Summary of the invention
For solving the problems of the technologies described above, the object of the present invention is to provide a kind of information security coprocessor, it is by providing a storage that outside is visible, local storage space that is that comprise configurable safe and dangerous two regions of size carries out information, and the information being wherein stored in safety zone can not be obtained by processor outside.While realizing information privacy, this information security processor can facilitate different application demands and system development.
Correspondingly, the present invention also aims to the management method that internal storage space in a kind of above-mentioned information security coprocessor is provided.
One of for achieving the above object, a kind of information security coprocessor of the present invention, comprises as lower unit:
Home address space unit: comprise a safe space and a non-security space, both are all configurable, the data being stored in safe space can not by direct read-out processor;
Control module: for carrying out Row control by certain steering logic;
Mathematical operation unit: for realizing mathematical operation;
Cryptographic algorithm engine: for performing cryptographic algorithm, to realize encryption or decipher function.
As a further improvement on the present invention, described information security coprocessor also comprises a DMA engine transmitted for data between responsible ahb bus and home address space unit.
As a further improvement on the present invention, described information security coprocessor also comprises a register file.
As a further improvement on the present invention, described register file comprises control register and status register.
As a further improvement on the present invention, described mathematical operation comprises and copying or XOR or both combination above.
For realizing another goal of the invention of the present invention, the management method of internal storage space in a kind of information security coprocessor, described information security coprocessor has an outside visible home address space, and described method comprises the steps:
S1, described home address space is divided into a safe space and a non-security space, wherein, the data being stored in safe space can not by direct read-out processor;
The size in safe space and non-security space described in S2, initialization;
S3, use described home address space, by confidential information storage in safe space, configure the size in described safe space and non-security space as required;
S4, in described information security coprocessor, carry out data processing, wherein, when there being at least one input data to be present in safe space, and when input can be obtained by output calculation, the corresponding data that export all do not allow to write non-security space or external memory space.
As a further improvement on the present invention, the mode of described data processing comprises mathematical operation, and wherein, described mathematical operation comprises and copying or XOR or both combination above.
As a further improvement on the present invention, the step " configuring the size in described safe space and non-security space as required " in described step S3 is specially:
The division in described safe space and non-security space can be changed, and wherein, the size of safe space can only increase, and the region originally belonging to safe space can not be modified as non-security space.
As a further improvement on the present invention, the method also comprises and between ahb bus and home address space, transmits data by DMA engine.
Compared with prior art, the present invention carries out the storage of security information by providing configurable, an outside visible safe space, while protecting significant data, also facilitate the use to coprocessor.Meanwhile, in the present invention, the size of safe space can be changed as required, thus facilitates different application demands and system development.
Embodiment
Describe the present invention below with reference to embodiment shown in the drawings.But these embodiments do not limit the present invention, the structure that those of ordinary skill in the art makes according to these embodiments, method or conversion functionally are all included in protection scope of the present invention.
Please refer to shown in Fig. 1, in the embodiment of the invention, a kind of information security coprocessor, comprise as lower unit: home address space unit 10, control module 20, mathematical operation unit, cryptographic algorithm engine 40, DMA (Direct Memory Access, direct memory access) engine 50 and register file 60.A coprocessor often needs certain internal storage space, and the important safety related data left in wherein needs strict protection.On the other hand, the storage space of coprocessor also requires that certain external visibility is with easy to use.The present invention proposes the Managed Solution of a set of coprocessor internal storage space, while protecting significant data, also facilitate the use to coprocessor.
Wherein, in the present embodiment, DMA (Direct Memory Access, direct memory access) engine 50 is for data transmission between responsible ahb bus and home address space unit, in other embodiments, DMA engine can be replaced the parts that other can realize similar functions.Wherein, the present invention adopts two kinds of buses to carry out data transmission: AHB (Advanced High performance Bus) system bus and APB (Advanced Peripheral Bus) peripheral bus, and AHB is mainly used in the connection between high-performance module (as CPU, DMA and DSP etc.); APB is mainly used in the connection between the periphery peripheral hardware of low bandwidth, such as UART, 1284 etc.
Register file 60 comprises for the control register for controlling and determine the operator scheme of processor and current characteristic of executing the task, for various status information status registers embodying present instruction execution result etc.Register file 60 can carry out data transmission between APB bus.
Home address space unit 10 comprises a safe space and a non-security space, and both are all configurable, and the data being stored in safe space can not by direct read-out processor; Coprocessor home address space is outside visible, is divided into safe and dangerous two pieces.Leaked to prevent the information being stored in safety zone, for following two paths: (one) by home address space through DMA engine to ahb bus, (two) by home address space after "=" (the copying) in mathematical operation unit or " xor " (XOR) computing to home address space, when there being input data to be present in security address space, do not allow to export data and write non-security address space or external memory space, the rule of depositing through the data of cryptographic algorithm engine is solidified by hardware.
About the outside non-availability of data in external visibility and safety zone, these two not contradictions.Whole local storage is outside visible, but the data of safety zone forbid being read out.Same address, when being divided into safety zone, this address is visible but can not be read.When being divided into insecure area, this address is visible also can be read.
Control module 20 is for carrying out Row control by certain steering logic;
Mathematical operation unit 30 is for realizing mathematical operation, and wherein, in the present embodiment, mathematical operation can comprise and copying or XOR or both combination above.
Cryptographic algorithm engine 40 for performing cryptographic algorithm, with realize encryption or decipher function.Cryptographic algorithm is the mathematical function for encryption and decryption, and cryptographic algorithm is the basis of cipher protocol.
In the present invention, visible (directly or indirectly) address space in the outside due to coprocessor is divided into safe and dangerous two kinds.If the data processing of coprocessor inside is used (y1 ..., yM) and=f (x1,, xN), M>0, N>0, represents, when the input parameter of function can be released by result is counter, as long as the input parameter xi of function, i=1 ..., N, in have at least one all or part of from security address space, all function result all can not all or part ofly be present in non-security address space or external address space.
Shown in ginseng Fig. 2, when after system hard reset, start secure launch process, in execution secure launch process, initializing secure space size, after clean boot terminates, the ratio (safe space can only increase) in safe space and non-security space can be adjusted, bring into use coprocessor.Safe space ratio can be again increased as required in process.After a hard reset, the security address space of coprocessor and the division of non-security address space can be changed, but the size of security address space can only increase, and the region originally belonging to security address space can not be modified as non-security address space.
Shown in ginseng Fig. 3, in the present embodiment, home address space is the storage space of 4KB, and for the home address space of 4KB herein, place of safety and non-security district allow four kinds of configurations as shown in the figure, and corresponding four configurations are numbered respectively: 0,1,2,3.After a hard reset, configuration 0 is used.There is a mark in register file, when it is set to 1, then change to the configuration corresponding to next one numbering of current number, and by clear for this mark 0.
As shown in Figure 4, in an embodiment of the present invention, the management method of internal storage space in a kind of information security coprocessor, the method uses the above-mentioned information security coprocessor mentioned to realize, described information security coprocessor has an outside visible home address space, and the method comprises the steps:
S1, described home address space is divided into a safe space and a non-security space, wherein, the data being stored in safe space can not by direct read-out processor; Safe space and non-security space are outside visible, so more convenient use, and both are also configurable, are so also convenient to do corresponding change according to demand.
About the outside non-availability of data in external visibility and safety zone, these two not contradictions.Whole local storage is outside visible, but the data of safety zone forbid being read out.Same address, when being divided into safety zone, this address is visible but can not be read.When being divided into insecure area, this address is visible also can be read.
The size in safe space and non-security space described in S2, initialization; Preferably, carry out initialization by hard reset, the safe space after initialization be [0KB, 0KB), non-security space [0KB, 4KB), correspond to configuration numbering 0.
S3, use described home address space, be stored in safe space after security information being encrypted by cryptographic algorithm, configure the size in described safe space and non-security space as required; Here say refer to safe space can suitably increase space with adaption demand.
S4, in described information security coprocessor, carry out data processing, wherein, when there being at least one input data to be present in safe space, and when input can be obtained by output calculation, the corresponding data that export all do not allow to write non-security space or external memory space.Visible (directly or indirectly) address space in outside due to coprocessor is divided into safe and dangerous two kinds.If the data processing of coprocessor inside is used (y1 ..., yM) and=f (x1,, xN), M>0, N>0, represents, when the input parameter of function can be released by result is counter, as long as the input parameter xi of function, i=1 ..., N, in have at least one all or part of from security address space, all function result all can not all or part ofly be present in non-security address space or external address space.
Wherein, preferably, the mode of described data processing comprises mathematical operation, and wherein, described mathematical operation comprises and copying or XOR or both combination above.
Wherein, preferably, the step " configuring the size in described safe space and non-security space as required " in described step S3 is specially:
The division in described safe space and non-security space can be changed, and wherein, the size of safe space can only increase, and the region originally belonging to safe space can not be modified as non-security space.
Wherein, preferably, the method also comprises and between ahb bus and home address space, transmits data by DMA engine.
Compared with prior art, the present invention carries out the storage of security information by providing configurable, an outside visible safe space, while protecting significant data, also facilitate the use to coprocessor.Meanwhile, in the present invention, the size of safe space can be changed as required, thus facilitates different application demands and system development.
Device embodiments described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
For convenience of description, various unit is divided into describe respectively with function when describing above device.Certainly, the function of each unit can be realized in same or multiple software and/or hardware when implementing the application.
Device embodiments described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
The application can describe in the general context of computer executable instructions, such as program module.Usually, program module comprises the routine, program, object, assembly, data structure etc. that perform particular task or realize particular abstract data type.Also can put into practice the application in a distributed computing environment, in these distributed computing environment, be executed the task by the remote processing devices be connected by communication network.In a distributed computing environment, program module can be arranged in the local and remote computer-readable storage medium comprising memory device.
Be to be understood that, although this instructions is described according to embodiment, but not each embodiment only comprises an independently technical scheme, this narrating mode of instructions is only for clarity sake, those skilled in the art should by instructions integrally, technical scheme in each embodiment also through appropriately combined, can form other embodiments that it will be appreciated by those skilled in the art that.
A series of detailed description listed is above only illustrating for feasibility embodiment of the present invention; they are also not used to limit the scope of the invention, all do not depart from the skill of the present invention equivalent implementations done of spirit or change all should be included within protection scope of the present invention.