Disclosure of Invention
The invention provides a memory data encryption and decryption method, which solves the problem of malicious attack caused by the fact that an encryption key is kept unchanged.
The invention provides a memory data encryption and decryption method, which comprises the following steps:
S1: the processor module sends a key update request to the encryption module, and the encryption module generates a new key after receiving the request;
S2: for each encrypted memory page in the memory, the encryption module decrypts the memory page data corresponding to the encrypted memory page by using the old key, and re-encrypts each decrypted page data by using the new key.
Wherein, step S1 is preceded by: the operating system checks the current state of the processor module, and if the processor module is busy, the operating system directly exits;
if the processor module is in the idle state, the operating system is suspended, no input-output operation of any other process is accepted, and the above-described steps S1 and S2 are performed.
In addition, after the steps are successfully executed, the operating system returns success; if an error occurs in the above steps, the operating system returns an error and ends the update process.
Step S1 further includes the encryption module saving the new key to the register of the memory controller module or its internal EEPROM.
In step S1, the processor module sends a key update request to the encryption module via the key update interface.
Preferably, in step S1 the processor module sends the key update request to the encryption module by means of a new machine instruction, or by the controller firmware (FW) providing a new application programming interface.
By using the memory data encryption and decryption method provided by the invention, malicious attacks caused by keeping an encryption key of an SME technology unchanged can be effectively reduced, so that the security of memory encryption is remarkably improved; and the flexibility of a security scheme is provided, and a user and a system can dynamically update the encryption and decryption keys according to needs.
Detailed Description
The technical solution of the present invention is further described in detail by the accompanying drawings and embodiments.
As shown in Figs. 2 and 3, the present invention provides a method for encrypting and decrypting memory data, wherein the method comprises:
S1: the processor module 1 sends a key update request to the encryption module 2, and the encryption module generates a new key after receiving the request;
S2: for each encrypted memory page in the memory, the encryption module 2 decrypts the memory page data corresponding to the encrypted memory page by using the old key, and re-encrypts each decrypted page data by using the new key.
Because updating the encryption key invalidates the data currently encrypted in the memory, after the key has been updated successfully the encrypted data in the memory must be decrypted and then re-encrypted and stored using the new key. When the system is running at full load, a large amount of data is stored in the memory. If the key is updated at that point, decrypting and re-encrypting the data in memory takes a long time, which may leave the system unavailable for a long period.
Therefore, in a preferred embodiment of the present invention, step S1 is preceded by: the operating system checks the current state of the processor module 1, and if the processor module 1 is busy, the operating system directly exits;
if the processor module 1 is in the idle state, the operating system is suspended, no input-output operation of any other process is accepted, and the above-described steps S1 and S2 are performed.
In addition, after the steps are successfully executed, the operating system returns success; if an error occurs in the above steps, the operating system returns an error and ends the update process.
Step S1 further includes the encryption module saving the new key to the register in the memory controller module or its internal EEPROM.
A system for increasing memory encryption security by dynamically updating encryption keys is shown in Fig. 2. The system supports dynamic updating of the encryption key through a key update interface between the processor module 1 and the encryption module 2 (shown as the dotted-line interface in Fig. 3; implementation forms include a hardware instruction UPDATE_MEM_KEY, a new API provided by the encryption module FW, etc.). With this function added, the operating system can send a key update request to the encryption module 2 at an appropriate time to generate a new encryption key. Further, in step S1 the processor module 1 sends the key update request to the encryption module 2 by means of a new machine instruction, or by the controller firmware (FW) providing a new application programming interface (API).
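The update flow described above (idle check, S1, S2, saving the new key to the register, success or error return), modelled in software as an added example that is not part of the patent text. The SHAKE-256 XOR stream is a stand-in for the hardware cipher, and the class and function names, the 16-byte key size, and the stage-then-commit behaviour on error are assumptions of this sketch.

```python
import hashlib
import secrets

def _xor_stream(key: bytes, page_no: int, data: bytes) -> bytes:
    """Stand-in cipher (assumption): XOR with a SHAKE-256 stream tweaked by page number."""
    stream = hashlib.shake_256(key + page_no.to_bytes(8, "little")).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class EncryptionModule:
    """Models encryption module 2; key_register models the controller register/EEPROM."""
    def __init__(self):
        self.key_register = secrets.token_bytes(16)

    def encrypt(self, page_no: int, data: bytes) -> bytes:
        return _xor_stream(self.key_register, page_no, data)

    decrypt = encrypt  # an XOR stream is its own inverse

    def update_mem_key(self, memory: dict, encrypted_pages) -> None:
        # S1: generate the new key on request.
        old_key, new_key = self.key_register, secrets.token_bytes(16)
        # S2: decrypt each encrypted page with the old key, re-encrypt with the new.
        staged = {}
        for page_no in encrypted_pages:
            plain = _xor_stream(old_key, page_no, memory[page_no])
            staged[page_no] = _xor_stream(new_key, page_no, plain)
        # Commit only after every page succeeded (design choice of this sketch),
        # so a failure never leaves pages split between two keys.
        memory.update(staged)
        self.key_register = new_key

def rotate_key(cpu_busy: bool, module: EncryptionModule, memory: dict, encrypted_pages) -> str:
    """OS-side wrapper: exit if busy, otherwise run S1 and S2 and report the result."""
    if cpu_busy:
        return "busy"          # operating system exits directly
    # A real OS would be suspended here and accept no I/O from other processes.
    try:
        module.update_mem_key(memory, encrypted_pages)
    except Exception:
        return "error"         # old key and old ciphertext are still in place
    return "success"

if __name__ == "__main__":
    mod = EncryptionModule()
    secret = b"constructed sample page contents".ljust(64, b".")
    mem = {0: mod.encrypt(0, secret), 1: b"unencrypted page".ljust(64, b".")}
    print(rotate_key(False, mod, mem, [0]), mod.decrypt(0, mem[0]) == secret)
```

Pages not listed as encrypted are left untouched, and a busy processor or a failed page leaves both the key register and the stored ciphertext unchanged.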
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
Those of skill in the art would further appreciate that the various illustrative components and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative components and steps have been described above generally in terms of their functionality in order to clearly illustrate this interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied in hardware, a software module executed by a processor, or a combination of the two. A software module may reside in Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
The above embodiments are provided to further explain the objects, technical solutions and advantages of the present invention in detail. It should be understood that the above embodiments are merely exemplary embodiments of the present invention and are not intended to limit its scope; any modifications, equivalent substitutions, improvements, etc. made within the spirit and principle of the present invention should be included in the scope of the present invention.