Mobile terminal and access method for an embedded security module based on the mobile terminal
Technical field
The present invention relates to the field of secure communication technology, and in particular to a mobile terminal and an access method for an embedded security module based on the mobile terminal.
Background technology
With the rapid development of mobile terminals such as smartphones, the mobile phone is no longer merely a means of communication. New phone-based demands have emerged, mobile payment among them, and it has become a research focus for mobile operators, handset manufacturers, and SIM card manufacturers. As mobile payment becomes more widely used, its security is also receiving increasing attention.
At present, part of mobile payment is contactless small-value payment based on near field communication (NFC), such as all-in-one cards; another part is bank payment over the mobile Internet, such as various wallets. NFC-based schemes mainly include SIM cards, single wire protocol (SWP) cards, SD cards with an information encryption security chip, the embedded security module eSE, and so on, each backed by a different interest group such as operators, banks, or handset manufacturers. On the handset side, implementations include schemes based on HCE (host card emulation) and schemes based on the eSE. By comparison, the HCE-based scheme is simple to implement, but its drawback is that it relies entirely on software, so it has security problems that are difficult to avoid. The full-terminal scheme based on the eSE still has the advantage, and it is also the scheme that many smartphone manufacturers promote.
Fig. 1 shows the internal structure of a mobile phone under the current eSE-based full-terminal scheme. The operating system framework on the phone's main processor (Mobile Processor) has two parts. The first is the REE side (Rich Execution Environment, generally a general-purpose operating system), which contains the client application CA. The second is the trusted execution environment TEE side, which contains the trusted application TA. To access the eSE, the phone can interact with external data (such as a trusted service management platform, TSM) through an application installation package (APK) and establish communication with the eSE over the SWP interface through the OpenMobileAPI, which supports remote content management of the eSE by the TSM. Alternatively, the NFC controller (NFC Controller, based on the NFC Controller Interface specification, NCI) can handle interaction with an external contactless device (such as a POS terminal), and the interaction between that device and the eSE is completed over the SWP interface. To ensure secure access, access to the eSE is generally performed under the control of the phone's trusted execution environment TEE, whose inherent security mechanisms can block unauthorized access to the eSE. As can be seen, the current ways of accessing the embedded security module eSE are limited: all of them are ultimately completed over the SWP interface between the NFC controller and the eSE. This application proposes the mobile terminal, and the embedded security module access method based on it, to address that problem.
Summary of the invention
In view of the defects of the prior art, the object of the present invention is to provide a new mobile terminal, and an embedded security module access method based on that terminal, that achieve secure access to the embedded security module eSE.
To achieve the above object, the technical solution adopted by the present invention is as follows:
A mobile terminal has a trusted execution environment module TEE and a built-in embedded security module eSE. The trusted execution environment module TEE communicates with the embedded security module eSE through an SPI interface; the TEE is the master device of the SPI communication, and the eSE is the slave device.
Further, in the mobile terminal described above, data is transmitted between the trusted execution environment module TEE and the embedded security module eSE according to a preset data transmission protocol.
Further, in the mobile terminal described above, the data frame of the preset data transmission protocol includes an address information byte NAD, a protocol control byte PCB, a data length LEN, a data block DATA, and a check code CRC; the address information byte NAD is used directly to identify the transmission direction of the data.
Further, in the mobile terminal described above, the mobile terminal includes a smartphone.
An embodiment of the present invention also provides an access method for an embedded security module based on any of the mobile terminals described above, comprising the following step:
The trusted execution environment module TEE sends request data to the embedded security module eSE over the SPI interface, and receives over the SPI interface the response data that the eSE returns according to the request data.
Further, in the access method described above, the request data includes a security application request or a content management request for the embedded security module eSE.
Further, in the access method described above, the security application request includes a security application request sent by the general execution environment module REE of the mobile terminal to the trusted execution environment module TEE, and a security application request of the TEE itself.
Further, in the access method described above, data is transmitted between the trusted execution environment module TEE and the embedded security module eSE according to a preset data transmission protocol.
Further, in the access method described above, the data frame of the preset data transmission protocol includes an address information byte NAD, a protocol control byte PCB, a data length LEN, a data block DATA, and a check code CRC; the address information byte NAD is used directly to identify the transmission direction of the data.
Further, in the access method described above, the trusted execution environment module TEE receives the response data returned by the embedded security module eSE in either polling receive mode or interrupt receive mode.
The polling receive mode is: after sending request data to the embedded security module eSE, the trusted execution environment module TEE actively fetches data from the eSE at a set interval until it receives the response data.
The interrupt receive mode is: after sending request data to the embedded security module eSE, the trusted execution environment module TEE exits the communication process with the eSE; when it detects an interrupt signal from the eSE indicating that data is waiting to be received, it re-enters the communication process and receives the response data sent by the eSE.
The beneficial effect of the present invention is as follows: the mobile terminal and the eSE access method based on it implement a new scheme in which the embedded security module eSE is accessed over an SPI interface under the trusted execution environment module TEE, giving applications in the field of secure mobile payment more options.
Description of the drawings
Fig. 1 is a structural schematic of the modules inside an existing mobile phone;
Fig. 2 is a structural schematic of a mobile terminal provided in a specific embodiment of the invention.
Detailed description of the embodiments
The present invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 2 shows the structure of a mobile terminal provided in a specific embodiment of the invention. As the figure shows, the mobile terminal has a trusted execution environment module TEE and a built-in embedded security module eSE. The TEE communicates with the eSE through an SPI interface; the TEE is the master device of the SPI communication, and the eSE is the slave device.
An SPI interface generally uses four lines: the serial clock line SCK, the master-input/slave-output data line MISO, the master-output/slave-input data line MOSI, and the slave enable signal line CS. Depending on the polarity and phase of the serial clock signal, the SPI interface has four operating modes, namely mode0/1/2/3. However, the SPI interface does not define a transmission control protocol for the data. To solve this problem, in the present embodiment data is transmitted between the trusted execution environment module TEE and the embedded security module eSE according to a preset data transmission protocol, which ensures that data transfer is complete, accurate, and stable.
In one embodiment of the present invention, the structure of the data frame of the preset data transmission protocol is shown in the table below. It includes an address information byte NAD, a protocol control byte PCB, a data length LEN, a data block DATA, and a check code CRC.
NAD (1B) | PCB (1B) | LEN (2B) | DATA | CRC (2B)
Wherein,
NAD: distinguishes the transmission direction of the data. There are two transmission directions, master to slave and slave to master, i.e. Master <----> Slave.
PCB: defines the different frame formats, such as Normal Frame, Reject Frame, Timeout Frame, ...
LEN: the length of the transmitted data
DATA: the transmitted data
CRC: frame check, which verifies the correctness of the data transfer
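The frame layout above, as an added C example (not code from the patent): it builds a frame and validates a received one, rejecting wrong-direction, length-mismatched, and corrupted frames. The NAD and PCB values, the big-endian LEN, the CRC-16/CCITT-FALSE algorithm and its coverage of NAD through DATA, and the 256-byte DATA bound are all assumptions, because the text names the fields without specifying their encodings.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed encodings: the page names the fields but gives no values. */
#define NAD_TEE_TO_ESE 0x5A /* hypothetical: master -> slave */
#define NAD_ESE_TO_TEE 0xA5 /* hypothetical: slave -> master */
#define PCB_NORMAL     0x00 /* hypothetical code for a Normal Frame */
#define FRAME_OVERHEAD 6u   /* NAD + PCB + LEN(2) + CRC(2) */
#define MAX_DATA       256u /* assumed receive-buffer bound */

/* CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF), an assumed choice. */
static uint16_t crc16(const uint8_t *p, size_t n) {
    uint16_t crc = 0xFFFF;
    while (n--) {
        crc ^= (uint16_t)(*p++ << 8);
        for (int i = 0; i < 8; i++)
            crc = (uint16_t)((crc & 0x8000) ? (crc << 1) ^ 0x1021 : crc << 1);
    }
    return crc;
}

/* Build a frame into out; returns its total length, or 0 if it does not fit. */
size_t frame_build(uint8_t nad, uint8_t pcb, const uint8_t *data, size_t len,
                   uint8_t *out, size_t cap) {
    if (len > MAX_DATA || cap < len + FRAME_OVERHEAD) return 0;
    out[0] = nad; out[1] = pcb;
    out[2] = (uint8_t)(len >> 8); out[3] = (uint8_t)len; /* big-endian LEN (assumed) */
    if (len) memcpy(out + 4, data, len);
    uint16_t crc = crc16(out, 4 + len);
    out[4 + len] = (uint8_t)(crc >> 8); out[5 + len] = (uint8_t)crc;
    return len + FRAME_OVERHEAD;
}

/* Validate a received frame; returns the DATA length or a negative error. */
int frame_parse(const uint8_t *buf, size_t n, uint8_t want_nad,
                uint8_t *pcb, const uint8_t **data) {
    if (n < FRAME_OVERHEAD) return -1;            /* shorter than an empty frame */
    if (buf[0] != want_nad) return -2;            /* unexpected direction */
    size_t len = ((size_t)buf[2] << 8) | buf[3];
    if (len > MAX_DATA || len != n - FRAME_OVERHEAD) return -3; /* LEN vs bytes read */
    uint16_t got = (uint16_t)((buf[4 + len] << 8) | buf[5 + len]);
    if (got != crc16(buf, 4 + len)) return -4;    /* CRC mismatch */
    *pcb = buf[1]; *data = buf + 4;
    return (int)len;
}
```

On the receive path the master side would call `frame_parse` with `NAD_ESE_TO_TEE`, so a request echoed back on the bus is rejected as a wrong-direction frame instead of being treated as a response.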
The mobile terminal provided by the present invention implements a new way of transferring data between a mobile terminal and its embedded security module. The scheme is carried out under the control of the trusted execution environment module TEE, which ensures secure access to the eSE, for example the mobile terminal's content management in the eSE, key security authentication, and data access. It should be noted that, besides the trusted execution environment module TEE and the embedded security module eSE, the mobile terminal may also include the other functional modules common to terminal devices, such as the general execution environment module REE and the NFC controller shown in Fig. 2; this is clear to those skilled in the art. In the present embodiment, the mobile terminal includes but is not limited to a smartphone; it may also be a smart bracelet, a smart watch, and so on.
Based on the mobile terminal shown in Fig. 2, the present invention also provides an embedded security module access method, which mainly comprises the following step:
The trusted execution environment module TEE sends request data to the embedded security module eSE over the SPI interface, and receives over the SPI interface the response data that the eSE returns according to the request data.
The request data includes a security application request or a content management request for the embedded security module eSE. The security application request includes but is not limited to a security application request sent by the general execution environment module REE of the mobile terminal to the trusted execution environment module TEE, and a security application request of the TEE itself. For example, when a client application CA in the REE needs the eSE to perform security processing on application data, the REE sends the processing request to the TEE through its interface API with the TEE, and the TEE sends it to the eSE over the SPI interface. Alternatively, when the application data of a trusted application TA of the TEE itself needs security processing by the eSE, the TEE sends the security application request to the eSE. Of course, it is clear to those skilled in the art that all operations in the mobile terminal are run and completed on the terminal's processor.
In the present embodiment, data is transmitted between the trusted execution environment module TEE and the embedded security module eSE according to a preset data transmission protocol. The data frame of the preset data transmission protocol includes an address information byte NAD, a protocol control byte PCB, a data length LEN, a data block DATA, and a check code CRC; the address information byte NAD is used directly to identify the transmission direction of the data.
In the present embodiment, when the trusted execution environment module TEE receives over the SPI interface the response data that the embedded security module eSE returns according to the request data, it can do so in either polling receive mode or interrupt receive mode. The polling receive mode is implemented as follows: after the TEE, as the master device, sends the command data, it repeatedly delays for a set interval and polls (receives) the data sent by the slave device, the eSE; if the data is not valid, it continues to delay and receive until valid data arrives. This scheme is relatively simple and requires no hardware or software overhead on the master beyond the SPI data lines. However, it occupies CPU resources on the phone side during polling.
The interrupt receive mode is implemented as follows: after sending request data to the embedded security module eSE, the trusted execution environment module TEE exits the communication process with the eSE; when it detects an interrupt signal from the eSE indicating that data is waiting to be received, it re-enters the communication process and receives the response data sent by the eSE. In this scheme, once the master device has sent the command data it does not need to poll and can exit the processing routine. When the eSE has finished processing and the response data is ready, it sends an interrupt signal to the TEE. When the TEE hardware (the main processor CPU of the mobile terminal) detects the interrupt signal, it triggers and enters the corresponding interrupt service routine to receive the response message from the eSE. This scheme reduces CPU usage but places some additional requirements on hardware and software (the master device must implement monitoring of the slave device).
The mobile terminal and embedded security module access method of the present invention implement a mechanism for accessing the eSE over the SPI interface under the trusted execution environment TEE. This adds another secure access mechanism for the eSE and can be widely applied in the field of secure mobile payment. For example, sensitive data (such as keys) can be stored inside the eSE; user data is passed into the eSE by the TEE over SPI, and the eSE performs data encryption or key diversification and returns the result to the terminal. Because the data stored in the eSE and the operations performed there cannot be learned from outside, a higher security level can be achieved on this basis for mobile payment or other related mobile applications.
Obviously, those skilled in the art can make various changes and modifications to the present invention without departing from its spirit and scope. Thus, if these changes and modifications fall within the scope of the claims of the present invention and their technical equivalents, the present invention is intended to include them as well.