CN101901629B - Nonvolatile memory protecting system and method - Google Patents

Publication number: CN101901629B
Authority: CN (China)
Prior art keywords: address, data, control module, memory, programming
Legal status: Active
Application number: CN 200910098918
Other languages: Chinese (zh)
Other versions: CN101901629A (en)
Inventor: 徐国柱
Current Assignee: Hangzhou Silan Microelectronics Co Ltd
Original Assignee: Hangzhou Silan Microelectronics Co Ltd
Priority: CN 200910098918

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a nonvolatile memory protection system and method. Under the control of a control unit, a protection code is fetched from the memory, and unauthorized users are prevented from programming or verifying the data/program in the protected area. The data written to the memory is encrypted data, so different memories can have different keys, the scheme is not limited to one encryption method, and different addresses can be given different key protection; if a key needs to be modified, this is done by programming alone, without replacing hardware. An address encryption key encrypts the memory address, so that the data an unauthorized user obtains by accessing a memory address is scrambled; a data/program decryption key decrypts the data/program in the memory, which prevents an unauthorized user from interpreting illegally obtained data.

Description

Nonvolatile memory protection system and protection method
Technical field
The present invention relates to a protection system and protection method covering data/program programming, data/program verification, address encryption, and data/program decryption for nonvolatile memory.
Background art
Traditional nonvolatile memory encryption falls into three main classes: (1) the compiler encrypts the memory data in software; encryption implemented this way is easily broken by analysing the signals and the communication protocol; (2) a hardware encryption module is placed in the memory and implements one fixed encryption algorithm; encryption implemented this way is inflexible, and the same encryption is used for different memory code; (3) the key is fixed in an internal ROM by means of a mask; if this encryption needs to be modified, the modification must be made at chip level. Compared with the second approach, the cost of changing the encryption key is much smaller, since only the mask has to be revised to change the key; but it is still a hardware modification, so for volume products it is not possible to give each product a different key, and changing the key takes a certain amount of time and cost.
Summary of the invention
The present invention aims to remedy the deficiencies of the prior art and proposes a nonvolatile memory protection system that applies graded, multi-layer protection to memory data/program programming, memory data/program verification, memory address encryption, and memory data/program decryption, and that is easy to implement in volume production.
The invention also proposes a protection method for nonvolatile memory.
The invention further proposes a control module for the memory protection system and protection method.
A nonvolatile memory protection system that is a memory programming/verification device comprises a programming/verification unit, a control module, and a memory:
The control module comprises a memory control module, a key/protection-code register group, a memory address selection module, and a protection module, wherein:
The memory control module is connected to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit;
The memory control module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The memory address selection module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The protection module is connected to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module is connected to the memory through data output port 1 of the control module and the first output data line (w37d) and, according to the protection code for the programming address supplied by the key/protection-code register, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data altered by the protection code, and the data/program content of the memory is not changed; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module is connected to the memory through data input port 2 of the control module and the second input data line (w07d), and receives the verification data/program that the memory supplies for the verification address output by the memory address selection module;
The key/protection-code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d); it receives the protection code that the memory supplies for the protection-code address output by the memory address selection module, or obtains the protection code for the corresponding address from the memory before programming/verification; the protection code is then passed to the protection module over the protection-code data line (w43d);
The protection module is connected to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d) and, according to the protection code for the verification address supplied by the key/protection-code register, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming or verification; further, when the programming or verification address lies in the memory's protected area, the memory control module can also disable the first input control signal line (W15c);
The memory address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); the address output port selects either the protection-code address or the programming/verification address for output to the memory;
The memory control module is connected to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to output the protection-code address, the programming address, or the verification address;
The memory control module is connected to the key/protection-code register group through the register control line (w54c), and controls the key/protection-code register group to update the protection code;
The key/protection-code register group is connected to the memory control module through the register data line (w45d), and supplies the updated protection code to the memory control module.
A nonvolatile memory protection system that is a memory encryption/decryption device comprises a CPU, an encryption/decryption unit, a control module, and a memory:
The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instructions sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted, or the address of the memory data/program to be decrypted, sent by the CPU; it supplies the decrypted memory data/program to the CPU over the CPU data line (w02d);
The control module comprises a memory control module, a key/protection-code register group, and a memory address selection module, wherein:
The memory control module is connected to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module is connected to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory address sent by the encryption/decryption unit;
The memory address selection module is connected to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory address sent by the encryption/decryption unit;
The key/protection-code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d), and receives the memory address encryption key or memory data/program decryption key that the memory supplies for the key address output by the memory address selection module;
The key/protection-code register group is connected to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform memory address encryption or memory data/program decryption;
The memory address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control and address signals sent to it by the memory control module, the address output port outputs the encrypted address or the address of the data/program to be decrypted to the memory;
The memory control module is connected to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to output the encrypted address or the address of the data/program to be decrypted;
The memory control module is connected to the key/protection-code register group through the register control line (w54c), and controls the key/protection-code register group to update the key;
The key/protection-code register group is connected to the memory control module through the register data line (w45d), and supplies the updated key to the memory control module;
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
Further, the encryption/decryption unit obtains the protection code from the key/protection-code register group and determines, via the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A nonvolatile memory protection system comprises a programming/verification unit, a CPU, an encryption/decryption unit, a control module, and a memory:
The memory control module is connected to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit;
The memory control module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The memory address selection module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The protection module is connected to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module is connected to the memory through data output port 1 of the control module and the first output data line (w37d) and, according to the protection code for the programming address supplied by the key/protection-code register, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data altered by the protection code, and the data/program content of the memory is not changed; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module is connected to the memory through data input port 2 of the control module and the second input data line (w07d), and receives the verification data/program that the memory supplies for the verification address output by the memory address selection module;
The key/protection-code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d); it receives the protection code or key that the memory supplies for the protection-code or key address output by the memory address selection module, or, before programming, verification, decryption, or encryption, obtains from the memory the protection code, address encryption key, or memory data decryption key corresponding to the programming data/program or verification data/program; the protection code is then passed to the protection module over the protection-code data line (w43d);
The protection module is connected to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d) and, according to the protection code for the verification address supplied by the key/protection-code register, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module is connected to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module is connected to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory address sent by the encryption/decryption unit;
The memory address selection module is connected to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory address sent by the encryption/decryption unit;
The key/protection-code register group is connected to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming, verification, address encryption, or memory data/program decryption; further, when the programming or verification address lies in the memory's protected area, the memory control module can also disable the first input control signal line (W15c);
The memory address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control and address signals sent to it by the memory control module, the address output port outputs the protection-code address or the programming/verification address to the memory in the programming/verification state, and outputs the encrypted address or the address of the data/program to be decrypted to the memory in the memory address encryption/data decryption state;
The memory control module is connected to the memory address selection module through the selection control line (w56c) and the selection address line (w56a); in the programming/verification state it controls the address selection module to output the protection-code address, the programming address, or the verification address, and in the memory address encryption or data/program decryption state it controls the address selection module to output the encrypted address or the address of the data/program to be decrypted;
The memory control module is connected to the key/protection-code register group through the register control line (w54c), and controls the key/protection-code register group to update the protection code;
The key/protection-code register group is connected to the memory control module through the register data line (w45d), and supplies the updated protection code to the memory control module;
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
Further, the encryption/decryption unit obtains the protection code from the key/protection-code register group and determines, via the CPU control signal line (W02c) and the address line (W02a), whether the user program run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A nonvolatile memory protection method that is a memory data/program programming method comprises the following steps:
(1) The programming/verification unit is connected to the memory control module of the control module through the first input control signal line (W15c) and sends a programming instruction to the control module; the programming/verification unit is connected to the memory address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the address corresponding to the programming data/program; the programming data/program output of the programming/verification unit is connected to the protection module of the control module through the first input data line (w13d) and outputs the programming data/program;
(2) After the memory control module of the control module receives the programming instruction, it outputs the protection-code storage address to the memory address selection module over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module to output on the first output address line (w67a) the protection-code storage address corresponding to the address; at the same time the memory control module, over the control line (w57c), controls the memory to supply the protection code for that address to the key/protection-code register group over the second input data line (w07d); the key/protection-code register group updates the protection code under the control of the register control line (w54c), and the updated protection code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module uses the received protection code to decide whether the address sent by the programming/verification unit lies in the memory's protected area. If the address is not in the protected area, the memory control module, over the selection control line (w56c), tells the memory address selection module to select the programming address arriving on the first input address line (W16a); the memory address selection module supplies the programming address to the memory over the first output address line (w67a), the protection module supplies the programming data/program to the memory over the first output data line (w37d), and the memory, under the control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the address is in the protected area, either the memory control module masks the programming control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protection code output by the key/protection-code register group disturbs the programming data/program output by the protection module; the content of the memory is not changed.
Further, the programming data/program supplied by the programming/verification unit is encrypted data/program.
A nonvolatile memory protection method that is a memory data verification method comprises the following steps:
(1) The programming/verification unit is connected to the memory control module of the control module through the first input control signal line (W15c) and sends a verification command to the control module; the programming/verification unit is connected to the memory address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the address corresponding to the verification data/program;
(2) After the memory control module of the control module receives the verification command, it outputs the protection-code storage address to the memory address selection module over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module to output on the first output address line (w67a) the protection-code storage address corresponding to the address; at the same time the memory control module, over the control line (w57c), controls the memory to supply the protection code for that address to the key/protection-code register group over the second input data line (w07d); the key/protection-code register group updates the protection code under the control of the register control line (w54c), and the updated protection code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module uses the received protection code to decide whether the address sent by the programming/verification unit lies in the memory's protected area. If the address is not in the protected area, the memory control module, over the selection control line (w56c), tells the memory address selection module to select the verification address arriving on the first input address line (W16a); the memory address selection module supplies the verification address to the memory over the first output address line (w67a); under the control of the control line (w57c), the memory supplies the verification data/program for that address to the protection module over the data line (w07d), and the protection module supplies it to the programming/verification unit over the second output data line (w31d) for verification. If the address is in the protected area, either the memory control module masks the verification control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protection code output by the key/protection-code register group disturbs the verification data/program output by the protection module.
The memory data verification method can be carried out on its own, or after the memory data/program has been programmed.
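The programming and verification methods above, as an added behavioural model in C (not code from the patent). The 16-byte block size, the protection-code table at 0xF0, the 0xFF "open" encoding, and the address-derived filler returned for blocked reads are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Behavioural model only. Sizes, layout and code values are assumptions. */
#define MEM_SIZE    256u
#define BLOCK_SIZE  16u     /* one protection code per 16-byte block        */
#define PCODE_BASE  0xF0u   /* last block stores the protection-code table  */
#define PCODE_OPEN  0xFFu   /* erased value means "access allowed"          */

typedef enum { POLICY_MASK_CONTROL, POLICY_DISTURB_DATA } policy_t;
typedef enum { OP_DONE, OP_BLOCKED } status_t;

typedef struct {
    uint8_t  mem[MEM_SIZE];
    uint8_t  pcode_reg;     /* key/protection-code register                 */
    policy_t policy;        /* which of the two blocking options is used    */
} nvm_t;

void nvm_init(nvm_t *n, policy_t policy)
{
    memset(n->mem, 0xFF, sizeof n->mem);   /* erased part: every block open */
    n->pcode_reg = PCODE_OPEN;
    n->policy = policy;
}

/* Step (2): fetch the protection code covering addr into the register,
 * then decide whether addr lies in a protected block. */
static int addr_is_protected(nvm_t *n, uint8_t addr)
{
    n->pcode_reg = n->mem[PCODE_BASE + addr / BLOCK_SIZE];
    return n->pcode_reg != PCODE_OPEN;
}

/* Step (3) of programming: for a protected address the write never reaches
 * the array, whichever blocking option is selected. */
status_t nvm_program(nvm_t *n, uint8_t addr, uint8_t data)
{
    if (addr_is_protected(n, addr))
        return OP_BLOCKED;                 /* memory content unchanged */
    n->mem[addr] = data;
    return OP_DONE;
}

/* Step (3) of verification: either the command is masked (out untouched)
 * or disturbed data is returned. The disturbed byte is derived from the
 * address only, so a blocked read carries no information about mem[addr]. */
status_t nvm_verify(nvm_t *n, uint8_t addr, uint8_t *out)
{
    if (!addr_is_protected(n, addr)) {
        *out = n->mem[addr];
        return OP_DONE;
    }
    if (n->policy == POLICY_DISTURB_DATA)
        *out = (uint8_t)(addr ^ 0x5Au);
    return OP_BLOCKED;
}

/* Protection codes are programmed like any other byte, so the table block
 * (block 15 here) has to be locked last or the codes can be rewritten. */
status_t nvm_lock_block(nvm_t *n, uint8_t block, uint8_t code)
{
    return nvm_program(n, (uint8_t)(PCODE_BASE + block), code);
}

int main(void)
{
    nvm_t n;
    uint8_t v = 0;

    nvm_init(&n, POLICY_DISTURB_DATA);
    nvm_program(&n, 0x20, 0xA5);           /* constructed sample byte */
    nvm_lock_block(&n, 2, 0x00);           /* protect 0x20..0x2F      */

    status_t w = nvm_program(&n, 0x20, 0x00);
    status_t r = nvm_verify(&n, 0x20, &v);
    printf("write blocked=%d read blocked=%d stored=0x%02X seen=0x%02X\n",
           w == OP_BLOCKED, r == OP_BLOCKED, n.mem[0x20], v);
    return 0;
}
```

Until block 15 is locked, the model still accepts a write of 0xFF to a table entry, which reopens the corresponding block.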
A memory protection method that is a memory address encryption method comprises the following steps:
(1) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instruction sent by the CPU; the encryption/decryption unit is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted sent by the CPU;
(2) The encryption/decryption unit obtains the encryption key for the corresponding address from the key/protection-code register group of the control module and uses this address encryption key to encrypt the memory address sent by the CPU; it outputs the encrypted address to the memory control module over the second input address signal line (w25a) and to the memory address selection module over the third input address line (w26a); the encryption/decryption unit is connected to the memory control module of the control module through the second input control signal line (W25c) and sends an instruction to the memory control module;
(3) If the encrypted address received by the memory control module lies in the memory's protected area, the memory control module interrupts the encrypted address sent on the second output address signal line (w25a); if the encrypted address received by the memory control module lies in the memory's non-protected area, the memory control module, over the selection control line (w56c), tells the memory address selection module to select the encrypted address supplied by the encryption/decryption unit on the third input address line (W26a), and the memory address selection module supplies the encrypted address to the memory over the first output address line (w67a).
Further, step (1) also includes the encryption/decryption unit obtaining the protection code from the key/protection-code register group and determining, via the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
A nonvolatile memory protection method that is a memory data/program decryption method comprises the following steps:
(1) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the read-memory-data instruction sent by the CPU; the encryption/decryption unit is connected to the CPU through the CPU address line (W02a) and receives the address, sent by the CPU, of the data/program in the memory that is to be decrypted;
(2) The encryption/decryption unit is connected to the memory control module of the control module through the second input control signal line (W25c) and sends a read-memory-data/program instruction to the control module; the encryption/decryption unit is connected to the memory control module of the control module through the second input address line (W25a) and to the memory address selection module through the third input address line (w26a), and outputs the address of the data/program to be decrypted;
(3) The memory control module, over the selection control line (w56c), controls the memory address selection module to select the address output by the encryption/decryption unit on the third input address line (W26a); the memory address selection module supplies the address to the memory over the first output address line (w67a); the memory, under the control of the first output control signal line (w57c), supplies the stored data for that address to the encryption/decryption unit over the second input data line (w07d);
(4) The encryption/decryption unit, in a predefined manner, decrypts the received memory data using the data/program decryption key output on the third output data line (w42d), and supplies the decrypted data/program to the CPU.
Further, step (1) also includes the encryption/decryption unit obtaining the protection code from the key/protection-code register group and determining, via the CPU control line (W02c) and the CPU address line (W02a), whether the user program run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
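The address encryption and data/program decryption methods above, as an added C model of the host programming step and the CPU read path (not code from the patent). The patent leaves the cipher open ("a predefined manner"), so the XOR address permutation, the address-dependent XOR data mask, the key locations 0xFE/0xFF and the 0x80 protected-area boundary are stand-in assumptions, not a cipher recommendation.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Behavioural model only; layout and both cipher stand-ins are assumptions. */
#define MEM_SIZE    256u
#define USER_SIZE   0x80u  /* 0x00..0x7F user area, 0x80..0xFF protected    */
#define ADDR_KEY_AT 0xFEu  /* keys live in the protected area of the memory */
#define DATA_KEY_AT 0xFFu

typedef struct {
    uint8_t mem[MEM_SIZE];
    uint8_t addr_key;      /* key register contents, loaded by dev_reset()  */
    uint8_t data_key;
} dev_t;

/* Constructed sample image, standing in for the data/program. */
static const uint8_t SAMPLE_IMAGE[] = { 'B', 'O', 'O', 'T', 0x00, 0x12, 0x34, 0x56 };

/* Stand-in address cipher: XOR with a 7-bit key permutes the user area. */
static uint8_t enc_addr(uint8_t logical, uint8_t addr_key)
{
    return (uint8_t)(logical ^ (addr_key & (USER_SIZE - 1u)));
}

/* Stand-in data cipher: address-dependent XOR mask (its own inverse). */
static uint8_t crypt_data(uint8_t byte, uint8_t data_key, uint8_t logical)
{
    return (uint8_t)(byte ^ (uint8_t)(data_key + 31u * logical));
}

/* Host side: encrypt the image and program it together with the keys,
 * so each device can carry its own key pair. */
void host_program(dev_t *d, const uint8_t *plain, uint8_t len,
                  uint8_t addr_key, uint8_t data_key)
{
    memset(d->mem, 0xFF, sizeof d->mem);
    for (uint8_t a = 0; a < len && a < USER_SIZE; a++)
        d->mem[enc_addr(a, addr_key)] = crypt_data(plain[a], data_key, a);
    d->mem[ADDR_KEY_AT] = addr_key;
    d->mem[DATA_KEY_AT] = data_key;
    d->addr_key = d->data_key = 0;     /* registers are empty until reset */
}

/* Reset: the control module loads the key register from the memory. */
void dev_reset(dev_t *d)
{
    d->addr_key = d->mem[ADDR_KEY_AT];
    d->data_key = d->mem[DATA_KEY_AT];
}

/* CPU read path: encrypt the address, refuse it if it lands in the
 * protected area, otherwise fetch and decrypt. Returns 0 or -1. */
int cpu_read(const dev_t *d, uint8_t logical, uint8_t *out)
{
    uint8_t phys = enc_addr(logical, d->addr_key);
    if (phys >= USER_SIZE)
        return -1;
    *out = crypt_data(d->mem[phys], d->data_key, logical);
    return 0;
}

/* Returns 1 if every byte of plain reads back through the CPU path. */
int cpu_reads_back(const dev_t *d, const uint8_t *plain, uint8_t len)
{
    for (uint8_t a = 0; a < len; a++) {
        uint8_t v;
        if (cpu_read(d, a, &v) != 0 || v != plain[a])
            return 0;
    }
    return 1;
}

int main(void)
{
    dev_t a, b;
    host_program(&a, SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, 0x35, 0xC7);
    host_program(&b, SAMPLE_IMAGE, sizeof SAMPLE_IMAGE, 0x1E, 0x42);
    printf("no keys loaded: reads back=%d\n",
           cpu_reads_back(&a, SAMPLE_IMAGE, sizeof SAMPLE_IMAGE));
    dev_reset(&a);
    dev_reset(&b);
    printf("device A=%d device B=%d raw images differ=%d\n",
           cpu_reads_back(&a, SAMPLE_IMAGE, sizeof SAMPLE_IMAGE),
           cpu_reads_back(&b, SAMPLE_IMAGE, sizeof SAMPLE_IMAGE),
           memcmp(a.mem, b.mem, USER_SIZE) != 0);
    return 0;
}
```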
In addition to the updates described above, the key and protection code of the present invention can also be updated in any of the following situations:
(1) On system reset, or when the read sequence restarts, the protection codes or keys in the memory's protected area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection-code register group of the control module;
(2) Before memory data/program verification, memory address encryption, or memory data/program decryption is carried out, the protection codes or keys in the memory's protected area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection-code register group of the control module; updating in this case requires that the operation can tolerate the time taken to fetch the key and protection code;
(3) During idle time, meaning a relatively long period in which the memory is not in use, such as when the system is in sleep or standby mode, the protection codes or keys in the memory's protected area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection-code register group of the control module.
The programming/verification unit of the present invention is connected to an external controller, which is any one of a PC, CPU, FPGA, or CPLD.
The beneficial effects of the invention are as follows: graded protection is provided through memory data/program programming, memory data/program verification, memory address encryption, and memory data/program decryption, wherein:
With the memory data/program programming device and programming method provided by the invention, the protection code is fetched from the memory under the control of the control module, which restricts unauthorized users from programming data/programs at addresses in the memory's protected area. The data written to the memory is encrypted data; the encryption is performed by the host computer, and the key is programmed into the memory together with the data, so different memories can have different keys, the encryption method is not limited to one, and different addresses can be given different key protection; if a key needs to be modified, no hardware change is needed and it is done by programming alone.
With the memory data/program verification device and verification method provided by the invention, the protection code is fetched from the memory under the control of the control module, which effectively restricts unauthorized users from verifying the data/program at addresses in the memory's protected area.
With the memory address encryption device and encryption method provided by the invention, the memory address is encrypted with the address encryption key, so that the data an unauthorized user obtains by accessing a memory address is scrambled.
With the memory data/program decryption device and decryption method provided by the invention, the memory data/program is decrypted with the data/program decryption key, which prevents an unauthorized user from interpreting illegally obtained data.
The memory control unit of the nonvolatile memory provided by the invention can implement all of the above protections at the same time; its control is simple and it saves cost.
Description of drawings
Fig. 1 shows a nonvolatile memory protection system proposed by the invention that implements memory programming/verification;
Fig. 2 shows a nonvolatile memory protection system proposed by the invention that implements memory encryption/decryption;
Fig. 3 shows a nonvolatile memory protection system proposed by the invention that implements memory programming/verification and memory encryption/decryption;
Fig. 4 shows the key/protection code register group of a nonvolatile memory protection system proposed by the invention.
Embodiments
The content of the invention is further described below with reference to the drawings.
A nonvolatile memory protection system in the form of a memory programming/verification device is shown in Fig. 1. It comprises a programming/verification unit (01), a control module (02) and a memory (07):
The control module (02) comprises a memory control module (05), a key/protection code register group (04), a memory address selection module (06) and a protection module (03), wherein:
The memory control module (05) is connected to the programming/verification unit (01) through control input port 1 of the control module (02) and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit (01);
The memory control module (05) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The memory address selection module (06) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The protection module (03) is connected to the programming/verification unit (01) through data input port 1 of the control module (02) and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit (01);
The protection module (03) is connected to the memory through data output port 1 of the control module (02) and the first output data line (w37d) and, according to the protection code for the programming address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory content; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module (03) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d), and receives the verification data/program that the memory provides for the verification address output by the memory address selection module (06);
The key/protection code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d) and, for the protection code address output by the memory address selection module (06), receives the protection code of the corresponding address provided by the memory, or obtains the protection code of the corresponding address from the memory before programming/verification; the protection code is then passed to the protection module (03) over the protection code data line (w43d).
The protection module (03) is connected to the programming/verification unit (01) through data output port 2 of the control module (02) and the second output data line (w31d) and, according to the protection code for the verification address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit (01); (2) when the protection code forbids access, it outputs to the programming/verification unit (01) data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit (01);
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory to perform programming or verification; further, when the programming or verification address is an address in the protected area of the memory, the memory control module (05) can also disable the first input control signal line (W15c);
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a); the address output port selects between outputting the protection code address and the programming/verification addressing address to the memory;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the protection code address, the programming address or the verification address for output.
The memory control module (05) is connected to the key/protection code register group (04) through the register control line (w54c), and controls the key/protection code register group (04) to update the protection code;
The key/protection code register group (04) is connected to the memory control module (05) through the register data line (w45d), and provides the updated protection code to the memory control module (05).
A nonvolatile memory protection system in the form of a memory encryption/decryption device comprises a CPU, an encryption/decryption unit, a control module (02) and a memory:
The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instructions sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted, or the address of the memory data/program to be decrypted, sent by the CPU; it provides the decrypted memory data/program to the CPU over the CPU data line (w02d);
The control module (02) comprises a memory control module (05), a key/protection code register group (04) and a memory address selection module (06), wherein:
The memory control module (05) is connected to the encryption/decryption unit through control input port 2 of the control module (02) and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module (05) is connected to the encryption/decryption unit through address input port 2 of the control module (02) and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module (06) is connected to the encryption/decryption unit through address input port 3 of the control module (02) and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d) and, for the key address output by the memory address selection module (06), receives the memory address encryption key or the memory data/program decryption key provided by the memory.
The key/protection code register group (04) is connected to the encryption/decryption unit through data output port 3 of the control module (02) and the third output data line (w42d), and provides the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory for memory address encryption or memory data/program decryption;
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module (05), the address output port outputs to the memory the encrypted address or the address of the data/program to be decrypted;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module (05) is connected to the key/protection code register group (04) through the register control line (w54c), and controls the key/protection code register group (04) to update the key;
The key/protection code register group (04) is connected to the memory control module (05) through the register data line (w45d), and provides the updated key to the memory control module (05).
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and provides the encryption/decryption unit with the data/program to be decrypted.
Further, the encryption/decryption unit obtains the protection code from the key/protection code register group (04) and, from the CPU control signal line (W02c) and the CPU address line (W02a), determines whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A nonvolatile memory protection system comprises a programming/verification unit (01), a CPU, an encryption/decryption unit, a control module (02) and a memory:
The memory control module (05) is connected to the programming/verification unit (01) through control input port 1 of the control module (02) and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit (01);
The memory control module (05) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The memory address selection module (06) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The protection module (03) is connected to the programming/verification unit (01) through data input port 1 of the control module (02) and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit (01);
The protection module (03) is connected to the memory through data output port 1 of the control module (02) and the first output data line (w37d) and, according to the protection code for the programming address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory content; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module (03) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d), and receives the verification data/program that the memory provides for the verification address output by the memory address selection module (06);
The key/protection code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d) and, for the protection code or key address output by the memory address selection module (06), receives the corresponding protection code or key provided by the memory, or obtains from the memory, before programming, verification, decryption or encryption, the protection code corresponding to the programming data/program or verification data/program, the address encryption key, or the memory data decryption key; the protection code is then passed to the protection module (03) over the protection code data line (w43d).
The protection module (03) is connected to the programming/verification unit (01) through data output port 2 of the control module (02) and the second output data line (w31d) and, according to the protection code for the verification address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit (01); (2) when the protection code forbids access, it outputs to the programming/verification unit (01) data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit (01);
The memory control module (05) is connected to the encryption/decryption unit through control input port 2 of the control module (02) and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module (05) is connected to the encryption/decryption unit through address input port 2 of the control module (02) and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module (06) is connected to the encryption/decryption unit through address input port 3 of the control module (02) and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection code register group (04) is connected to the encryption/decryption unit through data output port 3 of the control module (02) and the third output data line (w42d), and provides the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory for programming, verification, address encryption or memory data/program decryption; further, when the programming or verification address is an address in the protected area of the memory, the memory control module (05) can also disable the first input control signal line (W15c);
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module (05), the address output port outputs to the memory the protection code address or the programming/verification addressing address in the programming/verification state, and the encrypted address or the address of the data/program to be decrypted in the memory address encryption/data decryption state;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a); in the programming/verification state it controls the address selection module to select the protection code address, the programming address or the verification address for output, and in the memory address encryption or data/program decryption state it controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module (05) is connected to the key/protection code register group (04) through the register control line (w54c), and controls the key/protection code register group (04) to update the protection code;
The key/protection code register group (04) is connected to the memory control module (05) through the register data line (w45d), and provides the updated protection code to the memory control module (05).
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and provides the encryption/decryption unit with the data/program to be decrypted.
Further, the encryption/decryption unit obtains the protection code from the key/protection code register group (04) and, from the CPU control signal line (W02c) and the address line (W02a), determines whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A nonvolatile memory protection method in the form of a memory data/program programming method comprises the following steps:
(4) the programming/verification unit (01) connects through the first input control signal line (W15c) to the memory control module (05) of the control module (02) and sends a programming instruction to the control module (02); the programming/verification unit (01) connects through the first input address line (W16a) to the memory address selection module (06) and the memory control module (05) of the control module (02) and outputs the addressing address corresponding to the programming data/program; the programming data/program output of the programming/verification unit (01) connects through the first input data line (w13d) to the protection module (03) of the control module (02) and outputs the programming data/program;
(5) after the memory control module (05) of the control module (02) receives the programming instruction, it outputs the protection code storage address to the memory address selection module (06) over the selection address line (w56a) and, through the selection control line (w56c), controls the memory address selection module (06) to output on the first output address line (w67a) the protection code storage address corresponding to the addressing address; at the same time the memory control module (05), through the control line (w57c), controls the memory to provide the protection code of the corresponding address to the key/protection code register group (04) over the second input data line (w07d); the key/protection code register group (04) updates the protection code under control of the register control line (w54c); the updated protection code is provided to the memory control module (05) over the register data line (w45d) and to the protection module (03) over the data line (w43d);
(6) the memory control module (05) determines from the received protection code whether the addressing address sent by the programming/verification unit (01) is an address in the protected area of the memory. If the addressing address is not a protected-area address, the memory control module (05), through the selection control line (w56c), instructs the memory address selection module (06) to select the programming address sent on the first input address line (W16a); the memory address selection module (06) provides the programming address to the memory over the first output address line (w67a); the protection module (03) provides the programming data/program to the memory over the first output data line (w37d); and the memory, under control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the addressing address is an address in the protected area of the memory, the memory control module (05) shields the programming control signal sent by the programming/verification unit (01) on the first input control signal line (W15c), or the key/protection code register group (04) outputs the protection code to interfere with the programming data/program output by the protection module (03), so that the content of the memory is not changed.
Further, the programming data/program provided by the programming/verification unit (01) is encrypted data/program.
A nonvolatile memory protection method in the form of a memory data verification method comprises the following steps:
(4) the programming/verification unit (01) connects through the first input control signal line (W15c) to the memory control module (05) of the control module (02) and sends a verification command to the control module (02); the programming/verification unit (01) connects through the first input address line (W16a) to the memory address selection module (06) and the memory control module (05) of the control module (02) and outputs the addressing address corresponding to the verification data/program;
(5) after the memory control module (05) of the control module (02) receives the verification command, it outputs the protection code storage address to the memory address selection module (06) over the selection address line (w56a) and, through the selection control line (w56c), controls the memory address selection module (06) to output on the first output address line (w67a) the protection code storage address corresponding to the addressing address; at the same time the memory control module (05), through the control line (w57c), controls the memory to provide the protection code of the corresponding address to the key/protection code register group (04) over the second input data line (w07d); the key/protection code register group (04) updates the protection code under control of the register control line (w54c); the updated protection code is provided to the memory control module (05) over the register data line (w45d) and to the protection module (03) over the data line (w43d);
(6) the memory control module (05) determines from the received protection code whether the addressing address sent by the programming/verification unit (01) is an address in the protected area of the memory. If the addressing address is not a protected-area address, the memory control module (05), through the selection control line (w56c), instructs the memory address selection module (06) to select the verification address sent on the first input address line (W16a); the memory address selection module (06) provides the verification address to the memory over the first output address line (w67a); the memory, under control of the control line (w57c), provides the verification data/program corresponding to the addressing address to the protection module (03) over the data line (w07d); and the protection module (03) provides it to the programming/verification unit (01) over the second output data line (w31d) for verification. If the addressing address is an address in the protected area of the memory, the memory control module (05) shields the verification control signal sent by the programming/verification unit (01) on the first input control signal line (W15c), or the key/protection code register group (04) outputs the protection code to interfere with the verification data/program output by the protection module (03).
The memory data verification method can be carried out on its own, or after memory data/program programming.
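The programming and verification gates of steps (4) to (6) above, modelled in C as an added example (not code from the patent); it shows both forbidden-access behaviours, shielding the control signal and interfering with the data. The 64-byte layout, the per-block lock byte, the 0xFF/0x00 code values, the bit-clearing write model and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed layout (assumption, not from the patent): 64-byte memory in
 * 8-byte blocks. Block 6 holds keys; block 7 holds one protection code per
 * block. Both become protected area once their own codes are programmed. */
#define MEM_SIZE   64u
#define BLOCK_SIZE 8u
#define NUM_BLOCKS (MEM_SIZE / BLOCK_SIZE)
#define KEY_BASE   48u
#define CODE_BASE  56u
#define CODE_ALLOW 0xFFu /* erased value means "access allowed" (assumption) */
#define CODE_LOCK  0x00u
#define FILL       0x00u /* altered read-back value, independent of content */

typedef enum { GATE_SHIELD, GATE_INTERFERE } gate_mode_t;
typedef struct {
    uint8_t mem[MEM_SIZE];        /* memory (07) */
    uint8_t code_reg[NUM_BLOCKS]; /* key/protection code register group (04) */
    gate_mode_t mode;             /* forbidden-access behaviour of the device */
} nvm_t;

static void nvm_init(nvm_t *n, gate_mode_t mode)
{
    memset(n->mem, 0xFF, sizeof n->mem); /* erased flash/OTP reads all ones */
    memset(n->code_reg, CODE_ALLOW, sizeof n->code_reg);
    n->mode = mode;
}

/* Step (5): fetch the protection code covering addr from the memory into
 * the register group before the operation itself is decided. */
static uint8_t load_code(nvm_t *n, unsigned addr)
{
    unsigned blk = addr / BLOCK_SIZE;
    n->code_reg[blk] = n->mem[CODE_BASE + blk];
    return n->code_reg[blk];
}

/* Step (6), programming. Returns true if a program strobe reached memory. */
static bool nvm_program(nvm_t *n, unsigned addr, uint8_t data)
{
    if (addr >= MEM_SIZE)
        return false;
    bool allowed = (load_code(n, addr) == CODE_ALLOW);
    if (!allowed && n->mode == GATE_SHIELD)
        return false;     /* programming control signal is shielded */
    if (!allowed)
        data = 0xFF;      /* interfered data: all ones clears no bit */
    n->mem[addr] &= data; /* flash/OTP programming can only clear bits */
    return true;
}

/* Step (6), verification. Returns true if a byte was output in *out. */
static bool nvm_verify(nvm_t *n, unsigned addr, uint8_t *out)
{
    if (addr >= MEM_SIZE)
        return false;
    if (load_code(n, addr) == CODE_ALLOW) {
        *out = n->mem[addr];
        return true;
    }
    if (n->mode == GATE_SHIELD)
        return false;     /* nothing is output */
    *out = FILL;          /* altered data instead of the stored byte */
    return true;
}

/* Result bits returned by run_scenario(). */
enum { R_USER_OK = 1, R_STROBE = 2, R_INTACT = 4, R_OUTPUT = 8, R_LEAK = 16 };

/* Provision a key, lock its block, lock the code table last, then replay
 * the operations an unauthorized programmer could still attempt. */
unsigned run_scenario(gate_mode_t mode)
{
    nvm_t n;
    uint8_t v = 0;
    unsigned r = 0;
    const uint8_t key = 0x3C; /* constructed sample key byte */
    nvm_init(&n, mode);
    nvm_program(&n, KEY_BASE, key);
    nvm_program(&n, CODE_BASE + 6, CODE_LOCK); /* lock the key block */
    nvm_program(&n, CODE_BASE + 7, CODE_LOCK); /* lock the code table */
    if (nvm_program(&n, 0, 0xA5) && nvm_verify(&n, 0, &v) && v == 0xA5)
        r |= R_USER_OK;   /* non-protected area still works */
    if (nvm_program(&n, KEY_BASE, 0x00))        /* overwrite attempt */
        r |= R_STROBE;
    nvm_program(&n, CODE_BASE + 6, CODE_ALLOW); /* unlock attempt */
    if (n.mem[KEY_BASE] == key && n.mem[CODE_BASE + 6] == CODE_LOCK)
        r |= R_INTACT;
    if (nvm_verify(&n, KEY_BASE, &v)) {         /* read-back attempt */
        r |= R_OUTPUT;
        if (v == key)
            r |= R_LEAK;
    }
    return r;
}
```

In the interfering variant the strobe still reaches the array, so the model only holds because the substituted data cannot clear a bit and the substituted read-back value is not derived from the stored byte.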
A memory protection method in the form of a memory address encryption method comprises the following steps:
(1) the encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instruction sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted sent by the CPU;
(2) the encryption/decryption unit obtains the encryption key for the corresponding address from the key/protection code register group (04) of the control module (02) and uses the address encryption key to encrypt the memory address to be encrypted sent by the CPU; the encryption/decryption unit outputs the encrypted address to the memory control module (05) over the second input address signal line (w25a) and to the memory address selection module (06) over the third input address line (w26a); the encryption/decryption unit connects through the second input control signal line (W25c) to the memory control module of the control module (02) and sends an instruction to the memory control module (05);
(3) if the encrypted address received by the memory control module (05) is an address in the protected area of the memory, the memory control module (05) interrupts the encrypted address sent on the second output address signal line (w25a); if the encrypted address received by the memory control module (05) is an address in the non-protected area of the memory, the memory control module (05), through the selection control line (w56c), instructs the memory address selection module (06) to select the encrypted address provided by the encryption/decryption unit on the third input address line (W26a), and the memory address selection module (06) provides the encrypted address to the memory over the first output address line (w67a).
Further, step (1) also comprises: the encryption/decryption unit obtains the protection code from the key/protection code register group (04) and, from the CPU control signal line (W02c) and the CPU address line (W02a), determines whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
A nonvolatile memory protection method in the form of a memory data/program decryption method comprises the following steps:
(1) the encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the read-memory-data instruction sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the addressing address, sent by the CPU, corresponding to the data/program in the memory that needs to be decrypted;
(2) the encryption/decryption unit connects through the second input control signal line (W25c) to the memory control module (05) of the control module (02) and sends a read memory data/program instruction to the control module (02); the encryption/decryption unit connects through the second input address line (W25a) to the memory control module (05) of the control module (02) and through the third input address line (w26a) to the memory address selection module (06), and outputs the addressing address corresponding to the data/program to be decrypted;
(3) the memory control module (05), through the selection control line (w56c), controls the memory address selection module (06) to select the addressing address output by the encryption/decryption unit on the third input address line (W26a); the memory address selection module (06) provides the addressing address to the memory over the first output address line (w67a); the memory, under control of the first output control signal line (w57c), provides the stored data corresponding to the addressing address to the encryption/decryption unit over the second input data line (w07d);
(4) the encryption/decryption unit decrypts the received memory data in a predefined manner using the data/program decryption key output on the third output data line (w42d), and provides the decrypted data/program to the CPU.
Further, step (1) also comprises: the encryption/decryption unit obtains the protection code from the key/protection code register group (04) and, from the CPU control line (W02c) and the CPU address line (W02a), determines whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
As shown in Fig. 4, the memory of the invention described above is a nonvolatile memory, such as a one-time programmable memory or Flash, and is divided into:
---a protected area, for storing the memory data/program decryption key, the memory address encryption key and the protection codes;
---a non-protected area, for storing data that does not need protection.
The protected area can additionally protect user-defined data or programs that need protection.
The memory data/program decryption key, the memory address encryption key and the protection codes are programmed into predetermined addresses of the memory;
Data or programs stored at different addresses of the memory may correspond to different protection codes and keys; data or programs stored at some of the different addresses may correspond to the same protection code and key; and, of course, data or programs stored at all addresses of the memory may correspond to the same protection code and key.
It should be understood that the above embodiments merely illustrate the invention and do not limit it; any invention-creation that does not go beyond the spirit and scope of the invention falls within the scope of protection of the invention.

Claims (18)

1. A nonvolatile memory protection system, characterized in that it implements memory programming/verification and comprises a programming/verification unit, a control module and a memory:
The control module comprises a memory control module, a key/protection code register group, a memory address selection module and a protection module, wherein:
The memory control module is connected to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit;
The memory control module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The memory address selection module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The protection module is connected to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module is connected to the memory through data output port 1 of the control module and the first output data line (w37d) and, according to the protection code for the programming address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory content; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module is connected to the memory through data input port 2 of the control module and the second input data line (w07d), and receives the verification data/program that the memory provides for the verification address output by the memory address selection module;
The key/protection code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d) and, for the protection code address output by the memory address selection module, receives the protection code of the corresponding address provided by the memory, or obtains the protection code of the corresponding address from the memory before programming/verification; the protection code is then passed to the protection module over the protection code data line (w43d);
The protection module is connected to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d) and, according to the protection code for the verification address supplied by the key/protection register, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming or verification;
The memory address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); the address output port selects between outputting the protection code address and the programming/verification addressing address to the memory;
The memory control module is connected to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the protection code address, the programming address or the verification address for output;
The memory control module is connected to the key/protection code register group through the register control line (w54c), and controls the key/protection code register group to update the protection code;
The key/protection code register group is connected to the memory control module through the register data line (w45d), and provides the updated protection code to the memory control module.
2. The nonvolatile memory protection system as claimed in claim 1, characterized in that when the programming or verification address is an address in the memory protection area, the memory control module disables the first input control signal line (W15c).
3. The nonvolatile memory protection system as claimed in claim 1, characterized in that the programming data/program provided by the programming/verification unit is encrypted data/program.
4. A nonvolatile memory protection system for memory encryption/decryption, characterized in that it comprises a CPU, an encryption/decryption unit, a control module and a memory:
The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the instructions sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted, or the address of the memory data/program to be decrypted, sent by the CPU; the encryption/decryption unit provides the decrypted memory data/program to the CPU through the CPU data line (w02d);
The control module comprises a memory control module, a key/protection code register group and a memory address selection module, wherein:
The memory control module connects to the encryption/decryption unit through control input port two of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instructions sent by the encryption/decryption unit;
The memory control module connects to the encryption/decryption unit through address input port two of the control module and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module connects to the encryption/decryption unit through address input port three of the control module and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection code register group connects to the memory through data input port two of the control module and the second input data line (w07d), and receives the memory address encryption key or the memory data/program decryption key that the memory provides for the key address output by the memory address selection module;
The key/protection code register group connects to the encryption/decryption unit through data output port three of the control module and the third output data line (w42d), and provides the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module connects to the memory through control output port one of the control module and the first output control signal line (w57c), and controls the memory to perform memory address encryption or memory data/program decryption;
The memory address selection module connects to the memory through address output port one of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs the encrypted address or the address of the data/program to be decrypted to the memory;
The memory control module connects to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output;
The memory control module connects to the key/protection code register group through the register control line (w54c), and commands the key/protection code register group to update the key;
The key/protection code register group connects to the memory control module through the register data line (w45d), and provides the updated key to the memory control module;
The memory connects to the encryption/decryption unit through the second input data line (w07d), and provides the data/program to be decrypted to the encryption/decryption unit.
5. The nonvolatile memory protection system as claimed in claim 4, characterized in that the encryption/decryption unit obtains the protection code from the key/protection code register group and judges, through the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program being run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden.
6. A nonvolatile memory protection system, characterized in that it comprises a programming/verification unit, a CPU, an encryption/decryption unit, a control module and a memory:
The memory control module connects to the programming/verification unit through control input port one of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification commands sent by the programming/verification unit;
The memory control module connects to the programming/verification unit through address input port one of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The memory address selection module connects to the programming/verification unit through address input port one of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The protection module connects to the programming/verification unit through data input port one of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module connects to the memory through data output port one of the control module and the first output data line (w37d). According to the protection code for the corresponding programming address, supplied by the key/protection code register group, it performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program altered by the protection code, without changing the memory contents; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module connects to the memory through data input port two of the control module and the second input data line (w07d), and receives the verification data/program that the memory provides for the verification address output by the memory address selection module;
The key/protection code register group connects to the memory through data input port two of the control module and the second input data line (w07d). It receives the corresponding protection code or key that the memory provides for the protection code address or key address output by the memory address selection module, or obtains from the memory, before programming, verification, decryption or encryption, the protection code, address encryption key or memory data decryption key corresponding to the programming data/program or verification data/program; the protection code is then passed to the protection module over the protection code data line (w43d);
The protection module connects to the programming/verification unit through data output port two of the control module and the second output data line (w31d). According to the protection code for the corresponding verification address, supplied by the key/protection code register group, it performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module connects to the encryption/decryption unit through control input port two of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instructions sent by the encryption/decryption unit;
The memory control module connects to the encryption/decryption unit through address input port two of the control module and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module connects to the encryption/decryption unit through address input port three of the control module and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection code register group connects to the encryption/decryption unit through data output port three of the control module and the third output data line (w42d), and provides the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module connects to the memory through control output port one of the control module and the first output control signal line (w57c), and controls the memory to perform programming, verification, address encryption or memory data/program decryption; further, when the programming or verification address is an address in the memory protection area, the memory control module can also disable the first input control signal line (W15c);
The memory address selection module connects to the memory through address output port one of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs to the memory the protection code address or the programming/verification addressing address in the programming/verification state, and the encrypted address or the address of the data/program to be decrypted in the memory address encryption/data decryption state;
The memory control module connects to the memory address selection module through the selection control line (w56c) and the selection address line (w56a); in the programming/verification state it controls the address selection module to select the protection code address, the programming address or the verification address for output, and in the memory address encryption or data/program decryption state it controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output;
The memory control module connects to the key/protection code register group through the register control line (w54c), and commands the key/protection code register group to update the protection code;
The key/protection code register group connects to the memory control module through the register data line (w45d), and provides the updated protection code to the memory control module;
The memory connects to the encryption/decryption unit through the second input data line (w07d), and provides the data/program to be decrypted to the encryption/decryption unit.
7. The nonvolatile memory protection system as claimed in claim 6, characterized in that when the programming or verification address is an address in the memory protection area, the memory control module disables the first input control signal line (W15c).
8. The nonvolatile memory protection system as claimed in claim 6, characterized in that the programming data/program provided by the programming/verification unit is encrypted data/program.
9. The nonvolatile memory protection system as claimed in claim 6, characterized in that the encryption/decryption unit obtains the protection code from the key/protection code register group and judges, through the CPU control signal line (W02c) and the address line (W02a), whether the user program being run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden.
10. A nonvolatile memory protection method, characterized in that it performs memory data/program programming and comprises the following steps:
(1) The programming/verification unit connects to the memory control module of the control unit through the first input control signal line (W15c) and sends a programming instruction to the control module; the programming/verification unit connects to the memory address selection module and the memory control module of the control unit through the first input address line (W16a) and outputs the addressing address corresponding to the programming data/program; the programming data/program output of the programming/verification unit connects to the protection module of the control unit through the first input data line (w13d) and outputs the programming data/program;
(2) After the memory control module of the control module receives the programming instruction, it outputs the protection code memory address to the memory address selection module through the selection address line (w56a), and through the selection control line (w56c) it controls the memory address selection module to output, on the first output address line (w67a), the protection code memory address corresponding to the addressing address; at the same time the memory control module, through the control line (w57c), controls the memory to provide the protection code of the corresponding address to the key/protection code register group over the second input data line (w07d); the key/protection code register group updates the protection code under the control of the register control line (w54c); the updated protection code is provided to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) Based on the received protection code, the memory control module judges whether the addressing address sent by the programming/verification unit is an address in the memory protection area. If the addressing address is not a protected-area address, the memory control module, through the selection control line (w56c), notifies the memory address selection module to select the programming address sent on the first input address line (W16a); the memory address selection module provides the programming address to the memory over the first output address line (w67a); the protection module provides the programming data/program to the memory over the first output data line (w37d); and the memory, under the control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the addressing address is an address in the memory protection area, the memory control module masks the programming control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protection code output by the key/protection code register group interferes with the programming data/program output by the protection module, and the memory contents are not changed.
11. The nonvolatile memory protection method as claimed in claim 10, characterized in that the programming data/program provided by the programming/verification unit is encrypted data/program.
12. A nonvolatile memory protection method, characterized in that it performs memory data verification and comprises the following steps:
(1) The programming/verification unit connects to the memory control module of the control unit through the first input control signal line (W15c) and sends a verification command to the control module; the programming/verification unit connects to the memory address selection module and the memory control module of the control unit through the first input address line (W16a) and outputs the addressing address corresponding to the verification data/program;
(2) After the memory control module of the control module receives the verification command, it outputs the protection code memory address to the memory address selection module through the selection address line (w56a), and through the selection control line (w56c) it controls the memory address selection module to output, on the first output address line (w67a), the protection code memory address corresponding to the addressing address; at the same time the memory control module, through the control line (w57c), controls the memory to provide the protection code of the corresponding address to the key/protection code register group over the second input data line (w07d); the key/protection code register group updates the protection code under the control of the register control line (w54c); the updated protection code is provided to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) Based on the received protection code, the memory control module judges whether the addressing address sent by the programming/verification unit is an address in the memory protection area. If the addressing address is not a protected-area address, the memory control module, through the selection control line (w56c), notifies the memory address selection module to select the verification address sent on the first input address line (W16a); the memory address selection module provides the verification address to the memory over the first output address line (w67a); under the control of the control line (w57c), the memory provides the verification data/program corresponding to the addressing address to the protection module over the data line (w07d); and the protection module provides it to the programming/verification unit over the second output data line (w31d) for verification. If the addressing address is an address in the memory protection area, the memory control module masks the verification control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protection code output by the key/protection code register group interferes with the verification data/program output by the protection module.
13. The nonvolatile memory protection method as claimed in claim 12, characterized in that the update of the key/protection code register group described in step (2) is replaced by any one of the following three methods:
(1) at system reset or when the read sequence restarts, the protection codes of the memory protection area are read out, and each protection code or key of the protection area is loaded into the corresponding key/protection code register group of the control module;
(2) before memory data/program verification is performed, the protection codes or keys of the memory protection area are read out, and each protection code of the protection area is loaded into the corresponding key/protection code register group of the control module;
(3) during idle time, the protection codes of the memory protection area are read out, and each protection code of the protection area is loaded into the corresponding key/protection code register group of the control module.
14. The nonvolatile memory protection method as claimed in claim 12, characterized in that the method is performed after the memory data/program programming of claim 10.
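The programming and verification gating of claims 10 and 12, sketched as a software model. This is an added example, not code from the patent; the memory layout, the protection-code bit format and the alteration transform are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not the patent's circuit. Assumed layout: 4 blocks of
 * 16 bytes; the last block stores one protection-code byte per block.
 * Assumed code format (active low, so erased 0xFF means "open"):
 * bit 0 set = programming allowed, bit 1 set = verify read-back allowed. */
#define BLOCK_SIZE     16u
#define NUM_BLOCKS     4u
#define MEM_SIZE       (BLOCK_SIZE * NUM_BLOCKS)
#define CODE_BASE      (BLOCK_SIZE * (NUM_BLOCKS - 1u))
#define PC_PROGRAM_OK  0x01u
#define PC_VERIFY_OK   0x02u

typedef enum { ACC_OK, ACC_BLOCKED, ACC_SCRAMBLED } access_result;

typedef struct {
    uint8_t mem[MEM_SIZE];         /* nonvolatile array */
    uint8_t code_reg[NUM_BLOCKS];  /* key/protection code register group */
    int scramble_on_deny;          /* 1: return altered data, 0: return nothing */
} nvm_ctrl;

/* Step (2) of both methods: load the protection codes from the memory into
 * the register group before the request is judged. */
void nvm_refresh_codes(nvm_ctrl *c) {
    memcpy(c->code_reg, &c->mem[CODE_BASE], NUM_BLOCKS);
}

void nvm_init(nvm_ctrl *c, int scramble_on_deny) {
    memset(c->mem, 0xFF, sizeof c->mem);   /* erased part: everything open */
    c->scramble_on_deny = scramble_on_deny;
    nvm_refresh_codes(c);
}

/* Placeholder alteration (assumption). The mask is never zero, so the output
 * never equals the stored byte; a real design needs a transform that leaks
 * nothing about the contents. */
uint8_t nvm_scramble(uint8_t data, uint8_t code, uint32_t addr) {
    return (uint8_t)(data ^ (uint8_t)((code + addr * 0x3Bu) | 0x01u));
}

/* Programming path: a forbidden request is masked and memory is unchanged. */
access_result nvm_program(nvm_ctrl *c, uint32_t addr, uint8_t data) {
    if (addr >= MEM_SIZE) return ACC_BLOCKED;
    nvm_refresh_codes(c);
    if (!(c->code_reg[addr / BLOCK_SIZE] & PC_PROGRAM_OK)) return ACC_BLOCKED;
    c->mem[addr] = data;
    return ACC_OK;
}

/* Verification path: a forbidden read yields altered data or no data. */
access_result nvm_verify_read(nvm_ctrl *c, uint32_t addr, uint8_t *out) {
    if (addr >= MEM_SIZE) return ACC_BLOCKED;
    nvm_refresh_codes(c);
    uint8_t code = c->code_reg[addr / BLOCK_SIZE];
    if (code & PC_VERIFY_OK) { *out = c->mem[addr]; return ACC_OK; }
    if (c->scramble_on_deny) {
        *out = nvm_scramble(c->mem[addr], code, addr);
        return ACC_SCRAMBLED;
    }
    return ACC_BLOCKED;                    /* *out is left untouched */
}

int main(void) {
    nvm_ctrl c;
    uint8_t v = 0;
    nvm_init(&c, 1);
    nvm_program(&c, 0x05, 0xAB);
    nvm_program(&c, CODE_BASE + 0, 0xFC);  /* lock block 0 for program and verify */
    nvm_program(&c, CODE_BASE + 3, 0xFC);  /* lock the code table itself */
    access_result p = nvm_program(&c, 0x05, 0x00);
    access_result r = nvm_verify_read(&c, 0x05, &v);
    printf("reprogram result %d, verify result %d, returned 0x%02X, stored 0x%02X\n",
           (int)p, (int)r, v, c.mem[0x05]);
    return 0;
}
```

In this model the block that holds the protection codes must be locked by its own entry; until that entry is written, the codes for every other block can still be rewritten through the programming path.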
15. A nonvolatile memory protection method for the nonvolatile memory protection system as claimed in claim 4, characterized in that it performs memory address encryption and comprises the following steps:
(1) The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the instruction sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted sent by the CPU;
(2) The encryption/decryption unit obtains the encryption key of the corresponding address from the key/protection code register group of the control module and uses the address encryption key to encrypt the to-be-encrypted memory address sent by the CPU; the encryption/decryption unit outputs the encrypted address to the memory control module over the second input address signal line (w25a) and to the memory address selection module over the third input address line (w26a); the encryption/decryption unit connects to the memory control module of the control unit through the second input control signal line (W25c) and sends an instruction to the memory control module;
(3) If the encrypted address received by the memory control module is an address in the memory protection area, the memory control module interrupts the encrypted address sent on the second output address signal line (w25a); if the encrypted address received by the memory control module is an address in the unprotected area of the memory, the memory control module, through the selection control line (w56c), notifies the memory address selection module to select the encrypted address provided by the encryption/decryption unit on the third input address line (W26a), and the memory address selection module provides the encrypted address to the memory over the first output address line (w67a).
16. The nonvolatile memory protection method as claimed in claim 15, characterized in that step (1) also comprises: the encryption/decryption unit obtains the protection code from the key/protection code register group and judges, through the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program being run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
17. A nonvolatile memory protection method for the nonvolatile memory protection system as claimed in claim 4, characterized in that it performs memory data/program decryption and comprises the following steps:
(1) The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the read-memory-data instruction sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the addressing address, sent by the CPU, of the data/program in the memory that needs to be decrypted;
(2) The encryption/decryption unit connects to the memory control module of the control unit through the second input control signal line (W25c) and sends a read-memory-data/program instruction to the control module; the encryption/decryption unit connects to the memory control module of the control unit through the second input address line (W25a), and to the memory address selection module through the third input address line (w26a), and outputs the addressing address corresponding to the data/program to be decrypted;
(3) Through the selection control line (w56c), the memory control module controls the memory address selection module to select the addressing address output by the encryption/decryption unit on the third input address line (W26a); the memory address selection module provides the addressing address to the memory over the first output address line (w67a); under the control of the first output control signal line (w57c), the memory provides the stored data corresponding to the addressing address to the encryption/decryption unit over the second input data line (w07d);
(4) The encryption/decryption unit decrypts the received memory data in a predefined manner, using the data/program decryption key output on the third output data line (w42d), and provides the decrypted data/program to the CPU.
18. The nonvolatile memory protection method as claimed in claim 17, characterized in that step (1) also comprises: the encryption/decryption unit obtains the protection code from the key/protection code register group and judges, through the CPU control line (W02c) and the CPU address line (W02a), whether the user program being run by the CPU is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
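An added model of the address encryption and data decryption path of claims 15 and 17 (not code from the patent). The per-block key layout and the XOR transforms are assumptions standing in for ciphers the claims do not specify, and XOR is not a secure choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model. Assumptions: 64-byte memory in 16-byte blocks, block 3
 * is the protection area, and each unprotected block has its own address
 * key and data key held in the key/protection code register group. */
#define BLOCK_SIZE 16u
#define MEM_SIZE   64u
#define PROT_BASE  48u
#define PLAIN_LEN  48u

/* Constructed plaintext image (48 ASCII bytes). */
static const char PLAIN[] = "constructed sample firmware image, 48 bytes long";

typedef struct {
    uint8_t addr_key[3];   /* address encryption key per unprotected block */
    uint8_t data_key[3];   /* data/program decryption key per unprotected block */
} key_regs;

/* Address encryption: permute the offset inside the block, so the mapping is
 * a bijection and never leaves its block. Protection-area addresses have no
 * key and pass through unchanged for the control module to reject. */
uint32_t encrypt_addr(const key_regs *k, uint32_t addr) {
    if (addr >= PROT_BASE) return addr;
    uint32_t off = (addr ^ k->addr_key[addr / BLOCK_SIZE]) & (BLOCK_SIZE - 1u);
    return (addr & ~(BLOCK_SIZE - 1u)) | off;
}

/* Data transform, its own inverse: key byte mixed with the physical address. */
uint8_t crypt_data(const key_regs *k, uint32_t phys, uint8_t b) {
    return (uint8_t)(b ^ k->data_key[phys / BLOCK_SIZE] ^ (uint8_t)(phys * 0x1Du));
}

/* What the programming side has to write so that the CPU path reads
 * plaintext: encrypted bytes placed at encrypted addresses. */
void build_image(const key_regs *k, const uint8_t *plain, uint32_t len,
                 uint8_t mem[MEM_SIZE]) {
    memset(mem, 0xFF, MEM_SIZE);
    for (uint32_t i = 0; i < len && i < PROT_BASE; i++) {
        uint32_t phys = encrypt_addr(k, i);
        mem[phys] = crypt_data(k, phys, plain[i]);
    }
}

/* CPU read through the encryption/decryption unit. Returns -1 when the
 * encrypted address falls in the protection area (claim 15, step 3). */
int cpu_read(const key_regs *k, const uint8_t mem[MEM_SIZE], uint32_t addr,
             uint8_t *out) {
    uint32_t phys = encrypt_addr(k, addr);
    if (phys >= PROT_BASE) return -1;
    *out = crypt_data(k, phys, mem[phys]);
    return 0;
}

int main(void) {
    const key_regs k = { {0x0B, 0x06, 0x0D}, {0xA7, 0xC3, 0x9E} };
    uint8_t mem[MEM_SIZE];
    uint8_t b = 0;
    build_image(&k, (const uint8_t *)PLAIN, PLAIN_LEN, mem);
    int rc = cpu_read(&k, mem, 0, &b);
    printf("cpu read @0: rc=%d '%c', raw cell @0: 0x%02X\n", rc, b, mem[0]);
    printf("read inside protection area: rc=%d\n", cpu_read(&k, mem, 50, &b));
    return 0;
}
```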
CN 200910098918 2009-05-25 2009-05-25 Nonvolatile memory protecting system and method Active CN101901629B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200910098918 CN101901629B (en) 2009-05-25 2009-05-25 Nonvolatile memory protecting system and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN 200910098918 CN101901629B (en) 2009-05-25 2009-05-25 Nonvolatile memory protecting system and method

Publications (2)

Publication Number Publication Date
CN101901629A CN101901629A (en) 2010-12-01
CN101901629B CN101901629B (en) 2013-12-25

Family

ID=43227105

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200910098918 Active CN101901629B (en) 2009-05-25 2009-05-25 Nonvolatile memory protecting system and method

Country Status (1)

Country Link
CN (1) CN101901629B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2489405B (en) 2011-03-22 2018-03-07 Advanced Risc Mach Ltd Encrypting and storing confidential data
CN103139366B (en) * 2011-12-05 2014-09-24 希姆通信息技术(上海)有限公司 Mobile terminal and data protection method thereof
CN103686351B (en) * 2012-09-24 2017-04-19 晨星软件研发(深圳)有限公司 Descrambling device and television system using descrambling device
US9245129B2 (en) * 2013-03-15 2016-01-26 Nvidia Corporation System and method for protecting data by returning a protect signal with the data
CN105046173A (en) * 2015-07-02 2015-11-11 山东超越数控电子有限公司 Fast and reliable design method for destroying SSD hard disk

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1102265A (en) * 1993-03-20 1995-05-03 莫托罗拉公司 Data storage device
CN1316087A (en) * 1999-04-27 2001-10-03 松下电器产业株式会社 Semiconductor memory card and data reading apparatus
CN101246743A (en) * 2007-02-14 2008-08-20 上海海尔集成电路有限公司 Flash memory interface
CN201655334U (en) * 2009-05-25 2010-11-24 杭州士兰微电子股份有限公司 Nonvolatile memory protection system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090113220A1 (en) * 2007-10-26 2009-04-30 Sang Han Lee Encrypted backup data storage device and storage system using the same

Also Published As

Publication number Publication date
CN101901629A (en) 2010-12-01

Similar Documents

Publication Publication Date Title
CN104156642B (en) A kind of security password input system and method based on safe touch screen control chip
CN101031068B (en) Method and system for secure system-on-a-chip architecture for multimedia data processing
EP0583140B1 (en) System for seamless processing of encrypted and non-encrypted data and instructions
US6345359B1 (en) In-line decryption for protecting embedded software
US8347114B2 (en) Method and apparatus for enforcing a predetermined memory mapping
US8555015B2 (en) Multi-layer content protecting microcontroller
JP4865694B2 (en) Processor device
CN101782956B (en) Method and device for protecting data on basis of AES real-time encryption
US20150186679A1 (en) Secure processor system without need for manufacturer and user to know encryption information of each other
US9081724B2 (en) Method and device for protecting memory content using first and second addressable storage regions and first and second encryption keys
CN101996154B (en) General processor supporting reconfigurable safety design
KR101303278B1 (en) FPGA apparatus and method for protecting bitstream
CN102436423B (en) Controller and method for protecting NorFlash core data outside universal sheet
CN101901629B (en) Nonvolatile memory protecting system and method
CA2543572A1 (en) Tamper-resistant trusted virtual machine
CN100424611C (en) Method and central processing unit for processing encryption software
CN102347834A (en) Trusted mobile platform architecture
CN204242180U (en) A kind of security password input system based on safe touch screen control chip
CN106503494A (en) A kind of firmware protection location and guard method with flash memory microcontroller on piece
US20170046280A1 (en) Data processing device and method for protecting a data processing device against attacks
EP3844647B1 (en) System and method for providing protected data storage in data memory
CN104506504A (en) Security mechanism and security device for confidential information of card-free terminal
CN103929312A (en) Mobile terminal and method and system for protecting individual information of mobile terminal
CN108959129B (en) Embedded system confidentiality protection method based on hardware
CN201655334U (en) Nonvolatile memory protection system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant