CN116243862A - Space allocation method, device and equipment for secure storage and storage medium - Google Patents
- Publication number
- CN116243862A (application CN202310141855.5A)
- Authority
- CN
- China
- Prior art keywords
- access
- memory
- space
- storage space
- secure
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0638—Organizing or formatting or addressing of data
- G06F3/0644—Management of space entities, e.g. partitions, extents, pools
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F3/00—Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
- G06F3/06—Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
- G06F3/0601—Interfaces specially adapted for storage systems
- G06F3/0628—Interfaces specially adapted for storage systems making use of a particular technique
- G06F3/0629—Configuration or reconfiguration of storage systems
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Human Computer Interaction (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a space allocation method, device and equipment for secure storage and a storage medium. The central processing unit divides the memory space of the memory into a plurality of storage spaces, and sets the storage spaces into a local shared storage space, an unsafe shared storage space, a safe storage space and an unsafe storage space in a mode of configuring safety and sharing attributes; when the central processing unit initiates the memory access, the bus identifies the access type of the memory access, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, the memory access is allowed, otherwise, the memory access is refused. The control of access authority is realized by matching the access type and the storage space attribute, the access instruction of the non-secure storage space is different from the access instruction of the secure storage space, and the data in the secure storage space is protected.
Description
Technical Field
The present invention relates to the field of secure storage design, and in particular, to a secure storage space allocation method, apparatus, device, and storage medium.
Background
The code involved in building the functions of a memory chip includes kernel code and third-party code. During development of the memory chip, the kernel code and the third-party code often have to cooperate to implement certain functions, and version replacement of either the kernel code or the third-party code is common. In practice, the third-party code is modified and recompiled frequently, while modification of the kernel code is kept to a minimum. To reduce the influence of third-party code changes on the kernel and to ensure the security of the kernel, different types of code need to be managed in separate partitions. Code that should not be modified (such as kernel code) needs to be placed in a secure storage area so that it is protected; third-party code that is modified frequently (for example, test code) needs to be placed in a non-secure storage area. To meet these needs, a method, apparatus, device and storage medium for secure storage space allocation are required.
Disclosure of Invention
In order to solve the above technical problems or at least partially solve the above technical problems, the present invention provides a method, an apparatus, a device and a storage medium for secure storage.
In a first aspect, the present invention provides a method for allocating a secure memory space, which is applied to an architecture formed by a central processing unit and a memory interconnected by a bus, and includes:
the central processing unit divides the memory space of the memory into a plurality of memory spaces, and sets the memory spaces as a local shared memory space, an unsafe shared memory space, a safe memory space and an unsafe memory space in a mode of configuring safety and sharing attributes;
when the central processing unit initiates memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
Further, the local shared storage space supports access by the central processing unit, the non-secure shared storage space and the secure shared storage space; it is used to exchange specified data between the non-secure shared storage space and the secure shared storage space and to share that data between them.
Further, the non-secure shared storage space supports access by the central processing unit, the local shared storage space and all of the non-secure storage spaces; as the shared storage area of all the non-secure storage spaces, it allows any non-secure storage space to obtain specified data from it and to store specified data into it for other non-secure storage spaces to obtain.
Further, the secure shared storage space supports access by the central processing unit, the local shared storage space and all of the secure storage spaces; as the shared storage area of all the secure storage spaces, it allows any secure storage space to obtain content from it and to store content into it for other secure storage spaces to obtain.
Further, the safe storage space is used for storing codes and/or data with safety requirements; the non-secure storage space is used to store code and/or data that is frequently accessed by a user for modification.
Further, when the central processing unit generates the access instruction, a flag bit for indicating that the access type belongs to safe access or unsafe access is configured in the access instruction including a read access instruction and a write access instruction;
before responding to the access instruction to carry out memory access, the bus identifies whether the memory access initiated by the access instruction belongs to safe access or unsafe access through the flag bit; acquiring the security attribute of the target storage space of the memory access request; and if the access type of the memory access is safe access and the security attribute of the target storage space is safe or the access type of the memory access is unsafe and the security attribute of the target storage space is unsafe, judging that the access type of the memory access accords with the attribute of the accessed storage space.
Furthermore, the central processing unit divides the memory space of the memory into a plurality of memory spaces with set sizes according to the memory space allocation configuration.
In a second aspect, the present invention provides a space allocation apparatus for secure storage, which implements the space allocation method for secure storage and includes:
the memory division module divides the memory space of the memory into a plurality of storage spaces;
the memory attribute configuration module configures the security attribute and the sharing attribute of the storage space to set the storage space as a local shared storage space, an unsafe shared storage space, a safe storage space and an unsafe storage space;
and the access control module identifies the access type of the memory access through the flag bit in the access instruction, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
In a third aspect, the present invention provides a space allocation apparatus for secure storage, comprising: the system comprises at least one processing unit, a storage unit and a bus unit, wherein the storage unit stores a computer program, and the computer program realizes the space allocation method of the safe storage when being executed by the processing unit.
In a fourth aspect, the present invention provides a computer-readable storage medium storing a computer program which, when executed, implements the space allocation method for secure storage.
Compared with the prior art, the technical scheme provided by the embodiment of the invention has the following advantages:
the central processing unit divides the memory space of the memory into a plurality of memory spaces, and sets the memory spaces as a local shared memory space, an unsafe shared memory space, a safe memory space and an unsafe memory space in a mode of configuring safety and sharing attributes; when the central processing unit initiates memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information. Access authority is controlled by matching the access type against the storage space attribute; because the access instruction for the non-secure storage space differs from the access instruction for the secure storage space, the data in the secure storage space is protected from the influence of access instructions for the non-secure storage space, which provides a security guarantee for the data in the secure storage space. The local shared storage space, the non-secure shared storage space and the secure shared storage space are introduced in the invention, so that data sharing and data exchange can be realized between any secure storage space and any non-secure storage space, between any different secure storage spaces and between any different non-secure storage spaces.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
FIG. 1 is a schematic diagram of an architecture in which a CPU and a memory are connected by a bus, to which the present invention is applied;
FIG. 2 is a flowchart of a method for allocating space in a secure storage according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a space allocation device for secure storage according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a space allocation apparatus for secure storage according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Example 1
The embodiment of the invention provides a secure storage space allocation method, which is applied to an architecture formed by a central processing unit and a memory which are interconnected through a bus as shown in fig. 1, and specifically, referring to fig. 2, the secure storage space allocation method comprises the following steps:
S100, the central processing unit divides the memory space of the memory into a plurality of storage spaces.
A storage space allocation configuration is preset; it records the configuration parameters that control the division of the storage space, such as parameters controlling the size of each division. The central processing unit divides the memory space of the memory into a specified number of storage spaces of a set size according to this configuration.
S200, the central processing unit sets the storage space as a local shared storage space, an unsafe shared storage space, a safe storage space and an unsafe storage space in a mode of configuring safety and sharing attributes. Specifically, the central processing unit divides the storage space into a safe storage space and a non-safe storage space by configuring the safety attribute in the memory page table, and divides the storage space into a shared storage space and a non-shared storage space by configuring the sharing attribute in the memory page table.
In the implementation, the secure storage space is used to store code and/or data with security requirements, and access instructions of the secure access type are allowed to access it, so as to ensure the security of the content stored there. For example, kernel code is stored in the secure storage space to protect it. The non-secure storage space is used to store code and/or data that users frequently access and modify, and allows access by access instructions with secure access types. For example, frequently modified third-party code that cooperates with the kernel code is placed in the non-secure storage space.
An access operation initiated by the central processing unit may involve both a secure storage space and a non-secure storage space, different secure storage spaces, or different non-secure storage spaces. For example, when memory contents are moved by DMA and the code in use is stored in the secure storage space, the source address of the moved contents lies in the non-secure storage space and the destination address lies in the secure storage space. Data sharing and data exchange therefore need to be possible between any secure storage space and any non-secure storage space, between any different secure storage spaces, and between any different non-secure storage spaces. To achieve this, the application configures the local shared storage space, the non-secure shared storage space and the secure shared storage space in addition to the secure storage space and the non-secure storage space.
To allow data sharing and data exchange between any secure storage spaces, the application provides the secure shared storage space, which allows access by access instructions of the secure access type. The secure shared storage space supports access by the central processing unit, the local shared storage space and all of the secure storage spaces. On the one hand, as the shared storage area of all the secure storage spaces, it allows any secure storage space to obtain content from it and to store content into it for other secure storage spaces to obtain, which realizes data sharing and data exchange between different secure storage spaces. On the other hand, the secure shared storage space also supports data exchange and data sharing between the non-secure storage space and the secure storage space.
To allow data sharing and data exchange between any non-secure storage spaces, the application provides the non-secure shared storage space, which allows access by access instructions of the non-secure access type. The non-secure shared storage space supports access by the central processing unit, the local shared storage space and all of the non-secure storage spaces. On the one hand, as the shared storage area of all the non-secure storage spaces, it allows any non-secure storage space to obtain specified data from it and to store specified data into it for other non-secure storage spaces to obtain, which realizes data sharing and data exchange between different non-secure storage spaces. On the other hand, the non-secure shared storage space also supports data exchange and data sharing between the non-secure storage space and the secure storage space.
The local shared storage space is configured to support access by the central processing unit, the non-secure shared storage space and the secure shared storage space; that is, the local shared storage space does not limit the access type. It is used to exchange specified data between the non-secure shared storage space and the secure shared storage space and to share that data between them, thereby realizing data sharing and data exchange between any of the secure storage spaces and any of the non-secure storage spaces.
S300, when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access from the flag bit and obtains the attribute of the accessed storage space. When the central processing unit generates the access instruction (a read access instruction or a write access instruction), it configures in the instruction a flag bit indicating whether the access type is secure access or non-secure access.
Taking the AXI bus protocol as an example: the protocol defines a read address channel, a read data channel, a write address channel, a write data channel and a write response channel. The read process and the write process each have their own address channel, which carries all the address and control information required for one read or write. The read process and the write process also each have their own data channel. The read data channel carries data and response information transmitted from the slave device to the master device and consists of two parts: a data bus of a set bit width and a read response signal indicating the completion status of the read. The write data channel carries data transmitted from the master device to the slave device and consists of two parts: a data bus of a set bit width and a byte strobe signal indicating which bytes of the data are valid. The write response channel is used by the slave device to report completion of the whole write process to the master device. In the AXI bus protocol, the signals transmitted in the write data channel include an AWPROT signal defining write access rights, and the signals transmitted in the read data channel include an ARPROT signal defining write access rights.
The AxPROT signal (x is W or R) contains three bits: bit 0 defines non-privileged or privileged access, bit 1 defines secure or non-secure access, and bit 2 defines data or instruction access. Bit 1 of the AxPROT signal is the flag bit in this application.
S400, judging whether the access type of the memory access accords with the attribute of the accessed storage space, if so, executing S500, and if not, executing S600. In the implementation process, before responding to the access instruction to perform memory access, the bus identifies whether the memory access initiated by the access instruction belongs to safe access or unsafe access through the flag bit; acquiring the security attribute of the target storage space of the memory access request; and if the access type of the memory access is safe access and the security attribute of the target storage space is safe or the access type of the memory access is unsafe and the security attribute of the target storage space is unsafe, judging that the access type of the memory access accords with the attribute of the accessed storage space.
S500, allowing the memory access to obtain an access result of the memory access.
S600, refusing to access the memory and returning error information.
In one embodiment, the process of storing the specified data in the target secure storage space into the target non-secure storage space is implemented using the local shared storage space, the non-secure shared storage space, and the secure shared storage space as follows: when the central processing unit initiates an access operation of transferring specified data in a target safe storage space into a target unsafe storage space, the specified data in the target safe storage space is stored into the safe shared storage space through a safe type access instruction, then the specified data is stored into the local shared storage space from the safe shared storage space through the safe type access instruction, the specified data in the local shared storage space is stored into the unsafe shared storage space through an unsafe type access instruction, and the specified data in the unsafe shared storage space is stored into the target unsafe storage space through the unsafe type access instruction.
In one embodiment, the process of storing the specified data in the first target non-secure storage space into the second target non-secure storage space is implemented by using the non-secure shared storage space as follows: when the central processing unit initiates an access operation of transferring the specified data in the first target unsafe storage space into the second target unsafe storage space, the specified data in the first target unsafe storage space is stored into the unsafe shared storage space through an unsafe type access instruction, and then the specified data is read into the second target unsafe storage space from the unsafe shared storage space through the unsafe type access instruction.
In one embodiment, the process of storing the specified data in the first target secure storage space into the second target secure storage space is implemented by using the secure shared storage space as follows: when the central processing unit initiates an access operation of transferring the specified data in the first target safe storage space into the second target safe storage space, the specified data in the first target safe storage space is stored into the safe shared storage space through a safe type access instruction, and then the specified data is read into the second target safe storage space from the safe shared storage space through the safe type access instruction.
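The flag-bit check of S300 to S600 and the staged secure-to-non-secure transfer described above, modelled in C as an added example (not code from the patent). It implements the matching rule of S400 (secure access to secure space, non-secure access to non-secure space, any access to the local shared space); the region addresses, sizes and function names are hypothetical, and the 0 = secure / 1 = non-secure meaning of AxPROT[1] is the AXI encoding.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* AXI encoding of AxPROT[1], the page's flag bit: 0 = secure, 1 = non-secure. */
#define PROT_SECURE    0x0u
#define PROT_NONSECURE 0x2u
#define BUS_OK   0
#define BUS_ERR (-1)   /* S600: access refused, error returned */

enum attr { SECURE, NONSECURE, ANY };  /* ANY: local shared space, type not limited */
struct region { const char *name; uint32_t base, size; enum attr attr; };

/* Constructed layout for this example; addresses and sizes are hypothetical. */
enum { SEC = 0x000, SEC_SHARED = 0x100, LOCAL_SHARED = 0x200,
       NS_SHARED = 0x300, NS = 0x400, MEM_SIZE = 0x500 };

static const struct region regions[] = {
    { "secure",            SEC,          0x100, SECURE    },
    { "secure shared",     SEC_SHARED,   0x100, SECURE    },
    { "local shared",      LOCAL_SHARED, 0x100, ANY       },
    { "non-secure shared", NS_SHARED,    0x100, NONSECURE },
    { "non-secure",        NS,           0x100, NONSECURE },
};
static uint8_t mem[MEM_SIZE];

/* Return the region containing the whole range, or NULL. A burst that crosses
 * a region boundary matches no region and is therefore refused. */
static const struct region *lookup(uint32_t addr, uint32_t len)
{
    for (size_t i = 0; i < sizeof regions / sizeof regions[0]; i++) {
        const struct region *r = &regions[i];
        if (len != 0 && addr >= r->base && len <= r->size &&
            addr - r->base <= r->size - len)
            return r;
    }
    return NULL;
}

/* S300/S400: decode the flag bit and compare it with the region attribute. */
int access_allowed(uint32_t axprot, uint32_t addr, uint32_t len)
{
    const struct region *r = lookup(addr, len);
    int nonsecure = (axprot >> 1) & 1u;
    if (r == NULL) return 0;
    if (r->attr == ANY) return 1;
    return nonsecure ? r->attr == NONSECURE : r->attr == SECURE;
}

/* S500/S600: perform the access only when the check passes. */
int bus_read(uint32_t axprot, uint32_t addr, void *buf, uint32_t len)
{
    if (!access_allowed(axprot, addr, len)) return BUS_ERR;
    memcpy(buf, &mem[addr], len);
    return BUS_OK;
}

int bus_write(uint32_t axprot, uint32_t addr, const void *buf, uint32_t len)
{
    if (!access_allowed(axprot, addr, len)) return BUS_ERR;
    memcpy(&mem[addr], buf, len);
    return BUS_OK;
}

/* One hop: the read and the write are issued with the same access type. */
int bus_copy(uint32_t axprot, uint32_t src, uint32_t dst, uint32_t len)
{
    uint8_t tmp[64];
    if (len > sizeof tmp) return BUS_ERR;
    if (bus_read(axprot, src, tmp, len) != BUS_OK) return BUS_ERR;
    return bus_write(axprot, dst, tmp, len);
}

/* Secure -> non-secure transfer staged through the three shared spaces. */
int move_secure_to_nonsecure(uint32_t src, uint32_t dst, uint32_t len)
{
    if (bus_copy(PROT_SECURE,    src,          SEC_SHARED,   len)) return BUS_ERR;
    if (bus_copy(PROT_SECURE,    SEC_SHARED,   LOCAL_SHARED, len)) return BUS_ERR;
    if (bus_copy(PROT_NONSECURE, LOCAL_SHARED, NS_SHARED,    len)) return BUS_ERR;
    return bus_copy(PROT_NONSECURE, NS_SHARED, dst, len);
}

int main(void)
{
    const char msg[] = "constructed sample data";
    uint8_t out[sizeof msg] = {0};
    bus_write(PROT_SECURE, SEC + 0x10, msg, sizeof msg);
    printf("direct non-secure read of secure space: %d\n",
           bus_read(PROT_NONSECURE, SEC + 0x10, out, sizeof msg));
    printf("staged move: %d\n",
           move_secure_to_nonsecure(SEC + 0x10, NS + 0x20, sizeof msg));
    bus_read(PROT_NONSECURE, NS + 0x20, out, sizeof msg);
    printf("non-secure copy: %s\n", out);
    return 0;
}
```

The local shared space accepts both access types, so the flag-bit check gives no protection to anything staged there; only the specified data meant to cross the boundary belongs in it.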
Example 2
Referring to fig. 3, an embodiment of the present invention provides a secure storage space allocation apparatus, which implements the secure storage space allocation method described in embodiment 1, including:
the memory division module divides the memory space of the memory into a plurality of storage spaces; in the implementation process, the memory division module divides the memory space of the memory into a specified number of memory spaces with a set size according to a preset memory space allocation configuration.
The memory attribute configuration module configures the security attribute and the sharing attribute of the divided storage space to set the storage space as a local shared storage space, an unsafe shared storage space, a safe storage space and an unsafe storage space; the memory attribute configuration module divides the storage space into a safe storage space and a non-safe storage space by configuring the safety attribute in the memory page table, and the central processing unit divides the storage space into a shared storage space and a non-shared storage space by configuring the sharing attribute in the memory page table.
And the access control module identifies the access type of the memory access through the flag bit in the access instruction, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
Example 3
Referring to fig. 4, an embodiment of the present invention provides a space allocation apparatus for secure storage, including: the system comprises at least one processing unit, a storage unit and a bus unit, wherein the processing unit comprises a central processing unit, the storage unit comprises a memory, the storage unit stores a computer program, and the computer program realizes the space allocation method of safe storage when being executed by the processing unit, and the method comprises the following steps:
dividing the memory space of the memory into a plurality of memory spaces, and setting the memory spaces into a local shared memory space, an unsafe shared memory space, a safe memory space and an unsafe memory space by configuring safety and sharing attributes;
when the central processing unit initiates memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
Example 4
An embodiment of the present invention provides a computer-readable storage medium storing a computer program that when executed by a central processing unit implements the secure storage space allocation method, the method including:
dividing the memory space of the memory into a plurality of memory spaces, and setting the memory spaces into a local shared memory space, an unsafe shared memory space, a safe memory space and an unsafe memory space by configuring safety and sharing attributes;
when the central processing unit initiates memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information.
The central processing unit divides the memory space of the memory into a plurality of memory spaces, and sets the memory spaces as a local shared memory space, an unsafe shared memory space, a safe memory space and an unsafe memory space in a mode of configuring safety and sharing attributes; when the central processing unit initiates memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access through the flag bit, judges whether the access type of the memory access accords with the attribute of the accessed storage space, if so, allows the memory access to obtain the access result of the memory access, and otherwise, refuses the memory access and returns error information. Access authority is controlled by matching the access type against the storage space attribute; because the access instruction for the non-secure storage space differs from the access instruction for the secure storage space, the data in the secure storage space is protected from the influence of access instructions for the non-secure storage space, which provides a security guarantee for the data in the secure storage space. The local shared storage space, the non-secure shared storage space and the secure shared storage space are introduced in the invention, so that data sharing and data exchange can be realized between any secure storage space and any non-secure storage space, between any different secure storage spaces and between any different non-secure storage spaces.
From the above description of the embodiments, it will be clear to a person skilled in the art that the present invention may be implemented by means of software plus the necessary general-purpose hardware, or of course by hardware alone, although in many cases the former is the preferred embodiment. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art, may be embodied in the form of a software product, which may be stored in a computer-readable storage medium such as a floppy disk, a read-only memory (ROM), a random access memory (RAM), a flash memory (FLASH), a hard disk or an optical disk of a computer, and which includes several instructions for causing an electronic device (which may be a mobile phone, a personal computer, a server, a network device, etc.) to execute the method according to the embodiments of the present invention.
In the embodiments provided in the present invention, it should be understood that the disclosed structures and methods may be implemented in other manners. The structural embodiments described above are merely illustrative: the division of the units is merely a division by logical function, and other divisions are possible in an actual implementation; for example, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling, direct coupling or communication connection shown or discussed between components may be an indirect coupling or communication connection via interfaces, structures or units, and may be electrical, mechanical or in other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. A space allocation method for secure storage, applied to an architecture formed by a central processing unit and a memory which are interconnected through a bus, characterized by comprising the following steps:
the central processing unit divides the memory space of the memory into a plurality of storage spaces and, by configuring security and sharing attributes, sets the storage spaces as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space;
when the central processing unit initiates a memory access through an access instruction containing a flag bit, the bus identifies the access type of the memory access from the flag bit and judges whether the access type of the memory access matches the attribute of the accessed storage space; if so, the bus allows the memory access and the access result of the memory access is obtained, and otherwise the bus refuses the memory access and returns error information.
2. The method of claim 1, wherein the local shared memory space supports access to the central processing unit, the non-secure shared memory space, and the secure shared memory space; and is used for realizing exchange of specified data between the non-secure shared storage space and the secure shared storage space and sharing of the specified data of the non-secure shared storage space and the secure shared storage space.
3. The method of claim 1, wherein the non-secure shared memory space supports access to the central processing unit, the local shared memory space, and all of the non-secure memory spaces; and, as a shared storage area of all the non-secure storage spaces, allows any non-secure storage space to acquire specified data from the non-secure shared storage space and allows any non-secure storage space to store specified data into the non-secure shared storage space for other non-secure storage spaces to acquire.
4. The method of claim 1, wherein the secure shared memory space supports access to the central processing unit, the local shared memory space, and all of the secure memory spaces; and, as a shared storage area of all the secure storage spaces, allows any secure storage space to acquire content from the secure shared storage space and allows any secure storage space to store content into the secure shared storage space for other secure storage spaces to acquire.
5. The space allocation method for secure storage according to claim 1, wherein the secure storage space is used for storing code and/or data having security requirements; the non-secure storage space is used for storing code and/or data that is frequently accessed by a user for modification.
6. The space allocation method according to claim 1, wherein when the central processing unit generates the access instruction, a flag bit indicating whether the access type is a secure access or a non-secure access is configured in the access instruction, the access instruction including a read access instruction and a write access instruction;
before responding to the access instruction to carry out the memory access, the bus identifies from the flag bit whether the memory access initiated by the access instruction is a secure access or a non-secure access; acquires the security attribute of the target storage space of the memory access request; and, if the access type of the memory access is secure access and the security attribute of the target storage space is secure, or the access type of the memory access is non-secure access and the security attribute of the target storage space is non-secure, judges that the access type of the memory access matches the attribute of the accessed storage space.
7. The space allocation method according to claim 1, wherein the central processing unit divides the memory space of the memory into a plurality of storage spaces of a set size according to a storage space allocation configuration.
8. A space allocation apparatus for secure storage, implementing the space allocation method for secure storage according to any one of claims 1 to 7, comprising:
a memory division module, which divides the memory space of the memory into a plurality of storage spaces;
a memory attribute configuration module, which configures the security attribute and the sharing attribute of the storage spaces to set them as a local shared storage space, a non-secure shared storage space, a secure storage space and a non-secure storage space;
and an access control module, which identifies the access type of the memory access from the flag bit in the access instruction and judges whether the access type of the memory access matches the attribute of the accessed storage space; if so, it allows the memory access and the access result of the memory access is obtained, and otherwise it refuses the memory access and returns error information.
9. A space allocation apparatus for secure storage, comprising: at least one processing unit, a memory unit and a bus unit, said memory unit storing a computer program which, when executed by said processing unit, implements the space allocation method for secure storage according to any one of claims 1-7.
10. A computer readable storage medium storing a computer program which when executed by a central processor implements the space allocation method of secure storage according to any one of claims 1-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310141855.5A CN116243862A (en) | 2023-02-17 | 2023-02-17 | Space allocation method, device and equipment for secure storage and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116243862A (en) | 2023-06-09 |
Family
ID=86623739
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310141855.5A Pending CN116243862A (en) | 2023-02-17 | 2023-02-17 | Space allocation method, device and equipment for secure storage and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||