CN111400726A - Data processing method, device, equipment and machine readable medium - Google Patents

Publication number
CN111400726A
Authority
CN
China
Prior art keywords
file
operating system
processing
execution environment
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201910005492.6A
Other languages
Chinese (zh)
Other versions
CN111400726B (en)
Inventor
李�诚
许来光
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Banma Zhixing Network Hongkong Co Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd
Priority to CN201910005492.6A
Publication of CN111400726A
Application granted
Publication of CN111400726B
Current legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2107 File encryption

Abstract

Embodiments of the application provide a data processing method, a data processing apparatus, a device and a machine-readable medium. The device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system. Embodiments of the application can improve the security of the file.

Description

Data processing method, device, equipment and machine readable medium
Technical Field
The present application relates to the field of computer technologies, and in particular, to a data processing method, a data processing apparatus, a device, and a machine-readable medium.
Background
With the popularization of mobile devices and the development of the mobile internet, mobile devices have become portable electronic devices that integrate functions such as communication, payment, and entertainment. Currently, personal data such as a user's chat records, payment tool passwords, and bank card information are stored on mobile devices; whether such data stored on mobile devices is secure is an increasing concern for users.
One related technology provides an FDE (Full Disk Encryption) function. When the FDE function is enabled, all data written to the disk must be encrypted first, and all data read from it must be decrypted first.
Another related technology provides an FBE (File Based Encryption) function. When the FBE function is enabled, different files can be encrypted with different keys, and the encrypted files can be decrypted independently.
The FDE function or the FBE function encrypts the file before storing it on the disk, so that others cannot read the original file directly from the disk after the mobile device is lost. However, if the mobile device is compromised and the attacker obtains privileges, a malicious process may use those privileges to make the operating system decrypt the file and obtain the original file, so a risk of file leakage remains.
Disclosure of Invention
The technical problem to be solved by the embodiments of the present application is to provide a data processing method, which can improve the security of a file.
Correspondingly, the embodiment of the application also provides a data processing device, equipment and a machine readable medium, which are used for ensuring the realization and the application of the method.
In order to solve the above problem, an embodiment of the present application discloses a data processing method, where the device to which the method is applied is loaded with a first operating system and a second operating system;
the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes a file;
the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system.
In order to solve the above problem, an embodiment of the present application discloses a data processing method, where the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system; the method comprises the following steps:
sending a file processing request to the second operating system, where the file processing request is used for processing a file, and the processing includes encryption processing or decryption processing;
and receiving a processing result returned by the second operating system.
In order to solve the above problem, an embodiment of the present application discloses a data processing method, where the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system;
the method comprises the following steps:
receiving a file processing request sent by the first operating system, where the file processing request is used for processing a file, and the processing includes encryption processing or decryption processing;
processing the file processing request to obtain a processing result;
and sending the processing result to the first operating system.
On the other hand, the embodiment of the application also discloses a data processing device, and equipment applied by the device is loaded with a first operating system and a second operating system;
the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file;
the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system.
On the other hand, the embodiment of the application also discloses a data processing device, and equipment applied by the device is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system; the device comprises:
a sending module, configured to send a file processing request to the second operating system; the file processing request is used for processing a file, and the processing comprises the following steps: encryption processing or decryption processing;
and the receiving module is used for receiving the processing result returned by the second operating system.
On the other hand, the embodiment of the application also discloses a data processing device, and equipment applied by the device is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system;
the device comprises:
the receiving module is used for receiving a file processing request sent by the first operating system; the file processing request is used for processing a file, and the processing comprises the following steps: encryption processing or decryption processing;
the processing module is used for processing the file processing request to obtain a processing result;
and the sending module is used for sending the processing result to the first operating system.
In another aspect, an embodiment of the present application further discloses an apparatus, including:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform one or more of the methods described above.
In yet another aspect, embodiments of the present application disclose one or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform one or more of the methods described above.
Compared with the prior art, the embodiment of the application has the following advantages:
The file of the embodiment of the application is stored in the namespace of the first operating system, so that processes running outside the namespace can be prevented from accessing the file; therefore, even if the device is compromised by a malicious party, a malicious process can be prevented from accessing the protected file in the namespace, which improves the security of the file.
In addition, in the embodiment of the present application the key corresponding to the file is stored in the second execution environment corresponding to the second operating system, and the second execution environment is independent of the first execution environment, so the risk of key leakage can be reduced and the security of the file can be further improved.
Drawings
FIG. 1 is a flowchart illustrating the steps of a first embodiment of a data processing method of the present application;
FIG. 2 is a flowchart illustrating the steps of a second embodiment of a data processing method of the present application;
FIG. 3 is a flowchart illustrating the steps of a third embodiment of a data processing method of the present application;
FIG. 4 is a flowchart illustrating the steps of a fourth embodiment of a data processing method of the present application;
FIG. 5 is a schematic diagram of data interaction between a first operating system and a second operating system according to an embodiment of the present application;
FIG. 6 is a block diagram of an embodiment of a data processing apparatus of the present application;
FIG. 7 is a block diagram of an embodiment of a data processing apparatus of the present application; and
FIG. 8 is a schematic structural diagram of a device provided in an embodiment of the present application.
Detailed Description
In order to make the aforementioned objects, features and advantages of the present application more comprehensible, the present application is described in further detail with reference to the accompanying drawings and the detailed description.
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments that can be derived from the embodiments given herein by a person of ordinary skill in the art are intended to be within the scope of the present disclosure.
While the concepts of the present application are susceptible to various modifications and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will herein be described in detail. It should be understood, however, that the description above is not intended to limit the application to the particular forms disclosed, but on the contrary, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the application.
Reference in the specification to "one embodiment," "an embodiment," "a particular embodiment," or the like means that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may or may not necessarily include that feature, structure, or characteristic. Moreover, such phrases do not necessarily refer to the same embodiment. Further, where a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such a feature, structure, or characteristic in connection with other embodiments, whether or not explicitly described. In addition, it should be understood that items in a list of the form "at least one of A, B, and C" may mean: (A); (B); (C); (A and B); (A and C); (B and C); or (A, B and C). Likewise, items in a list of the form "at least one of A, B, or C" may mean: (A); (B); (C); (A and B); (A and C); (B and C); or (A, B and C).
In some cases, the disclosed embodiments may be implemented as hardware, firmware, software, or any combination thereof. The disclosed embodiments may also be implemented as instructions carried or stored on one or more transitory or non-transitory machine-readable (e.g., computer-readable) storage media, which may be executed by one or more processors. A machine-readable storage medium may be implemented as a storage device, mechanism, or other physical structure (e.g., a volatile or non-volatile memory, a media disk, or another medium or physical structure device) for storing or transmitting information in a form readable by a machine.
In the drawings, some structural or method features may be shown in a particular arrangement and/or ordering. However, such a specific arrangement and/or ordering is not necessarily required. Rather, in some embodiments, such features may be arranged in different ways and/or orders than shown in the figures. Moreover, the inclusion of structural or method features in a particular figure is not meant to imply that such features are required in all embodiments; in some embodiments, such features may not be included or may be combined with other features.
The embodiment of the application provides a data processing method, and the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system may correspond to a first execution environment, and a namespace of the first operating system may include a file; the second operating system may correspond to a second execution environment, and a key corresponding to the file may be stored in the second operating system. The first execution environment and the second execution environment may be concurrent and independent of each other.
In the embodiment of the present application, a namespace is an environment isolation mechanism implemented by the operating system kernel between different processes. Namespaces are a feature of the operating system kernel for isolating and virtualizing system resources, which may include: process IDs (identities), host names, user IDs, network access, inter-process communication, file systems, etc. Any process can be bound to a corresponding namespace, and the range of system resources available to that process is then: viewing and operating on the resources of that namespace.
The file of the embodiment of the application is stored in the namespace of the first operating system, so that processes running outside the namespace can be prevented from accessing the file; therefore, even if the device is compromised by a malicious party, a malicious process can be prevented from accessing the protected file in the namespace, which improves the security of the file.
Optionally, the first execution environment may be an REE (normal execution environment). Optionally, the second execution environment may be a TEE (trusted execution environment).
A TEE may be a runtime environment that co-exists with an REE on a device and may provide security services for the REE. The TEE is protected by hardware mechanisms and can provide higher security than the REE. Also, the TEE is isolated from the REE, and the REE may communicate with the TEE through a specific entry point. Optionally, the TEE may access the memory of the REE, while the REE cannot access the hardware-protected TEE memory.
A complete operating system (the second operating system) runs inside the TEE, isolated from the REE, and the TEE and the REE interact through shared memory. The interior of the TEE is also divided into a kernel mode and a user mode, and the user mode of the TEE can run a plurality of different second applications.
The hardware and software resources that the TEE can access are separate from the REE. The TEE provides a secure execution environment for the second application while also protecting the confidentiality, integrity, and access rights of the resources and data of the second application. To improve the security of the TEE, the TEE is authenticated and isolated from the REE during secure boot. In the TEE, different second applications are independent of each other and cannot access each other without authorization.
According to the embodiment of the application, the key corresponding to the file is stored in the second execution environment corresponding to the second operating system, and the second execution environment is independent of the first execution environment, so the risk of key leakage can be reduced and the security of the file can be further improved.
Because the trusted execution environment is protected by a hardware mechanism and has higher security, the embodiment of the application can reduce the risk of key leakage and further improve the security of the file.
In an embodiment of the present application, the file may include: a plaintext file, or a ciphertext file. The ciphertext file may be a file obtained by encrypting a plaintext file with a key.
The plaintext file can be stored in the namespace of the first operating system. Since processes running outside the namespace can be prevented from accessing the plaintext file, the security of the plaintext file can be improved.
Of course, the ciphertext file may also be stored in the namespace of the first operating system in the embodiment of the present application. Processes running outside the namespace can be prevented from accessing the ciphertext file, and processes running outside a preset range within the namespace can also be prevented from accessing it, so the security of the ciphertext file can be improved.
In an alternative embodiment of the present application, the file may be mounted to a namespace of the first operating system. Optionally, the file may be mounted to the namespace of the first operating system by a first process. The first process may be the first user process that is started after the kernel of the first operating system is loaded. Optionally, the first process may be placed under a root directory of the first operating system.
In an alternative embodiment of the present application, the file may include a plaintext file, which may be obtained by the second operating system decrypting the ciphertext file according to the key.
In this embodiment of the application, optionally, the first operating system performs data interaction with the second operating system, so that the second operating system implements encryption and/or decryption on the file through the key. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
The embodiment of the application can be applied to a data security scene and used for improving the security of data. Where the file may be used to store security related data, such as user data, etc., which may include, but is not limited to: private data, property data, etc. According to the embodiment of the application, the security of the file can be improved, and privacy disclosure and property loss of a user are reduced.
In the embodiment of the present application, the operating system is system software in the computer system that is responsible for supporting the application program running environment and the user operating environment, and is also a core and a foundation of the computer system. The operating system is a program set which controls and manages computer software and hardware resources, reasonably organizes computer working processes and facilitates user operation. Responsibilities of the operating system typically include: direct administration of hardware, management of various computing resources (e.g., memory, processor time, etc.), and providing application-oriented services such as job management, among others.
The kernel is a basic module of the operating system and is used for managing system resources. The management system resource may include: providing abstraction at the software level (e.g., operations and rights control for objects such as processes, file systems, synchronization, memory, network protocols, etc.), abstraction of access to hardware (e.g., disks, displays, network cards), etc.
The trusted execution environment corresponding to the second operating system in the embodiment of the present application may be implemented by a hardware technology. The hardware technology may include: the TrustZone hardware technology of ARM (Advanced RISC Machine) processors, or the SGX (Intel Software Guard Extensions) hardware technology of x86 processors, and the like. It can be understood that, as processor technology develops, the trusted execution environment may be implemented by new hardware technologies, and the embodiment of the present application does not limit the specific hardware technology corresponding to the trusted execution environment.
Optionally, the physical core of the processor may provide two virtual cores, one for the first execution environment and one for the second execution environment. Also, the processor may have a mechanism to switch between the first execution environment and the second execution environment.
The devices may specifically include, but are not limited to, a smart phone, a tablet computer, an e-book reader, an MP3 (Moving Picture Experts Group Audio Layer III) player, an MP4 (Moving Picture Experts Group Audio Layer IV) player, a laptop computer, an in-vehicle device, a PC (Personal Computer), a set-top box, a smart television, a wearable device, a control device for a large screen, and the like. It is understood that the present embodiment does not limit the specific device.
Examples of the in-vehicle device may include: HUD (Head Up Display), IVI (In-Vehicle Infotainment), and the like. The vehicle-mounted equipment is usually arranged in front of a driver, can provide necessary driving information for the driver in the driving process, such as vehicle speed, oil consumption and navigation, even mobile phone call, message reminding and the like, and can also provide entertainment function for the driver; in other words, the vehicle-mounted equipment can integrate multiple functions, and a driver can conveniently pay attention to the driving road condition.
Method embodiment one
Referring to FIG. 1, a flowchart illustrating the steps of a first embodiment of a data processing method according to the present application is shown, where the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system; the method may specifically comprise the following steps:
Step 101, sending a file processing request to the second operating system; the file processing request may be used to process a file, and the processing may specifically include: encryption processing or decryption processing;
Step 102, receiving a processing result returned by the second operating system.
At least one step included in the method of FIG. 1 may be performed by a first operating system. The first operating system may perform data interaction with the second operating system to enable encryption and/or decryption of the file by the second operating system through the key. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
In the embodiment of the application, data interaction can be performed between the first operating system and the second operating system through the kernel-mode channel. Specifically, the first operating system comprises a first kernel, the second operating system comprises a second kernel, and data interaction can be performed between the first kernel and the second kernel.
In the embodiment of the application, data interaction can be performed between the first operating system and the second operating system through the user mode channel. Specifically, the first operating system comprises a first application, the second operating system comprises a second application, and data interaction can be performed between the first application and the second application.
Optionally, the first kernel may include a TEE driver object. The TEE driver object can judge whether the file processing request meets a condition, and if so, the execution environment of the processor can be switched from the first execution environment to the second execution environment, that is, control can be handed over to the second operating system. The second operating system may obtain the file processing request using the shared memory.
In an optional embodiment of the present application, the file processing request may correspond to an encrypted image file, and the processing result may specifically include: user files and the executable file of an object.
In the embodiment of the application, an image file is a form of file in which a specific series of files is made into a single file according to a certain format, so that it is convenient for a user to download and use, for example an operating system or a game. The format of the image file may include: EXT4 (Fourth Extended File System), and the like.
An encrypted image file is an image file that has been encrypted. In practical application, before the device is booted, the user file and the executable file of the object may be encrypted to obtain an encrypted image file, and the encrypted image file is packaged in a first flash package of the first operating system. The encrypted image file can therefore be obtained from the first flash package and then stored in the memory of the first operating system.
An object may be a process, a thread, or a service (service) in an operating system, etc. Among them, a service is a component of an operating system (e.g., android) that is used to process some time-consuming logic in the background, or to perform some tasks that require long-term execution, and even in the event of a program exit, to allow the service to continue to remain in execution in the background.
In an optional embodiment of the present application, the object may be configured to read a user file in the namespace, perform preset processing on the user file, and return the preset processing result to other objects requesting a service. For example, in a payment scenario, the user file may include the information of a bank card (such as the card number and password), and the preset processing may include: verifying the password input by the user against the stored password according to the information of the bank card. It is understood that a person skilled in the art may determine the preset processing according to actual application requirements, and the embodiment of the present application does not limit the specific preset processing.
Optionally, the method may further include: mounting the user file and the executable file of the object to the namespace of the first operating system. Mounting the user file and the executable file of the object to the namespace of the first operating system gives the object access rights to the user file. It is understood that there can be one or more objects in the namespace of the first operating system. Optionally, objects in the namespace of the first operating system may have security functions.
In another optional embodiment of the present application, step 101 of sending the file processing request to the second operating system may specifically include: in response to an access operation on a file in the namespace, sending a file processing request corresponding to the access operation to the second operating system.
When a process running in a namespace accesses a file in the namespace, the kernel captures the corresponding access operation. For example, the access operation is captured by the VFS (Virtual File System) layer in the kernel. The access operation may include: a read operation, a write operation, etc. An object within the preset range or an object outside the preset range can operate on the file through a read operation or a write operation. A read operation may read user data from a user file, for example the data of a bank card; a write operation may be used to write user data to a user file, for example adding a bank card.
According to an embodiment, the file processing request corresponding to the access operation may be directly sent to the second operating system.
According to another embodiment, the file processing request corresponding to the access operation may be sent to the second operating system when a preset condition is met. Accordingly, prior to the sending of the file processing request to the second operating system, the method may further comprise: for the access operation on the file in the namespace, judging whether a trigger object and/or a request object corresponding to the access operation has access right to the file, to obtain a judgment result; and rejecting the access operation when the judgment result corresponding to any one of the trigger object and the request object is negative.
The trigger object may refer to an object that triggers an access operation; for example, if process 1 triggers an operation on file a, process 1 may be the trigger object. The request object may refer to an object requesting an access operation; for example, if process 2 requests process 1 to access file a, process 2 may be a request object corresponding to the access operation of file a. For another example, if process 3 requests process 2 to access file a, and process 2 requests process 1 to access file a, process 2 and process 3 may serve as request objects corresponding to the access operation of file a.
The embodiment of the present application judges whether the trigger object and/or the request object corresponding to the access operation have access right to the file, so as to enhance the security of the file during operation of the device.
Specifically, when the judgment result of any one of the trigger object and the request object is negative, the access operation is rejected to avoid the file being accessed by an object outside a preset range. In one example, process 3 needs to perform a payment operation and requests process 1 to access file B in the namespace; it is then necessary to judge whether process 3 and process 1 have access right to file B.
According to an embodiment, the determining whether the trigger object and/or the request object corresponding to the access operation have the access right to the file may specifically include: judging, according to the mapping relation between the file and the objects in the preset range, whether the trigger object and/or the request object corresponding to the access operation is within the preset range; if so, the judgment result is yes, and if not, the judgment result is no.
According to another embodiment, the determining whether the trigger object and/or the request object corresponding to the access operation have the access right to the file may specifically include: judging whether the trigger object and/or the request object corresponding to the access operation has the access right to the file according to the mapping relation among the object, the file and the right.
In an optional embodiment of the present application, the step 101 of sending a file processing request to the second operating system may specifically include: sending a file processing request corresponding to the access operation to the second operating system when the judgment results corresponding to the trigger object and the request object are both yes. In this way the file can be accessed only by objects within the preset range, so that the security of the file can be enhanced.
In summary, in the data processing method according to the embodiment of the present application, a file is stored in a namespace of a first operating system, so that a process running outside the namespace can be prevented from accessing the file; therefore, even if the device is invaded by a malicious party, the malicious process can be prevented from accessing the protected file in the namespace, and therefore the security of the file can be improved.
In addition, the key corresponding to the file is stored in the second execution environment corresponding to the second operating system in the embodiment of the present application, and the second execution environment is independent from the first execution environment, so that the risk of key leakage can be reduced in the embodiment of the present application, and the security of the file can be further improved.
In addition, the first operating system can perform data interaction with the second operating system so as to realize the encryption and/or decryption of the file through the key by the second operating system. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
Method embodiment two
Referring to fig. 2, a flowchart illustrating steps of a second embodiment of a data processing method according to the present application is shown, where a device applied by the method may be loaded with a first operating system and a second operating system; the first operating system may correspond to a first execution environment, and a namespace of the first operating system may include: a file; the second operating system may correspond to a second execution environment, and a key corresponding to the file may be stored in the second operating system;
the method may specifically comprise the steps of:
step 201, receiving a file processing request sent by a first operating system; the file processing request may be used to process a file, and the processing specifically may include: encryption processing or decryption processing;
step 202, processing the file processing request to obtain a processing result;
step 203, sending the processing result to the first operating system.
At least one step included in the method of fig. 2 may be performed by a second operating system. The second operating system may obtain the file processing request sent by the first operating system and use the key to implement encryption and/or decryption of the file. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
In an alternative embodiment of the present application, the key may be packaged into a second flash package of the second operating system. In this way, the key can be obtained from the second flash package, and the key can be further stored in the memory of the second operating system.
Optionally, the first operating system and the second operating system may utilize a shared memory for data interaction. Specifically, a first operating system may place file processing requests to shared memory, while a second operating system may obtain file processing requests from shared memory. Similarly, the second operating system may place the processing results into the shared memory, and the first operating system may obtain the processing results from the shared memory.
In an optional embodiment of the present application, the file processing request may correspond to an encrypted image file, and the processing result may specifically include: user files and executable files of objects.
In another optional embodiment of the present application, the processing, in step 202, the file processing request may specifically include:
encrypting the plaintext file corresponding to the file processing request according to the stored key; or
decrypting the ciphertext file corresponding to the file processing request according to the stored key.
In yet another optional embodiment of the present application, the processing the file processing request specifically includes: performing encryption processing or decryption processing on the file corresponding to the file processing request by using hardware encryption equipment. The hardware encryption equipment can encrypt the file by adopting a hardware data encryption technology and has the functions of preventing key decryption, recovering data and the like.
Of course, in the embodiment of the present application, the file corresponding to the file processing request may also be encrypted or decrypted by using a software encryption technology. The software encryption technology can realize the encryption or decryption function of the file through encryption software built in the product. Those skilled in the art can adopt hardware encryption technology or software encryption technology according to the actual application requirement.
In summary, in the data processing method according to the embodiment of the present application, the second operating system may obtain the file processing request sent by the first operating system, and encrypt and/or decrypt the file by using the key. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
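As an added illustration of steps 201 to 203 over shared memory (not code from the patent), the C sketch below simulates both operating systems in one program. The mailbox layout, status codes, key bytes and the XOR stand-in for the real cipher or hardware engine are assumptions, and the direct function call stands in for the switch between execution environments.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SHM_PAYLOAD_MAX 64u

enum req_type { REQ_ENCRYPT = 1, REQ_DECRYPT = 2 };
enum req_status { ST_OK = 0, ST_BAD_TYPE = 1, ST_BAD_LEN = 2 };

/* Hypothetical layout of the memory region both operating systems can see. */
struct shm_mailbox {
    uint32_t type;                      /* set by the first operating system */
    uint32_t len;                       /* set by the first operating system */
    uint32_t status;                    /* set by the second operating system */
    uint8_t  payload[SHM_PAYLOAD_MAX];  /* request data in, processing result out */
};

/* Constructed key. It lives only in second-OS memory and is never written
 * to the mailbox. */
static const uint8_t SECOND_OS_KEY[8] = {
    0x3c, 0xa5, 0x5a, 0xc3, 0x96, 0x69, 0x0f, 0xf0
};

/* Stand-in for the real cipher or hardware engine: XOR with the repeating
 * key. It is NOT secure; it only makes the data flow observable. */
static void stand_in_transform(uint8_t *buf, size_t len)
{
    size_t i;
    for (i = 0; i < len; i++)
        buf[i] ^= SECOND_OS_KEY[i % sizeof SECOND_OS_KEY];
}

/* Second operating system, steps 201 to 203. */
uint32_t second_os_handle(struct shm_mailbox *shm)
{
    uint8_t private_buf[SHM_PAYLOAD_MAX];
    /* Read each header field once: the first OS can rewrite shared memory
     * while this runs, so later code uses the local copies only. */
    uint32_t type = shm->type;
    uint32_t len = shm->len;

    if (type != REQ_ENCRYPT && type != REQ_DECRYPT)
        return shm->status = ST_BAD_TYPE;
    if (len == 0 || len > SHM_PAYLOAD_MAX)
        return shm->status = ST_BAD_LEN;

    memcpy(private_buf, shm->payload, len);  /* copy in, process privately */
    stand_in_transform(private_buf, len);
    memcpy(shm->payload, private_buf, len);  /* step 203: result to shared memory */
    shm->len = len;
    return shm->status = ST_OK;
}

/* First operating system: place the request, hand over, collect the result. */
int first_os_request(struct shm_mailbox *shm, uint32_t type,
                     const uint8_t *in, size_t len, uint8_t *out)
{
    if (len == 0 || len > SHM_PAYLOAD_MAX)
        return -1;
    shm->type = type;
    shm->len = (uint32_t)len;
    memcpy(shm->payload, in, len);
    if (second_os_handle(shm) != ST_OK)
        return -1;
    memcpy(out, shm->payload, len);
    return 0;
}

/* Encrypt then decrypt a constructed record; returns 1 if the round trip holds. */
int demo_round_trip(void)
{
    static const uint8_t record[] = "card=0000;holder=TEST";
    struct shm_mailbox shm;
    uint8_t ct[sizeof record], pt[sizeof record];

    memset(&shm, 0, sizeof shm);
    if (first_os_request(&shm, REQ_ENCRYPT, record, sizeof record, ct) != 0)
        return 0;
    if (memcmp(ct, record, sizeof record) == 0)
        return 0;                            /* nothing was transformed */
    if (first_os_request(&shm, REQ_DECRYPT, ct, sizeof ct, pt) != 0)
        return 0;
    return memcmp(pt, record, sizeof record) == 0;
}

/* Status the second OS returns for a raw header written into the mailbox. */
uint32_t demo_raw_header(uint32_t type, uint32_t len)
{
    struct shm_mailbox shm;
    memset(&shm, 0, sizeof shm);
    shm.type = type;
    shm.len = len;
    return second_os_handle(&shm);
}

int main(void)
{
    printf("round trip ok: %d\n", demo_round_trip());
    printf("oversized length status: %u\n",
           (unsigned)demo_raw_header(REQ_DECRYPT, SHM_PAYLOAD_MAX + 1u));
    return 0;
}
```

The second operating system treats the mailbox header as untrusted input: an unknown request type or a length outside the payload area is refused before any key-dependent processing runs.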
Method embodiment three
Referring to fig. 3, a flowchart illustrating steps of a third embodiment of a data processing method according to the present application is shown, where a device applied by the method may be loaded with a first operating system and a second operating system; the first operating system may correspond to a first execution environment, and a namespace of the first operating system may include: a file; the second operating system may correspond to a second execution environment, and a key corresponding to the file may be stored in the second operating system;
the method may specifically comprise the steps of:
step 301, the first operating system sends a decryption request to the second operating system; the decryption request can correspond to an encrypted image file;
step 302, the second operating system decrypts the encrypted image file and sends a decryption result to the first operating system; the decryption processing result may include: user files and executable files of objects;
step 303, the first operating system mounts the user file and the executable file of the object to a namespace of the first operating system.
The embodiment of the application can be applied to the starting stage of the equipment. In the starting stage, a second operating system can be mounted, so that a secret key is stored in the second operating system; the first operating system may also be mounted so that the first operating system obtains the encrypted image file. Steps 301 and 303 may be performed by a first process of the first operating system, and the first process may be a first user process started after the kernel of the first operating system is loaded.
The encrypted image file can be stored in the device offline, and the first operating system can obtain information (such as the file itself or a storage address) of the encrypted image file and send the information of the encrypted image file to the second operating system, so that the second operating system can decrypt the encrypted image file, and the first operating system can store the decrypted user file and can start the object. The decrypted user file may be a plaintext file or a ciphertext file.
In summary, in the data processing method according to the embodiment of the present application, the second operating system may obtain the decryption request sent by the first operating system, and decrypt the encrypted image file by using the key. Since the decryption of the encrypted image file is performed in the second execution environment corresponding to the second operating system, the security of the encrypted image file may be increased.
Method embodiment four
Referring to fig. 4, a flowchart illustrating steps of a fourth embodiment of a data processing method according to the present application is shown, where a device applied by the method may be loaded with a first operating system and a second operating system; the first operating system may correspond to a first execution environment, and a namespace of the first operating system may include: a file; the second operating system may correspond to a second execution environment, and a key corresponding to the file may be stored in the second operating system;
the method may specifically comprise the steps of:
step 401, the first operating system judges, for an access operation on a file in a namespace, whether a trigger object and/or a request object corresponding to the access operation has access right to the file; if the judgment result corresponding to any one of the trigger object and the request object is negative, step 402 is executed; if the judgment results corresponding to the trigger object and the request object are both yes, step 403 is executed;
step 402, refusing the access operation;
step 403, sending a file processing request corresponding to the access operation to the second operating system;
and step 404, receiving a processing result returned by the second operating system.
The access operation may include: a read operation, or a write operation, etc. For example, objects within a preset range may be operated on a file through a read operation or a write operation. The reading operation may read user data from a user file, for example, data of a bank card; the write operation may be used to write user data to a user file, such as adding a bank card.
The object in the preset range or the object outside the preset range can realize the operation on the file through reading operation or writing operation.
For example, in the case where the file in the namespace is a ciphertext file, if the access operation is a read operation or a write operation, a decryption request may be sent to the second operating system.
If the access operation is a write operation, an encryption request may be sent to the second operating system to encrypt the modified plaintext file by using the encrypted file.
It can be understood that, a person skilled in the art may determine the access operation and the corresponding file processing request according to the actual application requirement, and the specific access operation and the corresponding file processing request are not limited in the embodiment of the present application.
In summary, the data processing method according to the embodiment of the present application determines whether the trigger object and/or the request object corresponding to the access operation have an access right to the file, so as to enhance the security of the file during the operation of the device. Specifically, when the judgment result of any one of the trigger object and the request object is negative, the access operation is rejected to avoid the file being accessed by an object outside a preset range.
In addition, in the embodiment of the present application, a file processing request corresponding to the access operation is sent to the second operating system, and the second operating system may implement encryption and/or decryption of a file through the key. Since the encryption and/or decryption of the file is performed in the second execution environment corresponding to the second operating system, the security of the file can be increased.
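The judgment in steps 401 to 403, using the mapping among object, file and right described for the first embodiment, can be sketched as follows. This is an added example, not code from the patent; the file path, the rights table and the choice of request for a ciphertext file (a decryption for a read, a decryption followed by an encryption for a write) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access operations captured at the VFS layer (bit flags, so one row of the
 * table can grant both). */
enum access_op { OP_READ = 1, OP_WRITE = 2 };

/* Outcome of the judgment made by the first operating system. */
enum verdict {
    V_REJECT = 0,            /* step 402 */
    V_DECRYPT,               /* step 403: read of a ciphertext file */
    V_DECRYPT_THEN_ENCRYPT   /* step 403: write of a ciphertext file */
};

/* One row of the object / file / right mapping. All rows are constructed. */
struct right_entry {
    int object_id;
    const char *file;
    unsigned rights;
};

static const struct right_entry RIGHTS[] = {
    { 1, "/ns/cards.dat", OP_READ | OP_WRITE },  /* process 1, in the namespace */
    { 2, "/ns/cards.dat", OP_READ },             /* process 2, may only read */
    { 3, "/ns/cards.dat", OP_READ | OP_WRITE },  /* process 3, payment front end */
};

/* Default deny: an object with no row for this file has no right to it. */
static int has_right(int object_id, const char *file, enum access_op op)
{
    size_t i;
    for (i = 0; i < sizeof RIGHTS / sizeof RIGHTS[0]; i++) {
        if (RIGHTS[i].object_id == object_id &&
            strcmp(RIGHTS[i].file, file) == 0)
            return (RIGHTS[i].rights & (unsigned)op) != 0;
    }
    return 0;
}

/* Step 401. `trigger` issued the operation; `requesters` lists every object
 * that asked for it, nearest caller first. One negative result rejects the
 * whole operation. */
enum verdict decide(const char *file, enum access_op op, int trigger,
                    const int *requesters, size_t n_requesters)
{
    size_t i;

    if (file == NULL || (op != OP_READ && op != OP_WRITE))
        return V_REJECT;
    if (n_requesters > 0 && requesters == NULL)
        return V_REJECT;
    if (!has_right(trigger, file, op))
        return V_REJECT;
    for (i = 0; i < n_requesters; i++) {
        if (!has_right(requesters[i], file, op))
            return V_REJECT;
    }
    return op == OP_WRITE ? V_DECRYPT_THEN_ENCRYPT : V_DECRYPT;
}

int main(void)
{
    /* Process 3 asks process 2, which asks process 1 (the trigger object). */
    const int chain[] = { 2, 3 };

    printf("read  via 3->2->1: %d\n",
           decide("/ns/cards.dat", OP_READ, 1, chain, 2));
    printf("write via 3->2->1: %d\n",
           decide("/ns/cards.dat", OP_WRITE, 1, chain, 2));
    return 0;
}
```

In the constructed table the write through process 2 is rejected even though the trigger object and the original requester both hold the write right, because every request object in the chain is judged.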
For a person skilled in the art to better understand the embodiment of the present application, referring to fig. 5, a data interaction schematic between a first operating system and a second operating system of the embodiment of the present application is shown, where the first operating system may include: a first user state and a first kernel state, and the namespace of the first user state may include: user files and process 1. Of course, the namespace to which process 1 belongs may also include: other processes, such as process 4, etc.
In the case where a process such as process 1 or process 2 triggers an access operation to a user file, the virtual file system in the first kernel state may detect the access operation and deliver the access operation to the first processing module. The first processing module may determine whether the trigger object and/or the request object corresponding to the access operation have an access right to the file, and if the determination result of any one of the trigger object and the request object is negative, the access operation is rejected; if the judgment results corresponding to the trigger object and the request object are both yes, sending a file processing request corresponding to the access operation to the TEE driving object; the TEE driver object may determine whether the file processing request meets a condition, and if so, may switch the execution environment of the processor from the first execution environment to the second execution environment, that is, may pass the operation right to the second operating system.
The second operating system may obtain the file processing request by using the shared memory, and process the file processing request by using the key through the second processing module. The second operating system may include: a second user state and a second kernel state. The second processing module may be located in the second user state or the second kernel state, and the specific setting manner of the second processing module is not limited in this embodiment of the application.
It should be noted that, for simplicity of description, the method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the embodiments are not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the embodiments. Further, those skilled in the art will also appreciate that the embodiments described in the specification are presently preferred and that no particular act is required of the embodiments of the application.
The embodiment of the application also provides a data processing device.
In one embodiment of the present application, the device applied by the apparatus may be loaded with a first operating system and a second operating system;
the first operating system may correspond to a first execution environment, and a namespace of the first operating system may include: a file;
the second operating system may correspond to a second execution environment, and a key corresponding to the file may be stored in the second operating system.
Optionally, the file is mounted to a namespace of the first operating system.
Optionally, the file may include: a plaintext file obtained by the second operating system decrypting a ciphertext file according to the key.
Optionally, the file may include: a ciphertext file.
Optionally, the first operating system performs data interaction with the second operating system to implement encryption and/or decryption of the file through the key.
Optionally, the second execution environment may include: a trusted execution environment.
Referring to fig. 6, a block diagram of an embodiment of a data processing apparatus according to the present application is shown, wherein a device applied by the apparatus is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system may include: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file can be stored in the second operating system; the apparatus may specifically include:
a sending module 601, configured to send a file processing request to the second operating system; the file processing request is used for processing a file, and the processing may include: encryption processing or decryption processing;
a receiving module 602, configured to receive a processing result returned by the second operating system.
Optionally, the file processing request corresponds to an encrypted image file, and the processing result may include: user files and executable files of objects;
the apparatus may further include:
a mounting module, configured to mount the user file and the executable file of the object to the namespace of the first operating system.
Optionally, the sending module 601 may include:
a first sending module, configured to send, in response to an access operation for a file in the namespace, a file processing request corresponding to the access operation to the second operating system.
Optionally, the apparatus may further include:
a judging module, configured to judge, for an access operation on a file in the namespace and before the sending module sends the file processing request to the second operating system, whether a trigger object and/or a request object corresponding to the access operation has access right to the file, so as to obtain a judgment result;
a rejecting module, configured to reject the access operation when the judgment result corresponding to any one of the trigger object and the request object is negative.
Optionally, the sending module 601 may include:
a second sending module, configured to send the file processing request corresponding to the access operation to the second operating system when the judgment results corresponding to the trigger object and the request object are both yes.
Optionally, the second execution environment may include: a trusted execution environment.
Referring to fig. 7, a block diagram of an embodiment of a data processing apparatus according to the present application is shown, wherein a device applied by the apparatus is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system may include: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file can be stored in the second operating system; the apparatus may specifically include:
a receiving module 701, configured to receive a file processing request sent by the first operating system; the file processing request is used for processing a file, and the processing comprises the following steps: encryption processing or decryption processing;
a processing module 702, configured to process the file processing request to obtain a processing result;
a sending module 703, configured to send the processing result to the first operating system.
Optionally, the file processing request corresponds to an encrypted image file, and the processing result includes: user files and executable files of objects.
Optionally, the processing module 702 may specifically include:
an encryption module, configured to encrypt the plaintext file corresponding to the file processing request according to the stored key; or
a decryption module, configured to decrypt the ciphertext file corresponding to the file processing request according to the stored key.
Optionally, the processing module 702 may specifically include:
a hardware encryption module, configured to perform encryption processing or decryption processing on the file corresponding to the file processing request by using hardware encryption equipment.
Optionally, the second execution environment may include: a trusted execution environment.
Since the device embodiment is basically similar to the method embodiment, its description is relatively brief; for the relevant points, refer to the corresponding description of the method embodiment.
The embodiments in the present specification are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other.
With regard to the apparatus in the above-described embodiment, the specific manner in which each module performs the operation has been described in detail in the embodiment related to the method, and will not be elaborated here.
Embodiments of the application may be implemented as a system or device using any suitable hardware and/or software for the desired configuration. Fig. 8 schematically illustrates an exemplary device 1300 that can be used to implement various embodiments described herein.
For one embodiment, fig. 8 illustrates an exemplary apparatus 1300, which apparatus 1300 may comprise: one or more processors 1302, a system control module (chipset) 1304 coupled to at least one of the processors 1302, system memory 1306 coupled to the system control module 1304, non-volatile memory (NVM)/storage 1308 coupled to the system control module 1304, one or more input/output devices 1310 coupled to the system control module 1304, and a network interface 1312 coupled to the system control module 1306. The system memory 1306 may include: instructions 1362, the instructions 1362 being executable by the one or more processors 1302.
Processor 1302 may include one or more single-core or multi-core processors, and processor 1302 may include any combination of general-purpose processors or special-purpose processors (e.g., graphics processors, application processors, baseband processors, etc.). In some embodiments, the device 1300 can function as a server, a target device, a wireless device, etc., as described in embodiments herein.
In some embodiments, device 1300 may include one or more machine-readable media (e.g., system memory 1306 or NVM/storage 1308) having instructions thereon and one or more processors 1302, which in combination with the one or more machine-readable media, are configured to execute the instructions to implement the modules included in the aforementioned means to perform the actions described in embodiments of the present application.
System control module 1304 for one embodiment may include any suitable interface controller to provide any suitable interface to at least one of processors 1302 and/or any suitable device or component in communication with system control module 1304.
System control module 1304 for one embodiment may include one or more memory controllers to provide an interface to system memory 1306. The memory controller may be a hardware module, a software module, and/or a firmware module.
System memory 1306 for one embodiment may be used to load and store data and/or instructions 1362. For one embodiment, system memory 1306 may include any suitable volatile memory, such as suitable DRAM (dynamic random access memory). In some embodiments, system memory 1306 may include: double data rate type four synchronous dynamic random access memory (DDR4 SDRAM).
System control module 1304 for one embodiment may include one or more input/output controllers to provide an interface to NVM/storage 1308 and input/output device(s) 1310.
NVM/storage 1308 for one embodiment may be used to store data and/or instructions 1382. NVM/storage 1308 may include any suitable non-volatile memory (e.g., flash memory, etc.) and/or may include any suitable non-volatile storage device(s), e.g., one or more Hard Disk Drives (HDDs), one or more Compact Disc (CD) drives, and/or one or more Digital Versatile Disc (DVD) drives, etc.
The NVM/storage 1308 may include storage resources that are physically part of the device on which the apparatus 1300 is installed or may be accessible by the device and not necessarily part of the device. For example, the NVM/storage 1308 may be accessed over a network via the network interface 1312 and/or through the input/output devices 1310.
Input/output device(s) 1310 for one embodiment may provide an interface for device 1300 to communicate with any other suitable device, and input/output devices 1310 may include communication components, audio components, sensor components, and so forth.
Network interface 1312 of one embodiment may provide an interface for device 1300 to communicate with one or more networks and/or with any other suitable apparatus, and device 1300 may communicate wirelessly with one or more components of a wireless network according to any of one or more wireless network standards and/or protocols, such as to access a communication standard-based wireless network, such as WiFi, 2G, or 3G, or a combination thereof.
For one embodiment, at least one of the processors 1302 may be packaged together with logic for one or more controllers (e.g., memory controllers) of the system control module 1304. For one embodiment, at least one of the processors 1302 may be packaged together with logic for one or more controllers of the system control module 1304 to form a System In Package (SiP). For one embodiment, at least one of the processors 1302 may be integrated on the same die as the logic of one or more controllers of the system control module 1304. For one embodiment, at least one of processors 1302 may be integrated on the same chip with logic for one or more controllers of system control module 1304 to form a system on a chip (SoC).
In various embodiments, device 1300 may include, but is not limited to, a desktop computing device or a computing device such as a mobile computing device (e.g., a laptop computing device, a handheld computing device, a tablet, a netbook, etc.). In various embodiments, device 1300 may have more or fewer components and/or different architectures. For example, in some embodiments, device 1300 may include one or more cameras, a keyboard, a liquid crystal display (LCD) screen (including a touch screen display), a non-volatile memory port, multiple antennas, a graphics chip, an Application Specific Integrated Circuit (ASIC), and a speaker.
Wherein, if the display includes a touch panel, the display screen may be implemented as a touch screen display to receive an input signal from a user. The touch panel includes one or more touch sensors to sense touch, slide, and gestures on the touch panel. The touch sensor may not only sense the boundary of a touch or slide action, but also detect the duration and pressure associated with the touch or slide operation.
The present application also provides a non-transitory readable storage medium, where one or more modules (programs) are stored in the storage medium, and when the one or more modules are applied to an apparatus, the apparatus may be caused to execute the instructions of the methods in the present application.
Provided in one example is an apparatus comprising: one or more processors; and, instructions in one or more machine-readable media stored thereon, which when executed by the one or more processors, cause the apparatus to perform a method as in embodiments of the present application, which may include: the method shown in fig. 1 or fig. 2 or fig. 3 or fig. 4 or fig. 5.
One or more machine-readable media are also provided in one example, having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform a method as in embodiments of the application, which may include: the method shown in fig. 1 or fig. 2 or fig. 3 or fig. 4 or fig. 5.
The specific manner in which each module performs operations of the apparatus in the above embodiments has been described in detail in the embodiments related to the method, and will not be described in detail here, and reference may be made to part of the description of the method embodiments for relevant points.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the true scope of the embodiments of the application.
Finally, it should also be noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The data processing method, data processing apparatus, device and machine-readable medium provided by the present application have been described in detail above. Specific examples are used herein to explain the principles and embodiments of the present application, and the description of these examples is only intended to help in understanding the method and core ideas of the present application. Meanwhile, a person skilled in the art may, following the ideas of the present application, vary the specific embodiments and the scope of application. In summary, the content of this specification should not be construed as limiting the present application.

Claims (26)

1. A data processing method, characterized in that the device to which the method is applied is loaded with a first operating system and a second operating system;
the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file;
the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system.
2. The method of claim 1, wherein the file is mounted to a namespace of the first operating system.
3. The method of claim 1, wherein the file comprises: a plaintext file obtained by the second operating system decrypting a ciphertext file according to the key.
4. The method of claim 1, wherein the file comprises: a ciphertext file.
5. The method of any of claims 1-4, wherein the second execution environment comprises: a trusted execution environment.
6. The method according to any one of claims 1 to 4, wherein the first operating system performs data interaction with the second operating system to encrypt and/or decrypt the file by means of the key.
7. A data processing method, characterized in that the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system; the method comprises:
sending a file processing request to the second operating system; the file processing request is used for processing a file, and the processing comprises: encryption processing or decryption processing;
and receiving a processing result returned by the second operating system.
8. The method of claim 7, wherein the file processing request corresponds to an encrypted image file, and wherein the processing result comprises: user files and executable files of objects;
the method further comprises:
mounting the user file and the executable file of the object to a namespace of the first operating system.
9. The method of claim 7, wherein sending a file processing request to the second operating system comprises:
in response to an access operation on the file in the namespace, sending a file processing request corresponding to the access operation to the second operating system.
10. The method of claim 7, wherein the second execution environment comprises: a trusted execution environment.
11. The method of any of claims 7 to 10, wherein prior to said sending a file processing request to said second operating system, said method further comprises:
for an access operation on the file in the namespace, judging whether a trigger object and/or a request object corresponding to the access operation has access permission to the file, to obtain a judgment result;
and rejecting the access operation if the judgment result corresponding to either the trigger object or the request object is negative.
12. The method of claim 11, wherein sending a file processing request to the second operating system comprises:
sending a file processing request corresponding to the access operation to the second operating system if the judgment results corresponding to the trigger object and the request object are both affirmative.
13. A data processing method, characterized in that the device to which the method is applied is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system;
the method comprises:
receiving a file processing request sent by the first operating system; the file processing request is used for processing a file, and the processing comprises: encryption processing or decryption processing;
processing the file processing request to obtain a processing result;
and sending the processing result to the first operating system.
14. The method of claim 13, wherein the file processing request corresponds to an encrypted image file, and wherein the processing result comprises: user files and executable files of objects.
15. The method of claim 13, wherein the processing the file processing request comprises:
encrypting the plaintext file corresponding to the file processing request according to the stored key; or
decrypting the ciphertext file corresponding to the file processing request according to the stored key.
16. The method of claim 13, wherein the processing the file processing request comprises:
performing encryption processing or decryption processing on the file corresponding to the file processing request by using a hardware encryption device.
17. The method of any of claims 13 to 16, wherein the second execution environment comprises: a trusted execution environment.
18. A data processing apparatus, wherein a device to which the apparatus applies is loaded with a first operating system and a second operating system;
the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file;
the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system.
19. A data processing apparatus, wherein a device to which the apparatus applies is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system; the apparatus comprises:
a sending module, configured to send a file processing request to the second operating system; the file processing request is used for processing a file, and the processing comprises: encryption processing or decryption processing;
and a receiving module, configured to receive the processing result returned by the second operating system.
20. A data processing apparatus, wherein a device to which the apparatus applies is loaded with a first operating system and a second operating system; the first operating system corresponds to a first execution environment, and a namespace of the first operating system includes: a file; the second operating system corresponds to a second execution environment, and a key corresponding to the file is stored in the second operating system;
the apparatus comprises:
a receiving module, configured to receive a file processing request sent by the first operating system; the file processing request is used for processing a file, and the processing comprises: encryption processing or decryption processing;
a processing module, configured to process the file processing request to obtain a processing result;
and a sending module, configured to send the processing result to the first operating system.
21. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method recited by one or more of claims 1-6.
22. One or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform the method recited by one or more of claims 1-6.
23. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method recited by one or more of claims 7-12.
24. One or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform the method recited by one or more of claims 7-12.
25. An apparatus, comprising:
one or more processors; and
one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the apparatus to perform the method of one or more of claims 13-17.
26. One or more machine-readable media having instructions stored thereon, which when executed by one or more processors, cause an apparatus to perform the method recited by one or more of claims 13-17.
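
The request flow of claims 7, 11 to 13 and 15, as an added example that is not code from the patent: the first operating system checks both the trigger object and the request object before forwarding a file processing request, and the second operating system applies the stored key and returns only the processing result. Assumptions: the class and method names, the set-based access list, the identifiers used for the two objects, and the HMAC-SHA256 keystream with an integrity tag, which stands in for whatever cipher or hardware encryption device a real second operating system would use; Python object boundaries model the isolation here but do not enforce it.

```python
import hashlib
import hmac
import os


class SecondOS:
    """Second execution environment (e.g. a TEE). The file key never leaves it."""

    def __init__(self):
        # Constructed key for the example; a real design provisions it in secure storage.
        self._key = os.urandom(32)

    def _prf(self, label, nonce, data):
        # The label keeps keystream blocks and integrity tags in separate domains.
        return hmac.new(self._key, label + nonce + data, hashlib.sha256).digest()

    def _xor_stream(self, nonce, data):
        # Stand-in cipher (assumption): HMAC-SHA256 in counter mode as a keystream.
        blocks = (len(data) + 31) // 32
        stream = b"".join(self._prf(b"enc", nonce, i.to_bytes(8, "big")) for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def process(self, op, data):
        """Handle a file processing request; only the result crosses the boundary."""
        if op == "encrypt":
            nonce = os.urandom(16)
            body = self._xor_stream(nonce, data)
            return nonce + body + self._prf(b"mac", nonce, body)
        if op == "decrypt":
            if len(data) < 48:
                raise ValueError("ciphertext too short")
            nonce, body, tag = data[:16], data[16:-32], data[-32:]
            if not hmac.compare_digest(tag, self._prf(b"mac", nonce, body)):
                raise ValueError("ciphertext failed integrity check")
            return self._xor_stream(nonce, body)
        raise ValueError("processing must be encryption or decryption")


class FirstOS:
    """First execution environment: owns the namespace and access policy, not the key."""

    def __init__(self, second_os, acl):
        self._second_os = second_os
        self._acl = acl        # path -> identifiers with access permission (hypothetical model)
        self.namespace = {}    # path -> ciphertext file

    def _check(self, path, trigger, requester):
        allowed = self._acl.get(path, set())
        # Reject when the judgment for either object is negative (claim 11).
        if trigger not in allowed or requester not in allowed:
            raise PermissionError(f"access to {path} rejected")

    def write(self, path, plaintext, trigger, requester):
        self._check(path, trigger, requester)
        self.namespace[path] = self._second_os.process("encrypt", plaintext)

    def read(self, path, trigger, requester):
        # Forward the request only when both judgments are affirmative (claim 12).
        self._check(path, trigger, requester)
        return self._second_os.process("decrypt", self.namespace[path])
```

The access check runs before any request reaches the second operating system, so a rejected caller never causes a decryption, and the integrity tag makes a modified ciphertext fail instead of decrypting to altered plaintext.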
CN201910005492.6A 2019-01-03 2019-01-03 Data processing method, device, equipment and machine-readable medium Active CN111400726B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910005492.6A CN111400726B (en) 2019-01-03 2019-01-03 Data processing method, device, equipment and machine-readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910005492.6A CN111400726B (en) 2019-01-03 2019-01-03 Data processing method, device, equipment and machine-readable medium

Publications (2)

Publication Number Publication Date
CN111400726A true CN111400726A (en) 2020-07-10
CN111400726B CN111400726B (en) 2024-04-09

Family

ID=71430268

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910005492.6A Active CN111400726B (en) 2019-01-03 2019-01-03 Data processing method, device, equipment and machine-readable medium

Country Status (1)

Country Link
CN (1) CN111400726B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114117460A (en) * 2020-09-01 2022-03-01 鸿富锦精密电子(天津)有限公司 Data protection method and device, electronic equipment and storage medium

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070233686A1 (en) * 2006-03-30 2007-10-04 Microsoft Corporation Isolated access to named resources
CN104239814A (en) * 2014-09-17 2014-12-24 上海斐讯数据通信技术有限公司 Mobile office safety method and mobile office safety system
CN104331329A (en) * 2014-09-30 2015-02-04 上海斐讯数据通信技术有限公司 Mobile office security system and method supporting domain management
US20160359622A1 (en) * 2015-06-05 2016-12-08 Nutanix, Inc. Optimizable full-path encryption in a virtualization environment
CN106878231A (en) * 2015-12-10 2017-06-20 中国电信股份有限公司 Method, user terminal and system for realizing secure user data transmission
CN106980794A (en) * 2017-04-01 2017-07-25 北京元心科技有限公司 TrustZone-based file encryption and decryption method and device and terminal equipment
CN106997439A (en) * 2017-04-01 2017-08-01 北京元心科技有限公司 TrustZone-based data encryption and decryption method and device and terminal equipment
US20170228182A1 (en) * 2016-02-08 2017-08-10 Microsoft Technology Licensing, Llc Container credentialing by host
US20180115530A1 (en) * 2016-10-24 2018-04-26 Arm Ip Limited Federating data inside of a trusted execution environment
CN108733455A (en) * 2018-05-31 2018-11-02 上海交通大学 Vessel isolation based on ARM TrustZone enhances system


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
朱新华: "基于开放式组件的Web课件内容的设计与实现", 计算机系统应用, no. 09, pages 28 - 30 *


Also Published As

Publication number Publication date
CN111400726B (en) 2024-04-09

Similar Documents

Publication Publication Date Title
CN105447406B (en) A kind of method and apparatus for accessing memory space
EP3047375B1 (en) Virtual machine manager facilitated selective code integrity enforcement
US10536274B2 (en) Cryptographic protection for trusted operating systems
CN104969234B (en) For the root of trust of the measurement of virtual machine
JP4940460B2 (en) Processing system, method and device
EP3267351A1 (en) Method for securely managing a docker image
US9565169B2 (en) Device theft protection associating a device identifier and a user identifier
US10372628B2 (en) Cross-domain security in cryptographically partitioned cloud
CN109522722A (en) System method and device of safe processing
US20130166922A1 (en) Method and system for frame buffer protection
US10691627B2 (en) Avoiding redundant memory encryption in a cryptographic protection system
AU2020202014A1 (en) Raw sensor input encryption for passcode entry security
US20150220709A1 (en) Security-enhanced device based on virtualization and the method thereof
US20160292085A1 (en) Protecting storage from unauthorized access
KR20140051350A (en) Digital signing authority dependent platform secret
JP2018511956A (en) Technology to enhance data encryption using secure enclaves
CN104246784A (en) Method, device, and system for protecting and securely delivering media content
CN115277143B (en) Data security transmission method, device, equipment and storage medium
US20230161885A1 (en) Security architecture system, cryptographic operation method for security architecture system, and computing device
CN111538995B (en) Data storage method and device and electronic equipment
Chang et al. User-friendly deniable storage for mobile devices
US11251961B2 (en) Methods and apparatuses for storing or invoking blockchain account private keys
CN111400726B (en) Data processing method, device, equipment and machine-readable medium
US20170249453A1 (en) Controlling access to secured media content
US9772954B2 (en) Protecting contents of storage

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20201224

Address after: Room 603, 6 / F, Roche Plaza, 788 Cheung Sha Wan Road, Kowloon, China

Applicant after: Zebra smart travel network (Hong Kong) Ltd.

Address before: A four-storey 847 mailbox in Grand Cayman Capital Building, British Cayman Islands

Applicant before: Alibaba Group Holding Ltd.

TA01 Transfer of patent application right
GR01 Patent grant