CN110543764B - System-on-chip memory protection method, password acceleration engine and memory protection device - Google Patents

System-on-chip memory protection method, password acceleration engine and memory protection device Download PDF

Info

Publication number
CN110543764B
CN110543764B CN201910859140.7A CN201910859140A CN110543764B CN 110543764 B CN110543764 B CN 110543764B CN 201910859140 A CN201910859140 A CN 201910859140A CN 110543764 B CN110543764 B CN 110543764B
Authority
CN
China
Prior art keywords
key
chip
access
memory
identification information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910859140.7A
Other languages
Chinese (zh)
Other versions
CN110543764A (en
Inventor
冯彦朝
朱青山
刘志峰
江南
谢文俊
谭绪祥
刘煊宏
吴欢欢
徐华丽
郭御风
马卓
张明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Phytium Technology Co Ltd
Original Assignee
Phytium Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Phytium Technology Co Ltd filed Critical Phytium Technology Co Ltd
Priority to CN201910859140.7A priority Critical patent/CN110543764B/en
Publication of CN110543764A publication Critical patent/CN110543764A/en
Application granted granted Critical
Publication of CN110543764B publication Critical patent/CN110543764B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Mathematical Physics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a system-on-chip memory protection method, a password acceleration engine and a memory protection device, wherein the system-on-chip memory protection method comprises the following steps: receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying the access authority of the access request, wherein the access authority is a security domain or a common domain legally accessing the system-on-chip memory; determining a key for encrypting the access data according to the identification information; and encrypting the access data by using the determined key. The invention can effectively prevent the memory information leakage of the system on chip caused by physical attack.

Description

System-on-chip memory protection method, password acceleration engine and memory protection device
Technical Field
The invention relates to the technical field of information security, in particular to a system-on-chip memory protection method, a password acceleration engine and a memory protection device.
Background
The security threat faced by computer systems is increasing, and various manufacturers propose a solution for Trusted Execution Environment (TEE). The TEE is a secure area on a System On Chip (SOC), provides functions of isolated Execution, integrity of trusted application, confidentiality of trusted data, secure storage, and the like, and corresponds to a relatively common Execution Environment (REE). The TEE is a runtime environment that coexists with the general-purpose operating system (Rich OS) on the device and provides secure services to the Rich OS. The TEE has a higher security level than the REE, and applications running on the TEE are called Trusted Applications (TA) which can access all functions of the device, and hardware isolation technology protects the TEE from the applications running on the REE. The TEE OS can protect each TA from interaction, which can be used simultaneously by multiple different service providers without affecting security.
Whether the TEE environment or the REE environment exists, information such as some temporary code data and the like in operation needs to be stored in a memory, and the security protection of the memory becomes a key point for ensuring the TEE security. In order to prevent the program on the REE side from forcibly accessing the memory space for storing the information on the TEE side, the memory space is divided into a certain area from hardware as a security domain, so that software attack can be prevented. However, the security risk caused by physical attack exists, the memory information can be leaked due to both software attack and physical attack, the physical attack can easily acquire data in the memory security domain, and the existing protection measures are not enough to cope with the physical attack, so the system on chip has the risk of the memory information leakage caused by the physical attack.
Disclosure of Invention
The invention provides a method for protecting a system-on-chip memory, a password acceleration engine and a memory protection device, and aims to solve the problem that the system-on-chip has the risk of memory information leakage caused by physical attack.
In order to achieve the above object, an embodiment of the present invention provides a method for protecting a system-on-chip memory, including:
receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying an access right of the access request, wherein the access right is a security domain or a common domain for legally accessing the on-chip system memory, the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory;
determining a key for encrypting the access data according to the identification information;
and encrypting the access data by using the determined key.
Wherein the step of determining a key for encrypting the access data according to the identification information includes:
determining a key register corresponding to the identification information from a plurality of key registers of the system on chip according to the identification information; wherein keys in the plurality of key registers are different from each other;
and taking the determined key in the key register as a key for encrypting the access data.
The key in the key register is a random number generated by a random number generator, or a derivative key of the system-on-chip ID, or an operation result of operating the random number and the derivative key.
And the key in the key register is generated in the process of starting up and powering on the system on chip and is written into the key register under the trusted execution environment of the system on chip.
When the system on chip is switched to a standby state, the key in the key register is stored in an on-chip nonvolatile memory, and when the system on chip is switched from the standby state to an awakening state, the key stored in the on-chip nonvolatile memory is reloaded into the key register by a firmware program.
When the system on chip is switched to a sleep state, the key in the key register is stored in an on-chip nonvolatile memory, and when the system on chip is switched to an awaken state from the sleep state, the key stored in the on-chip nonvolatile memory is reloaded into the key register.
When the system on chip is switched from a sleep state to an awake state, a new key is acquired through a random number generator and loaded into a key register.
An embodiment of the present invention further provides a cryptographic acceleration engine, including:
the system comprises a receiving unit, a judging unit and a judging unit, wherein the receiving unit is used for receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying an access right of the access request, wherein the access right is a security domain or a common domain for legally accessing the on-chip system memory, the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory;
a determining unit, configured to determine, according to the identification information, a key for encrypting the access data;
and the encryption unit is used for encrypting the access data by using the determined key.
The embodiment of the invention also provides a system-on-chip memory protection device, which comprises a memory isolation module and the password acceleration engine;
the memory isolation module is configured to, when receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request, add identification information for identifying an access permission of the access request to the access request, and send the access request carrying the identification information and the access data corresponding to the access request to a cryptographic acceleration engine.
The scheme of the invention has at least the following beneficial effects:
in the embodiment of the invention, aiming at a TEE and REE dual-system structure, for access data entering a memory of a system on chip, a key for encrypting the access data is determined according to the access authority of an access request corresponding to the access data, and the access data is encrypted by using the key, so that the data of a security domain and a common domain of the access memory are encrypted by using different keys, thereby solving the problem of memory information leakage caused by physical attack.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the structures shown in the drawings without creative efforts.
FIG. 1 is a flow chart of a method for protecting a system-on-chip memory according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a memory according to an embodiment of the invention;
FIG. 3 is a block diagram of a cryptographic acceleration engine in an embodiment of the invention;
FIG. 4 is a block diagram of a system-on-chip memory guard according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. In the description of the present invention, "a plurality" means two or more unless specifically defined otherwise.
As shown in fig. 1, an embodiment of the present invention provides a method for protecting a system-on-chip memory, including:
step 11, receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying the access authority of the access request.
The access right is a security domain or a common domain for legally accessing the on-chip system memory, wherein the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory.
It should be noted that, in the embodiment of the present invention, the on-chip system memory may be divided into the security domain and the normal domain by the memory isolation module, and the memory after the domain division is shown in fig. 2, where a rectangle frame with oblique lines represents the security domain, and a rectangle frame without oblique lines represents the normal domain. And as an example, the specific structure of the memory isolation module can be implemented by using the security isolation device for the storage system in patent 201810475132.8 (i.e. a security isolation method and device for the storage system).
And step 12, determining a key for encrypting the access data according to the identification information.
In the embodiment of the present invention, since the access permissions of the access requests are different, and the keys for encrypting the access data are different, the keys need to be determined according to the access permissions of the access requests, so as to implement encryption of the data of the security domain and the general domain of the access memory by using different keys, and solve the problem of memory information leakage caused by physical attack.
Specifically, in the embodiment of the present invention, the specific implementation manner of the step 12 may be: and determining a key register corresponding to the identification information from a plurality of key registers of the system on chip according to the identification information, and taking a key in the determined key register as a key for encrypting the access data. Wherein the keys in the plurality of key registers are different from each other.
It should be noted that, in the embodiment of the present invention, the above multiple key registers include a key register corresponding to a secure domain and a key register corresponding to a normal domain, but each key register has only one key (the generation of the key will be described in detail later). Since the access authority of the access request can be determined through the identification information, the key register corresponding to the identification information can be determined according to the identification information (that is, if the access authority of the access request is a security domain of a legal access system-on-chip memory, the key register corresponding to the security domain is used as the key register corresponding to the identification information, and if the access authority of the access request is a normal domain of the legal access system-on-chip memory, the key register corresponding to the normal domain is used as the key register corresponding to the identification information).
It can be understood that, in the embodiment of the present invention, when the access right of the access request is determined to be a normal domain that legitimately accesses the system-on-chip memory according to the identification information, the access data corresponding to the access request may not be encrypted, because the security requirement of the normal domain is low, and the time delay may be reduced without encryption.
And step 13, encrypting the access data by using the determined key.
In the embodiment of the present invention, after the key is determined, the key may enter the encryption/decryption channel with the access request to complete encryption of the access data.
It is worth mentioning that, in the embodiment of the present invention, for a dual-architecture of the TEE and the REE, for access data entering a system-on-chip memory, a key for encrypting the access data is determined according to an access right of an access request corresponding to the access data, and the access data is encrypted by using the key, so that data of a security domain and a general domain of the access memory are encrypted by using different keys, thereby increasing the security of the TEE, effectively defending the problem of physical attack of the memory, and even if the memory is physically attacked, an attacker obtains a ciphertext, which does not cause information leakage. Meanwhile, the mode of the key is determined according to the access authority of the access request, the system on chip can complete dynamic switching of the key in the running process, the security enhancement of software attack can be realized, and the security domain can be further ensured to be accessed only by the TEE and not to be accessed by the program at the REE side.
In addition, the method for protecting the system-on-chip memory has small influence on performance, has great flexibility, and can well balance the overhead of safety, performance and cost.
Next, generation, storage, restoration, and the like of the key in the key register are described in detail.
In an embodiment of the present invention, the key in the key register is a random number generated by a random number generator (TRNG), or a derivative key of the system-on-chip ID, or an operation result of operating the random number and the derivative key. Here, the operation is not limited to a specific form, and may be a product operation, a sum operation, or the like.
Wherein, in an embodiment of the invention, the key in the key register is only writable and not readable, and the key can only be written in a trusted execution environment. Specifically, the key in the key register is generated in the boot power-on process of the system on chip and written into the key register in the trusted execution environment of the system on chip. That is, when the system on chip is powered on, the key is generated by any one of the three ways (i.e. by the random number generator, by derivation of the system on chip ID, by operation on the random number generated by the random number generator and the derived key of the system on chip ID), and is written into the key register in the TEE environment, and is not changed in the whole operation process of the system on chip. After the system on chip is restarted, the above process is repeated. The keys after being electrified every time are different, and the difficulty of cracking is increased. The data in the memory is lost after the system on chip is shut down, so that the key in the key register is not required to be stored in the shutdown process.
In the embodiment of the invention, when the system on chip is in a standby (Sleep) state, only a few parts are powered on, and the rest parts are powered off until the system on chip is awakened again. In the standby state, the memory is in the power supply state, and the memory controller and the password acceleration engine executing the on-chip system memory protection method are in the power off state, so that the secret key in the secret key register can be stored in an on-chip nonvolatile memory, and when the password acceleration engine is awakened, the secret key is reloaded into the secret key register in the password acceleration engine by the firmware program. That is, when the system on chip switches to a standby state, the key in the key register is stored in an on-chip nonvolatile memory, and when the system on chip switches from the standby state to an awake state, the key stored in the on-chip nonvolatile memory is reloaded into the key register by a firmware program.
In addition, in the embodiment of the present invention, when the system on chip is in a sleep (Hibernate) state (similar to a shutdown state), data in the memory is first stored on the hard disk, and is reloaded into the memory when being awakened, so as to be restored to the state before the sleep. Since the data in the memory is decrypted when leaving the memory and stored in the hard disk as plaintext or encrypted by other cryptographic acceleration engines, there are two ways to process the key, one is to store the key and reload it into the key register when waking up. That is, when the system on chip switches to a sleep state, the key in the key register is stored in an on-chip nonvolatile memory, and when the system on chip switches from the sleep state to a wake state, the key stored in the on-chip nonvolatile memory is reloaded into the key register. And secondly, the secret key is not stored, and a firmware program is directly used to obtain a new secret key through the TRNG and load the new secret key into the secret key register during awakening. That is, when the system on chip is switched from the sleep state to the wake state, a new key is obtained by the random number generator and loaded into the key register.
As shown in fig. 3, an embodiment of the present invention further provides a cryptographic acceleration engine, including: a receiving unit 31, a determining unit 32 and an encrypting unit 33.
The receiving unit 31 is configured to receive an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying an access right of the access request, the access right is a security domain or a common domain which legally accesses the on-chip system memory, the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory.
A determining unit 32, configured to determine, according to the identification information, a key for encrypting the access data.
An encryption unit 33 for encrypting the access data with the determined key.
In the embodiment of the present invention, the cryptographic acceleration engine 30 is a device corresponding to the above-mentioned system-on-chip memory protection method, and can solve the problem of memory information leakage caused by physical attack.
It should be noted that the cryptographic acceleration engine 30 includes all units for implementing the above-described system-on-chip memory protection method, and in order to avoid too many repetitions, details of each unit of the cryptographic acceleration engine 30 are not described herein.
It should be noted that the cryptographic acceleration engine 30 applies a symmetric encryption algorithm to the access data, and the decryption process of the access data is the reverse process of encryption.
In addition, as shown in fig. 4, an embodiment of the present invention further provides a system-on-chip memory protection apparatus, which includes a memory isolation module 41 and the above-mentioned cryptographic acceleration engine 30.
The memory isolation module 41 is configured to, when receiving an access request for accessing the system-on-chip memory and access data corresponding to the access request, add identification information for identifying an access permission of the access request in the access request, and send the access request carrying the identification information and the access data corresponding to the access request to the cryptographic acceleration engine 30.
The access right is a security domain or a common domain for legally accessing the on-chip system memory, wherein the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory.
It is to be understood that the foregoing has described an implementation of the memory isolation module 41, and the implementation thereof is not described again to avoid redundancy.
It should be noted that the memory isolation module 41 and the cryptographic acceleration engine 30 are disposed between the on-chip interconnection network (NOC5) and the memory controller (DDR controller 6), the memory isolation module 41 is connected to the NOC5 and the cryptographic acceleration engine 30, the cryptographic acceleration engine 30 is connected to the DDR controller 6, and the NOC5, the memory isolation module 41, the cryptographic acceleration engine 30, and the DDR controller 6 are connected by an Advanced eXtensible Interface (AXI) bus.
It should be noted that, in the embodiment of the present invention, the soc memory protection device 4 divides the memory into a security domain and a normal domain through the memory isolation module 41, and adds identification information for identifying the access right of the access request in the access request, so that the cryptographic acceleration engine 30 can determine a key for encrypting the access data according to the access right of the access request corresponding to the access data after receiving the access request, and encrypt the access data by using the key, so as to encrypt the data of the security domain and the normal domain of the access memory by using different keys, thereby solving the problem of memory information leakage caused by physical attack, even if the memory is physically attacked, an attacker obtains a ciphertext without causing information leakage, and simultaneously can also realize security enhancement of software attack, further ensuring that the security domain can only be accessed by TEE, cannot be accessed by programs on the REE side.
The above-mentioned embodiments are only used for illustrating the technical solutions of the present invention, and not for limiting the same; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; such modifications and substitutions do not substantially depart from the spirit and scope of the embodiments of the present invention, and are intended to be included within the scope of the present invention.

Claims (9)

1. A method for protecting a system-on-chip memory, comprising:
receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying an access right of the access request, wherein the access right is a security domain or a common domain for legally accessing the on-chip system memory, the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory;
determining a key for encrypting the access data according to the identification information;
encrypting the access data by using the determined key;
the method comprises the steps that a plurality of key registers comprise key registers corresponding to security domains and key registers corresponding to common domains, each key register corresponds to a key, the access authority of an access request is determined through identification information, the key register corresponding to the identification information is determined according to the identification information, and if the access authority of the access request is legal to access the security domain of the on-chip system memory, the key register corresponding to the security domain is used as the key register corresponding to the identification information; and if the access authority of the access request is a normal domain which is legal to access the system-on-chip memory, taking a key register corresponding to the normal domain as a key register corresponding to the identification information.
2. The method according to claim 1, wherein the step of determining the key for encrypting the access data according to the identification information comprises:
determining a key register corresponding to the identification information from a plurality of key registers of the system on chip according to the identification information; wherein keys in the plurality of key registers are different from each other;
and taking the determined key in the key register as a key for encrypting the access data.
3. The method according to claim 2, wherein the key in the key register is a random number generated by a random number generator, or a derivative key of the system-on-chip ID, or an operation result of an operation performed on the random number and the derivative key.
4. The method as claimed in claim 3, wherein the key in the key register is generated during power-on of the system-on-chip and written into the key register under a trusted execution environment of the system-on-chip.
5. The method of claim 2, wherein the key stored in the key register is stored in an on-chip non-volatile memory when the system-on-chip switches to the standby state, and wherein the key stored in the on-chip non-volatile memory is reloaded into the key register by a firmware program when the system-on-chip switches from the standby state to the wake-up state.
6. The method of claim 2, wherein the key stored in the key register is stored in an on-chip non-volatile memory when the system-on-chip switches to the sleep state, and wherein the key stored in the on-chip non-volatile memory is reloaded into the key register when the system-on-chip switches from the sleep state to the wake state.
7. The method according to claim 2, wherein when the system on chip switches from the sleep state to the wake state, a new key is obtained by a random number generator and loaded into the key register.
8. A cryptographic acceleration engine, comprising:
the system comprises a receiving unit, a judging unit and a judging unit, wherein the receiving unit is used for receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request; the access request carries identification information for identifying an access right of the access request, wherein the access right is a security domain or a common domain for legally accessing the on-chip system memory, the security domain is a memory space of a trusted execution environment in the on-chip system memory, and the common domain is a memory space of a common execution environment in the on-chip system memory;
a determining unit, configured to determine, according to the identification information, a key for encrypting the access data;
an encryption unit configured to encrypt the access data using the determined key;
the method comprises the steps that a plurality of key registers comprise key registers corresponding to security domains and key registers corresponding to common domains, each key register corresponds to a key, the access authority of an access request is determined through identification information, the key register corresponding to the identification information is determined according to the identification information, and if the access authority of the access request is legal to access the security domain of the on-chip system memory, the key register corresponding to the security domain is used as the key register corresponding to the identification information; and if the access authority of the access request is a normal domain which is legal to access the system-on-chip memory, taking a key register corresponding to the normal domain as a key register corresponding to the identification information.
9. A system-on-chip memory guard comprising a memory isolation module and the cryptographic acceleration engine of claim 8;
the memory isolation module is configured to, when receiving an access request for accessing a system-on-chip memory and access data corresponding to the access request, add identification information for identifying an access permission of the access request to the access request, and send the access request carrying the identification information and the access data corresponding to the access request to a cryptographic acceleration engine.
CN201910859140.7A 2019-09-11 2019-09-11 System-on-chip memory protection method, password acceleration engine and memory protection device Active CN110543764B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910859140.7A CN110543764B (en) 2019-09-11 2019-09-11 System-on-chip memory protection method, password acceleration engine and memory protection device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910859140.7A CN110543764B (en) 2019-09-11 2019-09-11 System-on-chip memory protection method, password acceleration engine and memory protection device

Publications (2)

Publication Number Publication Date
CN110543764A CN110543764A (en) 2019-12-06
CN110543764B true CN110543764B (en) 2021-07-23

Family

ID=68713591

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910859140.7A Active CN110543764B (en) 2019-09-11 2019-09-11 System-on-chip memory protection method, password acceleration engine and memory protection device

Country Status (1)

Country Link
CN (1) CN110543764B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4145296A1 (en) * 2021-09-01 2023-03-08 Phytium Technology Co., Ltd. Microprocessor, data processing method, electronic device, and storage medium

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111666577B (en) * 2020-06-07 2022-07-19 厦门亿联网络技术股份有限公司 Data decryption method, device, equipment and storage medium
CN113420308A (en) * 2021-07-01 2021-09-21 联芸科技(杭州)有限公司 Data access control method and control system for encryption memory
CN113722750B (en) * 2021-07-20 2024-03-19 南京航空航天大学 Authentication encryption and group key based network-on-chip security domain construction method
CN113449347B (en) * 2021-09-01 2021-12-17 飞腾信息技术有限公司 Microprocessor, data processing method, electronic device, and storage medium
CN113449331B (en) * 2021-09-01 2021-12-17 飞腾信息技术有限公司 Microprocessor, data processing method, electronic device, and storage medium
CN113821821B (en) * 2021-11-24 2022-02-15 飞腾信息技术有限公司 Security architecture system, cryptographic operation method of security architecture system and computing device
CN113821835B (en) * 2021-11-24 2022-02-08 飞腾信息技术有限公司 Key management method, key management device and computing equipment

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102063592A (en) * 2011-01-07 2011-05-18 北京工业大学 Credible platform and method for controlling hardware equipment by using same
CN105429752A (en) * 2015-11-10 2016-03-23 中国电子科技集团公司第三十研究所 Processing method and system of user key in cloud environment
CN106980794A (en) * 2017-04-01 2017-07-25 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN108288004A (en) * 2017-12-07 2018-07-17 深圳市中易通安全芯科技有限公司 A kind of encryption chip is in REE and TEE environmental coexistence system and methods
CN108781210A (en) * 2015-12-11 2018-11-09 格马尔托股份有限公司 Mobile device with credible performing environment

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20010056540A1 (en) * 1997-09-16 2001-12-27 Timothy Ober Secure memory area
CN102404110A (en) * 2011-12-08 2012-04-04 宇龙计算机通信科技(深圳)有限公司 Method and device for obtaining keys
US8898769B2 (en) * 2012-11-16 2014-11-25 At&T Intellectual Property I, Lp Methods for provisioning universal integrated circuit cards

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102063592A (en) * 2011-01-07 2011-05-18 北京工业大学 Credible platform and method for controlling hardware equipment by using same
CN102063592B (en) * 2011-01-07 2013-03-06 北京工业大学 Credible platform and method for controlling hardware equipment by using same
CN105429752A (en) * 2015-11-10 2016-03-23 中国电子科技集团公司第三十研究所 Processing method and system of user key in cloud environment
CN108781210A (en) * 2015-12-11 2018-11-09 格马尔托股份有限公司 Mobile device with credible performing environment
CN106980794A (en) * 2017-04-01 2017-07-25 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN108288004A (en) * 2017-12-07 2018-07-17 深圳市中易通安全芯科技有限公司 A kind of encryption chip is in REE and TEE environmental coexistence system and methods

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP4145296A1 (en) * 2021-09-01 2023-03-08 Phytium Technology Co., Ltd. Microprocessor, data processing method, electronic device, and storage medium

Also Published As

Publication number Publication date
CN110543764A (en) 2019-12-06

Similar Documents

Publication Publication Date Title
CN110543764B (en) System-on-chip memory protection method, password acceleration engine and memory protection device
US9842212B2 (en) System and method for a renewable secure boot
US7392415B2 (en) Sleep protection
US9898624B2 (en) Multi-core processor based key protection method and system
CN107408081B (en) Providing enhanced replay protection for memory
US10243990B1 (en) Systems and methods for detecting replay attacks on security space
KR101662616B1 (en) Methods and apparatus to protect memory regions during low-power states
US10536266B2 (en) Cryptographically securing entropy for later use
KR102013841B1 (en) Method of managing key for secure storage of data, and and apparatus there-of
US20090187771A1 (en) Secure data storage with key update to prevent replay attacks
US20130205139A1 (en) Scrambling An Address And Encrypting Write Data For Storing In A Storage Device
US10565130B2 (en) Technologies for a memory encryption engine for multiple processor usages
EP3271828B1 (en) Cache and data organization for memory protection
EP3757838B1 (en) Warm boot attack mitigations for non-volatile memory modules
Gross et al. Enhancing the Security of FPGA-SoCs via the Usage of ARM TrustZone and a Hybrid-TPM
CN109697351B (en) Trusted measurement system and method
CN109583196B (en) Key generation method
JP2021057043A (en) Processing system having trust anchor computing device and corresponding method
Liu et al. Off-chip memory encryption and integrity protection based on AES-GCM in embedded systems
CN114861191B (en) Embedded equipment safe starting architecture and method
CN109598150B (en) Key using method
Belle-Isle Memory Protection with Cached Authentication Trees
KR20240097596A (en) Method for encryption key generation and management for full disk encryption
CN115905108A (en) IOPMP architecture implementation method for RISC-V chip
CN118821243A (en) Data processing method, electronic device, storage medium, and computer program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: No.5 building, Xin'an venture Plaza, marine high tech Development Zone, Binhai New Area, Tianjin, 300450

Applicant after: Feiteng Information Technology Co.,Ltd.

Address before: No.5 building, Xin'an venture Plaza, marine high tech Development Zone, Binhai New Area, Tianjin, 300450

Applicant before: TIANJIN FEITENG INFORMATION TECHNOLOGY Co.,Ltd.

CB02 Change of applicant information
GR01 Patent grant
GR01 Patent grant