CN111950017A - Memory data protection method, device, equipment and storage medium - Google Patents
Memory data protection method, device, equipment and storage medium Download PDFInfo
- Publication number
- CN111950017A CN111950017A CN201910398934.8A CN201910398934A CN111950017A CN 111950017 A CN111950017 A CN 111950017A CN 201910398934 A CN201910398934 A CN 201910398934A CN 111950017 A CN111950017 A CN 111950017A
- Authority
- CN
- China
- Prior art keywords
- access instruction
- data block
- instruction
- data
- physical block
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/70—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
- G06F21/78—Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention provides a memory data protection method, a device, equipment and a storage medium. The method comprises the following steps: the method comprises the steps of obtaining an access instruction, and obtaining a data block accessed by the security access instruction when the access instruction is determined to be the security access instruction, wherein the security access instruction is a specific instruction preset in hardware, and after the obtained data block is subjected to secret processing, executing operation corresponding to the security access instruction, wherein the size of a storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of data volume capable of being stored in one physical memory page, so that efficient protection of memory data is realized, and the power consumption and performance loss of a system are reduced.
Description
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method, an apparatus, a device, and a storage medium for protecting memory data.
Background
In the current information age, computer applications are becoming more popular and computer system security is receiving more and more attention. At present, a computer system usually stores program instructions and data in a memory in a plaintext mode, and many attack methods utilize the characteristic of the memory and realize attack by acquiring and tampering data in the memory. Therefore, how to secure the data of the program in the memory is crucial to the security of the whole computer system.
At present, Secure Memory Encryption (SME) technology is generally adopted to protect data in a Memory, and the technology sets special Encryption hardware on Memory controllers integrated on a processor, wherein each Memory controller comprises a hardware engine of an Advanced Encryption Standard (AES) algorithm with high performance. When data is written into the memory, the memory data is encrypted by the hardware engine, and when data is read from the memory, the data to be read is correspondingly decrypted by the hardware engine, as shown in fig. 1.
The memory comprises a plurality of physical memory pages, and data is stored in the memory in the form of pages in sequence. In the process of encrypting data, controlling which physical memory pages are encrypted is realized by setting a page table in an operating system. In an operating system, the 47 th bit (C-bit for short) of a physical address in a Page Table Entry (PTE) is set to be 1, which indicates that the page is to be encrypted and decrypted, and if the bit is set to be 0, the page is accessed normally.
However, since the SME technique is not flexibly applicable, the memory data can be encrypted only in units of pages, which easily causes performance loss and generates large power consumption.
Disclosure of Invention
The invention provides a memory data protection method, a device, equipment and a storage medium, which realize high-efficiency protection of memory data and reduce power consumption and performance loss.
In a first aspect, the present invention provides a method for protecting memory data, including:
acquiring an access instruction;
when the access instruction is determined to be a safe access instruction, acquiring a data block accessed by the safe access instruction; the safety access instruction is a specific instruction preset in hardware;
after the obtained data block is subjected to secret processing, executing operation corresponding to the safety access instruction; the size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
In a specific implementation manner, the method for determining that the access instruction is a secure access instruction includes:
acquiring an operation code corresponding to the access instruction;
and when the operation code is a specific operation code, determining that the access instruction is a safe access instruction.
Further, after determining that the access instruction is a secure access instruction, the method for obtaining the data block accessed by the secure access instruction includes:
acquiring a virtual address carried in the security access instruction;
converting the virtual address into a physical address according to the TLB;
according to the preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to a data block accessed by the safe access instruction;
acquiring a data block stored in a memory space indicated by the physical block address, and determining the acquired data block as a data block accessed by the secure access instruction;
wherein the secure access instruction is a secure read instruction.
In a specific implementation manner, the secure access instruction further includes a secure write instruction, and if the secure access instruction accesses a data block, performing secret processing on the data block, including:
if the safe access instruction is a safe reading instruction, decrypting the data block read from the memory space according to the physical block address;
if the safe access instruction is a safe write instruction, encrypting the data block needing to be written into the memory space corresponding to the physical block address;
executing the operation corresponding to the safety access instruction, including:
if the safe access instruction is a safe reading instruction, reading the decrypted data block from the memory space;
and if the safe access instruction is a safe write instruction, storing the encrypted data block into the memory space.
Furthermore, a lookup table is preset in the hardware, and the lookup table includes a corresponding relationship between a physical block address and a valid bit of at least one data block; if the access instruction is a secure write instruction, while performing secret processing on the data block accessed by the secure access instruction, the method further includes:
looking up the physical block address of the data block in the lookup table;
when the lookup table comprises the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, the lookup table is not operated;
when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state;
when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and taking an effective position corresponding to the physical block address of the data block as an effective state;
when the access instruction is a non-secure access instruction, the method further comprises:
acquiring a physical block address accessed by the non-secure access instruction;
when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction;
and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
In a second aspect, the present invention provides a memory data protection device, including:
the processor core module is used for acquiring an access instruction;
the processor core module is further used for acquiring a data block accessed by the safe access instruction when the access instruction is determined to be the safe access instruction; the safety access instruction is a specific instruction preset in hardware;
the memory controller module is used for executing the operation corresponding to the safety access instruction after carrying out the secrecy processing on the acquired data block; the size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
In a specific implementation, the processor core module is further configured to:
acquiring an operation code corresponding to the access instruction;
and when the operation code is a specific operation code, determining that the access instruction is a safe access instruction.
Further, the processor core module is specifically configured to:
acquiring a virtual address carried in the security access instruction;
converting the virtual address into a physical address according to the TLB;
according to the preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to a data block accessed by the safe access instruction;
acquiring a data block stored in a memory space indicated by the physical block address, and determining the acquired data block as a data block accessed by the secure access instruction; wherein the secure access instruction is a secure read instruction.
In a specific implementation manner, the secure access instruction further includes a secure write instruction, and the apparatus further includes an encryption/decryption module;
the encryption and decryption module is used for:
if the safe access instruction is a safe reading instruction, decrypting the data block read from the memory space according to the physical block address;
if the safe access instruction is a safe write instruction, encrypting the data block needing to be written into the memory space corresponding to the physical block address;
executing the operation corresponding to the safety access instruction, including:
if the safe access instruction is a safe reading instruction, reading the decrypted data block from the memory space;
and if the safe access instruction is a safe write instruction, storing the encrypted data block into the memory space.
Further, the device also comprises a physical block address recording module; presetting a lookup table in the hardware, wherein the lookup table comprises the corresponding relation between the physical block address and the effective bit of at least one data block;
the physical block address recording module is used for:
if the access instruction is a secure write instruction, while performing secret processing on the data block accessed by the secure access instruction, the method further includes:
looking up the physical block address of the data block in the lookup table;
when the lookup table comprises the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, the lookup table is not operated;
when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state;
when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and taking an effective position corresponding to the physical block address of the data block as an effective state;
when the access instruction is a non-secure access instruction, the method further comprises:
acquiring a physical block address accessed by the non-secure access instruction;
when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction;
and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
In a third aspect, the present invention provides an electronic device comprising: a memory and a processor;
the memory stores computer-executable instructions;
the processor executes computer-executable instructions stored by the memory, causing the processor to perform the memory data protection method of the first aspect.
In a fourth aspect, the present invention provides a storage medium comprising: a readable storage medium and a computer program for implementing the memory data protection method according to the first aspect.
According to the memory data protection method, device, equipment and storage medium provided by the embodiment of the invention, when an access instruction is received, the access instruction is judged; when the access instruction is determined to be a safe access instruction, acquiring a data block accessed by the safe access instruction, and executing an operation corresponding to the safe access instruction after carrying out secret processing on the data block; the size of the preset data block is a preset range, and the preset range is a preset multiple of a storage space occupied by one cache line to the size of data amount capable of being stored in one physical memory page. By adopting the technical scheme, on one hand, the secure access instruction and the non-secure access instruction are distinguished from the access instruction, and only the data block accessed by the secure access instruction is subjected to secret operation, so that the security of the key data is ensured, and the processing efficiency of the processor on the instruction and the data is improved; on the other hand, compared with the processing mode of encrypting and decrypting data in the whole physical memory page in the prior art, the embodiment of the invention performs the encryption processing by taking the data blocks as the unit, and the size of the storage space occupied by each data block is not more than the size of the data amount which can be stored in one physical memory page, namely, the encryption and decryption processing of the data is not required to be performed by taking the physical memory page as the unit, but only the encryption and decryption processing of the data blocks is performed, so that the encryption and decryption operation of the key data is more flexible, and the system power consumption and the performance loss are effectively reduced; on the other hand, when the physical memory page is encrypted and decrypted in the prior art, the C-bit of the physical memory page needs to be set on the operating system level, that is, the operating system code is modified to protect the key data, and once the operating system is attacked, the security of the protected key data is threatened.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a schematic flow chart illustrating an embodiment of a memory data protection method in the prior art;
fig. 2 is a schematic flowchart of a memory data protection method according to a first embodiment of the present invention;
fig. 3 is a schematic flowchart of a second memory data protection method according to an embodiment of the present invention;
fig. 4 is a schematic flowchart of a third embodiment of a memory data protection method according to the present invention;
fig. 5 is a schematic flowchart of a fourth embodiment of a memory data protection method according to the present invention;
fig. 6 is a schematic flow chart illustrating a fifth embodiment of a method for protecting memory data according to the present invention;
fig. 7 is a schematic structural diagram of a memory data protection apparatus according to a first embodiment of the present invention;
fig. 8 is a schematic structural diagram of a memory data protection apparatus according to a second embodiment of the present invention;
fig. 9 is a schematic structural diagram of a memory data protection apparatus according to a third embodiment of the present invention;
fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As used herein, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Reference throughout this specification to "one embodiment" or "another embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the present application. Thus, the appearances of the phrases "in one embodiment" or "in this embodiment" in various places throughout this specification are not necessarily all referring to the same embodiment. It should be noted that the embodiments and features of the embodiments may be combined with each other without conflict.
The execution main body of the scheme is an electronic device with a processor and/or a compiler, and the electronic device can be applied to a terminal device, such as a Personal Computer (PC), a notebook, a tablet, a wearable product, an intelligent household appliance product, an intelligent robot and the like, and also can be applied to a server, or applied to an industrial device, such as a numerical control device, a program control device and the like.
The memory data protection method provided by the scheme is characterized in that a security access instruction is set, and the security access instruction is a specific instruction preset in hardware; optionally, the method for setting the secure access instruction includes: firstly, safety key data are predetermined, wherein the safety key data can be data needing to be protected, such as a user name, a password and the like, and the data determined as the safety key data are declared; secondly, setting corresponding compiling guidance according to the declaration of the safety key data, wherein the electronic equipment can determine which data are the safety key data through the compiling guidance, for example, the compiling guidance of the safety key data can be set as a safety key attribute in advance, and the electronic equipment determines the data with the safety key attribute as the safety key data; finally, the compiler generates a security access instruction for the access of the security-critical data and a non-security access instruction for the access of the non-security-critical data by recognizing the compilation instruction, and needs to perform security processing on the accessed data when executing the security access instruction. The compiling guide is an indication set according to specific conditions in the process of programming and is used for indicating whether any data is the attribute of the safety critical data.
In a specific implementation manner, the secure access instruction may be designed as a secure write instruction (SSrore instruction: SSrore rt, rs) and a secure read instruction (SLoad instruction: SLoad rt, rs), where the secure write instruction (SSrore instruction: SSrore rt, rs) takes a value in an rt register as an address, writes a value in an rs register into a memory space corresponding to the address, and the SSrore instruction indicates that data is encrypted and stored in the memory space, that is, after being encrypted by data, the data is written into the corresponding memory space; the secure read instruction (SLoad instruction: SLoad rt, rs) is to read the data in the memory space corresponding to the address into the rt register by using the value in the rs register as the address. The SLoad instruction indicates that the content in the memory space corresponding to the address is encrypted and stored, and the content in the memory space needs to be decrypted and then read into the rt register, so that in the ssore instruction/SLoad instruction design, the access to the data with the length of 8 bits, 16 bits, 32 bits, 64 bits and the like in the register can be supported.
Optionally, the method for declaring any data as safety-critical data in the program includes: adding an identifier 'security' of a variable statement in a programming language, wherein as shown in a following program, a Key is a variable, and an attribute of the variable can be determined to be safety Key data through the form of the variable statement identifier, namely after the Key is declared by the security, the attribute of the Key is the safety Key data; after the compiler identifies the 'security' identifier, a security access instruction SLoad/SStore instruction is generated to access the Key, and if the variable temp does not declare security, a non-security access instruction is adopted for accessing the temp. Based on this, the attribute of any one variable is either safety-critical data or non-safety-critical data.
By adopting the technical scheme, the compiler presets the safety access instruction on the hardware level according to the preset compiling instruction, and the hardware attack difficulty is far greater than that of the operating system attack, so that the problem that the safety key data stored in the physical memory page can be acquired by attacking the operating system in the prior art can be effectively avoided, and the safety of the safety key data is improved.
In this scheme, the safety critical data includes: the encryption and decryption of the security key data are the encryption and decryption of the data block which needs to be accessed by the security access instruction, the size of the storage space occupied by the data block is within a preset range, the preset range can be a preset multiple of the storage space occupied by one Cache line to the size of the data volume which can be stored in one system physical memory page, wherein the preset multiple is 2NMultiple (N ═ 0,1,2 …), a data block configuration register is set, and the value of N is set by the operating system. Assuming that the size of the storage space occupied by one Cache line is 256 bits (32 bytes), and the size of the amount of data (occupied storage space) that can be stored in a physical memory page is 4KB, the value of N may be 0,1,2, 3, 4, 5, 6, and 7.
Based on the above-mentioned security access instruction preset in the hardware, the following describes the implementation process of the present solution in detail through several embodiments.
Fig. 2 is a schematic flow chart of a memory data protection method according to a first embodiment of the present invention, as shown in fig. 2, the method includes:
s101: an access instruction is obtained.
In the embodiment of the present invention, the access instruction may be an access instruction received from a connected external compiler, or an access instruction obtained by a compiler integrated with an electronic device; and, the access instruction includes a secure access instruction and a non-secure access instruction. Optionally, the compiler may determine, by identifying the compilation instruction, that the data with the attribute of the security key is accessed, and generate the security access instruction, and generate the non-security access instruction when the data with the attribute of the non-security key is accessed.
Optionally, the access instruction includes a type of the access instruction and an access address, where the type of the access instruction may include a secure access instruction type and a non-secure access instruction type; when the explicit access instruction type is a secure access instruction type or a non-secure access instruction type, the access instruction may further include a request type of the secure access instruction/a request type of the non-secure access instruction, and the request types include a read request type and a write request type; the access address is a virtual address, and the virtual address is used for indicating the position information of data which needs to be read by a security access instruction/non-security access instruction of a read request type or the position information of data which needs to be written by a security access instruction/non-security access instruction of a write request type; in addition, when the request type is a write request type, the access instruction further includes a data block to be written.
S102: and when the access instruction is determined to be the safe access instruction, acquiring the data block accessed by the safe access instruction.
In the embodiment of the present invention, the security access instruction is a specific instruction preset in hardware, such as the above-mentioned security write instruction (SSrore instruction: SStore rt, rs) and security read instruction (SLoad instruction: SLoad rt, rs).
In order to adapt to the secure access instruction, in the hardware implementation model in this step, the data block accessed by the secure access instruction, the physical block address, and the request type of the secure access instruction may be obtained by the processor core module. The processor core module mainly executes various instructions, including access instructions, operation instructions, branch instructions and the like. In a specific hardware implementation, the processor core module mainly includes an instruction fetch unit, a decode unit, an execution unit, a register, a Cache (Cache) memory, and the like. The execution part of the access instruction in the processor core module mainly comprises: the system comprises an access instruction transmitting queue, an access special fixed-point register file, an access address generating component, a data Cache component, a data conversion detection Buffer (TLB) component and the like.
In a specific implementation manner, fig. 3 is a flowchart illustrating a second embodiment of a memory data protection method according to the present invention, and as shown in fig. 3, when a request type of a security access instruction is a read request, a method for obtaining a data block accessed by the security access instruction includes:
s1021: and acquiring the virtual address carried in the security access instruction.
S1022: the virtual address is translated to a physical address based on the TLB.
S1023: and according to a preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to the data block accessed by the safe access instruction.
In a specific implementation manner, the method for performing a shift operation on the physical address according to a preset multiple and converting the physical address of the secure access instruction into the physical block address includes: obtaining the N value contained in the preset multiple, wherein the N value is a preset value, and the preset multiple is 2N(ii) a Removing the lower 5+ N bits of the physical address, wherein N is set by the data block configuration register; for example, assuming that the physical address of the secure access instruction is 48 bits, the size of the storage space occupied by one Cache line is 32 bytes, and for the value 0x80001000FFFF of the physical address, if the value of the data block configuration register is 0, the lower 5+ N bits of the physical address are removed, and the number of bits of the obtained physical block address is 43 bits, and the value of the physical address is 0x400008007 FF; based on the above example, if the value of the data block configuration register is 1, the lower 5+ N bits of the physical address are removed, and the number of the obtained physical block address bits is 42 bits, and the value of the physical block address is 0x200004003 FF. And so on.
Optionally, when the request type of the security access instruction is a write request, the method for obtaining the memory space location (i.e., the physical block address) of the data block to be written may be obtained in the above manner (step S1021 to step S1023), which is not described herein again.
The embodiment shown in fig. 3 realizes that the virtual address of the secure access instruction is converted into the physical block address of the data block to be accessed, so as to further acquire the data block accessed by the secure access instruction.
S1024: and acquiring the data blocks stored in the memory space indicated by the physical block addresses, and determining the acquired data blocks as the data blocks accessed by the security access instruction.
S103: and after the obtained data block is subjected to secret processing, executing the operation corresponding to the security access instruction.
The size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
In this step, the data block of the memory space to be accessed by the obtained security access instruction is processed in a confidential manner, for example, encrypted or decrypted, and then corresponding operation is executed according to the security access instruction, for example, if the security access instruction is a security read instruction, the data block stored in the memory space indicated by the physical block address is obtained, the obtained data block is decrypted, and the decrypted data block is read, and if the security access instruction is a security write instruction, the data block which needs to be written into the memory space indicated by the physical block address is encrypted, and the encrypted data block is stored into the corresponding memory space.
In the memory data protection method provided by this embodiment, when an access instruction is received, the access instruction is determined; when the access instruction is determined to be a safe access instruction, acquiring a data block accessed by the safe access instruction, and executing an operation corresponding to the safe access instruction after carrying out secret processing on the data block; the size of the preset data block is a preset range, and the preset range is a preset multiple of a storage space occupied by one cache line to the size of data amount capable of being stored in one physical memory page. By adopting the technical scheme, on one hand, the secure access instruction and the non-secure access instruction are distinguished from the access instruction, and only the data block accessed by the secure access instruction is subjected to secret operation, so that the security of the key data is ensured, and the processing efficiency of the processor on the instruction and the data is improved; on the other hand, compared with the processing mode of encrypting and decrypting the physical memory page data in the prior art, the embodiment of the invention performs the encryption processing by taking the data blocks as the unit, and the size of the storage space occupied by each data block is not more than the size of the data amount which can be stored in one physical memory page, namely, the data is not required to be encrypted and decrypted by taking the physical memory page as the unit, but only the data blocks are encrypted and decrypted, so that the encryption and decryption operation of the key data is more flexible, and the system power consumption and the performance loss are effectively reduced; on the other hand, when the physical memory page is encrypted and decrypted in the prior art, the C-bit of the physical memory page needs to be set on the operating system level, that is, the operating system code is modified to protect the key data, and once the operating system is attacked, the security of the protected key data is threatened.
On the basis of the above embodiment, the present solution provides a possible implementation manner for how to determine that the access instruction is a secure access instruction, including: and acquiring an operation code corresponding to the access instruction, and determining that the access instruction is a safe access instruction when the operation code is a specific operation code, wherein the specific operation code is a preset code corresponding to the safe access instruction.
Furthermore, the present solution may also preset a lookup table in hardware, as shown in table 1, where the lookup table includes a corresponding relationship between a physical block address and a valid bit of at least one data block,
| physical Block Address | Significant bit |
TABLE 1
Physical block address: the size is determined according to the practical situation of processor design and is variable;
VALID bit (VALID): 1 bit, when 1, it represents the configuration item is valid state; a value of 0 indicates that the configuration item is in an invalid state.
The contents of the lookup table can be emptied when the process of the operating system is started, and the contents of the lookup table are also stored and restored when the process is switched.
Based on the above possible hardware implementation model, in addition to a processor core module capable of executing the memory access instruction, the hardware implementation model may further include a physical block address recording module, where the physical block address recording module is configured to process a physical block address in the secure access address received by the processor core module. With reference to the lookup table embodiment shown in table 1, fig. 4 is a schematic flowchart of a third embodiment of a memory data protection method provided in an embodiment of the present invention, and as shown in fig. 4, if an access instruction is a secure write instruction, while acquiring a physical block address accessed by the secure access instruction and performing security processing on a data block accessed by the secure access instruction, the method further includes:
s201: and searching the physical block address of the data block accessed by the safe write instruction in a lookup table.
In the embodiment of the invention, the physical block address recording module receives the physical block address to be accessed by the safe write instruction sent by the processor core module, and the physical block address is searched in a lookup table in a traversing way or is compared with the physical block addresses of all the entries in the lookup table.
S202: and when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, not operating the lookup table.
If the physical block address to be accessed by the secure write instruction is the same as the physical block address of an entry in the lookup table, and the valid bit of the entry is in a valid state, for example, the valid bit is 1, it indicates that the physical block address to be accessed by the secure write instruction has been recorded, and no operation is required to be performed on the lookup table.
S203: and when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state.
If the physical block address to be accessed by the secure write instruction is the same as the physical block address of an entry in the lookup table, and the valid bit of the entry is in an invalid state, for example, if the valid bit is 0, it indicates that the physical block address to be accessed by the secure write instruction has already been recorded, and at this time, the valid position needs to be in a valid state, for example, the valid position needs to be set to 1.
S204: and when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and setting an effective position corresponding to the physical block address of the data block as an effective state.
If the physical block address to be accessed by the secure write instruction is different from the physical block addresses of all the entries in the lookup table, indicating that the physical block address is not recorded, it is necessary to find an idle entry in the lookup table, record the physical block address, and set the effective position of the entry to be in an effective state, for example, set the effective position to be 1.
Optionally, if no free entry can be found in the lookup table, indicating that the lookup table is full, the recording may be optionally discarded, and the physical block address is discarded.
In this embodiment, when the secure write instruction is executed, the physical block address to be accessed by the secure write instruction is searched in the lookup table, whether the physical block address to be accessed by the secure write instruction is already recorded in the lookup table is determined, if so, whether the valid bit corresponding to the physical block address in the table entry is in a valid state is further determined, if not, the valid position corresponding to the physical block address is in a valid state, and if not, the physical block address is recorded in an idle table entry in the lookup table, so that protection of the critical data is achieved. By adopting the technical scheme, when a user thinks that some safety key data can be accessed through the non-safety instruction, the non-safety access instruction can access part of the safety key data only by carrying out corresponding searching operation in the searching table according to the physical block address accessed in the non-safety access instruction, so that the flexibility of safety key data access is improved.
With reference to the lookup table embodiment shown in table 1, fig. 5 is a flowchart illustrating a fourth embodiment of a memory data protection method according to the present invention, and as shown in fig. 5, if the access instruction is a non-secure access instruction, the method further includes:
s301: and acquiring the physical block address accessed by the non-secure access instruction.
This step is similar to step S102, and is not described here again.
S302: and when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction.
And traversing and searching the physical block address accessed by the non-secure access instruction in a lookup table, or comparing the physical block address accessed by the non-secure access instruction with the physical block addresses of all table entries in the lookup table, and if the lookup table contains the physical block address accessed by the non-secure access instruction and the corresponding valid bit in the table entry is in a valid state, for example, the valid bit is 1, acquiring the data block of the physical block address accessed by the non-secure access instruction.
S303: and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
And after the data block accessed by the non-secure access instruction is subjected to corresponding confidential processing according to the request type of the non-secure access instruction, executing the operation corresponding to the non-secure access instruction. The request type of the non-secure access instruction comprises a read request type and a write request type.
Optionally, the request type of the non-secure access instruction may be a read request type only, that is, the non-secure access instruction can only read the security critical data, and the security critical data cannot be written in the specified location of the memory space, so that the security of the system is ensured.
In this embodiment, when the non-secure access instruction is to be executed, the physical block address accessed by the non-secure access instruction is searched in the lookup table, and if the lookup table includes the physical block address accessed by the non-secure access instruction and the corresponding valid bit in the table entry is in a valid state, the data block accessed by the non-secure access instruction is acquired and is subjected to secret processing, and then the operation corresponding to the non-secure access instruction is executed, so that the problem that the key data stored in the physical page memory can be acquired by attacking the operating system is effectively avoided, and the security of the key data is improved.
In a specific implementation manner, the hardware implementation model further includes an encryption/decryption module, where the encryption/decryption module is configured to perform encryption/decryption operations on the security-critical data according to the type of the access instruction, the physical block address, and/or the data block; wherein, the type of the access instruction comprises a secure access instruction and a non-secure access instruction, and the request type of the secure access instruction/the request type of the non-secure access instruction. In the Encryption and decryption module, the data block can be encrypted and decrypted by a plurality of algorithms, and the invention takes the implementation of Advanced Encryption Standard (AES) algorithm as an example and can also implement other Encryption and decryption algorithms. In addition, a random number generator of hardware is integrated in the encryption and decryption module, and a secret key is regenerated every time the computer is started.
The AES encrypted data block packet length is 128 bits, and the key length may be any one of 128 bits, 192 bits, and 256 bits. AES encryption has many rounds of repetition and transformation. The method comprises the following steps: 1) key expansion (KeyExpansion); 2) initial Round (Initial Round); 3) repeated Rounds (Rounds), each including: SubBytes, ShiftRows, MixColumns, AddRoundKey; 4) final Round (Final Round) without MixColumns.
The invention implements AES algorithm in hardware in an encryption and decryption module for encrypting and decrypting a data block (generally 256 bits).
Optionally, the hardware implementation model further includes a memory controller module, where the memory controller module is located between the processor core module and the encryption and decryption module, and is used to implement control over the encryption and decryption module and the memory space.
On the basis of the foregoing embodiment, the following describes the present solution through a possible implementation process, and fig. 6 is a flowchart illustrating a fifth embodiment of a memory data protection method provided in an embodiment of the present invention, where as shown in fig. 6, the access instruction is a non-secure access instruction, and the method includes:
s401: and acquiring the request type, the physical block address and/or the data block of the access instruction.
After the access instruction is obtained, the processor core module identifies the access instruction, and obtains a request type, an access address and/or a data block of the access instruction (if the access instruction is a write request, the access instruction includes the data block). Further, the processor core module sends an access instruction to the memory controller module, and according to the physical address, data is written or read to or from the memory by the size of one Cache line (generally 256 bits) at a time, and at the same time, the processor core module converts the access address (virtual address) of the access instruction into a physical address according to the TLB, converts the physical address into a physical block address, and sends the physical block address to the physical block address recording module.
S402: it is determined whether the physical block address is recorded in the lookup table.
In an implementation embodiment, the memory controller module receives an access instruction for accessing the memory space from the processor core module, and obtains a request type, a physical block address and/or a data block of a non-secure access instruction included in the access instruction; and the request type, the physical block address and/or the data block of the non-secure access instruction are/is sent to the encryption and decryption module, the encryption and decryption module sends the physical block address to the physical block address recording module, the physical block address recording module inquires whether the physical block address is recorded in a lookup table of the physical block address recording module, and returns the inquiry result to the encryption and decryption module.
S403: if the physical block address is not recorded in the lookup table, setting the flag bit to 0, and returning the flag bit to the memory controller module.
If the encryption and decryption module receives that the result returned by the physical block address recording module is 0, which indicates that the physical block address is not recorded in the lookup table, the flag bit is set to 0, which indicates that the data accessed by the access instruction does not need to be processed in a confidential mode, and the flag bit and the data block are returned to the memory controller module.
S404: if the physical block address is recorded in the lookup table, whether the valid bit corresponding to the physical block address in the lookup table is in a valid state is judged.
If the valid bit corresponding to the physical block address in the lookup table is in an invalid state, setting the flag bit to 0 to indicate that the data accessed by the access instruction does not need to be subjected to secret processing, and returning the flag bit and the data block to the memory controller module.
If the valid bit corresponding to the physical block address in the lookup table is in a valid state, step S405 is performed: and carrying out secret processing according to the request type of the non-secure access instruction.
If the result returned by the encryption and decryption module after receiving the physical block address recording module is 1, the physical block address is indicated to be recorded in the lookup table, and the valid bit corresponding to the physical block address in the lookup table is in a valid state, the data block is subjected to secret processing according to the type of the non-secure access instruction.
S406: and if the request type of the access instruction is a read request, decrypting the data block and returning the data block to the memory controller module.
If the request type of the non-secure access instruction is a read request, the data block is decrypted, the flag bit is set to 1 to indicate that decryption is needed, and the flag bit and the decrypted data block are returned to the memory controller module.
S407: and if the request type of the access instruction is a write request, encrypting the data block and returning the data block to the memory controller.
And if the request type of the non-secure access instruction is a write request, encrypting the data block, setting the flag bit to be 1 to indicate that encryption is required, and returning the flag bit and the decrypted data block to the memory controller module.
Further, if the flag bit returned by the encryption and decryption module received by the memory controller module is 0, the execution continues according to the execution logic of the access instruction; if the flag bit returned by the encryption and decryption module received by the memory controller module is 1, replacing the original data block with the encrypted or decrypted data block returned by the encryption and decryption module, and then continuing to execute the access instruction (for a read operation, returning the decrypted data block to the processor core module, and for a write operation, writing the encrypted data block into the memory). The original data block refers to a data block extracted by a memory controller in a memory space indicated by a physical block address; for example, when the request type of the non-secure access instruction is a read request type, the original data block is a data block in an encrypted state.
In this embodiment, when a user thinks that some security critical data can be accessed through a non-security instruction, the user only needs to perform corresponding lookup operations in the lookup table according to the physical block address accessed in the non-security access instruction, and then the non-security access instruction performs corresponding operations on part of the security critical data according to the request type of the non-security access instruction, thereby improving the flexibility of accessing the security critical data.
Fig. 7 is a schematic structural diagram of a memory data protection device according to a first embodiment of the present invention, and as shown in fig. 7, a memory data protection device 10 according to the present embodiment includes:
the processor core block 11: for obtaining an access instruction;
the processor core module 11 is further configured to, when it is determined that the access instruction is a secure access instruction, obtain a data block accessed by the secure access instruction; the safety access instruction is a specific instruction preset in hardware;
memory controller module 12: the security access instruction is used for executing the operation corresponding to the security access instruction after the obtained data block is subjected to security processing; the size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
The memory data protection device 10 provided in this embodiment may be a chip, an integrated circuit, a microprocessor, or the like. The memory data protection apparatus 10 provided in this embodiment may be applied to various electronic devices, including a processor core module 11 and a memory controller module 12, configured to determine an access instruction when receiving the access instruction; when the access instruction is determined to be a safe access instruction, acquiring a data block accessed by the safe access instruction, and executing an operation corresponding to the safe access instruction after carrying out secret processing on the data block; the size of the preset data block is a preset range, the preset range is a preset multiple of a storage space occupied by a cache line to the size of the data quantity capable of being stored in a physical memory page, a safe access instruction and a non-safe access instruction are distinguished from the access instruction, the data block occupying the storage space and not larger than the physical memory page is encrypted and decrypted, and the safe access instruction is preset on a hardware level, so that flexible operation of encryption and decryption of key data is realized, the processing efficiency of the data and the safety of the key data are improved, and the power consumption and the performance loss of a system are reduced.
The memory data protection device provided in this embodiment may implement the technical solutions of the above method embodiments, and the implementation principles and technical effects are similar, which are not described herein again.
On the basis of the above embodiment, the processor core module 11 is further configured to:
acquiring an operation code corresponding to the access instruction;
and when the operation code is a specific operation code, determining that the access instruction is a safe access instruction.
In a specific implementation manner, the processor core module is specifically configured to:
acquiring a virtual address carried in the security access instruction;
converting the virtual address into a physical address according to a translation detection buffer (TLB);
according to the preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to a data block accessed by the safe access instruction;
and acquiring the data block stored in the memory space indicated by the physical block address, and determining the acquired data block as the data block accessed by the safe access instruction.
On the basis of the foregoing embodiment, fig. 8 is a schematic structural diagram of a second memory data protection apparatus according to an embodiment of the present invention, and as shown in fig. 8, the secure access instruction includes: if the memory data protection device 10 provided in this embodiment further includes a secure read instruction and a secure write instruction: and an encryption and decryption module 13.
The encryption and decryption module is used for:
if the safe access instruction is a safe reading instruction, decrypting the data block read from the memory space according to the physical block address;
if the safe access instruction is a safe write instruction, encrypting the data block needing to be written into the memory space corresponding to the physical block address;
executing the operation corresponding to the safety access instruction, including:
if the safe access instruction is a safe reading instruction, reading the decrypted data block from the memory space;
and if the safe access instruction is a safe write instruction, storing the encrypted data block into the memory space.
On the basis of the foregoing embodiment, fig. 9 is a schematic structural diagram of a third embodiment of the memory data protection device according to the present invention, and as shown in fig. 9, the memory data protection device 10 according to the present embodiment further includes: a physical block address recording module 14 and a security module 15.
Presetting a lookup table in the hardware, wherein the lookup table comprises the corresponding relation between the physical block address and the effective bit of at least one data block;
the physical block address recording module is used for:
if the access instruction is a secure write instruction, while performing secret processing on the data block accessed by the secure access instruction, the method further includes:
looking up the physical block address of the data block in the lookup table;
when the lookup table comprises the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, the lookup table is not operated;
when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state;
when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and taking an effective position corresponding to the physical block address of the data block as an effective state;
when the access instruction is a non-secure access instruction, the method further comprises:
acquiring a physical block address accessed by the non-secure access instruction;
when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction;
and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
The security module 15 includes the physical block address recording module 14 and the encryption/decryption module 12.
Fig. 10 shows an electronic device, and the embodiment of the invention is only illustrated in fig. 10 by way of example, which does not mean that the invention is limited thereto.
Fig. 10 is a schematic diagram of a hardware structure of an electronic device according to an embodiment of the present invention. The electronic devices provided by the present embodiments include, but are not limited to, mobile phones, computers, digital broadcast terminals, messaging devices, game consoles, tablet devices, medical devices, fitness devices, personal digital assistants, and the like.
As shown in fig. 10, the electronic device 20 provided in the present embodiment may include: a memory 201, a processor 202; optionally, a bus 203 may also be included. The bus 203 is used to realize connection between the elements.
The memory 201 stores computer-executable instructions;
the processor 202 executes the computer-executable instructions stored in the memory 201, so that the processor executes the memory data protection method provided by any one of the foregoing embodiments.
Wherein, the memory 201 and the processor 202 are electrically connected directly or indirectly to realize the data transmission or interaction. For example, these components may be electrically connected to each other via one or more communication buses or signal lines, such as via bus 203. The memory 201 stores computer-executable instructions for implementing the data access control method, including at least one software functional module that can be stored in the memory 201 in the form of software or firmware, and the processor 202 executes various functional applications and data processing by running software programs and modules stored in the memory 201.
The Memory 201 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Read-Only Memory (EPROM), an electrically Erasable Read-Only Memory (EEPROM), and the like. The memory 201 is used for storing programs, and the processor 202 executes the programs after receiving the execution instructions. Further, the software programs and modules in the memory 201 may also include an operating system, which may include various software components and/or drivers for managing system tasks (e.g., memory management, storage device control, power management, etc.), and may communicate with various hardware or software components to provide an operating environment for other software components.
The processor 202 may be an integrated circuit chip having signal processing capabilities. The Processor 202 may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and so on. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like. It will be appreciated that the configuration of fig. 10 is merely illustrative and may include more or fewer components than shown in fig. 9 or have a different configuration than shown in fig. 10. The components shown in fig. 10 may be implemented in hardware and/or software.
The embodiment of the present invention further provides a computer-readable storage medium, where computer-executable instructions are stored thereon, and when the computer-executable instructions are executed by a processor, the method for protecting memory data provided in any of the above method embodiments can be implemented.
The computer-readable storage medium in this embodiment may be any available medium that can be accessed by a computer or a data storage device such as a server, a data center, etc. that is integrated with one or more available media, and the available media may be magnetic media (e.g., floppy disks, hard disks, magnetic tapes), optical media (e.g., DVDs), or semiconductor media (e.g., SSDs), etc.
Those of ordinary skill in the art will understand that: all or a portion of the steps of implementing the above-described method embodiments may be performed by hardware associated with program instructions. The program may be stored in a computer-readable storage medium. When executed, the program performs steps comprising the method embodiments described above; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.
Claims (12)
1. A memory data protection method is characterized by comprising the following steps:
acquiring an access instruction;
when the access instruction is determined to be a safe access instruction, acquiring a data block accessed by the safe access instruction; the safety access instruction is a specific instruction preset in hardware;
after the obtained data block is subjected to secret processing, executing operation corresponding to the safety access instruction; the size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
2. The method of claim 1, wherein determining that the access instruction is a secure access instruction comprises:
acquiring an operation code corresponding to the access instruction;
and when the operation code is a specific operation code, determining that the access instruction is a safe access instruction.
3. The method according to claim 1 or 2, wherein the method for obtaining the data block accessed by the secure access instruction after determining that the access instruction is the secure access instruction comprises:
acquiring a virtual address carried in the security access instruction;
converting the virtual address into a physical address according to a translation detection buffer (TLB);
according to the preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to a data block accessed by the safe access instruction;
acquiring a data block stored in a memory space indicated by the physical block address, and determining the acquired data block as a data block accessed by the secure access instruction;
wherein the secure access instruction is a secure read instruction.
4. The method of claim 3, wherein the secure access instruction further comprises a secure write instruction, and wherein the securing the data block accessed by the secure access instruction comprises:
if the safe access instruction is a safe reading instruction, decrypting the data block read from the memory space according to the physical block address;
if the safe access instruction is a safe write instruction, encrypting the data block needing to be written into the memory space corresponding to the physical block address;
executing the operation corresponding to the safety access instruction, including:
if the safe access instruction is a safe reading instruction, reading the decrypted data block from the memory space;
and if the safe access instruction is a safe write instruction, storing the encrypted data block into the memory space.
5. The method according to claim 3 or 4, wherein a lookup table is preset in the hardware, and the lookup table includes a corresponding relationship between a physical block address and a valid bit of at least one data block; if the access instruction is a secure write instruction, while performing secret processing on the data block accessed by the secure access instruction, the method further includes:
looking up the physical block address of the data block in the lookup table;
when the lookup table comprises the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, the lookup table is not operated;
when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state;
when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and taking an effective position corresponding to the physical block address of the data block as an effective state;
when the access instruction is a non-secure access instruction, the method further comprises:
acquiring a physical block address accessed by the non-secure access instruction;
when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction;
and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
6. A memory data protection device, comprising:
the processor core module is used for acquiring an access instruction;
the processor core module is further used for acquiring a data block accessed by the safe access instruction when the access instruction is determined to be the safe access instruction; the safety access instruction is a specific instruction preset in hardware;
the memory controller module is used for executing the operation corresponding to the safety access instruction after carrying out the secrecy processing on the acquired data block; the size of the storage space occupied by the data block is within a preset range, and the preset range is from a preset multiple of the storage space occupied by one cache line to the size of the data volume capable of being stored in one physical memory page.
7. The apparatus of claim 6, wherein the processor core module is further configured to:
acquiring an operation code corresponding to the access instruction;
and when the operation code is a specific operation code, determining that the access instruction is a safe access instruction.
8. The apparatus of claim 6 or 7, wherein the processor core module is specifically configured to:
acquiring a virtual address carried in the security access instruction;
converting the virtual address into a physical address according to a translation detection buffer (TLB);
according to the preset multiple, carrying out shift operation on the physical address to generate a physical block address corresponding to a data block accessed by the safe access instruction;
acquiring a data block stored in a memory space indicated by the physical block address, and determining the acquired data block as a data block accessed by the secure access instruction; wherein the secure access instruction is a secure read instruction.
9. The apparatus of claim 8, wherein the secure access instruction further comprises a secure write instruction, the apparatus further comprising an encryption/decryption module;
the encryption and decryption module is used for:
if the safe access instruction is a safe reading instruction, decrypting the data block read from the memory space according to the physical block address;
if the safe access instruction is a safe write instruction, encrypting the data block needing to be written into the memory space corresponding to the physical block address;
executing the operation corresponding to the safety access instruction, including:
if the safe access instruction is a safe reading instruction, reading the decrypted data block from the memory space;
and if the safe access instruction is a safe write instruction, storing the encrypted data block into the memory space.
10. The apparatus of claim 8 or 9, further comprising a physical block address recording module; presetting a lookup table in the hardware, wherein the lookup table comprises the corresponding relation between the physical block address and the effective bit of at least one data block;
the physical block address recording module is used for:
if the access instruction is a secure write instruction, while performing secret processing on the data block accessed by the secure access instruction, the method further includes:
looking up the physical block address of the data block in the lookup table;
when the lookup table comprises the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in a valid state, the lookup table is not operated;
when the lookup table contains the physical block address of the data block and the valid bit corresponding to the physical block address of the data block is in an invalid state, setting the valid position corresponding to the physical block address of the data block to be in a valid state;
when the lookup table does not contain the physical block address of the data block, storing the physical block address of the data block to an idle position in the lookup table, and taking an effective position corresponding to the physical block address of the data block as an effective state;
when the access instruction is a non-secure access instruction, the method further comprises:
acquiring a physical block address accessed by the non-secure access instruction;
when the lookup table contains the physical block address accessed by the non-secure access instruction and the valid bit corresponding to the physical block address accessed by the non-secure access instruction is in a valid state, acquiring the data block accessed by the non-secure access instruction according to the physical block address accessed by the non-secure access instruction;
and after the data block accessed by the non-secure access instruction is subjected to secret processing, executing the operation corresponding to the non-secure access instruction.
11. An electronic device, comprising: a memory and a processor;
the memory stores computer-executable instructions;
the processor executing the computer-executable instructions stored by the memory causes the processor to perform the memory data protection method of any one of claims 1 to 5.
12. A storage medium, comprising: a readable storage medium and a computer program for implementing the memory data protection method of any one of claims 1 to 5.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910398934.8A CN111950017B (en) | 2019-05-14 | 2019-05-14 | Memory data protection method, device, equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910398934.8A CN111950017B (en) | 2019-05-14 | 2019-05-14 | Memory data protection method, device, equipment and storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN111950017A true CN111950017A (en) | 2020-11-17 |
| CN111950017B CN111950017B (en) | 2023-05-16 |
Family
ID=73335666
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910398934.8A Active CN111950017B (en) | 2019-05-14 | 2019-05-14 | Memory data protection method, device, equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN111950017B (en) |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114924794A (en) * | 2022-07-20 | 2022-08-19 | 北京微核芯科技有限公司 | Address storage and scheduling method and device for transmission queue of storage component |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101051892A (en) * | 2007-03-14 | 2007-10-10 | 江中尧 | Enciphering device and method for CPU special data |
| CN106469124A (en) * | 2015-08-20 | 2017-03-01 | 深圳市中兴微电子技术有限公司 | A kind of memory access control method and device |
| CN107346401A (en) * | 2016-05-06 | 2017-11-14 | 波音公司 | Information Guarantee System for safely configuration processor |
| CN109446835A (en) * | 2018-09-30 | 2019-03-08 | 龙芯中科技术有限公司 | Data access control method, device and equipment |
-
2019
- 2019-05-14 CN CN201910398934.8A patent/CN111950017B/en active Active
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101051892A (en) * | 2007-03-14 | 2007-10-10 | 江中尧 | Enciphering device and method for CPU special data |
| CN106469124A (en) * | 2015-08-20 | 2017-03-01 | 深圳市中兴微电子技术有限公司 | A kind of memory access control method and device |
| CN107346401A (en) * | 2016-05-06 | 2017-11-14 | 波音公司 | Information Guarantee System for safely configuration processor |
| CN109446835A (en) * | 2018-09-30 | 2019-03-08 | 龙芯中科技术有限公司 | Data access control method, device and equipment |
Non-Patent Citations (1)
| Title |
|---|
| 刘丽丽等: "具有分区加密功能的SD卡固件设计" * |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114924794A (en) * | 2022-07-20 | 2022-08-19 | 北京微核芯科技有限公司 | Address storage and scheduling method and device for transmission queue of storage component |
| CN114924794B (en) * | 2022-07-20 | 2022-09-23 | 北京微核芯科技有限公司 | Address storage and scheduling method and device for transmission queue of storage component |
Also Published As
| Publication number | Publication date |
|---|---|
| CN111950017B (en) | 2023-05-16 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| EP3757850B1 (en) | Low memory overhead heap management for memory tagging | |
| CN107430670B (en) | Flexible counter system for memory protection | |
| JP4738068B2 (en) | Processor and system | |
| US7694151B1 (en) | Architecture, system, and method for operating on encrypted and/or hidden information | |
| EP2151763A1 (en) | Method and apparatus for obfuscating virtual to physical memory mapping | |
| US20240069955A1 (en) | Technologies for memory replay prevention using compressive encryption | |
| JP2009518742A (en) | Method and apparatus for secure handling of data in a microcontroller | |
| CN110347432B (en) | Processor, branch predictor, data processing method thereof and branch prediction method | |
| US20060005047A1 (en) | Memory encryption architecture | |
| CN107430671B (en) | Method for protecting data that are important for security in a cache | |
| EP3460709B1 (en) | Devices and methods for secured processors | |
| TWI551993B (en) | In-memory attack prevention | |
| CN115374440A (en) | Security defense method and electronic device | |
| CN109598105B (en) | Method and device for safely loading firmware by microcontroller, computer equipment and storage medium | |
| CN111950017B (en) | Memory data protection method, device, equipment and storage medium | |
| CN111177773A (en) | Full disk encryption and decryption method and system based on network card ROM | |
| CN111159726B (en) | UEFI (unified extensible firmware interface) environment variable-based full-disk encryption and decryption method and system | |
| CN112580052B (en) | Computer security protection method, chip, device and storage medium | |
| KR20180059217A (en) | Apparatus and method for secure processing of memory data | |
| CN111125791B (en) | Memory data encryption method and device, CPU chip and server | |
| US20180307626A1 (en) | Hardware-assisted memory encryption circuit | |
| JP5395838B2 (en) | Multi-core system | |
| US11677541B2 (en) | Method and device for secure code execution from external memory | |
| US20230418603A1 (en) | System and Method for Securing Nonvolatile Memory for Execute-in-Place | |
| CN117786699A (en) | Chip initialization method, device, module, electronic equipment and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| CB02 | Change of applicant information |
Address after: 100095 Building 2, Longxin Industrial Park, Zhongguancun environmental protection technology demonstration park, Haidian District, Beijing Applicant after: Loongson Zhongke Technology Co.,Ltd. Address before: 100095 Building 2, Longxin Industrial Park, Zhongguancun environmental protection technology demonstration park, Haidian District, Beijing Applicant before: LOONGSON TECHNOLOGY Corp.,Ltd. |
|
| CB02 | Change of applicant information | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |