CN110135202B - NVM self-destruction device and method in safe MCU - Google Patents
NVM self-destruction device and method in safe MCU Download PDFInfo
- Publication number
- CN110135202B CN110135202B CN201910249196.0A CN201910249196A CN110135202B CN 110135202 B CN110135202 B CN 110135202B CN 201910249196 A CN201910249196 A CN 201910249196A CN 110135202 B CN110135202 B CN 110135202B
- Authority
- CN
- China
- Prior art keywords
- self
- nvm
- destruction
- signal
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/79—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Alarm Systems (AREA)
Abstract
The invention provides an NVM self-destruction device in a security MCU, belongs to the technical field of security chips, and aims at the problem that sensitive information can be leaked when the security MCU is attacked. The technical scheme includes that the system comprises an alarm detection module, an NVM self-destruction control module and an alarm information recording module, wherein the alarm detection module, the NVM self-destruction control module and the alarm information recording module are arranged between a sensor and an NVM controller. The alarm detection module stores a specific sensor signal, the NVM self-destruction control module enables the alarm detection module, the alarm detection module receives the sensor signal and judges whether the sensor signal is matched with the specific sensor signal, when the sensor signal is successfully matched, the alarm information recording module records the sensor signal, meanwhile, the NVM self-destruction control module sends an NVM control signal to the NVM controller, the NVM controller receives the NVM control signal and erases the content in an NVM self-destruction address range corresponding to the self-destruction signal, and therefore sensitive information is prevented from being leaked even if the safety MCU is attacked. The invention also provides a self-destruction method of the NVM in the safe MCU, which is combined with the self-destruction device.
Description
Technical Field
The invention relates to the technical field of security chips, in particular to an NVM self-destruction device and method in a security MCU.
Background
With more and more devices of the internet of things, the demand for a safe MCU is also increasing. The security MCU is used for protecting the security of sensitive information, and the most important of the sensitive information is the sensitive information. Sensitive information is typically stored in NVM (non-volatile memory) inside the secure MCU.
Currently, methods for stealing sensitive information aiming at a security chip include methods such as side channel analysis, fault injection attack, physical intrusion attack and the like.
When the existing security chip is used for coping with the attacks, the main measures adopted are measures such as redundancy operation, power consumption interference, random time sequence, bus shielding and the like, which are added in the process of using the sensitive information, and the measures are mainly used for analyzing the side channel.
Protection against fault injection in a security chip is mainly achieved by adding a sensor for detecting environmental changes in which the security chip is located, such as temperature, voltage and light detection. When the environmental change exceeds the threshold, the sensor gives an alarm, so that the use of sensitive information in the security chip is stopped to prevent leakage.
For intrusion attack, the main protection measure of the security chip is to add an active shielding layer and data encryption storage, wherein the active shielding layer is positioned at the topmost layer of the chip, and when the chip is cut into slices, the damage of the active shielding layer can generate an alarm, so that the security chip can generate an alarm without using sensitive information. The encrypted storage refers to that when sensitive information is stored in the NVM, the sensitive information is scrambled by address and data, and an attacker wants to read the sensitive information from the actual NVM, so that the difficulty is high. However, when an attacker knows the encryption storage algorithm of the NVM and knows the storage location of the sensitive information, the sensitive information can be read out from the NVM by means of a probe or FIB.
Existing NVM self-destruct circuits are mainly used on SSDs or hard disks and are mainly prone to physical damage to the NVM. For example, a fuse is blown by detecting an attack, internally generating a high voltage; the technical proposal is that a circuit wafer and a piece of toughened glass are attached together, and the circuit wafer and the toughened glass are cracked after being heated, so that the whole circuit wafer is destroyed together; also, by applying +28v high voltage or high voltage pulse to the core circuit of the memory, the controller of the memory or the memory itself is burnt out, so that the hardware structure is completely broken down, and any repair can not be performed.
The method for destroying the memory can also ensure the safety of data in the memory, but has two defects, namely, a circuit is destroyed, high voltage is generally required, the power supply of a system of a security chip is external, an attacker can not connect the high voltage, and if the high voltage is generated inside the security chip, the design difficulty and the stability of the chip can be increased. The other method is a physical damage method, which can cause the whole NVM to be completely damaged, so that the whole NVM cannot be used completely, and the error triggering situation is not checked up, and the failure analysis is not facilitated.
Disclosure of Invention
The invention aims to solve the defects of the prior art, and provides a self-destruction device and a self-destruction method for NVM (non-volatile memory) in a secure MCU (micro control Unit) aiming at the problem that sensitive information is leaked when the secure MCU is attacked, and when the chip is detected to be attacked, the data in the NVM can be destroyed, so that the sensitive information is ensured not to be leaked.
Firstly, one technical scheme adopted by the invention for solving the technical problems is as follows:
an NVM self-destruction device within a secure MCU is disposed between a sensor of the secure MCU and an NVM controller. The device comprises an alarm detection module, an NVM self-destruction control module and an alarm information recording module, wherein the NVM self-destruction control module sends an enabling signal to the alarm detection module in a manual enabling or MCU power-on automatic enabling mode.
The alarm detection module is used for receiving the sensor signal output by the sensing module and the enabling signal sent by the NVM self-destruction control module and judging whether the received sensor signal belongs to the appointed sensor signal or not; when the received sensor signal belongs to the appointed sensor signal, the alarm detection module sends a self-destruction signal to the NVM self-destruction control module, and meanwhile, the alarm detection module sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module for recording; when the received sensor signal does not belong to the appointed sensor signal, no effective signal interaction exists among the alarm detection module, the NVM self-destruction control module and the alarm information recording module;
the NVM self-destruction control module is used for receiving the self-destruction signal output by the alarm detection module and sending a record information enabling signal outwards;
the alarm information recording module is used for receiving alarm source information sent by the alarm detection module and a record information enabling signal sent by the NVM self-destruction control module, the alarm information recording module is also used for sending an NVM control signal I outwards, the NVM controller receives the NVM control signal and programs an NVM record address range corresponding to the self-destruction signal, meanwhile, the NVM controller records the alarm source information in the NVM record address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module sends a record completion signal outwards;
the NVM self-destruction control module is also used for receiving the record completion signal sent by the alarm information record module, then the NVM self-destruction control module sends an NVM control signal II outwards, the NVM controller receives the NVM control signal II and erases the content in the NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module sends a prohibition signal to the alarm detection module.
Specifically, the alarm detection module involved includes:
the self-destruction source setting sub-module is used for setting and storing specified sensor signals which can trigger the NVM to perform self destruction, wherein the specified sensor signals belong to at least one sensor signal output by various sensors in the safety MCU;
the alarm matching sub-module is used for receiving the sensor signals output by the sensor, judging whether the received sensor signals have an alarm or not, and outputting alarm signals when the received sensor signals are matched with at least one appointed sensor signal stored by the self-destruction source setting sub-module;
the parameter setting sub-module is used for setting the filtering delay and the filtering times of the alarm signal;
the filtering processing sub-module is used for receiving the alarm signal output by the alarm matching sub-module, processing the alarm signal according to the parameter setting condition of the parameter setting sub-module, transmitting a self-destruction signal to the NVM self-destruction control module when the alarm signal still exists after the processing is finished, and transmitting alarm source information corresponding to the self-destruction signal to the alarm information recording module.
Preferably, the self-destructing source setup submodule concerned stores the specified sensor signal in a register, RAM or NVM.
Specifically, the related alarm information recording module comprises:
the information recording address setting sub-module is used for setting the recording address of the alarm source information;
the information recording enabling submodule is used for receiving the recording information enabling signal sent outwards by the NVM self-destruction control module and further enabling the recording submodule;
the recording sub-module is used for receiving the alarm source information transmitted by the alarm detection module and generating an NVM control signal I, the NVM controller receives the NVM control signal and programs an NVM recording address range corresponding to the self-destruction signal, and simultaneously, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module sends out a programming completion signal;
and the recording completion signal generation module is used for receiving the programming completion signal of the recording sub-module and generating a recording completion signal.
Specifically, the related NVM self-destruction control module includes:
the self-destruction signal processing sub-module is used for receiving the self-destruction signal output by the filtering processing sub-module and the record completion signal output by the alarm information recording module, and when only the self-destruction signal is received, the self-destruction signal processing sub-module transmits a record information enabling signal to the information record enabling sub-module, and when the record completion signal is received, the self-destruction signal processing sub-module transmits the self-destruction enabling signal outwards;
the self-destruction address range setting submodule is used for setting an NVM self-destruction address range corresponding to the appointed sensor signal;
the self-destruction sub-module is used for receiving the self-destruction enabling signal sent outwards by the self-destruction signal processing sub-module, reading the self-destruction address range matched with the self-destruction signal in the self-destruction address range setting sub-module, further generating an NVM control signal II, receiving the control signal II by the NVM controller, erasing the content in the NVM self-destruction address range read by the self-destruction sub-module in the secure MCU, and generating a self-destruction completion signal by the self-destruction sub-module after the erasing is completed;
the signal generation module is used for receiving the self-destruction completion signal generated by the self-destruction submodule and further generating a prohibition signal to prohibit the alarm detection module; the signal generation module sends an enabling signal to the alarm matching submodule in a manual enabling mode or an MCU power-on automatic enabling mode.
Specifically, the set addresses of the NVM recording address range and the NVM recording address range involved are arbitrary addresses in the NVM, respectively.
In particular, the sensors involved include, but are not limited to, active shielding layers, light sensors, temperature sensors, voltage sensors, frequency sensors, power glitch sensors, memory protection units.
Specifically, the related NVM self-destruction control module and the alarm information recording module directly or respectively perform signal interaction with the NVM controller through buses.
Secondly, another technical scheme adopted by the invention for solving the technical problems is as follows:
based on the NVM self-destruction device, the method for self-destruction of the NVM in the secure MCU comprises the following implementation processes:
1) Setting an enabling mode of the NVM self-destruction control module to be manual enabling or MCU power-on automatic enabling; after the NVM self-destruction control module is enabled, an enabling signal is sent to the alarm detection module;
2) Setting a specified sensor capable of triggering the NVM self-destruction in the alarm detection module, setting an NVM self-destruction address range corresponding to the specified sensor signal in the NVM self-destruction control module, and setting an NVM recording address range corresponding to the specified sensor signal in the alarm information recording module;
3) Enabling the NVM self-destruction control module according to an enabling mode of the NVM self-destruction control module, and sending an enabling signal to the alarm detection module by the NVM self-destruction control module;
4) The enabling signal enables the alarm detection module, the alarm detection module receives a sensor signal transmitted by a sensor in the safety MCU, and judges whether the received sensor signal belongs to a specified sensor signal or not:
4a) When the received sensor signal belongs to the appointed sensor signal, the alarm detection module sends a self-destruction signal to the NVM self-destruction control module, and meanwhile, the alarm detection module sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module for recording, and the step 5) is executed;
4b) When the received sensor signal does not belong to the appointed sensor signal, no effective signal interaction exists among the alarm detection module, the NVM self-destruction control module and the alarm information recording module;
5) At this time, the NVM self-destruction control module only receives the self-destruction signal, the NVM self-destruction control module sends a recording information enabling signal to the alarm information recording module, the recording information enabling signal enables the alarm information recording module to send an NVM control signal one outwards, the NVM controller receives the NVM control signal and programs the NVM recording address range corresponding to the self-destruction signal, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module sends a recording completion signal to the NVM self-destruction control module;
6) After the NVM self-destruction control module receives the recording completion signal, the NVM self-destruction control module sends an NVM control signal II outwards, an NVM controller receives the NVM control signal II and erases the content in an NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module sends a prohibition signal to the alarm detection module;
7) And (3) circularly executing the steps 3) -6), detecting the sensor signal received by the alarm detection module at any time, performing self-destruction of the corresponding NVM self-destruction address range according to the sensor signal, finishing the protection of the safety MCU, and simultaneously recording alarm source information related to the sensor signal, and tracing and analyzing the self-destruction reason.
In step 2), the specified sensor signal is stored in a register, RAM or NVM;
the set self-destruction address range of the NVM is any address in the NVM;
the set NVM recording address range is any address in the NVM.
Compared with the prior art, the NVM self-destruction device and method in the safe MCU have the beneficial effects that:
1) The NVM self-destruction device comprises an alarm detection module, an NVM self-destruction control module and an alarm information recording module which are additionally arranged between a sensor of a safety MCU and an NVM controller, can set a designated sensor signal for triggering the NVM self-destruction, can set an NVM self-destruction address range and an NVM recording address range corresponding to the designated sensor signal, can detect the sensor signal for attacking the safety MCU when the NVM self-destruction device works, then performs self-destruction of the corresponding NVM self-destruction address range when the sensor signal is detected to belong to the designated sensor signal, and records the sensor signal as alarm source information in the corresponding NVM recording address range, so that sensitive information is prevented from being leaked when the safety MCU is attacked, and the tracing and the depth analysis of the alarm source information are facilitated in the later period;
2) The NVM self-destruction method is combined with the NVM self-destruction device, so that the safety of sensitive information is ensured; compared with physical damage to the NVM, the NVM self-destruction method is easy to realize without external high voltage, high voltage pulse generation and heat generation, and the NVM self-destruction method erases data in an address range specified in the NVM, rather than destroys the whole NVM, and is easy to control the destroyed range;
3) The NVM self-destruction method is combined with the NVM self-destruction device, does not need CPU participation, does not need CPU to set and read the sensor state, does not need CPU to erase the NVM, and effectively prevents the situation that the self-destruction cannot be completed due to the fact that the CPU is attacked to execute error instructions.
Drawings
FIG. 1 is a block diagram of a connection to a NVM controller according to an embodiment of the present invention;
FIG. 2 is a block diagram of a sub-module connection according to a first embodiment of the present invention;
FIG. 3 is a block diagram of a connection of an NVM controller over a bus according to an embodiment of the present invention.
The reference numerals in the drawings represent:
A. an alarm detection module, a B, NVM self-destruction control module,
C. the alarm information recording module is D and a bus;
1. a self-destruction source is provided with a sub-module, 2, an alarm matching sub-module,
3. a parameter setting sub-module, a signal generating module,
5. a self-destruction signal processing sub-module, 6, a self-destruction address range setting sub-module,
7. a self-destruction sub-module 8, an information recording enabling sub-module,
9. a recording sub-module 10, an information recording address setting sub-module,
11. the recording completion signal generation module, 12, the filtering processing sub-module;
13. NVM control signals one, 14, NVM control signals two.
Detailed Description
Specific embodiments of the present invention will be described in detail and fully, it being apparent that the embodiments described are only some, but not all, of the embodiments of the present invention. All embodiments obtained by a person skilled in the art without making any inventive effort are within the scope of the present invention based on the embodiments of the present invention.
Embodiment one:
referring to fig. 1, an NVM self-destruction device in a secure MCU of the present embodiment is disposed between a sensor of the secure MCU and an NVM controller. The device comprises an alarm detection module A, NVM self-destruction control module B and an alarm information recording module C, wherein the NVM self-destruction control module B sends an enabling signal to the alarm detection module A in a manual enabling or MCU power-on automatic enabling mode.
Referring to fig. 1 and 2, an alarm detection module a stores a specified sensor signal for triggering NVM self-destruction, and is configured to receive the sensor signal output by the sensing module and an enable signal sent by an NVM self-destruction control module B, and determine whether the received sensor signal belongs to the specified sensor signal; when the received sensor signal belongs to a specified sensor signal, the alarm detection module A sends a self-destruction signal to the NVM self-destruction control module B, and meanwhile, the alarm detection module A sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module C for recording; when the received sensor signal does not belong to the specified sensor signal, no effective signal interaction exists between the alarm detection module A, NVM self-destruction control module B and the alarm information recording module C.
The NVM self-destruction control module B is used for receiving the self-destruction signal output by the alarm detection module A and sending a record information enabling signal outwards;
the alarm information recording module C is used for receiving alarm source information sent by the alarm detection module A and a record information enabling signal sent by the NVM self-destruction control module B, the alarm information recording module C is also used for sending an NVM control signal I13 outwards, the NVM controller receives the NVM control signal I13 and programs an NVM record address range corresponding to the self-destruction signal, meanwhile, the NVM controller records the alarm source information in the NVM record address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module C sends a record completion signal outwards;
the NVM self-destruction control module B is also used for receiving the record completion signal sent by the alarm information recording module C, then the NVM self-destruction control module B sends an NVM control signal II 14 outwards, the NVM controller receives the NVM control signal II 14 and erases the content in the NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module B sends a prohibition signal to the alarm detection module A.
Referring to fig. 2, in the present embodiment, the alarm detection module a includes:
the self-destruction source setting submodule 1 is used for setting and storing specified sensor signals which can trigger the NVM to perform self destruction, wherein the specified sensor signals belong to at least one sensor signal output by various sensors in the safety MCU;
the alarm matching sub-module 2 is used for receiving the sensor signal output by the sensor, judging whether the received sensor signal has an alarm or not, and outputting an alarm signal when the received sensor signal is matched with at least one appointed sensor signal stored in the self-destruction source setting sub-module 1;
the parameter setting submodule 3 is used for setting the filtering delay and the filtering times of the alarm signal;
the filtering processing sub-module 12 is configured to receive the alarm signal output by the alarm matching sub-module 2, process the alarm signal according to the parameter setting condition of the parameter setting sub-module 3, transmit a self-destruction signal to the NVM self-destruction control module B when the alarm signal still exists after the processing is completed, and transmit alarm source information corresponding to the self-destruction signal to the alarm information recording module C.
In the present embodiment, the related self-destruct source setting submodule 1 stores a specified sensor signal in a register, RAM or NVM.
Referring to fig. 2, in the present embodiment, the alarm information recording module C includes:
an information recording address setting sub-module 10 for setting a recording address of the alarm source information;
the information recording enabling submodule 8 is used for receiving the recording information enabling signal sent outwards by the NVM self-destruction control module B and further enabling the recording submodule 9;
the recording sub-module 9 is used for receiving the alarm source information transmitted by the alarm detection module A and generating an NVM control signal I13, the NVM controller receives the NVM control signal I13 and programs an NVM recording address range corresponding to the self-destruction signal, and simultaneously, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module C sends a programming completion signal outwards;
the recording completion signal generating module 11 is configured to receive the programming completion signal of the recording sub-module 9 and generate a recording completion signal.
In this embodiment, the recording address set by the related information recording address setting sub-module 10 is an NVM address range, and may be any address in the whole NVM, where the information recording address setting sub-module 10 sets the recording start address and the occupied length, for example, the occupied start address is 0x00039000, the occupied length is 0x80 bytes, and the actual recording address range is 0x 00039000-0 x0003907F.
Referring to fig. 2, in this embodiment, the NVM self-destruction control module B includes:
the self-destruction signal processing sub-module 5 is used for receiving the self-destruction signal output by the filtering processing sub-module 12 and the recording completion signal output by the alarm information recording module C, when only the self-destruction signal is received, the self-destruction signal processing sub-module 5 sends a recording information enabling signal to the information recording enabling sub-module 8, and when the recording completion signal is received, the self-destruction signal processing sub-module 5 sends the self-destruction enabling signal outwards;
the self-destruction address range setting submodule 6 is used for setting an NVM self-destruction address range corresponding to the appointed sensor signal;
the self-destruction sub-module 7 is used for receiving the self-destruction enabling signal sent outwards by the self-destruction signal processing sub-module 5, reading the self-destruction address range matched with the self-destruction signal in the self-destruction address range setting sub-module 6, further generating an NVM control signal II 14, receiving the control signal II by the NVM controller, erasing the content in the NVM self-destruction address range read by the self-destruction sub-module 7 in the secure MCU, and generating a self-destruction completion signal by the self-destruction sub-module 7 after the erasing is completed;
the signal generating module 4 is configured to receive the self-destruction completion signal generated by the self-destruction sub-module 7, and further generate a prohibition signal to prohibit the alarm detection module a; the signal generating module 4 sends an enabling signal to the alarm matching sub-module 2 in a mode of manual enabling or MCU power-on automatic enabling.
In this embodiment, the self-destruction address set by the related self-destruction address range setting sub-module 6 is the NVM address range, which may be any address in the whole NVM, and this module sets the starting address of the record and the occupied length, for example, the occupied starting address is 0x00030000, the occupied length is 0x8000 bytes, and the actual recording address range is 0x 00030000-0 x00037FFF.
In this embodiment, the sensors involved include, but are not limited to, active shielding layers, light sensors, temperature sensors, voltage sensors, frequency sensors, power glitch sensors, memory protection units.
Referring to fig. 1, in this embodiment, the NVM self-destruction control module B and the alarm information recording module C directly interact with the NVM controller.
When the embodiment works, the NVM self-destruction control module B can be specifically set to send an enabling signal to the alarm detection module A in a manual power-on mode, the NVM self-destruction control module B can be specifically set to set the NVM self-destruction address ranges of the voltage sensor signal and the light sensor signal to be in the same interval based on the fact that all sensor signals in the MCU include, but are not limited to, the light sensor signal, the voltage sensor signal, the temperature sensor signal, the frequency sensor signal, the active shielding layer signal, the memory protection unit signal and the power burr sensor signal, the designated sensor signal triggering the NVM self-destruction is set to have the voltage sensor signal and the light sensor signal, the NVM self-destruction address ranges of the voltage sensor signal and the light sensor signal are set to be in the same interval, the NVM recording address ranges of the voltage sensor signal and the light sensor signal are set to be in the same interval, and the NVM recording address ranges of the voltage sensor signal and the light sensor signal are set to be 0x 00039000-0 x0003907F of the FLASH.
Embodiment two:
referring to fig. 1, an NVM self-destruction device in a secure MCU of the present embodiment is disposed between a sensor of the secure MCU and an NVM controller. The device comprises an alarm detection module A, NVM self-destruction control module B and an alarm information recording module C, wherein the NVM self-destruction control module B sends an enabling signal to the alarm detection module A in a manual enabling or MCU power-on automatic enabling mode.
Referring to fig. 1 and 2, an alarm detection module a stores a specified sensor signal for triggering NVM self-destruction, and is configured to receive the sensor signal output by the sensing module and an enable signal sent by an NVM self-destruction control module B, and determine whether the received sensor signal belongs to the specified sensor signal; when the received sensor signal belongs to a specified sensor signal, the alarm detection module A sends a self-destruction signal to the NVM self-destruction control module B, and meanwhile, the alarm detection module A sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module C for recording; when the received sensor signal does not belong to the specified sensor signal, no effective signal interaction exists between the alarm detection module A, NVM self-destruction control module B and the alarm information recording module.
The NVM self-destruction control module B is used for receiving the self-destruction signal output by the alarm detection module A and sending a record information enabling signal outwards;
the alarm information recording module C is used for receiving alarm source information sent by the alarm detection module A and a record information enabling signal sent by the NVM self-destruction control module B, the alarm information recording module C is also used for sending an NVM control signal I13 outwards, the NVM controller receives the NVM control signal I13 and programs an NVM record address range corresponding to the self-destruction signal, meanwhile, the NVM controller records the alarm source information in the NVM record address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module C sends a record completion signal outwards;
the NVM self-destruction control module B is also used for receiving the record completion signal sent by the alarm information recording module C, then the NVM self-destruction control module B sends an NVM control signal II 14 outwards, the NVM controller receives the NVM control signal II 14 and erases the content in the NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module B sends a prohibition signal to the alarm detection module A.
Referring to fig. 2, in the present embodiment, the alarm detection module a includes:
the self-destruction source setting submodule 1 is used for setting and storing specified sensor signals which can trigger the NVM to perform self destruction, wherein the specified sensor signals belong to at least one sensor signal output by various sensors in the safety MCU;
the alarm matching sub-module 2 is used for receiving the sensor signal output by the sensor, judging whether the received sensor signal has an alarm or not, and outputting an alarm signal when the received sensor signal is matched with at least one appointed sensor signal stored in the self-destruction source setting sub-module 1;
the parameter setting submodule 3 is used for setting the filtering delay and the filtering times of the alarm signal;
the filtering processing sub-module 12 is configured to receive the alarm signal output by the alarm matching sub-module 2, process the alarm signal according to the parameter setting condition of the parameter setting sub-module 3, transmit a self-destruction signal to the NVM self-destruction control module B when the alarm signal still exists after the processing is completed, and transmit alarm source information corresponding to the self-destruction signal to the alarm information recording module C.
In the present embodiment, the related self-destruct source setting submodule 1 stores a specified sensor signal in a register, RAM or NVM.
Referring to fig. 2, in the present embodiment, the alarm information recording module C includes:
an information recording address setting sub-module 10 for setting a recording address of the alarm source information;
the information recording enabling submodule 8 is used for receiving the recording information enabling signal sent outwards by the NVM self-destruction control module B and further enabling the recording submodule 9;
the recording sub-module 9 is used for receiving the alarm source information transmitted by the alarm detection module A and generating an NVM control signal I13, the NVM controller receives the NVM control signal I13 and programs an NVM recording address range corresponding to the self-destruction signal, and simultaneously, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module C sends a programming completion signal outwards;
the recording completion signal generating module 11 is configured to receive the programming completion signal of the recording sub-module 9 and generate a recording completion signal.
In this embodiment, the recording address set by the related information recording address setting sub-module 10 is an NVM address range, and may be any address in the whole NVM, where the information recording address setting sub-module 10 sets the recording start address and the occupied length, for example, the occupied start address is 0x00039000, the occupied length is 0x80 bytes, and the actual recording address range is 0x 00039000-0 x0003907F.
Referring to fig. 2, in this embodiment, the NVM self-destruction control module B includes:
the self-destruction signal processing sub-module 5 is used for receiving the self-destruction signal output by the filtering processing sub-module 12 and the recording completion signal output by the alarm information recording module C, when only the self-destruction signal is received, the self-destruction signal processing sub-module 5 sends a recording information enabling signal to the information recording enabling sub-module 8, and when the recording completion signal is received, the self-destruction signal processing sub-module 5 sends the self-destruction enabling signal outwards;
the self-destruction address range setting submodule 6 is used for setting an NVM self-destruction address range corresponding to the appointed sensor signal;
the self-destruction sub-module 7 is used for receiving the self-destruction enabling signal sent outwards by the self-destruction signal processing sub-module 5, reading the self-destruction address range matched with the self-destruction signal in the self-destruction address range setting sub-module 6, further generating an NVM control signal II 14, receiving the control signal II by the NVM controller, erasing the content in the NVM self-destruction address range read by the self-destruction sub-module 7 in the secure MCU, and generating a self-destruction completion signal by the self-destruction sub-module 7 after the erasing is completed;
the signal generating module 4 is configured to receive the self-destruction completion signal generated by the self-destruction sub-module 7, and further generate a prohibition signal to prohibit the alarm detection module a; the signal generating module 4 sends an enabling signal to the alarm matching sub-module 2 in a mode of manual enabling or MCU power-on automatic enabling.
In this embodiment, the self-destruction address set by the related self-destruction address range setting sub-module 6 is an NVM address range, which may be any address in the whole NVM, and the self-destruction address range setting sub-module 6 sets the starting address and the occupied length of the record, for example, the occupied starting address is 0x00030000, the occupied length is 0x8000 bytes, and the actual recording address range is 0x 00030000-0 x00037FFF.
In this embodiment, the sensors involved include, but are not limited to, active shielding layers, light sensors, temperature sensors, voltage sensors, frequency sensors, power glitch sensors, memory protection units.
Referring to fig. 3, the NVM self-destruction control module B and the alarm information recording module C interact with the NVM controller through a bus D. The bus D may be any one or more of AMBA of ARM, address data bus inside 8051 chip, wishbone bus maintained by OpenCores organization.
When the embodiment works, the NVM self-destruction control module B can be specifically set to send an enabling signal to the alarm detection module A in a manual power-on mode, all sensor signals in the MCU include, but are not limited to, an optical sensor signal, a voltage sensor signal, a temperature sensor signal, a frequency sensor signal, an active shielding layer signal, a memory protection unit signal and a power burr sensor signal, the appointed sensor signal triggering NVM self-destruction is set to have the voltage sensor signal and the optical sensor signal, the NVM self-destruction address range of the set voltage sensor signal is 0x 00030000-0 x00033FFF of FLASH, the NVM self-destruction address range of the set optical sensor signal is 0x 00034000-0 x00034FFF of FLASH, the NVM recording address range of the set voltage sensor signal is 0x 00036000-0 x00036007 of FLASH, and the NVM recording address range of the set optical sensor signal is 0x 00036200-0 x000362FF of FLASH.
Embodiment III:
referring to fig. 1 and 2, an NVM self-destruction method in a secure MCU according to the present embodiment, based on the NVM self-destruction device according to the first embodiment, the implementation process of the NVM self-destruction method includes:
1) Setting an enabling mode of the NVM self-destruction control module B to be manual enabling or MCU power-on automatic enabling; after the NVM self-destruction control module B is enabled, an enabling signal is sent to the alarm detection module A;
2) Setting a specified sensor capable of triggering the NVM self-destruction in the alarm detection module A, setting an NVM self-destruction address range corresponding to the specified sensor signal in the NVM self-destruction control module B, and setting an NVM recording address range corresponding to the specified sensor signal in the alarm information recording module C;
3) Enabling the NVM self-destruction control module B according to the enabling mode of the NVM self-destruction control module B, and sending an enabling signal to the alarm detection module A by the NVM self-destruction control module B;
4) Enabling the signal to enable the alarm detection module A, receiving a sensor signal transmitted by a sensor in the safety MCU by the alarm detection module A, and judging whether the received sensor signal belongs to a specified sensor signal or not:
4a) When the received sensor signal belongs to the appointed sensor signal, the alarm detection module A sends a self-destruction signal to the NVM self-destruction control module B, and meanwhile, the alarm detection module A sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module C for recording, and the step 5) is executed;
4b) When the received sensor signal does not belong to the appointed sensor signal, no effective signal interaction exists between the alarm detection module A, NVM self-destruction control module B and the alarm information recording module C;
5) At this time, the NVM self-destruction control module B only receives the self-destruction signal, the NVM self-destruction control module B sends a recording information enabling signal to the alarm information recording module C, the recording information enabling signal enables the alarm information recording module C to send an NVM control signal 13 outwards, the NVM controller receives the NVM control signal 13 and programs the NVM recording address range corresponding to the self-destruction signal, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module C sends a recording completion signal to the NVM self-destruction control module B;
6) After the NVM self-destruction control module B receives the recording completion signal, the NVM self-destruction control module B sends an NVM control signal II 14 outwards, an NVM controller receives the NVM control signal II 14 and erases the content in an NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module B sends a prohibition signal to the alarm detection module A;
7) And (3) circularly executing the steps 3) -6), detecting the sensor signal received by the alarm detection module A at any time, performing self-destruction of the corresponding NVM self-destruction address range according to the sensor signal, finishing the protection of the safety MCU, and simultaneously recording alarm source information related to the sensor signal, and tracing and analyzing the self-destruction reason.
In step 2) of the present embodiment, the specified sensor signal is stored in a register, RAM or NVM;
the set self-destruction address range of the NVM is 0x 00030000-0 x00038000 of FLASH;
the set NVM recording address range is 0x00039000 to 0x0003907F of FLASH.
The foregoing describes the principles and embodiments of the present invention in detail using specific examples, which are only for aiding in understanding the core technical content of the present invention, and are not intended to limit the scope of the present invention, but the technical solutions of the present invention are not limited to the foregoing specific embodiments. Based on the above-mentioned embodiments of the present invention, any improvements and modifications made by those skilled in the art without departing from the principles of the present invention should fall within the scope of the present invention.
Claims (7)
1. The NVM self-destruction device in the safety MCU is arranged between a sensor of the safety MCU and an NVM controller, and is characterized by comprising an alarm detection module, an NVM self-destruction control module and an alarm information recording module, wherein the NVM self-destruction control module sends an enabling signal to the alarm detection module in a manual enabling or MCU power-on automatic enabling mode;
the alarm detection module comprises: the self-destruction source setting sub-module is used for setting and storing a specified sensor signal which can trigger the NVM to perform self-destruction, and the specified sensor signal belongs to at least one sensor signal output by various sensors in the safety MCU; the alarm matching sub-module is used for receiving a sensor signal output by the sensor and an enabling signal sent by the NVM self-destruction control module, judging whether the received sensor signal has an alarm, outputting an alarm signal when the received sensor signal is matched with at least one appointed sensor signal stored by the self-destruction source setting sub-module, and enabling the alarm detection module, the NVM self-destruction control module and the alarm information recording module to have no effective signal interaction when the received sensor signal cannot be matched with at least one appointed sensor signal stored by the self-destruction source setting sub-module; the parameter setting sub-module is used for setting the filtering delay and the filtering times of the alarm signal; the filtering processing sub-module is used for receiving the alarm signal output by the alarm matching sub-module, processing the alarm signal according to the parameter setting condition of the parameter setting sub-module, transmitting a self-destruction signal to the NVM self-destruction control module when the alarm signal still exists after the processing is finished, and transmitting alarm source information corresponding to the self-destruction signal to the alarm information recording module;
the NVM self-destruction control module is used for receiving the self-destruction signal output by the alarm detection module and sending a record information enabling signal outwards;
the alarm information recording module comprises: the information recording address setting sub-module is used for setting the recording address of the alarm source information; the information recording enabling submodule is used for receiving a recording information enabling signal sent outwards by the NVM self-destruction control module and further enabling the recording submodule; the recording sub-module is used for receiving the alarm source information transmitted by the alarm detection module and generating an NVM control signal I, the NVM controller receives the NVM control signal and programs an NVM recording address range corresponding to the self-destruction signal, and simultaneously, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module sends a programming completion signal outwards; the recording completion signal generation module is used for receiving the programming completion signal of the recording sub-module and generating a recording completion signal;
the NVM self-destruction control module includes: the self-destruction signal processing sub-module is used for receiving the self-destruction signal output by the filtering processing sub-module and the record completion signal output by the alarm information recording module, and when only the self-destruction signal is received, the self-destruction signal processing sub-module transmits a record information enabling signal to the information record enabling sub-module, and when the record completion signal is received, the self-destruction signal processing sub-module transmits the self-destruction enabling signal outwards; the self-destruction address range setting submodule is used for setting an NVM self-destruction address range corresponding to the appointed sensor signal; the self-destruction sub-module is used for receiving the self-destruction enabling signal sent outwards by the self-destruction signal processing sub-module, reading the self-destruction address range matched with the self-destruction signal in the self-destruction address range setting sub-module, further generating an NVM control signal II, receiving the control signal II by the NVM controller, erasing the content in the NVM self-destruction address range read by the self-destruction sub-module in the secure MCU, generating a self-destruction completion signal by the self-destruction sub-module after the erasing is completed, and sending a prohibition signal to the alarm detection module.
2. The NVM self-destruct device within a secure MCU of claim 1, wherein the self-destruct source setup submodule stores a specified sensor signal in a register, RAM or NVM.
3. The NVM self-destruction device in a secure MCU of claim 1, wherein the NVM recording address range and the set address of the NVM recording address range are each any address in the NVM.
4. The NVM self-destruction device within a secure MCU of claim 1, wherein the sensor includes, but is not limited to, an active shielding layer, a light sensor, a temperature sensor, a voltage sensor, a frequency sensor, a power supply glitch sensor, a memory protection unit.
5. The NVM self-destruction device in a secure MCU of claim 1, wherein the NVM self-destruction control module and the alarm information recording module interact with the NVM controller directly or separately through a bus.
6. The method for self-destroying the NVM in the secure MCU is characterized in that the method is based on the NVM self-destroying device in the secure MCU according to claim 1, and the realization process of the NVM self-destroying method comprises the following steps:
1) Setting an enabling mode of the NVM self-destruction control module to be manual enabling or MCU power-on automatic enabling; after the NVM self-destruction control module is enabled, an enabling signal is sent to the alarm detection module;
2) Setting a specified sensor capable of triggering the NVM self-destruction in the alarm detection module, setting an NVM self-destruction address range corresponding to the specified sensor signal in the NVM self-destruction control module, and setting an NVM recording address range corresponding to the specified sensor signal in the alarm information recording module;
3) Enabling the NVM self-destruction control module according to an enabling mode of the NVM self-destruction control module, and sending an enabling signal to the alarm detection module by the NVM self-destruction control module;
4) The enabling signal enables the alarm detection module, the alarm detection module receives a sensor signal transmitted by a sensor in the safety MCU, and judges whether the received sensor signal belongs to a specified sensor signal or not:
4a) When the received sensor signal belongs to the appointed sensor signal, the alarm detection module sends a self-destruction signal to the NVM self-destruction control module, and meanwhile, the alarm detection module sends the sensor signal corresponding to the self-destruction signal as alarm source information to the alarm information recording module for recording, and the step 5) is executed;
4b) When the received sensor signal does not belong to the appointed sensor signal, no effective signal interaction exists among the alarm detection module, the NVM self-destruction control module and the alarm information recording module;
5) At this time, the NVM self-destruction control module only receives the self-destruction signal, the NVM self-destruction control module sends a recording information enabling signal to the alarm information recording module, the recording information enabling signal enables the alarm information recording module to send an NVM control signal one outwards, the NVM controller receives the NVM control signal and programs the NVM recording address range corresponding to the self-destruction signal, the NVM controller records the alarm source information in the NVM recording address range corresponding to the self-destruction signal, and after programming is completed, the alarm information recording module sends a recording completion signal to the NVM self-destruction control module;
6) After the NVM self-destruction control module receives the recording completion signal, the NVM self-destruction control module sends an NVM control signal II outwards, an NVM controller receives the NVM control signal II and erases the content in an NVM self-destruction address range corresponding to the self-destruction signal, and after the erasing is completed, the NVM self-destruction control module sends a prohibition signal to the alarm detection module;
7) And (3) circularly executing the steps 3) -6), detecting the sensor signal received by the alarm detection module at any time, performing self-destruction of the corresponding NVM self-destruction address range according to the sensor signal, finishing the protection of the safety MCU, and simultaneously recording alarm source information related to the sensor signal, and tracing and analyzing the self-destruction reason.
7. The method of claim 6, wherein in step 2), the specified sensor signal is stored in a register, RAM or NVM; the set NVM self-destruction address range and NVM recording address range are any addresses in the NVM.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910249196.0A CN110135202B (en) | 2019-03-29 | 2019-03-29 | NVM self-destruction device and method in safe MCU |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910249196.0A CN110135202B (en) | 2019-03-29 | 2019-03-29 | NVM self-destruction device and method in safe MCU |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN110135202A CN110135202A (en) | 2019-08-16 |
| CN110135202B true CN110135202B (en) | 2023-08-25 |
Family
ID=67568622
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910249196.0A Active CN110135202B (en) | 2019-03-29 | 2019-03-29 | NVM self-destruction device and method in safe MCU |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN110135202B (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101777100A (en) * | 2009-11-24 | 2010-07-14 | 西安奇维测控科技有限公司 | Electronic hardware with function of quick self-destruction and data erasing method thereof |
| CN107231245A (en) * | 2016-03-23 | 2017-10-03 | 阿里巴巴集团控股有限公司 | Report method and device, the method and device of processing monitoring daily record of monitoring daily record |
| CN108595951A (en) * | 2018-04-19 | 2018-09-28 | 深圳鼎智通讯股份有限公司 | The guard method of POS machine intrusion attack self-destruction sensitive information |
| CN109460665A (en) * | 2018-10-25 | 2019-03-12 | 石生花微电子(南京)有限公司 | It is a kind of for protecting the device and method of sensitive information in chip |
-
2019
- 2019-03-29 CN CN201910249196.0A patent/CN110135202B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101777100A (en) * | 2009-11-24 | 2010-07-14 | 西安奇维测控科技有限公司 | Electronic hardware with function of quick self-destruction and data erasing method thereof |
| CN107231245A (en) * | 2016-03-23 | 2017-10-03 | 阿里巴巴集团控股有限公司 | Report method and device, the method and device of processing monitoring daily record of monitoring daily record |
| CN108595951A (en) * | 2018-04-19 | 2018-09-28 | 深圳鼎智通讯股份有限公司 | The guard method of POS machine intrusion attack self-destruction sensitive information |
| CN109460665A (en) * | 2018-10-25 | 2019-03-12 | 石生花微电子(南京)有限公司 | It is a kind of for protecting the device and method of sensitive information in chip |
Also Published As
| Publication number | Publication date |
|---|---|
| CN110135202A (en) | 2019-08-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| TWI614638B (en) | Secure access to peripheral devices over a bus | |
| KR101484331B1 (en) | Verifying data integrity in a data storage device | |
| US10691807B2 (en) | Secure system boot monitor | |
| TWI420397B (en) | Detecting radiation-based attacks | |
| US8489888B2 (en) | Processor apparatus having a security function | |
| US20090288161A1 (en) | Method for establishing a trusted running environment in the computer | |
| US20170364683A1 (en) | Computing device secure boot | |
| CN107818245A (en) | For preventing the storage device and method and computing system of virus/Malware | |
| TWI509405B (en) | Method, system, and computer program product for one-time programmable integrated circuit security | |
| JP2006155620A (en) | Operation-protected micro controller system | |
| EP3780489A1 (en) | Memory device providing data security | |
| CN110135202B (en) | NVM self-destruction device and method in safe MCU | |
| EP3987423A1 (en) | Undefined lifecycle state identifier for managing security of an integrated circuit device | |
| EP1435558A1 (en) | On-device random number generator | |
| JP2018022486A5 (en) | ||
| TWI756156B (en) | Monitor system booting security device and method thereof | |
| JP2005292959A (en) | Nonvolatile memory module and nonvolatile memory system | |
| WO2005029272A2 (en) | Method and device for data protection and security in a gaming machine | |
| CN110275845B (en) | Memory control method and device and electronic equipment | |
| JP6363926B2 (en) | Information processing system | |
| CN108292260B (en) | Apparatus and method for software self-test | |
| TW201944281A (en) | Secure access to peripheral devices over a bus | |
| TWI818126B (en) | Micro-processing circuit and data protection method for memory thereof | |
| JP2003203012A (en) | Microcomputer device | |
| US20230076714A1 (en) | Integrated circuit (ic) and electronic apparatus |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| TA01 | Transfer of patent application right | ||
| TA01 | Transfer of patent application right |
Effective date of registration: 20230620 Address after: 100085 303, Block B, Jinyu International Center, Longyu East 1st Road, Changping District, Beijing Applicant after: Beijing Folding Future Technology Co.,Ltd. Address before: Room 307, floor 3, block B, No. 9 Xinghuo Road, Jiangbei new area, Nanjing, Jiangsu 211800 Applicant before: SHISHENGHUA MICROELECTRONICS (NANJING) Co.,Ltd. |
|
| GR01 | Patent grant | ||
| GR01 | Patent grant |