CN107103251A - Processor including a mapping access interface - Google Patents


Publication number
CN107103251A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710282701.2A
Other languages
Chinese (zh)
Other versions
CN107103251B (en)
Inventor
李春强
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou C Sky Microsystems Co Ltd
Original Assignee
Hangzhou C Sky Microsystems Co Ltd

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/604: Tools and structures for managing or administering access control systems

Abstract

The present invention provides a processor including a mapping access interface. The processor comprises an instruction execution unit, a first mode resource storage unit, a second mode resource storage unit, and a mapping access interface. The instruction execution unit is connected to the first mode resource storage unit, the second mode resource storage unit, and the mapping access interface. The first mode resource storage unit stores the resource information of the processor in the first mode; the second mode resource storage unit stores the resource information of the processor in the second mode; and the mapping access interface is connected to the second mode resource storage unit. The invention can improve the operating efficiency of the processor and reduce processor power consumption.

Description

Processor including a mapping access interface
Technical field
The present invention relates to the field of communication technology, and in particular to a processor including a mapping access interface.
Background
As informatization continues to develop, system trustworthiness becomes more and more important. Traditional trust protection at the software level provides less and less security, because hackers can bypass the software protection, attack the operating system directly, and then steal sensitive software and hardware resources. To make up for the shortcomings of software-level trust protection, a trusted framework has therefore been proposed, which aims to give the system an underlying hardware protection mechanism beyond software.
The design idea of the trusted framework is as follows: a trusted mode is added to the operating modes of the processor, and a trusted kernel is abstracted in the system. The processor in trusted mode, the system IP with the trusted attribute, and the other sensitive and important software and hardware resources in the system are assigned to the trusted kernel. Furthermore, a hardware mechanism ensures that the resources in the trusted kernel can only be accessed in trusted mode, which isolates the trusted kernel from the untrusted kernel and ensures the confidentiality and integrity of trusted resources.
Meanwhile, a mapping access interface is provided in the processor. The mapping access interface lets the trusted kernel safely access the resources under the untrusted kernel, enabling secure interaction between kernel resources. The processor including the mapping access interface virtualizes a trusted kernel and an untrusted kernel on the physical core, and each of the two virtualized kernels is divided into a superuser mode and an ordinary user mode. Under normal circumstances, a mode cannot access the resources of the other modes, which guarantees the security of the system in hardware. When the processor needs to access the resources of another mode from a highly trusted mode, it must save the context of the current mode, switch to the other mode, and only then access the resources of that mode.
In the course of realizing the present invention, the inventor found at least the following technical problem in the prior art: the processor reads the resources of other modes by continually switching modes, which is inefficient and makes processor power consumption high.
Summary of the invention
The present invention provides a processor including a mapping access interface that can improve the operating efficiency of the processor and reduce processor power consumption.
In a first aspect, the present invention provides a processor including a mapping access interface, comprising:
an instruction execution unit, a first mode resource storage unit, a second mode resource storage unit, and a mapping access interface, wherein:
the instruction execution unit is connected to the first mode resource storage unit, the second mode resource storage unit, and the mapping access interface, and is configured to read the resource information of the mapping access interface, or rewrite the resource information of the mapping access interface, according to an instruction received from outside;
the first mode resource storage unit is configured to store the resource information of the processor in the first mode; the instruction execution unit has the right to access the resources of the first mode resource storage unit if and only if the processor is in the first mode;
the second mode resource storage unit is configured to store the resource information of the processor in the second mode; the instruction execution unit has the right to access the resources of the second mode resource storage unit if and only if the processor is in the second mode;
the mapping access interface is connected to the second mode resource storage unit, and is configured to read and save the resources of the second mode resource storage unit in real time, and, when the processor is in the first mode, to rewrite the resource of a resource register in the second mode resource storage unit according to rewrite information sent by the instruction execution unit.
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is a trusted ordinary user mode resource storage unit.
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted superuser mode resource storage unit.
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
Optionally, the first mode resource storage unit is an untrusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
Optionally, the resource register is an exception base register, an exception backup register, or a stack register.
Optionally, the mapping access interface is at least one control register or at least one memory address.
In the processor including a mapping access interface provided by the embodiments of the present invention, the instruction execution unit, while in a user mode with high privilege, can directly access the resources of a user mode with low privilege through the mapping access interface, without making the processor perform a mode switch, thereby improving the operating efficiency of the processor and reducing processor power consumption.
Brief description of the drawings
Fig. 1 is a structural diagram of a processor including a mapping access interface according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of mode switching via the processor program status register according to an embodiment of the present invention;
Fig. 3 is a mapping relationship diagram of a processor including a mapping access interface according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of a high-privilege mode accessing the private resources of a low-privilege mode according to an embodiment of the present invention.
Detailed description
To make the purpose, technical solutions, and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the present invention.
The present invention provides a processor including a mapping access interface. As shown in Fig. 1, the processor comprises:
an instruction execution unit 11, a first mode resource storage unit 12, a second mode resource storage unit 13, and a mapping access interface 14, wherein:
the instruction execution unit 11 is connected to the first mode resource storage unit 12, the second mode resource storage unit 13, and the mapping access interface 14, and is configured to read the resource information of the mapping access interface 14, or rewrite the resource information of the mapping access interface 14, according to an instruction received from outside;
the first mode resource storage unit 12 is configured to store the resource information of the processor in the first mode; the instruction execution unit 11 has the right to access the resources of the first mode resource storage unit 12 if and only if the processor is in the first mode;
the second mode resource storage unit 13 is configured to store the resource information of the processor in the second mode; the instruction execution unit 11 has the right to access the resources of the second mode resource storage unit 13 if and only if the processor is in the second mode;
the mapping access interface 14 is connected to the second mode resource storage unit 13, and is configured to read and save the resources of the second mode resource storage unit 13 in real time, and, when the processor is in the first mode, to rewrite the resource of a resource register in the second mode resource storage unit 13 according to rewrite information sent by the instruction execution unit 11.
In the processor including a mapping access interface provided by the embodiments of the present invention, the instruction execution unit, while in a user mode with high privilege, can directly access the resources of a user mode with low privilege through the mapping access interface, without making the processor perform a mode switch, thereby improving the operating efficiency of the processor and reducing processor power consumption.
Optionally, Fig. 2 is a schematic diagram of mode switching via the processor program status register. The processor has two logically independent kernels, a trusted kernel and an untrusted kernel. Following the two standard programming modes, the trusted kernel is divided into trusted superuser mode and trusted ordinary user mode, and the untrusted kernel is divided into untrusted superuser mode and untrusted ordinary user mode. When the SE bit of the program status register is 1, the processor is currently under the trusted kernel and uses the trusted-state program status register (SEPSR) as its program status register: when the S bit of SEPSR is 1, the processor is in trusted superuser mode, and when the S bit of SEPSR is 0, the processor is in trusted ordinary user mode. When the SE bit of the program status register is 0, the processor is currently under the untrusted kernel and uses the untrusted program status register (NSPSR) as its program status register: when the S bit of NSPSR is 1, the processor is in untrusted superuser mode, and when the S bit of NSPSR is 0, the processor is in untrusted ordinary user mode.
Optionally, as shown in Fig. 3, the four modes of the processor (trusted superuser mode, trusted ordinary user mode, untrusted superuser mode, and untrusted ordinary user mode) have different privileges. Trusted superuser mode has the highest privilege and can access the resources of trusted ordinary user mode, untrusted superuser mode, and untrusted ordinary user mode through the mapping access interface. Untrusted superuser mode has higher privilege than untrusted ordinary user mode and can access the resources of untrusted ordinary user mode through the mapping access interface. Trusted ordinary user mode can only access the resources of trusted ordinary user mode and has no right to access the resources of other modes. Untrusted ordinary user mode can only access the resources of untrusted ordinary user mode and has no right to access the resources of other modes.
Optionally, when the processor runs in trusted superuser mode and needs to read the stack register of trusted ordinary user mode, the instruction execution unit of the processor fetches and decodes the instruction and then obtains the mapped resource directly through the mapping access interface. The mapped resource is the resource of the stack register of trusted ordinary user mode, which the mapping access interface stores in real time in its own control register, thereby achieving the purpose of reading the trusted ordinary user stack register in trusted superuser mode.
Optionally, when the processor runs in trusted superuser mode and needs to read the stack register of untrusted ordinary user mode, the instruction execution unit of the processor fetches and decodes the instruction and then obtains the mapped resource directly through the mapping access interface. The mapped resource is the resource of the stack register of untrusted ordinary user mode, which the mapping access interface stores in real time in its own control register, thereby achieving the purpose of reading the untrusted ordinary user stack register in trusted superuser mode.
Optionally, when the processor runs in trusted superuser mode and needs to read the stack register of untrusted superuser mode, the instruction execution unit of the processor fetches and decodes the instruction and then obtains the mapped resource directly through the mapping access interface. The mapped resource is the resource of the stack register of untrusted superuser mode, which the mapping access interface stores in real time in its own control register, thereby achieving the purpose of reading the untrusted superuser stack register in trusted superuser mode.
Optionally, when the processor runs in untrusted superuser mode under the untrusted kernel and needs to read the stack register of untrusted ordinary user mode under the untrusted kernel, the instruction execution unit of the processor fetches and decodes the instruction and then obtains the mapped resource directly through the mapping access interface. The mapped resource is the resource of the stack register of untrusted ordinary user mode, which the mapping access interface stores in real time in its own control register, thereby achieving the purpose of reading the untrusted superuser stack register in trusted superuser mode.
Optionally, when the processor runs in trusted superuser mode or untrusted superuser mode and needs to rewrite the untrusted ordinary user stack register, the instruction execution unit sends the write address and write data to the mapping access interface. After the mapping access interface rewrites the content of its control register, it sends the rewritten content to the untrusted ordinary user stack register, so that the processor achieves the purpose of rewriting the resource.
Optionally, when the processor runs in trusted superuser mode and needs to rewrite the untrusted superuser stack register, the instruction execution unit sends the write address and write data to the mapping access interface. After the mapping access interface rewrites the content of its control register, it sends the rewritten content to the untrusted superuser stack register, so that the processor achieves the purpose of rewriting the resource.
Optionally, when the processor runs in trusted superuser mode and needs to rewrite the trusted ordinary user stack register, the instruction execution unit sends the write address and write data to the mapping access interface. After the mapping access interface rewrites the content of its control register, it sends the rewritten content to the trusted ordinary user stack register, so that the processor achieves the purpose of rewriting the resource.
Optionally, the stack register may also be an exception base register, an exception backup register, or a stack register.
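The SE/S mode decoding, the privilege rules of the four modes, and the mapped read and write paths for the stack register can be modelled in software as follows. This is an added illustration, not code from the patent; the type and function names, the one-control-register-per-mode layout, and the sample stack-pointer values are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Mode index is (SE << 1) | S, following the SE and S bit description. */
typedef enum {
    NS_USER  = 0,   /* SE=0, NSPSR.S=0: untrusted ordinary user mode */
    NS_SUPER = 1,   /* SE=0, NSPSR.S=1: untrusted superuser mode     */
    SE_USER  = 2,   /* SE=1, SEPSR.S=0: trusted ordinary user mode   */
    SE_SUPER = 3,   /* SE=1, SEPSR.S=1: trusted superuser mode       */
    MODE_COUNT
} cpu_mode;

typedef enum { ACCESS_DENIED, ACCESS_DIRECT, ACCESS_MAPPED } access_kind;

typedef struct {
    unsigned se;                    /* SE bit of the program status register */
    unsigned sepsr_s, nspsr_s;      /* S bit of SEPSR and of NSPSR           */
    uint32_t sp[MODE_COUNT];        /* private stack register of each mode   */
    uint32_t map_ctrl[MODE_COUNT];  /* assumed layout: one mapping-interface
                                       control register per mode's stack reg */
} cpu_model;

/* Build a model; the stack-pointer values are constructed sample data. */
cpu_model make_model(unsigned se, unsigned sepsr_s, unsigned nspsr_s)
{
    cpu_model c = { .se = se, .sepsr_s = sepsr_s, .nspsr_s = nspsr_s };
    for (unsigned m = 0; m < (unsigned)MODE_COUNT; m++) {
        c.sp[m] = 0x20000000u + 0x1000u * m;
        c.map_ctrl[m] = c.sp[m];    /* the interface mirrors the resource */
    }
    return c;
}

/* SE selects which status register supplies the S bit. */
cpu_mode current_mode(const cpu_model *c)
{
    unsigned s = c->se ? c->sepsr_s : c->nspsr_s;
    return (cpu_mode)(((c->se & 1u) << 1) | (s & 1u));
}

/* Privilege rules of the four modes: a mode reaches its own resources
 * directly; only the two superuser modes get mapped access, and the
 * untrusted one only to untrusted ordinary user mode. */
access_kind classify_access(cpu_mode from, cpu_mode target)
{
    if ((unsigned)from >= (unsigned)MODE_COUNT ||
        (unsigned)target >= (unsigned)MODE_COUNT)
        return ACCESS_DENIED;
    if (from == target)
        return ACCESS_DIRECT;
    if (from == SE_SUPER || (from == NS_SUPER && target == NS_USER))
        return ACCESS_MAPPED;
    return ACCESS_DENIED;
}

/* Read a mode's stack register without changing the current mode. */
bool read_sp(const cpu_model *c, cpu_mode target, uint32_t *out)
{
    switch (classify_access(current_mode(c), target)) {
    case ACCESS_DIRECT: *out = c->sp[target];       return true;
    case ACCESS_MAPPED: *out = c->map_ctrl[target]; return true;
    default:            return false;   /* *out is left untouched */
    }
}

/* Write path: a mapped write lands in the control register first and is
 * then forwarded to the target mode's stack register. */
bool write_sp(cpu_model *c, cpu_mode target, uint32_t value)
{
    switch (classify_access(current_mode(c), target)) {
    case ACCESS_DIRECT:
        c->sp[target] = value;
        c->map_ctrl[target] = value;    /* real-time tracking by the interface */
        return true;
    case ACCESS_MAPPED:
        c->map_ctrl[target] = value;
        c->sp[target] = c->map_ctrl[target];
        return true;
    default:
        return false;
    }
}

int main(void)
{
    static const char *name[MODE_COUNT] =
        { "NS user", "NS super", "SE user", "SE super" };
    static const char *kind[] = { "denied", "direct", "mapped" };
    for (int from = 0; from < MODE_COUNT; from++)
        for (int to = 0; to < MODE_COUNT; to++)
            printf("%-8s -> %-8s : %s\n", name[from], name[to],
                   kind[classify_access((cpu_mode)from, (cpu_mode)to)]);
    return 0;
}
```

Running the program prints the full 4x4 access matrix, which is a convenient reference when reviewing which mode pairs the mapping access interface exposes.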
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is a trusted ordinary user mode resource storage unit.
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted superuser mode resource storage unit.
Optionally, the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
Optionally, the first mode resource storage unit is an untrusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
Optionally, the resource register is an exception base register, an exception backup register, or a stack register, but is not limited to these.
Specifically, the trusted kernel and the untrusted kernel have exception service mechanisms that are independent of each other. SEVBR is the exception base register dedicated to the trusted kernel; all entry addresses are stored in the exception vector table whose base address is SEVBR. NSVBR is the exception entry base register dedicated to the untrusted kernel; all entry addresses are stored in the exception vector table whose base address is NSVBR. When the processor runs in trusted superuser mode, it can access the exception entry base register of the untrusted kernel by accessing the mapping access interface under trusted superuser mode.
Specifically, SEEPSR is the exception state retention register dedicated to the trusted kernel; when a secure interrupt or secure exception occurs in the processor, it saves the PSR information of the running trusted kernel so that the processor can restore its context. NSEPSR is the exception state retention register dedicated to the untrusted kernel; when a non-secure interrupt or non-secure exception occurs in the processor, it saves the PSR information of the running untrusted kernel so that the processor can restore its context. When the processor runs in trusted superuser mode, it can access the exception state retention register of the untrusted kernel by accessing the mapping access interface under trusted superuser mode.
Specifically, SEEPC is the exception-retained program counter dedicated to the trusted kernel; when an exception or secure interrupt occurs while the CPU is under the trusted kernel, the CPU saves the information under the trusted kernel into SEEPC, for restoring the CPU context. NSEPC is the exception-retained program counter dedicated to the untrusted kernel; when an exception or secure interrupt occurs while the CPU is under the untrusted kernel, the CPU saves the information under the untrusted kernel into SEEPC, for restoring the CPU context. When the processor runs in trusted superuser mode, it can access the exception-retained program counter of the untrusted kernel by accessing the mapping access interface under trusted superuser mode.
Optionally, the mapping access interface is at least one control register or at least one memory address.
Optionally, Fig. 4 is a schematic diagram of a high-privilege mode accessing the private resources of a low-privilege mode;
Here, when the processor is in a first user mode and needs to read a second user mode resource, the private resource is stored into a general-purpose register through the mapping access interface, and the instruction execution unit processes the private resource stored in the general-purpose register.
The foregoing is only a specific embodiment of the present invention, but the scope of protection of the present invention is not limited to it. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.

Claims (7)

1. A processor including a mapping access interface, characterized by comprising: an instruction execution unit, a first mode resource storage unit, a second mode resource storage unit, and a mapping access interface, wherein:
the instruction execution unit is connected to the first mode resource storage unit, the second mode resource storage unit, and the mapping access interface, and is configured to read the resource information of the mapping access interface, or rewrite the resource information of the mapping access interface, according to an instruction received from outside;
the first mode resource storage unit is configured to store the resource information of the processor in the first mode; the instruction execution unit has the right to access the resources of the first mode resource storage unit if and only if the processor is in the first mode;
the second mode resource storage unit is configured to store the resource information of the processor in the second mode; the instruction execution unit has the right to access the resources of the second mode resource storage unit if and only if the processor is in the second mode;
the mapping access interface is connected to the second mode resource storage unit, and is configured to read and save the resources of the second mode resource storage unit in real time, and, when the processor is in the first mode, to rewrite the resource of a resource register in the second mode resource storage unit according to rewrite information sent by the instruction execution unit.
2. The processor according to claim 1, characterized in that the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is a trusted ordinary user mode resource storage unit.
3. The processor according to claim 1, characterized in that the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted superuser mode resource storage unit.
4. The processor according to claim 1, characterized in that the first mode resource storage unit is a trusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
5. The processor according to claim 1, characterized in that the first mode resource storage unit is an untrusted superuser mode resource storage unit, and the second mode resource storage unit is an untrusted ordinary user mode resource storage unit.
6. The processor according to claim 1, characterized in that the resource register is an exception base register, an exception backup register, or a stack register.
7. The processor according to claim 1, characterized in that the mapping access interface is at least one control register or at least one memory address.
Application number: CN201710282701.2A. Priority date: 2017-04-26. Filing date: 2017-04-26. Title: Processor including a mapping access interface. Status: Active. Granted publication: CN107103251B (en).


Publications (2)

Publication Number Publication Date
CN107103251A (en) 2017-08-29
CN107103251B (en) 2020-04-21

GR01 Patent grant