Disclosure of Invention
The invention aims to provide a method for defending against fault injection during the secure boot of a national cryptographic (SM-series) SoC chip. The method is independent of any fault injection detection method, can be combined with existing defences, and provides a better defensive effect.
The system comprises a hardware detection module, a memory authority control module and a specific software boot flow, all arranged in the chip.
At chip design time, a hardware detection module is built into the chip. It tracks the steps executed by the software: when the correct sequence is detected, it drives the memory authority control module to release the read-write or execution authority of the memory step by step; when an incorrect sequence is detected, the memory authority control module does not release the read-write or execution authority, so the software cannot continue to execute. Specifically, at the chip design stage the software and hardware agree on a specific character marking each key step of secure boot, and during secure boot the software writes the corresponding character into the hardware detection module each time a key step is executed.
The hardware detection module embeds a state machine that checks the written characters in order against preset values to judge whether the software is executing correctly. In each state, the specific secure boot software writes the corresponding character so that the state machine makes the correct transition; if the wrong character is written, the state machine enters an error state and falls into a dead loop, from which it can only recover by a power-on reset.
The key steps include the SM4 symmetric decryption algorithm, the SM2 asymmetric signature verification algorithm, the SM3 hash algorithm, the random number self-check and specific system operations. The specific system operations include waiting for the hardware security module self-check, the program jump from ROM to internal SRAM, and so on.
After the chip is powered on, the memory authority control module by default forbids the CPU from reading, writing and executing the memory. The memory includes the SRAM (static random-access memory) inside the chip and the DRAM (dynamic random-access memory) outside the chip. The memory authority control module is controlled only by the hardware detection module.
The specific software boot procedure means that, on top of the conventional secure boot procedure, the corresponding character is written into the built-in hardware detection module each time a key step or specific system operation is executed.
The method comprises the following specific steps:
Step (1), the chip is powered on, the CPU executes the ROM code and waits for the self-check of the secure hardware cryptographic algorithm module and the random number self-check; when the self-checks pass, the CPU writes a specific character into the hardware detection module.
The secure hardware cryptographic algorithm module refers to the hardware implementation of the SM4 symmetric encryption and decryption algorithm, the SM2 asymmetric signature verification algorithm and the SM3 hash algorithm.
Step (2), the hardware detection module receives the character indicating that the self-check passed and releases the CPU's read-write authority to the internal SRAM through the memory authority control module.
Step (3), the CPU reads the boot program from the external medium into the internal SRAM and executes SM4 decryption and SM2 signature verification (including SM3); after the signature passes, it writes a specific character into the hardware detection module.
Step (4), after the hardware detection module receives the specific character, the CPU's execution authority on the internal SRAM is released through the memory authority control module.
Step (5), the CPU jumps from the ROM to the SRAM, executes the boot program in the SRAM and writes a specific character into the hardware detection module.
Step (6), after the hardware detection module receives the specific character, the CPU's read-write authority to the external DRAM is released through the memory authority control module.
Step (7), the CPU reads the image file from the external medium into the external DRAM and executes SM4 decryption and SM2 signature verification (including SM3); after the signature passes, it writes a specific character into the hardware detection module.
Step (8), after the hardware detection module receives the specific character, the CPU's execution authority to the external DRAM is released through the memory authority control module.
Step (9), the CPU jumps from the internal SRAM to the external DRAM to start the system.
The decryption and signature verification operations in steps (3) and (7) may be performed one or more times depending on the secure boot flow, and a different specific character is written into the hardware detection module each time.
If, while these steps are executed, an attacker performs precise fault injection so that certain key steps such as the self-check or the signature check are skipped, the hardware detection module cannot receive the correct characters, the memory authority control module cannot release the read-write or execution authority of the corresponding memory, and system boot cannot complete.
To adapt to various different boot flows, common secure boot flows are numbered, and the number is programmed into the chip by blowing its electrically programmable fuses. The detection module holds the character string corresponding to each common secure boot flow. After power-on, the character string matching the number is selected and the boot flow is checked against it.
The invention tracks the execution steps of the chip's secure boot using the specific hardware detection module and the corresponding mechanism, effectively defends against the risk of key steps being skipped by fault injection during the process, and gives the SoC chip higher security.
Detailed description of the preferred embodiments
In order to more clearly illustrate the objects, flow and advantages of the present invention, the present invention will be described in further detail below with reference to the accompanying drawings and detailed description.
Numerous implementation details are set forth in the following description, but the invention may be practiced otherwise than as described. Various modifications and improvements may be made by those skilled in the art without departing from the spirit and substance of the invention. Such variations and modifications are also regarded as within the scope of the invention, which is not limited to the disclosed embodiments.
Fig. 1 is the overall framework of the present invention. It includes a hardware detection module 13 and a memory authority control module 14.
The CPU 11 accesses both the SRAM 12 and the DRAM 15 through the memory authority control module 14. The hardware detection module 13 tracks the software execution sequence of the CPU 11 and releases the read-write and execution authority of the SRAM 12 and DRAM 15 step by step through the memory authority control module 14. When the hardware detection module 13 detects that the software execution sequence of the CPU 11 is abnormal, the read-write and execution authority of the SRAM 12 and the DRAM 15 is not released, so the system fails to start, and the effect of preventing fault injection is achieved.
Table 1 shows the specific characters agreed by the software and hardware in the following embodiments.
Operation | Success of self-test | Decryption completion | Pass of check | Jump SRAM success | Failure to start
Character | C | D | S | E | F
Example 1:
As shown in Fig. 2, this embodiment illustrates a secure boot flow with normal secondary signature verification. As the boot flow executes in order, the hardware module releases the read-write permission and the execution permission of the SRAM and the DRAM in turn.
For the secure boot software, the boot flow is as follows:
Step 201, the chip is powered on and the ROM code is executed.
Step 202, wait for the self-check of the cryptographic algorithm hardware security module. Its main purpose is to detect whether the hardware module used for decryption and signature verification is faulty.
Step 203, if the self-test fails, system boot fails at step 218; if the self-test passes, jump to step 204.
Step 204, send the character "C" to the hardware detection module.
Step 205, execute the ROM code and load the boot program and its signature from the external medium.
Step 206, decrypt with the key built into the chip and send the character "D" to the hardware detection module.
Step 207, verify the signature of the decrypted boot program using the public key built into the chip.
Step 208, if signature verification fails, jump to step 215, system boot failure; if the signature passes, send the character "S" to the hardware detection module and jump to step 209.
Step 209, the software jumps from the ROM to the internal SRAM. If the jump fails, enter step 215, system boot failure; if the jump succeeds, execute the boot program and enter step 210.
Step 210, the program in the SRAM executes normally, and the character "E" is written into the hardware module.
Step 211, load the image file from the external medium into the external DRAM and perform signature verification.
Step 212, if signature verification fails, jump to step 215, system boot failure; if the signature passes, send the character "S" to the hardware detection module and jump to step 213.
Step 213, decompress the image file and jump from the internal SRAM to the external DRAM.
Step 214, execute the image file; the system has booted successfully.
For the hardware detection module, the built-in state machine flow is as follows:
Step 220, power-on starts.
Step 221, wait for the software to write the character "C". After software boot step 204 writes the character "C", jump to step 222.
Step 222, the memory permission control module releases the internal SRAM read/write permission to the CPU, then jump to step 223.
Step 223, wait for the software to write the character "D". After software boot step 209 writes the character "D", jump to step 225.
Step 224, wait for the software to write the character "S". After software boot step 211 writes the character "S", jump to step 226.
Step 225, the memory authority control module releases the execution authority of the internal SRAM, then go to step 227.
Step 226, wait for the software to write the character "E". After software boot step 213 writes the character "S", jump to step 228.
Step 227, the memory permission control module releases the read/write permission of the external DRAM, then go to step 229.
Step 228, wait for the software to write the character "S". After software boot step 215 writes the character "S", jump to step 230.
Step 229, the memory authority control module releases the execution authority of the external DRAM, and the hardware detection module completes its detection work.
In this embodiment, the hardware detection module tracks the software's execution: it releases the read-write permission of the SRAM after receiving the character "C" signalling that the self-check passed; after receiving D and S in order, it releases the execution authority of the SRAM; on receiving E, it releases the read-write authority of the external DRAM; and finally, after receiving S, it releases the execution authority of the external DRAM. The method ensures that read-write and execution permissions are released step by step as the boot chain of trust is established in order.
Example 2:
As shown in Fig. 3, on the basis of the first embodiment, the secondary secure boot flow under a fault injection attack is shown.
Assume an attacker tampers with the boot program and the image file on the external medium. In the normal flow of the first embodiment (Fig. 2), signature verification fails at steps 207 and 208, the tampering is detected, the process jumps to step 215 and boot is terminated. However, if the attacker performs fault injection precisely when step 207 determines the signature result, the program takes the wrong branch and continues at step 209; if the boot procedure cannot detect the fault injection, the tampered boot program continues to run. The tampered boot program then verifies the tampered image file, the system finally runs an illegal program, and the security of the whole embedded system is completely destroyed.
With the method of the present invention, similarly (as shown in Fig. 3), the attacker performs precise fault injection when step 307 performs the signature verification and step 308 determines the signature result, and the program is successfully forced to skip to step 309 and continue. However, because the abnormal jump does not write the character "S" into the hardware detection module, when step 309 then jumps to execute the program in the SRAM, the hardware detection module is still waiting for the character "S", the memory authority control module has not released the execution authority of the SRAM, and the tampered boot program cannot execute; the system jumps to step 315, boot failure, and writes the character "F" into the hardware detection module. After the hardware detection module receives the character F, the system boot process is judged incorrect, and the state machine enters an abnormal state and falls into a dead loop. Only a reset can recover it.
As described above, the tampered program cannot continue to execute, the subsequent image file cannot be loaded, and no illegal program can run on the chip. The whole embedded system thus resists the fault injection attack well.
The attack location in Example 2 can be chosen arbitrarily, for example at decryption, at secondary signature verification, at the random number self-check, or at image signature verification. The hardware detection module tracks the software's execution sequence in time, detects the absence of key steps, and then prevents the release of memory authority through the memory controller, so that secure boot terminates abnormally; this resists the risk of fault injection well and ensures the security of the system.
The above embodiments are merely exemplary, including the boot procedures and agreed characters, attack locations, methods and so on, and are intended to better illustrate the principles, methods and advantages. Any alterations, modifications and improvements are intended to be within the spirit and scope of the invention as disclosed.
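As an added illustration (not part of the patent or any real chip's RTL), the following C model simulates the hardware detection module's state machine and the memory authority control module it drives for the Table 1 sequence C, D, S, E, S, and replays both the normal boot of Example 1 and the skipped-signature-check path of Example 2. The type and function names, the permission bit layout and the per-token release table are assumptions made for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumed permission bits of the memory authority control module (not from the patent). */
enum { PERM_SRAM_RW = 1u << 0, PERM_SRAM_X = 1u << 1,
       PERM_DRAM_RW = 1u << 2, PERM_DRAM_X = 1u << 3 };
typedef struct {
    const char *expected; /* agreed token sequence from Table 1: C, D, S, E, S */
    size_t pos;           /* index of the next token the state machine waits for */
    uint32_t perms;       /* permissions released so far; none after power-on */
    bool locked;          /* error state (dead loop): only a power-on reset recovers */
} detector_t;

/* Permission released on each correct token, in order (steps 222, none, 225, 227, 229). */
static const uint32_t release_after[] = { PERM_SRAM_RW, 0, PERM_SRAM_X, PERM_DRAM_RW, PERM_DRAM_X };
/* Power-on reset: all memory access forbidden, state machine in its first state. */
void detector_reset(detector_t *d) {
    d->expected = "CDSES"; d->pos = 0; d->perms = 0; d->locked = false;
}
/* Software writes one token. Any unexpected token (including "F") locks the machine. */
void detector_write(detector_t *d, char token) {
    if (d->locked) return;
    if (d->expected[d->pos] == '\0' || token != d->expected[d->pos]) {
        d->locked = true; d->perms = 0; return;   /* dead loop until reset */
    }
    d->perms |= release_after[d->pos++];
}
/* Memory authority control module: CPU access succeeds only for released permissions. */
bool cpu_access_allowed(const detector_t *d, uint32_t want) {
    return !d->locked && (d->perms & want) == want;
}
/* Example 1: normal secondary-signature boot, every key step writes its token. */
bool boot_normal(detector_t *d) {
    detector_reset(d);
    for (const char *p = "CDSES"; *p; p++) detector_write(d, *p);
    return cpu_access_allowed(d, PERM_DRAM_X);          /* step 229 reached */
}
/* Example 2: a glitch skips the signature check (step 308), so "S" is never written;
   the jump to SRAM execution (step 309) is refused and the software reports "F" (step 315). */
bool boot_with_skipped_signature_check(detector_t *d) {
    detector_reset(d);
    detector_write(d, 'C');
    detector_write(d, 'D');
    if (!cpu_access_allowed(d, PERM_SRAM_X)) { detector_write(d, 'F'); return false; }
    detector_write(d, 'E');                              /* never reached */
    return cpu_access_allowed(d, PERM_DRAM_X);
}
```

The model makes the gating property explicit: a skipped step leaves the permission register short by one bit, so the CPU's next memory access fails regardless of what the glitched software believes about the signature.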