CN116243862A - Space allocation method, device and equipment for secure storage and storage medium - Google Patents


Publication number
CN116243862A
Authority
CN
China
Prior art keywords
access
memory
space
storage space
secure
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310141855.5A
Other languages
Chinese (zh)
Inventor
孟凡兴
刘奇浩
颜港
杨雪敏
王瑞
程希光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Original Assignee
Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Application filed by Shandong Yunhai Guochuang Cloud Computing Equipment Industry Innovation Center Co Ltd
Priority to CN202310141855.5A
Publication of CN116243862A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638 Organizing or formatting or addressing of data
    • G06F3/0644 Management of space entities, e.g. partitions, extents, pools
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601 Interfaces specially adapted for storage systems
    • G06F3/0628 Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0629 Configuration or reconfiguration of storage systems
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a space allocation method, apparatus, device and storage medium for secure storage. The central processing unit divides the memory space of the memory into a plurality of storage spaces and, by configuring security and sharing attributes, sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space. When the central processing unit initiates a memory access, the bus identifies the access type of the memory access and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed, otherwise it is refused. Access permission is controlled by matching the access type against the storage space attribute: the access instructions for the non-secure storage space differ from those for the secure storage space, so the data in the secure storage space is protected.

Description

Space allocation method, device and equipment for secure storage and storage medium
Technical Field
The present invention relates to the field of secure storage design, and in particular, to a secure storage space allocation method, apparatus, device, and storage medium.
Background
The code involved in building the functions of a memory chip comprises kernel code and third-party code. During research and development of the memory chip, the kernel code and the third-party code often have to cooperate to implement certain functions, and version changes of either are common. In an actual research and development scenario, the third-party code is frequently modified and recompiled, while modification of the kernel code is kept to a minimum. To reduce the impact of third-party code changes on the kernel and to keep the kernel secure, different code types need to be managed in separate partitions. Code that should not be modified (such as kernel code) needs to be placed in a secure storage area so that it is protected; third-party code that is frequently modified (e.g., test code) needs to be placed in a non-secure storage area. To meet these needs, a method, apparatus, device and storage medium for secure storage space allocation are required.
Disclosure of Invention
To solve the above technical problems, or at least partially solve them, the present invention provides a space allocation method, apparatus, device and storage medium for secure storage.
In a first aspect, the present invention provides a space allocation method for secure storage, which is applied to an architecture formed by a central processing unit and a memory interconnected by a bus, and includes:
the central processing unit divides the memory space of the memory into a plurality of storage spaces and, by configuring security and sharing attributes, sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space;
when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned.
Further, the local shared storage space supports access by the central processing unit, the non-secure shared storage space and the secure shared storage space; it is used to exchange specified data between the non-secure shared storage space and the secure shared storage space and to share specified data between them.
Further, the non-secure shared storage space supports access by the central processing unit, the local shared storage space and all of the non-secure storage spaces; as a shared storage area for all the non-secure storage spaces, it allows any non-secure storage space to acquire specified data from the non-secure shared storage space and allows any non-secure storage space to store specified data into the non-secure shared storage space for other non-secure storage spaces to acquire.
Further, the secure shared storage space supports access by the central processing unit, the local shared storage space and all of the secure storage spaces; as a shared storage area for all the secure storage spaces, it allows any secure storage space to acquire content from the secure shared storage space and allows any secure storage space to store content into the secure shared storage space for other secure storage spaces to acquire.
Further, the secure storage space is used to store code and/or data with security requirements; the non-secure storage space is used to store code and/or data that is frequently accessed and modified by a user.
Further, when the central processing unit generates the access instruction, a flag bit indicating whether the access type is secure access or non-secure access is configured in the access instruction; access instructions include read access instructions and write access instructions;
before performing the memory access in response to the access instruction, the bus identifies through the flag bit whether the memory access initiated by the access instruction is a secure access or a non-secure access, and acquires the security attribute of the target storage space of the memory access request; if the access type of the memory access is secure and the security attribute of the target storage space is secure, or the access type of the memory access is non-secure and the security attribute of the target storage space is non-secure, the access type of the memory access is judged to match the attribute of the accessed storage space.
Furthermore, the central processing unit divides the memory space of the memory into a plurality of storage spaces of set size according to the storage space allocation configuration.
In a second aspect, the present invention provides a space allocation apparatus for secure storage, which implements the space allocation method for secure storage and includes:
a memory division module, which divides the memory space of the memory into a plurality of storage spaces;
a memory attribute configuration module, which configures the security attribute and the sharing attribute of the storage spaces to set them as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space;
and an access control module, which identifies the access type of the memory access through the flag bit in the access instruction and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned.
In a third aspect, the present invention provides a space allocation device for secure storage, comprising at least one processing unit, a storage unit and a bus unit, wherein the storage unit stores a computer program which, when executed by the processing unit, implements the space allocation method for secure storage.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed, implements the space allocation method for secure storage.
Compared with the prior art, the technical scheme provided by the embodiment of the invention has the following advantages:
The central processing unit divides the memory space of the memory into a plurality of storage spaces and, by configuring security and sharing attributes, sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space. When the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned. Access permission is controlled by matching the access type against the storage space attribute: the access instructions for the non-secure storage space differ from those for the secure storage space, which protects the data in the secure storage space from the access instructions of the non-secure storage space and provides a security guarantee for that data. The invention introduces the local shared storage space, the non-secure shared storage space and the secure shared storage space, so that data sharing and data exchange can be realized between any secure storage space and any non-secure storage space, between any different secure storage spaces, and between any different non-secure storage spaces.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of an architecture of a central processing unit and a memory connected by a bus, to which the present invention is applied;
FIG. 2 is a flowchart of a space allocation method for secure storage according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a space allocation apparatus for secure storage according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a space allocation device for secure storage according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Example 1
An embodiment of the invention provides a space allocation method for secure storage, which is applied to an architecture formed by a central processing unit and a memory interconnected through a bus, as shown in FIG. 1. Referring to FIG. 2, the method comprises the following steps:
S100, the central processing unit divides the memory space of the memory into a plurality of storage spaces.
A storage space allocation configuration is preset; it records the configuration parameters that control the division of the storage space, such as parameters controlling the size of the divided storage spaces. The central processing unit divides the memory space of the memory into a specified number of storage spaces of set size according to the storage space allocation configuration.
S200, the central processing unit sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space by configuring security and sharing attributes. Specifically, the central processing unit divides the storage spaces into secure and non-secure storage spaces by configuring the security attribute in the memory page table, and divides them into shared and non-shared storage spaces by configuring the sharing attribute in the memory page table.
In the implementation process, the secure storage space is used to store code and/or data with security requirements and allows access by access instructions with a secure access type, so as to ensure the security of the content stored in it. For example, kernel code is stored in the secure storage space so that the code is protected. The non-secure storage space is used to store code and/or data that is frequently accessed and modified by a user, and allows access by access instructions with a secure access type. For example, frequently modified third-party code that cooperates with the kernel code is placed in the non-secure storage space.
An access operation initiated by the central processing unit may involve both a secure storage space and a non-secure storage space, different secure storage spaces, or different non-secure storage spaces. For example, when memory contents are moved by DMA, the code used is stored in the secure storage space, the source address of the moved contents is in the non-secure storage space and the destination address is in the secure storage space. Data sharing and data exchange therefore need to be possible between any secure storage space and any non-secure storage space, between any different secure storage spaces, and between any different non-secure storage spaces. To achieve this, the present application configures the local shared storage space, the non-secure shared storage space and the secure shared storage space in addition to the secure storage space and the non-secure storage space.
To meet the requirement that data sharing and data exchange be possible between any secure storage spaces, the present application provides the secure shared storage space, which allows access by access instructions with a secure access type. The secure shared storage space supports access by the central processing unit, the local shared storage space and all of the secure storage spaces. On the one hand, as a shared storage area for all the secure storage spaces, it allows any secure storage space to acquire content from it and allows any secure storage space to store content into it for other secure storage spaces to acquire; in this way, data sharing and data exchange between different secure storage spaces are realized. On the other hand, the secure shared storage space also supports data exchange and data sharing between the non-secure storage space and the secure storage space.
To meet the requirement that data sharing and data exchange be possible between any non-secure storage spaces, the present application provides the non-secure shared storage space, which allows access by access instructions with a non-secure access type. The non-secure shared storage space supports access by the central processing unit, the local shared storage space and all of the non-secure storage spaces. On the one hand, as a shared storage area for all the non-secure storage spaces, it allows any non-secure storage space to acquire specified data from it and allows any non-secure storage space to store specified data into it for other non-secure storage spaces to acquire; in this way, data sharing and data exchange between different non-secure storage spaces are realized. On the other hand, the non-secure shared storage space also supports data exchange and data sharing between the non-secure storage space and the secure storage space.
The local shared storage space is configured to support access by the central processing unit, the non-secure shared storage space and the secure shared storage space; that is, the local shared storage space does not limit the access type. It is used to exchange specified data between the non-secure shared storage space and the secure shared storage space and to share specified data between them, thereby realizing data sharing and data exchange between any secure storage spaces and any non-secure storage spaces.
S300, when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and acquires the attribute of the accessed storage space. When the central processing unit generates the access instruction, a flag bit indicating whether the access type is secure access or non-secure access is configured in the access instruction; access instructions include read access instructions and write access instructions.
Taking the AXI bus protocol as an example, the AXI bus protocol defines a read address channel, a read data channel, a write address channel, a write data channel and a write response channel. The read process and the write process each have their own address channel, and the corresponding address channel carries all the address and control information required for one read or write. The read process and the write process also each have their own data channel. The read data channel carries the data and response information transmitted from the slave device to the master device and comprises two parts: a data bus with a set bit width, and a read response signal indicating the completion state of the read process. The write data channel carries the data transmitted from the master device to the slave device and also comprises two parts: a data bus with a set bit width, and a byte strobe signal indicating the valid bytes in the data. The write response channel is used by the slave device to report completion of the whole write process to the master device. In the AXI bus protocol, the signals transmitted in the write data channel include an AWPROT signal defining write access rights, and the signals transmitted in the read data channel include an ARPROT signal defining write access rights.
The AxPROT (x is W or R) signal contains three bits: the bit with index 0 defines non-privileged or privileged access, the bit with index 1 defines secure or non-secure access, and the bit with index 2 defines data or instruction access. The bit with index 1 in the AxPROT signal is the flag bit in the present application.
S400, judging whether the access type of the memory access matches the attribute of the accessed storage space; if so, S500 is executed, otherwise S600 is executed. In the implementation process, before performing the memory access in response to the access instruction, the bus identifies through the flag bit whether the memory access initiated by the access instruction is a secure access or a non-secure access, and acquires the security attribute of the target storage space of the memory access request. If the access type of the memory access is secure and the security attribute of the target storage space is secure, or the access type of the memory access is non-secure and the security attribute of the target storage space is non-secure, the access type of the memory access is judged to match the attribute of the accessed storage space.
S500, allowing the memory access to obtain an access result of the memory access.
S600, refusing to access the memory and returning error information.
In one embodiment, specified data in a target secure storage space is stored into a target non-secure storage space by using the local shared storage space, the non-secure shared storage space and the secure shared storage space, as follows: when the central processing unit initiates an access operation that transfers specified data from the target secure storage space to the target non-secure storage space, the specified data in the target secure storage space is first stored into the secure shared storage space through a secure-type access instruction; the specified data is then stored from the secure shared storage space into the local shared storage space through a secure-type access instruction; the specified data in the local shared storage space is stored into the non-secure shared storage space through a non-secure-type access instruction; and the specified data in the non-secure shared storage space is stored into the target non-secure storage space through a non-secure-type access instruction.
In one embodiment, specified data in a first target non-secure storage space is stored into a second target non-secure storage space by using the non-secure shared storage space, as follows: when the central processing unit initiates an access operation that transfers the specified data from the first target non-secure storage space to the second target non-secure storage space, the specified data in the first target non-secure storage space is stored into the non-secure shared storage space through a non-secure-type access instruction, and is then read from the non-secure shared storage space into the second target non-secure storage space through a non-secure-type access instruction.
In one embodiment, specified data in a first target secure storage space is stored into a second target secure storage space by using the secure shared storage space, as follows: when the central processing unit initiates an access operation that transfers the specified data from the first target secure storage space to the second target secure storage space, the specified data in the first target secure storage space is stored into the secure shared storage space through a secure-type access instruction, and is then read from the secure shared storage space into the second target secure storage space through a secure-type access instruction.
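The following C model is an added example, not code from the patent or its applicant; it implements the S300 to S600 matching check and the four-hop secure to non-secure transfer described in the embodiments above. The region layout, function names and deny-by-default handling of unmapped addresses are assumptions, and the AxPROT[1] polarity (0 = secure, 1 = non-secure) is the AXI protocol's encoding, which the text does not spell out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* AxPROT[1] as encoded by the AXI protocol: 0 = secure, 1 = non-secure. */
#define AXPROT_SECURE    0x0u
#define AXPROT_NONSECURE 0x2u
#define BUS_OK    0
#define BUS_ERROR (-1)

/* The five kinds of storage space named in the description. */
enum kind { SECURE, NONSECURE, SECURE_SHARED, NONSECURE_SHARED, LOCAL_SHARED };
struct region { uint32_t base, size; enum kind kind; };

/* Constructed layout (an assumption): five 256-byte storage spaces. */
#define SPACE_SIZE 0x100u
#define SEC_BASE   0x000u
#define NSEC_BASE  0x100u
#define SSH_BASE   0x200u
#define NSSH_BASE  0x300u
#define LSH_BASE   0x400u
static const struct region regions[] = {
    { SEC_BASE,  SPACE_SIZE, SECURE },
    { NSEC_BASE, SPACE_SIZE, NONSECURE },
    { SSH_BASE,  SPACE_SIZE, SECURE_SHARED },
    { NSSH_BASE, SPACE_SIZE, NONSECURE_SHARED },
    { LSH_BASE,  SPACE_SIZE, LOCAL_SHARED },
};
static uint8_t memory[5 * SPACE_SIZE];

static const struct region *find_region(uint32_t addr)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++)
        if (addr >= regions[i].base && addr - regions[i].base < regions[i].size)
            return &regions[i];
    return NULL;
}

/* S400: returns 1 when the access type matches the target's attribute. */
int bus_check(uint32_t addr, uint8_t axprot)
{
    const struct region *r = find_region(addr);
    int nonsecure_access = (axprot & AXPROT_NONSECURE) != 0;
    if (r == NULL)
        return 0;                         /* unmapped address: deny */
    switch (r->kind) {
    case LOCAL_SHARED:     return 1;      /* does not limit the access type */
    case SECURE:
    case SECURE_SHARED:    return !nonsecure_access;
    case NONSECURE:
    case NONSECURE_SHARED: return nonsecure_access;
    }
    return 0;
}

int bus_read(uint32_t addr, uint8_t axprot, uint8_t *out)
{
    if (!bus_check(addr, axprot))
        return BUS_ERROR;                 /* S600: refuse, return error */
    *out = memory[addr];                  /* S500: allow */
    return BUS_OK;
}

int bus_write(uint32_t addr, uint8_t axprot, uint8_t value)
{
    if (!bus_check(addr, axprot))
        return BUS_ERROR;
    memory[addr] = value;
    return BUS_OK;
}

/* One hop: every byte is read and written with the same access type. */
int bus_copy(uint32_t dst, uint32_t src, uint32_t len, uint8_t axprot)
{
    for (uint32_t i = 0; i < len; i++) {
        uint8_t b;
        if (bus_read(src + i, axprot, &b) != BUS_OK) return BUS_ERROR;
        if (bus_write(dst + i, axprot, b) != BUS_OK) return BUS_ERROR;
    }
    return BUS_OK;
}

/* secure -> secure shared -> local shared -> non-secure shared -> non-secure */
int relay_secure_to_nonsecure(uint32_t dst, uint32_t src, uint32_t len)
{
    if (len > SPACE_SIZE) return BUS_ERROR;
    if (bus_copy(SSH_BASE, src, len, AXPROT_SECURE) != BUS_OK) return BUS_ERROR;
    if (bus_copy(LSH_BASE, SSH_BASE, len, AXPROT_SECURE) != BUS_OK) return BUS_ERROR;
    if (bus_copy(NSSH_BASE, LSH_BASE, len, AXPROT_NONSECURE) != BUS_OK) return BUS_ERROR;
    return bus_copy(dst, NSSH_BASE, len, AXPROT_NONSECURE);
}

int main(void)
{
    uint8_t b = 0;
    int rc;
    bus_write(SEC_BASE + 0x10, AXPROT_SECURE, 0xA5);
    rc = bus_read(SEC_BASE + 0x10, AXPROT_NONSECURE, &b);
    printf("non-secure read of secure space: %d\n", rc);
    rc = relay_secure_to_nonsecure(NSEC_BASE + 0x10, SEC_BASE + 0x10, 1);
    printf("relay to non-secure space: %d\n", rc);
    rc = bus_read(NSEC_BASE + 0x10, AXPROT_NONSECURE, &b);
    printf("non-secure read of target: %d, value 0x%02X\n", rc, b);
    return 0;
}
```

In this model the relayed bytes remain in the secure shared, local shared and non-secure shared spaces after the transfer, and the local shared copy is readable by either access type until it is overwritten.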
Example 2
Referring to FIG. 3, an embodiment of the present invention provides a space allocation apparatus for secure storage, which implements the space allocation method for secure storage described in embodiment 1 and includes:
a memory division module, which divides the memory space of the memory into a plurality of storage spaces; in the implementation process, the memory division module divides the memory space of the memory into a specified number of storage spaces of set size according to a preset storage space allocation configuration.
a memory attribute configuration module, which configures the security attribute and the sharing attribute of the divided storage spaces to set them as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space; the memory attribute configuration module divides the storage spaces into secure and non-secure storage spaces by configuring the security attribute in the memory page table, and the central processing unit divides the storage spaces into shared and non-shared storage spaces by configuring the sharing attribute in the memory page table.
and an access control module, which identifies the access type of the memory access through the flag bit in the access instruction and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned.
Example 3
Referring to FIG. 4, an embodiment of the present invention provides a space allocation device for secure storage, comprising at least one processing unit, a storage unit and a bus unit, wherein the processing unit comprises a central processing unit, the storage unit comprises a memory, and the storage unit stores a computer program which, when executed by the processing unit, implements the space allocation method for secure storage, the method comprising the following steps:
dividing the memory space of the memory into a plurality of storage spaces, and setting the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space by configuring security and sharing attributes;
when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned.
Example 4
An embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a central processing unit, implements the space allocation method for secure storage, the method including:
dividing the memory space of the memory into a plurality of storage spaces, and setting the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space by configuring security and sharing attributes;
when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned.
The central processing unit divides the memory space of the memory into a plurality of storage spaces and, by configuring security and sharing attributes, sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space. When the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, the memory access is allowed and its access result is obtained, otherwise the memory access is refused and error information is returned. Access permission is controlled by matching the access type against the storage space attribute: the access instructions for the non-secure storage space differ from those for the secure storage space, which protects the data in the secure storage space from the access instructions of the non-secure storage space and provides a security guarantee for that data. The invention introduces the local shared storage space, the non-secure shared storage space and the secure shared storage space, so that data sharing and data exchange can be realized between any secure storage space and any non-secure storage space, between any different secure storage spaces, and between any different non-secure storage spaces.
From the above description of the embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software plus the necessary general-purpose hardware, and of course also by means of hardware alone, although in many cases the former is the preferred embodiment. Based on such understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk or an optical disk of a computer, and which includes several instructions for causing an electronic device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to execute the method according to the embodiments of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed structures and methods may be implemented in other manners. The structural embodiments described above are merely illustrative. For example, the division of the units is merely a division by logical function, and there may be other manners of division in an actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed between the parts may be an indirect coupling or communication connection via interfaces, structures or units, and may be in electrical, mechanical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A space allocation method for secure storage, applied to an architecture formed by a central processing unit and a memory which are interconnected through a bus, characterized by comprising the following steps:
the central processing unit divides the memory space of the memory into a plurality of storage spaces, and sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space by configuring security and sharing attributes;
when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access from the flag bit and judges whether the access type matches the attribute of the accessed storage space; if so, it allows the memory access and the access result is obtained; otherwise, it refuses the memory access and returns error information.
2. The method of claim 1, wherein the local shared storage space supports access by the central processing unit, the non-secure shared storage space and the secure shared storage space, and is used for realizing exchange of specified data between the non-secure shared storage space and the secure shared storage space and for sharing the specified data of the non-secure shared storage space and the secure shared storage space.
3. The method of claim 1, wherein the non-secure shared storage space supports access by the central processing unit, the local shared storage space and all of the non-secure storage spaces; serving as a shared storage area of all the non-secure storage spaces, it allows any non-secure storage space to acquire specified data from the non-secure shared storage space, and allows any non-secure storage space to store specified data into the non-secure shared storage space for other non-secure storage spaces to acquire.
4. The method of claim 1, wherein the secure shared storage space supports access by the central processing unit, the local shared storage space and all of the secure storage spaces; serving as a shared storage area of all the secure storage spaces, it allows any secure storage space to acquire content from the secure shared storage space, and allows any secure storage space to store content into the secure shared storage space for other secure storage spaces to acquire.
5. The space allocation method for secure storage according to claim 1, wherein the secure storage space is used for storing code and/or data with security requirements; the non-secure storage space is used for storing code and/or data that is frequently accessed by a user for modification.
6. The space allocation method according to claim 1, wherein when the central processing unit generates the access instruction, a flag bit indicating whether the access type is a secure access or a non-secure access is configured in the access instruction, the access instruction including a read access instruction and a write access instruction;
before responding to the access instruction to carry out the memory access, the bus identifies from the flag bit whether the memory access initiated by the access instruction is a secure access or a non-secure access, and acquires the security attribute of the target storage space of the memory access request; if the access type of the memory access is secure access and the security attribute of the target storage space is secure, or the access type of the memory access is non-secure access and the security attribute of the target storage space is non-secure, the bus judges that the access type of the memory access matches the attribute of the accessed storage space.
7. The space allocation method according to claim 1, wherein the central processing unit divides the memory space of the memory into a plurality of storage spaces of a set size according to a storage space allocation configuration.
8. A space allocation apparatus for secure storage, implementing the space allocation method for secure storage according to any one of claims 1 to 7, comprising:
the memory division module divides the memory space of the memory into a plurality of storage spaces;
the memory attribute configuration module configures the security attribute and the sharing attribute of the storage spaces to set the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space;
and the access control module identifies the access type of the memory access through the flag bit in the access instruction, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
9. A space allocation apparatus for secure storage, comprising: at least one processing unit, a memory unit and a bus unit, said memory unit storing a computer program which, when executed by said processing unit, implements the space allocation method for secure storage according to any one of claims 1-7.
10. A computer readable storage medium storing a computer program which when executed by a central processor implements the space allocation method of secure storage according to any one of claims 1-7.
CN202310141855.5A 2023-02-17 2023-02-17 Space allocation method, device and equipment for secure storage and storage medium Pending CN116243862A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310141855.5A CN116243862A (en) 2023-02-17 2023-02-17 Space allocation method, device and equipment for secure storage and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310141855.5A CN116243862A (en) 2023-02-17 2023-02-17 Space allocation method, device and equipment for secure storage and storage medium

Publications (1)

Publication Number Publication Date
CN116243862A (en) 2023-06-09

Family

ID=86623739

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310141855.5A Pending CN116243862A (en) 2023-02-17 2023-02-17 Space allocation method, device and equipment for secure storage and storage medium

Country Status (1)

Country Link
CN (1) CN116243862A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination