CN111246466B - Encryption communication method and system for Arm architecture application processor - Google Patents

Encryption communication method and system for Arm architecture application processor

Publication number
CN111246466B
CN111246466B CN201911416548.3A CN201911416548A CN111246466B CN 111246466 B CN111246466 B CN 111246466B CN 201911416548 A CN201911416548 A CN 201911416548A CN 111246466 B CN111246466 B CN 111246466B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911416548.3A
Other languages
Chinese (zh)
Other versions
CN111246466A (en)
Inventor
姜哲
邹仕洪
朱睿
李翔
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Yuanxin Science and Technology Co Ltd
Original Assignee
Beijing Yuanxin Science and Technology Co Ltd
Application filed by Beijing Yuanxin Science and Technology Co Ltd
Priority to CN201911416548.3A
Publication of CN111246466A
Application granted
Publication of CN111246466B

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04W: WIRELESS COMMUNICATION NETWORKS
    • H04W12/00: Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/03: Protecting confidentiality, e.g. by encryption
    • H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00: Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/12: Details relating to cryptographic hardware or logic circuitry

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The application discloses an encryption communication method and system for an Arm architecture application processor, wherein the method comprises the following steps: running an application operating system at a first level exception level of the application processor; enabling a microkernel system which at least performs memory allocation control to run at a second-level exception level of the application processor, wherein the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area; the microkernel system enables the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the reading and writing between the first memory area and the second memory area are carried out through a hardware encryption module arranged outside the application processor. The invention can greatly reduce the risk of bypassing encryption, so that the communication is safer.

Description

Encryption communication method and system for Arm architecture application processor
Technical Field
The present application relates to the field of electrical digital data processing, and in particular, to an encryption communication method and system for an Arm architecture application processor.
Background
In a narrow sense, a System on Chip (SoC) is the chip-level integration of the core of an information system, with the key components of the system integrated on one chip; in a broad sense, an SoC is a miniature system. Academic circles in China and abroad generally define an SoC as the integration of a microprocessor, analog IP cores, digital IP cores and memory (or an off-chip memory control interface) on a single chip, usually either customized for a customer or a standard product for a specific use.
In the Arm (Advanced RISC Machine) v8 architecture, applications run at EL0, the lowest privilege level; the guest OS (Linux kernel, Windows, etc.) runs at EL1; the hypervisor, which provides virtualization support, runs at EL2; and the Security Monitor, which provides security support, runs at EL3. The exception level/privilege level (EL) can change only when an exception is taken or when exception handling returns. When an exception is taken, the processor either stays at the current EL or moves to a higher EL; the EL cannot decrease. Similarly, on return from exception handling, the processor either stays at the current EL or moves to a lower EL.
In the prior art, an SoC hardware device contains a logically separate communication chip, such as a 5G communication chip, and an application processor, and the application processor runs an application operating system, such as Android, at EL1. The application operating system and the communication chip exchange data through a shared memory controlled by the application operating system: the application operating system writes data into the shared memory and the communication chip reads it, and vice versa. However, because the hardware of an integrated SoC is already fixed, it is inconvenient to embed an encryption module. If the communication needs to be encrypted, the only option is for the application operating system to call a cryptographic module, and this existing mode of encrypted communication carries the risk of being bypassed.
Disclosure of Invention
In order to overcome the defects in the prior art, the technical problem to be solved by the invention is to provide an encryption communication method and system for an Arm architecture application processor, which can greatly reduce the risk of bypassing encryption and ensure that the communication is safer.
To solve the above technical problem, according to a first aspect of the present invention, there is provided an encryption communication method for an Arm architecture application processor, the method including:
running an application operating system at a first level exception level of the application processor;
enabling a microkernel system which at least performs memory allocation control to run at a second-level exception level of the application processor, wherein the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area;
the microkernel system enables the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the reading and writing between the first memory area and the second memory area are carried out through a hardware encryption module arranged outside the application processor.
In an embodiment, the microkernel system enables the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the reading and writing between the first and second memory areas is performed by a hardware encryption module disposed outside the application processor, including:
in response to the application operating system writing data into the first memory area, the microkernel system captures a corresponding write event;
the microkernel system transmits the first memory area and the corresponding page table information to the hardware encryption module;
the hardware encryption module encrypts data in the first memory area and writes the encrypted data into the second memory area;
the microkernel system informs the communication chip;
and the communication chip reads data from the second memory area.
In an embodiment, the microkernel system enables the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the reading and writing between the first and second memory areas is performed by a hardware encryption module disposed outside the application processor, including:
in response to the communication chip writing data into the second memory area, the microkernel system transmits the data in the second memory area to the hardware encryption module;
the hardware encryption module decrypts the data and writes the decrypted data into the first memory area;
the microkernel system informs the application operating system;
and the application operating system reads data from the first memory area.
To solve the above technical problem, according to a second aspect of the present invention, there is provided an encryption communication system of an Arm architecture application processor, the system comprising:
the application processor running setting module is used for enabling an application operating system to run at a first-level exception level of the application processor;
a microkernel system operation setting module, configured to enable a microkernel system that performs at least memory allocation control to operate at a second-level exception level of the application processor, where the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area;
and the read-write setting module is used for enabling the microkernel system to enable the application operating system to read and write only the first memory area, enabling the communication chip to read and write only the second memory area, and enabling the read-write between the first memory area and the second memory area to be carried out through the hardware encryption module arranged outside the application processor.
In the prior art, the operating system of the application processor generally calls the encryption module directly, and the kernel of an application operating system is generally a very large body of code (the Linux kernel, for example, has more than 2 million lines), so many latent bugs are a hidden danger. In the present invention, memory is managed and controlled by a microkernel system with a high execution level, and the memory is partitioned: the application operating system communicates only with the first memory area (the shared memory), the communication chip communicates only with the second memory area, and read-write operations between the first and second memory areas must go through the hardware encryption module. The microkernel operating system has about 10,000 lines of code and can be formally verified, so its software code is more secure than that of the Linux kernel; the risk that the encryption module can be bypassed, as in the prior art, is therefore greatly reduced, and communication within the SoC is safer.
Other features and advantages of the present invention will become more apparent from the detailed description of the embodiments of the present invention when taken in conjunction with the accompanying drawings.
Drawings
FIG. 1 is a flow chart of one embodiment of a method according to the present invention;
FIG. 2 is a block diagram of one embodiment of a system according to the present invention.
For the sake of clarity, the figures are schematic and simplified drawings, which only show details which are necessary for understanding the invention and other details are omitted.
Detailed Description
Embodiments and examples of the present invention will be described in detail below with reference to the accompanying drawings.
The scope of applicability of the present invention will become apparent from the detailed description given hereinafter. It should be understood, however, that the detailed description and the specific examples, while indicating preferred embodiments of the invention, are given by way of illustration only.
Fig. 1 shows a flowchart of a preferred embodiment of an encryption communication method of an Arm architecture application processor according to the present invention. An application processor based on the Arm architecture and a communication chip are integrated on an SoC chip; the communication chip is a 2G, 3G, 4G and/or 5G communication chip, and a 5G communication chip is used as the example in this description. Arm defines exception levels for privilege control, namely EL0, EL1, EL2 and EL3, with the level increasing in that order.
In step S102, an application operating system such as a Linux system is run at the EL1 level of the application processor.
In step S104, a microkernel system performing at least memory allocation management and control is executed at the EL2 level of the application processor, and the microkernel system divides the memory into a first memory area (also referred to as a shared memory in the prior art) and a second memory area. In other embodiments, microkernel systems may also run at the EL3 level.
In step S106, in response to the application operating system writing data to the first memory area, the microkernel system captures the write event.
In step S108, the microkernel system transmits the first memory region and the corresponding page table information to the hardware encryption module. The hardware encryption module is arranged outside the application processor. If the existing SoC chip is used, the hardware encryption module is arranged outside the SoC chip because the hardware of the existing SoC chip is fixed. The hardware encryption module may also be integrated inside the SoC chip.
In step S110, the hardware encryption module encrypts the data in the first memory area, and writes the encrypted data into the second memory area.
In step S112, the microkernel system notifies the communication chip, for example, by generating a signal such as an interrupt.
In step S114, the communication chip reads the data in the second memory area.
Data arriving from the network follows the reverse process: in response to the communication chip writing data into the second memory area, the microkernel system transmits the data in the second memory area to the hardware encryption module; the hardware encryption module decrypts the data and writes the decrypted data into the first memory area; the microkernel system notifies the application operating system, for example by generating a soft interrupt signal; and the application operating system reads the data in the first memory area.
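The following C model is an added example, not code from the patent: it traces steps S106 to S114 and the reverse path, and shows direct cross-area accesses being refused. All names are hypothetical; the policy table stands in for the memory control the microkernel enforces, and the XOR transform is a placeholder for the external hardware encryption module, not a cipher.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the two-area policy; every name is hypothetical. */
enum actor  { APP_OS, COMM_CHIP, CRYPTO_HW, N_ACTORS };
enum region { REGION_FIRST, REGION_SECOND, N_REGIONS };
enum { P_NONE = 0, P_R = 1, P_W = 2, P_RW = 3 };
#define REGION_SIZE 64

static uint8_t mem[N_REGIONS][REGION_SIZE];
static size_t  used[N_REGIONS];
static int     chip_irq, os_irq;   /* notifications raised by the microkernel */

/* Access policy owned by the microkernel at the higher exception level. */
static const uint8_t policy[N_ACTORS][N_REGIONS] = {
    [APP_OS]    = { P_RW,   P_NONE },  /* OS: first area only          */
    [COMM_CHIP] = { P_NONE, P_RW   },  /* modem: second area only      */
    [CRYPTO_HW] = { P_RW,   P_RW   },  /* the only bridge between them */
};

/* Checked accessors: -1 models an access refused by the microkernel. */
static int region_write(enum actor a, enum region r, const uint8_t *src, size_t n)
{
    if (!(policy[a][r] & P_W) || n > REGION_SIZE)
        return -1;
    memcpy(mem[r], src, n);
    used[r] = n;
    return 0;
}

static int region_read(enum actor a, enum region r, uint8_t *dst, size_t cap)
{
    if (!(policy[a][r] & P_R) || used[r] > cap)
        return -1;
    memcpy(dst, mem[r], used[r]);
    return (int)used[r];
}

/* Placeholder for the external hardware module. This XOR is NOT encryption;
 * it is self-inverse, so one routine models both encrypt and decrypt. */
static int crypto_transfer(enum region from, enum region to)
{
    uint8_t tmp[REGION_SIZE];
    int n = region_read(CRYPTO_HW, from, tmp, sizeof tmp);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++)
        tmp[i] ^= (uint8_t)(0x5A ^ i);
    return region_write(CRYPTO_HW, to, tmp, (size_t)n);
}

/* Outbound path: S106 (captured write), S108/S110 (encrypt), S112 (notify). */
int os_send(const uint8_t *data, size_t n)
{
    if (region_write(APP_OS, REGION_FIRST, data, n) < 0) return -1;
    if (crypto_transfer(REGION_FIRST, REGION_SECOND) < 0) return -1;
    chip_irq = 1;
    return 0;
}

/* S114: the modem reads the second area after being notified. */
int chip_receive(uint8_t *out, size_t cap)
{
    if (!chip_irq) return -1;
    chip_irq = 0;
    return region_read(COMM_CHIP, REGION_SECOND, out, cap);
}

/* Reverse path: modem writes, module decrypts into the first area, OS notified. */
int chip_deliver(const uint8_t *data, size_t n)
{
    if (region_write(COMM_CHIP, REGION_SECOND, data, n) < 0) return -1;
    if (crypto_transfer(REGION_SECOND, REGION_FIRST) < 0) return -1;
    os_irq = 1;
    return 0;
}

int os_receive(uint8_t *out, size_t cap)
{
    if (!os_irq) return -1;
    os_irq = 0;
    return region_read(APP_OS, REGION_FIRST, out, cap);
}

/* Direct cross-area accesses that the policy must refuse. */
int os_bypass_attempt(const uint8_t *d, size_t n) { return region_write(APP_OS, REGION_SECOND, d, n); }
int chip_snoop_attempt(uint8_t *o, size_t cap)    { return region_read(COMM_CHIP, REGION_FIRST, o, cap); }

int main(void)
{
    uint8_t msg[] = "hello modem", wire[REGION_SIZE], back[REGION_SIZE];
    printf("OS write to second area: %d\n", os_bypass_attempt(msg, sizeof msg));
    os_send(msg, sizeof msg);
    printf("modem read of first area: %d\n", chip_snoop_attempt(back, sizeof back));
    int n = chip_receive(wire, sizeof wire);
    printf("modem sees plaintext: %s\n", memcmp(wire, msg, sizeof msg) ? "no" : "yes");
    chip_deliver(wire, (size_t)n);
    int m = os_receive(back, sizeof back);
    printf("round trip: %d bytes, match=%d\n", m, memcmp(back, msg, sizeof msg) == 0);
    return 0;
}
```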
Fig. 2 shows a block diagram of a preferred embodiment of an encrypted communication system of an Arm architecture application processor according to the present invention, the system comprising: an application processor running setting module 202, configured to enable an application operating system to run at a first-level exception level of the application processor; a microkernel system operation setting module 204, configured to enable a microkernel system that performs at least memory allocation management and control to operate at a second-level exception level of the application processor, where the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area; the read-write setting module 206 is used for the microkernel system to enable the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the read-write between the first memory area and the second memory area is performed through the hardware encryption module arranged outside the application processor.
In one embodiment, the read/write setup module 206 includes: the capture submodule is used for responding to the writing of data into the first memory area by the application operating system, and the microkernel system captures a corresponding writing event; the first transmission submodule is used for enabling the microkernel system to transmit a first memory area and corresponding page table information to the hardware encryption module; the encryption submodule is used for enabling the hardware encryption module to encrypt the data in the first memory area and writing the encrypted data into the second memory area; the first notification submodule is used for enabling the microkernel system to notify the communication chip; and the first reading submodule is used for enabling the communication chip to read data from the second memory area.
In another embodiment, the read/write setting module 206 further includes: the second transmission submodule, used for enabling the microkernel system, in response to the communication chip writing data into the second memory area, to transmit the data in the second memory area to the hardware encryption module; the decryption submodule, used for enabling the hardware encryption module to decrypt the data and write the decrypted data into the first memory area; the second notification submodule, used for enabling the microkernel system to notify the application operating system; and the second reading submodule, used for enabling the application operating system to read data from the first memory area.
The various embodiments described herein, or certain features, structures, or characteristics thereof, may be combined as suitable in one or more embodiments of the invention. Additionally, in some cases, the order of steps depicted in the flowcharts and/or in the pipelined process may be modified, as appropriate, and need not be performed exactly in the order depicted. In addition, various aspects of the invention may be implemented using software, hardware, firmware, or a combination thereof, and/or other computer implemented modules or devices that perform the described functions. Software implementations of the present invention may include executable code stored in a computer readable medium and executed by one or more processors. The computer-readable medium may include a computer hard drive, ROM, RAM, flash memory, portable computer storage media such as CD-ROM, DVD-ROM, flash drives, and/or other devices with a Universal Serial Bus (USB) interface, and/or any other suitable tangible or non-transitory computer-readable medium or computer memory on which executable code may be stored and executed by a processor. The present invention may be used in conjunction with any suitable operating system.
As used herein, the singular forms "a", "an" and "the" include plural references (i.e., have the meaning "at least one"), unless the context clearly dictates otherwise. It will be further understood that the terms "has," "includes" and/or "including," when used in this specification, specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The term "and/or" as used herein includes any and all combinations of one or more of the associated listed items.
The foregoing describes some preferred embodiments of the present invention, but it should be emphasized that the invention is not limited to these embodiments, but can be implemented in other ways within the scope of the inventive subject matter. Various modifications and alterations of this invention will become apparent to those skilled in the art without departing from the spirit and scope of this invention.

Claims (10)

1. An encryption communication method for an Arm architecture application processor, the method comprising:
running an application operating system at a first level exception level of the application processor;
enabling a microkernel system which at least performs memory allocation control to run at a second-level exception level of the application processor, wherein the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area;
the microkernel system enables the application operating system to read and write only the first memory area, the communication chip to read and write only the second memory area, and the reading and writing between the first memory area and the second memory area are carried out through a hardware encryption module arranged outside the application processor.
2. The method of claim 1, wherein the microkernel system enables the application operating system to read from and write to only the first memory region, the communication chip to read from and write to only the second memory region, and the reading and writing between the first and second memory regions being performed by a hardware encryption module disposed outside the application processor comprises:
in response to the application operating system writing data into the first memory area, the microkernel system captures a corresponding write event;
the microkernel system transmits the first memory area and the corresponding page table information to the hardware encryption module;
the hardware encryption module encrypts data in the first memory area and writes the encrypted data into the second memory area;
the microkernel system informs the communication chip;
and the communication chip reads data from the second memory area.
3. The method of claim 1 or 2, wherein the microkernel system enables the application operating system to read and write only the first memory region, the communication chip to read and write only the second memory region, and the reading and writing between the first and second memory regions being performed by a hardware encryption module disposed outside the application processor further comprises:
in response to the communication chip writing data into the second memory area, the microkernel system transmits the data in the second memory area to the hardware encryption module;
the hardware encryption module decrypts the data and writes the decrypted data into the first memory area;
the microkernel system informs the application operating system;
and the application operating system reads data from the first memory area.
4. The method of claim 1, wherein the application processor and the communication chip are integrated on a system-on-a-chip type chip.
5. The method of claim 1, wherein the communication chip is a 2G, 3G, 4G, and/or 5G communication chip.
6. An encrypted communication system for an Arm architecture application processor, the system comprising:
the application processor running setting module is used for enabling an application operating system to run at a first-level exception level of the application processor;
a microkernel system operation setting module, configured to enable a microkernel system that performs at least memory allocation control to operate at a second-level exception level of the application processor, where the second-level exception level is higher than the first-level exception level, and the microkernel system divides a memory into a first memory area and a second memory area;
and the read-write setting module is used for enabling the microkernel system to enable the application operating system to read and write only the first memory area, enabling the communication chip to read and write only the second memory area, and enabling the read-write between the first memory area and the second memory area to be carried out through the hardware encryption module arranged outside the application processor.
7. The system of claim 6, wherein the read-write setup module comprises:
the capture submodule is used for responding to the writing of data into the first memory area by the application operating system, and the microkernel system captures a corresponding writing event;
the first transmission submodule is used for enabling the microkernel system to transmit a first memory area and corresponding page table information to the hardware encryption module;
the encryption submodule is used for enabling the hardware encryption module to encrypt the data in the first memory area and writing the encrypted data into the second memory area;
the first notification submodule is used for enabling the microkernel system to notify the communication chip;
and the first reading submodule is used for enabling the communication chip to read data from the second memory area.
8. The system of claim 7, wherein the read-write setup module further comprises:
the second transmission submodule is used for enabling the microkernel system, in response to the communication chip writing data into the second memory area, to transmit the data in the second memory area to the hardware encryption module;
the decryption submodule is used for enabling the hardware encryption module to decrypt data and writing the decrypted data into the first memory area;
the second informing submodule is used for enabling the microkernel system to inform the application operating system;
and the second reading submodule is used for enabling the application operating system to read data from the first memory area.
9. The system of claim 6, wherein the application processor and the communication chip are integrated on a system-on-a-chip type chip.
10. The system of claim 6, wherein the communication chip is a 2G, 3G, 4G, and/or 5G communication chip.
CN201911416548.3A 2019-12-31 2019-12-31 Encryption communication method and system for Arm architecture application processor Active CN111246466B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911416548.3A CN111246466B (en) 2019-12-31 2019-12-31 Encryption communication method and system for Arm architecture application processor

Publications (2)

Publication Number Publication Date
CN111246466A (en) 2020-06-05
CN111246466B (en) 2021-06-15

Family

ID=70864104

Country Status (1)

Country Link
CN (1) CN111246466B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112329046B (en) * 2020-11-25 2023-06-23 北京元心科技有限公司 Secure communication method, apparatus, electronic device, and computer-readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103514414A (en) * 2012-06-26 2014-01-15 上海盛轩网络科技有限公司 Encryption method and encryption system based on ARM TrustZone
CN103679060A (en) * 2012-09-19 2014-03-26 腾讯科技(深圳)有限公司 Encryption method and encryption device
CN109086100A (en) * 2018-07-26 2018-12-25 中国科学院信息工程研究所 A kind of high safety is credible mobile terminal safety architectural framework and security service method
CN109543452A (en) * 2018-11-29 2019-03-29 北京元心科技有限公司 Data transmission method, device, electronic equipment and computer readable storage medium

Also Published As

Publication number Publication date
CN111246466A (en) 2020-06-05

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant