CN102521166B - Information safety coprocessor and method for managing internal storage space in information safety coprocessor - Google Patents
Information safety coprocessor and method for managing internal storage space in information safety coprocessor Download PDFInfo
- Publication number
- CN102521166B CN102521166B CN201110398177.8A CN201110398177A CN102521166B CN 102521166 B CN102521166 B CN 102521166B CN 201110398177 A CN201110398177 A CN 201110398177A CN 102521166 B CN102521166 B CN 102521166B
- Authority
- CN
- China
- Prior art keywords
- space
- security
- coprocessor
- safe
- safety
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a method for managing an internal storage space in an information safety coprocessor. The method comprises the following steps of: dividing a local address space into a safety space and a non-safety space, wherein the safety space is used for storing confidential information; initializing the sizes of the safety space and the non-safety space; by using the local address space, storing the confidential information in the safety space, and configuring the sizes of the safety space and the non-safety space as required; and processing data in the information safety coprocessor, wherein when at least one input datum exists in the safety space and the input can be calculated by the output, corresponding output data are not allowed to be written in the non-safety space or an external storage space. By adoption of the method, important data are protected, and the information safety coprocessor can be conveniently used. Meanwhile, the size of the safety space can be changed as required, so that different application requirements are met, and system development is facilitated.
Description
Technical field
The present invention relates to information security process field, particularly relating to accesses to your password learns the information security coprocessor of algorithm and the management method of internal storage space thereof.
Background technology
Along with the fast development of network technology, information security technology becomes particularly important current.For growing network traffics, utilize merely software mode to encrypt data stream or decrypt operation can not satisfy the demands, therefore build and be called a kind of new trend by the method for hard-wired special purpose system chip.Current information security chip comprises single functional form (such as DES, 3DES, AES, RSA etc.), Mobyneb, high-end chip, SOC, ASIC etc.In embedded system (Embedded System) application, the chip of information security solution is provided to be widely adopted.And in a SOC system, information security processor occurs with the form of coprocessor.
But a coprocessor providing protecting information safety function, simply just can carry out some cryptographic algorithms, and not provide other protection; Also can be a complicated subsystem, the execution environment of complete scheme and safety is provided.The coprocessor ratio of the first type is easier to be embedded in different system, but the safeguard protection of system level is difficult and complicated.The coprocessor of the second type provides good security protection scheme, but limits the design flexibility of the system using it.
Be different from above-mentioned two types, be necessary very much to provide a kind of coprocessor possessing safety prevention measure newly, to realize, while the dirigibility of keeping system design, the burden of system level information protection can being reduced.
Summary of the invention
For solving the problems of the technologies described above, the object of the present invention is to provide a kind of information security coprocessor, it is by providing a storage that outside is visible, local storage space that is that comprise configurable safe and dangerous two regions of size carries out information, and the information being wherein stored in safety zone can not be obtained by processor outside.While realizing information privacy, this information security processor can facilitate different application demands and system development.
Correspondingly, the present invention also aims to the management method that internal storage space in a kind of above-mentioned information security coprocessor is provided.
One of for achieving the above object, a kind of information security coprocessor of the present invention, comprises as lower unit:
Home address space unit: comprise a safe space and a non-security space, both are all configurable, the data being stored in safe space can not by direct read-out processor;
Control module: for carrying out Row control by certain steering logic;
Mathematical operation unit: for realizing mathematical operation;
Cryptographic algorithm engine: for performing cryptographic algorithm, to realize encryption or decipher function.
As a further improvement on the present invention, described information security coprocessor also comprises a DMA engine transmitted for data between responsible ahb bus and home address space unit.
As a further improvement on the present invention, described information security coprocessor also comprises a register file.
As a further improvement on the present invention, described register file comprises control register and status register.
As a further improvement on the present invention, described mathematical operation comprises and copying or XOR or both combination above.
For realizing another goal of the invention of the present invention, the management method of internal storage space in a kind of information security coprocessor, described information security coprocessor has an outside visible home address space, and described method comprises the steps:
S1, described home address space is divided into a safe space and a non-security space, wherein, the data being stored in safe space can not by direct read-out processor;
The size in safe space and non-security space described in S2, initialization;
S3, use described home address space, by confidential information storage in safe space, configure the size in described safe space and non-security space as required;
S4, in described information security coprocessor, carry out data processing, wherein, when there being at least one input data to be present in safe space, and when input can be obtained by output calculation, the corresponding data that export all do not allow to write non-security space or external memory space.
As a further improvement on the present invention, the mode of described data processing comprises mathematical operation, and wherein, described mathematical operation comprises and copying or XOR or both combination above.
As a further improvement on the present invention, the step " configuring the size in described safe space and non-security space as required " in described step S3 is specially:
The division in described safe space and non-security space can be changed, and wherein, the size of safe space can only increase, and the region originally belonging to safe space can not be modified as non-security space.
As a further improvement on the present invention, the method also comprises and between ahb bus and home address space, transmits data by DMA engine.
Compared with prior art, the present invention carries out the storage of security information by providing configurable, an outside visible safe space, while protecting significant data, also facilitate the use to coprocessor.Meanwhile, in the present invention, the size of safe space can be changed as required, thus facilitates different application demands and system development.
Accompanying drawing explanation
Fig. 1 be in an embodiment of the present invention information security coprocessor fundamental diagram;
Fig. 2 is the use schematic flow sheet of the safe space of information security processor in an embodiment of the present invention;
Shown in Fig. 3 is that the safe space of information security processor in an embodiment of the present invention and four kinds of non-security space configure;
Fig. 4 is the workflow diagram of the management method of information security coprocessor internal storage space in an embodiment of the present invention.
Embodiment
Describe the present invention below with reference to embodiment shown in the drawings.But these embodiments do not limit the present invention, the structure that those of ordinary skill in the art makes according to these embodiments, method or conversion functionally are all included in protection scope of the present invention.
Please refer to shown in Fig. 1, in the embodiment of the invention, a kind of information security coprocessor, comprise as lower unit: home address space unit 10, control module 20, mathematical operation unit, cryptographic algorithm engine 40, DMA (Direct Memory Access, direct memory access) engine 50 and register file 60.A coprocessor often needs certain internal storage space, and the important safety related data left in wherein needs strict protection.On the other hand, the storage space of coprocessor also requires that certain external visibility is with easy to use.The present invention proposes the Managed Solution of a set of coprocessor internal storage space, while protecting significant data, also facilitate the use to coprocessor.
Wherein, in the present embodiment, DMA (Direct Memory Access, direct memory access) engine 50 is for data transmission between responsible ahb bus and home address space unit, in other embodiments, DMA engine can be replaced the parts that other can realize similar functions.Wherein, the present invention adopts two kinds of buses to carry out data transmission: AHB (Advanced High performance Bus) system bus and APB (Advanced Peripheral Bus) peripheral bus, and AHB is mainly used in the connection between high-performance module (as CPU, DMA and DSP etc.); APB is mainly used in the connection between the periphery peripheral hardware of low bandwidth, such as UART, 1284 etc.
Register file 60 comprises for the control register for controlling and determine the operator scheme of processor and current characteristic of executing the task, for various status information status registers embodying present instruction execution result etc.Register file 60 can carry out data transmission between APB bus.
Home address space unit 10 comprises a safe space and a non-security space, and both are all configurable, and the data being stored in safe space can not by direct read-out processor; Coprocessor home address space is outside visible, is divided into safe and dangerous two pieces.Leaked to prevent the information being stored in safety zone, for following two paths: (one) by home address space through DMA engine to ahb bus, (two) by home address space after "=" (the copying) in mathematical operation unit or " xor " (XOR) computing to home address space, when there being input data to be present in security address space, do not allow to export data and write non-security address space or external memory space, the rule of depositing through the data of cryptographic algorithm engine is solidified by hardware.
About the outside non-availability of data in external visibility and safety zone, these two not contradictions.Whole local storage is outside visible, but the data of safety zone forbid being read out.Same address, when being divided into safety zone, this address is visible but can not be read.When being divided into insecure area, this address is visible also can be read.
Control module 20 is for carrying out Row control by certain steering logic;
Mathematical operation unit 30 is for realizing mathematical operation, and wherein, in the present embodiment, mathematical operation can comprise and copying or XOR or both combination above.
Cryptographic algorithm engine 40 for performing cryptographic algorithm, with realize encryption or decipher function.Cryptographic algorithm is the mathematical function for encryption and decryption, and cryptographic algorithm is the basis of cipher protocol.
In the present invention, visible (directly or indirectly) address space in the outside due to coprocessor is divided into safe and dangerous two kinds.If the data processing of coprocessor inside is used (y1 ..., yM) and=f (x1,, xN), M>0, N>0, represents, when the input parameter of function can be released by result is counter, as long as the input parameter xi of function, i=1 ..., N, in have at least one all or part of from security address space, all function result all can not all or part ofly be present in non-security address space or external address space.
Shown in ginseng Fig. 2, when after system hard reset, start secure launch process, in execution secure launch process, initializing secure space size, after clean boot terminates, the ratio (safe space can only increase) in safe space and non-security space can be adjusted, bring into use coprocessor.Safe space ratio can be again increased as required in process.After a hard reset, the security address space of coprocessor and the division of non-security address space can be changed, but the size of security address space can only increase, and the region originally belonging to security address space can not be modified as non-security address space.
Shown in ginseng Fig. 3, in the present embodiment, home address space is the storage space of 4KB, and for the home address space of 4KB herein, place of safety and non-security district allow four kinds of configurations as shown in the figure, and corresponding four configurations are numbered respectively: 0,1,2,3.After a hard reset, configuration 0 is used.There is a mark in register file, when it is set to 1, then change to the configuration corresponding to next one numbering of current number, and by clear for this mark 0.
As shown in Figure 4, in an embodiment of the present invention, the management method of internal storage space in a kind of information security coprocessor, the method uses the above-mentioned information security coprocessor mentioned to realize, described information security coprocessor has an outside visible home address space, and the method comprises the steps:
S1, described home address space is divided into a safe space and a non-security space, wherein, the data being stored in safe space can not by direct read-out processor; Safe space and non-security space are outside visible, so more convenient use, and both are also configurable, are so also convenient to do corresponding change according to demand.
About the outside non-availability of data in external visibility and safety zone, these two not contradictions.Whole local storage is outside visible, but the data of safety zone forbid being read out.Same address, when being divided into safety zone, this address is visible but can not be read.When being divided into insecure area, this address is visible also can be read.
The size in safe space and non-security space described in S2, initialization; Preferably, carry out initialization by hard reset, the safe space after initialization be [0KB, 0KB), non-security space [0KB, 4KB), correspond to configuration numbering 0.
S3, use described home address space, be stored in safe space after security information being encrypted by cryptographic algorithm, configure the size in described safe space and non-security space as required; Here say refer to safe space can suitably increase space with adaption demand.
S4, in described information security coprocessor, carry out data processing, wherein, when there being at least one input data to be present in safe space, and when input can be obtained by output calculation, the corresponding data that export all do not allow to write non-security space or external memory space.Visible (directly or indirectly) address space in outside due to coprocessor is divided into safe and dangerous two kinds.If the data processing of coprocessor inside is used (y1 ..., yM) and=f (x1,, xN), M>0, N>0, represents, when the input parameter of function can be released by result is counter, as long as the input parameter xi of function, i=1 ..., N, in have at least one all or part of from security address space, all function result all can not all or part ofly be present in non-security address space or external address space.
Wherein, preferably, the mode of described data processing comprises mathematical operation, and wherein, described mathematical operation comprises and copying or XOR or both combination above.
Wherein, preferably, the step " configuring the size in described safe space and non-security space as required " in described step S3 is specially:
The division in described safe space and non-security space can be changed, and wherein, the size of safe space can only increase, and the region originally belonging to safe space can not be modified as non-security space.
Wherein, preferably, the method also comprises and between ahb bus and home address space, transmits data by DMA engine.
Compared with prior art, the present invention carries out the storage of security information by providing configurable, an outside visible safe space, while protecting significant data, also facilitate the use to coprocessor.Meanwhile, in the present invention, the size of safe space can be changed as required, thus facilitates different application demands and system development.
Device embodiments described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
For convenience of description, various unit is divided into describe respectively with function when describing above device.Certainly, the function of each unit can be realized in same or multiple software and/or hardware when implementing the application.
Device embodiments described above is only schematic, the wherein said unit illustrated as separating component or can may not be and physically separates, parts as unit display can be or may not be physical location, namely can be positioned at a place, or also can be distributed in multiple network element.Some or all of module wherein can be selected according to the actual needs to realize the object of present embodiment scheme.Those of ordinary skill in the art, when not paying creative work, are namely appreciated that and implement.
The application can describe in the general context of computer executable instructions, such as program module.Usually, program module comprises the routine, program, object, assembly, data structure etc. that perform particular task or realize particular abstract data type.Also can put into practice the application in a distributed computing environment, in these distributed computing environment, be executed the task by the remote processing devices be connected by communication network.In a distributed computing environment, program module can be arranged in the local and remote computer-readable storage medium comprising memory device.
Be to be understood that, although this instructions is described according to embodiment, but not each embodiment only comprises an independently technical scheme, this narrating mode of instructions is only for clarity sake, those skilled in the art should by instructions integrally, technical scheme in each embodiment also through appropriately combined, can form other embodiments that it will be appreciated by those skilled in the art that.
A series of detailed description listed is above only illustrating for feasibility embodiment of the present invention; they are also not used to limit the scope of the invention, all do not depart from the skill of the present invention equivalent implementations done of spirit or change all should be included within protection scope of the present invention.
Claims (3)
1. the management method of internal storage space in information security coprocessor, it is characterized in that, described information security coprocessor has an outside visible home address space, and described method comprises the steps:
S1, described home address space is divided into a safe space and a non-security space, wherein, the data being stored in safe space can not by direct read-out processor;
The size in safe space and non-security space described in S2, initialization;
S3, use described home address space, by confidential information storage in safe space, configure the size in described safe space and non-security space as required; The division in described safe space and non-security space can be changed, and the size of safe space can only increase, and the region originally belonging to safe space can not be modified as non-security space;
S4, in described information security coprocessor, carry out data processing, wherein, when there being at least one input data to be present in safe space, and when input can be obtained by output calculation, the corresponding data that export all do not allow to write non-security space or external memory space.
2. method according to claim 1, is characterized in that, the mode of described data processing comprises mathematical operation, and wherein, described mathematical operation comprises and copying or XOR or copy the combination with XOR.
3. method according to claim 1, is characterized in that, the method also comprises transmits data by DMA engine between ahb bus and home address space.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110398177.8A CN102521166B (en) | 2011-12-05 | 2011-12-05 | Information safety coprocessor and method for managing internal storage space in information safety coprocessor |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110398177.8A CN102521166B (en) | 2011-12-05 | 2011-12-05 | Information safety coprocessor and method for managing internal storage space in information safety coprocessor |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN102521166A CN102521166A (en) | 2012-06-27 |
| CN102521166B true CN102521166B (en) | 2015-02-11 |
Family
ID=46292095
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201110398177.8A Active CN102521166B (en) | 2011-12-05 | 2011-12-05 | Information safety coprocessor and method for managing internal storage space in information safety coprocessor |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN102521166B (en) |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN112181879B (en) * | 2020-08-28 | 2022-04-08 | 珠海欧比特宇航科技股份有限公司 | APB interface module for DMA controller, DMA controller and chip |
| CN112148791B (en) * | 2020-09-15 | 2024-05-24 | 张立旭 | Distributed data dynamic adjustment storage method and system |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1451117A (en) * | 2000-06-30 | 2003-10-22 | 英特尔公司 | Method and apparatus for secure execution using a secure memory partition |
| CN1711525A (en) * | 2002-11-18 | 2005-12-21 | Arm有限公司 | Virtual to physical memory address mapping within a data processing system having a secure domain and a non-secure domain |
| CN102064942A (en) * | 2010-11-30 | 2011-05-18 | 南京理工大学 | Credible integrated security processing platform |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8775824B2 (en) * | 2008-01-02 | 2014-07-08 | Arm Limited | Protecting the security of secure data sent from a central processor for processing by a further processing device |
-
2011
- 2011-12-05 CN CN201110398177.8A patent/CN102521166B/en active Active
Patent Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1451117A (en) * | 2000-06-30 | 2003-10-22 | 英特尔公司 | Method and apparatus for secure execution using a secure memory partition |
| CN1711525A (en) * | 2002-11-18 | 2005-12-21 | Arm有限公司 | Virtual to physical memory address mapping within a data processing system having a secure domain and a non-secure domain |
| CN102064942A (en) * | 2010-11-30 | 2011-05-18 | 南京理工大学 | Credible integrated security processing platform |
Also Published As
| Publication number | Publication date |
|---|---|
| CN102521166A (en) | 2012-06-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230110230A1 (en) | Technologies for secure i/o with memory encryption engines | |
| US11088846B2 (en) | Key rotating trees with split counters for efficient hardware replay protection | |
| CN107851151B (en) | Protecting state information of virtual machines | |
| KR102013841B1 (en) | Method of managing key for secure storage of data, and and apparatus there-of | |
| US10097349B2 (en) | Systems and methods for protecting symmetric encryption keys | |
| CN103221961B (en) | Comprise the method and apparatus of the framework for the protection of multi-ser sensitive code and data | |
| EP3326105B1 (en) | Technologies for secure programming of a cryptographic engine for secure i/o | |
| EP2577474B1 (en) | Virtual machine memory compartmentalization in multi-core architectures | |
| EP2577449B1 (en) | Method and apparatus for trusted execution in infrastructure as a service cloud environments | |
| US10810138B2 (en) | Enhanced storage encryption with total memory encryption (TME) and multi-key total memory encryption (MKTME) | |
| US20070101158A1 (en) | Security region in a non-volatile memory | |
| US8498418B2 (en) | Conversion of cryptographic key protection | |
| JP5153887B2 (en) | Method and apparatus for transfer of secure operating mode access privileges from a processor to a peripheral device | |
| EP2803012B1 (en) | Using storage controller bus interfaces to secure data transfer between storage devices and hosts | |
| EP3329416B1 (en) | Secure input/output device management | |
| US20140157404A1 (en) | Virtualizing a hardware monotonic counter | |
| WO2014098998A1 (en) | Securing data transmissions between processor packages | |
| EP4086802A1 (en) | Dynamic memory protection device system and method | |
| CN102521166B (en) | Information safety coprocessor and method for managing internal storage space in information safety coprocessor | |
| CN103150523B (en) | A kind of easy embedded credible terminal system and method | |
| WO2016053407A2 (en) | Speculative cryptographic processing for out of order data | |
| CN113449349A (en) | Platform security mechanism | |
| KR20180074967A (en) | Software security method based on virtualization technologies to ensure the security level equivalent to hardware and system using the same | |
| US8935771B2 (en) | System, method, and computer security device having virtual memory cells | |
| CN117194286B (en) | Micro control unit, processor, access method and access system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| ASS | Succession or assignment of patent right |
Owner name: SOLOMON-SYSTECH (SHENZHEN) CO., LTD. Free format text: FORMER OWNER: SUZHOU XITU SHIDING MICROELECTRONICS CO., LTD. Effective date: 20130829 |
|
| C41 | Transfer of patent application or patent right or utility model | ||
| COR | Change of bibliographic data |
Free format text: CORRECT: ADDRESS; FROM: 215021 SUZHOU, JIANGSU PROVINCE TO: 518057 SHENZHEN, GUANGDONG PROVINCE |
|
| TA01 | Transfer of patent application right |
Effective date of registration: 20130829 Address after: 518057, No. six building, No. two Shenzhen Software Park, central science and technology zone, Nanshan District hi tech Zone, Shenzhen, Guangdong, two Applicant after: Solomon Systech (Shenzhen) Limited Address before: Xinghu Street Industrial Park of Suzhou city in Jiangsu province 215021 No. 328 Creative Industry Park 2-B702 unit Applicant before: Suzhou Xitu Shiding Microelectronics Co.,Ltd. |
|
| C14 | Grant of patent or utility model | ||
| GR01 | Patent grant |