CN109726566A - Encryption system and encryption method based on secure memory encryption technology - Google Patents

Publication number
CN109726566A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811400799.8A
Other languages
Chinese (zh)
Other versions
CN109726566B (en)
Inventor
王海洋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Chengdu Haiguang Integrated Circuit Design Co Ltd
Original Assignee
Chengdu Haiguang Integrated Circuit Design Co Ltd

Abstract

The present invention provides an encryption system and method based on secure memory encryption technology. The encryption system includes: a processing unit for overall control of each functional unit; an IO unit for data transmission between different processing units; a memory unit for storing data; and an encryption/decryption unit for encrypting or decrypting data entering and leaving the memory unit. In association with a data address, the encryption system sets a processing unit encryption identification for the processing unit and an IO unit encryption identification for the IO unit, and the two identifications are opposite logic values. When the processing unit reads or writes data to the memory unit, the encryption/decryption unit performs encryption or decryption based on the processing unit encryption identification; when the IO unit reads or writes data to the memory unit, it performs encryption or decryption based on the IO unit encryption identification. According to the invention, secure transmission of memory data between IOs is realized using the existing SME architecture without adding a separate hardware module.

Description

Encryption system and encryption method based on secure memory encryption technology
Technical field
The present invention relates to data encryption technology, and in particular to an encryption system and encryption method based on secure memory encryption technology.
Background art
Computer systems are becoming ever more complex, and emerging technologies such as cloud computing and big data are increasingly widespread. In many processing environments data is transferred between physical machines, between virtual machines (VMs) and between CPU cores (collectively, transferred between processors), and in many cases the data is not transferred directly between processors but through an interface (IO).
As described above, large amounts of data are produced, and as technology advances, unauthorized access, destruction or tampering may occur in the course of data access; a data encryption mechanism therefore needs to be supported during data access. In this regard, SME (Secure Memory Encryption) technology has, for example, been proposed in the prior art to realize encryption of memory data. SME provides a more secure memory encryption mechanism in which memory can only be accessed after authorization. It can be used for encryption within system memory and in systems with VM or container environments, and can additionally be used on hardware devices such as network, storage and graphics cards.
The working mode of SME in data transmission in the prior art is explained with reference to Fig. 1, which shows the functional block diagram of SME. The processor marks memory encryption either by software setting a c-bit in the page table of a process (the position of the c-bit is identified via CPUID), or by using a certain bit of the physical address (such as bit 47 of a 48-bit physical address) to indicate whether the address is memory-encrypted.
As shown in the block diagram in the lower part of Fig. 1, when writing memory, the arbiter selects whether the currently transmitted IO write memory request or the CPU write memory request is sent to memory, and sends the bit used to mark the encrypted state in the page table, i.e. the CPU page table c-bit or the IO page table c-bit, to the selector. Meanwhile, in write mode the encryption/decryption module selects encryption mode and encrypts the plaintext data to be written to form ciphertext data. If the CPU page table c-bit or IO page table c-bit of the current request = 1, the ciphertext data is written to memory through the selector; if the CPU page table c-bit or IO page table c-bit of the current request = 0, the plaintext data is written to memory through the selector.
As shown in the block diagram in the upper part of Fig. 1, when reading memory, a read request is sent; the first arbiter selects whether the IO read memory request or the CPU read memory request is sent to memory, and sends the bit used to mark the encrypted state in the page table, i.e. the CPU page table c-bit or the IO page table c-bit, to the selector. Meanwhile, in read mode the encryption/decryption module selects decryption mode and decrypts the data read from DDR. If the CPU page table c-bit or IO page table c-bit of the current request = 1, the selector outputs the plaintext data decrypted by the encryption/decryption module to the second arbiter; if the CPU page table c-bit or IO page table c-bit of the current request = 0, the selector outputs the memory data directly to the second arbiter. The second arbiter, according to whether the transmitted request is an IO read memory request or a CPU read memory request, selects to send the received data to the IO or to the CPU.
As described above, in SME mode data is encrypted automatically when written to memory and decrypted automatically when read from memory; it is used to encrypt part of the data in memory in order to prevent physical attacks on the memory.
In certain security scenarios, when two CPUs need to transfer part of the memory data through IO, the transmission between the IOs needs to be encrypted to prevent attacks on the data transferred between the IOs. But it can be seen from the working mode of SME that SME provides protection of memory data: in current software the IO and CPU page table c-bits are set to the same value, or the IO directly reuses the page table of the CPU, and for the same address there is only one c-bit. Thus, when c-bit = 1, data is encrypted on write and decrypted on read, so the data is encrypted only in memory and is transferred between IOs in plaintext after being read from memory. When c-bit = 0, the data is plaintext in memory and is likewise transferred between IOs in plaintext after being read from memory. Therefore, existing SME cannot meet the security requirement of data transmission between IOs.
To solve the above problems, one approach is the hardware-implemented method of encrypted data transmission between IOs shown in Fig. 2. As shown in Fig. 2, a separate encryption/decryption module is added on the IO in the block diagram of Fig. 1. The memory-side encryption/decryption module works the same as in the SME working mode above. When memory data is to be sent to another system (upper block diagram of Fig. 2), the data is read from memory and, before being sent to the other system through IO, the encryption/decryption module encrypts the data to be sent, guaranteeing that ciphertext is transmitted between IOs; when the IO receives ciphertext data sent by another system (lower block diagram of Fig. 2), the encryption/decryption module decrypts the received data before it is transmitted within the system. This approach ensures that data is transmitted between IOs in encrypted state, improving data transmission security, but it requires adding a separate hardware module (the encryption/decryption module), which increases the complexity of the hardware design.
As described above, in the prior art there is the problem that SME cannot meet the security requirement of data transmission between IOs, and if an encryption/decryption module is added to the IO control module, there is the problem of increased design complexity.
Summary of the invention
Problem to be solved by the invention
The present invention was made in view of the above problems, and its purpose is to provide an encryption system and encryption method that use the existing SME system architecture to provide encrypted transmission of memory data between IOs.
Means for solving the problem
To solve the above problem, one aspect of the invention provides an encryption system based on secure memory encryption technology, comprising: a processing unit for performing overall control of each functional unit; an IO unit for data transmission between different processing units; a memory unit for storing data; and an encryption/decryption unit for encrypting or decrypting data entering and leaving the memory unit, characterized in that
the encryption system sets, in association with a data address, a processing unit encryption identification for the processing unit and an IO unit encryption identification for the IO unit, and the processing unit encryption identification and the IO unit encryption identification are opposite logic values,
and when the processing unit reads or writes data to the memory unit, the encryption/decryption unit performs encryption or decryption processing based on the processing unit encryption identification; when the IO unit reads or writes data to the memory unit, it performs encryption or decryption processing based on the IO unit encryption identification.
In the above encryption system based on secure memory encryption technology,
when the encryption system is in write mode,
in the case where the write request comes from the processing unit, the encryption/decryption unit switches to encryption mode, and in the case where the write request comes from the IO unit, the encryption/decryption unit switches to decryption mode.
In the above encryption system based on secure memory encryption technology,
the encryption system further includes a selector,
and when the encryption system is in write mode,
in the case where the write request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether data from the processing unit is written directly to the memory unit or is written to the memory unit after encryption by the encryption/decryption unit,
and in the case where the write request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether data from the IO unit is written directly to the memory unit or is written to the memory unit after decryption by the encryption/decryption unit.
In the above encryption system based on secure memory encryption technology,
the encryption system further includes a first arbiter,
and when the encryption system is in write mode, the first arbiter selects whether the write request from the processing unit or the write request from the IO unit is sent to the memory unit.
In the above encryption system based on secure memory encryption technology,
when the encryption system is in read mode,
in the case where the read request comes from the processing unit, the encryption/decryption unit switches to decryption mode, and in the case where the read request comes from the IO unit, the encryption/decryption unit switches to encryption mode.
In the above encryption system based on secure memory encryption technology,
the encryption system further includes a selector,
and when the encryption system is in read mode,
in the case where the read request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether data from the memory unit is read out directly to the processing unit or is read out to the processing unit after decryption by the encryption/decryption unit,
and in the case where the read request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether data from the memory unit is read out directly to the IO unit or is read out to the IO unit after encryption by the encryption/decryption unit.
In the above encryption system based on secure memory encryption technology,
the encryption system further includes a second arbiter,
and when the encryption system is in read mode,
the first arbiter selects whether the read request from the processing unit or the read request from the IO unit is sent to the memory unit,
and the second arbiter selects whether the data from the selector is read out to the processing unit or to the IO unit.
In the above encryption system based on secure memory encryption technology,
a data sending end and a data receiving end both adopt the above encryption system,
the processing unit encryption identification is set to the same logic value at the data sending end and the data receiving end, and the IO unit encryption identification is set to the same logic value at the data sending end and the data receiving end.
In the above encryption system based on secure memory encryption technology,
a data sending end and a data receiving end both adopt the above encryption system,
the processing unit encryption identification is set to opposite logic values at the data sending end and the data receiving end, and the IO unit encryption identification is set to opposite logic values at the data sending end and the data receiving end.
In the above encryption system based on secure memory encryption technology,
the processing unit is a CPU,
the processing unit encryption identification is a certain bit in the CPU page table and the IO encryption identification is a certain bit in the IO page table, or the processing unit encryption identification and the IO encryption identification are a certain bit in the physical address.
In the above encryption system based on secure memory encryption technology,
the processing unit encryption identification is the CPU page table c-bit and the IO encryption identification is the IO page table c-bit, or the processing unit encryption identification and the IO encryption identification are bit 47 of the physical address,
and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 1, this indicates that encryption or decryption processing is performed, and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 0, this indicates that no encryption or decryption processing is performed.
Another technical solution of the invention provides an encryption method in an encryption system based on secure memory encryption technology, the encryption system including: a processing unit for performing overall control of each functional unit; an IO unit for data transmission between different processing units; a memory unit for storing data; and an encryption/decryption unit for encrypting or decrypting data entering and leaving the memory unit,
the encryption method being characterized by comprising:
a step of setting, in association with the data address to be encrypted, a processing unit encryption identification for the processing unit and an IO unit encryption identification for the IO unit, the processing unit encryption identification and the IO unit encryption identification being opposite logic values; and
a step in which the encryption/decryption unit performs encryption or decryption processing based on the processing unit encryption identification when the processing unit reads from or writes to the memory unit, and performs encryption or decryption processing based on the IO unit encryption identification when the IO unit reads from or writes to the memory unit.
In the encryption method in the above encryption system based on secure memory encryption technology,
when the encryption system is in write mode,
in the case where the write request comes from the processing unit, the encryption/decryption unit switches to encryption mode, and in the case where the write request comes from the IO unit, the encryption/decryption unit switches to decryption mode.
In the encryption method in the above encryption system based on secure memory encryption technology,
the encryption system further includes a selector,
and when the encryption system is in write mode,
in the case where the write request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether data from the processing unit is written directly to the memory unit or is written to the memory unit after encryption by the encryption/decryption unit,
and in the case where the write request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether data from the IO unit is written directly to the memory unit or is written to the memory unit after decryption by the encryption/decryption unit.
In the encryption method in the above encryption system based on secure memory encryption technology,
the encryption system further includes a first arbiter,
and when the encryption system is in write mode, the first arbiter selects whether the write request from the processing unit or the write request from the IO unit is sent to the memory unit.
In the encryption method in the above encryption system based on secure memory encryption technology,
when the encryption system is in read mode,
in the case where the read request comes from the processing unit, the encryption/decryption unit switches to decryption mode, and in the case where the read request comes from the IO unit, the encryption/decryption unit switches to encryption mode.
In the encryption method in the above encryption system based on secure memory encryption technology,
the encryption system further includes a selector,
and when the encryption system is in read mode,
in the case where the read request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether data from the memory unit is read out directly to the processing unit or is read out to the processing unit after decryption by the encryption/decryption unit,
and in the case where the read request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether data from the memory unit is read out directly to the IO unit or is read out to the IO unit after encryption by the encryption/decryption unit.
In the encryption method in the above encryption system based on secure memory encryption technology,
the encryption system further includes a second arbiter,
and when the encryption system is in read mode,
the first arbiter selects whether the read request from the processing unit or the read request from the IO unit is sent to the memory unit,
and the second arbiter selects whether the data from the selector is read out to the processing unit or to the IO unit.
In the encryption method in the above encryption system based on secure memory encryption technology,
a data sending end and a data receiving end both adopt the above encryption system,
the processing unit encryption identification is set to the same logic value at the data sending end and the data receiving end, and the IO unit encryption identification is set to the same logic value at the data sending end and the data receiving end.
In the encryption method in the above encryption system based on secure memory encryption technology,
a data sending end and a data receiving end both adopt the above encryption system,
the processing unit encryption identification is set to opposite logic values at the data sending end and the data receiving end, and the IO unit encryption identification is set to opposite logic values at the data sending end and the data receiving end.
In the encryption method in the above encryption system based on secure memory encryption technology,
the processing unit is a CPU,
the processing unit encryption identification is a certain bit in the CPU page table and the IO encryption identification is a certain bit in the IO page table, or the processing unit encryption identification and the IO encryption identification are a certain bit in the physical address.
In the encryption method in the above encryption system based on secure memory encryption technology,
the processing unit encryption identification is the CPU page table c-bit and the IO encryption identification is the IO page table c-bit, or the processing unit encryption identification and the IO encryption identification are bit 47 of the physical address,
and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 1, encryption or decryption processing is performed, and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 0, no encryption or decryption processing is performed.
Effects of the invention
By using the encryption system and encryption method based on secure memory encryption technology of the invention, secure transmission of memory data between IOs can be realized using the existing SME architecture without adding a separate hardware module. This increases the security of data transmission between IOs and prevents external attacks on data transferred via IO.
Brief description of the drawings
Fig. 1 shows the functional block diagram of SME.
Fig. 2 shows the block diagram of a hardware-implemented data encryption system.
Specific embodiments
Exemplary embodiments of the present invention are explained below with reference to the drawings. It should be understood that these embodiments are provided only so that those skilled in the art can better understand and implement the invention, and do not limit the scope of the invention in any way.
[data encryption system]
The data encryption system of the embodiment of the present invention is identical in hardware structure to the SME data protection system used in the prior art, and is therefore explained here using Fig. 1, which shows the block diagram of one embodiment of the data encryption system. The data encryption system shown in Fig. 1 serves as the sending-end system when sending data and as the receiving-end system when receiving data.
As shown in Fig. 1, the data encryption system includes: a CPU for overall control of each functional unit; IO for data transmission between different processing units; memory for storing data; and an encryption/decryption module for encrypting or decrypting data entering and leaving the memory unit. In addition, the data encryption system may include a selector, arbiters and the like as needed, which are described in detail below.
It should be noted that in the above embodiment, for simplicity of explanation and ease of understanding, the sending-end system and the receiving-end system are each illustrated as including one CPU together with the other functional modules or devices in one-to-one correspondence with that CPU; however, the CPUs may be multiple CPUs that need to communicate securely, and each of the other functional modules or devices may be multiple, or shared among multiple CPUs. Moreover, the so-called CPU is not limited to a central processing unit in the usual sense; it may be a module realizing CPU functions, a CPU core, a virtual machine (VM), or any other software/hardware module or process that directs IO data transmission. Any software or hardware module that directs data transmission between IOs may be regarded as the CPU (also called processing unit) illustrated in the embodiments of the present invention.
In the data encryption system of the embodiment, the multiple CPUs that need to communicate securely (two CPUs in this embodiment) each define a segment of memory space in the sending-end memory and in the receiving-end memory for secure IO data transmission, and for this memory segment the two CPUs use the same key and the same configuration of the encryption identification used to mark the encrypted state. The encryption identification indicates whether encryption or decryption is applied to the accessed address when memory is accessed. The encryption identification can be a certain bit in the page table, such as the c-bit, or a certain bit of the physical address, such as bit 47. In this embodiment, the c-bit in the page table is used as the example. The CPU sets the IO page table c-bit to the opposite value of the CPU page table c-bit: if the CPU page table c-bit = 1, then the IO page table c-bit = 0; if the CPU page table c-bit = 0, then the IO page table c-bit = 1. The IO page table is set in the IO memory management unit (input/output memory management unit, IOMMU); the CPU page table is set in the memory management unit (MMU) of the system. The two CPUs set the IO page table c-bit of the address segment used for secure IO data transmission to the same value, and set the CPU page table c-bit of the address segment used for secure IO transmission to the same value.
When the access request to memory comes from the IO, the encryption identification comes from the page table of the IO; when the access request to memory comes from the CPU, the encryption identification comes from the page table of the CPU.
The encryption/decryption module switches its encryption/decryption direction by judging whether the access request comes from the CPU or from the IO. When the access request comes from the IO, it selects encryption mode when data is read from memory and decryption mode when data is written to memory; when the access request comes from the CPU, it selects decryption mode when data is read from memory and encryption mode when data is written to memory.
Below, the sending-end system and the receiving-end system, and the relationship and operation of their modules during encrypted data transmission between IOs, are explained; operations when the system performs other work (such as direct data transfer between CPUs not via IO) are omitted from this description.
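The configuration just described, traced through in code as an added example that is not part of the patent: a small Python model of a sending-end and a receiving-end system in which the CPU and IO c-bits of one protected address range hold opposite values and the memory-side encryption/decryption module picks its direction from the requester. The `SmeSystem` class, the byte-wise add/subtract placeholder cipher, the key and the address range are all constructed for illustration; a `requester_aware=False` mode reproduces the prior-art behaviour from the background section (encrypt on every write, decrypt on every read) so the plaintext exposure on the IO link can be compared directly.

```python
"""Model of the opposite-c-bit scheme (constructed example, not patent code)."""
from dataclasses import dataclass, field

# Constructed: the memory segment both CPUs reserve for secure IO transfer.
PROTECTED = range(0x1000, 0x2000)


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Placeholder cipher standing in for the real memory-encryption cipher.
    It is deliberately not an involution, so a wrong encrypt/decrypt
    direction in the datapath would visibly corrupt the recovered data."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def toy_decrypt(data: bytes, key: bytes) -> bytes:
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


@dataclass
class SmeSystem:
    """One sending-end or receiving-end system: CPU, IO, memory and the
    memory-side encryption/decryption module with its selector/arbiters."""
    key: bytes
    cpu_cbit: int                   # c-bit in the CPU page table (MMU)
    io_cbit: int                    # c-bit in the IO page table (IOMMU)
    requester_aware: bool = True    # False models prior-art SME
    mem: dict = field(default_factory=dict)

    def _cbit(self, requester: str, addr: int) -> int:
        # The encryption identification comes from the page table of whoever
        # issued the request; outside the protected segment nothing is marked.
        if addr not in PROTECTED:
            return 0
        return self.cpu_cbit if requester == "CPU" else self.io_cbit

    def _transform(self, requester: str, op: str, data: bytes) -> bytes:
        # Prior art: encrypt on every write, decrypt on every read.
        # Scheme: CPU write / IO read -> encrypt, CPU read / IO write -> decrypt.
        if self.requester_aware:
            encrypt = (requester == "CPU") == (op == "write")
        else:
            encrypt = op == "write"
        return (toy_encrypt if encrypt else toy_decrypt)(data, self.key)

    def write(self, requester: str, addr: int, data: bytes) -> None:
        # First arbiter has picked this requester; the selector bypasses the
        # encryption/decryption module when the requester's c-bit is 0.
        if self._cbit(requester, addr):
            data = self._transform(requester, "write", data)
        self.mem[addr] = data

    def read(self, requester: str, addr: int) -> bytes:
        # Selector bypasses the module when c-bit is 0; the second arbiter
        # then routes the result back to the requester.
        data = self.mem[addr]
        if self._cbit(requester, addr):
            data = self._transform(requester, "read", data)
        return data


def transfer(sender: SmeSystem, receiver: SmeSystem, addr: int, plaintext: bytes):
    """Sending-end CPU writes, sending-end IO reads and ships the bytes over the
    IO link, receiving-end IO writes, receiving-end CPU reads.
    Returns (bytes observed on the IO link, bytes the receiving CPU obtains)."""
    sender.write("CPU", addr, plaintext)
    on_link = sender.read("IO", addr)
    receiver.write("IO", addr, on_link)
    return on_link, receiver.read("CPU", addr)


def link_is_protected(sender: SmeSystem, receiver: SmeSystem, addr: int, plaintext: bytes) -> bool:
    """True when the IO link never carries the plaintext and the receiving CPU
    still recovers it."""
    on_link, received = transfer(sender, receiver, addr, plaintext)
    return on_link != plaintext and received == plaintext


if __name__ == "__main__":
    KEY = bytes(range(0x10, 0x20))          # constructed shared key
    ADDR, MSG = 0x1000, b"memory page to transfer"
    # All four sender/receiver CPU c-bit settings, IO c-bit always the opposite.
    for s_cpu in (0, 1):
        for r_cpu in (0, 1):
            snd, rcv = SmeSystem(KEY, s_cpu, 1 - s_cpu), SmeSystem(KEY, r_cpu, 1 - r_cpu)
            link, out = transfer(snd, rcv, ADDR, MSG)
            print(f"sender cpu c-bit={s_cpu} receiver cpu c-bit={r_cpu}: "
                  f"link={link.hex()} recovered={out == MSG}")
    # Prior art with one shared c-bit: the IO link carries plaintext.
    legacy = SmeSystem(KEY, 1, 1, requester_aware=False)
    link, _ = transfer(legacy, SmeSystem(KEY, 1, 1, requester_aware=False), ADDR, MSG)
    print("prior-art link carries plaintext:", link == MSG)
```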
When acting as the sending-end system, there is a write-data mode and a read-data mode. As shown in the lower part of Fig. 1, in write-data mode the CPU sends a write memory request and the data to be written; the first arbiter, by judgement, selects to send the CPU write memory request and the data to be written; the encryption/decryption module selects encryption mode; the selector judges, according to the CPU page table c-bit, whether the data from the arbiter is written directly to memory or the data from the encryption/decryption module is written to memory; the sending-end memory stores the data to be sent. As shown in the upper part of Fig. 1, in read-data mode the CPU instructs the IO to issue a read memory request to read the data to be sent from memory; the first arbiter, by judgement, selects to receive the read memory request sent from the IO, selects to send the IO read memory request to memory, and selects to send the IO page table c-bit to the selector; the encryption/decryption module judges, according to the IO page table c-bit, whether to encrypt the plaintext data from memory: when the IO page table c-bit = 1 it encrypts, and when the IO page table c-bit = 0 it does not encrypt; the selector selects the output data according to the IO page table c-bit: when the IO page table c-bit = 1 it outputs the ciphertext data encrypted by the encryption/decryption module to the second arbiter, and when the IO page table c-bit = 0 it outputs the ciphertext data in memory directly to the second arbiter; the second arbiter, by judgement, selects to send the ciphertext data from the selector to the IO. Because the IO page table c-bit and the CPU page table c-bit are set to opposite logic values, if what the CPU wrote to memory is plaintext data, the encryption/decryption module encrypts it when the IO reads, and if what the CPU wrote to memory is ciphertext data, the encryption/decryption module does not decrypt when the IO reads, ensuring that the data the IO reads from memory is always encrypted data.
When operating as the receiving-end system, there are likewise a write-data mode and a read-data mode. As shown in the lower part of Figure 1, in write-data mode the IO receives the ciphertext data sent from the IO of the transmitting-end system; the first arbiter receives, by arbitration, the memory-write request and the ciphertext data sent from the IO, and sends the IO page table c-bit to the selector; the encryption/decryption module determines, according to the IO page table c-bit, whether to decrypt the ciphertext data from the first arbiter: when IO page table c-bit=1 it decrypts, and when IO page table c-bit=0 it does not; the selector selects the write data according to the IO page table c-bit: when IO page table c-bit=1, the plaintext data decrypted by the encryption/decryption module is written to memory, and when IO page table c-bit=0, the ciphertext data from the arbiter is written directly to memory. As shown in the upper part of Figure 1, in read-data mode the CPU sends a memory-read request to read the data in memory; the first arbiter receives, by arbitration, the memory-read request sent from the CPU, selects to send the CPU's memory-read request to memory, and selects to send the CPU page table c-bit to the selector; when CPU page table c-bit=1 the encryption/decryption module decrypts the ciphertext data from memory, and when CPU page table c-bit=0 it does not; the selector selects the output data according to the CPU page table c-bit: when CPU page table c-bit=1, the plaintext data decrypted by the encryption/decryption module is output to the second arbiter, and when CPU page table c-bit=0, the data in memory is output directly to the second arbiter; the second arbiter selects, by arbitration, the data from the selector and sends it to the CPU. Because the CPU page table c-bit and the IO page table c-bit are set to opposite logic values, if what the IO wrote to memory is ciphertext, the encryption/decryption module decrypts it when the CPU reads it, and if what the IO wrote to memory is plaintext, the encryption/decryption module does not encrypt it when the CPU reads it; this ensures that the data the CPU reads from memory is always plaintext data.
It should be noted that in the data encryption system of the above embodiment, the encryption/decryption module, the first arbiter and the selector are each shared between write-data mode and read-data mode, while the second arbiter is used only in read-data mode. This is not limiting, however: a separate encryption/decryption module, arbiter and selector may be provided for each of write-data mode and read-data mode, in which case each of the receiving-end system and the transmitting-end system uses 2 encryption/decryption modules, 3 arbiters and 2 selectors. Alternatively, only 1 arbiter may be provided and shared between write-data mode and read-data mode; in read-data mode it is then used both to select whether the CPU's memory-read request or the IO's memory-read request is sent to memory and to select whether the data is read out to the CPU or to the IO.
[Data encryption transmission method between IO units]
The composition of the data encryption system and the operation of each of its parts have been described above. The following describes each step of the data encryption transmission method between IO units that applies to the data encryption system of the embodiment. For simplicity and ease of understanding, only the case in which each system includes a single CPU and the other functional modules or components correspond one-to-one to that CPU is described; the method applies equally to a data encryption system that includes multiple CPUs needing to communicate securely.
When the CPU page table c-bit in the transmitting-end system is 0, in the transmitting-end system:
Step 1, set the IO page table c-bit to 1.
Step 2, the CPU writes memory; because CPU page table c-bit=0, the selector writes the plaintext data to memory.
Step 3, the IO reads data from memory; because IO page table c-bit=1, the encryption/decryption module encrypts the data read, and the selector, according to IO page table c-bit=1, selects the ciphertext data encrypted by the encryption/decryption module; the ciphertext data is output to the IO through the second arbiter and sent out from the IO.
In the receiving-end system:
Step 4, set the CPU page table c-bit to 0 and the IO page table c-bit to 1.
Step 5, the IO receives the ciphertext data sent from the IO of the transmitting-end system; because IO page table c-bit=1, the encryption/decryption module decrypts the ciphertext data to be written to memory, and the selector, according to IO page table c-bit=1, selects the plaintext data decrypted by the encryption/decryption module to be written to memory.
Step 6, the CPU reads memory; because CPU page table c-bit=0, the selector selects the CPU reading the plaintext data directly from memory.
When the CPU page table c-bit in the transmitting-end system is 1, in the transmitting-end system:
Step 1, set the IO page table c-bit to 0.
Step 2, the CPU writes memory; because CPU page table c-bit=1, the encryption/decryption module encrypts the write data, and the selector selects the ciphertext data encrypted by the encryption/decryption module to be written to memory.
Step 3, the IO reads memory; because IO page table c-bit=0, the selector selects reading the ciphertext data in memory directly; the ciphertext data is output to the IO through the second arbiter and sent out from the IO.
In the receiving-end system:
Step 4, set the CPU page table c-bit to 1 and the IO page table c-bit to 0.
Step 5, the IO receives the ciphertext data sent from the IO of the transmitting-end system; because IO page table c-bit=0, the encryption/decryption module does not decrypt, and the selector selects writing the ciphertext data directly to memory.
Step 6, the CPU reads memory; because CPU page table c-bit=1, the encryption/decryption module decrypts the data read from memory, the selector selects sending the plaintext data decrypted by the encryption/decryption module to the CPU, and the CPU obtains the plaintext data.
[variation]
In the data encryption system and the data encryption transmission method between IO units described above, the two CPU page table c-bits (transmitting end and receiving end) are set to the same logic value, and the two IO page table c-bits are set to the logic value opposite to the CPU page table c-bit. The invention is not limited to this setting, however. Its object is to realize encrypted data transmission between IO units: as long as the CPU page table c-bit and the IO page table c-bit in the transmitting-end system are opposite, encryption of the data transferred by the IO is achieved, and whether plaintext or ciphertext is written to memory in the receiving-end system can be set according to actual needs. Moreover, in the receiving-end system, as long as the CPU page table c-bit and the IO page table c-bit are opposite, the CPU can read plaintext data regardless of whether the received data is written to memory as plaintext or as ciphertext. An example is given below.
When the CPU page table c-bit in the transmitting-end system is 0, in the transmitting-end system:
Step 1, set the IO page table c-bit to 1.
Step 2, the CPU writes memory; because CPU page table c-bit=0, the selector writes the plaintext data to memory.
Step 3, the IO reads data from memory; because IO page table c-bit=1, the encryption/decryption module encrypts the data read, and the selector, according to IO page table c-bit=1, selects the ciphertext data encrypted by the encryption/decryption module; the ciphertext data reaches the IO through the second arbiter and is sent out from the IO.
In the receiving-end system:
Step 4, set the CPU page table c-bit to 1 and the IO page table c-bit to 0.
Step 5, the IO writes memory; because IO page table c-bit=0, the selector, according to IO page table c-bit=0, selects writing the ciphertext data received by the IO directly to memory.
Step 6, the CPU reads memory; because CPU page table c-bit=1, the encryption/decryption module decrypts the ciphertext data read from memory, the selector selects sending the plaintext data decrypted by the encryption/decryption module to the CPU, and the CPU obtains the plaintext data.
When the CPU page table c-bit in the transmitting-end system is 1, in the transmitting-end system:
Step 1, set the IO page table c-bit to 0.
Step 2, the CPU writes memory; because CPU page table c-bit=1, the encryption/decryption module encrypts the write data, and the selector selects the ciphertext data encrypted by the encryption/decryption module to be written to memory.
Step 3, the IO reads memory; because IO page table c-bit=0, the encryption/decryption module does not encrypt, and the selector selects reading the ciphertext data in memory directly; the ciphertext data is output to the transmitting-end IO through the second arbiter and sent out from the IO.
In the receiving-end system:
Step 4, set the CPU page table c-bit to 0 and the IO page table c-bit to 1.
Step 5, the IO writes memory; because IO page table c-bit=1, the encryption/decryption module decrypts the ciphertext data received by the IO, and the selector selects writing the plaintext data decrypted by the encryption/decryption module to memory.
Step 6, the CPU reads memory; because CPU page table c-bit=0, the selector selects the CPU reading the plaintext data directly from memory, and the CPU obtains the plaintext data.
As described above, in the data encryption system and the data encryption transmission method between IO units of the embodiment and the variation, the CPU page table c-bit and the IO page table c-bit are set in the transmitting-end system and the receiving-end system; in particular, in the transmitting-end system the IO page table c-bit is set to the logic value opposite to the CPU page table c-bit, and the memory, the encryption/decryption module and the selector act according to the IO page table c-bit and the CPU page table c-bit of the transmitting-end system (steps 1 to 3 above). This ensures that, regardless of whether ciphertext data or plaintext data is written to the transmitting-end memory, the data the IO reads is always encrypted data and it is that encrypted data that is sent; in the receiving-end system, what the IO receives is always encrypted data, so the data transferred between the transmitting-end IO and the receiving-end IO is in an encrypted state.
The CPU page table c-bit and the IO page table c-bit in the receiving-end system are not limited to being the same values as the CPU page table c-bit and the IO page table c-bit of the transmitting end, as described in the above embodiment; they can be set according to whether ciphertext data or plaintext data is to be written to memory (steps 4 and 5 above). In the receiving-end system, when plaintext data is to be written, the IO page table c-bit is set to 1: after the encryption/decryption module decrypts the ciphertext data from the IO, the selector writes the plaintext data to memory, and in this case the CPU page table c-bit is set to 0 and the CPU reads the plaintext data in memory directly. In the receiving-end system, when ciphertext data is to be written, the IO page table c-bit is set to 0 and the selector writes the ciphertext data directly to memory; in this case the CPU page table c-bit is set to 1, the encryption/decryption module decrypts the ciphertext data read from memory, and the CPU obtains the decrypted plaintext data. Therefore, regardless of whether the memory in the receiving-end system stores data as ciphertext or as plaintext, as long as the CPU page table c-bit and the IO page table c-bit in the receiving-end system are set to opposite logic values, the CPU reads plaintext data.
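The data path of the embodiment (steps 1 to 6 above) and of the variation can be checked mechanically. The following simulation is an added example and not the patent's own code or any product implementation: it models the CPU and IO write and read paths, the selector, and the single encryption/decryption module switched between encrypt and decrypt mode, then enumerates every combination of CPU page table c-bit and IO page table c-bit at both ends. It shows that the IO link carries ciphertext and the receiving CPU obtains plaintext exactly when the two c-bits are opposite at each end, and that same-valued c-bits either leak plaintext onto the link (transmitting end) or hand the CPU unreadable data (receiving end). Assumptions not taken from the page: the cipher is a keyed, address-tweaked XOR pad standing in for the SME AES engine; both ends share one memory-encryption key; the received data is written at the same address it was read from, since the tweak depends on the address. The page does not discuss key provisioning, and the names `SmeSystem`, `transfer`, `evaluate_settings` and `safe_settings` are this example's own.

```python
import hashlib
from dataclasses import dataclass, field
from itertools import product
from typing import Dict, List, Tuple


def _pad(key: bytes, addr: int, n: int) -> bytes:
    """Keyed, address-tweaked keystream (constructed stand-in, not AES)."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + addr.to_bytes(8, "little")
                              + ctr.to_bytes(4, "little")).digest()
        ctr += 1
    return out[:n]


def xcrypt(key: bytes, addr: int, data: bytes) -> bytes:
    """The encryption/decryption module: one XOR serves both directions.

    It is an involution, so 'decrypting' plaintext yields junk and
    'encrypting' ciphertext restores plaintext, exactly the two mistakes
    the opposite-c-bit rule of the page is meant to rule out.
    """
    return bytes(a ^ b for a, b in zip(data, _pad(key, addr, len(data))))


@dataclass
class SmeSystem:
    """One end of the link: CPU, IO, memory, enc/dec module and selector."""
    key: bytes           # memory-encryption key (assumed shared by both ends)
    cpu_cbit: int        # CPU page table c-bit of the transferred page
    io_cbit: int         # IO page table c-bit of the transferred page
    memory: Dict[int, bytes] = field(default_factory=dict)

    # Write path (lower part of Figure 1): the module is in encrypt mode for
    # CPU writes and decrypt mode for IO writes; the selector takes the
    # module's output when the requester's c-bit is 1, the raw data otherwise.
    def cpu_write(self, addr: int, data: bytes) -> None:
        self.memory[addr] = xcrypt(self.key, addr, data) if self.cpu_cbit else data

    def io_write(self, addr: int, data: bytes) -> None:
        self.memory[addr] = xcrypt(self.key, addr, data) if self.io_cbit else data

    # Read path (upper part of Figure 1): decrypt mode for CPU reads,
    # encrypt mode for IO reads, again gated by the requester's c-bit.
    def cpu_read(self, addr: int) -> bytes:
        raw = self.memory[addr]
        return xcrypt(self.key, addr, raw) if self.cpu_cbit else raw

    def io_read(self, addr: int) -> bytes:
        raw = self.memory[addr]
        return xcrypt(self.key, addr, raw) if self.io_cbit else raw


def transfer(sender: SmeSystem, receiver: SmeSystem, addr: int,
             plaintext: bytes) -> Tuple[bytes, bytes]:
    """Steps 2, 3, 5 and 6 of the page for one block of data.

    Returns (bytes carried on the IO link, bytes the receiving CPU reads).
    """
    sender.cpu_write(addr, plaintext)           # step 2: CPU writes memory
    on_wire = sender.io_read(addr)              # step 3: IO reads and sends
    receiver.io_write(addr, on_wire)            # step 5: receiving IO writes
    return on_wire, receiver.cpu_read(addr)     # step 6: receiving CPU reads


Setting = Tuple[int, int, int, int]   # (tx_cpu, tx_io, rx_cpu, rx_io)


def evaluate_settings(key: bytes, plaintext: bytes,
                      addr: int = 0x1000) -> Dict[Setting, Tuple[bool, bool]]:
    """Run every c-bit combination at both ends (steps 1 and 4 of the page).

    Each value is (link carries ciphertext, receiving CPU obtains plaintext).
    """
    results = {}
    for setting in product((0, 1), repeat=4):
        tx = SmeSystem(key, setting[0], setting[1])
        rx = SmeSystem(key, setting[2], setting[3])
        on_wire, delivered = transfer(tx, rx, addr, plaintext)
        results[setting] = (on_wire != plaintext, delivered == plaintext)
    return results


def safe_settings(key: bytes, plaintext: bytes) -> List[Setting]:
    """Settings that keep the link encrypted and still deliver plaintext."""
    return sorted(s for s, (enc, ok) in evaluate_settings(key, plaintext).items()
                  if enc and ok)


if __name__ == "__main__":
    KEY = b"constructed demo key, not a real SME key"
    MSG = b"block of data written by the sending CPU"
    for setting, (enc, ok) in evaluate_settings(KEY, MSG).items():
        print(setting, "link encrypted:", enc, "CPU reads plaintext:", ok)
    print("safe:", safe_settings(KEY, MSG))
```

Running it lists the four settings the page describes, namely transmitting end (0,1) or (1,0) combined with receiving end (0,1) or (1,0), as the only ones that are both confidential on the link and readable by the receiving CPU. Two practical caveats follow from the model: the receiving end only recovers plaintext when its encryption/decryption module uses the same key as the transmitting end, and, with an address-tweaked cipher such as this stand-in, when the data is placed at the same address; a deployment therefore needs key agreement and address handling that the patent leaves to the implementer.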
In addition, in the above embodiment and variation the page table c-bit is used to indicate whether data is encrypted. This is not limiting, however; other marks (referred to as encryption identifications) may also be used to indicate whether data is encrypted.
In addition, in the above embodiment and variation the data encryption transmission method between IO units is described in the order of its steps; those skilled in the art may, according to actual needs, merge or split some of the steps, adjust their order, and so on.
By using the method of the invention, secure transfer of memory data between IO units is realized with the existing SME unit, without adding a separate hardware module. This increases the security of data transfer between IO units and prevents external attacks on the data transferred by the IO.
In addition, although the invention has been described in the context of system module units and illustrated in the form of functional blocks, it should be understood that, unless otherwise indicated, one or more of the functions and/or features may be integrated in a single physical device and/or software module, or one or more functions and/or features may be implemented in separate physical devices or software modules.
The invention has been described above with reference to the drawings by way of an embodiment and a variation based on it, but the invention is not limited to the above embodiment; schemes obtained by appropriately combining or replacing the constituent parts of each embodiment according to actual needs are also included in the scope of the invention. Furthermore, the combination and processing order of each embodiment may be suitably recombined based on the knowledge of those skilled in the art, or modifications such as various design changes may be applied to each embodiment, and embodiments to which such modifications have been applied may also fall within the scope of the invention.

Claims (22)

1. An encryption system based on secure memory encryption technology, comprising: a processing unit for performing overall control of each functional unit; an IO unit for data transfer between different processing units; a memory unit for storing data; and an encryption/decryption unit for encrypting or decrypting the data entering and leaving the memory unit, characterized in that
the encryption system sets, in association with a data address, a processing unit encryption identification for the processing unit and an IO unit encryption identification for the IO unit, and the processing unit encryption identification and the IO unit encryption identification are opposite logic values,
the encryption/decryption unit performs encryption or decryption processing based on the processing unit encryption identification when the processing unit reads or writes data to the memory unit, and performs encryption or decryption processing based on the IO unit encryption identification when the IO unit reads or writes data to the memory unit.
2. The encryption system based on secure memory encryption technology according to claim 1, characterized in that
in write mode of the encryption system,
when the write request comes from the processing unit, the encryption/decryption unit is switched to encryption mode, and when the write request comes from the IO unit, the encryption/decryption unit is switched to decryption mode.
3. The encryption system based on secure memory encryption technology according to claim 2, characterized in that
the encryption system further includes a selector,
in write mode of the encryption system,
when the write request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether the data from the processing unit is written directly to the memory unit or is written to the memory unit after encryption by the encryption/decryption unit,
when the write request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether the data from the IO unit is written directly to the memory unit or is written to the memory unit after decryption by the encryption/decryption unit.
4. The encryption system based on secure memory encryption technology according to claim 3, characterized in that
the encryption system further includes a first arbiter,
in write mode of the encryption system, the first arbiter selects whether the write request from the processing unit or the write request from the IO unit is sent to the memory unit.
5. The encryption system based on secure memory encryption technology according to claim 1, characterized in that
in read mode of the encryption system,
when the read request comes from the processing unit, the encryption/decryption unit is switched to decryption mode, and when the read request comes from the IO unit, the encryption/decryption unit is switched to encryption mode.
6. The encryption system based on secure memory encryption technology according to claim 5, characterized in that
the encryption system further includes a selector,
in read mode of the encryption system,
when the read request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether the data from the memory unit is read out directly to the processing unit or is read out to the processing unit after decryption by the encryption/decryption unit,
when the read request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether the data from the memory unit is read out directly to the IO unit or is read out to the IO unit after encryption by the encryption/decryption unit.
7. The encryption system based on secure memory encryption technology according to claim 6, characterized in that
the encryption system further includes a second arbiter,
in read mode of the encryption system,
the first arbiter selects whether the read request from the processing unit or the read request from the IO unit is sent to the memory unit,
the second arbiter selects whether the data from the selector is read out to the processing unit or to the IO unit.
8. The encryption system based on secure memory encryption technology according to any one of claims 1 to 7, characterized in that
both the data transmitting end and the data receiving end use the encryption system,
the processing unit encryption identification is set to the same logic value at the data transmitting end and the data receiving end, and the IO unit encryption identification is set to the same logic value at the data transmitting end and the data receiving end.
9. The encryption system based on secure memory encryption technology according to any one of claims 1 to 7, characterized in that
both the data transmitting end and the data receiving end use the encryption system,
the processing unit encryption identification is set to opposite logic values at the data transmitting end and the data receiving end, and the IO unit encryption identification is set to opposite logic values at the data transmitting end and the data receiving end.
10. The encryption system based on secure memory encryption technology according to any one of claims 1 to 7, characterized in that
the processing unit is a CPU,
the processing unit encryption identification is a certain bit in the CPU page table and the IO encryption identification is a certain bit in the IO page table, or the processing unit encryption identification and the IO encryption identification are a certain bit in the physical address.
11. The encryption system based on secure memory encryption technology according to claim 10, characterized in that
the processing unit encryption identification is the CPU page table c-bit and the IO encryption identification is the IO page table c-bit, or the processing unit encryption identification and the IO encryption identification are bit 47 of the physical address,
when the CPU page table c-bit, the IO page table c-bit or bit 47 is 1, it indicates that encryption or decryption processing is performed, and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 0, it indicates that no encryption or decryption processing is performed.
12. An encryption method in an encryption system based on secure memory encryption technology, the encryption system comprising: a processing unit for performing overall control of each functional unit; an IO unit for data transfer between different processing units; a memory unit for storing data; and an encryption/decryption unit for encrypting or decrypting the data entering and leaving the memory unit,
characterized in that the encryption method comprises:
a step of setting, in association with the data address to be encrypted, a processing unit encryption identification for the processing unit and an IO unit encryption identification for the IO unit, the processing unit encryption identification and the IO unit encryption identification being opposite logic values; and
a step in which the encryption/decryption unit performs encryption or decryption processing based on the processing unit encryption identification when the processing unit reads or writes the memory unit, and performs encryption or decryption processing based on the IO unit encryption identification when the IO unit reads or writes the memory unit.
13. The encryption method in the encryption system based on secure memory encryption technology according to claim 12, characterized in that
in write mode of the encryption system,
when the write request comes from the processing unit, the encryption/decryption unit is switched to encryption mode, and when the write request comes from the IO unit, the encryption/decryption unit is switched to decryption mode.
14. The encryption method in the encryption system based on secure memory encryption technology according to claim 13, characterized in that
the encryption system further includes a selector,
in write mode of the encryption system,
when the write request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether the data from the processing unit is written directly to the memory unit or is written to the memory unit after encryption by the encryption/decryption unit,
when the write request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether the data from the IO unit is written directly to the memory unit or is written to the memory unit after decryption by the encryption/decryption unit.
15. The encryption method in the encryption system based on secure memory encryption technology according to claim 14, characterized in that
the encryption system further includes a first arbiter,
in write mode of the encryption system, the first arbiter selects whether the write request from the processing unit or the write request from the IO unit is sent to the memory unit.
16. The encryption method in the encryption system based on secure memory encryption technology according to claim 12, characterized in that
in read mode of the encryption system,
when the read request comes from the processing unit, the encryption/decryption unit is switched to decryption mode, and when the read request comes from the IO unit, the encryption/decryption unit is switched to encryption mode.
17. The encryption method in the encryption system based on secure memory encryption technology according to claim 16, characterized in that
the encryption system further includes a selector,
in read mode of the encryption system,
when the read request comes from the processing unit, the selector selects, based on the processing unit encryption identification, whether the data from the memory unit is read out directly to the processing unit or is read out to the processing unit after decryption by the encryption/decryption unit,
when the read request comes from the IO unit, the selector selects, based on the IO unit encryption identification, whether the data from the memory unit is read out directly to the IO unit or is read out to the IO unit after encryption by the encryption/decryption unit.
18. The encryption method in the encryption system based on secure memory encryption technology according to claim 17, characterized in that
the encryption system further includes a second arbiter,
in read mode of the encryption system,
the first arbiter selects whether the read request from the processing unit or the read request from the IO unit is sent to the memory unit,
the second arbiter selects whether the data from the selector is read out to the processing unit or to the IO unit.
19. The encryption method in the encryption system based on secure memory encryption technology according to any one of claims 12 to 18, characterized in that
both the data transmitting end and the data receiving end use the encryption system,
the processing unit encryption identification is set to the same logic value at the data transmitting end and the data receiving end, and the IO unit encryption identification is set to the same logic value at the data transmitting end and the data receiving end.
20. The encryption method in the encryption system based on secure memory encryption technology according to any one of claims 12 to 18, characterized in that
both the data transmitting end and the data receiving end use the encryption system,
the processing unit encryption identification is set to opposite logic values at the data transmitting end and the data receiving end, and the IO unit encryption identification is set to opposite logic values at the data transmitting end and the data receiving end.
21. The encryption method in the encryption system based on secure memory encryption technology according to any one of claims 12 to 18, characterized in that
the processing unit is a CPU,
the processing unit encryption identification is a certain bit in the CPU page table and the IO encryption identification is a certain bit in the IO page table, or the processing unit encryption identification and the IO encryption identification are a certain bit in the physical address.
22. The encryption method in the encryption system based on secure memory encryption technology according to any one of claims 12 to 18, characterized in that
the processing unit encryption identification is the CPU page table c-bit and the IO encryption identification is the IO page table c-bit, or the processing unit encryption identification and the IO encryption identification are bit 47 of the physical address,
when the CPU page table c-bit, the IO page table c-bit or bit 47 is 1, encryption or decryption processing is performed, and when the CPU page table c-bit, the IO page table c-bit or bit 47 is 0, no encryption or decryption processing is performed.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811400799.8A CN109726566B (en) 2018-11-22 2018-11-22 Encryption system and encryption method based on secure memory encryption technology

Publications (2)

Publication Number Publication Date
CN109726566A true CN109726566A (en) 2019-05-07
CN109726566B CN109726566B (en) 2021-03-09

Family

ID=66295133

Country Status (1)

Country Link
CN (1) CN109726566B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102077204A (en) * 2008-06-24 2011-05-25 纳格拉影像股份有限公司 Secure memory management system and method
CN102567689A (en) * 2011-12-05 2012-07-11 清华大学 Phase-change storage unit based non-volatile internal storage data confidentiality protecting method
CN106203130A (en) * 2016-06-26 2016-12-07 厦门天锐科技股份有限公司 A kind of transparent encipher-decipher method driving layer based on Intelligent Dynamic
CN107292202A (en) * 2016-04-12 2017-10-24 中兴通讯股份有限公司 A kind of method and system taken over third party's storage device and encryption function is provided
CN107563207A (en) * 2017-08-04 2018-01-09 致象尔微电子科技(上海)有限公司 Encryption method, device and decryption method, device
US20180095899A1 (en) * 2016-10-01 2018-04-05 Intel Corporation Multi-crypto-color-group vm/enclave memory integrity method and apparatus
CN108021817A (en) * 2017-12-20 2018-05-11 北京遥感设备研究所 A kind of encryption and decryption memory access interface realizes system and method
CN108197504A (en) * 2017-12-28 2018-06-22 湖南国科微电子股份有限公司 A kind of controlled data encrypting and deciphering system and method
CN108449172A (en) * 2017-01-31 2018-08-24 慧与发展有限责任合伙企业 Input/output data is encrypted

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113220415A (en) * 2021-04-25 2021-08-06 南京南瑞信息通信科技有限公司 Kata container-oriented persistent data protection method and device
CN113220415B (en) * 2021-04-25 2022-08-09 南京南瑞信息通信科技有限公司 Kata container-oriented persistent data protection method and device

Similar Documents

Publication Publication Date Title
US7092400B2 (en) Method of transmitting data through a data bus
CA1318028C (en) System and method for providing for secure encryptor key management
US10382410B2 (en) Memory operation encryption
EP2817916B1 (en) Cryptographic transmission system using key encryption key
CN1331056C (en) Control function based on requesting master id and a data address within an integrated system
US20140164793A1 (en) Cryptographic information association to memory regions
EP0583140A1 (en) System for seamless processing of encrypted and non-encrypted data and instructions
WO2019109967A1 (en) Storage apparatus and method for address scrambling
US10943020B2 (en) Data communication system with hierarchical bus encryption system
EP3667535B1 (en) Storage data encryption and decryption device and method
CN108197504B (en) Controllable data encryption and decryption system and method
CN101051892B (en) Encryption device and method for CPU-specific data
CN102081713B (en) Office system for preventing data from being divulged
CN106469124A (en) A memory access control method and device
CN105095945A (en) SD card capable of securely storing data
EP4064084A1 (en) Password management method and related device
CN107832635A (en) Access right control method, device, equipment and computer-readable recording medium
CN109726566A (en) Encryption system and encryption method based on secure memory encryption technology
US7673151B2 (en) Processor for encrypting and/or decrypting data and method of encrypting and/or decrypting data using such a processor
US9979541B2 (en) Content management system, host device and content key access method
US20040034768A1 (en) Data encryption device based on protocol analysis
CN109711207B (en) Data encryption method and device
CN107317925A (en) Mobile terminal
US10019584B2 (en) Performance of image forming functions based on encrypted data stored in volatile memory
CN114257457B (en) File sharing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant