CN107194284A - A kind of method and system based on the user-isolated data of TrustZone - Google Patents
- Publication number: CN107194284A
- Application number: CN201710481894.4A
- Authority: CN (China)
- Prior art keywords: trustzone, secure, memory region, isolated, region
- Legal status: Pending
Classifications
- G06F21/74: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode (G, Physics; G06, Computing; G06F, Electric digital data processing; G06F21/00, Security arrangements; G06F21/70; G06F21/71)
- G06F21/604: Tools and structures for managing or administering access control systems (G06F21/00, Security arrangements; G06F21/60, Protecting data)
- G06F2221/2105: Dual mode as a secondary aspect (G06F2221/00 and G06F2221/21, indexing scheme relating to G06F21/00 and subgroups)
Abstract
The invention provides a method and system for isolating user data based on TrustZone. The method includes: providing a TrustZone coprocessor in an intelligent terminal and setting up a common memory region, a shared memory region and a secure memory region in the memory of the intelligent terminal; the common-domain operating system running in the common memory region stores the user data to be isolated in the shared memory region and sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode; the TrustZone coprocessor, having entered monitor mode, is used to control the secure-domain operating system to run in the secure memory region; the secure-domain operating system running in the secure memory region reads the user data to be isolated from the shared memory region and loads the user data it has read into the secure memory region. With this technical scheme, the security of user data can be improved.
Description
Technical field
The present invention relates to the technical field of intelligent terminals, and in particular to a method and system for isolating user data based on TrustZone.
Background technology
With the continued development of mobile networks, mobile intelligent terminals such as mobile phones and notebook computers have become widely used. User data in a mobile terminal that has higher security requirements usually needs to be isolated for protection.
At present, this is mainly achieved with virtualization technologies such as virtual machines, which store different data separately so that the data of different users is isolated and its security is improved.
However, virtualization cannot define an application's access rights to memory: once isolated user data has been loaded into the memory of the intelligent terminal, it can easily be stolen by an application, so the security of the user data is relatively low.
The content of the invention
The embodiments of the invention provide a method and system for isolating user data based on TrustZone, which can improve the security of user data.
In a first aspect, the invention provides a method for isolating user data based on TrustZone, including:
providing a TrustZone coprocessor in an intelligent terminal in advance, and setting up a common memory region, a shared memory region and a secure memory region in the memory of the intelligent terminal;
the common-domain operating system running in the common memory region storing the user data to be isolated in the shared memory region;
the common-domain operating system running in the common memory region sending a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
using the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region;
the secure-domain operating system running in the secure memory region reading the user data to be isolated from the shared memory region, and loading the user data to be isolated that was read into the secure memory region.
Preferably, using the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region includes: setting the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
Preferably, the user data to be isolated includes at least one application program; loading the user data to be isolated that was read into the secure memory region then includes: controlling each application program to run in the secure memory region.
Preferably, the user data to be isolated includes at least one item of data to be stored; loading the user data to be isolated that was read into the secure memory region then includes: writing each item of data to be stored that was read into the secure memory region.
Preferably, writing each item of data to be stored that was read into the secure memory region includes: encrypting each item of data to be stored that was read with an encryption key pre-set in the TrustZone coprocessor to form ciphertext, and writing the resulting ciphertext into the secure memory region.
In a second aspect, the embodiments of the invention provide a system for isolating user data based on TrustZone, including: a TrustZone coprocessor, a setup module, a control module, a common-domain operating system and a secure-domain operating system; wherein,
the setup module is used to provide the TrustZone coprocessor in an intelligent terminal and to set up a common memory region, a shared memory region and a secure memory region in the memory of the intelligent terminal;
the common-domain operating system is used to run in the common memory region, to store the user data to be isolated in the shared memory region, and to send a fast interrupt signal to the interrupt controller of the TrustZone coprocessor so that the TrustZone coprocessor enters monitor mode;
the control module is used to control, by means of the TrustZone coprocessor that has entered monitor mode, the secure-domain operating system to run in the secure memory region;
the secure-domain operating system is used to run in the secure memory region under the control of the TrustZone coprocessor, to read the user data to be isolated from the shared memory region, and to load the user data to be isolated that was read into the secure memory region.
Preferably, the control module is used to set the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
Preferably, when the user data to be isolated includes at least one application program, the secure-domain operating system is used to control each application program to run in the secure memory region.
Preferably, when the user data to be isolated includes at least one item of data to be stored, the secure-domain operating system is used to write each item of data to be stored that was read into the secure memory region.
Preferably, the secure-domain operating system is used to encrypt each item of data to be stored that was read with an encryption key pre-set in the TrustZone coprocessor to form ciphertext, and to write the resulting ciphertext into the secure memory region.
The embodiments of the invention provide a method and system for isolating user data based on TrustZone. In this method, the memory of the intelligent terminal is divided into a common memory region, a shared memory region and a secure memory region, and a TrustZone coprocessor is provided in the intelligent terminal. The common-domain operating system can run only in the common memory region. When data provided by an application running in the common memory region needs to be isolated, the common-domain operating system writes that data to the shared memory region and then sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the coprocessor enters monitor mode. The coprocessor in monitor mode can then make the secure-domain operating system run in the secure memory region, which switches the terminal from the common-domain operating system to the secure-domain operating system; the secure-domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. In summary, by giving the memory of the intelligent terminal hardware protection and dividing it into several memory regions, the data to be isolated, once loaded into the secure memory region, cannot be directly accessed by applications running in the common memory region, so those applications cannot steal the user data loaded into the secure memory region, and the security of the user data is improved.
Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Clearly, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art could obtain other drawings from them without creative effort.
Fig. 1 is a flowchart of a method for isolating user data based on TrustZone provided by an embodiment of the invention;
Fig. 2 is a flowchart of another method for isolating user data based on TrustZone provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a system for isolating user data based on TrustZone provided by an embodiment of the invention.
Embodiment
To make the purpose, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions of the embodiments are described clearly and completely below with reference to the accompanying drawings. Clearly, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the invention.
As shown in Fig. 1, an embodiment of the invention provides a method for isolating user data based on TrustZone, including:
Step 101: providing a TrustZone coprocessor in an intelligent terminal in advance, and setting up a common memory region, a shared memory region and a secure memory region in the memory of the intelligent terminal;
Step 102: the common-domain operating system running in the common memory region stores the user data to be isolated in the shared memory region;
Step 103: the common-domain operating system running in the common memory region sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
Step 104: the TrustZone coprocessor that has entered monitor mode is used to control the secure-domain operating system to run in the secure memory region;
Step 105: the secure-domain operating system running in the secure memory region reads the user data to be isolated from the shared memory region and loads the user data to be isolated that was read into the secure memory region.
In the above embodiment of the invention, the memory of the intelligent terminal is divided into a common memory region, a shared memory region and a secure memory region, and a TrustZone coprocessor is provided in the intelligent terminal. The common-domain operating system can run only in the common memory region. When data provided by an application running in the common memory region needs to be isolated, the common-domain operating system writes the data to the shared memory region and sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the coprocessor enters monitor mode; the coprocessor in monitor mode then makes the secure-domain operating system run in the secure memory region, switching the terminal from the common-domain operating system to the secure-domain operating system, and the secure-domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. In summary, because the memory of the intelligent terminal is hardware-protected and divided into several memory regions, once the data to be isolated has been loaded into the secure memory region it cannot be directly accessed by applications running in the common memory region, so those applications cannot steal the user data loaded into the secure memory region, and the security of the user data is improved.
In one embodiment of the invention, using the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region includes: setting the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
In the above embodiment of the invention, the ARM (Advanced RISC Machines) processor of the intelligent terminal is extended so that the intelligent terminal carries a TrustZone coprocessor (for example, the CP15 coprocessor). The TrustZone coprocessor has a secure configuration register, and this register has an NS bit that indicates the current state of the intelligent terminal. If NS is 0, the terminal is in the secure state and the secure-domain operating system can run in the secure memory region; if NS is 1, the terminal is in the non-secure state and the common-domain operating system can run in the common memory region (in ARM terminology these are the secure world and the normal world). Because the NS bit of the secure configuration register can be modified only while the TrustZone coprocessor is in monitor mode, the operating-system environment of the intelligent terminal is switched by changing the NS bit of the secure configuration register on the premise that the TrustZone coprocessor is in monitor mode, which switches the terminal between the common-domain operating system and the secure-domain operating system.
If an application in the secure memory region could set the NS bit of the secure configuration register to 1 directly while not in monitor mode, the intelligent terminal would enter the non-secure state immediately, and an application running in the common memory region could access the instructions the processor is receiving and the data in its registers, putting the user data at risk of being stolen. Therefore, whether switching from the common-domain operating system to the secure-domain operating system or from the secure-domain operating system to the common-domain operating system, the NS bit of the secure configuration register may be changed directly only while the TrustZone coprocessor is in monitor mode.
In one embodiment of the invention, the type of user data to be isolated may specifically include application programs or data to be stored.
Specifically, when the user data to be isolated includes at least one application program, loading the user data to be isolated that was read into the secure memory region includes controlling each application program to run in the secure memory region. An application running in the common memory region cannot directly access an application running in the secure memory region, so the security of each application running in the secure memory region is improved.
Correspondingly, when the user data to be isolated includes at least one item of data to be stored, loading the user data to be isolated that was read into the secure memory region includes writing each item of data to be stored that was read into the secure memory region. An application running in the common memory region cannot directly access the items of data stored in the secure memory region, so the security of each item of data stored in the secure memory region is improved.
In order to further improve the security of each item of data to be stored, in one embodiment of the invention writing each item of data to be stored that was read into the secure memory region includes: encrypting each item of data to be stored that was read with an encryption key pre-set in the TrustZone coprocessor to form ciphertext, and writing the resulting ciphertext into the secure memory region.
Specifically, a matching encryption algorithm and decryption algorithm, for example the AES (Advanced Encryption Standard) encryption algorithm and AES decryption algorithm, can be pre-set in the TrustZone coprocessor, and a read-write monitoring function monitors the data read and write requests on the secure memory region. When it observes that data to be stored needs to be written into the secure memory region, the data is encrypted with the AES encryption algorithm to form ciphertext, and the ciphertext is then written into the secure memory region; when it observes that ciphertext written into the secure memory region needs to be read, the ciphertext that is read is decrypted with the AES decryption algorithm to recover the corresponding data.
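As an added example (not the patent's code), the read-write monitoring function described above can be modelled as a wrapper around the secure region: every write is encrypted with the key pre-set in the coprocessor before it lands in the region, and every read decrypts and verifies on the way out. The `SecureRegionStore` type and its slot names are hypothetical stand-ins for addresses in the region; the text only says "AES", so the use of AES-GCM and the binding of the slot name as associated data are my choices, made so that ciphertext that is altered or moved to another location is rejected rather than decrypted into garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SecureRegionStore models the secure memory region together with the
// read-write monitoring function (hypothetical type). Each cell holds
// nonce || ciphertext || tag, never plaintext.
type SecureRegionStore struct {
	aead  cipher.AEAD
	cells map[string][]byte
}

// NewSecureRegionStore takes the key the text says is pre-set in the
// TrustZone coprocessor (16, 24 or 32 bytes for AES-128/192/256).
func NewSecureRegionStore(key []byte) (*SecureRegionStore, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // AES in GCM mode: my choice, the text only says AES
	if err != nil {
		return nil, err
	}
	return &SecureRegionStore{aead: aead, cells: map[string][]byte{}}, nil
}

// WriteMonitored is the write path of step 210: encrypt, then store. The slot
// name is bound in as associated data, so a cell copied to another slot will
// not decrypt there.
func (s *SecureRegionStore) WriteMonitored(slot string, plaintext []byte) error {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.cells[slot] = s.aead.Seal(nonce, nonce, plaintext, []byte(slot))
	return nil
}

// ReadMonitored is the read path of step 211: fetch the cell, decrypt it,
// and refuse anything whose authentication tag does not verify.
func (s *SecureRegionStore) ReadMonitored(slot string) ([]byte, error) {
	cell, ok := s.cells[slot]
	if !ok {
		return nil, errors.New("empty slot")
	}
	ns := s.aead.NonceSize()
	if len(cell) < ns+s.aead.Overhead() {
		return nil, errors.New("cell too short to hold nonce and tag")
	}
	return s.aead.Open(nil, cell[:ns], cell[ns:], []byte(slot))
}

// RawCell returns the bytes physically held in the region for a slot, i.e.
// what a memory dump of the region would show.
func (s *SecureRegionStore) RawCell(slot string) []byte { return s.cells[slot] }

func main() {
	key := []byte("0123456789abcdef") // constructed demo key, not a real secret
	s, err := NewSecureRegionStore(key)
	if err != nil {
		panic(err)
	}
	if err := s.WriteMonitored("slot0", []byte("constructed user data")); err != nil {
		panic(err)
	}
	fmt.Printf("region holds: %x\n", s.RawCell("slot0"))
	pt, err := s.ReadMonitored("slot0")
	fmt.Printf("read back: %q (err=%v)\n", pt, err)
	raw := s.RawCell("slot0")
	raw[len(raw)-1] ^= 0x01 // corrupt one byte in place
	_, err = s.ReadMonitored("slot0")
	fmt.Println("after corruption:", err)
}
```

The round trip shows why the monitoring function is placed on both the write and the read path: a dump of the region yields only nonce, ciphertext and tag, and a read of a corrupted or relocated cell fails closed instead of returning altered data.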
To illustrate the technical solution and its advantages more clearly, an embodiment of the invention provides another method for isolating user data based on TrustZone. Taking as an example the isolation, at the user's request, of user data received by a smartphone, and as shown in Fig. 2, it may specifically include the following steps:
Step 201: providing a TrustZone coprocessor in the smartphone.
Step 202: setting up a common memory region, a shared memory region and a secure memory region in the memory of the smartphone.
Step 203: setting up a matching AES encryption module and AES decryption module in the TrustZone coprocessor.
Step 204: the user operates the smartphone through the common-domain operating system running in the common memory region.
Step 205: the running common-domain operating system controls the corresponding client program on the smartphone to receive the user data, and stores the received user data in the shared memory region.
Step 206: the running common-domain operating system sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor.
Step 207: on receiving the interrupt signal, the interrupt controller makes the TrustZone coprocessor enter monitor mode.
Step 208: the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode is set to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
Step 209: the running secure-domain operating system reads the user data to be isolated from the shared memory region.
Step 210: the read-write monitoring function of the secure-domain operating system monitors the data read and write requests on the secure memory region; when it observes that the secure-domain operating system needs to write the user data it has read into the secure memory region, the data to be stored is encrypted by the AES encryption module pre-set in the TrustZone coprocessor to form ciphertext, and the ciphertext is written into the secure memory region.
Step 211: the read-write monitoring function of the secure-domain operating system monitors the data read and write requests on the secure memory region; when it observes that the secure-domain operating system has read ciphertext that was written into the secure memory region, the ciphertext that is read is decrypted by the AES decryption module pre-set in the TrustZone coprocessor to obtain the corresponding user data.
In the embodiments of the invention, the user can control the corresponding applications to run in the common memory region of the smartphone through the common-domain operating system, and have each application with higher security requirements run in the secure memory region of the smartphone under the control of the secure-domain operating system. At the same time, by switching from the common-domain operating system to the secure-domain operating system, the user can, according to actual business needs, isolate the user data to be stored from the common-domain operating system into the secure memory region while switching operating systems, thereby improving the security of the corresponding applications and of the data to be stored.
As shown in Fig. 3, an embodiment of the invention provides a system for isolating user data based on TrustZone, including: a TrustZone coprocessor 301, a setup module 302, a control module 303, a common-domain operating system 304 and a secure-domain operating system 305; wherein,
the setup module 302 is used to provide the TrustZone coprocessor 301 in an intelligent terminal and to set up a common memory region, a shared memory region and a secure memory region in the memory of the intelligent terminal;
the common-domain operating system 304 is used to run in the common memory region, to store the user data to be isolated in the shared memory region, and to send a fast interrupt signal to the interrupt controller of the TrustZone coprocessor 301 so that the TrustZone coprocessor 301 enters monitor mode;
the control module 303 is used to control, by means of the TrustZone coprocessor 301 that has entered monitor mode, the secure-domain operating system 305 to run in the secure memory region;
the secure-domain operating system 305 is used to run in the secure memory region under the control of the TrustZone coprocessor 301, to read the user data to be isolated from the shared memory region, and to load the user data to be isolated that was read into the secure memory region.
In a preferred embodiment of the invention, the control module 303 is used to set the NS bit of the secure configuration register of the TrustZone coprocessor 301 that has entered monitor mode to 0, so that the TrustZone coprocessor 301 controls the secure-domain operating system 305 to run in the secure memory region.
In a preferred embodiment of the invention, when the user data to be isolated includes at least one application program, the secure-domain operating system 305 is used to control each application program to run in the secure memory region.
In a preferred embodiment of the invention, when the user data to be isolated includes at least one item of data to be stored, the secure-domain operating system 305 is used to write each item of data to be stored that was read into the secure memory region.
In a preferred embodiment of the invention, the secure-domain operating system 305 is used to encrypt each item of data to be stored that was read with an encryption key pre-set in the TrustZone coprocessor 301 to form ciphertext, and to write the resulting ciphertext into the secure memory region.
Because the information exchange between the units of the above system and its execution process are based on the same concept as the method embodiments of the invention, the details can be found in the description of the method embodiments and are not repeated here.
In summary, the embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the invention, the memory of the intelligent terminal is divided into a common memory region, a shared memory region and a secure memory region, and a TrustZone coprocessor is provided in the intelligent terminal. The common-domain operating system can run only in the common memory region. When data provided by an application running in the common memory region needs to be isolated, the common-domain operating system writes the data to the shared memory region and sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the coprocessor enters monitor mode; the coprocessor in monitor mode then makes the secure-domain operating system run in the secure memory region, switching the terminal from the common-domain operating system to the secure-domain operating system, and the secure-domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. Because the memory of the intelligent terminal is hardware-protected and divided into several memory regions, once the data to be isolated has been loaded into the secure memory region it cannot be directly accessed by applications running in the common memory region, so those applications cannot steal the user data loaded into the secure memory region, and the security of the user data is improved.
2. In one embodiment of the invention, whether switching from the common-domain operating system to the secure-domain operating system or from the secure-domain operating system to the common-domain operating system, the NS bit of the secure configuration register can be changed directly only while the TrustZone coprocessor is in monitor mode. This prevents an application in the secure memory region from moving the terminal into the non-secure state directly outside monitor mode, so that an application running in the common memory region cannot access the instructions the processor is receiving or the data in its registers, and the user data is prevented from being stolen.
3. In one embodiment of the invention, user data that needs to be isolated in the secure memory region is encrypted with the corresponding encryption algorithm before being stored, further improving the security of the user data.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "comprise", "include" or any other variant of them are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to that process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Finally, it should be noted that the foregoing is only a preferred embodiment of the present invention and is intended only to illustrate its technical solution, not to limit its scope of protection. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention is included in its scope of protection.
Claims (10)
1. A method for isolating user data based on TrustZone, characterised in that it comprises:
providing a TrustZone coprocessor in a smart terminal in advance, and setting up a normal memory region, a shared memory region and a secure memory region in the memory of the smart terminal;
the normal-domain operating system running in the normal memory region storing the user data to be isolated into the shared memory region;
the normal-domain operating system running in the normal memory region sending a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
using the TrustZone coprocessor in monitor mode to control the secure-domain operating system to run in the secure memory region;
the secure-domain operating system running in the secure memory region reading the user data to be isolated from the shared memory region, and loading the read user data to be isolated into the secure memory region.
2. The method according to claim 1, characterised in that using the TrustZone coprocessor in monitor mode to control the secure-domain operating system to run in the secure memory region comprises:
setting the NS bit of the secure configuration register (SCR) of the TrustZone coprocessor in monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
3. The method according to claim 1, characterised in that the user data to be isolated comprises at least one application program;
and loading the read user data to be isolated into the secure memory region comprises: controlling each of the application programs to run in the secure memory region.
4. The method according to claim 1, characterised in that the user data to be isolated comprises at least one item of data to be stored;
and loading the read user data to be isolated into the secure memory region comprises: writing each item of the read data to be stored into the secure memory region.
5. The method according to claim 4, characterised in that writing each item of the read data to be stored into the secure memory region comprises:
encrypting each item of the read data to be stored with an encryption key provisioned in advance in the TrustZone coprocessor to form ciphertext, and writing the resulting ciphertext into the secure memory region.
6. A system for isolating user data based on TrustZone, characterised in that it comprises: a TrustZone coprocessor, a setup module, a control module, a normal-domain operating system and a secure-domain operating system; wherein
the setup module is configured to provide the TrustZone coprocessor in a smart terminal, and to set up a normal memory region, a shared memory region and a secure memory region in the memory of the smart terminal;
the normal-domain operating system is configured to run in the normal memory region, store the user data to be isolated into the shared memory region, and send a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor so that the TrustZone coprocessor enters monitor mode;
the control module is configured to use the TrustZone coprocessor in monitor mode to control the secure-domain operating system to run in the secure memory region;
the secure-domain operating system is configured to run in the secure memory region under the control of the TrustZone coprocessor, read the user data to be isolated from the shared memory region, and load the read user data to be isolated into the secure memory region.
7. The system according to claim 6, characterised in that the control module is configured to set the NS bit of the secure configuration register of the TrustZone coprocessor in monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
8. The system according to claim 6, characterised in that, when the user data to be isolated comprises at least one application program, the secure-domain operating system is configured to control each of the application programs to run in the secure memory region.
9. The system according to claim 6, characterised in that, when the user data to be isolated comprises at least one item of data to be stored, the secure-domain operating system is configured to write each item of the read data to be stored into the secure memory region.
10. The system according to claim 9, characterised in that the secure-domain operating system is configured to encrypt each item of the read data to be stored with an encryption key provisioned in advance in the TrustZone coprocessor to form ciphertext, and to write the resulting ciphertext into the secure memory region.
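The world switch and memory partition that claims 1, 2 and 5 describe, written out as a small C model. This is an added example, not code from the patent or from any TrustZone implementation: the three memory regions, the CPU modes, the SCR.NS bit and the provisioned key are all simulated in one struct, the function names (tz_init, normal_world_stage, fiq_to_monitor, monitor_enter_secure, secure_world_isolate, monitor_return_normal, isolate_user_data, tz_read) are my own, and the XOR routine is a constructed placeholder that only marks where the encryption of claim 5 takes place. The property worth checking is the one the claims rely on: the secure region resolves only while NS == 0, and only the monitor may clear NS. Wiping the staging copy in the shared region after the secure world has consumed it is an added hardening step that the claims do not mention.

```c
/* Model of the isolation flow in claims 1, 2 and 5 (added example, not the
 * patent's code): regions, modes, SCR.NS and the key are all simulated here. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define REGION_SIZE 64
#define KEY_SIZE    16

typedef enum { NORMAL_REGION, SHARED_REGION, SECURE_REGION } region_t;
typedef enum { MODE_NORMAL, MODE_MONITOR, MODE_SECURE } cpu_mode_t;

typedef struct {
    int        scr_ns;              /* SCR.NS bit: 1 = normal world, 0 = secure world */
    cpu_mode_t mode;
    uint8_t    key[KEY_SIZE];       /* key provisioned in the coprocessor (claim 5) */
    uint8_t    normal[REGION_SIZE]; /* normal memory region */
    uint8_t    shared[REGION_SIZE]; /* shared (staging) region visible to both worlds */
    uint8_t    secure[REGION_SIZE]; /* secure memory region */
    size_t     shared_len;          /* bytes currently staged in the shared region */
} trustzone_t;

void tz_init(trustzone_t *tz, const uint8_t key[KEY_SIZE]) {
    memset(tz, 0, sizeof *tz);
    tz->scr_ns = 1;                 /* the model starts in the normal world */
    tz->mode = MODE_NORMAL;
    memcpy(tz->key, key, KEY_SIZE);
}

/* Address-space partition: the secure region resolves only while SCR.NS == 0. */
static uint8_t *region_ptr(trustzone_t *tz, region_t r) {
    switch (r) {
    case NORMAL_REGION: return tz->normal;
    case SHARED_REGION: return tz->shared;
    case SECURE_REGION: return tz->scr_ns == 0 ? tz->secure : NULL;
    }
    return NULL;
}

/* Read through the partition check: 0 on success, -1 when the access is denied. */
int tz_read(trustzone_t *tz, region_t r, uint8_t *out, size_t len) {
    uint8_t *p = region_ptr(tz, r);
    if (p == NULL || len > REGION_SIZE) return -1;
    memcpy(out, p, len);
    return 0;
}

/* Claim 1: the normal-domain OS stages the data to be isolated in the shared region. */
int normal_world_stage(trustzone_t *tz, const uint8_t *data, size_t len) {
    if (tz->scr_ns != 1 || tz->mode != MODE_NORMAL || len > REGION_SIZE) return -1;
    memcpy(tz->shared, data, len);
    tz->shared_len = len;
    return 0;
}

/* Claim 1: the FIQ sent to the interrupt controller lands the core in monitor mode. */
void fiq_to_monitor(trustzone_t *tz) { tz->mode = MODE_MONITOR; }

/* Claim 2: only the monitor clears SCR.NS, switching execution to the secure world. */
int monitor_enter_secure(trustzone_t *tz) {
    if (tz->mode != MODE_MONITOR) return -1;
    tz->scr_ns = 0;
    tz->mode = MODE_SECURE;
    return 0;
}

/* Constructed placeholder for the cipher of claim 5 (NOT a real cipher). */
void xor_with_key(const uint8_t key[KEY_SIZE], uint8_t *buf, size_t len) {
    for (size_t i = 0; i < len; i++) buf[i] ^= key[i % KEY_SIZE];
}

/* Claims 1 and 5: the secure-domain OS reads the staged data, encrypts it and writes the
 * ciphertext into the secure region. Wiping the staging copy is an added hardening step. */
int secure_world_isolate(trustzone_t *tz) {
    if (tz->scr_ns != 0 || tz->mode != MODE_SECURE) return -1;
    uint8_t *dst = region_ptr(tz, SECURE_REGION);  /* non-NULL because NS == 0 */
    memcpy(dst, tz->shared, tz->shared_len);
    xor_with_key(tz->key, dst, tz->shared_len);
    memset(tz->shared, 0, REGION_SIZE);
    tz->shared_len = 0;
    return 0;
}

/* Return path: the monitor sets SCR.NS back to 1 and resumes the normal world. */
void monitor_return_normal(trustzone_t *tz) {
    tz->scr_ns = 1;
    tz->mode = MODE_NORMAL;
}

/* The complete sequence of claim 1; returns 0 on success, -1 if any step is refused. */
int isolate_user_data(trustzone_t *tz, const uint8_t *data, size_t len) {
    if (normal_world_stage(tz, data, len) != 0) return -1;
    fiq_to_monitor(tz);
    if (monitor_enter_secure(tz) != 0) return -1;
    if (secure_world_isolate(tz) != 0) return -1;
    monitor_return_normal(tz);
    return 0;
}
```

After isolate_user_data returns, a read of SECURE_REGION from the normal world (NS == 1) is refused, the same read succeeds once the monitor has cleared NS, and the secure copy differs from the staged plaintext until it is passed back through the placeholder cipher. The one caveat the model makes visible is that the shared region is readable by the normal world by design, so the data is only as isolated as the window between staging and the FIQ is short; that is why the secure world clears the staging copy here.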
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710481894.4A CN107194284A (en) | 2017-06-22 | 2017-06-22 | A kind of method and system based on the user-isolated data of TrustZone |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107194284A true CN107194284A (en) | 2017-09-22 |
Family
ID=59879716
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710481894.4A Pending CN107194284A (en) | 2017-06-22 | 2017-06-22 | A kind of method and system based on the user-isolated data of TrustZone |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107194284A (en) |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107835185A (en) * | 2017-11-21 | 2018-03-23 | 广州大学 | A kind of mobile terminal safety method of servicing and device based on ARM TrustZone |
CN108052415A (en) * | 2017-11-17 | 2018-05-18 | 中国科学院信息工程研究所 | A kind of malware detection platform quick recovery method and system |
CN108155986A (en) * | 2017-12-14 | 2018-06-12 | 晶晨半导体(上海)股份有限公司 | A kind of key programming system and method based on credible performing environment |
CN108154032A (en) * | 2017-11-16 | 2018-06-12 | 中国科学院软件研究所 | It is a kind of that the computer system root of trust construction method of memory integrity ensuring is had the function of based on credible performing environment |
CN108647513A (en) * | 2018-03-22 | 2018-10-12 | 华中科技大学 | A kind of shared library security isolation method and system based on TrustZone |
CN109684126A (en) * | 2018-12-25 | 2019-04-26 | 贵州华芯通半导体技术有限公司 | For the Memory Checkout method of ARM equipment and the ARM equipment of execution Memory Checkout |
CN109783207A (en) * | 2017-11-13 | 2019-05-21 | 厦门雅迅网络股份有限公司 | Protect the method and system of dual system shared drive data safety |
CN109992992A (en) * | 2019-01-25 | 2019-07-09 | 中国科学院数据与通信保护研究教育中心 | A kind of believable protecting sensitive data method and system |
CN111414859A (en) * | 2020-03-20 | 2020-07-14 | 山东大学 | TrustZone-based retina identification method |
CN111431993A (en) * | 2020-03-20 | 2020-07-17 | 山东大学 | Method for realizing IoT equipment heartbeat communication based on TrustZone technology |
CN111913806A (en) * | 2020-08-03 | 2020-11-10 | Oppo广东移动通信有限公司 | Memory area management method, electronic equipment and storage medium |
EP3761208A4 (en) * | 2018-04-02 | 2021-04-21 | Huawei Technologies Co., Ltd. | Trust zone-based operating system and method |
CN113220225A (en) * | 2021-04-06 | 2021-08-06 | 浙江大学 | Memory data read-write method and device for RISC-V processor, processor and storage medium |
CN113254969A (en) * | 2021-06-08 | 2021-08-13 | 挂号网(杭州)科技有限公司 | Service data processing method and device, electronic equipment and storage medium |
CN113268447A (en) * | 2021-06-10 | 2021-08-17 | 海光信息技术股份有限公司 | Computer architecture and access control, data interaction and safe starting method in computer architecture |
WO2021174512A1 (en) * | 2020-03-06 | 2021-09-10 | 华为技术有限公司 | Electronic device and security protection method |
CN113835933A (en) * | 2021-11-26 | 2021-12-24 | 北京指掌易科技有限公司 | Data management method, device, medium and electronic equipment |
CN114048502A (en) * | 2021-10-15 | 2022-02-15 | 中国科学院信息工程研究所 | Lightweight trusted channel and communication control method thereof |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104091135A (en) * | 2014-02-24 | 2014-10-08 | 电子科技大学 | Safety system and safety storage method of intelligent terminal |
CN104318182A (en) * | 2014-10-29 | 2015-01-28 | 中国科学院信息工程研究所 | Intelligent terminal isolation system and intelligent terminal isolation method both based on processor safety extension |
CN104581214A (en) * | 2015-01-28 | 2015-04-29 | 三星电子(中国)研发中心 | Multimedia content protecting method and device based on ARM TrustZone system |
CN104992122A (en) * | 2015-07-20 | 2015-10-21 | 武汉大学 | Cell phone private information safe box based on ARM Trust Zone |
US9483638B2 (en) * | 2005-12-23 | 2016-11-01 | Texas Instruments Incorporated | Method and system for preventing unauthorized processor mode switches |
2017
- 2017-06-22 CN CN201710481894.4A patent/CN107194284A/en active Pending
Cited By (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109783207B (en) * | 2017-11-13 | 2023-08-22 | 厦门雅迅网络股份有限公司 | Method and system for protecting dual-system shared memory data security |
CN109783207A (en) * | 2017-11-13 | 2019-05-21 | 厦门雅迅网络股份有限公司 | Protect the method and system of dual system shared drive data safety |
CN108154032A (en) * | 2017-11-16 | 2018-06-12 | 中国科学院软件研究所 | It is a kind of that the computer system root of trust construction method of memory integrity ensuring is had the function of based on credible performing environment |
CN108154032B (en) * | 2017-11-16 | 2021-07-30 | 中国科学院软件研究所 | Computer system trust root construction method with memory integrity guarantee function |
CN108052415A (en) * | 2017-11-17 | 2018-05-18 | 中国科学院信息工程研究所 | A kind of malware detection platform quick recovery method and system |
CN108052415B (en) * | 2017-11-17 | 2022-01-04 | 中国科学院信息工程研究所 | Rapid recovery method and system for malicious software detection platform |
CN107835185A (en) * | 2017-11-21 | 2018-03-23 | 广州大学 | A kind of mobile terminal safety method of servicing and device based on ARM TrustZone |
CN108155986A (en) * | 2017-12-14 | 2018-06-12 | 晶晨半导体(上海)股份有限公司 | A kind of key programming system and method based on credible performing environment |
CN108647513A (en) * | 2018-03-22 | 2018-10-12 | 华中科技大学 | A kind of shared library security isolation method and system based on TrustZone |
CN108647513B (en) * | 2018-03-22 | 2020-04-28 | 华中科技大学 | TrustZone-based shared library security isolation method and system |
EP3761208A4 (en) * | 2018-04-02 | 2021-04-21 | Huawei Technologies Co., Ltd. | Trust zone-based operating system and method |
US11443034B2 (en) | 2018-04-02 | 2022-09-13 | Huawei Technologies Co., Ltd. | Trust zone-based operating system and method |
CN109684126A (en) * | 2018-12-25 | 2019-04-26 | 贵州华芯通半导体技术有限公司 | For the Memory Checkout method of ARM equipment and the ARM equipment of execution Memory Checkout |
CN109684126B (en) * | 2018-12-25 | 2022-05-03 | 贵州华芯通半导体技术有限公司 | Memory verification method for ARM equipment and ARM equipment for executing memory verification |
CN109992992A (en) * | 2019-01-25 | 2019-07-09 | 中国科学院数据与通信保护研究教育中心 | A kind of believable protecting sensitive data method and system |
WO2021174512A1 (en) * | 2020-03-06 | 2021-09-10 | 华为技术有限公司 | Electronic device and security protection method |
CN111431993A (en) * | 2020-03-20 | 2020-07-17 | 山东大学 | Method for realizing IoT equipment heartbeat communication based on TrustZone technology |
CN111414859A (en) * | 2020-03-20 | 2020-07-14 | 山东大学 | TrustZone-based retina identification method |
CN111913806A (en) * | 2020-08-03 | 2020-11-10 | Oppo广东移动通信有限公司 | Memory area management method, electronic equipment and storage medium |
CN113220225A (en) * | 2021-04-06 | 2021-08-06 | 浙江大学 | Memory data read-write method and device for RISC-V processor, processor and storage medium |
CN113220225B (en) * | 2021-04-06 | 2022-04-12 | 浙江大学 | Memory data read-write method and device for RISC-V processor, processor and storage medium |
CN113254969A (en) * | 2021-06-08 | 2021-08-13 | 挂号网(杭州)科技有限公司 | Service data processing method and device, electronic equipment and storage medium |
CN113268447A (en) * | 2021-06-10 | 2021-08-17 | 海光信息技术股份有限公司 | Computer architecture and access control, data interaction and safe starting method in computer architecture |
CN114048502A (en) * | 2021-10-15 | 2022-02-15 | 中国科学院信息工程研究所 | Lightweight trusted channel and communication control method thereof |
CN114048502B (en) * | 2021-10-15 | 2023-08-15 | 中国科学院信息工程研究所 | Lightweight trusted channel and communication control method thereof |
CN113835933A (en) * | 2021-11-26 | 2021-12-24 | 北京指掌易科技有限公司 | Data management method, device, medium and electronic equipment |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107194284A (en) | A kind of method and system based on the user-isolated data of TrustZone | |
US20230110230A1 (en) | Technologies for secure i/o with memory encryption engines | |
US20140164793A1 (en) | Cryptographic information association to memory regions | |
EP3274850B1 (en) | Protecting a memory | |
US8479264B2 (en) | Architecture for virtual security module | |
CN101782956B (en) | Method and device for protecting data on basis of AES real-time encryption | |
US11204881B2 (en) | Computer system software/firmware and a processor unit with a security module | |
CN101051892B (en) | Enciphering device and method for CPU special data | |
CN104318182A (en) | Intelligent terminal isolation system and intelligent terminal isolation method both based on processor safety extension | |
CN106469124A (en) | A kind of memory access control method and device | |
KR20080074848A (en) | Methods and apparatus for the secure handling of data in a microcontroller | |
CN103778384A (en) | Identity authentication based virtual terminal safety environment protection method and system | |
CN107111728A (en) | Safe key export function | |
CN108090366A (en) | Data guard method and device, computer installation and readable storage medium storing program for executing | |
CN108288004A (en) | A kind of encryption chip is in REE and TEE environmental coexistence system and methods | |
CN105095945A (en) | SD card capable of securely storing data | |
US20210319117A1 (en) | Secure asset management system | |
CN208848330U (en) | A kind of double-core POS machine safety chip | |
CN104955043B (en) | A kind of intelligent terminal security protection system | |
CN101196877A (en) | Multiple memory cell operation isolated smart card and its implementing method | |
CN116048809B (en) | Task processing method of multi-core heterogeneous security chip and security chip device | |
CN103699853B (en) | A kind of intelligent SD card and control system thereof and method | |
CN103699434B (en) | A kind of method being had secure access between the MPU for being suitable for having secure access between more applications and its more applications | |
CN207475576U (en) | A kind of safety mobile terminal system based on safety chip | |
CN102880818A (en) | Software protection method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20170922