WO2021217559A1 - Data protection method and apparatus - Google Patents

Data protection method and apparatus

Info

Publication number
WO2021217559A1
Application number
PCT/CN2020/088065
Authority
WO (WIPO, PCT)
Prior art keywords
deflection, metric value, encryption unit, expected, credibility
Other languages
French (fr), Chinese (zh)
Inventor
陈幼雷
Original Assignee
华为技术有限公司 (Huawei Technologies Co., Ltd.)
Priority
CN202080004383.3A (CN112543928B); PCT/CN2020/088065 (WO2021217559A1)

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G06F21/60 Protecting data > G06F21/606 Protecting data by securing the transmission between two devices or processes
    • G06F21/60 Protecting data > G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • This application relates to the technical fields of automatic driving and intelligent networked vehicles, and in particular to a data protection method and device.
  • The existing method lacks an effective protection mechanism and cannot prevent coordinate data from being maliciously intercepted, which lowers the security of vehicle data.
  • The embodiments of the present application provide a data protection method and device to improve the security of vehicle data.
  • In a first aspect, an embodiment of the present application provides a data protection method applied to a vehicle-mounted computing device. The vehicle-mounted computing device includes a deflection encryption unit and a trusted measurement unit, both of which operate in a trusted execution environment. The method includes:
  • The deflection encryption unit obtains an expected metric value, and requests to call the trusted measurement unit to execute a first trusted measurement.
  • The deflection encryption unit may call an application programming interface (API) in order to call the trusted measurement unit to execute the first trusted measurement.
  • The trusted measurement unit executes the first trusted measurement to generate an operating metric value and feeds the operating metric value back to the deflection encryption unit; the deflection encryption unit verifies the security of performing data operations in the vehicle by comparing the expected metric value with the operating metric value.
  • Because the deflection encryption unit compares the obtained expected metric value with the operating metric value generated by the trusted measurement unit, the security of data operations performed in the vehicle is effectively verified, which in turn ensures the security of vehicle data.
  • Before the deflection encryption unit obtains the expected metric value, the method further includes:
  • The deflection encryption unit determines that the expected metric value is not prefabricated locally.
  • For example, the deflection encryption unit can query a local hardware security module (HSM), or the non-volatile storage of the device, to determine that no expected metric value is prefabricated locally; alternatively, the deflection encryption unit can determine this from a status flag.
  • The deflection encryption unit then requests to call the trusted measurement unit to execute a second trusted measurement, and the trusted measurement unit executes the second trusted measurement to generate an initial metric value;
  • In this case, obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit obtaining the initial metric value.
  • Having the deflection encryption unit call the trusted measurement unit to generate an initial metric value effectively improves the flexibility of obtaining the expected metric value.
  • The trusted measurement unit executing the second trusted measurement to generate an initial metric value includes:
  • The trusted measurement unit generates the initial metric value by performing a hash calculation over a predefined program module and operating environment.
  • Obtaining the initial metric value by hashing the predefined program module and operating environment effectively verifies the integrity of both the program and the environment.
  • The program module refers to the high-precision map application program used for processing sensitive data; it may be a single whole program, or it may be composed of multiple programs with relatively independent functions.
  • The operating environment refers to the system service components that run the high-precision map application program, such as library files (dynamic link libraries or static link libraries), middleware (such as database middleware), virtual machine environments (such as a Java virtual machine), or operating system service components.
  • The hash algorithm can be a standard hash algorithm such as SHA-1, SHA-256 or SM3.
  • Before the deflection encryption unit obtains the expected metric value, the method further includes:
  • The deflection encryption unit performs mutual authentication with the supervisory server and establishes a secure channel; establishing the secure channel guarantees the security of subsequent data transmission. The deflection encryption unit then requests the expected metric value from the server;
  • Obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit receiving the expected metric value returned by the server.
  • By establishing a secure channel with the server, the expected metric value can be obtained online without reducing security, and there is no need to perform a trusted measurement during the startup phase, which reduces computational overhead.
  • Before the deflection encryption unit obtains the expected metric value, the method further includes:
  • The deflection encryption unit determines that the expected metric value is prefabricated locally; and
  • Obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit obtaining the locally prefabricated expected metric value.
  • The locally stored expected metric value is obtained directly, so the expected metric value is acquired conveniently and efficiently.
  • The method further includes:
  • The deflection encryption unit requests to call the trusted measurement unit to execute a third trusted measurement;
  • The trusted measurement unit executes the third trusted measurement to generate an initial metric value; and
  • If the expected metric value is not equal to the initial metric value, the deflection encryption unit turns off the data operation function or raises an alarm.
  • Because subsequent processing is performed only when the expected metric value is consistent with the initial metric value, data security is effectively improved and the expected metric value is prevented from being updated or tampered with while the system is offline.
  • The deflection encryption unit verifying the security of performing data operations in the vehicle by comparing the expected metric value and the operating metric value includes:
  • The deflection encryption unit determines that the expected metric value is equal to the operating metric value; and
  • The deflection encryption unit performs the data operation.
  • The data operation may be, for example, the deflection encryption unit performing processing procedures such as deflection and encryption on sensitive data such as coordinates, and sending the processed results to the high-precision map application program.
  • The deflection encryption unit verifying the security of performing data operations in the vehicle by comparing the expected metric value and the operating metric value includes:
  • The deflection encryption unit determines that the expected metric value is not equal to the operating metric value, and turns off the data operation function or raises an alarm.
  • The data operation is performed only when the deflection encryption unit determines that the expected metric value equals the operating metric value; when the values are not equal, the data operation function is turned off directly or an alarm is raised, which effectively ensures the safety of the program and the environment.
  • The trusted measurement unit executing the first trusted measurement to generate the operating metric value includes:
  • The trusted measurement unit generates the operating metric value by performing a hash calculation over a predefined program module and operating environment.
  • Obtaining the operating metric value by hashing the predefined program module and operating environment effectively verifies the integrity of the program and the environment.
  • In a second aspect, an embodiment of the present application provides a vehicle-mounted computing device including a deflection encryption unit and a trusted measurement unit, both of which operate in a trusted execution environment;
  • The deflection encryption unit is configured to obtain the expected metric value and to request to call the trusted measurement unit to execute the first trusted measurement;
  • The trusted measurement unit is configured to execute the first trusted measurement, generate an operating metric value, and feed the operating metric value back to the deflection encryption unit;
  • The deflection encryption unit is further configured to verify the security of data operations performed in the vehicle by comparing the expected metric value with the operating metric value.
  • The deflection encryption unit is further configured to determine, before obtaining the expected metric value, that the expected metric value is not prefabricated locally, and to request to call the trusted measurement unit to execute the second trusted measurement;
  • The trusted measurement unit is further configured to execute the second trusted measurement to generate an initial metric value; and
  • Obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit obtaining the initial metric value.
  • The trusted measurement unit executing the second trusted measurement to generate an initial metric value includes: the trusted measurement unit generating the initial metric value by performing a hash calculation over a predefined program module and operating environment.
  • The deflection encryption unit is further configured to determine, before obtaining the expected metric value, that the expected metric value is not prefabricated locally, and to request the expected metric value from the server;
  • Obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit receiving the expected metric value returned by the server.
  • The deflection encryption unit is further configured to determine, before obtaining the expected metric value, that the expected metric value is prefabricated locally; and
  • Obtaining the expected metric value by the deflection encryption unit includes the deflection encryption unit obtaining the locally prefabricated expected metric value.
  • The deflection encryption unit is further configured to request to call the trusted measurement unit to execute the third trusted measurement after obtaining the expected metric value;
  • The trusted measurement unit is further configured to execute the third trusted measurement to generate an initial metric value; and
  • The deflection encryption unit is further configured to determine that the expected metric value is not equal to the initial metric value, and then to turn off the data operation function or raise an alarm.
  • The deflection encryption unit being configured to verify the security of performing data operations in the vehicle by comparing the expected metric value and the operating metric value includes: the deflection encryption unit being configured to determine that the expected metric value is equal to the operating metric value, and to execute the data operation.
  • The deflection encryption unit being configured to verify the security of performing data operations in the vehicle by comparing the expected metric value and the operating metric value includes: the deflection encryption unit being configured to determine that the expected metric value is not equal to the operating metric value, and to turn off the data operation function or raise an alarm.
  • The trusted measurement unit being configured to execute the first trusted measurement and generate the operating metric value includes: the trusted measurement unit generating the operating metric value by performing a hash calculation over a predefined program module and operating environment.
  • An embodiment of the present application provides an in-vehicle computing device including a memory and a processor; the memory stores computer program instructions, and the processor runs the computer program instructions to execute the method of the first aspect or of any of its possible implementations.
  • An embodiment of the present application provides a computer storage medium including computer instructions; when the computer instructions are executed by a processor, the method of the first aspect or of any of its possible implementations is implemented.
  • An embodiment of the present application provides a computer program product which, when run on a processor, implements the method of the first aspect or of any of its possible implementations.
  • An embodiment of the present application provides a data processing system including a server and the vehicle-mounted computing device of the second aspect or of any of its possible implementations.
  • An embodiment of the present application provides a smart car including an in-vehicle communication device and the in-vehicle computing device of the second aspect or of any of its possible implementations.
  • The embodiments of the present application provide a data protection method and device.
  • The method includes: the deflection encryption unit obtains an expected metric value.
  • The deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • The trusted measurement unit executes the first trusted measurement and generates an operating metric value.
  • The trusted measurement unit feeds the operating metric value back to the deflection encryption unit.
  • The deflection encryption unit verifies the security of data operations performed in the vehicle by comparing the expected metric value with the operating metric value.
  • Because the deflection encryption unit compares the acquired expected metric value with the operating metric value generated by the trusted measurement unit, the security of data operations performed in the vehicle is effectively verified, which in turn ensures the security of vehicle data.
  • FIG. 1 is a schematic diagram of an automatic driving system in a vehicle to which an embodiment of the application is applicable;
  • FIG. 2 is a schematic diagram of a high-precision map navigation system applicable to an embodiment of this application;
  • FIG. 3 is a flowchart of a data protection method provided by an embodiment of this application.
  • FIG. 4 is a flowchart of another data protection method provided by an embodiment of the application.
  • FIG. 5 is a flowchart of another data protection method provided by an embodiment of this application.
  • FIG. 6 is a flowchart of yet another data protection method provided by an embodiment of this application.
  • FIG. 7 is a structural block diagram of a vehicle-mounted computing device provided by an embodiment of the application.
  • FIG. 8 is a structural block diagram of another vehicle-mounted computing device provided by an embodiment of the application.
  • Global Navigation Satellite System (GNSS) is the collective name for the individual satellite navigation and positioning systems that currently exist.
  • A global navigation satellite system can provide three-dimensional coordinates, speed and time information, in all weather, anywhere on the surface of the earth or in near-Earth space.
  • An inertial measurement unit (IMU) is a device that measures the three-axis attitude angle (or angular rate) and acceleration of an object.
  • Generally, an IMU contains three single-axis accelerometers and three single-axis gyroscopes.
  • The accelerometers detect the acceleration signal of the object in the carrier's independent three-axis coordinate system, while the gyroscopes detect the angular velocity signal of the carrier relative to the navigation coordinate system; by measuring the angular velocity and acceleration of the object in three-dimensional space, the attitude of the object is obtained, so the IMU has very important application value in navigation.
  • A Telematics BOX (T-BOX) can communicate with the back-end system, or with terminal equipment, to display vehicle information and control the vehicle.
  • WGS84, in full World Geodetic System 1984, is the coordinate system established for the use of the Global Positioning System (GPS); it can be the coordinate system of the coordinates output by GNSS.
  • GCJ-02 is a coordinate format defined by the national surveying and mapping administration of China.
  • C-V2X (Cellular V2X) is an Internet of Vehicles mechanism based on cellular communication.
  • FIG. 1 is a schematic diagram of the application scenario of the data protection method provided by an embodiment of the application. As shown in FIG. 1:
  • The application scenario includes a vehicle 10, which can realize automatic driving.
  • The automatic driving system inside the vehicle 10 may include a sensor perception module, a planning control module, a high-precision map and positioning module (HD map/Localization), a global navigation satellite system/inertial measurement unit (GNSS/IMU), a sensor fusion module, and so on; this embodiment does not limit this.
  • The automatic driving system in this embodiment can carry out the coordinate processing of the vehicle.
  • The GNSS/IMU can send the WGS84 coordinates of the own vehicle to the high-precision map and positioning module, and the T-BOX can obtain from the cloud the GCJ-02 coordinates of other objects (such as external static objects, or dynamic objects such as other vehicles) and send the acquired GCJ-02 coordinates of those objects to the high-precision map and positioning module.
  • The high-precision map and positioning module can convert the received WGS84 coordinates of the own vehicle and/or the GCJ-02 coordinates of other objects into GCJ-02 coordinates of the own vehicle, and provide them to the sensor fusion module and the planning control module.
  • The sensor fusion module and the planning control module can then control the vehicle according to its GCJ-02 coordinates, for example adjusting the position of the vehicle or changing its direction.
  • This involves the processing of coordinates, such as WGS84 and GCJ-02 coordinates; both the coordinate data itself and the method used to deflect the coordinates are sensitive data.
  • The processing of the coordinates therefore needs to be protected, and the deflection method of the coordinates needs to be protected as well.
  • The deflection of the coordinates can be, for example, the conversion of WGS84 coordinates to GCJ-02 coordinates; protecting coordinate processing and the coordinate deflection method ensures the security of the coordinate data.
  • The program module that processes coordinates in the vehicle may handle GCJ-02 coordinates, but it must prevent the GCJ-02 coordinates from being stolen by illegal programs or exposed directly to the outside (for example, by transmitting the coordinates directly out of the program).
  • Existing technical solutions for coordinate processing and the coordinate deflection method are usually implemented by the supervisory authority (such as the Ministry of Natural Resources).
  • The supervisory authority has designed a binding mechanism: all modules related to coordinate processing, together with the module that implements the deflection method, are compiled by the regulatory authority at source code level to generate one large binary program module.
  • The module that implements the deflection method can itself be provided by the regulatory authority.
  • The regulatory authority provides the generated binary program module to the autonomous driving software developer (or navigation service provider), who performs follow-up operations on the received binary program module to realize the automatic driving process.
  • This processing method has two purposes. The first is to prevent the coordinates from being exposed outside the built module; the second is to prevent the deflection method from being reverse engineered, because the more modules take part in the compilation, the harder it is to directly reverse the deflection method.
  • The sensor fusion module, planning control module, and high-precision map and positioning module in Figure 1 are therefore required to participate in the binding.
  • However, the existing binding mechanism cannot prevent the data of the modules participating in the binding from being intercepted by other malicious programs at run time; it lacks a dynamic protection mechanism.
  • In addition, the current build is an offline manual process: the developer provides the modules to be built offline to the supervisory department, the supervisory department compiles them offline, and after compilation the generated binary program modules are provided offline back to the developer.
  • Since a large number of developers provide modules for linking, this makes the development and application of autonomous driving inefficient.
  • This application therefore proposes the following technical idea: a trusted measurement unit is added to the vehicle-mounted computing component to generate a metric value for the program, so that tampering with the program is detected by comparing metric values and the security of the data is verified.
  • FIG. 2 is a schematic diagram of the data processing system provided by an embodiment of the present application.
  • The system includes a vehicle-mounted computing device, a vehicle-mounted communication device, and a map application cloud platform.
  • First, the vehicle-mounted computing device is introduced.
  • The vehicle-mounted computing device can be used to run the high-precision map application unit and the deflection encryption unit shown in FIG. 2.
  • The vehicle-mounted computing device can run an independent operating system (OS), a trusted execution environment (TEE), and the high-precision map application unit.
  • For the implementation of the high-precision map application unit, reference may be made to the sensor fusion module, planning control module, and high-precision map and positioning module introduced in Figure 1 above; the high-precision map application unit may also include other processing modules, which this embodiment does not specifically limit.
  • The vehicle-mounted computing device can obtain coordinate data from the vehicle-mounted sensors and from the Global Navigation Satellite System (GNSS); see Figure 2.
  • The high-precision map application unit in the vehicle-mounted computing device obtains coordinate data from the vehicle-mounted sensors, from which the relative positions of map objects are obtained, and the deflection encryption unit in the vehicle-mounted computing device obtains WGS84 coordinates from the GNSS.
  • The coordinate data obtained by the vehicle-mounted computing device is processed by the deflection encryption unit to obtain the own-vehicle GCJ-02 coordinates, which the deflection encryption unit then sends to the high-precision map application unit for processing.
  • The deflection encryption unit and the trusted measurement unit operate in the TEE. The TEE protects the deflection encryption unit and the trusted measurement unit, and it also protects the channel over which coordinate data is transmitted to the high-precision map application unit.
  • The vehicle-mounted computing device also includes a hardware security module (HSM), which can be used, for example, to store security parameters.
  • Before transmitting coordinates, the deflection encryption unit can call the trusted measurement unit to verify the trustworthiness of the high-precision map application unit, and transmit the coordinate data only after the verification passes, thereby effectively ensuring the security of the data.
  • The vehicle-mounted communication device in this embodiment is used to establish a network connection between the vehicle-mounted computing device and the servers on the map application cloud platform; see Figure 2.
  • The vehicle-mounted communication device includes a communication unit.
  • The communication unit may use, for example, the C-V2X mechanism, which provides a secure communication mechanism; alternatively, the communication unit may use any other communication mechanism, which this embodiment does not specifically restrict.
  • The map application cloud platform includes a supervisory server and an application server.
  • The supervisory server is used to manage and configure the security parameters in the deflection encryption unit; the security parameters may be, for example, the expected metric value.
  • The application server is used to process the encrypted own-vehicle high-precision GCJ-02 coordinates uploaded by the deflection encryption unit.
  • In this way the trustworthiness verification process is realized, achieving integrity measurement of the high-precision map application unit and its associated operating environment modules.
  • The operating environment modules may include, for example, the system services, middleware, and software libraries that need to be called.
  • A securely isolated environment is established on the vehicle-mounted computing device through the TEE; programs in the ordinary operating system environment cannot access resources in the isolated environment, which prevents the deflection encryption unit and the trusted measurement unit from being damaged by malicious programs in the external system and effectively ensures the security of the system.
  • FIG. 3 is a flowchart of the data protection method provided by one of the embodiments of this application.
  • the method provided in this application is applied to a vehicle-mounted computing device, where the vehicle-mounted computing device includes a deflection encryption unit and a trusted measurement unit, wherein the deflection encryption unit and the trusted measurement unit both operate in a trusted execution environment, and the deflection encryption unit and the trusted measurement unit are both operating in a trusted execution environment.
  • the measurement unit reference may be made to the content introduced in the embodiment in FIG. 2, which will not be repeated here.
  • the method includes:
  • the deflection encryption unit obtains an expected metric value.
  • the deflection encryption unit can obtain the expected metric value during the startup phase of the vehicle, for example.
  • the expected metric value may be, for example, pre-sent by the supervisory server to the vehicle-mounted computing device, and the deflection encryption unit may directly obtain the expected metric value locally.
  • the system or component manufacturer can submit the expected metric value to the management department for review in advance.
  • the supervisory server can issue the expected metric value to the deflection encryption unit through the secure channel, so that the deflection encryption unit can obtain the expected value.
  • the expected metric value can be, for example, the integrity value of each unit in the system and of the main operating environment (such as the TEE, critical dependency libraries, etc.).
  • when the system or a component is updated, the system or component manufacturer can submit the updated value to the management department for review, and the supervision server then updates the expected metric value.
  • the expected metric value may also be generated by the trusted measurement unit executing a trusted measurement, and the deflection encryption unit may receive the metric value fed back by the trusted measurement unit to obtain the expected metric value.
  • this embodiment does not limit the manner in which the deflection encryption unit obtains the expected metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the deflection encryption unit may request to call the credibility measurement unit to execute the first credibility measurement during the verification phase of the vehicle, for example.
  • the deflection encryption unit may call an application programming interface (API) of the trusted measurement unit, thereby calling the trusted measurement unit to execute the first trusted measurement.
  • the credibility measurement unit executes the first credibility metric to generate a running metric value.
  • the trusted measurement unit may execute the first trusted measurement in response to the call of the deflection encryption unit, thereby generating the running measurement value. It is understandable that the expected measurement value and the running measurement value in this embodiment may or may not be the same.
  • the trusted measurement unit may perform hash calculation through a predefined program module and operating environment, thereby generating an operating measurement value.
  • a program module refers to a high-precision map application program used to process sensitive data. It can be a whole program, or it can be composed of multiple programs with relatively independent functions, and there is no order requirement among multiple program modules.
  • the operating environment refers to the system service components that run the high-precision map application program, such as library files (dynamic link library or static link library), middleware (such as database middleware), virtual machine environment (such as the Java virtual machine), and operating system service components, etc., and can be a list of program modules formed in a certain loading order.
  • the first credibility measurement can perform a code hash calculation on each program in the list one by one, in order, according to the pre-configured list.
  • if the hash calculation values obtained for the programs are H1, H2, H3, H4, ..., then the generated hash calculation values can be linked together in order to obtain the linked hash calculation value: H1 || H2 || H3 || H4 || ...
  • the linked hash calculation value can then be hashed to obtain the running metric value, where the running metric value may satisfy the following formula one, for example:
  • M = Hash(H1 || H2 || H3 || H4 || ...)  (formula one)
  • where M is the running metric value and Hash is the hash function.
  • the hash algorithm can adopt, for example, a standard hash algorithm such as SHA-1, SHA-256 or SM3, which is not limited in this embodiment (note that SHA-1 is no longer considered collision-resistant, so SHA-256 or SM3 should be preferred in practice).
  • the method of generating the expected metric value can be the same as the method of generating the running metric value. Therefore, if the program has not been tampered with and the data is not illegally output, the expected metric value and the running metric value should be the same.
  • the first credibility measurement can also be implemented in a standard way, such as using the remote attestation protocol of the Trusted Computing Group (TCG) standard, or using a lighter-weight framework such as the Integrity Measurement Architecture (IMA).
  • the credibility measurement is performed by the credibility measurement unit, that is, the measurement value is obtained by performing a hash calculation on the pre-defined program module and the operating environment. This effectively verifies the integrity of the program and the environment, and reveals whether the program has been tampered with or whether an illegal program is present, so that the data can be prevented from being accessed by an illegal program during processing.
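The measurement of formula one, as an added example that is not part of the patent text: each module in the pre-configured loading list is hashed in order, the digests are linked, and the linked value is hashed again. The module names and contents are constructed stand-ins, and SHA-256 stands in for the unspecified hash algorithm; the tampered and reordered variants show which changes the metric value catches.

```python
# Added example (not the patent's own code): the trusted measurement of
# "formula one". Every program module / environment component in the
# pre-configured loading list is hashed in order (H1, H2, H3, ...), the
# digests are linked in that order, and the linked value is hashed once
# more to give the metric value M = Hash(H1 || H2 || ... || Hn).
# SHA-256 is used because it is in the standard library; the module
# contents are constructed byte strings standing in for real binaries.
import hashlib
import hmac
from typing import Sequence, Tuple

Module = Tuple[str, bytes]  # (name, code bytes) in loading order


def measure(modules: Sequence[Module], algo: str = "sha256") -> str:
    """Formula one: M = Hash(H1 || H2 || ... || Hn) with Hi = Hash(code_i).

    The loading order is part of the measurement: the same modules in a
    different order give a different M, so a swapped load order is caught
    as well as a patched binary."""
    per_module = [hashlib.new(algo, code).digest() for _name, code in modules]
    linked = b"".join(per_module)  # H1 || H2 || ... in list order
    return hashlib.new(algo, linked).hexdigest()


# Constructed stand-ins for the predefined program modules and operating
# environment (assumed names; a real deployment hashes the loaded binaries).
GOLDEN_LIST = [
    ("libc.so", b"\x7fELF libc 2.31 (constructed)"),
    ("libsqlite3.so", b"\x7fELF sqlite middleware (constructed)"),
    ("jvm", b"\x7fELF java virtual machine (constructed)"),
    ("hdmap_app", b"\x7fELF high-precision map app (constructed)"),
]


def expected_metric() -> str:
    """The value the manufacturer submits for review and the supervisory
    server later issues: the measurement of the audited golden list."""
    return measure(GOLDEN_LIST)


def running_metric_tampered() -> str:
    """Running measurement after one byte of the map application is patched."""
    tampered = [(n, c.replace(b"map app", b"map ap!")) for n, c in GOLDEN_LIST]
    return measure(tampered)


def running_metric_reordered() -> str:
    """Running measurement with every module intact but the map app loaded
    before the JVM (a changed operating environment)."""
    reordered = GOLDEN_LIST[:2] + [GOLDEN_LIST[3], GOLDEN_LIST[2]]
    return measure(reordered)


def verify(expected: str, running: str) -> bool:
    """The deflection encryption unit's check. hmac.compare_digest keeps the
    comparison constant-time so a mismatch does not leak how many leading
    digest bytes agreed."""
    return hmac.compare_digest(expected, running)


if __name__ == "__main__":
    exp = expected_metric()
    print("expected M  :", exp)
    print("unchanged ok:", verify(exp, measure(GOLDEN_LIST)))  # True
    print("tampered ok :", verify(exp, running_metric_tampered()))  # False
    print("reordered ok:", verify(exp, running_metric_reordered()))  # False
```

Because the per-module digests are concatenated before the final hash, the measurement is sensitive both to the content of every module and to the order of the list, which is why the reordered environment fails verification even though no binary was modified.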
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • after the trusted measurement unit generates the running measurement value, it feeds back the running measurement value to the deflection encryption unit.
  • the deflection encryption unit verifies the security of performing data operations in the vehicle by comparing the expected metric value and the running metric value.
  • the expected metric value may be obtained during the vehicle startup phase, and the running metric value may be generated during the vehicle verification phase. It is understandable that after the vehicle is started, if the program runs normally and no illegal output of data occurs, the running metric value and the expected metric value are the same; however, if the program is tampered with or data is illegally output, the running metric value changes accordingly, so the deflection encryption unit can verify the security of performing data operations in the vehicle by comparing the expected metric value with the running metric value.
  • if the deflection encryption unit determines that the expected metric value and the running metric value are equal, the deflection encryption unit can determine that there is no program tampering or illegal output of data, and can thus determine that the current data and program are secure.
  • the deflection encryption unit can perform data operations.
  • the data operation performed by the deflection encryption unit may be, for example, deflection processing of sensitive data such as coordinates, encryption processing of sensitive data such as coordinates, and/or sending the processed result to the high-precision map application unit.
  • if the deflection encryption unit determines that the expected metric value and the running metric value are not equal, the deflection encryption unit can determine that the data and/or the program is not secure, and can turn off the above data operation function or perform alarm processing, which effectively ensures the security of data processing.
  • the data protection method provided by the embodiment of the present application includes: the deflection encryption unit obtains an expected metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the credibility measurement unit executes the first credibility metric and generates a running metric value.
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • the deflection encryption unit verifies the security of data operations performed in the car by comparing the expected metric value and the operating metric value.
  • the deflection encryption unit compares the acquired expected metric value with the operating metric value generated by the trusted measurement unit, thereby effectively verifying the security of data operations performed in the vehicle, thereby effectively ensuring the security of vehicle data.
  • the deflection encryption unit can obtain the expected metric value through the trusted measurement unit; or the deflection encryption unit can also obtain the expected metric value locally.
  • the following example further introduces the data protection method provided by the present application in detail, with reference to FIG. 4, which is a flowchart of the data protection method provided by another embodiment of the application.
  • the method includes:
  • the deflection encryption unit judges whether there is a pre-made expected metric value locally, if yes, execute S402, if not, execute S403.
  • when there is a preset expected metric value locally, the deflection encryption unit can obtain the expected metric value locally; when no preset expected metric value exists locally, the deflection encryption unit can request to call the trusted measurement unit to generate a metric value in order to obtain the expected metric value.
  • the deflection encryption unit judges whether there is a prefabricated expected metric value locally.
  • the deflection encryption unit can, for example, query whether there is a prefabricated expected metric value in the local hardware security module (HSM); or the deflection encryption unit can query whether there is an expected metric value in the local non-volatile storage; or the deflection encryption unit can determine whether there is a pre-made expected metric value locally based on a status flag.
  • the deflection encryption unit obtains a local prefabricated expected metric value.
  • the deflection encryption unit determines that there is a prefabricated expected metric value locally, then the deflection encryption unit can directly obtain the local prefabricated expected metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the second trusted measurement.
  • S404 The trusted measurement unit executes the second trusted measurement to generate an initial measurement value.
  • the trusted measurement unit feeds back the initial measurement value to the deflection encryption unit.
  • the deflection encryption unit determines that there is no pre-made expected metric value locally, the deflection encryption unit can call the trusted metric unit to generate the expected metric value.
  • the deflection encryption unit can request to call the trusted measurement unit to execute the second trusted measurement, thereby generating the initial measurement value.
  • the trusted measurement unit can perform a hash calculation on the predefined program module and operating environment to generate the initial metric value.
  • the implementation of the second credibility measurement is similar to the implementation of the first credibility measurement introduced in step S303; the difference lies in the pre-defined program modules and operating environment, that is, the input data on which the credibility measurement is executed. The specific implementation of the second credibility measurement is therefore not described in detail in this embodiment.
  • the deflection encryption unit obtains an initial metric value.
  • the deflection encryption unit can obtain the expected metric value by obtaining the initial metric value, that is, it determines the initial metric value as the expected metric value.
  • the deflection encryption unit can directly obtain the expected metric value locally when it determines that there is a pre-made expected metric value locally; when it determines that there is no pre-made expected metric value locally, it calls the trusted measurement unit to generate the initial metric value and uses it as the expected metric value, which effectively improves the flexibility of obtaining the expected metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the trustworthy measurement unit executes the first trustworthy metric to generate a running metric value.
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • the deflection encryption unit judges whether the expected metric value and the running metric value are equal, if yes, execute S411, if not, execute S412.
  • the expected metric value may be obtained locally. It can be understood that the expected metric value obtained locally is sent to the deflection encryption unit in advance by the supervisory server, and the expected metric value sent by the server is obtained in advance by the system or component manufacturer by performing a hash calculation on the pre-defined program module and operating environment.
  • the expected metric value may also be obtained by the trustworthiness measurement unit executing the second trustworthiness measurement, which likewise performs a hash calculation on a predefined program module and operating environment.
  • the running metric value in this embodiment is obtained by the credibility measurement unit executing the first credibility measurement, which likewise performs a hash calculation on a predefined program module and operating environment.
  • the deflection encryption unit performs data operations.
  • if the deflection encryption unit determines that the expected metric value and the running metric value are equal, it can be determined that the predefined program module and operating environment have not changed and that the current data and program are secure, so the deflection encryption unit can perform data operations.
  • the data operation performed by the deflection encryption unit may be, for example, deflection processing of sensitive data such as coordinates, encryption processing of sensitive data such as coordinates, and/or sending the processed result to the high-precision map application unit.
  • the deflection encryption unit closes the data operation function, or generates an alarm.
  • if the deflection encryption unit determines that the expected metric value and the running metric value are not equal, the deflection encryption unit can determine that the data and/or the program is not secure, and can turn off the above data operation function or perform alarm processing, which effectively ensures the security of data processing.
  • the data protection method provided by the embodiment of the present application includes: a deflection encryption unit judging whether there is a prefabricated expected metric value locally, and if so, the deflection encryption unit obtains the local prefabricated expected metric value. If not, the deflection encryption unit requests to call the trusted measurement unit to execute the second trusted measurement.
  • the credibility measurement unit executes the second credibility metric to generate an initial metric value.
  • the trusted measurement unit feeds back the initial measurement value to the deflection encryption unit.
  • the deflection encryption unit obtains the initial metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the credibility measurement unit executes the first credibility metric and generates a running metric value.
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • the deflection encryption unit judges whether the expected metric value and the running metric value are equal, and if so, the deflection encryption unit executes the data operation. If not, the deflection encryption unit closes the data operation function, or alarms.
  • in this way, data security can be verified, sensitive data such as coordinates can be effectively protected from unauthorized access in a simple and efficient manner, and the security of data in the vehicle is enhanced.
  • the method provided in this embodiment avoids binding the processing units as a whole, so that management and control of each processing unit can be realized online in a simple and efficient manner.
  • when the deflection encryption unit determines that the expected metric value is not pre-made locally, in another possible implementation manner, it can also request the expected metric value from the server; the following describes how the expected metric value is requested from the server.
  • FIG. 5 is a flowchart of a data protection method provided by another embodiment of the application.
  • the method includes:
  • the deflection encryption unit judges whether there is a prefabricated expected metric value locally, if yes, execute S502, if not, execute S503.
  • the deflection encryption unit obtains a local prefabricated expected metric value.
  • the deflection encryption unit performs mutual authentication with the supervision server and establishes a secure channel.
  • the deflection encryption unit requests the server to obtain the expected metric value.
  • the deflection encryption unit receives the expected metric value returned by the server.
  • if the deflection encryption unit determines that there is no locally pre-prepared expected metric value, it can request the expected metric value from the server.
  • the deflection encryption unit performs mutual authentication with the supervisory server and establishes a secure channel, thereby ensuring the security of subsequent data transmission.
  • the deflection encryption unit requests the supervisory server to obtain the expected metric value.
  • the supervisory server can return the expected metric value to the deflection encryption unit through the secure channel, and the deflection encryption unit receives the expected metric value returned by the supervisory server to obtain the expected metric value.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the trustworthy measurement unit executes the first trustworthy metric to generate a running metric value.
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • the deflection encryption unit judges whether the expected metric value and the running metric value are equal, if yes, execute S510, and if not, execute S511.
  • the deflection encryption unit performs data operations.
  • the deflection encryption unit closes the data operation function, or generates an alarm.
  • a secure channel can be established with the server, so that the expected metric value is obtained from the server online; without reducing security, there is no need to perform the credibility measurement process during the startup phase, which reduces the computational overhead.
  • because the expected metric value is obtained online from the server, there is no need to permanently store the expected metric value locally, which reduces local storage overhead and effectively increases the applicable scenarios; for example, when the vehicle cannot be provisioned with the expected metric value in advance, obtaining it from the server is an effective and flexible method.
  • a verification of the initial metric value at startup can additionally be performed: regardless of whether an expected metric value exists locally, the trusted measurement unit is called to perform a trusted measurement at startup; if there is no expected metric value locally, the expected metric value is first obtained online from the server; the initial metric value is then compared with the expected metric value, and only if they are consistent does the subsequent process continue.
  • FIG. 6 is a flowchart of a data protection method provided by still another embodiment of this application.
  • the method includes:
  • the deflection encryption unit judges whether there is a pre-made expected metric value locally, if yes, execute S602, if not, execute S603.
  • the deflection encryption unit obtains a local prefabricated expected metric value.
  • the deflection encryption unit performs mutual authentication with the supervision server and establishes a secure channel.
  • the deflection encryption unit requests the server to obtain the expected metric value.
  • the deflection encryption unit receives the expected metric value returned by the server.
  • the deflection encryption unit requests to call the trustworthiness measurement module to execute the third trustworthiness measurement.
  • the trusted measurement unit executes a third trusted measurement to generate an initial measurement value.
  • the deflection encryption unit can request the trusted measurement unit to execute the third trusted measurement, thereby generating the initial measurement value, and the trusted measurement unit feeds back the initial measurement value to the deflection encryption unit.
  • the trusted measurement unit may generate the initial measurement value by performing a hash calculation on a pre-defined program module and operating environment.
  • the implementation of the third credibility measurement is similar to the implementation of the first credibility measurement introduced in step S303; the difference lies in the pre-defined program modules and operating environment, that is, the input data on which the credibility measurement is executed. The specific implementation of the third credibility measurement is therefore not described in detail in this embodiment.
  • the deflection encryption unit judges whether the expected metric value is equal to the initial metric value, if not, execute S609, and if yes, execute S610.
  • the deflection encryption unit judges whether the expected metric value and the initial metric value are equal. It can be understood that while the vehicle is not started, there may be system software updates or illegal reflashing; therefore, when the vehicle is started, comparing the expected metric value with the initial metric value can verify whether the system has changed since the last audit passed, which effectively improves security.
  • the deflection encryption unit closes the data operation function, or generates an alarm.
  • if the deflection encryption unit determines that the expected metric value and the initial metric value are not equal, the deflection encryption unit can turn off the data operation function or raise an alarm, thereby ensuring the security of the vehicle data.
  • the deflection encryption unit requests to call the trusted measurement unit to execute the first trusted measurement.
  • the trustworthy measurement unit executes the first trustworthy metric, and generates a running metric value.
  • the trusted measurement unit feeds back the running measurement value to the deflection encryption unit.
  • if the deflection encryption unit determines that the expected metric value is equal to the initial metric value, subsequent operations can be performed.
  • the deflection encryption unit judges whether the expected metric value and the running metric value are equal, if yes, execute S614, and if not, execute S615.
  • the deflection encryption unit performs data operations.
  • the deflection encryption unit closes the data operation function, or alarms.
  • the data protection method compares the expected metric value and the initial metric value during the startup phase, and performs subsequent processing only when it is determined that the expected metric value is consistent with the initial metric value, thereby effectively improving data security.
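The two-phase check of FIG. 6 (startup: expected value against initial measurement; verification: expected value against running measurement), which also covers the single-compare flows of FIG. 3 and FIG. 5, as an added example that is not part of the patent text. The supervisory server, the secure channel and the HSM are modelled as plain callables and values (assumptions), the measurement is the same SHA-256 hash chain as formula one, and the deflection/encryption step itself is only marked because the patent does not specify the algorithm.

```python
# Added example (not the patent's own code): the decision logic of the
# deflection encryption unit over the two phases of FIG. 6, which also
# covers the FIG. 3 and FIG. 5 flows. The supervisory server, the HSM and
# the secure channel are assumptions modelled as plain callables/values;
# the measurement is the same SHA-256 hash chain as formula one.
import hashlib
import hmac
from typing import Callable, List, Optional, Sequence, Tuple

Module = Tuple[str, bytes]


class TrustedMeasurementUnit:
    """Runs in the TEE; on each call re-measures the currently loaded
    module list in loading order (formula one)."""

    def __init__(self, loaded: Callable[[], Sequence[Module]]):
        self._loaded = loaded

    def measure(self) -> str:
        digests = [hashlib.sha256(code).digest() for _n, code in self._loaded()]
        return hashlib.sha256(b"".join(digests)).hexdigest()


class DeflectionEncryptionUnit:
    """Fails closed: any mismatch disables the data operation and alarms."""

    def __init__(self, tmu: TrustedMeasurementUnit,
                 local_expected: Optional[str] = None,
                 server_fetch: Optional[Callable[[], str]] = None):
        self._tmu = tmu
        self._local_expected = local_expected  # prefabricated value (HSM / NV store)
        self._server_fetch = server_fetch      # obtained over the secure channel
        self.expected: Optional[str] = None
        self.enabled = False
        self.alarms: List[str] = []

    def _fail_closed(self, reason: str) -> bool:
        self.enabled = False
        self.alarms.append(reason)
        return False

    def startup(self) -> bool:
        """Startup phase: obtain the expected metric value (local first,
        else from the server), take the initial measurement, compare."""
        if self._local_expected is not None:
            self.expected = self._local_expected
        elif self._server_fetch is not None:
            self.expected = self._server_fetch()
        else:
            return self._fail_closed("no expected metric value available")
        initial = self._tmu.measure()
        if not hmac.compare_digest(self.expected, initial):
            return self._fail_closed("initial metric mismatch: system changed since last audit")
        self.enabled = True
        return True

    def verify_and_operate(self, coordinate: Tuple[float, float]):
        """Verification phase: take the running measurement; only on a match
        is the deflection/encryption data operation performed."""
        if not self.enabled or self.expected is None:
            return None
        running = self._tmu.measure()
        if not hmac.compare_digest(self.expected, running):
            self._fail_closed("running metric mismatch: program tampered or illegal output")
            return None
        # The patent does not specify the deflection/encryption algorithm,
        # so the data operation is only marked here (assumption).
        lat, lon = coordinate
        return ("deflected+encrypted", lat, lon)


# Constructed golden module list (assumed names) and three scenarios.
def golden() -> List[Module]:
    return [("libc.so", b"\x7fELF libc (constructed)"),
            ("hdmap_app", b"\x7fELF high-precision map app (constructed)")]


AUDITED_METRIC = TrustedMeasurementUnit(golden).measure()  # held by server / HSM
SAMPLE_COORD = (31.2304, 121.4737)  # constructed sample coordinate


def scenario_clean():
    """No local prefab value: fetched from the server; both compares pass."""
    env = golden()
    deu = DeflectionEncryptionUnit(TrustedMeasurementUnit(lambda: env),
                                   server_fetch=lambda: AUDITED_METRIC)
    ok = deu.startup()
    return ok, deu.verify_and_operate(SAMPLE_COORD), deu.alarms


def scenario_tampered_after_startup():
    """Startup passes, then the map app is patched before verification."""
    env = golden()
    deu = DeflectionEncryptionUnit(TrustedMeasurementUnit(lambda: env),
                                   local_expected=AUDITED_METRIC)
    ok = deu.startup()
    env[1] = ("hdmap_app", b"\x7fELF patched map app (constructed)")
    return ok, deu.verify_and_operate(SAMPLE_COORD), deu.enabled, deu.alarms


def scenario_reflashed_before_startup():
    """Illegal reflash while the vehicle was off: caught at startup."""
    env = [golden()[0], ("hdmap_app", b"\x7fELF reflashed map app (constructed)")]
    deu = DeflectionEncryptionUnit(TrustedMeasurementUnit(lambda: env),
                                   local_expected=AUDITED_METRIC)
    return deu.startup(), deu.enabled, deu.alarms
```

The unit never holds a "verified" state across measurements: each data operation re-runs the trusted measurement, so a module patched between startup and verification is caught at the first data operation, and once a mismatch has been seen the unit stays disabled until it is restarted and the startup compare passes again.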
  • FIG. 7 is a schematic structural diagram of a vehicle-mounted computing device provided by an embodiment of the application. As shown in FIG. 7, the device 70 can be used to execute the data protection method described in any one of FIGS. 3-6.
  • the device 70 includes: a deflection encryption unit 701 and a credibility measurement unit 702, where the deflection encryption unit 701 and the credibility measurement unit 702 run in a trusted execution environment;
  • the deflection encryption unit 701 is configured to obtain an expected metric value, and request to call the credibility measurement unit 702 to execute the first credibility metric;
  • the credibility measurement unit 702 is configured to execute the first credibility metric, generate a running metric value, and feed back the running metric value to the deflection encryption unit 701;
  • the deflection encryption unit 701 is also used to verify the security of performing data operations in the vehicle by comparing the expected metric value and the operating metric value.
  • the deflection encryption unit 701 is further configured to determine, before obtaining the expected metric value, that the expected metric value is not pre-made locally, and to request to call the trusted measurement module to execute the second trusted measurement;
  • the credibility measurement unit 702 is further configured to execute the second credibility metric to generate an initial metric value.
  • the obtaining of the expected metric value by the deflection encryption unit 701 includes: the deflection encryption unit 701 obtaining the initial metric value.
  • the credibility measurement unit 702 executes the second credibility metric, and generating an initial metric value includes:
  • the trusted measurement unit 702 generates the initial measurement value by performing hash calculation on a predefined program module and operating environment.
  • the deflection encryption unit 701 is further configured to determine the expected metric value that is not prefabricated locally before obtaining the expected metric value, and request the server to obtain the expected metric value;
  • the obtaining of the expected metric value by the deflection encryption unit 701 includes: the deflection encryption unit 701 receives the expected metric value returned by the server.
  • the deflection encryption unit 701 is further configured to determine that the expected metric value is prefabricated locally before obtaining the expected metric value;
  • the deflection encryption unit 701 obtaining the expected metric value includes: the deflection encryption unit 701 obtains the local pre-made expected metric value.
  • the deflection encryption unit 701 is further configured to request to call the credibility metric module to execute the third credibility metric after obtaining the expected metric value;
  • the credibility measurement unit 702 is further configured to execute the third credibility metric to generate an initial metric value.
  • the deflection encryption unit 701 is further configured to determine that the expected metric value is not equal to the initial metric value, and then turn off the data operation function, or issue an alarm.
  • the deflection encryption unit 701 is further configured to compare the expected metric value and the operating metric value to verify the security of performing data operations in the vehicle, including:
  • the deflection encryption unit 701 is further configured to determine that the expected metric value is equal to the operating metric value, and execute the data operation.
  • the deflection encryption unit 701 is further configured to compare the expected metric value and the operating metric value to verify the security of performing data operations in the vehicle, including:
  • the deflection encryption unit 701 is also used to determine that the expected metric value is not equal to the operating metric value, and to close the data operation function, or to give an alarm.
  • the credibility measurement unit 702 is configured to execute the first credibility metric, and generating a running metric value includes:
  • the trusted measurement unit 702 is configured to generate the operating measurement value by performing hash calculation on a predefined program module and operating environment.
  • the device provided in this embodiment can be used to implement the technical solutions of the foregoing method embodiments, and its implementation principles and technical effects are similar, and will not be repeated here in this embodiment.
  • the software or firmware includes but is not limited to computer program instructions or codes, and can be executed by a hardware processor.
  • the hardware includes, but is not limited to, various types of integrated circuits, such as a central processing unit (CPU), a digital signal processor (DSP), a field programmable gate array (FPGA), or an application specific integrated circuit (ASIC).
  • FIG. 8 is a schematic diagram of the hardware structure of a vehicle-mounted computing device provided by an embodiment of the application. As shown in FIG. 8, the vehicle-mounted computing device 80 can be used to execute the data protection method described in any one of FIGS. 3-6.
  • the vehicle-mounted computing device 80 includes: a processor 801 and a memory 802; among them
  • the memory 802 is used to store computer execution instructions
  • the processor 801 is configured to execute computer-executable instructions stored in the memory to implement each step performed by the data protection method in the foregoing embodiment. For details, please refer to the relevant description in the foregoing method embodiment.
  • the memory 802 may be independent or integrated with the processor 801.
  • the vehicle-mounted computing device further includes a bus 803 for connecting the memory 802 and the processor 801.
  • the foregoing processor may be a central processing unit (CPU), or another general-purpose processor, a digital signal processor (DSP), an application specific integrated circuit (ASIC), etc.
  • the general-purpose processor may be a microprocessor or the processor may also be any conventional processor or the like.
  • the steps in the embodiment of the service processing method disclosed in the embodiment of the present application may be directly embodied as being executed and completed by a hardware processor, or executed and completed by a combination of hardware and software modules in the processor.
  • An embodiment of the present application also provides a computer storage medium, including computer instructions, when the computer instructions are executed by a processor, implement the data protection method performed by the on-vehicle computing device.
  • the embodiments of the present application provide a computer program product, which when the computer program product runs on a processor, realizes the data protection method executed by the on-board computing device.
  • An embodiment of the present application also provides a smart car, including an in-vehicle communication device and the in-vehicle computing device described in the above embodiment.
  • All or part of the steps in the foregoing method embodiments may be implemented by a program instructing relevant hardware.
  • the aforementioned program can be stored in a readable memory.
  • the program executes the steps of the foregoing method embodiments; and the foregoing memory (storage medium) includes: read-only memory (ROM), RAM, flash memory, hard disk, solid state disk, magnetic tape, floppy disk, optical disc, and any combination thereof.
  • these computer program instructions can be provided to the processing unit of a general-purpose computer, a special-purpose computer, an embedded processor, or other programmable data processing equipment to produce a machine, so that the instructions executed by the processing unit of the computer or other programmable data processing equipment produce a device that realizes the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • these computer program instructions can also be stored in a computer-readable memory that can direct a computer or other programmable data processing equipment to work in a specific manner, so that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction device, and the instruction device implements the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • these computer program instructions can also be loaded on a computer or other programmable data processing equipment, so that a series of operation steps are executed on the computer or other programmable equipment to produce computer-implemented processing, and the instructions executed on the computer or other programmable equipment provide steps for implementing the functions specified in one or more processes in the flowchart and/or one or more blocks in the block diagram.
  • the term “including” and its variations may refer to non-limiting inclusion; the term “or” and its variations may refer to “and/or”.
  • the terms “first”, “second”, etc. in the embodiments of the present application are used to distinguish similar objects, and are not necessarily used to describe a specific sequence or sequence.
  • “multiple” refers to two or more.
  • “And/or” describes the association relationship of the associated objects, indicating that there can be three types of relationships, for example, A and/or B, which can mean: A alone exists, A and B exist at the same time, and B exists alone.
  • the character “/” generally indicates that the associated objects before and after are in an "or” relationship.

Abstract

A data protection method and apparatus. The method comprises: a deflection encryption unit acquiring an expected measurement value (S301); the deflection encryption unit making a request to call a trusted measurement unit to execute a first trusted measurement (S302); the trusted measurement unit executing the first trusted measurement to generate a running measurement value (S303); the trusted measurement unit feeding back the running measurement value to the deflection encryption unit (S304); and the deflection encryption unit verifying, by comparing the expected measurement value and the running measurement value, the security of data operation execution in a vehicle (S305). The deflection encryption unit compares the acquired expected measurement value with the running measurement value generated by the trusted measurement unit, such that the security of data operation execution in a vehicle is effectively verified, thereby effectively ensuring the security of vehicle data.

Description

Data protection method and device
Technical field
This application relates to the technical field of autonomous driving and intelligent connected vehicles, and in particular to a data protection method and device.
Background
With the continuous development of autonomous driving technology, vehicle coordinate processing has also advanced considerably. Under the relevant regulations, the coordinate processing methods and the coordinate deflection methods must be protected in order to guarantee data security.
At present, to protect the coordinate processing method and the coordinate deflection method, the modules involved in coordinate processing and the module that implements coordinate deflection are usually handed to the supervisory authority, which compiles them together into one large binary program module; the system then performs the relevant coordinate processing using that binary program module.
However, the above approach lacks an effective protection mechanism: it cannot prevent coordinate data from being maliciously intercepted, so the security of vehicle data is low.
Summary of the invention
Embodiments of the present application provide a data protection method and device to improve the security of vehicle data.
In a first aspect, an embodiment of the present application provides a data protection method applied to a vehicle-mounted computing device, where the vehicle-mounted computing device includes a deflection encryption unit and a trusted measurement unit, and the deflection encryption unit and the trusted measurement unit run in a trusted execution environment. The method includes:
the deflection encryption unit acquires an expected measurement value, and the deflection encryption unit requests to call the trusted measurement unit to execute a first trusted measurement. In a possible implementation, the deflection encryption unit may call an application programming interface (API) to invoke the trusted measurement unit to execute the first trusted measurement.
The trusted measurement unit executes the first trusted measurement and generates a running measurement value; the trusted measurement unit feeds the running measurement value back to the deflection encryption unit; and the deflection encryption unit verifies the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value.
In the above process, the deflection encryption unit compares the acquired expected measurement value with the running measurement value generated by the trusted measurement unit, which effectively verifies the security of performing data operations in the vehicle and thus effectively guarantees the security of vehicle data.
In a possible implementation, before the deflection encryption unit acquires the expected measurement value, the method further includes:
the deflection encryption unit determining that no expected measurement value is pre-provisioned locally. In a possible implementation, the deflection encryption unit may, for example, query a local hardware security module (HSM), or query local non-volatile storage, to determine that no expected measurement value is pre-provisioned locally; alternatively, the deflection encryption unit may determine this from a status flag.
When it is determined that there is no expected measurement value locally, the deflection encryption unit may request to call the trusted measurement unit to execute a second trusted measurement; the trusted measurement unit executes the second trusted measurement and generates an initial measurement value;
where the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit acquiring the initial measurement value.
In the above process, when it is determined that there is no expected measurement value locally, the deflection encryption unit calls the trusted measurement unit to generate an initial measurement value, which effectively improves the flexibility of acquiring the expected measurement value.
In a possible implementation, the trusted measurement unit executing the second trusted measurement and generating the initial measurement value includes:
the trusted measurement unit generating the initial measurement value by performing a hash calculation over a predefined program module and runtime environment.
Obtaining the initial measurement value by hashing the predefined program module and runtime environment effectively verifies the integrity of the program and the environment.
Here, the program module refers to the high-precision map application used to process sensitive data; it may be a single program as a whole, or it may consist of several relatively independent programs.
The runtime environment refers to the system service components on which the high-precision map application depends, such as library files (dynamic or static link libraries), middleware (such as database middleware), a virtual machine environment (such as a Java virtual machine), or operating system service components.
The hash algorithm may be a standard hash algorithm, such as SHA-1, SHA-256 or SM3.
In a possible implementation, before the deflection encryption unit acquires the expected measurement value, the method further includes:
the deflection encryption unit determining that no expected measurement value is pre-provisioned locally;
at this point the deflection encryption unit may perform mutual authentication with the supervision server and establish a secure channel; establishing the secure channel guarantees the security of the subsequent data transfer. The deflection encryption unit then requests the expected measurement value from the server;
where the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit receiving the expected measurement value returned by the server.
In this implementation, when the deflection encryption unit determines that no expected measurement value is pre-provisioned locally, it can establish a secure channel with the server and obtain the expected measurement value online. This avoids running the trusted measurement process during the startup phase without reducing security, which reduces the computational overhead.
In a possible implementation, before the deflection encryption unit acquires the expected measurement value, the method further includes:
the deflection encryption unit determining that an expected measurement value is pre-provisioned locally;
where the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit acquiring the locally pre-provisioned expected measurement value.
When the expected measurement value is pre-provisioned locally, the local expected measurement value is acquired directly, so the expected measurement value can be obtained conveniently and efficiently.
In a possible implementation, after the deflection encryption unit acquires the expected measurement value, the method further includes:
the deflection encryption unit requesting to call the trusted measurement unit to execute a third trusted measurement;
the trusted measurement unit executing the third trusted measurement and generating an initial measurement value;
the deflection encryption unit determining that the expected measurement value is not equal to the initial measurement value;
the deflection encryption unit disabling the data operation function, or raising an alarm.
By comparing the expected measurement value with the initial measurement value during the startup phase and proceeding with subsequent processing only when the two are consistent, data security is effectively improved, and the expected measurement value having been updated or tampered with while the system was offline is guarded against.
In a possible implementation, the deflection encryption unit verifying the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value includes:
the deflection encryption unit determining that the expected measurement value is equal to the running measurement value;
the deflection encryption unit executing the data operation.
The data operation may be, for example, the deflection encryption module performing processing such as deflection and encryption of sensitive data such as coordinates, and sending the result to the high-precision map application.
In a possible implementation, the deflection encryption unit verifying the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value includes:
the deflection encryption unit determining that the expected measurement value is not equal to the running measurement value;
the deflection encryption unit disabling the data operation function, or raising an alarm.
In the above process, the data operation is executed only when the deflection encryption unit determines that the expected measurement value equals the running measurement value; when they are determined to be unequal, the data operation function is disabled directly or an alarm is raised, which effectively guarantees the security of the program and the environment.
In a possible implementation, the trusted measurement unit executing the first trusted measurement and generating the running measurement value includes:
the trusted measurement unit generating the running measurement value by performing a hash calculation over the predefined program module and runtime environment.
Obtaining the measurement value by hashing the predefined program module and runtime environment effectively verifies the integrity of the program and the environment.
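The following is an added example, not code from the patent or from the applicant: a minimal Python model of the first-aspect flow, with a trusted measurement unit that hashes a predefined set of program modules and runtime-environment components (SHA-256, one of the algorithms the text names) and a deflection encryption unit that acquires the expected value from a local store, from a server, or from a second measurement, re-checks it at startup (third measurement), and gates each data operation on the running measurement (first measurement). The class names, the `hsm` dictionary standing in for the HSM / non-volatile store, the `fetch_from_server` callback standing in for the mutually authenticated secure channel, the order in which the three sources are tried, the placeholder deflection operation and all sample bytes are assumptions of this example, not details from the page.

```python
import hashlib
from typing import Callable, Dict, List, Optional

# Assumed layout (not from the patent): named program modules and named
# runtime-environment components, each as raw bytes.
Components = Dict[str, bytes]


def measure(modules: Components, environment: Components) -> str:
    """Trusted measurement: one SHA-256 digest over the predefined program
    modules and runtime environment. Group, name and length prefix each
    component and names are sorted, so the digest is canonical and a
    swapped, renamed or resized component changes it."""
    h = hashlib.sha256()
    for group, items in (("module", modules), ("env", environment)):
        for name in sorted(items):
            data = items[name]
            h.update(f"{group}:{name}:{len(data)}:".encode())
            h.update(data)
    return h.hexdigest()


class TrustedMeasurementUnit:
    """Stand-in for the trusted measurement unit inside the TEE."""

    def __init__(self, modules: Components, environment: Components) -> None:
        self.modules = modules
        self.environment = environment

    def measure(self) -> str:
        return measure(self.modules, self.environment)


class DeflectionEncryptionUnit:
    """Stand-in for the deflection encryption unit. `hsm` models the local
    HSM / non-volatile store; `fetch_from_server` models the request over the
    mutually authenticated secure channel (the channel itself is not modelled)."""

    def __init__(self, tmu: TrustedMeasurementUnit, hsm: Dict[str, str],
                 fetch_from_server: Optional[Callable[[], str]] = None) -> None:
        self.tmu = tmu
        self.hsm = hsm
        self.fetch_from_server = fetch_from_server
        self.expected: Optional[str] = None
        self.enabled = True
        self.alarms: List[str] = []

    def acquire_expected(self) -> str:
        """Sources named in the text, tried in an order chosen for this example:
        local pre-provisioned value, value returned by the server, or a second
        measurement whose initial value becomes the expected value."""
        if "expected_measurement" in self.hsm:
            self.expected = self.hsm["expected_measurement"]
        elif self.fetch_from_server is not None:
            self.expected = self.fetch_from_server()
        else:
            self.expected = self.tmu.measure()
        return self.expected

    def startup_check(self) -> bool:
        """Third measurement at startup: initial value must equal expected."""
        if self.tmu.measure() != self.expected:
            self._disable("startup measurement mismatch")
            return False
        return True

    def verify_and_run(self, operation: Callable, *args):
        """First measurement before a data operation: run it only when the
        running value equals the expected value; otherwise disable and alarm."""
        if not self.enabled:
            return None
        if self.tmu.measure() != self.expected:
            self._disable("running measurement mismatch")
            return None
        return operation(*args)

    def _disable(self, reason: str) -> None:
        self.enabled = False
        self.alarms.append(reason)


def placeholder_operation(coord):
    """Stands in for the protected deflection/encryption step (not modelled)."""
    return ("deflected", coord)


def demo() -> dict:
    """Walk the three acquisition flows on constructed inputs; return outcomes."""
    modules = {"hd_map_app": b"constructed HD-map application image"}
    env = {"libcoord.so": b"constructed shared library image",
           "db_middleware": b"constructed middleware image"}
    golden = measure(modules, env)
    out = {}
    # Flow A: expected value pre-provisioned in the HSM, system untouched.
    deu = DeflectionEncryptionUnit(TrustedMeasurementUnit(dict(modules), dict(env)),
                                   hsm={"expected_measurement": golden})
    deu.acquire_expected()
    out["a_startup_ok"] = deu.startup_check()
    out["a_result"] = deu.verify_and_run(placeholder_operation, (31.2, 121.5))
    # Flow B: no local value, fetched from the server; a module is then modified.
    tmu = TrustedMeasurementUnit(dict(modules), dict(env))
    deu = DeflectionEncryptionUnit(tmu, hsm={}, fetch_from_server=lambda: golden)
    deu.acquire_expected()
    out["b_startup_ok"] = deu.startup_check()
    tmu.modules["hd_map_app"] = b"modified HD-map application image"
    out["b_result"] = deu.verify_and_run(placeholder_operation, (31.2, 121.5))
    out["b_enabled"] = deu.enabled
    out["b_alarms"] = list(deu.alarms)
    # Flow C: no local value and no server; the initial measurement becomes expected.
    deu = DeflectionEncryptionUnit(TrustedMeasurementUnit(dict(modules), dict(env)), hsm={})
    out["c_expected_is_golden"] = deu.acquire_expected() == golden
    return out
```

Flow C shows the trade-off the text leaves implicit: when the first measurement is also the expected value, the check only detects changes made after that point, which is why the server-fetched or pre-provisioned value, re-verified at startup, gives the stronger guarantee.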
In a second aspect, an embodiment of the present application provides a vehicle-mounted computing device including a deflection encryption unit and a trusted measurement unit, where the deflection encryption unit and the trusted measurement unit run in a trusted execution environment;
where the deflection encryption unit is configured to acquire an expected measurement value and to request to call the trusted measurement unit to execute a first trusted measurement;
the trusted measurement unit is configured to execute the first trusted measurement, generate a running measurement value, and feed the running measurement value back to the deflection encryption unit;
and the deflection encryption unit is further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value.
In a possible implementation, the deflection encryption unit is further configured to determine, before acquiring the expected measurement value, that no expected measurement value is pre-provisioned locally, and to request to call the trusted measurement module to execute a second trusted measurement;
the trusted measurement unit is further configured to execute the second trusted measurement and generate an initial measurement value;
and the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit acquiring the initial measurement value.
In a possible implementation, the trusted measurement unit executing the second trusted measurement and generating the initial measurement value includes:
the trusted measurement unit generating the initial measurement value by performing a hash calculation over a predefined program module and runtime environment.
In a possible implementation, the deflection encryption unit is further configured to determine, before acquiring the expected measurement value, that no expected measurement value is pre-provisioned locally, and to request the expected measurement value from a server;
and the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit receiving the expected measurement value returned by the server.
In a possible implementation, the deflection encryption unit is further configured to determine, before acquiring the expected measurement value, that an expected measurement value is pre-provisioned locally;
and the deflection encryption unit acquiring the expected measurement value includes: the deflection encryption unit acquiring the locally pre-provisioned expected measurement value.
In a possible implementation, the deflection encryption unit is further configured to request, after acquiring the expected measurement value, to call the trusted measurement module to execute a third trusted measurement;
the trusted measurement unit is further configured to execute the third trusted measurement and generate an initial measurement value;
and the deflection encryption unit is further configured to determine that the expected measurement value is not equal to the initial measurement value, and then to disable the data operation function or raise an alarm.
In a possible implementation, the deflection encryption unit being further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value includes:
the deflection encryption unit being further configured to determine that the expected measurement value is equal to the running measurement value, and to execute the data operation.
In a possible implementation, the deflection encryption unit being further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value includes:
the deflection encryption unit being further configured to determine that the expected measurement value is not equal to the running measurement value, and to disable the data operation function or raise an alarm.
In a possible implementation, the trusted measurement unit being configured to execute the first trusted measurement and generate the running measurement value includes:
the trusted measurement unit being configured to generate the running measurement value by performing a hash calculation over a predefined program module and runtime environment.
In a third aspect, an embodiment of the present application provides a vehicle-mounted computing device including a memory and a processor, where the memory stores computer program instructions and the processor runs the computer program instructions to perform the method of the first aspect or any of its possible implementations.
In a fourth aspect, an embodiment of the present application provides a computer storage medium including computer instructions which, when run by a processor, implement the method of the first aspect or any of its possible implementations.
In a fifth aspect, an embodiment of the present application provides a computer program product which, when run on a processor, implements the method of the first aspect or any of its possible implementations.
In a sixth aspect, an embodiment of the present application provides a data processing system including a server and the vehicle-mounted computing device of the second aspect or any of its possible implementations.
In a seventh aspect, an embodiment of the present application provides a smart car including an in-vehicle communication device and the vehicle-mounted computing device of the second aspect or any of its possible implementations.
Embodiments of the present application provide a data protection method and device. The method includes: the deflection encryption unit acquires an expected measurement value; the deflection encryption unit requests to call the trusted measurement unit to execute a first trusted measurement; the trusted measurement unit executes the first trusted measurement and generates a running measurement value; the trusted measurement unit feeds the running measurement value back to the deflection encryption unit; and the deflection encryption unit verifies the security of performing a data operation in the vehicle by comparing the expected measurement value with the running measurement value. Because the deflection encryption unit compares the acquired expected measurement value with the running measurement value generated by the trusted measurement unit, the security of performing data operations in the vehicle is effectively verified, which effectively guarantees the security of vehicle data.
Description of the drawings
FIG. 1 is a schematic diagram of an in-vehicle autonomous driving system to which an embodiment of the application is applicable;
FIG. 2 is a schematic diagram of a high-precision map navigation system to which an embodiment of the application is applicable;
FIG. 3 is a flowchart of a data protection method provided by an embodiment of the application;
FIG. 4 is a flowchart of another data protection method provided by an embodiment of the application;
FIG. 5 is a flowchart of another data protection method provided by an embodiment of the application;
FIG. 6 is a flowchart of yet another data protection method provided by an embodiment of the application;
FIG. 7 is a structural block diagram of a vehicle-mounted computing device provided by an embodiment of the application;
FIG. 8 is a structural block diagram of another vehicle-mounted computing device provided by an embodiment of the application.
Detailed description of the embodiments
First, the related concepts involved in this application are introduced:
Global navigation satellite system: the Global Navigation Satellite System (GNSS) is the collective name for the individual satellite navigation and positioning systems that currently exist; a GNSS can provide all-weather three-dimensional coordinate, velocity and time information at any point on the Earth's surface or in near-Earth space.
Inertial measurement unit: an inertial measurement unit (IMU) is a device that measures the three-axis attitude angles (or angular rates) and the acceleration of an object. An IMU usually contains three single-axis accelerometers and three single-axis gyroscopes; the accelerometers detect the acceleration signals of the object along the three independent axes of the body coordinate system, while the gyroscopes detect the angular velocity signals of the body relative to the navigation coordinate system. By measuring the angular velocity and acceleration of the object in three-dimensional space, the attitude of the object is obtained, so the IMU has important application value in navigation.
Telematics box: a telematics box (T-BOX) implements the vehicle's communication; for example, it may communicate with a back-end system, or with a terminal device, to display and control vehicle information.
WGS84: the full name is World Geodetic System 1984. WGS84 is the coordinate system established for use by the Global Positioning System (GPS), and it may be the coordinate system of the coordinates output by a GNSS.
GCJ-02: GCJ-02 is a coordinate format defined by the national surveying and mapping administration.
C-V2X: C-V2X (Cellular V2X) is an Internet of Vehicles technology based on cellular communication mechanisms.
After explaining the related concepts, the application scenario of this embodiment is described below with reference to FIG. 1, which is a schematic diagram of the application scenario of the data protection method provided by an embodiment of the application. As shown in FIG. 1:
the application scenario includes a vehicle 10. In this embodiment, the vehicle 10 can drive autonomously. In the autonomous driving scenario, the autonomous driving system inside the vehicle 10 may include a sensor perception module, a planning control module, a high-precision map and localization module (HD map/Localization), a global navigation satellite system/inertial measurement unit (GNSS/IMU), a sensor fusion module, and so on; this embodiment does not limit the other modules included in the autonomous driving system.
Those skilled in the art will understand that determining the position of the ego vehicle is very important during autonomous driving, so the autonomous driving system in this embodiment can perform coordinate processing for the vehicle. For example, referring to FIG. 1, the GNSS/IMU can send the ego vehicle's WGS84 coordinates to the high-precision map and localization module, and the T-BOX can also obtain the GCJ-02 coordinates of other objects (such as external static objects, or dynamic objects such as other vehicles) transmitted from the cloud and send those GCJ-02 coordinates to the high-precision map and localization module.
At the same time, the high-precision map and localization module can convert the received WGS84 coordinates of the ego vehicle and/or the GCJ-02 coordinates of other objects into the GCJ-02 coordinates of the ego vehicle and provide them to the sensor fusion module and the planning control module, so that these modules can control the vehicle according to the ego vehicle's GCJ-02 coordinates, for example by adjusting the vehicle's position or changing its direction.
From the above it can be seen that the application of autonomous driving involves coordinate processing, for example the processing of WGS84 and GCJ-02 coordinates, and that the coordinate data and the coordinate deflection method are sensitive data. Under the regulations of the Chinese surveying and mapping authorities, the processing of coordinates must be protected, and the coordinate deflection method must also be protected; the coordinate deflection may be, for example, the conversion of WGS84 coordinates into GCJ-02 coordinates. Protecting the coordinate processing and the coordinate deflection method guarantees the security of the coordinate data.
For example, in an autonomous driving scenario based on high-precision maps, the program module that processes coordinates inside the vehicle may process GCJ-02 coordinates, but the GCJ-02 coordinates must be prevented from being stolen by illegal programs or directly exposed externally (for example, by being transmitted directly outside the program).
At present, the prior-art solution for protecting coordinate processing and the coordinate deflection method is usually implemented by the supervisory authority (for example, the Ministry of Natural Resources). The supervisory authority has designed a binding (joint compilation) mechanism: all modules involved in coordinate processing, together with the module that implements the deflection method, are compiled together by the supervisory authority at source code level to generate one large binary program module, where the module implementing the deflection method may be provided by the supervisory authority.
The supervisory authority then provides the generated binary program module to the developer of the autonomous driving software (or the navigation service provider), who can perform subsequent operations based on the received binary program module to implement autonomous driving.
This approach has two purposes. The first is to prevent the coordinates from being exposed outside the jointly compiled module; the second is to hinder decompilation of the deflection method, because the more modules participate in the compilation, the harder it is to reverse-engineer the deflection method directly. For example, the sensor fusion module, the planning control module, and the high-precision map and localization module in FIG. 1 should participate in the joint compilation as required.
The above approach of protecting coordinates through joint compilation by the supervisory authority is already widespread in ordinary electronic navigation map applications, because ordinary navigation maps have low precision requirements, relatively simple functionality and do not involve autonomous driving, so the approach suffices there to protect the deflection method and the coordinate data.
然而,若将上述介绍的方式应用在基于高精度地图的自动驾驶应用场景下,上述方法就会存在如下问题:However, if the above-mentioned method is applied to the application scenario of autonomous driving based on high-precision maps, the above-mentioned method will have the following problems:
1、安全性不足,只能实现对坐标数据和偏转方法的静态保护。1. Insufficient security, only static protection of coordinate data and deflection methods can be achieved.
具体的,在实际运行过程中,现有的联编机制无法防止参与联编的各个模块在运行过程中的数据被其他恶意程序截获,其缺乏动态的防护机制。Specifically, in the actual operation process, the existing binding mechanism cannot prevent the data of each module participating in the binding from being intercepted by other malicious programs during the operation, and it lacks a dynamic protection mechanism.
并且,由于车载自动驾驶系统的功能模块众多,其运行环境包括完整的操作系统功能, 因此也给恶意程序的运行提供了环境,恶意程序更容易通过模块之间的接口调用,内存访问,系统组件漏洞等方式,对运行过程中程序进行攻击,从而造成坐标数据或者偏转方法泄露。Moreover, due to the numerous functional modules of the vehicle-mounted autopilot system and its operating environment including complete operating system functions, it also provides an environment for the operation of malicious programs. Malicious programs are easier to call through interfaces between modules, memory access, and system components. Vulnerabilities, etc., attack the program during operation, resulting in the leakage of coordinate data or deflection methods.
2、无法满足自动驾驶的更新需求。2. Unable to meet the update requirements of autonomous driving.
具体的,在自动驾驶的实际应用过程中,由于自动驾驶的各个功能,尤其是算法的更新较为频繁,并且这种更新通常会采用空中下载(Over the Air,OTA)方式进行在线更新,如果按照现有的联编模式,在每次更新之前,还需要将更新的各个模块提供给监管部门,则会导致自动驾驶的更新时间漫长,无法满足自动驾驶的更新需求。Specifically, in the actual application process of automatic driving, due to the various functions of automatic driving, especially the algorithm update is more frequent, and this update usually adopts the over-the-air (OTA) method for online update, if you follow In the existing binding model, each updated module needs to be provided to the supervisory department before each update, which will lead to a long update time for automatic driving and fail to meet the update requirements of automatic driving.
3、效率低,并且监管部门的监管手段较弱。3. The efficiency is low, and the supervision methods of the supervisory authority are weak.
具体的,目前的联编属于离线人工方式,也就是说开发方需要将进行联编的模块线下提供方给监管部门,由监管部门在离线的状态下进行编译,编译完成之后还需要将生成的二进制程序模块线下提供给开发方,并且提供模块进行联编的开发方数量较多,从而导致自动驾驶的开发和应用效率低下。Specifically, the current build is an offline manual method, which means that the developer needs to provide the module to be built offline to the supervisory department, and the supervisory department will compile it in an offline state. After the compilation is completed, it needs to be generated. The binary program modules are provided offline to developers, and there are a large number of developers who provide modules for linking, resulting in low efficiency in the development and application of autonomous driving.
同时,在联编完后监管部门也无法实现管控,存在失控的风险,从而无法有效实现对坐标数据和偏转方法的保护。At the same time, after the linking is completed, the supervisory department cannot achieve control, and there is a risk of loss of control, which makes it impossible to effectively protect the coordinate data and the deflection method.
针对现有技术中的问题,本申请提出了如下技术构思:当程序被篡改时,根据程序生成的通过在车载计算部件中增加可信度量单元,以实现根据度量值的比较,验证数据的安全性。In response to the problems in the prior art, this application proposes the following technical idea: when the program is tampered with, the credibility measurement unit is added to the on-board computing component according to the generated program, so as to realize the comparison of the measurement value and verify the security of the data. sex.
Building on the above, the data processing system provided by an embodiment of this application is first described with reference to Figure 2, which is a schematic diagram of that system.
As shown in Figure 2, the system includes an in-vehicle computing apparatus, an in-vehicle communication apparatus, and a map application cloud platform.
The in-vehicle computing apparatus is introduced first. In this application it may be used to run the high-precision map application unit and the deflection encryption unit shown in Figure 2.
In a possible implementation, the in-vehicle computing apparatus may run a standalone operating system (OS), a trusted execution environment (TEE), and the high-precision map application unit. In one embodiment the high-precision map application unit may be implemented, for example, as the sensor fusion module, planning and control module, and high-precision map and positioning module described for Figure 1, or it may further include other processing modules; this embodiment does not specifically limit this.
In practice the in-vehicle computing apparatus may obtain coordinate data from in-vehicle sensors and from the Global Navigation Satellite System (GNSS). Referring to Figure 2, for example, the high-precision map application unit may obtain the relative positions of map objects (OBJ) from the in-vehicle sensors, and the deflection encryption unit may obtain WGS84 coordinates from GNSS.
The coordinate data obtained by the in-vehicle computing apparatus may be processed by the deflection encryption unit to produce the ego vehicle's GCJ-02 coordinates, which the deflection encryption unit then sends to the high-precision map application unit for processing.
In this embodiment the deflection encryption unit and the trusted measurement unit run in the TEE, which protects both units and also protects the channel over which coordinate data is transmitted to the high-precision map application unit.
The in-vehicle computing apparatus further includes a hardware security module (HSM), which may be used, for example, to store security parameters.
In this embodiment, before transmitting coordinates, the deflection encryption unit may call the trusted measurement unit to perform trusted verification of the high-precision map application unit, and it transmits the coordinate data only after verification passes, thereby effectively ensuring the security of the data.
Next, the in-vehicle communication apparatus is described. It is used to establish the network connection between the in-vehicle computing apparatus and the servers on the map application cloud platform. Referring to Figure 2, the in-vehicle communication apparatus includes a communication unit. In a possible implementation the communication unit may use, for example, the C-V2X mechanism, which provides a secure communication mechanism; alternatively it may use any other communication mechanism, which this embodiment does not specifically limit.
Next, the map application cloud platform is described. Referring to Figure 2, it includes a supervisory server and an application server. The supervisory server manages and configures the security parameters in the deflection encryption unit, for example the expected metric value; the application server processes the encrypted high-precision GCJ-02 coordinates of the ego vehicle uploaded by the deflection encryption unit.
In this embodiment, providing a trusted measurement unit makes a trusted verification flow possible, so that integrity measurement can be performed on the high-precision map application unit and the associated run-time environment modules, which may include, for example, the system services, middleware and software libraries it needs to call.
Further, by running the deflection encryption unit and the trusted measurement unit, which need protection, inside the TEE, a securely isolated environment is established on the in-vehicle computing apparatus whose resources cannot be accessed by programs in the ordinary operating system environment. This prevents the two units from being compromised by malicious programs in the outside system and effectively ensures the security of the system.
At the same time, deploying a supervisory server in the cloud allows the deflection encryption unit to be configured online: for example, the server can receive configuration requests initiated by the deflection encryption unit and/or configure or update the expected metric value online, which avoids the offline manual process of the existing joint-compilation model and effectively improves operational efficiency. The cloud supervisory server can also review the integrity values of modules submitted online and generate the expected metric value once the review passes, and it can monitor in real time the state of the protected deflection encryption unit and the related data processing applications, further improving the security of the system and the data.
On the basis of the system described above, the data protection method provided by this application is described with reference to Figure 3, which is a flowchart of the data protection method provided by one embodiment of this application.
The method provided by this application is applied to an in-vehicle computing apparatus that includes a deflection encryption unit and a trusted measurement unit, both of which run in a trusted execution environment. For their specific implementation, refer to the description of the embodiment in Figure 2; it is not repeated here.
As shown in Figure 3, the method includes:
S301. The deflection encryption unit obtains the expected metric value.
In this embodiment the deflection encryption unit may obtain the expected metric value, for example, during the vehicle's start-up phase.
In a possible implementation the expected metric value may have been sent to the in-vehicle computing apparatus in advance by the supervisory server, in which case the deflection encryption unit obtains it directly from local storage.
In that case the system or component manufacturer submits the expected metric value to the regulator for review in advance; once the review passes, the supervisory server delivers the expected metric value to the deflection encryption unit over a secure channel. The expected metric value may be, for example, the integrity value of each unit in the system and of the main run-time environment (the TEE, critical dependency libraries, and so on).
It is understood that when the system units or run-time environment to be measured change, the system or component manufacturer may submit the updated value to the regulator for review, and the supervisory server updates the expected metric value.
In another possible implementation the expected metric value may be generated by the trusted measurement unit performing a trusted measurement, in which case the deflection encryption unit receives the metric value fed back by the trusted measurement unit and uses it as the expected metric value. This embodiment does not limit how the deflection encryption unit obtains the expected metric value.
S302. The deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement.
In this embodiment the trusted measurement unit can perform trusted measurements; the deflection encryption unit may request the first trusted measurement, for example, during the vehicle's verification phase.
In a possible implementation the deflection encryption unit invokes the trusted measurement unit to perform the first trusted measurement through an application programming interface (API).
S303. The trusted measurement unit performs the first trusted measurement and generates the run-time metric value.
The trusted measurement unit performs the first trusted measurement in response to the call from the deflection encryption unit and thereby generates the run-time metric value. It is understood that in this embodiment the expected metric value and the run-time metric value may or may not be the same.
In a possible implementation the trusted measurement unit generates the run-time metric value by computing hashes over predefined program modules and the run-time environment.
Here a program module means the high-precision map application that processes sensitive data; it may be one program as a whole or consist of several functionally independent programs, and there is no ordering requirement among multiple program modules.
The run-time environment means the system service components on which the high-precision map application depends, such as library files (dynamic or static link libraries), middleware (such as database middleware), virtual machine environments (such as the Java virtual machine), and operating system service components; these may form a list of program modules in a defined loading order.
For example, given a preconfigured list containing several programs, the first trusted measurement may compute a hash of the code of each program in the list, one by one in list order. If the hash values obtained for the programs are H1, H2, H3, H4, ..., the generated hash values are concatenated in order to obtain the concatenated hash value H1||H2||H3||H4||....
The concatenated hash value is then hashed again to obtain the run-time metric value, which may, for example, satisfy the following Formula 1:
M = Hash(H1||H2||H3||H4||...)  (Formula 1)
where M is the run-time metric value, Hash is the hash function, and H1||H2||H3||H4||... is the concatenated hash value.
The hash algorithm may be a standard one such as SHA-1, SHA-256 or SM3; this embodiment does not limit it.
It should be noted that the expected metric value may be generated in the same way as the run-time metric value, so if the program has not been tampered with and no data has been output illegitimately, the expected metric value and the run-time metric value should be identical.
In another possible implementation the first trusted measurement may use a standard implementation, such as the remote attestation protocol of the Trusted Computing Group (TCG) standard or a lighter-weight Integrity Measurement Architecture (IMA). This embodiment does not specifically limit the implementation of the first trusted measurement, as long as it produces a run-time metric value.
In this embodiment the trusted measurement unit performs the trusted measurement, that is, it computes hashes over the predefined program modules and run-time environment to obtain the metric value, which effectively verifies the integrity of the program and its environment. It can thus detect whether the program has been tampered with or whether an illegitimate program is present, and so prevents data from being accessed by illegitimate programs during processing.
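The measurement of Formula 1 and the comparison of S305, as an added example that is not part of the patent: SHA-256 over a constructed list of module stand-ins, showing that both a modified module and a changed load order change M. The module bytes and the list are constructed here.

```python
# Added example (not the patent's code): Formula 1, M = Hash(H1 || H2 || ... || Hn),
# over an ordered list of program modules, plus the expected-vs-run-time comparison.
import hashlib
import hmac


def module_hash(code: bytes, hash_name: str = "sha256") -> bytes:
    """Hi: hash of one program module's code. The patent allows SHA-1, SHA-256 or SM3;
    SHA-256 is the default here because hashlib always provides it."""
    return hashlib.new(hash_name, code).digest()


def measure(modules: list[bytes], hash_name: str = "sha256") -> str:
    """Formula 1: hash each module in the preconfigured order, concatenate the
    digests, then hash the concatenation once more to obtain the metric value M."""
    chained = b"".join(module_hash(m, hash_name) for m in modules)
    return hashlib.new(hash_name, chained).hexdigest()


def verify(expected: str, runtime: str) -> bool:
    """S305: data operations are allowed only when the two metric values are identical."""
    return hmac.compare_digest(expected, runtime)


# Constructed stand-ins for the measured program modules and run-time environment
# (not real binaries); in a deployment these would be the bytes of each loaded component.
LOAD_LIST = [
    b"libcrypto.so     : constructed placeholder bytes",
    b"db-middleware.so : constructed placeholder bytes",
    b"jvm              : constructed placeholder bytes",
    b"hd-map-app       : constructed placeholder bytes",
]


def demo() -> dict:
    """Compare a baseline metric value against intact, tampered and reordered lists."""
    expected = measure(LOAD_LIST)  # expected value, computed the same way as at run time
    intact = verify(expected, measure(LOAD_LIST))

    tampered = list(LOAD_LIST)
    tampered[3] = tampered[3] + b" + one extra instruction"  # any byte change flips H4, hence M
    detects_tamper = not verify(expected, measure(tampered))

    reordered = [LOAD_LIST[1], LOAD_LIST[0]] + LOAD_LIST[2:]  # same bytes, different load order
    detects_reorder = not verify(expected, measure(reordered))

    return {"intact": intact, "detects_tamper": detects_tamper, "detects_reorder": detects_reorder}


if __name__ == "__main__":
    print(demo())
```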
S304. The trusted measurement unit feeds the run-time metric value back to the deflection encryption unit.
After generating the run-time metric value, the trusted measurement unit feeds it back to the deflection encryption unit.
S305. The deflection encryption unit verifies the security of performing data operations in the vehicle by comparing the expected metric value with the run-time metric value.
In this embodiment the expected metric value may be obtained, for example, during the vehicle's start-up phase, and the run-time metric value may be generated during the verification phase. It is understood that after the vehicle starts, if the program runs normally and no data has been output illegitimately, the run-time metric value equals the expected metric value; if the program has been tampered with or data has been output illegitimately, the run-time metric value changes accordingly. The deflection encryption unit can therefore verify the security of performing data operations in the vehicle by comparing the two values.
In a possible implementation, if the deflection encryption unit determines that the expected metric value and the run-time metric value are equal, it can conclude that no tampering with the program or illegitimate output of data has occurred and that the current data and program are secure, and it can therefore perform the data operations.
The data operations performed by the deflection encryption unit may be, for example, deflection processing of sensitive data such as coordinates, encryption of sensitive data such as coordinates, and/or sending the processed result to the high-precision map application unit.
In another possible implementation, if the deflection encryption unit determines that the expected metric value and the run-time metric value are not equal, it can conclude that the data and/or the program is not secure, and it can disable the above data operations or raise an alarm, thereby effectively ensuring the security of data processing.
The data protection method provided by the embodiment of this application thus includes: the deflection encryption unit obtains the expected metric value; the deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement; the trusted measurement unit performs the first trusted measurement and generates the run-time metric value; the trusted measurement unit feeds the run-time metric value back to the deflection encryption unit; and the deflection encryption unit verifies the security of performing data operations in the vehicle by comparing the expected metric value with the run-time metric value. Because the deflection encryption unit compares the expected metric value it obtained with the run-time metric value generated by the trusted measurement unit, the security of data operations performed in the vehicle is effectively verified, and the security of vehicle data is effectively ensured.
On the basis of the above embodiment, in a possible implementation the deflection encryption unit may obtain the expected metric value through the trusted measurement unit, or it may obtain the expected metric value locally. The data protection method is described in further detail below with a specific embodiment, with reference to Figure 4, which is a flowchart of the data protection method provided by another embodiment of this application.
As shown in Figure 4, the method includes:
S401. The deflection encryption unit determines whether a pre-provisioned expected metric value exists locally; if so, S402 is executed, otherwise S403 is executed.
In this embodiment, when a pre-provisioned expected metric value exists locally, the deflection encryption unit obtains the expected metric value locally; when none exists locally, the deflection encryption unit may request the trusted measurement unit to generate a metric value and thereby obtain the metric value locally.
To determine whether a pre-provisioned expected metric value exists locally, in a possible implementation the deflection encryption unit may, for example, query the local hardware security module (HSM); it may query local non-volatile storage for an expected metric value; or it may decide on the basis of a status flag.
S402. The deflection encryption unit obtains the local pre-provisioned expected metric value.
In one case, when the deflection encryption unit determines that a pre-provisioned expected metric value exists locally, it obtains that local value directly.
S403. The deflection encryption unit requests the trusted measurement unit to perform the second trusted measurement.
S404. The trusted measurement unit performs the second trusted measurement and generates the initial metric value.
S405. The trusted measurement unit feeds the initial metric value back to the deflection encryption unit.
S403 to S405 are described together below:
In the other case, when the deflection encryption unit determines that no pre-provisioned expected metric value exists locally, it may call the trusted measurement unit to generate the expected metric value.
Specifically, the deflection encryption unit may request the trusted measurement unit to perform the second trusted measurement and thereby generate the initial metric value; in a possible implementation the trusted measurement unit generates the initial metric value by computing hashes over the predefined program modules and run-time environment.
The second trusted measurement is implemented similarly to the first trusted measurement described in step S303; the difference lies in the predefined program modules and run-time environment, that is, in the input data to the measurement. The specific implementation of the second trusted measurement is therefore not repeated in this embodiment.
S406. The deflection encryption unit obtains the initial metric value.
In this embodiment the deflection encryption unit obtains the expected metric value by obtaining the initial metric value, that is, the initial metric value is taken as the expected metric value.
From the above it follows that in this embodiment the deflection encryption unit obtains the expected metric value directly from local storage when a pre-provisioned expected metric value exists locally, and, when no pre-provisioned expected metric value exists locally, obtains the initial metric value generated by the trusted measurement unit and uses it as the expected metric value.
In this embodiment, when no expected metric value exists locally, the deflection encryption unit calls the trusted measurement unit to generate the initial metric value, which effectively improves the flexibility of obtaining the expected metric value.
S407. The deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement.
S408. The trusted measurement unit performs the first trusted measurement and generates the run-time metric value.
S409. The trusted measurement unit feeds the run-time metric value back to the deflection encryption unit.
S407 to S409 are implemented similarly to S302 to S304 and are not repeated here.
S410. The deflection encryption unit determines whether the expected metric value and the run-time metric value are equal; if so, S411 is executed, otherwise S412 is executed.
In this embodiment the expected metric value may be obtained locally. It is understood that a locally obtained expected metric value was sent to the deflection encryption unit in advance by the supervisory server, and that the value sent by the server was computed in advance by the system or component manufacturer by hashing the predefined program modules and run-time environment.
Alternatively, the expected metric value may be obtained by the trusted measurement unit performing the second trusted measurement, which likewise hashes the predefined program modules and run-time environment.
The run-time metric value in this embodiment is obtained by the trusted measurement unit performing the first trusted measurement, which likewise hashes the predefined program modules and run-time environment.
It follows that if the predefined program modules and run-time environment have not changed, the expected metric value and the run-time metric value should be equal; conversely, if the predefined program modules and run-time environment have changed, the expected metric value and the run-time metric value will not be equal.
S411、偏转加密单元执行数据操作。S411. The deflection encryption unit performs data operations.
在一种可能的实现方式中,偏转加密单元确定预期度量值和运行度量值相等,则可以确定预先定义的程序模块和运行环境没有发生变化,则可以确定当前数据和程序的安全性,从而偏转加密单元可以执行数据操作。In a possible implementation, the deflection encryption unit determines that the expected metric value and the operating metric value are equal, then it can be determined that the predefined program module and operating environment have not changed, and the security of the current data and program can be determined, thereby deflection The encryption unit can perform data operations.
其中,偏转加密单元执行的数据操作例如可以为坐标等敏感数据的偏转处理、坐标等敏感数据的加密处理,和/或,将处理的结果发送给高精地图应用单元。The data operation performed by the deflection encryption unit may be, for example, deflection processing of sensitive data such as coordinates, encryption processing of sensitive data such as coordinates, and/or sending the processed result to the high-precision map application unit.
S412、偏转加密单元关闭数据操作的功能,或者进行报警。S412: The deflection encryption unit closes the data operation function, or generates an alarm.
在另一种可能的实现方式中,偏转加密单元确定预期度量值和运行度量值不相等,则偏转加密单元可以确定数据和/或程序不安全,则偏转加密单元可以关闭上述数据操作的功能,或者进行报警处理,从而能够有效保证数据处理的安全性。In another possible implementation manner, if the deflection encryption unit determines that the expected metric value and the operating metric value are not equal, the deflection encryption unit can determine that the data and/or the program is not secure, and the deflection encryption unit can turn off the above data operation function, Or perform alarm processing, which can effectively ensure the safety of data processing.
The data protection method provided by this embodiment of the application includes: the deflection encryption unit determines whether a pre-provisioned expected measurement value is present locally; if so, the deflection encryption unit obtains the locally pre-provisioned expected measurement value; if not, the deflection encryption unit requests the trusted measurement unit to perform the second trusted measurement. The trusted measurement unit performs the second trusted measurement, generates the initial measurement value, and feeds the initial measurement value back to the deflection encryption unit. The deflection encryption unit obtains the initial measurement value. The deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement. The trusted measurement unit performs the first trusted measurement, generates the runtime measurement value, and feeds the runtime measurement value back to the deflection encryption unit. The deflection encryption unit determines whether the expected measurement value and the runtime measurement value are equal; if so, the deflection encryption unit performs the data operation; if not, the deflection encryption unit disables the data operation function or raises an alarm.
Verifying data security by checking whether the expected measurement value equals the runtime measurement value generated by the trusted measurement unit protects sensitive data such as coordinates from unauthorized access in a simple and efficient way and strengthens the security of in-vehicle data. At the same time, the method of this embodiment avoids having to link the processing units together as a single build, so that each processing unit can be managed and controlled online in a simple and efficient manner.
Building on the foregoing embodiment, when the deflection encryption unit determines that no pre-provisioned expected measurement value is present locally, it may, in another possible implementation, request the expected measurement value from the server. This implementation is described below with reference to FIG. 5, which is a flowchart of a data protection method provided by another embodiment of this application.
As shown in FIG. 5, the method includes:
S501. The deflection encryption unit determines whether a pre-provisioned expected measurement value is present locally; if so, S502 is performed, otherwise S503 is performed.
S502. The deflection encryption unit obtains the locally pre-provisioned expected measurement value.
Steps S501 and S502 are implemented in the same way as S401 and S402 and are not repeated here.
S503. The deflection encryption unit performs mutual authentication with the supervision server and establishes a secure channel.
S504. The deflection encryption unit requests the expected measurement value from the server.
S505. The deflection encryption unit receives the expected measurement value returned by the server.
Steps S503 to S505 are described together below:
In this embodiment, when the deflection encryption unit determines that no pre-provisioned expected measurement value is present locally, it may request the expected measurement value from the server. First, the deflection encryption unit performs mutual authentication with the supervision server and establishes a secure channel, which secures the subsequent data transmission.
The deflection encryption unit then requests the expected measurement value from the supervision server; the supervision server returns the expected measurement value to the deflection encryption unit over the secure channel, and the deflection encryption unit receives the expected measurement value returned by the supervision server, thereby obtaining the expected measurement value.
S506. The deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement.
S507. The trusted measurement unit performs the first trusted measurement and generates the runtime measurement value.
S508. The trusted measurement unit feeds the runtime measurement value back to the deflection encryption unit.
Steps S506 to S508 are implemented similarly to S302 to S304 and are not repeated here.
S509. The deflection encryption unit determines whether the expected measurement value and the runtime measurement value are equal; if so, S510 is performed, otherwise S511 is performed.
S510. The deflection encryption unit performs the data operation.
S511. The deflection encryption unit disables the data operation function, or raises an alarm.
Steps S509 to S511 are implemented similarly to S410 to S412 and are not repeated here.
In the data protection method provided by this embodiment of the application, when the deflection encryption unit determines that no pre-provisioned expected measurement value is present locally, it can establish a secure channel with the server and obtain the expected measurement value from the server online. Without reducing security, this removes the need to perform a trusted measurement during the startup phase and so reduces computational overhead.
At the same time, because this embodiment obtains the expected measurement value online from the server, the expected measurement value need not be stored permanently on the vehicle, which reduces local storage overhead and broadens the applicable scenarios; for example, when an expected measurement value cannot be pre-provisioned on the vehicle, obtaining it from the server provides the needed flexibility.
Building on the foregoing embodiments, to defend against static attack scenarios such as the system being illegally flashed or tampered with before the vehicle is started, a verification of the initial measurement value at startup can be added. For example, during the startup phase, regardless of whether an expected measurement value is present locally, the trusted measurement unit is always called to perform a trusted measurement; if no expected measurement value is present locally, the expected measurement value is obtained online from the server, and the initial measurement value is compared with the expected measurement value; only if they match does the subsequent flow continue. This implementation is described in detail below with reference to FIG. 6, which is a flowchart of a data protection method provided by yet another embodiment of this application.
As shown in FIG. 6, the method includes:
S601. The deflection encryption unit determines whether a pre-provisioned expected measurement value is present locally; if so, S602 is performed, otherwise S603 is performed.
S602. The deflection encryption unit obtains the locally pre-provisioned expected measurement value.
Steps S601 and S602 are implemented in the same way as S401 and S402 and are not repeated here.
S603. The deflection encryption unit performs mutual authentication with the supervision server and establishes a secure channel.
S604. The deflection encryption unit requests the expected measurement value from the server.
S605. The deflection encryption unit receives the expected measurement value returned by the server.
Steps S603 to S605 are implemented in the same way as S503 to S505 and are not repeated here.
S606. The deflection encryption unit requests the trusted measurement module to perform the third trusted measurement.
S607. The trusted measurement unit performs the third trusted measurement and generates the initial measurement value.
In this embodiment, after the deflection encryption unit obtains the expected measurement value, to prevent the expected measurement value from being tampered with during the vehicle startup phase, it may request the trusted measurement unit to perform the third trusted measurement, which generates the initial measurement value, and the trusted measurement unit may feed the initial measurement value back to the deflection encryption unit.
In one possible implementation, the trusted measurement unit generates the initial measurement value by computing a hash over the predefined program modules and runtime environment.
The third trusted measurement is implemented similarly to the first trusted measurement described in step S303 above; the difference lies in the predefined program modules and runtime environment, that is, in the input data over which the trusted measurement is performed. The specific implementation of the third trusted measurement is therefore not described again in this embodiment.
S608. The deflection encryption unit determines whether the expected measurement value and the initial measurement value are equal; if not, S609 is performed, and if so, S610 is performed.
The deflection encryption unit then determines whether the expected measurement value and the initial measurement value are equal. While the vehicle is not started, the system software may have been updated or illegally re-flashed; comparing the expected measurement value with the initial measurement value at vehicle startup therefore verifies whether the system has changed since the last successful audit, which effectively improves security.
S609. The deflection encryption unit disables the data operation function, or raises an alarm.
In one possible implementation, when the deflection encryption unit determines that the expected measurement value and the initial measurement value are not equal, it may disable the data operation function or raise an alarm, thereby guaranteeing the security of the vehicle data.
S610. The deflection encryption unit requests the trusted measurement unit to perform the first trusted measurement.
S611. The trusted measurement unit performs the first trusted measurement and generates the runtime measurement value.
S612. The trusted measurement unit feeds the runtime measurement value back to the deflection encryption unit.
In another possible implementation, when the deflection encryption unit determines that the expected measurement value and the initial measurement value are equal, the subsequent operations may proceed.
Steps S610 to S612 are implemented similarly to S302 to S304 and are not repeated here.
S613. The deflection encryption unit determines whether the expected measurement value and the runtime measurement value are equal; if so, S614 is performed, otherwise S615 is performed.
S614. The deflection encryption unit performs the data operation.
S615. The deflection encryption unit disables the data operation function, or raises an alarm.
Steps S613 to S614 are implemented similarly to S410 to S412 and are not repeated here.
The data protection method provided by this embodiment of the application compares the expected measurement value with the initial measurement value during the startup phase and proceeds with subsequent processing only when the expected measurement value and the initial measurement value are found to be consistent. This effectively improves data security by preventing the expected measurement value from being updated or tampered with while the system is offline. For the regulatory authority, it also makes it possible to verify at vehicle startup whether the target object has changed, and the result of that verification can be reported back to the supervision server in real time, which gives the regulator a mechanism for real-time supervision and helps the regulatory authority perform real-time monitoring.
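As an added illustration (not code from the patent or from the applicant), the FIG. 4 to FIG. 6 flows above in Python: a stand-in trusted measurement unit hashes the predefined program modules and runtime environment, and a stand-in deflection encryption unit obtains the expected measurement value (locally pre-provisioned, fetched from the server, or self-measured), checks it against the initial measurement at startup and against the runtime measurement before each data operation, and disables itself and records an alarm on any mismatch. The SHA-256 construction, the module and environment contents, the coordinate offset, and all class and function names are assumptions made for this example.

```python
import hashlib
import hmac
from typing import Callable, Dict, List, Optional, Tuple


def trusted_measurement(modules: Dict[str, bytes], environment: Dict[str, str]) -> str:
    """Hash the predefined program modules and runtime environment, as the
    trusted measurement unit does in S303 / S405 / S607.  Each field is
    length-prefixed so that moving bytes between fields changes the digest."""
    h = hashlib.sha256()
    for name in sorted(modules):
        data = modules[name]
        h.update(b"module:%s:%d:" % (name.encode(), len(data)))
        h.update(data)
    for key in sorted(environment):
        value = environment[key].encode()
        h.update(b"env:%s:%d:" % (key.encode(), len(value)))
        h.update(value)
    return h.hexdigest()


class TrustedMeasurementUnit:
    """Stand-in for unit 702.  It measures the live module and environment
    objects it was given, so later tampering with them shows up in the digest."""

    def __init__(self, modules: Dict[str, bytes], environment: Dict[str, str]) -> None:
        self.modules = modules
        self.environment = environment

    def measure(self) -> str:
        return trusted_measurement(self.modules, self.environment)


class DeflectionEncryptionUnit:
    """Stand-in for unit 701.  `local_expected` models a pre-provisioned
    expected value (S602); `fetch_from_server` models S603-S605 and is
    assumed to run over a channel that was already mutually authenticated."""

    def __init__(self, tmu: TrustedMeasurementUnit,
                 local_expected: Optional[str] = None,
                 fetch_from_server: Optional[Callable[[], str]] = None) -> None:
        self.tmu = tmu
        self.local_expected = local_expected
        self.fetch_from_server = fetch_from_server
        self.expected: Optional[str] = None
        self.enabled = False
        self.alarms: List[str] = []

    def obtain_expected(self) -> str:
        if self.local_expected is not None:         # S601 -> S602
            return self.local_expected
        if self.fetch_from_server is not None:       # S603 -> S605
            return self.fetch_from_server()
        # FIG. 4 path (S403 -> S406): the expected value is the unit's own
        # initial measurement, so it can only detect changes made after
        # startup, not a system flashed while the vehicle was off.
        return self.tmu.measure()

    def _fail(self, reason: str) -> None:            # S609 / S615
        self.enabled = False
        self.alarms.append(reason)

    def startup(self) -> bool:
        """S601-S609: obtain the expected value, take the initial
        measurement, and refuse to proceed if the two differ."""
        self.expected = self.obtain_expected()
        initial = self.tmu.measure()                 # S606 -> S607
        if not hmac.compare_digest(self.expected, initial):   # S608
            self._fail("initial measurement mismatch at startup")
            return False
        self.enabled = True
        return True

    def deflect(self, coords: List[Tuple[float, float]]) -> Optional[List[Tuple[float, float]]]:
        """S610-S615: re-measure before every data operation.  The offset
        applied here is a constructed placeholder, not a real deflection algorithm."""
        if not self.enabled or self.expected is None:
            return None
        runtime = self.tmu.measure()                 # S610 -> S612
        if not hmac.compare_digest(self.expected, runtime):   # S613
            self._fail("runtime measurement mismatch")
            return None
        return [(round(lon + 0.001, 6), round(lat - 0.002, 6)) for lon, lat in coords]  # S614


def constructed_system() -> Tuple[Dict[str, bytes], Dict[str, str]]:
    """Constructed sample contents standing in for the predefined program
    modules and runtime environment inside the vehicle TEE."""
    modules = {"deflect.so": b"\x7fELF deflect v1", "hdmap_client.so": b"\x7fELF hdmap v3"}
    environment = {"kernel": "5.10-vendor", "tee_version": "2.1"}
    return modules, environment


if __name__ == "__main__":
    modules, environment = constructed_system()
    # The manufacturer pre-computes the expected value from a pristine copy.
    expected = trusted_measurement(dict(modules), dict(environment))
    unit = DeflectionEncryptionUnit(TrustedMeasurementUnit(modules, environment), local_expected=expected)
    print("startup ok:", unit.startup())
    print("deflected:", unit.deflect([(116.3974, 39.9093)]))
    modules["deflect.so"] = b"\x7fELF deflect patched"      # tampering after startup
    print("after tamper:", unit.deflect([(116.3974, 39.9093)]), unit.alarms)
```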
FIG. 7 is a schematic structural diagram of a vehicle-mounted computing device provided by an embodiment of this application. As shown in FIG. 7, the device 70 can be used to perform the data protection method described in any of FIGS. 3 to 6. The device 70 includes a deflection encryption unit 701 and a trusted measurement unit 702, and the deflection encryption unit 701 and the trusted measurement unit 702 run in a trusted execution environment;
where the deflection encryption unit 701 is configured to obtain an expected measurement value and to request the trusted measurement unit 702 to perform a first trusted measurement;
the trusted measurement unit 702 is configured to perform the first trusted measurement, generate a runtime measurement value, and feed the runtime measurement value back to the deflection encryption unit 701;
the deflection encryption unit 701 is further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the runtime measurement value.
In one possible implementation, the deflection encryption unit 701 is further configured to determine, before obtaining the expected measurement value, that no pre-provisioned expected measurement value is present locally, and to request the trusted measurement module to perform a second trusted measurement;
the trusted measurement unit 702 is further configured to perform the second trusted measurement and generate an initial measurement value;
the deflection encryption unit 701 obtaining the expected measurement value includes: the deflection encryption unit 701 obtaining the initial measurement value.
In one possible implementation, the trusted measurement unit 702 performing the second trusted measurement and generating the initial measurement value includes:
the trusted measurement unit 702 generating the initial measurement value by computing a hash over predefined program modules and runtime environment.
In one possible implementation, the deflection encryption unit 701 is further configured to determine, before obtaining the expected measurement value, that no pre-provisioned expected measurement value is present locally, and to request the expected measurement value from a server;
the deflection encryption unit 701 obtaining the expected measurement value includes: the deflection encryption unit 701 receiving the expected measurement value returned by the server.
In one possible implementation, the deflection encryption unit 701 is further configured to determine, before obtaining the expected measurement value, that a pre-provisioned expected measurement value is present locally;
the deflection encryption unit 701 obtaining the expected measurement value includes: the deflection encryption unit 701 obtaining the locally pre-provisioned expected measurement value.
In one possible implementation, the deflection encryption unit 701 is further configured to request, after obtaining the expected measurement value, the trusted measurement module to perform a third trusted measurement;
the trusted measurement unit 702 is further configured to perform the third trusted measurement and generate an initial measurement value;
the deflection encryption unit 701 is further configured to determine that the expected measurement value is not equal to the initial measurement value, and then to disable the data operation function or raise an alarm.
In one possible implementation, the deflection encryption unit 701 being further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the runtime measurement value includes:
the deflection encryption unit 701 being further configured to determine that the expected measurement value is equal to the runtime measurement value, and to perform the data operation.
In one possible implementation, the deflection encryption unit 701 being further configured to verify the security of performing a data operation in the vehicle by comparing the expected measurement value with the runtime measurement value includes:
the deflection encryption unit 701 being further configured to determine that the expected measurement value is not equal to the runtime measurement value, and to disable the data operation function or raise an alarm.
In one possible implementation, the trusted measurement unit 702 being configured to perform the first trusted measurement and generate the runtime measurement value includes:
the trusted measurement unit 702 being configured to generate the runtime measurement value by computing a hash over predefined program modules and runtime environment.
The device provided in this embodiment can be used to carry out the technical solutions of the foregoing method embodiments; its implementation principle and technical effect are similar and are not repeated here.
One or more of the modules in FIG. 7 may be implemented in software, hardware, firmware, or a combination thereof. The software or firmware includes, but is not limited to, computer program instructions or code, and may be executed by a hardware processor. The hardware includes, but is not limited to, integrated circuits of various kinds, such as a central processing unit (CPU), a digital signal processor (DSP), a field-programmable gate array (FPGA), or an application-specific integrated circuit (ASIC).
FIG. 8 is a schematic diagram of the hardware structure of a vehicle-mounted computing device provided by an embodiment of this application. As shown in FIG. 8, the vehicle-mounted computing device 80 can be used to perform the data protection method described in any of FIGS. 3 to 6. The vehicle-mounted computing device 80 includes a processor 801 and a memory 802, where:
the memory 802 is configured to store computer-executable instructions;
the processor 801 is configured to execute the computer-executable instructions stored in the memory so as to implement the steps performed by the data protection method in the foregoing embodiments. For details, refer to the related description in the foregoing method embodiments.
Optionally, the memory 802 may be separate from, or integrated with, the processor 801.
When the memory 802 is provided separately, the vehicle-mounted computing device further includes a bus 803 connecting the memory 802 and the processor 801.
Optionally, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), or the like. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the service processing method embodiments disclosed in the embodiments of this application may be embodied directly as being performed by a hardware processor, or performed by a combination of hardware and software modules in the processor.
An embodiment of this application further provides a computer storage medium including computer instructions which, when executed by a processor, implement the data protection method performed by the vehicle-mounted computing device described above.
An embodiment of this application provides a computer program product which, when run on a processor, implements the data protection method performed by the vehicle-mounted computing device described above.
An embodiment of this application further provides a smart vehicle including an in-vehicle communication device and the vehicle-mounted computing device described in the foregoing embodiment.
All or some of the steps of the foregoing method embodiments may be implemented by hardware directed by program instructions. The program may be stored in a readable memory. When executed, the program performs the steps of the foregoing method embodiments; the memory (storage medium) includes read-only memory (ROM), RAM, flash memory, hard disk, solid-state drive, magnetic tape, floppy disk, optical disc, and any combination thereof.
The embodiments of this application are described with reference to flowcharts and/or block diagrams of the methods, devices (systems), and computer program products according to the embodiments of this application. It should be understood that each process and/or block in the flowcharts and/or block diagrams, and combinations of processes and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processing unit of a general-purpose computer, a special-purpose computer, an embedded processor, or another programmable data processing device to produce a machine, such that the instructions executed by the processing unit of the computer or other programmable data processing device produce an apparatus for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including an instruction apparatus, where the instruction apparatus implements the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
These computer program instructions may also be loaded onto a computer or other programmable data processing device, such that a series of operating steps is performed on the computer or other programmable device to produce computer-implemented processing, so that the instructions executed on the computer or other programmable device provide steps for implementing the functions specified in one or more processes of the flowcharts and/or one or more blocks of the block diagrams.
Obviously, a person skilled in the art can make various changes and modifications to the embodiments of this application without departing from the spirit and scope of the embodiments of this application. Accordingly, if these modifications and variations of the embodiments of this application fall within the scope of the claims of the embodiments of this application and their equivalent technologies, the embodiments of this application are also intended to encompass these changes and modifications.
In the embodiments of this application, the term "including" and its variants may denote non-limiting inclusion, and the term "or" and its variants may denote "and/or". The terms "first", "second", and so on in the embodiments of this application are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. In the embodiments of this application, "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, A and/or B may mean: A alone, both A and B, or B alone. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship.
The foregoing are merely specific implementations of this application, but the protection scope of this application is not limited thereto. Any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed in this application shall fall within the protection scope of this application. Therefore, the protection scope of this application shall be subject to the protection scope of the claims.

Claims (23)

  1. A data protection method, characterized in that it is applied to a vehicle-mounted computing device, wherein the vehicle-mounted computing device comprises a deflection encryption unit and a trusted measurement unit, the deflection encryption unit and the trusted measurement unit running in a trusted execution environment, the method comprising:
    the deflection encryption unit obtaining an expected metric value;
    the deflection encryption unit requesting to call the trusted measurement unit to perform a first trusted measurement;
    the trusted measurement unit performing the first trusted measurement to generate a running metric value;
    the trusted measurement unit feeding back the running metric value to the deflection encryption unit;
    the deflection encryption unit verifying the security of performing a data operation in the vehicle by comparing the expected metric value with the running metric value.
  2. The method according to claim 1, characterized in that, before the deflection encryption unit obtains the expected metric value, the method further comprises:
    the deflection encryption unit determining that no prefabricated expected metric value exists locally;
    the deflection encryption unit requesting to call the trusted measurement unit to perform a second trusted measurement;
    the trusted measurement unit performing the second trusted measurement to generate an initial metric value;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit obtaining the initial metric value.
  3. The method according to claim 2, characterized in that the trusted measurement unit performing the second trusted measurement to generate the initial metric value comprises:
    the trusted measurement unit generating the initial metric value by performing a hash calculation over predefined program modules and the operating environment.
  4. The method according to claim 1, characterized in that, before the deflection encryption unit obtains the expected metric value, the method further comprises:
    the deflection encryption unit determining that no prefabricated expected metric value exists locally;
    the deflection encryption unit requesting the expected metric value from a server;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit receiving the expected metric value returned by the server.
  5. The method according to claim 1, characterized in that, before the deflection encryption unit obtains the expected metric value, the method further comprises:
    the deflection encryption unit determining that a prefabricated expected metric value exists locally;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit obtaining the locally prefabricated expected metric value.
  6. The method according to claim 4 or 5, characterized in that, after the deflection encryption unit obtains the expected metric value, the method further comprises:
    the deflection encryption unit requesting to call the trusted measurement unit to perform a third trusted measurement;
    the trusted measurement unit performing the third trusted measurement to generate an initial metric value;
    the deflection encryption unit determining that the expected metric value is not equal to the initial metric value;
    the deflection encryption unit disabling the function of the data operation, or raising an alarm.
  7. The method according to any one of claims 1 to 6, characterized in that the deflection encryption unit verifying the security of performing the data operation in the vehicle by comparing the expected metric value with the running metric value comprises:
    the deflection encryption unit determining that the expected metric value is equal to the running metric value;
    the deflection encryption unit performing the data operation.
  8. The method according to any one of claims 1 to 6, characterized in that the deflection encryption unit verifying the security of performing the data operation in the vehicle by comparing the expected metric value with the running metric value comprises:
    the deflection encryption unit determining that the expected metric value is not equal to the running metric value;
    the deflection encryption unit disabling the function of the data operation, or raising an alarm.
  9. The method according to any one of claims 1 to 8, characterized in that the trusted measurement unit performing the first trusted measurement to generate the running metric value comprises:
    the trusted measurement unit generating the running metric value by performing a hash calculation over predefined program modules and the operating environment.
  10. A vehicle-mounted computing device, characterized by comprising a deflection encryption unit and a trusted measurement unit, the deflection encryption unit and the trusted measurement unit running in a trusted execution environment;
    the deflection encryption unit being configured to obtain an expected metric value and to request to call the trusted measurement unit to perform a first trusted measurement;
    the trusted measurement unit being configured to perform the first trusted measurement, generate a running metric value, and feed back the running metric value to the deflection encryption unit;
    the deflection encryption unit being further configured to verify the security of performing a data operation in the vehicle by comparing the expected metric value with the running metric value.
  11. The device according to claim 10, characterized in that:
    the deflection encryption unit is further configured to determine, before obtaining the expected metric value, that no prefabricated expected metric value exists locally, and to request to call the trusted measurement module to perform a second trusted measurement;
    the trusted measurement unit is further configured to perform the second trusted measurement to generate an initial metric value;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit obtaining the initial metric value.
  12. The device according to claim 11, characterized in that the trusted measurement unit performing the second trusted measurement to generate the initial metric value comprises:
    the trusted measurement unit generating the initial metric value by performing a hash calculation over predefined program modules and the operating environment.
  13. The device according to claim 10, characterized in that:
    the deflection encryption unit is further configured to determine, before obtaining the expected metric value, that no prefabricated expected metric value exists locally, and to request the expected metric value from a server;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit receiving the expected metric value returned by the server.
  14. The device according to claim 10, characterized in that:
    the deflection encryption unit is further configured to determine, before obtaining the expected metric value, that a prefabricated expected metric value exists locally;
    and the deflection encryption unit obtaining the expected metric value comprises: the deflection encryption unit obtaining the locally prefabricated expected metric value.
  15. The device according to claim 13 or 14, characterized in that:
    the deflection encryption unit is further configured to request, after obtaining the expected metric value, to call the trusted measurement module to perform a third trusted measurement;
    the trusted measurement unit is further configured to perform the third trusted measurement to generate an initial metric value;
    the deflection encryption unit is further configured to determine that the expected metric value is not equal to the initial metric value, and then to disable the function of the data operation or raise an alarm.
  16. The device according to any one of claims 10 to 15, characterized in that the deflection encryption unit being further configured to verify the security of performing the data operation in the vehicle by comparing the expected metric value with the running metric value comprises:
    the deflection encryption unit being further configured to determine that the expected metric value is equal to the running metric value, and to perform the data operation.
  17. The device according to any one of claims 10 to 15, characterized in that the deflection encryption unit being further configured to verify the security of performing the data operation in the vehicle by comparing the expected metric value with the running metric value comprises:
    the deflection encryption unit being further configured to determine that the expected metric value is not equal to the running metric value, and to disable the function of the data operation or raise an alarm.
  18. The device according to any one of claims 10 to 17, characterized in that the trusted measurement unit being configured to perform the first trusted measurement to generate the running metric value comprises:
    the trusted measurement unit being configured to generate the running metric value by performing a hash calculation over predefined program modules and the operating environment.
  19. A vehicle-mounted computing device, characterized by comprising a memory and a processor, the memory storing computer program instructions and the processor executing the computer program instructions to perform the operations according to any one of claims 1 to 9.
  20. A computer storage medium, characterized by comprising computer instructions which, when executed by a processor, implement the method according to any one of claims 1 to 9.
  21. A computer program product, characterized in that, when the computer program product runs on a processor, the method according to any one of claims 1 to 9 is implemented.
  22. A data processing system, characterized by comprising a server and the vehicle-mounted computing device according to any one of claims 10 to 19.
  23. A smart vehicle, comprising a vehicle-mounted communication device and the vehicle-mounted computing device according to any one of claims 10 to 19.
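The measurement-and-comparison flow claimed above (obtain an expected metric value from a local prefabricated copy, a server, or a second measurement; optionally re-measure and compare at startup; then compare a fresh measurement against the expected value before each data operation and fail closed on mismatch) can be seen end to end in the following added example. It is illustration code written for this page, not code from the patent or from 华为技术有限公司; the class names `TrustedMeasurementUnit` and `DeflectionEncryptionUnit`, the choice of SHA-256 (the claims say only "hash calculation"), and the sample module bytes and environment strings are all constructed assumptions.

```python
import hashlib
from enum import Enum
from typing import Callable, Dict, List, Optional

# Constructed sample inputs standing in for the "predefined program modules" and
# "operating environment" that the claims hash. Invented for this demo only.
PROGRAM_MODULES: Dict[str, bytes] = {
    "deflection_encryption.so": b"\x7fELF-demo-deflection-encryption-v1",
    "map_data_loader.so": b"\x7fELF-demo-map-data-loader-v1",
}
RUNTIME_ENV: Dict[str, str] = {"tee_os": "demo-tee-1.0", "kernel": "demo-kernel-5.10"}


class Verdict(Enum):
    EXECUTE = "perform the data operation"               # claims 7 / 16
    DISABLE_AND_ALARM = "disable data operation, alarm"  # claims 6, 8 / 15, 17


class TrustedMeasurementUnit:
    """Stand-in for the trusted measurement unit: hashes modules plus environment.

    SHA-256 is an assumption; the claims only require a hash calculation.
    """

    def __init__(self, modules: Dict[str, bytes], env: Dict[str, str]) -> None:
        self.modules = modules
        self.env = env

    def measure(self) -> str:
        h = hashlib.sha256()
        # Sorted, length-delimited fields keep the digest deterministic and stop
        # a (name, content) boundary shift from producing the same byte stream.
        for name in sorted(self.modules):
            data = self.modules[name]
            h.update(f"{name}:{len(data)}:".encode())
            h.update(data)
        for key in sorted(self.env):
            h.update(f"{key}={self.env[key]};".encode())
        return h.hexdigest()


class DeflectionEncryptionUnit:
    """Stand-in for the deflection encryption unit's measurement-checking logic."""

    def __init__(self, tmu: TrustedMeasurementUnit,
                 local_expected: Optional[str] = None,
                 server: Optional[Callable[[], str]] = None) -> None:
        self.tmu = tmu
        self.local_expected = local_expected  # claim 5: value prefabricated locally
        self.server = server                  # claim 4: value fetched from a server
        self.expected: Optional[str] = None

    def obtain_expected(self) -> str:
        if self.local_expected is not None:      # claim 5
            self.expected = self.local_expected
        elif self.server is not None:            # claim 4
            self.expected = self.server()
        else:                                    # claim 2: second measurement is the reference
            self.expected = self.tmu.measure()
        return self.expected

    def startup_check(self) -> Verdict:
        """Claim 6: after a local/server expected value is obtained, a third
        measurement is compared against it before any data operation."""
        initial = self.tmu.measure()
        return Verdict.EXECUTE if initial == self.expected else Verdict.DISABLE_AND_ALARM

    def verify_and_operate(self) -> Verdict:
        """Claims 7/8: the first trusted measurement at operation time is compared
        with the expected value; a missing expected value fails closed."""
        running = self.tmu.measure()
        if self.expected is not None and running == self.expected:
            return Verdict.EXECUTE
        return Verdict.DISABLE_AND_ALARM


def demo() -> List[Verdict]:
    """Server-provisioned expected value, then a module is tampered with after startup."""
    tmu = TrustedMeasurementUnit(dict(PROGRAM_MODULES), dict(RUNTIME_ENV))
    golden = tmu.measure()  # constructed: what a server would hold for this build
    deu = DeflectionEncryptionUnit(tmu, server=lambda: golden)
    deu.obtain_expected()
    verdicts = [deu.startup_check(), deu.verify_and_operate()]
    tmu.modules["map_data_loader.so"] = b"\x7fELF-demo-map-data-loader-PATCHED"
    verdicts.append(deu.verify_and_operate())
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v.value)
```

Two design points worth noting. The claim-2 path (no local or server value, so the second measurement becomes the reference) can only detect changes relative to whatever state the device was first measured in, so the startup check of claim 6 is meaningful only when the expected value comes from outside the device. And the mismatch branch here fails closed whether the expected value is absent or merely different, which is the conservative reading of "disable the function of the data operation, or raise an alarm".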
PCT/CN2020/088065 2020-04-30 2020-04-30 Data protection method and apparatus WO2021217559A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202080004383.3A CN112543928B (en) 2020-04-30 2020-04-30 Data protection method and device
PCT/CN2020/088065 WO2021217559A1 (en) 2020-04-30 2020-04-30 Data protection method and apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/088065 WO2021217559A1 (en) 2020-04-30 2020-04-30 Data protection method and apparatus

Publications (1)

Publication Number Publication Date
WO2021217559A1 true WO2021217559A1 (en) 2021-11-04

Family

ID=75017314

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/088065 WO2021217559A1 (en) 2020-04-30 2020-04-30 Data protection method and apparatus

Country Status (2)

Country Link
CN (1) CN112543928B (en)
WO (1) WO2021217559A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114827200A (en) * 2022-04-19 2022-07-29 中国测绘科学研究院 Intelligent automobile basic map data safety protection assembly

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101576944A (en) * 2008-11-20 2009-11-11 武汉大学 Computer secure startup system based on trusted platform module
CN103795717A (en) * 2014-01-23 2014-05-14 中国科学院计算技术研究所 Method and system for proving integrity of cloud computing platform
CN108573153A (en) * 2017-03-13 2018-09-25 中标软件有限公司 A kind of onboard operations system and its implementation

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016048177A1 (en) * 2014-09-26 2016-03-31 Intel Corporation Securely exchanging vehicular sensor information
CN104751063B (en) * 2014-12-31 2018-08-14 国家电网公司 A kind of operating system trusted bootstrap method based on real pattern technology
EP3445017B1 (en) * 2017-08-16 2019-10-09 Veoneer Sweden AB A method relating to a motor vehicle driver assistance system
CN111666133A (en) * 2019-03-05 2020-09-15 北京图森智途科技有限公司 Vehicle-mounted infrastructure for automatically driving vehicle
EP3716114A1 (en) * 2019-03-29 2020-09-30 General Electric Company Method and system for remote load of on-board certified software
CN110838919B (en) * 2019-11-01 2021-04-13 广州小鹏汽车科技有限公司 Communication method, storage method, operation method and device

Also Published As

Publication number Publication date
CN112543928A (en) 2021-03-23
CN112543928B (en) 2021-12-14

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20933453; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20933453; Country of ref document: EP; Kind code of ref document: A1)