CN114329543A - Data isolation encryption system based on FSMC and AXI bus - Google Patents
Data isolation encryption system based on FSMC and AXI bus Download PDFInfo
- Publication number
- CN114329543A CN114329543A CN202111617478.5A CN202111617478A CN114329543A CN 114329543 A CN114329543 A CN 114329543A CN 202111617478 A CN202111617478 A CN 202111617478A CN 114329543 A CN114329543 A CN 114329543A
- Authority
- CN
- China
- Prior art keywords
- module
- data
- fsmc
- smx
- zynq
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a data isolation encryption system based on FSMC and AXI buses, which comprises an STM32, a conversion module, a DBram module, a Bram Controller module, an SMX module and a ZYNQ CPU module, wherein the STM32 is connected with the conversion module through an FSMC interface, the conversion module is connected with the DBram module, the other end of the DBram module is connected with the Bram Controller module, the Bram Controller module is used for controlling access time sequence, the Bram Controller module is connected with an AXIM interface of the SMX module through an AXI bus, an AXIS interface of the SMX module is connected with the ZYNQ CPU module through an AXI bus, and the SMX module encrypts data and transmits the encrypted data to the ZYNQ CPU module. The invention ensures the physical isolation of the plaintext and ciphertext of the data, can ensure higher throughput in mass data transmission and is difficult to monitor, thereby realizing the data isolation encryption method with high safety, high performance and portability.
Description
Technical Field
The invention relates to the field of storage, in particular to a data isolation encryption system based on FSMC and AXI buses.
Background
With the increasing importance of the requirements on privacy protection and data security in daily life and work, the requirements on data security management and information confidentiality become more and more important in government offices, national defense and military industry and the core security field, and in addition, the requirements on data security and confidentiality are also more and more emphasized when the specific implementation of the 2.0 standard is met. In the SOC field, AXI bus is currently applied in a large scale, and the current FSMC bus mode of inter-chip communication has higher advantages in throughput, cost performance and universal portability. Based on the advantages of the AXI bus and the FSMC bus, the method can be applied to the aspects of data security management and information confidentiality, thereby realizing a high-security, high-performance and portable data isolation encryption method.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a data isolation encryption system based on FSMC and AXI buses, wherein the data stream of the whole system is based on the AXI bus and the FSMC bus, and the two buses are high-speed parallel buses, so that the physical isolation of data plaintext and ciphertext can ensure higher throughput in mass data transmission and difficulty in monitoring, and a high-safety, high-performance and transplantable data isolation encryption method is realized.
In order to solve the technical problem, the technical scheme adopted by the invention is as follows: a data isolation encryption system based on FSMC and AXI buses comprises an STM32, a conversion module, a DBram module, a Bram Controller module, an SMX module and a ZYNQ CPU module, wherein an STM32 is connected with the conversion module through an FSMC interface, the conversion module is connected with the DBram module, the conversion module converts data sent by an STM32 into Bram time sequences and stores the Bram time sequences in the DBram module, the other end of the DBram module is connected with the Bram Controller module, the Bram Controller module is used for controlling access time sequences, the Bram Controller module is connected to an AXIM interface of the SMX module through an AXI bus, an AXIS interface of the SMX module is connected to the ZYNQ CPU module through an AXI bus, and the SMX module encrypts the data and transmits the encrypted data to the ZYNQ CPU module.
Furthermore, the SMX module is provided with a register configuration interface, the register configuration interface is connected with the ZYNQ CPU module through a Bram Controller module, the Bram Controller module simulates the configuration register of the SMX as a Bram for configuration, and the Bram Controller is connected to an AXI bus as an AXI Slave device and is controlled by the ZYNQ CPU.
Further, the data buses of FSMC and DBram are laid out to the middle layer in the Layout stage.
Furthermore, a plurality of control signals are arranged to identify the data state, and the level signal is adopted to control the data communication process.
Furthermore, the control signal comprises an encryption identifier, a decryption identifier, a data completion identifier and a data busy identifier, data transmission is initiated by the FSMC terminal, the ZYNQ CPU passively receives data, the FSMC terminal configures a data communication mode and state, and the ZYNQ CPU sets the SMX module register according to the state of the control signal of the FSMC terminal.
Furthermore, the data processing adopts streaming mode transmission, and the DBram is logically divided into a plurality of areas for data parallel buffering.
Furthermore, two partitions are set as data buffer areas, the two partitions are identified through level signals, data busy identification is detected during FSMC transmission, data can be cached in an idle partition for data buffering, when an SMX module processes data, the data is processed according to data completion identification at the FSMC end of each partition, and the FSMC and the SMX are guaranteed to be processed in parallel in data processing.
Further, during the migration process, the partition size and the cache capacity of each partition are dynamically adjusted according to the module rates of the FSMC and the SMX.
The invention has the beneficial effects that: the invention provides a data isolation encryption system based on FSMC and AXI buses. The scheme has strong portability and universal interfaces, can be used in various fields such as military cipher, commercial cipher and the like by replacing the algorithm core, is a universal data isolation encryption method, can be dynamically matched according to different algorithms, chip frequencies, speeds and bus widths by a multi-buffer ping-pong mechanism, has good production prospect, and has good application prospect in the field of data security cores.
Drawings
FIG. 1 is a functional block diagram of the present invention;
FIG. 2 is a schematic diagram of a SMX configuration register configured by emulating a Bram;
FIG. 3 is a flow chart of data encryption;
FIG. 4 is a schematic diagram of data transmission according to control signal identification;
fig. 5 is a diagram illustrating the arrangement of two data buffers.
Detailed Description
The invention is further described with reference to the following figures and specific embodiments.
Example 1
The embodiment provides a data isolation method based on an FSMC (static memory control interface) and an AXI (advanced extensible interface) bus, and data communication is carried out by adopting ZYNQ 7000 series FPGA and an STM32 chip. STM32 is the bright area, produces the data plain text, and the data that ZYNQ's CPU terminal visited are secret district, and the result after SMX module operation can't carry out the reverse crack of algorithm from the system level promptly, and algorithm IP core is quick nimble to be replaced, has better commonality. The whole module data stream is based on an AXI bus and an FSMC bus, the two buses are high-speed parallel buses, and the data plaintext and ciphertext physical isolation is guaranteed, so that high throughput in mass data transmission can be guaranteed, and monitoring is difficult. Therefore, the high-safety, high-performance and portable data isolation encryption method is realized, can be widely applied to the field of data safety, can be used as a general IP core in the field of SOC, and has wide market prospect.
The AXI system Bus is the most important part in the amba (advanced Microcontroller Bus architecture)3.0 protocol, is an on-chip Bus oriented to high performance, high bandwidth and low delay, and connects a plurality of AXI Master devices to a plurality of AXI Slave devices to realize address and data transmission among a plurality of memory-mapped devices. The SMX of the method is provided with a data communication interface AXIS, an AXIM and a Register configuration interface Register, the data communication interface AXIS and the AXIM are connected to an AXI bus through an AXI Slave and a Master port, and a ZYNQ CPU accesses the AXI Master port of the SMX through the AXI bus to read or send data. The SMX module register configuration is controlled by using a Bram (Block RAM) access timing sequence (called a Bram controller for short), namely the SMX configuration register is configured by simulating the Bram (figure 2). The Bram Controller is connected to the AXI bus as an AXI Slave device and is controlled by the ZYNQ CPU. Because the register configuration does not need high throughput, the Bram access is simpler compared with the AXI bus time sequence, so the design can be realized by internal access of the AXI bus according to the method, the Bram time sequence can be directly constructed and configured by external access, and the method has higher flexibility and expansibility.
As shown in fig. 1, this embodiment includes an STM32, a conversion module, a DBram module, a Bram Controller module, an SMX module, and a ZYNQ CPU module, where the STM32 is connected to the conversion module through an FSMC interface, the conversion module is connected to the DBram module, the conversion module converts data sent by the STM32 into Bram timing sequences and stores the Bram timing sequences in the DBram module, the other end of the DBram module is connected to the Bram Controller module, the Bram Controller module is used to control access timing sequences, the Bram Controller module is connected to an AXIM interface of the SMX module through an AXI bus, an AXIs interface of the SMX module is connected to the ZYNQ CPU module through an AXI bus, and the SMX module encrypts the data and transmits the encrypted data to the ZYNQ CPU module.
The SMX module is provided with a register configuration interface, the register configuration interface is connected with the ZYNQ CPU module through a Bram Controller module, the Bram Controller module simulates a configuration register of the SMX as a Bram to configure, and the Bram Controller is connected to an AXI bus as an AXI Slave device and is controlled by the ZYNQ CPU. As shown in fig. 2, a schematic diagram of configuring a configuration register of an SMX by simulating it as a Bram is shown, so that the configuration can be performed through internal access of an AXI bus according to the method, or through external access by directly constructing a Bram timing sequence, and the method has high flexibility and extensibility.
In this embodiment, the DBram module is a dual-port Block storage ram (dual Block ram), the port a is connected to the Bram Controller, and the Bram Controller is connected to the AXI Master of the SMX through an AXI bus. The B port of the DBram is connected with the FSMC through a conversion module, and thus a complete data path is formed. Taking data encryption as an example in fig. 3, data is sent from the outside through an FSMC interface, then converted into a Bram time sequence through a conversion module and stored into a DBram through a port B, a ZYNQ CPU confirms that the data is stored into the DBram according to the state of a custom control port, and then an SMX register is configured, and setting data is input from the DBram end and is transmitted to the ZYNQ CPU through SMX encryption. The data is sent to a Bram Controller from an A port of the DBram, then is encrypted and operated by an SMX Master to an SMX Slave, and a ZYNQ CPU reads an operated result of the SMX module. The ZYNQ CPU and the DBram have no data path, so that the DBram cannot be directly accessed, the data must pass through the SMX module, and the data is a ciphertext after passing through the SMX module, so that the plaintext and the ciphertext are physically isolated, and the ZYNQ CPU and the FSMC cannot obtain the plaintext and the ciphertext at the same time. The FSMC is a 32-bit high-speed parallel bus, and when a PCB is designed, the data buses of the FSMC and the DBram are suggested to be distributed to the middle layer at the Layout stage (bus connection when the PCB is designed), so that the difficulty of data monitoring and cracking is improved, and the data safety is ensured.
In the data communication process, because the signal response speed is higher than the reading of the content in the DBram, the efficiency can be greatly improved by adopting level signal control, and therefore a plurality of control signals are required to identify the data state. That is, a plurality of control signals are provided to identify the data state, and the level signal is used to control the data communication process.
Specifically, the control signal comprises an encryption identifier, a decryption identifier, a data completion identifier and a data busy identifier, data transmission is initiated by an FSMC (home location register) terminal, a ZYNQ CPU (central processing unit) passively receives data, the FSMC terminal configures a data communication mode and state, and the ZYNQ CPU sets the SMX module register according to the state of the control signal of the FSMC terminal.
As shown in fig. 4, taking a primary encryption communication as an example, the FSMC side sets a communication mode (state S00), the ZYNQ CPU side configures the SMX as an encryption mode according to the state set by the FSMC, the data direction is from AXI Master to AXI Slave of the SMX (state S01), after the configuration is completed (state S02), the FSMC performs plaintext data transmission according to the state set by the ZYNQ CPU (state S03), and after the transmission is completed, a Finish signal corresponding to the FSMC side is set (state S04). The ZYNQ CPU sets a Busy signal at the SMX end according to the Finish signal of the FSMC, reads data through the SMX module (state S05), at the moment, the data become a ciphertext, and after the ZYNQ takes the data away (state S06), the Finish signal set at the FSMC end is set to continue processing data transmission to complete \ continue transmission. And the FSMC carries out jumping S02/S00 according to the Finish signal at the ZYNQ end, so that the whole data transmission process is completed.
In this embodiment, data processing adopts streaming mode transmission, and the DBram is logically divided into a plurality of areas for data parallel buffering.
As shown in fig. 5, two partitions are set as Data buffers, the two partitions are identified by level signals, the Data Busy flag is detected during FSMC transmission to determine that Data can be cached in an idle partition for Data buffering, when the SMX module processes Data, the Data is processed according to the Data completion flag at the FSMC end of each partition, so that the FSMC and SMX are ensured to be processed in parallel in Data processing, and the Data communication efficiency is greatly improved (as shown in fig. 5). In the transplanting process, the size of the partition and the cache capacity of each partition can be dynamically adjusted according to the module rates of the FSMC and the SMX, so that the highest utilization rate and the highest throughput are achieved.
The embodiment simultaneously verifies the method.
Firstly, reading DBram data through a ZYNQ CPU, and in a Linux configuration file generated according to an HDF file (a description file generated according to hardware design), hardware resources related to the DBram cannot be seen, so that the DBram must read or send data through SMX, and the plaintext and ciphertext of the data are confirmed to be physically isolated.
And verifying the reading and writing of the SMX register in the figure 2, configuring the SMX register through a Bram Controller connected with a ZYNQ CPU, and achieving the expected state requirement after configuration, thereby proving that the SMX register method is feasible through the Bram Controller.
The SMX (SM 4 algorithm) standard data is tested through the script, and the SMX module works normally and the data path is normal after being verified to be consistent with the national password standard data.
Verifying that the single-packet data in fig. 4 (S06 jumps to S00) and the multi-packet data (S06 jumps to S02) can all complete all data transmission normally, confirming that the state machine jumps normally, and combining the state register of SMX, performing identification processing for data exception, thus proving that the module has usability and robustness.
The performance (480 Mbps) of the Data Flow1 and the Data Flow4 in the double buffering mechanism of FIG. 5 is verified, and compared with the single buffering mechanism, namely, the Data is buffered only by using Buffer1 (83Mbps), the performance is improved by 6 times.
The foregoing description is only for the basic principle and the preferred embodiments of the present invention, and modifications and substitutions by those skilled in the art are included in the scope of the present invention.
Claims (8)
1. A data isolation encryption system based on FSMC and AXI buses, characterized by: the system comprises an STM32, a conversion module, a DBram module, a Bram Controller module, an SMX module and a ZYNQ CPU module, wherein the STM32 is connected with the conversion module through an FSMC interface, the conversion module is connected with the DBram module, the conversion module converts data sent by an STM32 into Bram time sequences and stores the Bram time sequences into the DBram module, the other end of the DBram module is connected with the Bram Controller module, the Bram Controller module is used for controlling access time sequences, the Bram Controller module is connected to an AXIM interface of the SMX module through an AXI bus, an AXIS interface of the SMX module is connected to the ZYNQ CPU module through an AXI bus, and the SMX module encrypts the data and transmits the encrypted data to the ZYNQ CPU module.
2. The FSMC and AXI bus based data isolation encryption system of claim 1, wherein: the SMX module is provided with a register configuration interface, the register configuration interface is connected with the ZYNQ CPU module through a Bram Controller module, the Bram Controller module simulates a configuration register of the SMX as a Bram to configure, and the Bram Controller is connected to an AXI bus as an AXI Slave device and is controlled by the ZYNQ CPU.
3. The FSMC and AXI bus based data isolation encryption system of claim 1, wherein: the data buses for FSMC and DBram are laid out to the middle layer during the Layout phase.
4. The FSMC and AXI bus based data isolation encryption system of claim 1, wherein: a plurality of control signals are provided to identify the data state, and level signals are used to control the data communication process.
5. The FSMC and AXI bus based data isolation encryption system of claim 4, wherein: the control signal comprises an encryption identifier, a decryption identifier, a data completion identifier and a data busy identifier, data transmission is initiated by the FSMC terminal, the ZYNQ CPU passively receives data, the FSMC terminal configures a data communication mode and state, and the ZYNQ CPU sets the SMX module register according to the state of the control signal of the FSMC terminal.
6. The FSMC and AXI bus based data isolation encryption system of claim 1, wherein: the data processing adopts streaming mode transmission, and the DBram is logically divided into a plurality of areas for data parallel buffering.
7. The FSMC and AXI bus based data isolation encryption system of claim 6, wherein: two partitions are set as data buffer areas, the two partitions are identified through level signals, data busy identification is detected during FSMC transmission, data can be cached in an idle partition for data buffering, when an SMX module processes data, identification is completed according to data at the FSMC end of each partition to process the data, and parallel processing of the FSMC and the SMX is guaranteed in data processing.
8. The FSMC and AXI bus based data isolation encryption system of claim 6, wherein: during the migration process, the partition size and the cache capacity of each partition are dynamically adjusted according to the module rates of the FSMC and the SMX.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111617478.5A CN114329543A (en) | 2021-12-28 | 2021-12-28 | Data isolation encryption system based on FSMC and AXI bus |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111617478.5A CN114329543A (en) | 2021-12-28 | 2021-12-28 | Data isolation encryption system based on FSMC and AXI bus |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN114329543A true CN114329543A (en) | 2022-04-12 |
Family
ID=81014519
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111617478.5A Pending CN114329543A (en) | 2021-12-28 | 2021-12-28 | Data isolation encryption system based on FSMC and AXI bus |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114329543A (en) |
-
2021
- 2021-12-28 CN CN202111617478.5A patent/CN114329543A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN109902043B (en) | FPGA-based national cryptographic algorithm accelerated processing system | |
| US7634650B1 (en) | Virtualized shared security engine and creation of a protected zone | |
| KR100555394B1 (en) | Methodology and mechanism for remote key validation for ngio/infiniband applications | |
| CN112329038B (en) | Data encryption control system and chip based on USB interface | |
| US8683221B2 (en) | Configurable memory encryption with constant pipeline delay in a multi-core processor | |
| JP2000295274A (en) | Packet exchange | |
| CN108345806A (en) | A kind of hardware encryption card and encryption method | |
| US20230071723A1 (en) | Technologies for establishing secure channel between i/o subsystem and trusted application for secure i/o data transfer | |
| JP2021507343A (en) | High-performance peripheral bus-based serial peripheral interface communication device | |
| US9612934B2 (en) | Network processor with distributed trace buffers | |
| CN112035900B (en) | High-performance password card and communication method thereof | |
| CN112035899B (en) | Data communication system and method based on password card | |
| US20180188321A1 (en) | Device, system and method for providing on-chip test/debug functionality | |
| CN112084138A (en) | SoC (system on chip) security disk control chip architecture design method for trusted storage | |
| CN112052483B (en) | Data communication system and method of password card | |
| WO2017105768A1 (en) | Technologies for protecting audio data with trusted i/o | |
| CN112217630A (en) | Overhead reduction for link protection | |
| JP2021507569A (en) | High-performance peripheral bus-based integrated circuit communication device | |
| CN116070292B (en) | SM4 encryption heterogeneous acceleration system based on FPGA | |
| CN114329543A (en) | Data isolation encryption system based on FSMC and AXI bus | |
| CN114553411B (en) | Distributed memory encryption device and distributed memory decryption device | |
| Tang et al. | Towards high-performance packet processing on commodity multi-cores: current issues and future directions | |
| US8954623B2 (en) | Universal Serial Bus devices supporting super speed and non-super speed connections for communication with a host device and methods using the same | |
| Kundel et al. | Host bypassing: Let your gpu speak ethernet | |
| US20090268794A1 (en) | Communication system and method for operating a communication system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |