CN107194284A - A method and system for isolating user data based on TrustZone


Info

Publication number
CN107194284A
CN107194284A
Authority
CN
China
Prior art keywords
trustzone
secure
memory region
isolated
region
Prior art date
Legal status
Pending
Application number
CN201710481894.4A
Other languages
Chinese (zh)
Inventor
黄闯营
戴鸿君
于治楼
Current Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Original Assignee
Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority date
Filing date
Publication date
Application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd
Priority to CN201710481894.4A
Publication of CN107194284A
Legal status: Pending


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
    • G06F 21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/604 Tools and structures for managing or administering access control systems
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/21 Indexing scheme relating to G06F 21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 2221/2105 Dual mode as a secondary aspect

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Automation & Control Theory (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a method and system for isolating user data based on TrustZone. The method includes: providing a TrustZone coprocessor in an intelligent terminal and setting a normal memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal; the normal domain operating system running in the normal memory region stores the user data to be isolated into the shared memory region and sends a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode; the TrustZone coprocessor in monitor mode is used to make the secure domain operating system run in the secure memory region; the secure domain operating system running in the secure memory region reads the user data to be isolated from the shared memory region and loads it into the secure memory region. This technical scheme improves the security of user data.

Description

A method and system for isolating user data based on TrustZone
Technical field
The present invention relates to the technical field of intelligent terminals, and in particular to a method and system for isolating user data based on TrustZone.
Background technology
With the continuing development of mobile networks, mobile intelligent terminals such as mobile phones and notebook computers have been widely adopted. User data with high security requirements in a mobile terminal usually needs to be securely isolated.
At present, this is mainly achieved through virtualization technologies such as virtual machines, which store different data separately so as to isolate the data of different users and improve the security of the respective user data.
However, virtualization cannot restrict an application's access rights to memory: once isolated user data is loaded into the memory of the intelligent terminal, it can easily be stolen by a corresponding application, so the security of the user data is relatively low.
Summary of the invention
The embodiments of the invention provide a method and system for isolating user data based on TrustZone, which can improve the security of user data.
In a first aspect, the invention provides a method for isolating user data based on TrustZone, including:
providing a TrustZone coprocessor in an intelligent terminal in advance, and setting a normal memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
the normal domain operating system running in the normal memory region storing user data to be isolated into the shared memory region;
the normal domain operating system running in the normal memory region sending a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
using the TrustZone coprocessor in monitor mode to make the secure domain operating system run in the secure memory region;
the secure domain operating system running in the secure memory region reading the user data to be isolated from the shared memory region and loading the read user data to be isolated into the secure memory region.
Preferably,
using the TrustZone coprocessor in monitor mode to make the secure domain operating system run in the secure memory region includes:
setting the NS bit of the Secure Configuration Register (SCR) of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor makes the secure domain operating system run in the secure memory region.
Preferably,
the user data to be isolated includes at least one application program;
then loading the read user data to be isolated into the secure memory region includes: making each application program run in the secure memory region.
Preferably,
the user data to be isolated includes at least one data item to be stored;
then loading the read user data to be isolated into the secure memory region includes: writing each read data item to be stored into the secure memory region.
Preferably,
writing each read data item to be stored into the secure memory region includes: encrypting each read data item to be stored with an encryption key preset in the TrustZone coprocessor to form ciphertext, and writing the ciphertext into the secure memory region.
In a second aspect, the embodiments of the invention provide a system for isolating user data based on TrustZone, including:
a TrustZone coprocessor, a setup module, a control module, a normal domain operating system and a secure domain operating system; wherein
the setup module is configured to provide the TrustZone coprocessor in an intelligent terminal and to set a normal memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
the normal domain operating system is configured to run in the normal memory region, store user data to be isolated into the shared memory region, and send a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor so that the TrustZone coprocessor enters monitor mode;
the control module is configured to use the TrustZone coprocessor in monitor mode to make the secure domain operating system run in the secure memory region;
the secure domain operating system is configured to run in the secure memory region under the control of the TrustZone coprocessor, read the user data to be isolated from the shared memory region, and load the read user data to be isolated into the secure memory region.
Preferably,
the control module is configured to set the NS bit of the Secure Configuration Register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor makes the secure domain operating system run in the secure memory region.
Preferably,
when the user data to be isolated includes at least one application program, the secure domain operating system is configured to make each application program run in the secure memory region.
Preferably,
when the user data to be isolated includes at least one data item to be stored, the secure domain operating system is configured to write each read data item to be stored into the secure memory region.
Preferably,
the secure domain operating system is configured to encrypt each read data item to be stored with an encryption key preset in the TrustZone coprocessor to form ciphertext, and to write the ciphertext into the secure memory region.
The embodiments of the invention provide a method and system for isolating user data based on TrustZone. In this method, a normal memory region, a shared memory region and a secure memory region are set on the memory of the intelligent terminal, and a TrustZone coprocessor is provided in the intelligent terminal. The normal domain operating system can only run in the normal memory region. When data provided by an application running in the normal memory region needs to be isolated, the normal domain operating system writes the data to be isolated into the shared memory region and then sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode. The TrustZone coprocessor in monitor mode then makes the secure domain operating system run in the secure memory region, switching from the normal domain operating system to the secure domain operating system. The secure domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. In summary, by providing hardware protection for the memory of the intelligent terminal, partitioning that memory into multiple regions, and loading the data to be isolated into the secure memory region, applications running in the normal memory region cannot directly access the secure memory region and therefore cannot steal the user data loaded into it, which improves the security of the user data.
Brief description of the drawings
To illustrate the technical schemes of the embodiments of the present invention or of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a flow chart of a method for isolating user data based on TrustZone provided by an embodiment of the invention;
Fig. 2 is a flow chart of another method for isolating user data based on TrustZone provided by an embodiment of the invention;
Fig. 3 is a schematic structural diagram of a system for isolating user data based on TrustZone provided by an embodiment of the invention.
Detailed description of the embodiments
To make the purpose, technical scheme and advantages of the embodiments of the present invention clearer, the technical scheme of the embodiments is described clearly and completely below in conjunction with the drawings. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
As shown in Fig. 1, an embodiment of the invention provides a method for isolating user data based on TrustZone, including:
Step 101: providing a TrustZone coprocessor in an intelligent terminal in advance, and setting a normal memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
Step 102: the normal domain operating system running in the normal memory region stores user data to be isolated into the shared memory region;
Step 103: the normal domain operating system running in the normal memory region sends a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
Step 104: the TrustZone coprocessor in monitor mode is used to make the secure domain operating system run in the secure memory region;
Step 105: the secure domain operating system running in the secure memory region reads the user data to be isolated from the shared memory region and loads it into the secure memory region.
In the above embodiment, a normal memory region, a shared memory region and a secure memory region are set on the memory of the intelligent terminal, and a TrustZone coprocessor is provided in the intelligent terminal. The normal domain operating system can only run in the normal memory region. When data provided by an application running in the normal memory region needs to be isolated, the normal domain operating system writes the data to be isolated into the shared memory region and then sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode. The TrustZone coprocessor in monitor mode then makes the secure domain operating system run in the secure memory region, switching from the normal domain operating system to the secure domain operating system. The secure domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. In summary, by providing hardware protection for the memory of the intelligent terminal, partitioning that memory into multiple regions, and loading the data to be isolated into the secure memory region, applications running in the normal memory region cannot directly access the secure memory region and therefore cannot steal the user data loaded into it, which improves the security of the user data.
In one embodiment of the invention, using the TrustZone coprocessor in monitor mode to make the secure domain operating system run in the secure memory region includes: setting the NS bit of the Secure Configuration Register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor makes the secure domain operating system run in the secure memory region.
In the above embodiment, the ARM (Advanced RISC Machines) processor of the intelligent terminal is extended so that the intelligent terminal carries a TrustZone coprocessor (for example the CP15 coprocessor). The TrustZone coprocessor has a Secure Configuration Register containing an NS bit that indicates the current state of the intelligent terminal: if NS is 0, the terminal is in the secure state and the secure domain operating system can run in the secure memory region; if NS is 1, the terminal is in the non-secure state and the normal domain operating system can run in the normal memory region. Because the NS bit of the Secure Configuration Register can only be modified while the TrustZone coprocessor is in monitor mode, the operating system environment of the intelligent terminal is switched between the normal domain operating system and the secure domain operating system by changing the NS bit while the coprocessor is in monitor mode.
If an application in the secure memory region could set the NS bit of the Secure Configuration Register directly to 1 outside monitor mode, the terminal would enter the non-secure state directly, and an application running in the normal memory region could then access the instructions the processor is receiving and the data in its registers, so the user data would be at risk of being stolen. Therefore, whether switching from the normal domain operating system to the secure domain operating system or from the secure domain operating system to the normal domain operating system, the NS bit of the Secure Configuration Register may only be modified directly while the TrustZone coprocessor is in monitor mode.
In one embodiment of the invention, the user data to be isolated may specifically be application programs or data items to be stored.
Specifically, when the user data to be isolated includes at least one application program, loading the read user data to be isolated into the secure memory region includes making each application program run in the secure memory region. Applications running in the normal memory region cannot directly access applications running in the secure memory region, which improves the security of each application running in the secure memory region.
Correspondingly, when the user data to be isolated includes at least one data item to be stored, loading the read user data to be isolated into the secure memory region includes writing each data item to be stored into the secure memory region. Applications running in the normal memory region cannot directly access the data items stored in the secure memory region, which improves the security of each data item stored there.
To further improve the security of each data item to be stored, in one embodiment of the invention writing each read data item to be stored into the secure memory region includes: encrypting each read data item with an encryption key preset in the TrustZone coprocessor to form ciphertext, and writing the ciphertext into the secure memory region.
Specifically, a matching encryption algorithm and decryption algorithm, such as the AES (Advanced Encryption Standard) encryption and decryption algorithms, can be preset in the TrustZone coprocessor, and a read/write monitoring function monitors data read and write requests to the secure memory region. When it detects that a data item to be stored needs to be written into the secure memory region, the item is encrypted with the AES encryption algorithm to form ciphertext, and the ciphertext is written into the secure memory region; when it detects that ciphertext written into the secure memory region needs to be read, the read ciphertext is decrypted with the AES decryption algorithm to obtain the corresponding data item.
To illustrate the technical scheme and its advantages more clearly, an embodiment of the invention provides another method for isolating user data based on TrustZone. Taking as an example a user requesting that user data received by a smartphone be isolated, and as shown in Fig. 2, the method may include the following steps:
Step 201: providing a TrustZone coprocessor in the smartphone.
Step 202: setting a normal memory region, a shared memory region and a secure memory region on the memory of the smartphone.
Step 203: providing a matching AES encryption module and AES decryption module in the TrustZone coprocessor.
Step 204: the user operates the smartphone through the normal domain operating system running in the normal memory region.
Step 205: the running normal domain operating system makes the corresponding client program on the smartphone receive the user data and store the received user data into the shared memory region.
Step 206: the running normal domain operating system sends a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor.
Step 207: on receiving the interrupt signal, the interrupt controller makes the TrustZone coprocessor enter monitor mode.
Step 208: the NS bit of the Secure Configuration Register of the TrustZone coprocessor that has entered monitor mode is set to 0, so that the TrustZone coprocessor makes the secure domain operating system run in the secure memory region.
Step 209: the running secure domain operating system reads the user data to be isolated from the shared memory region.
Step 210: the read/write monitoring function of the secure domain operating system monitors data read and write requests to the secure memory region; when it detects that the secure domain operating system needs to write the read user data into the secure memory region, the data to be stored is encrypted by the AES encryption module preset in the TrustZone coprocessor to form ciphertext, and the ciphertext is written into the secure memory region.
Step 211: the read/write monitoring function of the secure domain operating system monitors data read and write requests to the secure memory region; when it detects that the secure domain operating system has read ciphertext written into the secure memory region, the read ciphertext is decrypted by the AES decryption module preset in the TrustZone coprocessor to obtain the corresponding user data.
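The world-switch sequence of steps 205 to 209 and the monitor-mode rule for the NS bit described in the embodiment above, as an added example in C that is not part of the patent: a software model in which the secure region is reachable only while SCR.NS is 0 and NS can be written only in monitor mode. All names (soc_t, isolate_user_data, run_scenario) and the sample bytes are constructed for this illustration; the AES encryption of step 210 is not modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of the patent's three memory regions, the SCR.NS bit and
 * the monitor-mode gate. Not the patent's code; names are constructed. */

#define REGION_SIZE 32

typedef enum { REGION_NORMAL, REGION_SHARED, REGION_SECURE } region_t;

typedef struct {
    int monitor_mode;            /* 1 once the FIQ has been taken (steps 206-207) */
    int scr_ns;                  /* SCR.NS: 1 = non-secure state, 0 = secure state */
    uint8_t normal[REGION_SIZE];
    uint8_t shared[REGION_SIZE];
    uint8_t secure[REGION_SIZE];
} soc_t;

static void soc_init(soc_t *s) {
    memset(s, 0, sizeof *s);
    s->scr_ns = 1;               /* the terminal starts running the normal domain OS */
}

/* Patent rule: the secure region is reachable only in the secure state (NS = 0);
 * the normal and shared regions are reachable from either state. */
static int region_accessible(const soc_t *s, region_t r) {
    return r != REGION_SECURE || s->scr_ns == 0;
}

static uint8_t *region_base(soc_t *s, region_t r) {
    switch (r) {
    case REGION_NORMAL: return s->normal;
    case REGION_SHARED: return s->shared;
    default:            return s->secure;
    }
}

/* Both return 0 on success, -1 when the access rule or the bounds deny the transfer. */
static int write_region(soc_t *s, region_t r, const uint8_t *src, size_t n) {
    if (n > REGION_SIZE || !region_accessible(s, r)) return -1;
    memcpy(region_base(s, r), src, n);
    return 0;
}

static int read_region(soc_t *s, region_t r, uint8_t *dst, size_t n) {
    if (n > REGION_SIZE || !region_accessible(s, r)) return -1;
    memcpy(dst, region_base(s, r), n);
    return 0;
}

/* Steps 206-207: the FIQ delivered to the interrupt controller puts the
 * coprocessor into monitor mode; leaving monitor mode is the return path. */
static void fiq_to_monitor(soc_t *s) { s->monitor_mode = 1; }
static void leave_monitor(soc_t *s)  { s->monitor_mode = 0; }

/* Step 208 and the rule stated in the embodiment: SCR.NS may be written only in
 * monitor mode. Returns 0 when applied, -1 when refused. */
static int scr_set_ns(soc_t *s, int ns) {
    if (!s->monitor_mode) return -1;
    s->scr_ns = ns ? 1 : 0;
    return 0;
}

/* Steps 205-209 plus the return switch: the normal domain stages the data in the
 * shared region, raises the FIQ, monitor sets NS to 0, the secure domain copies
 * the data into the secure region, then NS returns to 1 and monitor mode ends.
 * Returns 0, or a negative code naming the step that failed. */
static int isolate_user_data(soc_t *s, const uint8_t *data, size_t n) {
    uint8_t tmp[REGION_SIZE];
    if (write_region(s, REGION_SHARED, data, n) != 0) return -205;
    fiq_to_monitor(s);
    if (scr_set_ns(s, 0) != 0) return -208;
    if (read_region(s, REGION_SHARED, tmp, n) != 0) return -209;
    if (write_region(s, REGION_SECURE, tmp, n) != 0) return -210;
    /* Not in the patent: the shared region stays readable by the normal domain,
     * so the staging copy is wiped before control is handed back. */
    memset(s->shared, 0, REGION_SIZE);
    scr_set_ns(s, 1);
    leave_monitor(s);
    return 0;
}

/* Runs the scenario and returns a bit mask of the properties that held (0x1f = all). */
static unsigned run_scenario(void) {
    static const uint8_t user_data[] = { 0x11, 0x22, 0x33, 0x44 }; /* constructed sample */
    uint8_t out[REGION_SIZE];
    unsigned ok = 0;
    soc_t s;
    soc_init(&s);
    /* bit 0: NS cannot be changed from the normal domain outside monitor mode */
    if (scr_set_ns(&s, 0) == -1 && s.scr_ns == 1) ok |= 1u << 0;
    /* bit 1: the normal domain cannot read the secure region directly */
    if (read_region(&s, REGION_SECURE, out, 4) == -1) ok |= 1u << 1;
    /* bit 2: the isolation sequence completes */
    if (isolate_user_data(&s, user_data, 4) == 0) ok |= 1u << 2;
    /* bit 3: afterwards the terminal is back in the non-secure state, out of monitor mode */
    if (s.scr_ns == 1 && s.monitor_mode == 0) ok |= 1u << 3;
    /* bit 4: the data sits in the secure region, still unreadable from the normal domain */
    if (memcmp(s.secure, user_data, 4) == 0 &&
        read_region(&s, REGION_SECURE, out, 4) == -1) ok |= 1u << 4;
    return ok;
}
```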
In the embodiments of the invention, the user can make the corresponding applications run in the normal memory region of the smartphone through the normal domain operating system, and make applications with higher security requirements run in the secure memory region of the smartphone through the secure domain operating system. By switching from the normal domain operating system to the secure domain operating system, the user can also, according to actual business needs, isolate user data that is to be stored in the normal domain operating system into the secure memory region, which improves the security of the corresponding applications and stored data.
As shown in Fig. 3, an embodiment of the invention provides a system for isolating user data based on TrustZone, including:
a TrustZone coprocessor 301, a setup module 302, a control module 303, a normal domain operating system 304 and a secure domain operating system 305; wherein
the setup module 302 is configured to provide the TrustZone coprocessor 301 in an intelligent terminal and to set a normal memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
the normal domain operating system 304 is configured to run in the normal memory region, store user data to be isolated into the shared memory region, and send a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor 301 so that the TrustZone coprocessor 301 enters monitor mode;
the control module 303 is configured to use the TrustZone coprocessor 301 in monitor mode to make the secure domain operating system 305 run in the secure memory region;
the secure domain operating system 305 is configured to run in the secure memory region under the control of the TrustZone coprocessor 301, read the user data to be isolated from the shared memory region, and load the read user data to be isolated into the secure memory region.
In a preferred embodiment of the invention, the control module 303 is configured to set the NS bit of the Secure Configuration Register of the TrustZone coprocessor 301 that has entered monitor mode to 0, so that the TrustZone coprocessor 301 makes the secure domain operating system 305 run in the secure memory region.
In a preferred embodiment of the invention, when the user data to be isolated includes at least one application program, the secure domain operating system 305 is configured to make each application program run in the secure memory region.
In a preferred embodiment of the invention, when the user data to be isolated includes at least one data item to be stored, the secure domain operating system 305 is configured to write each read data item to be stored into the secure memory region.
In a preferred embodiment of the invention, the secure domain operating system 305 is configured to encrypt each read data item to be stored with an encryption key preset in the TrustZone coprocessor 301 to form ciphertext, and to write the ciphertext into the secure memory region.
Because the information exchange between the units of the above system and its execution process are based on the same concept as the method embodiments of the invention, the details can be found in the description of the method embodiments and are not repeated here.
In summary, the embodiments of the invention have at least the following beneficial effects:
1. In one embodiment of the invention, a normal memory region, a shared memory region and a secure memory region are set on the memory of the intelligent terminal, and a TrustZone coprocessor is provided in the intelligent terminal. The normal domain operating system can only run in the normal memory region. When data provided by an application running in the normal memory region needs to be isolated, the normal domain operating system writes the data to be isolated into the shared memory region and then sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode. The TrustZone coprocessor in monitor mode then makes the secure domain operating system run in the secure memory region, switching from the normal domain operating system to the secure domain operating system. The secure domain operating system reads the corresponding data to be isolated from the shared memory region and loads it into the secure memory region. By providing hardware protection for the memory of the intelligent terminal, partitioning that memory into multiple regions, and loading the data to be isolated into the secure memory region, applications running in the normal memory region cannot directly access the secure memory region and therefore cannot steal the user data loaded into it, which improves the security of the user data.
2. In one embodiment of the invention, whether switching from the normal domain operating system to the secure domain operating system or from the secure domain operating system to the normal domain operating system, the NS bit of the Secure Configuration Register may only be modified directly while the TrustZone coprocessor is in monitor mode. This prevents an application in the secure memory region from putting the terminal into the non-secure state directly outside monitor mode, so that applications running in the normal memory region cannot access the instructions the processor is receiving or the data in its registers, and the user data cannot be stolen.
3. In one embodiment of the invention, user data that needs to be isolated in the secure memory region is encrypted with a corresponding encryption algorithm before storage, which further improves the security of the user data.
It should be noted that relational terms such as "first" and "second" are used herein only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "comprise", "include" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes that element.
Finally, it should be noted that the above are only preferred embodiments of the present invention, intended to illustrate the technical scheme of the invention and not to limit its scope. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the invention are included in the scope of protection of the invention.

Claims (10)

1. A method for isolating user data based on TrustZone, characterised in that it comprises:
setting a TrustZone coprocessor in an intelligent terminal in advance, and setting a common memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
the common-domain operating system running in the common memory region stores the user data to be isolated into the shared memory region;
the common-domain operating system running in the common memory region sends a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
using the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region;
the secure-domain operating system running in the secure memory region reads the user data to be isolated from the shared memory region, and loads the read user data to be isolated into the secure memory region.
2. The method according to claim 1, characterised in that
using the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region comprises:
modifying the NS bit of the Secure Configuration Register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
3. The method according to claim 1, characterised in that
the user data to be isolated comprises at least one application program;
and loading the read user data to be isolated into the secure memory region comprises: controlling each of the application programs to run in the secure memory region.
4. The method according to claim 1, characterised in that
the user data to be isolated comprises at least one item of data to be stored;
and loading the read user data to be isolated into the secure memory region comprises: writing each item of the read data to be stored into the secure memory region.
5. The method according to claim 4, characterised in that
writing each item of the read data to be stored into the secure memory region comprises: encrypting each item of the read data to be stored with an encryption key set in advance in the TrustZone coprocessor to form ciphertext, and writing the formed ciphertext into the secure memory region.
6. A system for isolating user data based on TrustZone, characterised in that it comprises:
a TrustZone coprocessor, a setup module, a control module, a common-domain operating system and a secure-domain operating system; wherein
the setup module is configured to set the TrustZone coprocessor in an intelligent terminal, and to set a common memory region, a shared memory region and a secure memory region on the memory of the intelligent terminal;
the common-domain operating system is configured to run in the common memory region, to store the user data to be isolated into the shared memory region, and to send a fast interrupt (FIQ) signal to the interrupt controller of the TrustZone coprocessor so that the TrustZone coprocessor enters monitor mode;
the control module is configured to use the TrustZone coprocessor that has entered monitor mode to control the secure-domain operating system to run in the secure memory region;
the secure-domain operating system is configured to run in the secure memory region under the control of the TrustZone coprocessor, to read the user data to be isolated from the shared memory region, and to load the read user data to be isolated into the secure memory region.
7. The system according to claim 6, characterised in that
the control module is configured to modify the NS bit of the Secure Configuration Register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the secure-domain operating system to run in the secure memory region.
8. The system according to claim 6, characterised in that
when the user data to be isolated comprises at least one application program, the secure-domain operating system is configured to control each of the application programs to run in the secure memory region.
9. The system according to claim 6, characterised in that
when the user data to be isolated comprises at least one item of data to be stored, the secure-domain operating system is configured to write each item of the read data to be stored into the secure memory region.
10. The system according to claim 9, characterised in that
the secure-domain operating system is configured to encrypt each item of the read data to be stored with an encryption key set in advance in the TrustZone coprocessor to form ciphertext, and to write the formed ciphertext into the secure memory region.
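The sequence of claim 1, the NS-bit rule of claim 2 and the encrypt-then-write step of claim 5 can be followed more easily as a small model. The C below is an added illustration, not the patent's own code or any real TrustZone firmware: `struct coproc`, `struct memory`, `scr_set_ns`, `isolate_user_data` and the other names are assumptions made for this model, the three regions are plain byte arrays, and a key-stream XOR stands in for the unspecified encryption of claim 5. Real hardware enforces the NS bit, monitor mode and region partitioning itself; the model only mirrors the decision logic so that the ordering of the steps and the access checks (including the two refusals) can be exercised on an ordinary host.

```c
/* Added illustration, not the patent's own code: a host-side model of the claim-1
 * hand-off (common-domain OS -> shared region -> FIQ -> monitor mode -> NS bit
 * cleared -> secure-domain OS loads the data into the secure region). */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum cp_mode { MODE_NORMAL, MODE_MONITOR, MODE_SECURE };
#define REGION_SIZE 64
#define KEY_SIZE 16

struct coproc {
    enum cp_mode mode;
    unsigned ns;             /* models the NS bit of the Secure Configuration Register */
    uint8_t key[KEY_SIZE];   /* key provisioned in the coprocessor (claim 5) */
};
struct memory {              /* the three regions set up in claim 1 */
    uint8_t common[REGION_SIZE];
    uint8_t shared[REGION_SIZE];
    uint8_t secure[REGION_SIZE];
};

/* Rule from the description and claim 2: NS may only be written in monitor mode. */
int scr_set_ns(struct coproc *cp, unsigned ns) {
    if (cp->mode != MODE_MONITOR) return -1;
    cp->ns = ns ? 1 : 0;
    return 0;
}
/* The secure region is reachable only from the secure domain with NS == 0. */
static int secure_access_ok(const struct coproc *cp) { return cp->mode == MODE_SECURE && cp->ns == 0; }

/* Step 1: the common-domain OS stages the data in the shared region. */
static int common_domain_store(struct memory *m, const uint8_t *data, size_t len) {
    if (len > REGION_SIZE) return -1;
    memcpy(m->shared, data, len);
    return 0;
}
/* Step 2: the FIQ to the coprocessor's interrupt controller enters monitor mode. */
static void raise_fiq(struct coproc *cp) { cp->mode = MODE_MONITOR; }

/* Placeholder for the claim-5 encryption: a key-stream XOR. It is NOT AES and
 * gives no real protection; it only keeps the plaintext/ciphertext flow visible. */
static void xor_key(const struct coproc *cp, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ cp->key[i % KEY_SIZE];
}
/* Step 3: the secure-domain OS reads the shared region and writes ciphertext
 * into the secure region (claims 4 and 5). */
static int secure_domain_load(struct coproc *cp, struct memory *m, size_t len) {
    if (!secure_access_ok(cp) || len > REGION_SIZE) return -1;
    xor_key(cp, m->shared, m->secure, len);
    memset(m->shared, 0, len);  /* not in the claims: clear the staging copy once moved */
    return 0;
}
/* Secure-domain read-back, subject to the same access rule. */
int secure_domain_read(const struct coproc *cp, const struct memory *m, uint8_t *out, size_t len) {
    if (!secure_access_ok(cp) || len > REGION_SIZE) return -1;
    xor_key(cp, m->secure, out, len);
    return 0;
}

/* The whole claim-1 sequence: 0 on success, a negative step number on failure. */
int isolate_user_data(struct coproc *cp, struct memory *m, const uint8_t *data, size_t len) {
    if (common_domain_store(m, data, len) != 0) return -1;
    raise_fiq(cp);
    if (scr_set_ns(cp, 0) != 0) return -2;  /* claim 2: NS := 0 while in monitor mode */
    cp->mode = MODE_SECURE;                  /* secure-domain OS now runs in the secure region */
    if (secure_domain_load(cp, m, len) != 0) return -3;
    return 0;
}

/* Self-checks on constructed input; results are returned so they can be asserted. */
int demo_roundtrip(void) {
    struct coproc cp = { .mode = MODE_NORMAL, .ns = 1, .key = { 0x5a, 0x13, 0xc4, 0x77,
        0x01, 0xfe, 0x22, 0x90, 0x4b, 0x6d, 0xa8, 0x3f, 0xe1, 0x0c, 0xb5, 0x88 } };
    struct memory m; memset(&m, 0, sizeof m);
    const uint8_t plain[] = "user-secret-0001";  /* constructed sample, 17 bytes with NUL */
    uint8_t out[sizeof plain];
    if (isolate_user_data(&cp, &m, plain, sizeof plain) != 0) return 0;
    if (memcmp(m.secure, plain, sizeof plain) == 0) return 0;  /* held only as ciphertext */
    if (m.shared[0] != 0) return 0;                            /* staging copy cleared */
    if (secure_domain_read(&cp, &m, out, sizeof plain) != 0) return 0;
    return memcmp(out, plain, sizeof plain) == 0;
}
/* Negative checks: NS cannot be flipped outside monitor mode, and the common
 * domain (NS == 1) cannot read the secure region. */
int ns_write_outside_monitor_refused(void) {
    struct coproc cp = { .mode = MODE_NORMAL, .ns = 1 };
    return scr_set_ns(&cp, 0) == -1 && cp.ns == 1;
}
int common_domain_read_refused(void) {
    struct coproc cp = { .mode = MODE_NORMAL, .ns = 1 };
    struct memory m; memset(&m, 0, sizeof m);
    uint8_t out[4];
    return secure_domain_read(&cp, &m, out, sizeof out) == -1;
}
```

The two refusal functions are the part worth keeping in mind when reading the description's second advantage: the model only lets the NS bit change while `mode == MODE_MONITOR`, and every access to the secure region is gated on both the secure mode and `ns == 0`, so a common-domain caller that skips the FIQ step cannot reach the secure region or rewrite the bit. The `memset` of the shared region after the move is an extra hygiene step that the claims do not mention.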

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710481894.4A CN107194284A (en) 2017-06-22 2017-06-22 A kind of method and system based on the user-isolated data of TrustZone


Publications (1)

Publication Number Publication Date
CN107194284A true CN107194284A (en) 2017-09-22

Family

ID=59879716

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710481894.4A Pending CN107194284A (en) 2017-06-22 2017-06-22 A kind of method and system based on the user-isolated data of TrustZone

Country Status (1)

Country Link
CN (1) CN107194284A (en)


Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104091135A (en) * 2014-02-24 2014-10-08 电子科技大学 Safety system and safety storage method of intelligent terminal
CN104318182A (en) * 2014-10-29 2015-01-28 中国科学院信息工程研究所 Intelligent terminal isolation system and intelligent terminal isolation method both based on processor safety extension
CN104581214A (en) * 2015-01-28 2015-04-29 三星电子(中国)研发中心 Multimedia content protecting method and device based on ARM TrustZone system
CN104992122A (en) * 2015-07-20 2015-10-21 武汉大学 Cell phone private information safe box based on ARM Trust Zone
US9483638B2 (en) * 2005-12-23 2016-11-01 Texas Instruments Incorporated Method and system for preventing unauthorized processor mode switches


Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109783207B (en) * 2017-11-13 2023-08-22 厦门雅迅网络股份有限公司 Method and system for protecting dual-system shared memory data security
CN109783207A (en) * 2017-11-13 2019-05-21 厦门雅迅网络股份有限公司 Protect the method and system of dual system shared drive data safety
CN108154032A (en) * 2017-11-16 2018-06-12 中国科学院软件研究所 It is a kind of that the computer system root of trust construction method of memory integrity ensuring is had the function of based on credible performing environment
CN108154032B (en) * 2017-11-16 2021-07-30 中国科学院软件研究所 Computer system trust root construction method with memory integrity guarantee function
CN108052415A (en) * 2017-11-17 2018-05-18 中国科学院信息工程研究所 A kind of malware detection platform quick recovery method and system
CN108052415B (en) * 2017-11-17 2022-01-04 中国科学院信息工程研究所 Rapid recovery method and system for malicious software detection platform
CN107835185A (en) * 2017-11-21 2018-03-23 广州大学 A kind of mobile terminal safety method of servicing and device based on ARM TrustZone
CN108155986A (en) * 2017-12-14 2018-06-12 晶晨半导体(上海)股份有限公司 A kind of key programming system and method based on credible performing environment
CN108647513A (en) * 2018-03-22 2018-10-12 华中科技大学 A kind of shared library security isolation method and system based on TrustZone
CN108647513B (en) * 2018-03-22 2020-04-28 华中科技大学 TrustZone-based shared library security isolation method and system
EP3761208A4 (en) * 2018-04-02 2021-04-21 Huawei Technologies Co., Ltd. Trust zone-based operating system and method
US11443034B2 (en) 2018-04-02 2022-09-13 Huawei Technologies Co., Ltd. Trust zone-based operating system and method
CN109684126A (en) * 2018-12-25 2019-04-26 贵州华芯通半导体技术有限公司 For the Memory Checkout method of ARM equipment and the ARM equipment of execution Memory Checkout
CN109684126B (en) * 2018-12-25 2022-05-03 贵州华芯通半导体技术有限公司 Memory verification method for ARM equipment and ARM equipment for executing memory verification
CN109992992A (en) * 2019-01-25 2019-07-09 中国科学院数据与通信保护研究教育中心 A kind of believable protecting sensitive data method and system
WO2021174512A1 (en) * 2020-03-06 2021-09-10 华为技术有限公司 Electronic device and security protection method
CN111431993A (en) * 2020-03-20 2020-07-17 山东大学 Method for realizing IoT equipment heartbeat communication based on TrustZone technology
CN111414859A (en) * 2020-03-20 2020-07-14 山东大学 TrustZone-based retina identification method
CN111913806A (en) * 2020-08-03 2020-11-10 Oppo广东移动通信有限公司 Memory area management method, electronic equipment and storage medium
CN113220225A (en) * 2021-04-06 2021-08-06 浙江大学 Memory data read-write method and device for RISC-V processor, processor and storage medium
CN113220225B (en) * 2021-04-06 2022-04-12 浙江大学 Memory data read-write method and device for RISC-V processor, processor and storage medium
CN113254969A (en) * 2021-06-08 2021-08-13 挂号网(杭州)科技有限公司 Service data processing method and device, electronic equipment and storage medium
CN113268447A (en) * 2021-06-10 2021-08-17 海光信息技术股份有限公司 Computer architecture and access control, data interaction and safe starting method in computer architecture
CN114048502A (en) * 2021-10-15 2022-02-15 中国科学院信息工程研究所 Lightweight trusted channel and communication control method thereof
CN114048502B (en) * 2021-10-15 2023-08-15 中国科学院信息工程研究所 Lightweight trusted channel and communication control method thereof
CN113835933A (en) * 2021-11-26 2021-12-24 北京指掌易科技有限公司 Data management method, device, medium and electronic equipment


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170922