CN1545023A - Flushbonding CPU for information safety - Google Patents

Publication number: CN1545023A
Authority: CN (China)
Legal status: Granted (current status: Expired - Lifetime)
Application number: CNA2003101064036A
Other languages: Chinese (zh)
Other versions: CN1251065C (en)
Inventors: 季红彬, 于麦口, 孙涛, 蒋斌
Current Assignee: CCore Technology Suzhou Co Ltd
Original Assignee: CCore Technology Suzhou Co Ltd
Priority: CN 200310106403
Abstract

The invention is an embedded CPU for information security, characterized in that a MEPU (memory encryption and protection unit) is placed as a gate between the CPU core and the memory. Its features are: 1. data encryption combined with scrambling of the data storage addresses implements an advanced anti-tracing mechanism; 2. users are divided into super users and ordinary users, where the super user has special authority to configure the MEPU and to set the authority of ordinary users; 3. the memory space is divided into a system block, a MEPU control block and several super-user-programmable blocks, and the super user can set the size and position of every programmable block and specify its access authority and whether it is encrypted; 4. soft-key encryption is applied to the programmable blocks, each with a different key, and hard-key encryption is applied to the system block, where only the chip manufacturer knows the hard key; 5. a mechanism that classifies and counts illegal accesses can detect external malicious attacks and cracking attempts and take measures to protect the system.

Description

An embedded CPU for information security
Technical field
The present invention relates to an embedded CPU, and specifically to an embedded CPU for information security.
Background
In today's information security field, one of the most important problems is the security of embedded systems. A key component of an embedded system is the CPU, so the security of the CPU core determines the security level of the whole embedded system.
The structural design of common embedded CPU cores mainly considers non-security factors such as speed, reliability and power consumption, so these products have many security holes and cannot meet the requirements for building an information security system at all; a dedicated information security chip therefore has to be designed according to the specific requirements of information security applications. Current domestic security products, taking card products such as bank cards, social security cards and mobile phone SIM cards as examples, mostly remain at the level of 8-bit machines, and most of the market is controlled by a few large foreign companies (such as Atmel, Philips and Infineon). Products built on 8-bit CPUs have relatively low power consumption and cost, but in current applications such as e-government network security, e-commerce security, network media security and network security management, 8-bit machines fall short in processing power, security and other respects.
Among high-end 32-bit products, ARM of the UK has released three CPUs dedicated to information security, the SC100, SC200 and SC210, and MIPS has released information security CPUs in its 4Ks series. In use, however, these products do not meet the State Encryption Management Committee's requirement that China's commercial cryptography use independent intellectual property. In terms of security they still have some gaps: for example, the MPU in ARM's SC200 has no address/data encryption and decryption function, only a simple memory protection function. Domestically, the announced 32-bit machines include Godson and Noah's Ark, but these companies have not yet released a CPU dedicated to information security. Dedicated 32-bit information security CPUs are therefore still a blank among domestic products.
In view of this, the present invention proposes an embedded CPU for information security. By providing a memory encryption and protection unit (Memory Encryption and Protection Unit, abbreviated MEPU), this embedded CPU implements an advanced data/address encryption and decryption mechanism and an anti-attack mechanism, protects system data at different levels, and greatly improves the security of system operation. The design concept of the MEPU is applicable to 32-bit, 16-bit, 8-bit and other information security CPUs.
Summary of the invention
To achieve the above object, the technical solution adopted by the invention is: an embedded CPU for information security in which a dedicated memory encryption and protection unit (hereinafter MEPU) is placed between an original CPU core that has no security protection and the memory and external devices; the CPU core communicates with the memory and external devices through the MEPU over the address, control and data buses. After system reset the logical memory space is divided into three classes of region, namely several super-user-programmable blocks, one system region and one MEPU control region, and accessing users are divided into super users and ordinary users.
The MEPU contains an access attribute protection unit, a memory block encryption unit and a system region encryption unit, wherein:
(1) The access attribute protection unit protects access to the three classes of block above. It comprises:
  1. Address range registers, which hold the address range information identifying each block of memory and peripherals.
  2. Access attribute registers, which hold the access attribute information of each block of memory and peripherals.
  3. An address comparator, which compares an address issued by the CPU core with the address range of each block. If one or more blocks contain the address, it produces a signal for each containing block; if the address is not within the range of any block, it produces an address exception signal.
  4. Attribute decision logic, which responds to the containing-block signals produced by the address comparator, selects the strictest access attribute according to a priority rule as the reference, and compares the attribute of the corresponding block with the attribute of the current access. If the attributes match, it produces an access-normal signal; if they do not match, it produces an access-exception signal.
  5. A gate switch, which responds to the signals of the address comparator and the attribute decision logic by closing or opening the address, control and data buses.
(2) The memory block encryption unit encrypts and protects the super-user-programmable blocks. It comprises:
  1. An encryption enable register, used to configure the encryption enable of each super-user-programmable block.
  2. A key register, used to hold the software-programmable key.
  3. A data encryptor/decryptor, which uses the soft key in the key register to encrypt data that the CPU core outputs to a super-user-programmable block and to decrypt data that a super-user-programmable block inputs to the CPU core.
  4. An address encryptor, which uses the soft key in the key register to scramble addresses that the CPU core outputs to a super-user-programmable block.
(3) The system region encryption unit encrypts and protects the system region. It comprises:
  1. A hard key, which is programmed in hardware and is used to encrypt the system region.
  2. A data encryptor/decryptor, which uses the hard key to encrypt data that the CPU core outputs to the system region and to decrypt data that the system region inputs to the CPU core.
  3. An address encryptor, which uses the hard key to scramble addresses that the CPU core outputs to the system region.
The technical solution above is explained as follows:
1. In the above scheme, to further implement the anti-attack mechanism, the access attribute protection unit also contains an access status register and a counter, wherein:
The access status register records the block in which an illegal access occurred and the access type information. It contains:
Access status bits, which record for every block whether access to it has been legal or illegal;
TC bits, which hold the transfer code signal associated with the last illegal access;
An RW bit, which records the read/write signal of the last illegal access.
The counter records the number of illegal accesses of the same type. Once the recorded count reaches a set number, the system has detected an external malicious attack or cracking attempt and produces a signal to lock the system.
2. In the above scheme, so that the super-user-programmable blocks are effectively protected, the MEPU also contains an enable control register for the super-user-programmable blocks, used to enable the programmable blocks, which are in the access-disabled state at system reset.
3. In the above scheme, so that each super-user-programmable block is better encrypted, the encryption key of every block is different when the programmable blocks are encrypted.
4. In the above scheme, when the soft key is used to encrypt data in the super-user-programmable blocks, encryption is performed byte by byte. Address encryption is performed in units of four bytes within a 1K-byte region: the highest 22 bits and the lowest 2 bits of the 32-bit address are not encrypted, and the middle 8 address bits are encrypted by scrambling.
5. In the above scheme, the access attribute of each super-user-programmable block can be chosen from the following types:
Access attribute code    Ordinary user access    Super user access
0000                     RWX                     RWX
0001                     R-X                     RWX
0010                     R--                     RWX
0011                     --X                     RWX
0100                     ---                     RWX
0101                     ---                     R-X
0110                     ---                     R--
0111                     ---                     --X
1000                     R-X                     R-X
1001                     R--                     R--
1010                     --X                     --X
1011                     ---                     ---
1100                     RW-                     RW-
1101                     ---                     RW-
Where: R denotes a read operation, W a write operation, X an execute operation, and - means not allowed.
6. In the above scheme, the number of super-user-programmable blocks is ≤ the number of configuration registers provided in the memory protection unit, and each configuration register corresponds one-to-one with a block.
7. In the above scheme, for ease of implementation, the size of each super-user-programmable block lies in the range 1K bytes to 4G bytes and varies in powers of 2.
8. In the above scheme, the base address of each super-user-programmable block can be placed anywhere in the logical space and is automatically made an integer multiple of the block size. When the super-user-programmable blocks are configured, blocks are allowed to overlap; the access attribute of an overlapping region is the strictest of the corresponding access attributes.
9. In the above scheme, so that the super user can control the programmable blocks flexibly and effectively, the super user can configure the base address, the size, whether to encrypt, and the access attribute of each super-user-programmable block through the relevant registers.
The security protection principle of the invention is that, after system reset, the MEPU provides the following three security protection measures:
(1) The MEPU divides accessing users, by software, into super users and ordinary users. The super user has access rights to the system region and the MEPU control region, and configures the base address, the size, whether to encrypt, and the access attribute of the super-user-programmable blocks through a group of block configuration registers.
(2) The MEPU encrypts the system region with the hard key and encrypts the super-user-programmable blocks with the soft key. The encryption method is to encrypt the data and at the same time scramble the data storage addresses; the soft key is held in the key register described above.
(3) The MEPU provides an illegal-access type decision and counter mechanism, formed by the address comparator, the block configuration registers, the control and status register and the corresponding software working together. The address comparator compares the address being accessed with all blocks to determine which block it lies in; software compares the access attribute set in the corresponding block configuration register with the attribute of the attempted access to check whether the access is legal; the control and status register records the block and the access type of an illegal access. The type information of an illegal access updates a counter, and once the counter's record of illegal accesses of the same type reaches a set number, the system has detected an external malicious attack or cracking attempt and the MEPU locks the system.
By applying the technical solution above, the present invention has the following advantages over the prior art:
1. The invention encrypts data and at the same time scrambles the data storage addresses, implementing an advanced anti-tracing mechanism (anti-trace) in the MEPU. This ensures that an illegal tracer cannot probe sensitive information inside the system by tracing the system program.
2. The invention divides users into super users and ordinary users. The super user has specific authority to configure the MEPU and to set the authority of ordinary users, which ensures systematic management of access rights.
3. The invention divides the whole memory space into a system block, a MEPU control block and several super-user-programmable blocks. The size and position of each programmable block are set by the super user, who also specifies the access rights of each block and whether it needs to be encrypted, so these blocks have flexible access attributes and data/address encryption characteristics.
4. The invention uses two types of key, a hard key (hard-code key) and a soft key (soft-code key). The super-user-programmable blocks use the soft key, which only the super user can set, and the encryption key of each block can be set to a different value. The system block is encrypted with a hardware-programmed key, which differs from the keys of the programmable blocks and is known only to the chip manufacturer, which greatly strengthens system security.
5. The MEPU of the invention provides an illegal-access type decision and counter mechanism that can detect external malicious attacks and cracking attempts, and then locks the system to prevent the illegal attack and protect the system.
Description of drawings
Figure 1 is a system block diagram of the invention;
Figure 2 is the system structure diagram of the CS320 32-bit dedicated information security CPU chip of an embodiment of the invention;
Figure 3 is the MEPU system initialization flow chart of the invention;
Figure 4 shows example MEPU memory space configurations of the invention, where Fig. 4(a) shows the system configuration after reset; Fig. 4(b) shows a typical system application configuration; Fig. 4(c) shows a configuration similar to Fig. 4(b); and Fig. 4(d) shows a configuration when the system detects an illegal attack.
Embodiment
The invention is further described below with reference to the drawings and an embodiment:
Embodiment: referring to Figures 1 and 2, a CS320 32-bit embedded dedicated information security CPU chip consists of an original CPU core, a MEPU, memory and external devices. The CPU core communicates with the memory and external devices through the MEPU over the address, control and data buses.
The original CPU core is a low-power 32-bit RISC core with a load/store architecture. It supports byte/halfword/word accesses and has been performance-optimized for 16-bit peripherals. The original CPU core contains 16 32-bit general-purpose registers, 13 32-bit control registers and a 16 × 32-bit alternate register file used to save context information during fast interrupt handling. The CPU chip has a highly optimized pipeline: most instructions complete in a single cycle, and jump instructions need two instruction cycles. Its optimized 16-bit instruction set greatly improves the code density of the CPU, which is particularly important in price-sensitive smart card chip products. The CPU core also has enhanced bit-manipulation instructions and a single-cycle 32 × 16 hardware multiplier, which improve the performance of the CS320 when implementing algorithms commonly used in information security such as RSA and ECC.
For the special application of information security, a MEPU has been specifically designed into the CS320 32-bit embedded dedicated information security CPU chip. The MEPU is the core security protection structure of the whole CPU chip and is the gate between the CPU core and the memory and external devices. Communication between the CPU core and the memory and peripherals can complete only after passing through address comparison, access attribute permission, and the encryption and decryption of the memory encryption unit. If, for example, the access attribute does not match, the MEPU closes all bus signals that communicate with the memory and peripherals, preventing the outside from obtaining information about the CPU core through repeated probing.
I. MEPU characteristics
1. Security protection measures
After system reset, the MEPU divides the logical memory space into three classes of region, namely one system region, one MEPU control region and 8 super-user-programmable blocks, and provides the following three security protection measures:
(1) The MEPU divides accessing users, by software, into super users and ordinary users. The super user has access rights to the system region and the MEPU control region, and configures the base address, the size, whether to encrypt, and the access attribute of the 8 super-user-programmable blocks through 8 block configuration registers.
(2) The MEPU uses a separate hardware encryption circuit to apply hardware encryption to the system region, and uses the key register and a software key to apply soft encryption to the 8 super-user-programmable blocks.
(3) The MEPU provides an illegal-access type decision and counter mechanism, formed by the address comparator, the block configuration registers, the control and status register and the corresponding software working together. Once the counter's record of illegal accesses of the same type reaches a set number, the system has detected an external malicious attack or cracking attempt and the MEPU locks the system.
2. The 8 super-user-programmable regions
The MEPU has 8 super-user-programmable blocks. That is, after system reset the super user can program the MEPU configuration registers to divide the system memory space flexibly into 8 blocks. The size of each block is variable, with a minimum of 1K bytes and a maximum of 4G bytes; the block sizes that can be set and their codes are shown in Table 1.
Table 1: Block sizes that can be set and their codes
Size[9:5] value    Block size
00000-01000        Reserved (1Kbyte)
01001              1Kbyte
01010              2Kbyte
01011              4Kbyte
01100              8Kbyte
01101              16Kbyte
01110              32Kbyte
01111              64Kbyte
10000              128Kbyte
10001              256Kbyte
10010              512Kbyte
10011              1Mbyte
10100              2Mbyte
10101              4Mbyte
10110              8Mbyte
10111              16Mbyte
11000              32Mbyte
11001              64Mbyte
11010              128Mbyte
11011              256Mbyte
11100              512Mbyte
11101              1Gbyte
11110              2Gbyte
11111              4Gbyte
The base address of each block can be placed anywhere in the 4G-byte memory map and is automatically made an integer multiple of the block size (for example, if the size of a block is 4K bytes, the base address of the block is automatically adjusted to a multiple of 4K according to the setting, such as 0x00000000, 0x00001000, ...).
The super user can specify independently for each block whether its addresses and data are encrypted. If a block is encrypted, the data in that region of memory is encrypted and the data storage addresses are scrambled at the same time, but decryption happens automatically when the CPU core reads, writes or executes from the block. The user therefore does not perceive the encryption and decryption process, while illegal users are effectively prevented from reading internal system data. In addition, the super user can program the register field AP[3:0] to specify the access attribute of each of these 8 blocks separately. The attributes cover super user access, ordinary user access, write, read and execute (instruction fetch) operations; the access attributes available to the 8 blocks in the MEPU are shown in Table 2.
Table 2: Block access attributes that the MEPU can set
AP[3:0] value          Ordinary user    Super user
0000                   RWX              RWX
0001                   R-X              RWX
0010                   R--              RWX
0011                   --X              RWX
0100                   ---              RWX
0101                   ---              R-X
0110                   ---              R--
0111                   ---              --X
1000                   R-X              R-X
1001                   R--              R--
1010                   --X              --X
1011                   ---              ---
1100                   RW-              RW-
1101                   ---              RW-
1110-1111 (reserved)   ---              ---
Where: R denotes a read operation, W a write operation, X an execute operation, and - means not allowed.
Note that when the 8 memory space blocks are set up, blocks may overlap. Where they overlap, the overlapping region takes the strictest access attribute, and if any one of the overlapping blocks is to be encrypted, the overlapping part is encrypted.
3. System region
The MEPU has one block of fixed 4K-byte size with base address 0x00000000. It is used to hold the exception vector table and the operating system (OS). The data and addresses of this block are encrypted. Its access attribute is super user read/write/execute: only the super user can read, write or execute instructions in this block, and ordinary users have no right to access it. Within this 4K-byte space, the 512-byte block 0x00000000~0x000001FF is mainly used to hold 128 exception vectors, and 0x00000200-0x00000FFF is used to hold the operating system program. Note that this part of the program is encrypted, so only the super user, through decryption, can access this region correctly. The operating system program may be larger than 3.5K bytes; if so, the system initialization routine can be stored in the 3.5K-byte space, one of the MEPU's 8 super-user-programmable regions can be used to provide a block that holds the whole operating system program, and that block is encrypted.
4. MEPU control region
The MEPU also has one block of fixed 64K-byte size with base address 0xFFFF0000. It is used for MEPU control. Data and addresses in this block are not encrypted, and its access attribute is super user read/write; that is, only the super user can read and write addresses in this region.
For encryption and decryption, the MEPU also has one programmable 32-bit data/address key, held in the MEPU key register (MEPU Encryption Key Register) in this block. When the MEPU encrypts data, it does so byte by byte. Address encryption is performed in units of four bytes within a 1K-byte region; that is, the highest 22 bits and the lowest 2 bits of the 32-bit address are not scrambled, and the middle 8 address bits are encrypted.
To record illegal accesses, the MEPU also provides a control and status register. The CPU core can judge from the record in this register whether the system is under illegal attack or a cracking attempt. If so, the CPU core locks the system, which can then be unlocked only by designated personnel at the manufacturer, giving better protection of system data.
5. MEPU working state
After system reset the MEPU is always enabled, and the exception vector table/operating system block (system region) and the MEPU control block are always protected, so that only the super user can access these regions. The programmable blocks are disabled after system reset and are enabled only after the super user configures these 8 blocks.
II. MEPU memory space
As part of the CS320 system, the MEPU itself occupies 64K bytes of address space, which is the control space of the MEPU. Table 3 below shows the whole address space of the CPU processor.
Table 3: CPU processor address space
Logical address          Purpose                              Super user access     Ordinary user access
0x00000000-0x000001FF    Exception vector table               Read/write/execute    Forbidden
0x00000200-0x00000FFF    Operating system                     Read/write/execute    Forbidden
0x00001000-0xFFFEFFFF    Ordinary/super user address space    Selectable            Selectable
0xFFFF0000-0xFFFFFFFF    MEPU control space                   Read/write            Forbidden
The super user can access the whole address space (except as programmed), and the largest address range an ordinary user can access is 0x00001000 to 0xFFFEFFFF. An ordinary user access to an address outside this range produces an access error.
The 4G-byte address space can be divided into ten address blocks in total. Two of them are fixed, and the other 8 are set by writing the block configuration registers in the MEPU. The two fixed blocks are as follows:
1. The system region, used to hold the exception vector table and the operating system
Address range: 0x00000000~0x00000FFF;
Size: 4Kbyte;
Access rights and attribute: only super user read/write/execute access is allowed;
Enable: always enabled;
Encryption: data is encrypted with the hard key, and data storage addresses are scrambled at the same time.
2. The MEPU control region, used to control the memory protection unit
Address range: 0xFFFF0000~0xFFFFFFFF;
Size: 64Kbyte;
Access rights and attribute: only super user read/write access is allowed;
Enable: always enabled;
Encryption: not encrypted.
III. MEPU programming
MEPU programming involves the following 10 registers in total, see Table 4:
Table 4: MEPU programming model
Address        Register    Description
0xFFFF_0000    MPUCSR      MEPU control and status register
0xFFFF_0004    MPUEKR      MEPU key register
0xFFFF_0008    MPURR0      MEPU block configuration register 0
0xFFFF_000C    MPURR1      MEPU block configuration register 1
0xFFFF_0010    MPURR2      MEPU block configuration register 2
0xFFFF_0014    MPURR3      MEPU block configuration register 3
0xFFFF_0018    MPURR4      MEPU block configuration register 4
0xFFFF_001C    MPURR5      MEPU block configuration register 5
0xFFFF_0020    MPURR6      MEPU block configuration register 6
0xFFFF_0024    MPURR7      MEPU block configuration register 7
The memory space 0xFFFF_0028~0xFFFF_FFFF is reserved. A read access to this area returns 0, a write to this area has no effect, and a transfer acknowledge signal is produced. Any access to the MEPU control space block, whether valid or invalid, causes all address and strobe signals to be closed immediately, and the mpu_tbusy_b and mpu_data_out signals are closed during the data transfer cycle of the access.
1. MEPU control and status register (MPUCSR)
The MEPU control and status register has two purposes: it provides the enable control for the MEPU, and it holds the status information of the most recent memory access. Table 5 gives the details of the register.
Table 5: MEPU control and status register
Bit      Name        Access        Reset value
31:16    Reserved    Read Only     16b0
15       R9V         Read Only     1b0
14       R8V         Read Only     1b0
13       R7V         Read Only     1b0
12       R6V         Read Only     1b0
11       R5V         Read Only     1b0
10       R4V         Read Only     1b0
9        R3V         Read Only     1b0
8        R2V         Read Only     1b0
7        R1V         Read Only     1b0
6        R0V         Read Only     1b0
5:3      TC          Read Only     3b0
2        RW          Read Only     1b0
1        Reserved    Read Only     1b0
0        EN          Read/Write    1b0
RnV    Region Violation n
1: an illegal access has occurred in block n
0: no illegal access has occurred in block n
Note that R8V corresponds to the system block (0x00000000 to 0x00000FFF) and R9V corresponds to the MEPU control block (0xFFFF0000 to 0xFFFFFFFF).
TC     Transfer Code
The TC bits hold the Transfer Code signal (rce_tc[2:0]) associated with the last illegal access.
RW     Read/Write
The RW bit records the read/write signal of the last illegal access.
EN     MEPU Enable
1: the programmable blocks of the MEPU are enabled
0: the programmable blocks of the MEPU are disabled
Note that the MEPU enable bit only enables/disables the 8 programmable blocks; the predefined system block (Exception Vector and OS Region) and the MEPU control block (MEPU Control Space Region) are always enabled.
2, MEPU key register (MEPU Encryption Key Register)
The MEPU key register MPUEKR holds a 32-bit key. This key can be used to encrypt/decrypt the external data input/output bus and also to encrypt the address bus for the 8 programmable blocks, provided that the encryption enable bit of the block concerned is set (see the next part for details).
Data bus encryption is performed byte by byte, so a half-word or whole-word access is also encrypted one byte at a time. Address bus encryption is performed in units of whole words within a 1K-byte block: the upper 22 bits and the lowest 2 bits of the address bus remain unchanged during encryption, and only the middle 8 bits are encrypted. If encryption is enabled for one of the 8 blocks, the MEPU also decrypts when the CPU core accesses that block. A legitimate user therefore does not notice the encryption and decryption process, while the data in system memory is well protected, which is very advantageous for an information security system. Table 6 gives the details of the MEPU key register.
Table 6 MEPU key register
Bit           31:0
Name          MPUEKR
Access        Read/Write
Reset Value   0x00000000
It is worth noting that the system block (Exception Vector and OS Region) is encrypted and decrypted with a hard key (hard-code key). This is a 32-bit key programmed in hardware when the chip is manufactured; it is used to encrypt the system block and is known only to the chip manufacturer, which makes the protection of the system block more reliable.
Although the 8 programmable blocks are all encrypted and decrypted through the key register, the encryption key of each block is different, which further strengthens the security of the system. This key is a soft key (soft-code key), i.e. a 32-bit key that can be programmed by software, and only the super user can know it. This key is used to encrypt the 8 programmable blocks.
The MEPU control block (MEPU Control Space Region) is not encrypted.
3, MEPU block configuration registers 0-7 (MEPU Region Configuration Register 0-7)
The MEPU block configuration registers (MPURRn) are eight 32-bit registers, one for each of the 8 blocks programmable by the super user. They configure the base address, size, encryption and attributes of the 8 programmable blocks. The system block (Exception Vector and OS Region) and the MEPU control block (MEPU Control Space Region) are controlled by hardware and need no configuration register. Table 7 gives the details of this register.
Table 7 MEPU block configuration registers MPURR0-MPURR7
Bit           31:10                            9:5          4            3:0
Name          ADDRESS                          SIZE         EE           AP
Access        Read/Write                       Read/Write   Read/Write   Read/Write
Reset Value   22b0000_0000_0000_0000_0001_00   5b01001      1b1          4b0000
ADDRESS    Region Base Address
           The base address of the block. Note that for address comparison the base address is automatically taken as an integer multiple of the block size; the block size is defined in the SIZE field.
SIZE       Region Size
           The size of the block; see Table 1 for details.
EE         Region Encryption Enable
           1: the addresses and data of this block are encrypted/decrypted, using the key stored in the key register MPUEKR.
           0: the addresses and data of this block are not encrypted.
AP         Region Access Permissions
           This value determines the protection level (read/write/execute) of the block. For the detailed definition see Table 2, which gives the access rights corresponding to each setting.
Four, MEPU operating principle
1, Access violation detection mechanism
When the processor accesses memory over the MLB bus of the CPU core, the MEPU compares the access address with the addresses of the 10 MEPU blocks (the 8 blocks programmable by the super user, the system block and the MEPU control space block) to determine which block the address falls in; every access undergoes these 10 comparisons. When several blocks overlap, the access address may be found to belong to more than one block at once, and in that case the block with the strictest access attributes is applied. The attributes of the access (mainly the transfer code and the read/write indication signal) are then compared with the attributes of the block concerned, and a mismatch produces an access exception. If the access address is not within the address range of any of the ten blocks, an access violation results: all address and control bus signals are closed immediately, a transfer error signal TEA is generated, and the data bus is fully closed in the next cycle.
When a transfer error occurs, the attributes of the access are stored in the MEPU control and status register MPUCSR, and software determines the type of access violation from the contents of this register. If for some reason several access violations occur in succession (for example, after one violation the subsequent read of the access exception vector also causes a violation), only the transfer attributes of the last illegal access are recorded in TC and RW of MPUCSR. Note that under normal circumstances, when two or more access exceptions occur, the system executes the unrecoverable exception handling subroutine rather than the general access exception handling subroutine. If a further access violation occurs while the unrecoverable exception handling subroutine is running, the system will most likely stop working. On every access, if the access is illegal, the corresponding RnV bit in MPUCSR is set.
2, Determining the violation type
Software should be able to determine the type of access violation and the block in which it occurred, so the MEPU provides information about the last access violation, recorded in the MEPU control and status register MPUCSR. The RnV bits indicate the block in which the violation occurred, and the TC[5:3] and RW[2] bits indicate the type of access that was attempted. The access violation exception subroutine should examine the block configuration registers MPURRn whose RnV bits are set and compare the access rights set in the AP[3:0] bits of MPURRn with the recorded type of the attempted access; this makes it possible to determine the type of violation. The violation type is used to update an internal counter that records the number of illegal accesses of the same type. When a certain count is reached, this indicates that the system may be under malicious attack, and the MEPU blocks the system. This effectively protects the system from attack and improves its security.
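The detection mechanism of part 1 and the violation handling of part 2, modelled in C as an added example (it is not code from the patent). The SIZE encoding of 2^(SIZE+1) bytes, the transfer-code bits, the RW polarity, the AP codes given to the two fixed blocks and the lock threshold are assumptions of the model, and "strictest" is taken to mean the intersection of the rights of all matching blocks.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Rights mask R=4, W=2, X=1, indexed by AP code as in the page's access
 * attribute table; codes 1110 and 1111 are undefined there and deny all. */
static const uint8_t AP_USER[16]  = {7, 5, 4, 1, 0, 0, 0, 0, 5, 4, 1, 0, 6, 0, 0, 0};
static const uint8_t AP_SUPER[16] = {7, 7, 7, 7, 7, 5, 4, 1, 5, 4, 1, 0, 6, 6, 0, 0};

/* MPUCSR fields (Table 5). */
#define CSR_EN     (1u << 0)
#define CSR_RW     (1u << 2)                  /* assumed polarity: 1 = write */
#define CSR_TC(t)  (((uint32_t)(t) & 7u) << 3)
#define CSR_RNV(n) (1u << (6 + (n)))          /* R0V-R7V, R8V system, R9V control */

/* Assumptions of this model, not values from the page. */
#define TC_INSTR   2u                         /* transfer code: instruction fetch */
#define TC_SUPER   4u                         /* transfer code: super user */
#define AP_SYSTEM  4u                         /* system block: super user RWX only */
#define AP_CONTROL 13u                        /* control block: super user RW only */
#define LOCK_AFTER 3                          /* repeats of one type before lock */

enum cause { UNMAPPED, PRIVILEGE, OPERATION };
struct mepu {
    uint32_t csr, rr[8];                      /* MPUCSR, MPURR0-MPURR7 */
    uint8_t count[16];                        /* one counter per (TC, RW) type */
    bool locked;
};

/* Build an MPURRn value: ADDRESS[31:10], SIZE[9:5], EE[4], AP[3:0] (Table 7). */
uint32_t mpurr(uint32_t base, unsigned size, unsigned ee, unsigned ap) {
    return (base & 0xFFFFFC00u) | ((size & 31u) << 5) | ((ee & 1u) << 4) | (ap & 15u);
}

static unsigned need_of(unsigned tc, bool is_write) {
    return is_write ? 2u : (tc & TC_INSTR) ? 1u : 4u;
}
static unsigned block_ap(const struct mepu *m, int n) {
    return n < 8 ? (m->rr[n] & 15u) : n == 8 ? AP_SYSTEM : AP_CONTROL;
}

/* Does addr fall in block n? SIZE is assumed to mean 2^(SIZE+1) bytes (9 = 1 KB). */
static bool block_hit(const struct mepu *m, int n, uint32_t addr) {
    if (n == 8) return addr <= 0x00000FFFu;
    if (n == 9) return addr >= 0xFFFF0000u;
    unsigned size = (m->rr[n] >> 5) & 31u;
    if (!(m->csr & CSR_EN) || size < 9) return false;
    uint64_t bytes = 1ull << (size + 1);
    uint64_t base = (uint64_t)(m->rr[n] & 0xFFFFFC00u) & ~(bytes - 1);
    return addr >= base && addr - base < bytes;
}

/* Hardware side: ten comparisons, rights intersected on overlap. Returns true
 * if the access proceeds; otherwise latches the violation into MPUCSR. */
bool mepu_access(struct mepu *m, uint32_t addr, unsigned tc, bool is_write) {
    const uint8_t *rights = (tc & TC_SUPER) ? AP_SUPER : AP_USER;
    unsigned allowed = 7u;
    uint32_t hits = 0;
    if (m->locked) return false;              /* blocked after repeated violations */
    for (int n = 0; n < 10; n++)
        if (block_hit(m, n, addr)) {
            allowed &= rights[block_ap(m, n)];
            hits |= CSR_RNV(n);
        }
    if (hits && (allowed & need_of(tc, is_write))) return true;
    m->csr = (m->csr & CSR_EN) | hits | CSR_TC(tc) | (is_write ? CSR_RW : 0u);
    return false;
}

/* Software side: the violation handler decodes MPUCSR, compares the attempt
 * with the AP of each flagged block, and counts repeats of the same type. */
enum cause mepu_handle_violation(struct mepu *m) {
    unsigned tc = (m->csr >> 3) & 7u, super_ok = 7u;
    bool is_write = (m->csr & CSR_RW) != 0;
    uint32_t flagged = m->csr & (0x3FFu << 6);
    for (int n = 0; n < 10; n++)
        if (flagged & CSR_RNV(n)) super_ok &= AP_SUPER[block_ap(m, n)];
    if (++m->count[(tc << 1) | is_write] >= LOCK_AFTER) m->locked = true;
    if (!flagged) return UNMAPPED;            /* address outside all ten blocks */
    return (super_ok & need_of(tc, is_write)) ? PRIVILEGE : OPERATION;
}

int main(void) {
    struct mepu m = {.csr = CSR_EN};
    m.rr[0] = mpurr(0x00002000u, 11, 1, 0x1); /* constructed: 4 KB, user R-X */
    mepu_access(&m, 0x00002800u, 0, true);    /* ordinary-user write is refused */
    printf("MPUCSR=0x%08x cause=%d\n", (unsigned)m.csr, (int)mepu_handle_violation(&m));
    return 0;
}
```

PRIVILEGE means the super user would have been allowed the same operation, OPERATION means no user is allowed it in the flagged blocks.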
3, Locking the MEPU
Locking the MEPU keeps the MEPU in its current state so that it can no longer be changed. For example, when the super user programs a read-only MEPU control space block and enables the MEPU, the MEPU is locked. The lock can only be released after a system reset.
4, Anti-trace mechanism (anti-trace)
The CS320 also implements an advanced anti-trace mechanism. In an ordinary CPU, reset address 0 generally holds the address of the reset exception handler, for example a 32-bit address Addr_data1. The program then jumps to that address and executes the reset initialization routine. An illegal tracer can therefore follow the reset routine from the content of address 0 in memory and so probe the internal operation of the CPU. In the CS320, both the address bus and the data bus are encrypted, so the reset vector storage address 0 becomes a different address after encryption, and because of data encryption the start address of the initialization routine stored there is no longer the original Addr_data1 but, for example, Addr_data2. It is therefore difficult for an illegal tracer to trace the operation of the CPU by probing memory address 0.
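The address and data encryption described for the key register MPUEKR and the anti-trace effect above, modelled in C as an added example that is not part of the patent. XOR with key bytes is only a placeholder, since the actual transform is not disclosed here; the key value, the little-endian byte order and the helper names are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define WINDOW 1024u   /* address scrambling stays inside one 1 KB window */

/* Placeholder transform (assumption): XOR pads derived from the 32-bit key. */
static uint8_t data_pad(uint32_t key, uint32_t addr) {
    return (uint8_t)(key >> (8 * (addr & 3u)));
}
static uint8_t addr_pad(uint32_t key) {
    return (uint8_t)(key ^ (key >> 8) ^ (key >> 16) ^ (key >> 24));
}

/* Bits 31:10 and 1:0 pass through; only the 8-bit word index (bits 9:2) changes. */
uint32_t scramble_addr(uint32_t addr, uint32_t key) {
    uint32_t word = ((addr >> 2) & 0xFFu) ^ addr_pad(key);
    return (addr & 0xFFFFFC03u) | (word << 2);
}

/* CPU-side store through the MEPU into external memory `ext` (one window). */
void bus_write32(uint8_t *ext, uint32_t addr, uint32_t value, uint32_t key) {
    addr &= ~3u;
    uint32_t phys = scramble_addr(addr, key) % WINDOW;
    for (uint32_t i = 0; i < 4; i++)          /* data is encrypted byte by byte */
        ext[phys + i] = (uint8_t)((value >> (8 * i)) ^ data_pad(key, addr + i));
}

/* CPU-side load: the MEPU undoes both steps, so software sees plain values. */
uint32_t bus_read32(const uint8_t *ext, uint32_t addr, uint32_t key) {
    addr &= ~3u;
    uint32_t phys = scramble_addr(addr, key) % WINDOW, value = 0;
    for (uint32_t i = 0; i < 4; i++)
        value |= (uint32_t)(ext[phys + i] ^ data_pad(key, addr + i)) << (8 * i);
    return value;
}

/* What a probe on the external memory sees at a physical address: raw bytes. */
uint32_t probe_read32(const uint8_t *ext, uint32_t phys) {
    uint32_t raw = 0;
    for (uint32_t i = 0; i < 4; i++)
        raw |= (uint32_t)ext[(phys + i) % WINDOW] << (8 * i);
    return raw;
}

/* The scramble must map the 256 words of a window onto each other one-to-one,
 * otherwise two logical words would collide in physical memory. */
int is_permutation(uint32_t key) {
    uint8_t seen[256] = {0};
    for (uint32_t w = 0; w < 256; w++) {
        uint32_t s = (scramble_addr(w << 2, key) >> 2) & 0xFFu;
        if (seen[s]++) return 0;
    }
    return 1;
}

int main(void) {
    const uint32_t key = 0x1234ABCDu;         /* constructed key */
    uint8_t ext[WINDOW] = {0};
    bus_write32(ext, 0x00000000u, 0x00000200u, key);   /* reset vector, Addr_data1 */
    printf("logical 0 is stored at physical 0x%03x\n", (unsigned)scramble_addr(0, key));
    printf("probe at physical 0 reads 0x%08x\n", (unsigned)probe_read32(ext, 0));
    printf("probe at the real location reads 0x%08x\n",
           (unsigned)probe_read32(ext, scramble_addr(0, key)));
    printf("CPU reads logical 0 as 0x%08x\n", (unsigned)bus_read32(ext, 0, key));
    return 0;
}
```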
5, Initialization of the security system
The CS320 uses two types of key, a hard key (hard-code key) and a soft key (soft-code key). The hard key is known only to the IC designer and is used to encrypt the 4K system block (Exception Vector and OS Region); the super user (Supervisor) does not know this key either, and the hard key of each CPU is different, so the data in the system block is protected to the greatest extent. The soft key is specified by the supervisor and stored in the key register MPUEKR to encrypt the 8 blocks; ordinary users cannot access this key.
So that the MEPU can provide the greatest possible security in an information security chip system, the system block (Exception Vector and OS Region) is a 4K-byte block, encrypted by hardware and programmed as super user read/write/execute, with its base address at 0x00000000.
When system initialization begins, the reset exception vector is first fetched from 0x00000000. This vector points to the start address of the reset exception handling subroutine; this logical address should lie between 0x00000200 and 0x0000FFF. The reset exception handling subroutine first enables the MEPU (i.e. writes 1 to the MEPU control and status register MPUCSR at address 0xFFFF0000), then writes suitable data into the key register MPUEKR and the MEPU block configuration registers MPURR0-MPURR7 to configure the 8 blocks programmable by the super user. One or more of these blocks will hold additional operating system code, to supplement the system block (Exception Vector and OS Region). These blocks are encrypted with different keys and are programmed by the program in the system block (Exception Vector and OS Region). The whole initialization procedure is shown in Fig. 3.
The following are examples of MEPU configuration:
Fig. 4 shows different MEPU configuration examples. Fig. 4(a) shows the system configuration after reset. Only two blocks are enabled: the encrypted super user read/write/execute block in the bottom 4K bytes of the memory map and the MEPU control block in the top 64K bytes; the remaining space cannot be accessed. At this point the system has not yet configured the MEPU for the security application in use.
Fig. 4(b) shows a typical system application configuration. The bottom 4K-byte space is extended to hold additional system programs. Two additional encrypted memory blocks hold user applications. Other areas cannot be accessed.
Fig. 4(c) shows a configuration similar to Fig. 4(b), except that different blocks are enabled. This supports a different user application; Fig. 4(b) and (c) share the super user encrypted block (supervisor encrypted).
Fig. 4(d) shows a configuration used when the system detects an illegal attack, for example repeated illegal accesses of one particular type: the super user disables the entire memory space. Note that this disables the entire memory space permanently.
The above embodiment only illustrates the technical concept and features of the present invention. Its purpose is to enable those familiar with the art to understand and implement the invention; it does not limit the scope of protection of the invention. All equivalent changes or modifications made according to the spirit of the present invention shall fall within its scope of protection.

Claims (10)

1. An embedded CPU for information security, characterized in that: a memory encryption protection unit is arranged between the CPU core and the memory and peripherals; after system reset the memory logical space is divided into three classes of region, namely several super user programmable blocks, a system region and a memory protection unit control region, and accessing users are divided into two kinds, super users and ordinary users;
The memory encryption protection unit comprises an access attribute protection unit, a memory block encryption unit and a system region encryption unit, wherein:
(1) The access attribute protection unit protects access to the above three classes of block and comprises:
1) block address registers, which hold the address range information identifying each block of the memory and peripherals;
2) access attribute registers, which hold the access attribute information of each block of the memory and peripherals;
3) an address comparator, which compares an address issued by the CPU with the address range of each block; if one or more blocks contain the address, it produces signals identifying the containing blocks, and if the address is not within the address range of any block it produces an address exception signal;
4) attribute discrimination logic, which, from the containing-block signals produced by the address comparator, selects the strictest access attribute according to a priority principle as the attribute reference, and compares the attribute of the corresponding block with the attribute of the current access; if the attributes match it produces an access normal signal, and if they do not match it produces an access exception signal;
5) a gate switch, which responds to the signals of the address comparator and the attribute discrimination logic by closing or opening the address, control and data buses accordingly;
(2) The memory block encryption unit provides encryption protection for the several super user programmable blocks and comprises:
1) an encryption enable register, which configures the encryption enable of each super user programmable block;
2) a key register, which holds the software-programmable key;
3) a data encryption/decryption device, which uses the soft key in the key register to encrypt the data that the CPU core outputs to each super user programmable block and to decrypt the data that each super user programmable block inputs to the CPU core;
4) an address encryption device, which uses the soft key in the key register to scramble the addresses that the CPU core outputs to each super user programmable block;
(3) The system region encryption unit provides encryption protection for the system region and comprises:
1) a hard key, which is a hardware-programmed key used to encrypt the system region;
2) a data encryption/decryption device, which uses the hard key to encrypt the data that the CPU core outputs to the system region and to decrypt the data that the system region inputs to the CPU core;
3) an address encryption device, which uses the hard key to scramble the addresses that the CPU core outputs to the system region.
2. The embedded CPU according to claim 1, characterized in that: the access attribute protection unit further comprises an access status register and a counter, wherein:
The access status register records the block and access type information of an illegal access, and contains:
access status bits, which record for each block whether the access status is legal/illegal;
TC bits, which hold the transfer code signal associated with the last illegal access;
an RW bit, which records the read/write signal of the last illegal access;
The counter records the number of illegal accesses of the same type; once the recorded count reaches a set number, the system detects an external malicious attack or cracking attempt and produces a signal to lock the system.
3. The embedded CPU according to claim 1, characterized in that: the memory encryption protection unit further comprises an enable control register for the super user programmable blocks, used to enable the super user programmable blocks, which are in the access-disabled state at system reset.
4. The embedded CPU according to claim 1, characterized in that: in the encryption of the super user programmable blocks, the encryption key of each block is set to be different.
5. The embedded CPU according to claim 1, characterized in that: the soft key encrypts data in the several super user programmable blocks in units of 1 byte, and encrypts addresses in units of four bytes within a 1K-byte region, i.e. the upper 22 bits and the lowest 2 bits of the 32-bit address are not encrypted, and the middle 8 address bits are encrypted by scrambling.
6. The embedded CPU according to claim 1, characterized in that: the access attribute of the several super user programmable blocks can be selected from the following types:
Access attribute code   Ordinary user access   Super user access
0000                    RWX                    RWX
0001                    R-X                    RWX
0010                    R--                    RWX
0011                    --X                    RWX
0100                    ---                    RWX
0101                    ---                    R-X
0110                    ---                    R--
0111                    ---                    --X
1000                    R-X                    R-X
1001                    R--                    R--
1010                    --X                    --X
1011                    ---                    ---
1100                    RW-                    RW-
1101                    ---                    RW-
Wherein: R represents a read operation, W represents a write operation, X represents an execute operation, and - indicates that the operation is not allowed.
7. The embedded CPU according to claim 1, characterized in that: the number of super user programmable blocks ≤ the number of configuration registers provided in the memory protection unit, and each configuration register corresponds one-to-one with a block.
8. The embedded CPU according to claim 1, characterized in that: the size of each super user programmable block is in the range of 1K bytes to 4G bytes and varies in multiples of powers of 2.
9. The embedded CPU according to claim 1, characterized in that: the base address of each super user programmable block can be placed anywhere in the logical space and automatically becomes an integer multiple of the block size.
10. The embedded CPU according to claim 1, characterized in that: the super user configures the base address, size, encryption and access attributes of the several super user programmable blocks through the associated registers.
CN 200310106403 2003-11-21 2003-11-21 Flushbonding CPU for information safety Expired - Lifetime CN1251065C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200310106403 CN1251065C (en) 2003-11-21 2003-11-21 Flushbonding CPU for information safety

Publications (2)

Publication Number Publication Date
CN1545023A true CN1545023A (en) 2004-11-10
CN1251065C CN1251065C (en) 2006-04-12

Family

ID=34334150

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200310106403 Expired - Lifetime CN1251065C (en) 2003-11-21 2003-11-21 Flushbonding CPU for information safety

Country Status (1)

Country Link
CN (1) CN1251065C (en)

Also Published As

Publication number Publication date
CN1251065C (en) 2006-04-12

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 215011 Zhuyuan Road 209, Suzhou High-tech Zone, Jiangsu Province (23, 24 floors, Building 3, Pioneer Park)

Patentee after: SUZHOU C*CORE TECHNOLOGY Co.,Ltd.

Address before: 215011 Binhe Road 233, Suzhou New District, Suzhou City, Jiangsu Province

Patentee before: C*CORE TECHNOLOGY (SUZHOU) Co.,Ltd.

CX01 Expiry of patent term

Granted publication date: 20060412