1. Field of the Invention
The present invention relates generally to image forming apparatuses, and more particularly to an image forming apparatus with increased security against a change in module configuration.
2. Description of the Related Art
Image forming apparatuses with multiple functions such as copying, printing, scanning, and facsimile tend to have more and more functions in order to meet users' requirements. Further, the functions of image forming apparatuses are modularized. Such modularization enables modular-basis apparatus development. Each module operates on corresponding individual firmware, and its operation is controlled by the firmware of a system controller that performs overall control.
In these years, it has been possible to add functions to image forming apparatuses using various media in order to increase the extensibility of firmware or applications of image forming apparatuses brought on the market. For example, it is possible to expand the functions of an image forming apparatus by adding thereto a third-party application not manufactured by the manufacturer of the image forming apparatus. It is also possible to strengthen the security function of the image forming apparatus. Further, it is possible to update the firmware of the image forming apparatus through various media or networks. In the case of occurrence of some kind of trouble, updating a function, or strengthening a security function in such an image forming apparatus, the configuration of the image forming apparatus may be changed by its manager. A description is given below of some examples of the conventional technology related to this.
Japanese Laid-Open Patent Application No. 2004-165734 discloses an image forming apparatus capable of reducing loss of productivity when it is urgently required to update firmware as in the case of occurrence of a problem. The firmware is updated (to a new one) upon detection of occurrence of a problem originating in the firmware. Of control modules such as the control modules of an image reading part and the control modules of an image forming part, a control module to be controlled by the new firmware is determined. The operation of a part to be controlled by the new firmware is stopped, while the other parts are allowed to continue their operations.
Japanese Laid-Open Patent Application No. 2004-318838 discloses a software updating apparatus that reduces the workload of updating while ensuring high security. The firmware of an apparatus to be updated (image forming apparatus) that can communicate with the software updating apparatus (intermediary apparatus) is updated by the software updating apparatus. The intermediary apparatus generates a one-time password, and transmits the generated one-time password to the image forming apparatus through a communications path using SSL so as to have the password stored in the image forming apparatus. Then, the intermediary apparatus transmits the one-time password to the image forming apparatus through a communications path using FTP, whose processing workload is less than that of SSL, so as to have the image forming apparatus perform authentication. If the authenticity is established, the intermediary apparatus transmits firmware for updating to the image forming apparatus through an FTP communications path so as to have the firmware updated. If a successful update is confirmed, the one-time password is nullified.
Japanese Laid-Open Patent Application No. 2004-318871 discloses a communications device. In the case of updating an OS by downloading an OS for updating from an external apparatus such as a managing apparatus, even if the update fails because of power supply interruption, the communications device can determine the failure with ease and certainty at the time of a subsequent restart by turning on power. The CPU of the communications device downloads firmware for updating (rewriting) from the managing apparatus in response to a request to update firmware (including an OS) from the managing apparatus. If the downloading succeeds, a firmware updating flag in a flash ROM is set to “1.” At the time of a subsequent startup of the communications device (a startup of a boot loader), the status of the firmware updating flag is checked, and if the flag is “0,” the OS and applications in a card memory are successively loaded into a DRAM and started. If the firmware updating flag is “1,” the OS and a recovery program in the flash ROM are successively loaded into the DRAM and started.
However, the conventional image forming apparatus has the following problem regarding security. If the configuration of an application module or a service module of an image forming apparatus that has been connected to a network and operating in a secure state is illegally changed, there is a risk that a user may not be able to detect the change and continue to use a vulnerable system. Usually, modules can be changed only by a manager, but it is not impossible to illegally change modules with malicious intent. If the illegal modular change is overlooked, confidential image data may escape through a network.