TWI806736B - Bridge device and method for transferring data between buses - Google Patents
Bridge device and method for transferring data between buses Download PDFInfo
- Publication number
- TWI806736B TWI806736B TW111130821A TW111130821A TWI806736B TW I806736 B TWI806736 B TW I806736B TW 111130821 A TW111130821 A TW 111130821A TW 111130821 A TW111130821 A TW 111130821A TW I806736 B TWI806736 B TW I806736B
- Authority
- TW
- Taiwan
- Prior art keywords
- terminal
- transaction request
- security
- bus access
- target
- Prior art date
Links
Images
Abstract
Description
本發明是有關於一種電子裝置的資料安全技術,且特別是有關於一種橋接裝置及在匯流排之間傳遞資料的方法。 The invention relates to a data security technology of an electronic device, and in particular to a bridge device and a method for transferring data between busbars.
按照指令集的複雜程度區分,中央處理器(CPU)可區分為複雜指令集計算機(CISC)架構以及精簡指令集計算機(RISC)架構。屬於精簡指令集計算機架構的中央處理器經常應用在智慧型手機、平板電腦等消費型電子裝置中。另一方面,現今的生活愈發仰賴消費型電子裝置,使得消費型電子裝置中多多少少會保存有使用者的保密資料、不能被改動的裝置運作資訊...等,從而對於資料安全的要求愈加嚴謹。 According to the complexity of the instruction set, the central processing unit (CPU) can be divided into a complex instruction set computer (CISC) architecture and a reduced instruction set computer (RISC) architecture. CPUs belonging to the RISC architecture are often used in consumer electronic devices such as smartphones and tablet computers. On the other hand, today's life is increasingly dependent on consumer electronic devices, so that the consumer electronic devices will more or less store the user's confidential information, device operation information that cannot be changed, etc., so that the data security more stringent requirements.
電子裝置中具備多個匯流排,以方便電子裝置中多個元件之間相互傳遞資訊。然而,這些匯流排所執行的協定可能互不相同。在將執行不同協定的匯流排相互連接時,可能會產生兼容性的問題。雖然部分的協定已發展出資料安全技術(如,基於與RISC架構相同家族的進階精簡指令集機器(ARM)結構的信任區(TrustZone)技 術),但其他的協定(如,快速周邊組件互連(PCI-E))可能無法相應地支援前述資料安全技術。 There are multiple bus bars in the electronic device to facilitate mutual information transfer between multiple components in the electronic device. However, the protocols implemented by these buses may differ from each other. Compatibility issues may arise when interconnecting buses that implement different protocols. Although some protocols have developed data security technologies (for example, TrustZone technology based on the Advanced Reduced Instruction Set Machine (ARM) architecture of the same family as the RISC architecture) technology), but other protocols (eg, Peripheral Component Interconnect Express (PCI-E)) may not be able to support the aforementioned data security technology accordingly.
本發明實施例提供一種橋接裝置及在匯流排之間傳遞資料的方法,可使PCI-E協定的終端透過前述橋接裝置而支援基於ARM結構的信任區技術,擴大信任區技術的應用範圍以實現資料安全。 The embodiment of the present invention provides a bridge device and a method for transferring data between bus bars, which can enable the terminal of the PCI-E protocol to support the trust zone technology based on the ARM structure through the aforementioned bridge device, and expand the application range of the trust zone technology to achieve Data security.
本發明實施例的橋接裝置包括第一匯流排存取端、至少一第二匯流排存取端以及處理器。第一匯流排存取端耦接至一第一協定的一第一匯流排。至少一第二匯流排存取端分別選擇性地耦接至一第二協定的至少一終端。處理器耦接該第一匯流排存取端以及該至少一第二匯流排存取端,其中全部或是部分的該至少一第二匯流排存取端對應各自的一安全狀態識別符。處理器從該第一匯流排存取端獲得一第一交易請求,其中該第一交易請求包括一第一安全標記。處理器依據該第一交易請求的該第一安全標記以及耦接至一目標終端的該至少一第二匯流排存取端所對應的該安全狀態識別符來決定是否將該第一交易請求基於該第二協定轉譯並傳遞至該目標終端,其中該目標終端為該至少一終端的其中之一。 The bridging device according to the embodiment of the present invention includes a first bus access terminal, at least one second bus access terminal, and a processor. The first bus access terminal is coupled to a first bus of a first protocol. The at least one second bus access port is selectively coupled to at least one terminal of a second protocol respectively. The processor is coupled to the first bus access terminal and the at least one second bus access terminal, wherein all or part of the at least one second bus access terminal corresponds to a respective security state identifier. The processor obtains a first transaction request from the first bus access terminal, wherein the first transaction request includes a first security token. The processor determines whether the first transaction request is based on the first security flag of the first transaction request and the security state identifier corresponding to the at least one second bus access terminal coupled to a target terminal. The second protocol is translated and delivered to the target terminal, wherein the target terminal is one of the at least one terminal.
本發明實施例所述在匯流排之間傳遞資料的方法包括下列步驟。從該橋接裝置的一第一匯流排存取端獲得一第一交易請求,其中該第一交易請求包括一第一安全標記,該第一匯流排存取端耦接至一第一協定的一第一匯流排,該至少一第二匯流排存取端分別選擇性 地耦接至一第二協定的該至少一終端,全部或是部分的該至少一第二匯流排存取端對應各自的一安全狀態識別符;以及,依據該第一交易請求的該第一安全標記以及耦接至該目標終端的該至少一第二匯流排存取端所對應的該安全狀態識別符來決定是否將該第一交易請求基於該第二協定轉譯並傳遞至該目標終端,其中該目標終端為該至少一終端的其中之一。 The method for transferring data between bus bars according to the embodiment of the present invention includes the following steps. obtain a first transaction request from a first bus access port of the bridge device, wherein the first transaction request includes a first security token, the first bus access port coupled to a first protocol The first bus bar, the at least one second bus bar access terminals are respectively selective ground coupled to the at least one terminal of a second protocol, all or part of the at least one second bus access terminal corresponding to a respective security state identifier; and, according to the first transaction request of the first a security flag and the security state identifier corresponding to the at least one second bus access terminal coupled to the target terminal to determine whether to translate and deliver the first transaction request to the target terminal based on the second protocol, Wherein the target terminal is one of the at least one terminal.
基於上述,本發明實施例所述的橋接裝置及在匯流排間進行資料安全的方法使屬於PCI-E協定的終端透過橋接裝置而可支援基於ARM結構的信任區技術。換句話說,橋接裝置透過屬於PCI-E協定的匯流排存取端所對應的安全狀態識別符以及用於資料存取的交易請求中的安全標記來對交易請求進行轉譯並傳遞,從而使得耦接至橋接裝置且屬於PCI-E協定的終端能夠透過信任區技術與ARM結構下的元件相互進行資料存取,擴大信任區技術的應用範圍以實現資料安全。 Based on the above, the bridging device and the method for performing data security between buses in the embodiments of the present invention enable the terminals belonging to the PCI-E protocol to support the trust zone technology based on the ARM structure through the bridging device. In other words, the bridge device translates and transmits the transaction request through the security status identifier corresponding to the bus access terminal belonging to the PCI-E protocol and the security flag in the transaction request for data access, so that the coupling Terminals connected to the bridge device and belonging to the PCI-E protocol can access data with components under the ARM structure through the trust zone technology, expanding the application range of the trust zone technology to achieve data security.
100、800:電子裝置 100, 800: electronic device
102:中央處理器 102: CPU
105:系統記憶體 105: System memory
107:第一匯流排 107: The first bus bar
110:橋接裝置 110: Bridge device
112:第一匯流排存取端 112: the first bus access terminal
115:交換器 115: switch
116:處理器 116: Processor
118:橋接器終端 118: Bridge terminal
120-1~120-3:終端 120-1~120-3: terminal
200、610、620、630:表 200, 610, 620, 630: table
210:資料區塊 210: data block
AxPROT、AxPROT[1]:安全標記 AxPROT, AxPROT[1]: safety mark
M:主要存取端 M: main access port
S:從屬存取端 S: slave access terminal
RP1~RP3:第二匯流排存取端 RP1~RP3: The second bus access port
310:根埠安全狀態表 310: root port security status table
320:記憶體位址區間表 320:Memory address range table
S410~S448、S440’、S440”、S510~S550、S710~S760、S935、S942~S948:步驟 S410~S448, S440’, S440”, S510~S550, S710~S760, S935, S942~S948: steps
816:安全層級確認器 816: Security level confirmer
815-1~815-3:安全狀態判斷器 815-1~815-3: Safety status judge
TYPE:安全狀態查找表的類型 TYPE: The type of security state lookup table
TYPE1:安全狀態查找表的第一類型 TYPE1: The first type of security status lookup table
TYPE2:安全狀態查找表的第二類型 TYPE2: The second type of security status lookup table
RSV:保留區域 RSV: reserved area
Device_ID:裝置識別符 Device_ID: device identifier
SIZE_RANGE:尺寸範圍 SIZE_RANGE: Size range
MBR:記憶體基底位址 MBR: memory base address
Bit63-24、Bit23-8、Bit7-1、Bit0、Bit63-6、Bit5-1、Bit63-56、Bit55-48、Bit47-40、Bit39-32、Bit31-24、Bit23-16、Bit15-8、Bit7-0:位元 Bit63-24, Bit23-8, Bit7-1, Bit0, Bit63-6, Bit5-1, Bit63-56, Bit55-48, Bit47-40, Bit39-32, Bit31-24, Bit23-16, Bit15-8, Bit7-0: bit
圖1是依照本發明的實施例的一種電子裝置100的示意圖。
FIG. 1 is a schematic diagram of an
圖2是基於ARM結構的信任區(TrustZone)協定的訊號示意圖。 FIG. 2 is a schematic diagram of signals of the TrustZone protocol based on the ARM structure.
圖3是依照本發明第一實施例中說明橋接裝置如何進行符合信任區協定的資料存取的示意圖。 FIG. 3 is a schematic diagram illustrating how the bridging device performs data access according to the trust zone protocol according to the first embodiment of the present invention.
圖4是依照本發明第一實施例在匯流排之間傳遞資料的方法的流程圖。 FIG. 4 is a flowchart of a method for transferring data between buses according to the first embodiment of the present invention.
圖5是依照本發明第一至第三實施例在匯流排之間傳遞資料的方法的另一流程圖。 FIG. 5 is another flowchart of a method for transferring data between buses according to the first to third embodiments of the present invention.
圖6是依照本發明第二實施例中說明橋接裝置記錄作為安全狀態的終端的安全狀態查找表及其舉例的示意圖。 FIG. 6 is a schematic diagram illustrating a security state lookup table and an example thereof for a bridge device recording a terminal as a security state according to a second embodiment of the present invention.
圖7是依照本發明第二實施例在匯流排之間傳遞資料的方法的流程圖。 FIG. 7 is a flowchart of a method for transferring data between buses according to a second embodiment of the present invention.
圖8是依照本發明第三實施例的一種電子裝置的示意圖。 FIG. 8 is a schematic diagram of an electronic device according to a third embodiment of the present invention.
圖9是依照本發明第三實施例在匯流排之間傳遞資料的方法的流程圖。 FIG. 9 is a flowchart of a method for transferring data between buses according to a third embodiment of the present invention.
本發明實施例是屬於PCI-E協定的終端透過橋接裝置而可支援基於ARM結構的信任區技術。圖1是依照本發明的實施例的一種電子裝置100的示意圖。電子裝置100主要包括中央處理器102、系統記憶體105、第一匯流排107、橋接裝置110、屬於PCI-E協定的交換器115以及屬於PCI-E協定的終端120-1~120-3。
In the embodiment of the present invention, the terminal belonging to the PCI-E protocol can support the trust zone technology based on the ARM structure through the bridging device. FIG. 1 is a schematic diagram of an
本實施例的中央處理器102為進階精簡指令集機器(ARM)結構的處理器。中央處理器102、系統記憶體105以及屬於第一協定的第一匯流排107皆是基於ARM結構而實現。換句話說,第一匯流排107屬於第一協定,本實施例的第一協定可以是基於
ARM結構的匯流排協定。例如,此第一協定可以是AXI、ACE或ACE-lite協定。
The
橋接裝置110耦接至第一匯流排107、屬於PCI-E協定的一至多個交換器115以及一至多個終端120-1~120-3。橋接裝置110用於將屬於第一協定的第一匯流排107的資料與指令橋接轉換為屬於第二協定(本實施例為PCI-E協定)的資料與指令,使得中央處理器102能夠透過橋接裝置110與交換器115以及終端120-1~120-3存取資料。並且,橋接裝置110將屬於第二指令的資料與指令橋接轉換為屬於第一協定的第一匯流排107的資料與指令,使得終端120-1~120-3透過橋接裝置110與中央處理器102或系統記憶體105存取資料。本實施例的橋接裝置110可以是符合PCI-E協定的根複合體(root complex;RC)。
The
交換器115以及終端120-1~120-3的數量與這些元件之間的連接關係僅為本實施例的舉例,應用本實施例者可依其需求調整交換器與終端的數量以及這些元件的連接關係,例如,某個終端可以透過多個交換器連接到橋接裝置110。另一方面,應用本實施例者可依其需求選擇性地將交換器115或終端120-1~120-3連接到橋接裝置110。
The number of
於符合本發明的其他實施例中,第一匯流排107除了可以直接耦接到橋接裝置110以外,第一匯流排107還可以透過ARM結構中系統記憶體控制單元(SMMU)間接耦接到橋接裝置110,本實施例並不限制第一匯流排107與橋接裝置110之間的連接是否透過其
他元件來實現。
In other embodiments consistent with the present invention, in addition to the
橋接裝置110包括第一匯流排存取端112、至少一個第二匯流排存取端RP1~RP3以及處理器116。第一匯流排存取端112耦接至屬於第一協定的第一匯流排107。本實施例的第一匯流排存取端112還可以區分為用於將橋接裝置110所發出的訊息提供至第一匯流排107的主要存取端M以及用於將第一匯流排107所提供的訊息接收到橋接裝置110的從屬存取端S。詳細來說,橋接裝置110能夠將第一匯流排107所提供的訊息(如,傳入的記憶體交易資料)根據前述訊息中的記憶體位置,透過檢索橋接裝置110中關於每個終端對應的記憶體位置區間(例如,以記憶體基底(memory base)以及記憶體限制(memory limit)所設定的記憶體位置區間)的暫存器(register)設定,藉以找尋到與此訊息相應的終端並進行主要介面(Primary interface)(例如,基於ARM結構的第一匯流排協定)與次要介面(Secondary interface)(例如,PCI-E協定)的位置參照,從而將前述訊息(記憶體交易資料)提供到屬於第二協定的相應匯流排或是相應終端中。換句話說,橋接裝置110在利用訊息(記憶體交易資料)來找尋屬於第二協定的目標終端時,並不需要進行記憶體位置的轉換,橋接裝置110可將屬於第二協定的相應終端皆設定有與第一協定相對應的記憶體位置區間,便不需要進行記憶體位址的轉換。
The
第二匯流排存取端RP1~RP3分別選擇性地耦接至屬於第二協定(PCI-E協定)的至少一個終端120-1~120-3。例如,第二匯流排存取端RP1可透過交換器115耦接至終端120-1,第二匯流排存取
端RP2~RP3則直接耦接至終端120-2~120-3。本實施例的第二匯流排存取端RP1~RP3可稱為是根埠(root port)。應用本實施例者依其需求調整第二匯流排存取端RP1~RP3的數量。交換器115以及終端120-1~120-3為屬於第二協定(PCI-E協定)的裝置。處理器116耦接第一匯流排存取端112以及第二匯流排存取端PR1~PR3,並藉由前述元件實現在匯流排之間傳遞資料的方法與相應技術。
The second bus access ports RP1 - RP3 are respectively selectively coupled to at least one terminal 120 - 1 - 120 - 3 belonging to the second protocol (PCI-E protocol). For example, the second bus access port RP1 can be coupled to the terminal 120-1 through the
橋接裝置110還包括橋接器終端118。本實施例的橋接器終端118可以是根複合體(Root-Complex)整合式終端(integrated End-Point)。
The
在此說明基於ARM結構的信任區技術。圖2是基於ARM結構的信任區協定的訊號示意圖。信任區協定是由ARM系統的架構所定義,其係為了達成安全性延展的目標。信任區協定主要是會對每個組件分別定義這些組件各自的安全狀態識別符,並且在進行資料存取的交易請求中設置用於呈現其安全層級(即,交易請求區分為『安全存取』以及『非安全存取』)的安全標記。安全狀態識別符會將對應的組件區分為『安全狀態』以及『非安全狀態』。交易請求中的安全標記則會將交易請求區分為『安全存取』以及『非安全存取』。本實施例的交易請求是作為進行資料存取的相關指令。 The trust zone technology based on the ARM structure is described here. FIG. 2 is a schematic diagram of signals of the trust zone protocol based on the ARM structure. The trust zone protocol is defined by the architecture of the ARM system for the purpose of extending security. The trust zone agreement mainly defines the respective security status identifiers of these components for each component, and sets them in the transaction request for data access to present its security level (that is, the transaction request is divided into "secure access" and the security flag "unsecure access"). The security state identifier will distinguish the corresponding component into "safe state" and "non-safe state". The security flag in the transaction request will distinguish the transaction request into "secure access" and "non-secure access". The transaction request in this embodiment is a related instruction for data access.
依據圖2繪示的訊號示意圖,並配合高級微控制器匯流排結構(Advanced Microcontroller Bus Architecture;AMBA)中AXI與ACE協定說明書第A4.7節的相應描述,圖2示意表200的資料區塊210中呈現安全標記AxPROT[1],其用於表示當前交易
(transaction)的安全層級。當AxPROT[1]數值為”0”時,表示此交易為『安全存取』;當AxPROT[1]數值為”1”時,表示此交易為『非安全存取』。也就是說,AxPROT[1]數值為”0”所對應的交易請求能夠對安全狀態識別符為『安全狀態』以及『非安全狀態』的組件皆可進行資料存取。然而,AxPROT[1]數值為”1”所對應的交易請求僅能夠對安全狀態識別符為『非安全狀態』的組件進行資料存取,但AxPROT[1]數值為”1”所對應的交易請求不能對安全狀態識別符為『安全狀態』的組件進行資料存取。因此,本發明諸多實施例會在橋接裝置110中記錄全部或是部分的第二匯流排存取端RP1~RP3對應各自的安全狀態識別符,從而依據這些安全狀態識別符判斷與這些第二匯流排存取端RP1~RP3相連接的終端120-1~120-3是『安全狀態』或是『非安全狀態』。
According to the signal schematic diagram shown in FIG. 2 , and in conjunction with the corresponding description in Section A4.7 of the AXI and ACE protocol specifications in the Advanced Microcontroller Bus Architecture (AMBA), FIG. 2 shows the data block of the table 200 A security token AxPROT[1] is presented in 210, which is used to represent the current transaction
(transaction) security level. When the value of AxPROT[1] is "0", it means that the transaction is "secure access"; when the value of AxPROT[1] is "1", it means that the transaction is "non-secure access". That is to say, the transaction request corresponding to the value of AxPROT[1] being "0" can perform data access to components whose security status identifiers are "secure status" and "non-secure status". However, the transaction request corresponding to the value of AxPROT[1] is "1" can only perform data access to the component whose security state identifier is "non-secure state", but the transaction corresponding to the value of AxPROT[1] is "1" The request cannot perform data access to a component whose security status identifier is "secure status". Therefore, many embodiments of the present invention will record in the
藉此,若有交易請求從第一匯流排107傳遞到橋接裝置110,橋接裝置110便可依據第二匯流排存取端RP1~RP3對應的安全狀態識別符以及檢測交易請求中的安全標記來決定是否將此交易請求傳遞到對應的目標終端,從而進行符合信任區協定的資料存取。相對地,若有交易請求從終端120-1~120-3其中之一傳遞到橋接裝置110,橋接裝置110亦可依據耦接至發出交易請求的終端的第二匯流排存取端所對應的安全狀態識別符來調整此交易請求中的安全標記,便可將調整後的交易請求傳遞到第一匯流排107,從而進行符合信任區協定的資料存取。
In this way, if a transaction request is transmitted from the
圖3是依照本發明第一實施例中說明橋接裝置110如何進
行符合信任區協定的資料存取的示意圖。圖3中除了包括圖1中所述的多個元件以外,還繪示用於進行信任區協定的資料存取所需的資料,例如,根埠安全狀態表310以及記憶體位址區間表320。
Fig. 3 illustrates how the
根埠安全狀態表310用以記錄橋接器終端118以及第二匯流排存取端RP1~RP3中的每個所對應各自的安全狀態識別符。根埠安全狀態表310所述的埠編號為橋接器終端118以及第二匯流排存取端RP1~RP3的對應編號。圖3所示的根埠安全狀態表310表示橋接器終端118與第二匯流排存取端RP3對應的安全狀態識別符的數值為”0”,因此橋接器終端118以及跟第二匯流排存取端RP3相連接的終端120-3為『安全狀態』的組件;第二匯流排存取端RP1、RP2對應的安全狀態識別符的數值為”1”,因此跟第二匯流排存取端RP1、RP2相連接的終端120-1、120-2為『非安全狀態』的組件。
The root port security state table 310 is used to record the respective security state identifiers corresponding to each of the
在第一實施例中,記憶體位址區間表320用以記錄橋接器終端118以及跟第二匯流排存取端RP1~RP3中的每個相對應的記憶體位址區間。換句話說,橋接器終端118與第二匯流排存取端RP1~RP3中的每個被分配各自的記憶體位址區域並記錄於記憶體位址區間表320。例如,橋接器終端118所對應的記憶體位址區間為”0xA000_0000~0xAFFF_FFFF”,第二匯流排存取端RP1相連的終端120-1所對應的記憶體位址區間為”0xB000_0000~0xBFFF_FFFF”,並依此類推。
In the first embodiment, the memory address range table 320 is used to record the
圖4是依照本發明第一實施例在匯流排之間傳遞資料的方法的流程圖。圖4的方法主要適用於圖3橋接裝置110,且依照圖3
中所繪示的組件及相應資料進行說明。另一方面,圖4的方法主要是圖3橋接裝置110從第一匯流排107獲得用於資料存取的交易請求,並希望與屬於第二協定的終端120-1~120-3或橋接器終端118進行資料存取的處理流程。請同時參見圖3與圖4,於步驟S410中,橋接裝置110從第一匯流排存取端112處獲得第一匯流排107的第一交易請求。本實施例的描述係將從第一匯流排存取端112處獲得第一匯流排107的交易請求稱為是第一交易請求。換句話說,此第一交易請求是希望從第一匯流排107透過橋接裝置110傳遞到屬於第二協定的終端或橋接器終端以進行資料存取的交易。
FIG. 4 is a flowchart of a method for transferring data between buses according to the first embodiment of the present invention. The method in FIG. 4 is mainly applicable to the
於步驟S420中,當獲得前述第一交易請求時,橋接裝置110的處理器116判斷第一交易請求所對應的目標終端是否為與橋接裝置110連接的終端120-1~120-3的其中之一。
In step S420, when the aforementioned first transaction request is obtained, the
本實施例的橋接裝置110依據第一交易請求中的目標位址來檢索記憶體位址區間表320,從而判斷前述目標地址是否有落入橋接器終端118或第二匯流排存取端RP1~RP3的記憶體位置區間,藉此判斷第一交易請求所對應的目標終端是否為橋接器終端118或為終端120-1120-3的其中之一。
The
例如,當第一交易請求中的目標位址為”0xF000_0011”時,表示第一交易請求的目標位址並沒有落入記憶體位址區間表320中的任何一個記憶體位置區間,因此便從步驟S420進入步驟S430(即,步驟S420為否),橋接裝置110透過第一匯流排存取端112以對第一匯流排107回應錯誤訊息。此時的第一交易請求便為失敗。
For example, when the target address in the first transaction request is "0xF000_0011", it means that the target address of the first transaction request does not fall into any memory location interval in the memory address interval table 320, so from the step S420 proceeds to step S430 (ie, step S420 is NO), the
相對地,當第一交易請求中的目標位址有落入記憶體位址區間表320中相對應特定終端的記憶體位置區間時,表示第一交易請求的目標終端便為此特定終端,因此便從步驟S420進入步驟S440(即,步驟S420為是),橋接裝置110的處理器116便依據第一交易請求的第一安全標記以及耦接至目標終端的第二匯流排存取端所對應的安全狀態識別符來決定是否將第一交易請求基於第二協定轉譯並傳遞至所述目標終端。如此一來,目標終端便會從橋接裝置110獲得轉譯後的第一交易請求,從而依據第一交易請求進行資料存取。
In contrast, when the target address in the first transaction request falls into the memory location range corresponding to the specific terminal in the memory address range table 320, it means that the target terminal of the first transaction request is the specific terminal, so it will From step S420 to step S440 (that is, step S420 is yes), the
因步驟S440在符合本發明的多個實施例中可以有不同操作,在此便以圖3與圖4的內容詳細說明圖4步驟S440中的細節步驟S442、S444、S446以及S448。 Because step S440 may have different operations in multiple embodiments of the present invention, the details of steps S442, S444, S446 and S448 in step S440 in FIG.
請同時參照圖3與圖4,於步驟S442中,處理器116判斷第一交易請求的第一安全標記是否是第一數值(本實施例的第一數值設定為”0”)。當第一安全標記是第一數值(”0”)時,表示第一交易請求為『安全存取』,且第一交易請求無論目標終端的安全狀態為何皆可進行資料存取,因此從步驟S442進入步驟S448,處理器116將第一交易請求基於第二協定(PCI-E協定)轉譯並傳遞至步驟S420所知悉的目標終端。相對地,當第一安全標記不是第一數值(”0”)時,例如,第一安全標記的數值為”1”,表示第一交易請求為『非安全存取』,因此從步驟S442進入步驟S444,處理器116繼續判斷目標終端的第二匯流排存取端所對應的安全狀態識別符是否是第一數值(”0”),從而判斷目標終端是否屬於『安全狀態』或『非安全狀
態』。
Please refer to FIG. 3 and FIG. 4 at the same time. In step S442, the
於步驟S444中,當目標終端所對應的安全狀態識別符是第一數值(”0”)時,表示目標終端為『安全狀態』。由於第一交易請求為『非安全存取』且不能夠對『安全狀態』的目標終端進行資料存取,因此將從步驟S444進入步驟S446,處理器116回傳錯誤訊息以告知發出第一交易請求的組件,其資料存取失敗。相對地,於步驟S444中,當目標終端所對應的安全狀態識別符不是第一數值(”0”)時,例如,目標終端所對應的安全狀態識別符的數值為”1”,表示目標終端為『非安全狀態』。由於第一交易請求為『非安全存取』,且能夠對『非安全狀態』的目標終端進行資料存取,因此將從步驟S444進入步驟S448,處理器116將第一交易請求基於第二協定(PCI-E協定)轉譯並傳遞至目標終端。
In step S444, when the security state identifier corresponding to the target terminal is the first value ("0"), it means that the target terminal is in a "safe state". Since the first transaction request is "non-secure access" and cannot perform data access to the target terminal in the "secure state", it will enter step S446 from step S444, and the
舉例來說,若圖1中央處理器102透過第一匯流排107對終端120-1提出第一交易請求的話,圖3處理器116在獲得第一交易請求(步驟S410)後,便會利用第一交易請求的目標地址查詢記憶體位置區間表320以判斷此目標地址是否位在與橋接裝置110相連的終端120-1~120-3或橋接器終端118相對應的記憶體位置區間中,從而判斷第一交易請求所對應的目標終端是否為橋接裝置110所知悉(步驟S420)。此處的目標終端為終端120-1,因此目標地址便會落在第二匯流排存取端RP1對應的記憶體位址區間”0xB000_0000~0xBFFF_FFFF”當中。
For example, if the
在獲知目標終端為終端120-1之後,圖3處理器116判斷此
第一交易請求中的安全標記已知悉其為『安全存取』或是『非安全存取』,並配合與終端120-1相連的第二匯流排存取端RP1所對應的安全狀態識別符(數值”1”)所呈現其為『非安全狀態』,從而判斷是否將第一交易請求轉譯並傳遞給終端120-1(步驟S440)。詳細來說,若第一交易請求為『安全存取』,則橋接裝置110基於信任區協定而將第一交易請求傳遞給終端120-1(經步驟S442而進入步驟S448);若第一交易請求為『非安全存取』,由於終端120-1相對應的安全狀態識別符表明終端120-1為『非安全狀態』,則橋接裝置110基於信任區協定而將第一交易請求傳遞給終端120-1(經步驟S442、步驟S444而進入步驟S448)。
After learning that the target terminal is the terminal 120-1, the
在此基於圖4另舉一例,若圖1中央處理器102透過第一匯流排107對終端120-3提出第一交易請求的話,由於終端120-3為『安全狀態』,若是第一交易請求為『非安全存取』的話,則橋接裝置110基於信任區協定而回傳錯誤信息給圖1中央處理器102(經步驟S442、步驟S444而進入步驟S446)。
Here is another example based on FIG. 4. If the
圖5是依照本發明第一實施例在匯流排之間傳遞資料的方法的另一流程圖。圖5的方法主要是圖3橋接裝置110從終端120-1~120-3或橋接器終端118獲得用於資料存取的交易請求,並希望與第一匯流排107上的組件進行資料存取的處理流程。請同時參照圖3與圖5,於步驟S510中,處理器116從第二匯流排存取端RP1~RP3的其中之一獲得第二交易請求,此第二交易請求是由耦接至第二匯流排存取端RP1~RP3的主要終端提供。主要終端是屬於第二協定的終
端120-1~120-3的其中之一或橋接器終端118。本實施例的描述係將從與第二匯流排存取端RP1~RP3其中之一相連的終端120-1~120-3處所獲得的交易請求稱為是第二交易請求。換句話說,此第二交易請求是希望從屬於第二協定的終端或橋接器終端透過橋接裝置110傳遞到第一匯流排107的對應組件以進行資料存取的交易。
FIG. 5 is another flow chart of the method for transferring data between buses according to the first embodiment of the present invention. The method in FIG. 5 is mainly that the
步驟S520至S550則是當獲得前述第二交易請求時,橋接裝置110的處理器116依據耦接至主要終端的第二匯流排存取端RP1~RP3其中之一所對應的安全狀態識別符調整第二交易請求中的第二安全標記,並基於第一協定將經調整的第二交易請求轉譯並傳遞至第一匯流排存取端112,以使第二交易請求能夠透過橋接裝置110傳遞至第一匯流排107。
In steps S520 to S550, when the aforementioned second transaction request is obtained, the
詳細來說,於步驟S520中,橋接裝置110的處理器116判斷耦接至主要終端的第二匯流排存取端RP1~RP3其中之一所對應的安全狀態識別符是否為第一數值(”0”)。若步驟S520中主要終端所對應的安全狀態識別符為第一數值(”0”)的話(即,步驟S520為是),表示此主要終端為『安全狀態』,而且由此主要終端所發出的交易請求亦為『安全存取』,因此,當步驟S520中主要終端所對應的安全狀態識別符為第一數值(”0”)時,則由步驟S520進入步驟S540,處理器116將第二交易請求中的第二安全標記設定為第一數值(”0”)。相對地,步驟S520中主要終端所對應的安全狀態識別符不為第一數值(”0”)的話(步驟S520為否),亦即安全狀態識別符為第二數值(”1”),表示此主要終端為『非安全狀態』,而且由此主要
終端所發出的交易請求為『非安全存取』。因此,當步驟S520中主要終端所對應的安全狀態識別符不為第一數值(”0”)時,則由步驟S520進入步驟S530,處理器116將第二交易請求中的第二安全標記設定為第二數值(”1”)。
Specifically, in step S520, the
在完成步驟S530或是步驟S540後,於步驟S550中,處理器116將經調整的第二交易請求轉譯並傳遞至第一匯流排存取端112,以使第二交易請求能夠透過橋接裝置110傳遞至第一匯流排107。因此,圖5的方法是橋接裝置110在獲得終端120-1~120-3或是橋接器終端118的交易請求的執行步驟。
After completing step S530 or step S540, in step S550, the
在本發明第一實施例中,圖3的記憶體體位置區間表320主要是記錄橋接器終端118以及第二匯流排存取端RP1~RP3各自對應的記憶位址區間,橋接裝置110可依據交易請求中的目標位址查詢記憶體體位置區間表320而得知交易請求對應的目標終端。若是與單個第二匯流排存取端(如,第二匯流排存取端RP1)連接多個終端的話,則這些終端所對應各自的安全狀態識別符則因為連接到同第二匯流排存取端而相同。
In the first embodiment of the present invention, the memory location interval table 320 in FIG. 3 mainly records the corresponding memory address intervals of the
於符合本發明的其他實施例中,橋接裝置110亦可以透過記錄橋接器終端118以及與第二匯流排存取端RP1~RP3相連的終端120-1~120-3所對應的其他資訊(例如,各個終端的裝置識別符)來得知交易請求對應的目標終端。並且,於符合本發明的其他實施例中,橋接裝置110亦可以僅記錄橋接器終端118以及與第二匯流排存取端RP1~RP3相連的終端120-1~120-3中作為『安全狀態』的相關
資訊來判斷交易請求對應的目標終端,而不記錄作為『非安全狀態』的相應終端。以下以第二實施例進行說明。
In other embodiments consistent with the present invention, the
圖6是依照本發明第二實施例中說明橋接裝置記錄作為安全狀態的終端的安全狀態查找表及其舉例的示意圖。在此將用以記錄『安全狀態』終端的相應資訊稱為是安全狀態查找表。本實施例的安全狀態查找表可以具備兩種類型,其第一類型可如圖6的表610所示,表610用於記錄位於『安全狀態』的終端的裝置識別符;第二類型可如圖6的表620所示,表620用於紀錄位於『安全狀態』的終端所分配的記憶體位址區域。詳細來說,表610是以64位元呈現,在此以第0位元至第63位元進行說明。第0位元用於表示此安全狀態查找表的類型TYPE,例如,第0位元為”0”時表示為第一類型TYPE1,即為記錄終端的裝置識別符的類型;第1至7位元Bit7-1以及第24到63位元Bit63-24屬於保留區域RSV;第8至23位元Bit23-8則是儲存符合第二協定(PCI-E協定)的裝置識別符Device_ID。本實施例中符合PCI-E協定的裝置識別符Device_ID是以16位元的匯流排/裝置/功能(Bus/Device/Function;BDF)作為舉例。表620亦是以64位元呈現,在此以第0位元至第63位元進行說明。第0位元Bit0用於表示此安全狀態查找表的類型TYPE,例如,第0位元為”1”時表示為第二類型,即為記錄終端的記憶體位址區間的類型;第1至5位元Bit5-1用於表示記憶體位址區間的尺寸範圍SIZE_RANGE為何,本實施例的尺寸範圍可以在4KB至4GB之間;第6至63位元Bit63-6則是儲存與此終端相對應的記憶體基底
位址(Memory Base Address)MBR。
FIG. 6 is a schematic diagram illustrating a security state lookup table and an example thereof for a bridge device recording a terminal as a security state according to a second embodiment of the present invention. Here, the corresponding information for recording the "security status" terminal is called a security status lookup table. The security state lookup table of this embodiment can have two types, the first type can be shown in the table 610 of Figure 6, and the table 610 is used to record the device identifier of the terminal in the "safe state"; the second type can be as follows As shown in the table 620 in FIG. 6 , the table 620 is used to record the memory address area allocated by the terminal in the "safe state". In detail, the table 610 is represented by 64 bits, and the 0th bit to the 63rd bit are described here. The 0th bit is used to indicate the type TYPE of this security status lookup table, for example, when the 0th bit is "0", it is expressed as the first type TYPE1, which is the type of the device identifier of the recording terminal; the 1st to 7th bits The bit Bit7-1 and the 24th to 63rd bits Bit63-24 belong to the reserved area RSV; the 8th to 23rd bits Bit23-8 store the device identifier Device_ID conforming to the second protocol (PCI-E protocol). The device identifier Device_ID conforming to the PCI-E protocol in this embodiment is an example of a 16-bit bus/device/function (Bus/Device/Function; BDF). The table 620 is also represented by 64 bits, and the 0th bit to the 63rd bit are used for illustration here. The 0th bit Bit0 is used to represent the type TYPE of this security status lookup table, for example, when the 0th bit is "1", it represents the second type, which is the type of the memory address interval of the recording terminal;
表630則為前述表610與表620的舉例。表630的第一列(row)為屬於第二協定(PCI-E協定)的第二匯流排存取端RP1所對應的相關資訊,表示第二匯流排存取端RP1為『安全狀態』(因表630不會記錄『非安全狀態』的組件),且第一列的第0位元為”0”而為前述第一類型。表630的第三列為屬於第二協定(PCI-E協定)的終端(在此舉例為讀卡機)所對應的相關資訊,表示讀卡機為『安全狀態』。另一方面,雖然橋接裝置110有連接到一個終端(在此舉例為PCI-E協定的音效卡),但因為此終端(音效卡)為『非安全狀態』,因此並未記錄於表630。
The table 630 is an example of the aforementioned table 610 and table 620 . The first column (row) of the table 630 is related information corresponding to the second bus access port RP1 belonging to the second protocol (PCI-E protocol), indicating that the second bus access port RP1 is in a "safe state" ( Because the table 630 does not record the "non-safe state" components), and the 0th bit of the first column is "0", it is the aforementioned first type. The third column of the table 630 is related information corresponding to a terminal (for example, a card reader) belonging to the second protocol (PCI-E protocol), indicating that the card reader is in a "secure state". On the other hand, although the
圖7是依照本發明第二實施例在匯流排之間傳遞資料的方法的流程圖。圖7的方法主要適用於圖1橋接裝置110,且依照圖6中所繪示的相應資料進行說明。第二實施例所述圖7的方法是圖1橋接裝置110從第一匯流排107獲得用於資料存取的交易請求,並希望與屬於第二協定的終端120-1~120-3或橋接器終端118進行資料存取的處理流程。
FIG. 7 is a flowchart of a method for transferring data between buses according to a second embodiment of the present invention. The method in FIG. 7 is mainly applicable to the
於圖7的步驟S410中,橋接裝置110從第一匯流排存取端112處獲得第一匯流排107的第一交易請求。特別說明的是,第二實施例圖7與第一實施例圖4中多個步驟較大的不同處在於,第一實施例圖4步驟S420以及步驟S430會判斷第一交易請求的目標終端是否為橋接裝置110所連接的終端,但第二實施例圖7是將圖4步驟S420以及步驟S430的相應技術內容融入到圖7步驟S440’中,且以
下詳細說明圖7步驟S440’。
In step S410 of FIG. 7 , the
於圖7步驟S440’中,橋接裝置110的處理器116依據第一交易請求的第一安全標記以及耦接至目標終端的第二匯流排存取端所對應的安全狀態識別符來決定是否將第一交易請求基於第二協定轉譯並傳遞至第一交易請求的目標終端。詳細來說,於圖7步驟S710中,處理器116判斷第一交易請求的第一安全標記是否是第一數值(”0”)。當第一安全標記是第一數值(”0”)時,表示第一交易請求為『安全存取』,且第一交易請求無論目標終端的安全狀態為何皆可進行資料存取,因此從步驟S710進入步驟S720,處理器116將第一交易請求基於第二協定(PCI-E協定)轉譯並傳遞至第一交易請求的目標終端。相對地,當第一安全標記不是第一數值(”0”)時,例如,第一安全標記的數值為”1”,表示第一交易請求為『非安全存取』,因此從步驟S710進入步驟S730,處理器116判斷第一交易請求的類別是否為周邊組件互連(PCI)記憶體交易類別(亦即,圖6所述的第二類別)。
In step S440' in FIG. 7, the
如果第一交易請求的類別為周邊組件互連(PCI)記憶體交易類別(即,步驟S730為是),則從步驟S730進入步驟S740,處理器116依據第一交易請求的目標位址來檢索安全狀態查找表(在此以圖6表630為例),以判斷是否有從安全狀態查找表中找到相應資料。如果處理器116並未依據目標位址而從安全狀態查找表找到相應資料,表示第一交易請求的目標終端為『非安全狀態』且第一交易請求為『非安全存取』,因此,便從步驟S740進入步驟S720,處理器
116將第一交易請求基於第二協定轉譯並傳遞至目標終端。相對地,處理器116有依據目標位址而從安全狀態查找表找到相應資料,表示第一交易請求的目標終端為『安全狀態』且第一交易請求為『非安全存取』,因此,便從步驟S740進入步驟S760,處理器116回傳錯誤訊息,此時第一交易請求並未傳遞到目標終端。
If the category of the first transaction request is Peripheral Component Interconnect (PCI) memory transaction category (that is, step S730 is yes), then enter step S740 from step S730, and the
相對地,如果第一交易請求的類別不是周邊組件互連(PCI)記憶體交易類別(即,步驟S730為否),則從步驟S730進入步驟S750,處理器116依據第一交易請求的目標裝置識別符來檢索圖6安全狀態查找表(在此以表630為例)。如果處理器116並未依據目標位址而從安全狀態查找表找到相應資料,表示第一交易請求的目標終端為『非安全狀態』且第一交易請求為『非安全存取』,因此,便從步驟S750進入步驟S720,處理器116將第一交易請求基於第二協定轉譯並傳遞至目標終端。相對地,處理器116有依據目標位址而從安全狀態查找表找到相應資料,表示第一交易請求的目標終端為『安全狀態』且第一交易請求為『非安全存取』,因此,便從步驟S750進入步驟S760,處理器116回傳錯誤訊息,此時第一交易請求並未傳遞到目標終端。
Relatively, if the category of the first transaction request is not a Peripheral Component Interconnect (PCI) memory transaction category (that is, step S730 is No), then from step S730, enter step S750, and the
另外,第二實施例中,從終端120-1~120-3或橋接器終端118獲得用於資料存取的交易請求,並希望與第一匯流排107上的組件進行資料存取的處理流程與第一實施例中圖5所述的方法相同。
In addition, in the second embodiment, the transaction request for data access is obtained from the terminals 120-1~120-3 or the
第一實施例在圖3與圖4與相應說明中呈現能夠記錄第二匯流排存取端RP1~RP3所對應的的安全狀態識別符,但無法記錄各個 終端的安全狀態識別符。另一方面,第二實施例圖6的安全狀態查找表可以選擇性地以交易請求的目標位址或是目標裝置識別符來記錄對應資料,因此第二實施例可以記錄各個終端的安全狀態識別符。並且,第二實施例圖6的安全狀態查找表只記錄位於『安全狀態』的終端或橋接器終端的對應資料,而不記錄位於『非安全狀態』的終端或橋接器終端的對應資料。應用本實施例者亦可使第二實施例圖6的安全狀態查找表只記錄位於『非安全狀態』的終端或橋接器終端的對應資料,而不記錄位於『安全狀態』的終端或橋接器終端的對應資料,從而達成前述效果。 In the first embodiment, in Fig. 3 and Fig. 4 and the corresponding explanations, it is possible to record the security state identifiers corresponding to the second bus access terminals RP1~RP3, but it is not possible to record each The endpoint's security state identifier. On the other hand, the security status lookup table in FIG. 6 of the second embodiment can selectively record the corresponding information with the target address of the transaction request or the target device identifier, so the second embodiment can record the security status identification of each terminal symbol. Moreover, the security state lookup table in FIG. 6 of the second embodiment only records the corresponding data of the terminal or bridge terminal in the "safe state", but does not record the corresponding data of the terminal or bridge terminal in the "non-secure state". Those who apply this embodiment can also make the security state lookup table in Figure 6 of the second embodiment only record the corresponding data of terminals or bridge terminals in the "non-secure state", but not record the terminals or bridges in the "safe state" Corresponding information of the terminal, so as to achieve the aforementioned effects.
圖8是依照本發明第三實施例的一種電子裝置800的示意圖。與圖3的主要不同處在於,第三實施例將第一實施例中圖3處理器116的功能拆分給圖8的安全層級確認器816以及位於每個第二匯流排存取端RP1~RP3中的安全狀態判斷器815-1~815-3。第一實施例圖3中記憶體位置區間表320紀錄於第三實施例圖8安全層級確認器816可存取的相應記憶體或儲存元件中,但根埠安全狀態表310中橋接器終端118以及第二匯流排存取端RP1~RP3中的每個所對應各自的安全狀態識別符則分別由對應的安全狀態判斷器815-1~815-3所記錄。例如,第三實施例所述圖8中,安全狀態判斷器815-1記錄第二匯流排存取端RP1對應的安全狀態識別符;安全狀態判斷器815-2記錄第二匯流排存取端RP2對應的安全狀態識別符;安全狀態判斷器815-3記錄第二匯流排存取端RP3對應的安全狀態識別符。
FIG. 8 is a schematic diagram of an
圖9是依照本發明第三實施例在匯流排之間傳遞資料的方
法的流程圖。圖9的方法主要適用於圖1橋接裝置110,且依照圖6中所繪示的相應資料進行說明。第二實施例所述圖7的方法是圖1橋接裝置110從第一匯流排107獲得用於資料存取的交易請求,並希望與屬於第二協定的終端120-1~120-3或橋接器終端118進行資料存取的處理流程。圖9步驟S410、步驟S420與步驟S430皆與圖4相應步驟相同,僅差異在於圖9步驟S410、步驟S420與步驟S430由圖8安全層級確認器816來實現。當步驟S420為是(第一交易請求所對應的目標終端是圖8電子裝置800相連的終端的其中之一),則從步驟S420進入步驟S935中,安全層級確認器816將第一交易請求提供給耦接至目標終端(假設為圖8終端120-1)的第二匯流排存取端(假設為圖8第二匯流排存取端RP1)中的目標安全狀態判斷器(假設為安全狀態判斷器815-1)。
Fig. 9 is a method for transferring data between bus bars according to a third embodiment of the present invention
law flowchart. The method in FIG. 9 is mainly applicable to the
圖9的步驟S440”與圖4步驟S440相近似,兩者主要在於,圖9的步驟S440”是由目標安全狀態判斷器(假設為安全狀態判斷器815-1)來實現,並且,目標安全狀態判斷器會記錄與其對應的第二匯流排存取端的安全狀態識別符。以下以安全狀態判斷器815-1作為舉例說明步驟S440”的細節。 Step S440" of Fig. 9 is similar to step S440 of Fig. 4, the two mainly lie in that step S440" of Fig. 9 is realized by the target security state determiner (assumed to be the security state determiner 815-1), and the target security The state determiner records the corresponding security state identifier of the access terminal of the second bus. The details of step S440" will be described below using the security state determiner 815-1 as an example.
於步驟S942中,安全狀態判斷器815-1判斷第一交易請求的第一安全標記是否是第一數值(”0”)。當第一安全標記是第一數值(”0”)時,表示第一交易請求為『安全存取』,且第一交易請求無論目標終端的安全狀態為何皆可進行資料存取,因此從步驟S942進入步驟S948,安全狀態判斷器815-1將第一交易請求基於第二協定 (PCI-E協定)轉譯並傳遞至終端120-1。相對地,當第一安全標記不是第一數值(”0”)時,例如,第一安全標記的數值為”1”,表示第一交易請求為『非安全存取』,因此從步驟S942進入步驟S944,安全狀態判斷器815-1繼續判斷第二匯流排存取端RP1所對應的安全狀態識別符是否是第一數值(”0”),從而判斷目標終端是否屬於『安全狀態』或『非安全狀態』。 In step S942, the security state determiner 815-1 determines whether the first security token of the first transaction request is a first value (“0”). When the first security flag is the first value ("0"), it means that the first transaction request is "secure access", and the first transaction request can perform data access regardless of the security status of the target terminal. Therefore, from the step S942 enters step S948, and the security state determiner 815-1 bases the first transaction request on the second agreement (PCI-E protocol) is translated and delivered to the terminal 120-1. Relatively, when the first security flag is not the first value ("0"), for example, the value of the first security flag is "1", indicating that the first transaction request is "non-secure access", so enter from step S942 In step S944, the security status determiner 815-1 continues to determine whether the security status identifier corresponding to the second bus access terminal RP1 is the first value ("0"), thereby determining whether the target terminal belongs to "safe status" or " unsafe state".
於步驟S944中,當安全狀態識別符RP1是第一數值(”0”)時,表示終端120-1為『安全狀態』。由於第一交易請求為『非安全存取』且不能夠對『安全狀態』的目標終端進行資料存取,因此將從步驟S944進入步驟S946,安全狀態判斷器815-1回傳錯誤訊息以告知發出第一交易請求的組件,其資料存取失敗。相對地,於步驟S944中,當終端120-1所對應的安全狀態識別符不是第一數值(”0”)時,例如,終端120-1所對應的安全狀態識別符的數值為”1”,表示終端120-1為『非安全狀態』。由於第一交易請求為『非安全存取』,且能夠對『非安全狀態』的終端120-1進行資料存取,因此將從步驟S944進入步驟S948,安全狀態判斷器815-1將第一交易請求基於第二協定(PCI-E協定)轉譯並傳遞至終端120-1。 In step S944, when the security status identifier RP1 is the first value ("0"), it means that the terminal 120-1 is in the "safe status". Since the first transaction request is "non-secure access" and cannot perform data access to the target terminal in the "secure state", it will enter step S946 from step S944, and the security state determiner 815-1 returns an error message to inform The component that issued the first transaction request failed to access its data. In contrast, in step S944, when the security state identifier corresponding to the terminal 120-1 is not the first value ("0"), for example, the value of the security state identifier corresponding to the terminal 120-1 is "1". , indicating that the terminal 120-1 is in a "non-secure state". Since the first transaction request is "non-secure access" and data access can be performed on the terminal 120-1 of "non-secure state", it will enter step S948 from step S944, and the security state determiner 815-1 will first The transaction request is translated and delivered to the terminal 120-1 based on the second protocol (PCI-E protocol).
另外,第三實施例中,從終端120-1~120-3或橋接器終端118獲得用於資料存取的交易請求,並希望與第一匯流排107上的組件進行資料存取的處理流程與第一實施例中圖5所述的方法相同。第三實施例中圖5所述的方法可由圖8安全層級確認器816或是圖8安全狀態判斷器815-1~815-3來實現。
In addition, in the third embodiment, the transaction request for data access is obtained from the terminals 120-1~120-3 or the
綜上所述,本發明實施例所述的橋接裝置及在匯流排間進行資料安全的方法使屬於PCI-E協定的終端透過橋接裝置而可支援基於ARM結構的信任區技術。換句話說,橋接裝置透過屬於PCI-E協定的匯流排存取端所對應的安全狀態識別符以及用於資料存取的交易請求中的安全標記來對交易請求進行轉譯並傳遞,從而使得耦接至橋接裝置且屬於PCI-E協定的終端能夠透過信任區技術與ARM結構下的元件相互進行資料存取,擴大信任區技術的應用範圍以實現資料安全。 To sum up, the bridging device and the method for data security between buses described in the embodiments of the present invention enable the terminals belonging to the PCI-E protocol to support the trust zone technology based on the ARM structure through the bridging device. In other words, the bridge device translates and transmits the transaction request through the security status identifier corresponding to the bus access terminal belonging to the PCI-E protocol and the security flag in the transaction request for data access, so that the coupling Terminals connected to the bridge device and belonging to the PCI-E protocol can access data with components under the ARM structure through the trust zone technology, expanding the application range of the trust zone technology to achieve data security.
S410~S448:步驟 S410~S448: steps
Claims (18)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US202263315094P | 2022-03-01 | 2022-03-01 | |
| US63/315,094 | 2022-03-01 |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| TWI806736B true TWI806736B (en) | 2023-06-21 |
| TW202336604A TW202336604A (en) | 2023-09-16 |
Family
ID=87803241
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| TW111130821A TWI806736B (en) | 2022-03-01 | 2022-08-16 | Bridge device and method for transferring data between buses |
Country Status (1)
| Country | Link |
|---|---|
| TW (1) | TWI806736B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6636927B1 (en) * | 1999-09-24 | 2003-10-21 | Adaptec, Inc. | Bridge device for transferring data using master-specific prefetch sizes |
| US6675251B1 (en) * | 2000-03-13 | 2004-01-06 | Renesas Technology Corp. | Bridge device for connecting multiple devices to one slot |
| TW201308200A (en) * | 2011-08-12 | 2013-02-16 | Ite Tech Inc | Bridge, system and the method for prefetching and discarding data thereof |
| US20190340136A1 (en) * | 2017-01-09 | 2019-11-07 | Pure Storage, Inc. | Storage efficiency of encrypted host system data |
| US20200136836A1 (en) * | 2018-10-29 | 2020-04-30 | Pensando Systems Inc. | Authorization with a preloaded certificate |
| TW202203048A (en) * | 2020-07-10 | 2022-01-16 | 日商索尼半導體解決方案公司 | Communication device, communication method, and program |
-
2022
- 2022-08-16 TW TW111130821A patent/TWI806736B/en active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6636927B1 (en) * | 1999-09-24 | 2003-10-21 | Adaptec, Inc. | Bridge device for transferring data using master-specific prefetch sizes |
| US6675251B1 (en) * | 2000-03-13 | 2004-01-06 | Renesas Technology Corp. | Bridge device for connecting multiple devices to one slot |
| TW201308200A (en) * | 2011-08-12 | 2013-02-16 | Ite Tech Inc | Bridge, system and the method for prefetching and discarding data thereof |
| US20190340136A1 (en) * | 2017-01-09 | 2019-11-07 | Pure Storage, Inc. | Storage efficiency of encrypted host system data |
| US20200136836A1 (en) * | 2018-10-29 | 2020-04-30 | Pensando Systems Inc. | Authorization with a preloaded certificate |
| TW202203048A (en) * | 2020-07-10 | 2022-01-16 | 日商索尼半導體解決方案公司 | Communication device, communication method, and program |
Also Published As
| Publication number | Publication date |
|---|---|
| TW202336604A (en) | 2023-09-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US7127541B2 (en) | Automatically establishing a wireless connection between adapters | |
| US7739487B2 (en) | Method for booting a host device from an MMC/SD device, a host device bootable from an MMC/SD device and an MMC/SD device method a host device may booted from | |
| US6654818B1 (en) | DMA access authorization for 64-bit I/O adapters on PCI bus | |
| US6684283B1 (en) | Method for interfacing a cardbay card to the host system by indicating a 16-bit or cardbus PC card insertion to host software | |
| US7007127B2 (en) | Method and related apparatus for controlling transmission interface between an external device and a computer system | |
| US6779052B2 (en) | Electronic apparatus, system and method for controlling communication among devices coupled through different interfaces | |
| WO2003019841A2 (en) | Enhanced protocol conversion system | |
| JPH10187594A (en) | Method and system for supporting equal access among plural pct host/bridges inside data processing system | |
| JP2018523217A (en) | Transmission of transaction-specific attributes in the peripheral component interconnect express (PCIE) system | |
| US20200192838A1 (en) | Extended message signaled interrupts (msi) message data | |
| US6161178A (en) | Data processing system and method for specification of one of a plurality of password requirements for each boot device | |
| EP1894117B1 (en) | A remote node index mapping mechanism for serial attached storage devices | |
| JP2000172639A (en) | Remote operation method and data processing system | |
| JP2000172388A (en) | Data processing system and method for disabling remote operation of client computer system | |
| US7047343B2 (en) | System and method for communication of keyboard and touchpad inputs as HID packets embedded on a SMBus | |
| US7395365B2 (en) | Data transfer control system, electronic instrument, program, and data transfer control method | |
| TWI806736B (en) | Bridge device and method for transferring data between buses | |
| WO2014017761A1 (en) | Storage device reader having security function and security method using same | |
| JP2002032324A (en) | System for controlling pci bus device connection | |
| TWI246008B (en) | Integrated expansion card | |
| US6883043B2 (en) | Information processing apparatus incorporated in a control unit storing an authentication information and transmitting a command to request an access right when a first mode is set | |
| CN114925386A (en) | Data processing method, computer device, data processing system and storage medium | |
| US20060095626A1 (en) | Multifunction adapter | |
| JP2000172606A (en) | Remote access method and data processing system | |
| TW200413940A (en) | Method and apparatus for handling data transfers |