 alright suffer the invasion with confirming through the line monitoring signal, in case suffer the invasion, FPGA3 just can regard BMC1 unable normal boot.

Specifically, the three signals, namely the line monitoring signal, the heartbeat signal and/or the safety verification signal, can be freely combined and selected, so that the state of the BMC1 can be judged.

S23: if the boot of the BMC1 fails, the FPGA3 controls the switch 4 to disconnect the BMC1 from the first flash memory 2, and the FPGA3 sends the firmware in the second flash memory 5 connected to the FPGA3 to the BMC1 through the communication serial port, so that the BMC1 is booted by using the firmware in the second flash memory 5.

S24: after the boot failure of the BMC1, the FPGA3 generates and sends a BMC1 exception log to the BMC 1.

Specifically, in order to facilitate the operation and maintenance personnel to check that the fault FPGA3 generates and sends a BMC1 exception log to the BMC1 after the BMC1 fails to start, the BMC1 exception log records the current start failure, so that the subsequent operation and maintenance personnel can prevent the next intrusion.

S25: the FPGA3 controls the switch 4 to reconnect the BMC1 to the first flash memory 2.

Specifically, after the BMC1 is successfully started, the BMC1 does not need to use the firmware in the flash memory, so the FPGA3 controls the switch 4 to reconnect the BMC1 to the first flash memory 2, and establishes a path between the FPGA3, the BMC1 and the first flash memory 2, so as to modify the first flash memory 2 in the following.

S24, S25 and S26 are not in sequence, and may be executed simultaneously or sequentially, for example, S25 and S26 may be executed first, and then S24 may be executed, which is not limited herein.

S26: the FPGA3 resets the firmware in the first flash memory 2 via the communication serial port using the firmware in the second flash memory 5.

Specifically, after the firmware in the first flash memory 2 is modified, the FPGA3 may move the normal firmware in the second flash memory 5 into the first flash memory 2 through the communication serial port to replace the modified firmware in the first flash memory 2, and restore the firmware in the first flash memory 2 to the normal state again.

It should be noted that, under normal conditions, the firmware in the first flash memory 2 and the firmware in the second flash memory 5 are the same, so the firmware in the first flash memory 2 can be recovered by using the firmware in the second flash memory 5.

Further, in order to ensure the security of the second flash memory 5, write protection is set for the second flash memory 5, and the second flash memory 5 is kept in a read-only state and is prevented from being modified.

In addition, an embodiment of the present invention further discloses a BMC1 firmware circuit, as shown in fig. 5, including: the flash memory comprises an FPGA3, a BMC1, a first flash memory 2, a second flash memory 5 and a change-over switch 4;

the BMC1 is sequentially connected to the switch 4 and the first flash memory 2 through an SPI _1 port by using an SPI bus, the BMC1 is connected to the FPGA3 through communication serial ports (UART _ BMC and UART _ FPGA), and the FPGA3 is connected to the second flash memory 5 and the switch 4, respectively.

Specifically, the BMC1 is unidirectionally connected to the FPGA3 through a USB interface, and is configured to backup the firmware in the first flash memory 2 to the second flash memory 5 through the FPGA 3.

Specifically, the BMC1 transmits a heartbeat signal to a GPIO1 port of the FPGA3 through an HB port, the FPGA3 transmits a BMC abnormality LOG to a GPIO3 port of the BMC1 through a GPIO2 port, the BMC1 transmits a security check signal to a GPIO4 port of the FPGA3 through a BMC _ Ready port, the FPGA3 controls the switch 4 through a SW port, and the FPGA3 monitors whether an SPI bus between the BMC1 and the first flash memory 2 is abnormal through an SPI _ SPY port.

Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.

The technical content provided by the present invention is described in detail above, and the principle and the implementation of the present invention are explained in this document by applying specific examples, and the above description of the examples is only used to help understanding the method of the present invention and the core idea thereof; meanwhile, for a person skilled in the art, according to the idea of the present invention, there may be variations in the specific embodiments and the application scope, and in summary, the content of the present specification should not be construed as a limitation to the present invention.