CN116126753B - Protective memory and storage method - Google Patents


Publication number
CN116126753B
Authority
CN
China
Prior art keywords
memory
protection
write
key
data
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202211697246.XA
Other languages
Chinese (zh)
Other versions
CN116126753A (en)
Inventor
林万才
姜喻
徐立乾
李明伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
JIANGSU DUWAN ELECTRONIC TECHNOLOGY CO LTD
Original Assignee
JIANGSU DUWAN ELECTRONIC TECHNOLOGY CO LTD

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1458 Protection against unauthorised use of memory or access to memory by checking the subject access rights
    • G06F12/1466 Key-lock mechanism
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a protection memory and a storage method, and belongs to the field of memory chips. To address the problems in the prior art that data in the flash memory unit of an eMMC is prone to leakage and that protection schemes are complex, the invention provides a protection memory and a storage method in which a preset key is built into the data storage areas of a security chip and of the protection memory. The protection memory is initialized and sends encrypted write-protection key information and an initialization instruction to the security chip; the security chip obtains the encrypted write-protection key information, decrypts it to obtain the write-protection key, and transmits the write-protection key to the protection memory; the protection memory receives the write-protection key and stores it in the data storage area, which completes the initialization of the protection memory. The method achieves targeted write protection of the flash memory unit of the eMMC with a simple scheme, low cost and low hardware requirements.

Description

Protective memory and storage method
Technical Field
The present invention relates to the field of memories, and more particularly, to a protection memory and a storage method.
Background
eMMC (Embedded Multi Media Card) is an embedded memory standard specification defined by the MMC Association, aimed mainly at products such as mobile phones and tablet computers. The eMMC integrates a controller in the package, provides a standard interface and manages the flash memory. Flash memory data is easy to tamper with, which leads to leakage and tampering of important information. In addition, data stored in the different memory units of the flash memory unit is easy to attack, so the information stored at the corresponding addresses needs write protection to prevent malicious tampering. How to improve the existing eMMC so that its flash memory unit can be write-protected on a designated partition is therefore a problem to be solved.
In the prior art, protection is generally performed through plug-ins. For example, a Chinese patent application, application number 201910953814.X, publication date January 24, 2020, discloses a flash write protection-based method for preventing flash from being tampered with accidentally. The method comprises the following steps:
S1, start the Bootloader and set write protection for the partition to be protected;
S2, judge whether the intelligent device needs to be upgraded: A1. if an upgrade is needed, go to step S3; A2. if no upgrade is needed, go to step S4;
S3, remove the protection using the deprotection method set in step S1, write the flash, and restart the device;
S4, start the kernel and the core service program;
S5, judge whether the intelligent device needs to be upgraded: B1. if an upgrade is needed, execute the following steps; B2. if no upgrade is needed, carry out polling detection;
S6, call the deprotection method added to the kernel driver to remove the protection;
S7, write the flash and restart the device.
Schemes that implement write protection and deprotection only in U-Boot cannot serve intelligent devices whose upgrade service runs after the system has started, which is the case for most upgrade services; that method also implements write protection and deprotection after the kernel has started, so devices whose upgrade logic runs after the kernel are covered. However, the method is complex, has high cost and high hardware requirements, and is not suitable for systems such as a black box that use eMMC storage units.
Disclosure of Invention
1. Technical problem to be solved
To address the problems in the prior art that data in the flash memory unit of the eMMC is prone to leakage and that protection schemes are complex, the invention provides a protection memory and a storage method that achieve targeted write protection of the flash memory unit of the eMMC with a simple scheme, low cost and low hardware requirements.
2. Technical solution
The aim of the invention is achieved by the following technical scheme.
A protection storage method comprises the following steps:
a preset key is built into the data storage areas of the security chip and of the protection memory;
the protection memory is initialized, and the protection memory sends encrypted write-protection key information and an initialization instruction to the security chip;
the security chip obtains the encrypted write-protection key information and decrypts it to obtain the write-protection key, then transmits the write-protection key to the protection memory;
the protection memory receives the write-protection key transmitted by the security chip and confirms whether it is consistent with the write-protection key that was sent to the security chip; if it is consistent, the protection memory stores the write-protection key in the data storage area, which completes the initialization of the protection memory.
Further, the preset key is set at the factory.
Further, the encrypted write-protection key information sent by the protection memory is the write-protection key encrypted with the built-in key.
Further, the security chip decrypts the encrypted write-protection key with the built-in key.
Furthermore, the protection memory is in a write-protected state after each power-on, is read-only before unlocking, and enters a writable state after obtaining the decrypted write-protection key.
Furthermore, after the system is powered on, it sends an unlock instruction for the protection memory to the security chip; the security chip receives the unlock instruction and transmits a write-protection unlock instruction to the protection memory.
Further, the write-protection unlock instruction is "protection memory head directory flag" + "key round" + "current time" + "random byte" + "write protection key".
Further, after the protection memory receives the decryption information, the memory chip controller judges whether the decrypted data is correct: whether it carries the flag of a protection memory head directory, whether the unlock round is greater than the last stored unlock round, whether the unlock time is after the last unlock time, and whether the SM3 data digest value of the write-protection key is correct. If all of these checks pass, the unlock round, the current time and the random character are stored in the memory chip, the protection memory is unlocked successfully, the tachograph is informed that the protection memory is unlocked and data can be written, and the tachograph starts writing data into the protection memory. If any item is not met, the unlocking fails, data cannot be written, and the judgment is made again.
A protection memory comprising a stored application, wherein the application performs any one of the protection storage methods described above.
Furthermore, the protection memory is an eMMC memory.
3. Advantageous effects
Compared with the prior art, the invention has the advantages that:
By running this method, the memory of this scheme effectively ensures that the protection memory cannot be modified without decryption and keeps the data secure, which is especially important when the memory is used in a tachograph or in similar situations that demand high security and tamper resistance. The scheme is simple: combining encryption and decryption across the security chip and the protection memory effectively secures the data in the protection memory while needing few resources and running quickly. It is particularly suited to tachographs with high-speed storage, where data security must be ensured without missing any of the data to be stored.
Drawings
FIG. 1 is a schematic diagram of the initialization start-up procedure of the present scheme;
FIG. 2 is a schematic diagram of a single unlocking procedure in the present scheme.
Detailed Description
The invention will now be described in detail with reference to the drawings and the accompanying specific examples.
Example 1
Data stored in the different memory cells of an existing eMMC flash memory unit is easy to tamper with and to extract. The eMMC memory introduced by this patent prevents the data stored in the flash memory unit from being extracted or tampered with.
The scheme is mainly suited to scenarios that require encryption, such as black boxes. Because of their special requirements, black boxes usually place tight limits on storage space and on the processing system: for example, the corresponding storage space may be only at the KB level and few resources are allocated to storage control, so a more complex control scheme is not suitable for such scenarios. The scheme therefore uses encryption and decryption to write-protect the corresponding units.
As shown in FIG. 1, in the initialization stage a "preset key" is built into the data storage areas of the security chip and of the protection memory; it serves as the key for encrypting the initialization information (including the "write protection key"). The protection memory here refers to an eMMC memory.
The tachograph sends an initialization command to the protection memory. The protection memory encrypts the "write protection key" information with the "built-in key" and sends the initialization command to the security chip. The security chip is generally a chip with high confidentiality of the kind used in black boxes and similar systems. It obtains the "write protection key" information encrypted with the "built-in key" from the command, decrypts it with its own preset "built-in key", and on success obtains the "write protection key", which it stores and transmits to the protection memory. The protection memory receives the "write protection key" and stores it in the data storage area, which completes the initialization of the protection memory.
As shown in FIG. 2, the protection memory is in a write-protected state after each power-on and is read-only before unlocking; the firmware of the storage controller cannot be upgraded or overwritten either. This ensures that the memory content cannot be modified externally and can be overwritten or modified only after decryption involving the security chip. This embodiment is used for storage in an automobile tachograph. The automobile tachograph here is an automobile black box, a digital electronic recording device that records and stores the running speed, time, mileage and other status information related to the running of the vehicle and can output data through an interface; it is not an ordinary driving recorder. After the automobile tachograph is powered on and started, it sends an unlock instruction for the protection memory to the security chip. The security chip receives the unlock instruction, and the write-protection unlock instruction it transmits to the protection memory is information encrypted with AES128 (the encryption key is the write-protection key that the security chip stored in the chip after the initialization succeeded). The protection memory receives the encrypted information and decrypts it; the decryption key is the "write protection key" stored inside the memory. The decrypted data format is: "|! GA-!" + "key round" + "current time" + "random byte" + "SM3". In this embodiment it is "|! GA-!" + "key round" + "current time" + "random byte" + "write protection key", that is, SM3 is the write protection key. The storage chip controller of the protection memory judges whether the first four bytes of the decrypted data are "|! GA-!", the protection memory head directory flag.
These header bytes are the flag that identifies a protection memory head directory. The controller also judges whether the "unlock round" is greater than the last stored "unlock round" (the "unlock round" must be incremented each time), whether the unlock time is after the last unlock time, and whether the SM3 data digest value of the write protection key is correct. If all of these checks pass, the unlock round, the current time and the random character are stored in the chip, the protection memory is unlocked successfully, the tachograph is informed that the protection memory is unlocked and data can be written, and the tachograph starts writing data into the protection memory. If any item does not match, the unlocking fails, data cannot be written, and the judgment is made again.
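An added example, not code from the patent: the controller-side checks described above, applied to an unlock frame that has already been decrypted. The field widths other than the four-byte flag, the big-endian encoding, the `FLAG` placeholder bytes, the 32-byte reference digest and every function name are assumptions; AES128 decryption and SM3 computation are outside the block.

```c
#include <stdint.h>
#include <string.h>

/* Assumed layout: the page gives only the field order and a 4-byte flag. */
#define FLAG_LEN   4
#define DIGEST_LEN 32 /* SM3 digests are 256 bits */
#define FRAME_LEN  (FLAG_LEN + 4 + 4 + 4 + DIGEST_LEN)

/* Placeholder bytes, NOT the patent's head directory flag. */
static const uint8_t HEAD_FLAG[FLAG_LEN] = { 'F', 'L', 'A', 'G' };

typedef enum {
    UNLOCK_OK = 0, ERR_LENGTH, ERR_FLAG, ERR_ROUND, ERR_TIME, ERR_DIGEST
} unlock_result;

typedef struct {
    uint32_t last_round;             /* persisted across power cycles */
    uint32_t last_time;              /* persisted across power cycles */
    uint8_t  last_random[4];         /* persisted across power cycles */
    uint8_t  key_digest[DIGEST_LEN]; /* reference digest of the stored key */
    int      writable;               /* volatile, cleared at power-on */
} guard_state;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_be32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* No early exit, so timing does not reveal where the bytes differ. */
static int ct_equal(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Every power-on starts read-only; the replay counters survive. */
void guard_power_on(guard_state *st) { st->writable = 0; }

/* Checks run in the order the page lists; state changes only on success. */
unlock_result guard_check_unlock(guard_state *st, const uint8_t *f, size_t len) {
    if (len != FRAME_LEN) return ERR_LENGTH;
    if (!ct_equal(f, HEAD_FLAG, FLAG_LEN)) return ERR_FLAG;
    uint32_t round = be32(f + 4), now = be32(f + 8);
    if (round <= st->last_round) return ERR_ROUND; /* equal round = replay */
    if (now <= st->last_time) return ERR_TIME;     /* must be strictly later */
    if (!ct_equal(f + 16, st->key_digest, DIGEST_LEN)) return ERR_DIGEST;
    st->last_round = round;
    st->last_time = now;
    memcpy(st->last_random, f + 12, 4);
    st->writable = 1;
    return UNLOCK_OK;
}

/* Constructed demo data below; none of these values come from the page. */
static guard_state demo_state;

void demo_reset(void) {
    memset(&demo_state, 0, sizeof demo_state);
    memset(demo_state.key_digest, 0xA5, DIGEST_LEN);
}

/* Power-cycle the device, then present one decrypted frame to it. */
unlock_result demo_attempt(uint32_t round, uint32_t now, int flag_ok,
                           int digest_ok) {
    uint8_t f[FRAME_LEN];
    memcpy(f, HEAD_FLAG, FLAG_LEN);
    put_be32(f + 4, round);
    put_be32(f + 8, now);
    memset(f + 12, 0x11, 4);
    memcpy(f + 16, demo_state.key_digest, DIGEST_LEN);
    if (!flag_ok) f[0] ^= 0xFF;
    if (!digest_ok) f[FRAME_LEN - 1] ^= 0x01;
    guard_power_on(&demo_state);
    return guard_check_unlock(&demo_state, f, sizeof f);
}

int main(void) {
    demo_reset();
    if (demo_attempt(1, 1000, 1, 1) != UNLOCK_OK) return 1;
    return demo_attempt(1, 1000, 1, 1) == ERR_ROUND ? 0 : 1; /* replay */
}
```

Because the stored round and time are updated only after every check passes, a captured unlock frame replayed after the next power-on is rejected and the memory stays read-only.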
By running this method, the memory of this scheme effectively ensures that the protection memory cannot be modified without decryption and keeps the data secure, which is especially important when the memory is used in a tachograph or in similar situations that demand high security and tamper resistance. The scheme is simple: combining encryption and decryption across the security chip and the protection memory effectively secures the data in the protection memory while needing few resources and running quickly. It is particularly suited to tachographs with high-speed storage, where data security must be ensured without missing any of the data to be stored.
The invention and its embodiments have been described above schematically and without limitation; the invention can be implemented in other specific forms without departing from its spirit or essential characteristics. The drawings depict only one embodiment of the invention, the actual construction is not limited to it, and no reference sign in the claims shall limit the claims. Therefore, if a person of ordinary skill in the art, informed by this disclosure, devises without creative effort a structure or embodiment similar to this technical scheme without departing from the gist of the invention, it shall fall within the protection scope of this patent. In addition, the word "comprising" does not exclude other elements or steps, and the word "a" or "an" preceding an element does not exclude a plurality of such elements. The various elements recited in the product claims may also be embodied in software or hardware. The terms first, second, etc. are used to denote names and not any particular order.

Claims (6)

1. A protection storage method, comprising the following steps:
a preset key is built into the data storage areas of the security chip and of the protection memory;
the protection memory is initialized, encrypts a write-protection key with the built-in key, and transmits the encrypted write-protection key information and an initialization instruction to the security chip;
the security chip obtains the write-protection key information encrypted with the built-in key from the initialization instruction, decrypts it with the built-in key preset in the security chip, and on successful decryption obtains the write-protection key; the security chip transmits the write-protection key to the protection memory;
the protection memory receives the write-protection key transmitted by the security chip and confirms whether it is consistent with the write-protection key that was sent to the security chip, the judging method being specifically as follows:
after the protection memory receives the information encrypted with the write-protection key, the memory chip controller decrypts it and judges whether the decrypted data is correct: whether it carries the flag of a protection memory head directory, whether the unlock round is greater than the last stored unlock round, whether the unlock time is after the last unlock time, and whether the SM3 data digest value of the write-protection key is correct; if all of these checks pass, the unlock round, the current time and the random character are stored in the memory chip, the protection memory is unlocked successfully, the tachograph is informed that the protection memory is unlocked and data can be written, and the tachograph starts writing data into the protection memory; if any item is not met, the unlocking fails, data cannot be written, and the judgment is made again;
if they are consistent, the write-protection key is stored in the data storage area, and the initialization of the protection memory is completed; the preset key is set at the factory.
2. The protection storage method of claim 1, wherein the protection memory is in a write-protected state after each power-on, is read-only before unlocking, and enters a writable state after obtaining the decrypted write-protection key.
3. The protection storage method of claim 2, wherein after the system is powered on it sends an unlock instruction for the protection memory to the security chip, and the security chip receives the unlock instruction and transmits a write-protection unlock instruction to the protection memory.
4. The protection storage method according to claim 1, 2 or 3, wherein the write-protection unlock instruction is "protection memory head directory flag" + "key round" + "current time" + "random byte" + "write protection key".
5. A protection memory comprising a stored application, wherein the application performs the protection storage method of any one of claims 1-4.
6. The protection memory of claim 5, wherein the protection memory is an eMMC memory.
CN202211697246.XA 2022-12-28 2022-12-28 Protective memory and storage method Active CN116126753B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211697246.XA CN116126753B (en) 2022-12-28 2022-12-28 Protective memory and storage method

Publications (2)

Publication Number Publication Date
CN116126753A CN116126753A (en) 2023-05-16
CN116126753B CN116126753B (en) 2024-02-02

Family

ID=86311083

Country Status (1)

Country Link
CN (1) CN116126753B (en)

Also Published As

Publication number Publication date
CN116126753A (en) 2023-05-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant