CN114091027B - Information configuration method, data access method, related device and equipment - Google Patents
- Publication number
- CN114091027B (application number CN202111454122.4A)
- Authority
- CN
- China
- Prior art keywords
- data
- information
- application program
- storage device
- verification
- Prior art date
- Legal status (as listed by Google Patents; not a legal conclusion)
- Active
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/561—Virus type analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
Abstract
The embodiment of the invention provides an information configuration method, a data access method, a related device and equipment, wherein in the information configuration method, trusted hardware can generate verification information corresponding to an application program when verifying the validity of the identity of the application program, and the verification information is configured in storage equipment which is required to be accessed by the application program so as to determine the access authority of the application program based on the verification information, thereby ensuring the data security of the storage equipment.
Description
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an information configuration method, a data access method, a related device and equipment.
Background
Storage devices (e.g., hard disks) are typically required in physical hosts to store a substantial portion of the data in the physical hosts. Programs in physical hosts are typically required to run based on data in these storage devices.
In general, data in storage devices can be accessed without restriction by the programs of a physical host (including privilege-level programs). If a physical host is infected with a virus, malicious access to these storage devices can be carried out through such programs, which threatens the data security of the storage devices. For example, ransomware may traverse all files on the computer's hard disk, then reformat and encrypt them, so that the data stored on the hard disk is damaged and the corresponding files become unreadable.
Therefore, how to ensure the data security of the storage device is a problem to be solved in the art.
Disclosure of Invention
In view of this, the embodiments of the present invention provide an information configuration method, a data access method, and related devices and apparatuses, so as to ensure the data security of a storage device.
In order to achieve the above object, the embodiment of the present invention provides the following technical solutions:
in a first aspect, an embodiment of the present invention provides an information configuration method, applied to trusted hardware, where the method includes:
acquiring a configuration request of an application program, wherein the configuration request at least comprises identity information of the application program;
verifying the legitimacy of the identity of the application program according to the identity information;
if the identity of the application program is legal, generating verification information corresponding to the application program;
and sending configuration information to a storage device which is required to be accessed by the application program, wherein the configuration information comprises the verification information, so that the storage device determines the access authority of the application program based on the verification information.
Optionally, the information configuration method further includes:
a feedback message is sent to a processor to cause the processor to perform access to the storage device by the application based on the feedback message.
Optionally, the generating verification information corresponding to the application program includes:
encryption information for data encryption is generated, and the encryption information is used as the verification information.
Optionally, the generating verification information corresponding to the application program includes:
generating encryption information for data encryption;
generating variable information, wherein the variable information changes based on a preset rule;
and combining the encryption information and the variable information to form verification information corresponding to the application program.
Optionally, the variable information is a round value, and the generating variable information includes: an initial value of the round value is randomly generated.
Optionally, the identity information is certificate information of a public key certificate of the application program, and the public key certificate is signed based on a chip private key of the trusted hardware.
Optionally, the sending a feedback message to the processor includes:
encrypting the verification information based on a public key in the public key certificate;
generating a feedback message based on the encrypted ciphertext;
and sending the generated feedback message to the processor.
Optionally, the step of generating the verification information corresponding to the application program includes: and taking the identity information of the application program as verification information.
Optionally, the configuration request includes feature information of the application program, and the step of generating verification information corresponding to the application program includes: taking the characteristic information of the application program as verification information; or, taking the characteristic information of the application program and the identity information of the application program as verification information.
Optionally, the configuration information further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
In a second aspect, an embodiment of the present invention provides an information configuration method, applied to a storage device, where the method includes:
acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program, and the verification information is generated by trusted hardware when verifying the identity of the application program;
and configuring the verification information to determine the access authority of the application program based on the verification information.
Optionally, the configuration information further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
In a third aspect, an embodiment of the present invention provides an information configuration method, applied to a processor, where the method includes:
sending a configuration request to trusted hardware, wherein the configuration request at least comprises identity information of an application program, so that the trusted hardware verifies the validity of the identity of the application program based on the identity information, and generates verification information corresponding to the application program when the identity of the application program is legal, so that a storage device which is required to be accessed by the application program configures the verification information to confirm the access right of the application program based on the verification information;
and acquiring a feedback message sent by the trusted hardware to execute the access of the application program to the storage device based on the feedback message.
Optionally, before sending the configuration request to the trusted hardware, the method further includes:
generating public and private key pairs belonging to the application program according to the information of the application program;
sending the public key in the public-private key pair to the trusted hardware, so that the trusted hardware carries out private key signing on the public key based on the chip private key of the chip where the trusted hardware is positioned, and a public key certificate belonging to the application program is generated;
and acquiring the public key certificate.
Optionally, after the obtaining the feedback message sent by the trusted hardware, the method further includes:
and decrypting the feedback message with the private key of the application program to obtain the verification information.
Optionally, the configuration request further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
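The first and third aspects above describe one configuration flow: the processor obtains a public key certificate for the application (its public key signed with the chip private key of the trusted hardware), sends a configuration request, the trusted hardware verifies the certificate, generates verification information (an encryption key combined with a round value whose initial value is random), configures it into the storage device, and returns a feedback message encrypted under the application's public key. The following Go program is an added illustration of that flow and is not code from the patent; the choice of Ed25519 for the chip key, RSA-OAEP for the feedback message, the 32-byte key, the 64-bit round value and all type and function names are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// VerificationInfo: encryption key plus a round value with a random initial value.
type VerificationInfo struct {
	Key   [32]byte
	Round uint64
}

// Certificate: the application's public key signed with the chip private key.
type Certificate struct {
	AppPubKey []byte // PKIX-encoded RSA public key of the application
	ChipSig   []byte // Ed25519 signature by the chip key over AppPubKey
}

// Register stands in for the controller's verification parameter register.
type Register map[string]VerificationInfo

// TrustedHardware holds the chip key (Ed25519 is this example's assumption).
type TrustedHardware struct{ chipPriv ed25519.PrivateKey }

// IssueCertificate signs the application's public key with the chip private key.
func (t *TrustedHardware) IssueCertificate(appPub *rsa.PublicKey) (Certificate, error) {
	der, err := x509.MarshalPKIXPublicKey(appPub)
	return Certificate{AppPubKey: der, ChipSig: ed25519.Sign(t.chipPriv, der)}, err
}

// HandleConfigRequest: verify the identity, generate the verification info, write it
// into the register, and return the feedback message (info encrypted under the
// application's public key; RSA-OAEP is this example's choice of scheme).
func (t *TrustedHardware) HandleConfigRequest(cert Certificate, reg Register) ([]byte, error) {
	chipPub := t.chipPriv.Public().(ed25519.PublicKey)
	if !ed25519.Verify(chipPub, cert.AppPubKey, cert.ChipSig) {
		return nil, errors.New("identity invalid: certificate not signed by chip key")
	}
	parsed, err := x509.ParsePKIXPublicKey(cert.AppPubKey)
	appPub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, errors.New("application public key unusable")
	}
	buf := make([]byte, 40) // key || round, both freshly random
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	var info VerificationInfo
	copy(info.Key[:], buf[:32])
	info.Round = binary.BigEndian.Uint64(buf[32:])
	reg[string(cert.AppPubKey)] = info
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, appPub, buf, nil)
}

// DecryptFeedback is the processor side: recover the info with the app private key.
func DecryptFeedback(appPriv *rsa.PrivateKey, feedback []byte) (info VerificationInfo, err error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, appPriv, feedback, nil)
	if err != nil || len(plain) != 40 {
		return info, errors.New("feedback undecryptable or malformed")
	}
	copy(info.Key[:], plain[:32])
	info.Round = binary.BigEndian.Uint64(plain[32:])
	return info, nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // setup failure, not what the scenario demonstrates
	}
	return v
}

// Scenario: the processor must recover exactly what the register holds, and a
// certificate whose chip signature is wrong must be refused.
func Scenario() (recovered, forgedRejected bool) {
	_, chipPriv, err := ed25519.GenerateKey(rand.Reader)
	th := &TrustedHardware{chipPriv: must(chipPriv, err)}
	appPriv := must(rsa.GenerateKey(rand.Reader, 2048))
	cert := must(th.IssueCertificate(&appPriv.PublicKey))
	reg := Register{}
	feedback := must(th.HandleConfigRequest(cert, reg))
	got := must(DecryptFeedback(appPriv, feedback))
	recovered = got == reg[string(cert.AppPubKey)]
	forged := Certificate{AppPubKey: cert.AppPubKey, ChipSig: append([]byte{}, cert.ChipSig...)}
	forged.ChipSig[0] ^= 0x01 // no longer a valid chip signature
	_, err = th.HandleConfigRequest(forged, reg)
	forgedRejected = err != nil
	return
}

func main() { fmt.Println(Scenario()) }
```

The point of the encrypted feedback is the one the patent makes later in the description: the verification information is generated inside the trusted hardware and only ever leaves it under the application's public key, so a privilege-level program observing the exchange does not learn the key that the storage device will check against.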
In a fourth aspect, an embodiment of the present invention provides a data access method, applied to a storage device, including:
acquiring data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be checked;
verifying the data to be verified based on pre-configured verification information to determine the access authority of the application program; wherein the access rights at least comprise write rights;
and if the data to be verified passes the verification, writing the data to be written into the storage equipment.
Optionally, the verifying the data to be verified based on the pre-configured verification information includes:
acquiring data to be written in the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
and comparing the data to be checked with the check data, and if the data to be checked are matched, passing the check of the data to be checked.
Optionally, the verification information is identity information of the application program and/or feature information of the application program.
Optionally, the storage device is configured with write protection enabling information, and when the write protection enabling information indicates that the write protection function is enabled, the step of verifying the data to be verified based on the pre-configured verification information is executed.
In a fifth aspect, an embodiment of the present invention provides a data access method, applied to a processor, including:
generating data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be checked;
and sending the data to be processed to a storage device, so that the storage device can write the data to be written in according to the authority of the application program after checking the data to be checked according to the checking information.
Optionally, in the step of generating the data to be processed of the application program, the data to be verified is set at the head of the data to be processed, and the data to be written is set at the tail of the data to be processed.
Optionally, the generating the data to be processed of the application program includes:
acquiring data to be written of an application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
and merging the data to be verified and the data to be written into data to be processed.
Optionally, in the step of generating the data to be processed of the application program, the identity information of the application program and/or the characteristic information of the application program are used as the data to be verified.
In a sixth aspect, an embodiment of the present invention provides an information configuration apparatus, including:
a request acquisition module, configured to acquire a configuration request of an application program, wherein the configuration request at least comprises identity information of the application program;
the identity verification module is used for verifying the validity of the identity of the application program according to the identity information;
the information generation module is used for generating verification information corresponding to the application program when the identity of the application program is legal;
and the information sending module is used for sending configuration information to the storage equipment which is required to be accessed by the application program, wherein the configuration information comprises the verification information so that the storage equipment can determine the access authority of the application program based on the verification information.
In a seventh aspect, an embodiment of the present invention provides an information configuration apparatus, including:
the information acquisition module is used for acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program, and the verification information is generated by trusted hardware when the identity of the application program is verified to be legal;
and the information configuration module is used for configuring the verification information so as to determine the access authority of the application program based on the verification information.
In an eighth aspect, an embodiment of the present invention provides an information configuration apparatus, including:
a request sending module, configured to send a configuration request to trusted hardware, where the configuration request includes at least identity information of an application program, so that the trusted hardware verifies validity of an identity of the application program based on the identity information, and generates verification information corresponding to the application program when the identity of the application program is legal, so that a storage device that the application program needs to access configures the verification information, and confirms access rights of the application program based on the verification information;
and the feedback message acquisition module is used for acquiring feedback messages sent by the trusted hardware so as to execute the access of the application program to the storage device based on the feedback messages.
In a ninth aspect, an embodiment of the present invention provides a data access apparatus, including:
the data acquisition module is used for acquiring data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be checked;
the data verification module is used for verifying the data to be verified based on pre-configured verification information so as to determine the access authority of the application program; wherein the access rights at least comprise write rights;
and the data writing module is used for writing the data to be written into the storage equipment if the data to be checked passes the check.
In a tenth aspect, an embodiment of the present invention provides a data access apparatus, including:
the data generation module is used for generating data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be checked;
and the data transmitting module is used for transmitting the data to be processed to the storage equipment so that the storage equipment can write the data to be written in according to the authority of the application program after checking the data to be checked according to the checking information.
In an eleventh aspect, embodiments of the present invention provide trusted hardware configured to perform an information configuration method applied to the trusted hardware.
In a twelfth aspect, an embodiment of the present invention provides a storage device including a controller configured to perform an information configuration method applied to the storage device and to perform a data access method applied to the storage device.
Optionally, the controller includes a verification module, where the verification module includes a calculation engine and a verification parameter register, where the calculation engine is used to perform encryption calculation, and the verification parameter register is used to store the verification information.
In a thirteenth aspect, embodiments of the present invention provide a processor configured to perform an information configuration method applied to the processor, and a data access method applied to the processor.
In a fourteenth aspect, an embodiment of the present invention provides a data processing system, including:
the trusted hardware, the storage device, and the processor.
In a fifteenth aspect, an embodiment of the present invention provides a storage medium, where the storage medium stores one or more computer-executable instructions for performing an information configuration method applied to trusted hardware, or an information configuration method applied to a processor, or an information configuration method applied to a storage device, or a data access method applied to a processor, or a data access method applied to a storage device.
The embodiment of the invention provides an information configuration method, a data access method, a related device and equipment, wherein in the information configuration method, trusted hardware can generate verification information corresponding to an application program when verifying the validity of the identity of the application program, and the verification information is configured in storage equipment which is required to be accessed by the application program, so that the storage equipment determines the access authority of the application program based on the verification information.
It can be seen that, in the scheme provided by the embodiment of the invention, verification information corresponding to the application program is configured into the storage device, so that the storage device itself can verify the identity of the application program based on that verification information and thereby resist attacks by viruses on the data it stores. Because the storage device authenticates the application program, data protection is realized at the hardware level: even a privilege-level program cannot access the hard disk data unless it passes this authentication, which ensures the data security of the storage device.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
FIG. 1 is a schematic diagram of a data processing system;
FIG. 2 is an exemplary diagram of a method for accessing hard disk data;
FIG. 3 is a schematic diagram of a data processing system according to an embodiment of the present invention;
FIG. 4 is an alternative flow of an information configuration method according to an embodiment of the present invention;
FIG. 5 is an alternative flowchart of step S12 provided in an embodiment of the present invention;
FIG. 6 is an alternative flowchart of step S15 provided in an embodiment of the present invention;
FIG. 7 is an alternative flow chart of a data access method provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of a structure of data to be processed according to an embodiment of the present invention;
FIG. 9 is an alternative flowchart of step S21 provided in an embodiment of the present invention;
FIG. 10 is an alternative flowchart of step S23 provided in an embodiment of the present invention;
FIG. 11 is a schematic diagram of a data access flow provided in an embodiment of the present invention;
FIG. 12 is an alternative block diagram of the information configuration apparatus on the trusted hardware side according to an embodiment of the present invention;
FIG. 13 is an alternative block diagram of the information configuration apparatus on the storage device side according to an embodiment of the present invention;
FIG. 14 is an alternative block diagram of the information configuration apparatus on the processor side according to an embodiment of the present invention;
FIG. 15 is an alternative block diagram of the data access apparatus on the storage device side according to an embodiment of the present invention;
FIG. 16 is an alternative block diagram of the data access apparatus on the processor side according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
FIG. 1 shows a schematic architecture of a data processing system, which, with reference to FIG. 1, may include a hardware layer 11, a kernel layer 12, and an application layer 13. The hardware layer 11 is configured to provide corresponding hardware support for system operation, the kernel layer 12 is configured to provide an operating space for an operating system kernel, and the application layer 13 is configured to provide an operating space for the application program 10.
The hardware layer 11 may include hardware devices for implementing system operations, only the processor (central processing unit, CPU) 14, the controller 15, and the hard disk 16 being shown in this example for ease of description. The processor 14 is a core of system operation and control, and is an execution unit for information processing and application program running; the controller 15 and the hard disk 16 may be understood as storage devices of the system, wherein the controller 15 is adapted to provide an interface for the hard disk 16 to enable communication between the processor 14 and the hard disk 16.
The kernel layer 12 may include a hard disk drive 17, a file system 18, and a virtual file system (virtual file system, VFS) 19; the hard disk drive 17 is used for controlling hard disk addressing and access data of the hard disk, the file system 18 is a system provided in an operating system for managing a hard disk file read-write method, data organization and data storage form, and the virtual file system 19 is used for providing a unified operating interface and application programming interface for various file systems.
When the application program 10 in the application layer 13 needs to access data in the hard disk, the kernel layer 12 obtains the file access information from the file system 18 through the interface provided by the virtual file system 19, and accesses the hard disk data through the hard disk drive 17. At the hardware layer 11, this appears as the processor 14 accessing data in the hard disk 16 through the controller 15.
In an alternative implementation, the system may perform access control on the hard disk data based on the rights of the user, thereby protecting the hard disk data. The virtual file system or file system in the kernel layer grants different rights to different users, and whether an access may be performed is decided from the identity of the user and the rights that identity holds for operating on files and directories (such as read, write and execute).
For example, referring to the example diagram of the hard disk data access method shown in fig. 2, when an application accesses data in a hard disk, a VFS or a file system in a kernel layer may query rights of a user using the application from rights information stored in the hard disk, for example, the rights information may include read/write/executable rights corresponding to a file owner (owner)/a group of users (group)/other users (other), respectively, so as to perform corresponding access control, and read and write file data in the hard disk.
However, with continued reference to fig. 2, under this type of access control a virus (e.g., ransomware) may access the hard disk as long as it has acquired the corresponding user rights, or it may exploit a kernel vulnerability to attack the hard disk with the privilege-level rights of the system.
Based on this, the embodiment of the invention provides an information configuration method, a data access method, a related device and equipment, wherein in the information configuration method, trusted hardware can generate verification information corresponding to an application program when verifying the validity of the identity of the application program, and the verification information is configured in a storage device which is required to be accessed by the application program so as to determine the access authority of the application program based on the verification information.
It can be seen that the scheme provided by the embodiment of the invention configures corresponding verification information into the storage device, so that the storage device can verify the identity of the application program based on that verification information and thereby resist attacks by viruses on the data in the storage device. Because the storage device authenticates the application program, data protection is realized at the hardware level: even a privilege-level program cannot access the hard disk data unless it passes this authentication, which ensures the data security of the storage device.
Moreover, the verification information is generated by the trusted hardware itself after it verifies the identity of the application program, so a privilege-level program cannot obtain it; the verification information therefore remains confidential, and the hard disk data cannot be accessed at will by privilege-level programs.
The information configuration scheme provided by the embodiment of the invention will be described in detail.
In an alternative implementation, the architecture of a data processing system shown in fig. 3 is schematic, and in conjunction with fig. 1, the system architecture shown in fig. 3 is compared with the system architecture shown in fig. 1, and the hardware layer 11 further includes a memory 20 and trusted hardware 21, where the memory 20 is used to provide a data base for data processing by the processor 14, and the trusted hardware 21 is a device that can provide a trusted environment for data processing.
The trusted hardware 21 may be, for example, TPM (Trusted Platform Module ) hardware, which is a hardware chip conforming to a trusted computing standard specification issued by a trusted computing organization, and is composed of a measurable core trust source CRTM (core root of trust for measurement, the core of a trusted measurement root) and a TPM chip; alternatively, the trusted hardware 21 may be a security processor (PSP, platform Secure Processor), where the security processor is a security processor that is specially configured and is used for data security, and the security processor may have a data processing function, so that more security-related services can be processed, and data security of the system is ensured.
In terms of arrangement of trusted hardware, the trusted hardware may be arranged outside the processor or may be integrated with the processor on the same chip. In this example, trusted hardware (e.g., a secure processor) may be built inside a CPU SOC (CPU on-chip), and firmware programs of the trusted hardware may be issued by CPU vendors, and services such as certificate management, cryptographic operations, and secure function management may be integrated inside the trusted hardware.
Also, in the system architecture, the storage device 22 may be an external storage device (i.e. a storage device located outside the on-chip), where the storage device 22 communicates with the processor 14 through a bus, and the storage device 22 includes a controller 15 and a storage device, and in this example, the storage device may be a hard disk 16, where the controller 15 includes, in addition to control logic 23 for logic control, a verification module 24, and the verification module 24 may determine an access right of the application program 10, so that the controller 15 may perform access control of data in the storage device (for example, the hard disk 16) based on the access right of the application program 10. In other examples, the storage device 22 may also be other external storage devices, such as magnetic disks, optical disks, etc., or may also be removable external storage devices, such as a removable hard disk, etc.
In some alternative implementations, the verification module 24 may verify the identity of the application based on password verification, thereby determining its corresponding access rights. Based on this, the verification module may include a computing engine 25 (for example, may be a MAC computing engine, where MAC is an abbreviation of Message Authentication Codes, meaning a message authentication code), and the corresponding verification algorithm may be a digest computing algorithm such as SM3/SHA3 (SM 3 is one of the cryptographic algorithms, SHA3 is a third generation secure hash algorithm). Meanwhile, the verification module 24 may further include a verification parameter register 26 for storing corresponding key information, verification parameters, and the like.
Isolation protection of the hard-disk data is thus achieved by establishing confidential isolation and authentication management of the data in the storage device, and by introducing trusted hardware to manage the verification configuration of the controller.
Based on the optional architecture shown in fig. 3, in an optional implementation, fig. 4 shows an optional flow of the information configuration method provided by the embodiment of the present invention, as shown in fig. 4, where the flow may include:
step S10, the processor sends a configuration request of the application program to the trusted hardware, wherein the configuration request at least comprises identity information of the application program.
In the process that the processor executes the application program, if the application program has the requirement of data access to the storage device, the processor can send a configuration request of the application program to the trusted hardware so as to trigger a subsequent information configuration flow to carry out corresponding verification information configuration.
It will be appreciated that the application program is executed by the processor; accordingly, the application program's access to the storage device is also carried out by the processor, and the steps of the configuration process that belong to the application program are likewise executed by the processor.
The identity information of the application program is used for indicating whether the application program is legal, whether the application program has corresponding access rights and the like. The identity information may be identity data representing the application, or may be identity data representing a user of the application, or may be identity data representing both the application and the user of the application.
The identity information may be certificate information of a public key certificate of the application program. The public key certificate may be one signed with the chip private key of the trusted hardware after verification; correspondingly, the certificate information may be the certificate information of the public key certificate verified by the trusted hardware, and is used by the trusted hardware for identity verification of the application program.
In an optional example, the signing process of the public key certificate may be as follows: the processor generates a public-private key pair (i.e. a matched public key and private key) belonging to the application program according to the information of the application program, and the trusted hardware (such as a secure processor) signs the public key with the chip private key of the chip where the trusted hardware is located, generating a public key certificate belonging to the application program, which the application program then obtains.
Specifically, after the public and private key pair belonging to the application program is generated, the trusted hardware manufacturer can confirm the identity of the application program, and after the identity is confirmed, the chip private key signature of the trusted hardware is used to form the public key certificate of the application program.
In an alternative implementation, the configuration request may further include feature information of the application program, for example, an identification code of the application program, configuration information, or operation information, where the feature information may be used as at least part of basic data for generating the verification information.
Alternatively, in some optional examples, the configuration request may further include authority configuration information of the application program, for example, read/write authority, and the access authority of the application program includes at least write authority.
Correspondingly, after the processor sends the configuration request, the trusted hardware can acquire the configuration request.
Step S11, the trusted hardware verifies the validity of the identity of the application program according to the identity information.
After the trusted hardware acquires the configuration request, the trusted hardware can verify the validity of the identity according to the identity information in the configuration request. When the identity information is the certificate information of the public key certificate of the application program, the trusted hardware can verify the public key certificate of the application program according to the certificate information, determine the validity of the public key certificate, and further determine the validity of the identity of the application program.
When verifying the public key certificate of the application program according to the certificate information, the certificate can be verified by utilizing a chip public key based on the certificate information to determine the validity of the public key certificate. If the identity of the application program is legal, step S12 is executed, and if the identity of the application program is illegal, an abnormal message is returned to the processor, and the information configuration flow is exited.
Step S12, the trusted hardware generates verification information corresponding to the application program.
When the identity of the application is legal, the trusted hardware may generate verification information corresponding to the application, such that the storage device configures the verification information.
The verification information is the information used for identity verification of the application program, and it may be information used directly for verification. Correspondingly, the identity information of the application program may serve as the verification information; the identity information of the application program is then sent as the data to be verified when the application program accesses data, so that verification of the application program is achieved.
Likewise, in other optional examples, the feature information of the application program may be used as verification information, or the feature information and the identity information of the application program may be used as verification information at the same time, and accordingly, when the application program accesses the data, the data to be verified may be obtained based on the corresponding information, so as to realize verification of the application program.
Step S13, the trusted hardware sends configuration information to the storage device that the application program needs to access;
after the verification information is generated, the verification information can be sent to a storage device as configuration information, so that the verification information is configured on the storage device, and the storage device determines the access authority of the application program based on the verification information.
In an optional example, the configuration information may further include authority configuration information of the application program, so that the storage device determines the authority corresponding to the application program based on the authority configuration information. For example, an application may be configured to have write permission (i.e., control application write enable), such that when a write operation of the application is performed, if the identity of the application is verified to be legitimate, the application is determined to have write permission, and then the write operation of the application is performed.
The storage device is a device having an access right configuration function, so that the configuration of access rights can be realized based on that function. In an alternative example, the access right configuration function may also be turned on or off based on an instruction from the trusted hardware. For example, the access right may be a write right, the instruction controlling the write right may be a write protection enabling instruction, and the write protection enabling instruction may configure write protection enabling information; when the write protection enabling information indicates that the write protection function is enabled, the step of verifying the data to be verified based on the pre-configured verification information is performed. For example, the parameter register in the module may be checked for write_protect=1 or write_protect=0, where write_protect=1 means enabled and write_protect=0 means disabled. When the access right configuration function is turned on or off may be decided by the user's selection at system start-up, which causes the trusted hardware to send the write protection enabling instruction, or by the user's selection while the system is running.
Correspondingly, after the trusted hardware sends the configuration information to the storage device which is required to be accessed by the application program, the storage device can acquire the configuration information, so that verification information in the configuration information is acquired.
Step S14, the storage device configures the verification information to determine the access authority of the application program based on the verification information;
after the verification information corresponding to the application program is obtained, the storage device can configure the verification information, so that the verification of the access authority of the application program is realized in the subsequent access process of the application program. The access rights may include read, write, and executable rights, so that the storage device performs operations such as reading and writing to the storage device based on authentication of the application program. In an alternative example, the access rights include at least a write right, so that a write operation of the application program is controlled, so that the corresponding application program has the write right when the verification passes.
When configuring the verification information, the configuration flow may be executed by the controller of the storage device, and the verification information may be stored in the verification parameter register of the storage device.
Step S15, the trusted hardware sends a feedback message to the processor;
it will be appreciated that after the trusted hardware sends the configuration information, the processor is notified by a feedback message to cause the processor to perform the access of the application to the storage device based on the feedback message.
When the application program performs data access, the data to be checked can be generated in a mode of matching with the check information, for example, the data to be checked is generated based on the characteristic data and the identity data of the application program, and further the storage device can realize confirmation of the access authority of the application program by checking the data to be checked.
It will be appreciated that, when accessing a storage device, having write permission enables an application to change the data stored in the storage device, which is critical to data security. Some typical security threats, such as ransomware, work by encrypting the data and rewriting it to the storage device, so that the user can decrypt and recover the data in the storage device only by obtaining the corresponding key.
The scheme provided by the embodiment of the invention configures corresponding verification information for the storage device, so that the storage device can verify the identity of the application program based on the verification information, thereby resisting the attack of viruses on the data in the storage device.
And based on the authentication of the application program by the storage device, the protection of the data is realized from the hardware side, so that even a program running at a privileged level cannot access the hard disk data without passing authentication, and the data security of the storage device is ensured. Moreover, because the verification information is generated by the trusted hardware, a privileged program cannot obtain it, which ensures the information security of the verification information and in turn prevents the hard disk data from being accessed at will by a privileged program.
In another optional example, the verification information may include encryption information for encryption, so that the data is encrypted based on the encryption information, so as to improve complexity of later data verification and ensure security of the data. When checking, the storage device can generate check data for checking based on the encryption information, and the application program can acquire the check information and generate data to be checked for checking based on the encryption information in the check information so as to realize checking of the data.
Accordingly, referring to the optional flowchart of step S12 shown in fig. 5, generating the verification information corresponding to the application program in step S12 may include:
Step S121: generating encryption information for data encryption;
the encryption information is used for data encryption; specifically, it may include the key used for encryption and may further include information on the encryption algorithm used for data encryption. In an alternative example, encryption may be performed by computing a data digest, for instance with a MAC algorithm, in which case the key may be a MAC-key.
The encryption information is used as verification information, so that the encryption of the data can be realized, the complexity of data verification is improved, and the safety of the data is ensured.
In some optional examples, the verification information may further include variable information as an encrypted data base, where the variable information may change based on a preset rule, so that the variable information may be expressed as different values at different occasions, thereby further improving complexity of data encryption and guaranteeing safety of data. Accordingly, the generating verification information corresponding to the application program in step S12 may further include:
step S122: generating variable information;
the variable information may include an initial value and a corresponding algorithm (for embodying a change rule of the variable information), so that when the change rule and the initial value of the variable information are clarified, a current value of the variable information may be calculated.
For example, the variable information may be a round value, which is incremented by 1 after each operation is performed; once the initial value is determined, the round value corresponding to each operation can be determined.
When the verification information has both the encryption information and the variable information, the step S12 further includes:
step S123: and combining the encryption information and the variable information to form verification information corresponding to the application program.
The encryption information and the variable information can be respectively combined based on different identifications or different positions, so that the verification information is obtained through combination, and the verification information is further sent to a storage device.
Correspondingly, when the storage device performs configuration of the check information in step S14, the check information may be stored in a check parameter register of the storage device, where when the check information includes variable information at the same time, a value in the check parameter register changes based on a preset rule.
When the application program accesses the data, the storage device can generate check data based on the configured check information, the application program can also generate the data to be checked based on the check information, and the generated data to be checked is compared with the check data generated by the storage device to determine the access authority of the application program. Therefore, in the embodiment of the invention, the verification information is further sent to the processor through a feedback message. Specifically, the feedback message includes the verification information.
And sending the verification information to a processor, so that data to be verified corresponding to the application program can be generated based on the verification information, and further, the access of the application program to the storage device is executed based on the verification information.
In an alternative example, the trusted hardware may encrypt the verification information based on the public key of the corresponding application in the public key certificate and send the encrypted ciphertext to the processor. Accordingly, the processor may decrypt the ciphertext based on a private key corresponding to the public key of the application, thereby obtaining the verification information.
Accordingly, referring to the optional flowchart of step S15 shown in fig. 6, step S15 may include:
step S151, encrypting the verification information based on a public key in the public key certificate;
when the identity information of the application program is the certificate information of the application program's public key certificate, the verification information may be encrypted with the public key in that public key certificate. Accordingly, the processor may decrypt the feedback message with the private key of the application program to obtain the verification information.
Step S152, generating a feedback message based on the encrypted ciphertext;
After the verification information is encrypted, the generated ciphertext may be transmitted to the application as at least a portion of the feedback message.
Step S153, sending the generated feedback message to the processor.
Based on the feedback message including the encrypted verification information, the processor may obtain a corresponding ciphertext based on the feedback message, thereby obtaining a corresponding verification message. Specifically, the processor may decrypt and obtain the verification information in the feedback message based on the private key of the application program.
When the verification information includes variable information, the variable information at the application program end has the same change rule and initial value as the variable information at the storage device end and changes synchronously with it, so that the values of the variable information at the application program end and at the storage device end are always consistent.
The data is verified in an encryption mode, so that the complexity of later data verification can be improved, and the safety of the data is further ensured.
In the following, taking writing of data by an executing application program as an example, a data access flow after configuration of check information is described, and referring to an optional flowchart of a data access method shown in fig. 7, the data access flow includes:
Step S21, the processor generates data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be checked;
when the storage device that the application program needs to access requires security verification, data to be processed that contains both the data to be written and the data to be verified is generated at the time of writing.
It is understood that the data to be verified matches the verification information configured in the storage device. Specifically, when the verification information configured in the storage device is identity information of the application program, the data to be verified may be the identity information of the application program; similarly, when the characteristic information of the application program is verification information, or the characteristic information and the identity information of the application program are used as verification information, corresponding data to be verified of the application program corresponds to the characteristic information of the application program, or the characteristic information of the application program and the identity information of the application program are used for realizing verification of the application program based on the corresponding data to be verified.
The data to be processed can be set to be data with a fixed format so as to realize normal use of the verification function in the controller. For example, taking 256-bit (bit) data as an example, the data to be verified may be set at the head of the data to be processed, and the data to be written may be set at the tail of the data to be processed. Referring to the schematic structure of the data to be processed shown in fig. 8, when an application program needs to write data into a storage device, 256 bits of data needs to be generated as data to be verified each time the data is written, and the data to be verified is set at the head of the data to be written.
It should be noted that the format of the data to be processed may be completely transparent to file system management in the operating system kernel.
Returning to fig. 7, referring to step S22, the processor sends the data to be processed to the storage device;
after the data to be processed is generated, the data to be processed can be sent to a storage device, so that the storage device can write the data to be written in according to the authority of the application program after verifying the data to be verified according to the verification information.
Step S23, the storage device checks the data to be checked based on the pre-configured check information;
verifying the data to be verified to determine the access authority of the application program; when data is written, the access right at least comprises a writing right;
by judging whether the application program has write permission, the data in the storage device is protected from tampering by an application program without permission; for example, the data in the storage device can be prevented from being encrypted by ransomware, so that the security of the data is guaranteed.
If the data to be verified passes the verification, step S24 is executed; if it does not pass, the writer is considered illegal or a virus attack is considered to have occurred, and the access flow exits abnormally.
In other optional examples, the storage device further confirms whether the write-protection function is enabled or not before checking, and if the write-protection function is not enabled, step S24 is directly performed. In a specific example, it may be determined whether the write protect is equal to 1, and if not, it is indicated that the write protect function is not enabled, and step S24 is performed.
Step S24, the storage device writes the data to be written into the storage device;
it can be understood that if the data to be verified passes the verification, the application program has a corresponding access right. When the access right at least comprises a writing right, the data to be verified passes verification, and the data to be written in can be written in the storage device.
It is to be understood that the application program may, for example, write in DMA (Direct Memory Access) mode.
The scheme provided by the embodiment of the invention configures corresponding verification information for the storage device, so that the storage device can verify the identity of the application program based on the verification information, thereby resisting the attack of viruses on the data in the storage device.
And based on the authentication of the application program by the storage device, the protection of the data is realized from the hardware side, so that even a program running at a privileged level cannot access the hard disk data without passing authentication, and the data security of the storage device is ensured. Moreover, because the verification information is generated by the trusted hardware, a privileged program cannot obtain it, which ensures the information security of the verification information and in turn prevents the hard disk data from being accessed at will by a privileged program.
In another optional example, the verification information includes encryption information used for encryption, and accordingly, when data access is performed, data to be verified for verification may be generated based on the encryption information and encryption is performed on the data.
Accordingly, referring to the optional flowchart of step S21 shown in fig. 9, the step of generating data to be processed in step S21 may include:
step S211: acquiring data to be written of an application program;
when the verification information includes encryption information for encryption, the data to be written can be encrypted based on the encryption information, so that data verification is realized based on the encrypted data obtained by encryption as the data to be verified.
Correspondingly, after the data to be written of the application program is generated, the data to be written can be acquired and used as a data base for generating the data to be verified.
Step S212: encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
after the data to be written is acquired, encryption of the data to be written may be performed based on encryption information in the verification information.
Specifically, when the verification information includes only encryption information, taking encryption information that is the key used for encryption as an example, the data to be written is encrypted based on that key. In an alternative example, the key may be a MAC-key; correspondingly, a MAC algorithm may be adopted, the data to be written is encrypted based on the MAC-key, and the resulting encrypted data of the data to be written is used as the data to be verified.
In a further optional example, when the verification information further includes variable information, the step S212 may specifically be: and encrypting the data to be written based on the encryption information and the variable information to obtain the encryption data of the data to be written, and taking the encryption data of the data to be written as the data to be verified.
The variable information may participate in the encryption as a digest parameter. For example, if the encryption information is the key MAC-key, the variable information is the round value and the encryption algorithm is SM3, the corresponding encrypted data is MAC = SM3(data to be written || MAC-key || round value), where || denotes concatenation.
It should be noted that, after the encryption calculation is performed, the variable information is changed based on a preset change rule. For example, when the variable information is a round value, the corresponding round value is added by 1 after each encryption operation is performed.
Step S213: merging the data to be verified and the data to be written into data to be processed;
based on the fixed format set by the data to be processed, the data to be verified and the data to be written can be combined into the data to be processed. For example, taking the data to be verified as a 256-bit MAC value as an example, the MAC value may be set at the head of the data, and the data to be written may be set at the rear of the MAC value.
Correspondingly, referring to the optional flowchart of step S23 shown in fig. 10, in step S23, the corresponding verification procedure may include:
step S231, obtaining data to be written in the data to be processed;
after receiving the data to be processed, the data to be written in the data to be processed can be determined based on the format of the data to be processed.
Step S232, encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
after the data to be written is acquired, encryption of the data can be performed based on the configured verification information.
Specifically, when the verification information includes only encryption information, taking encryption information that is the key used for encryption as an example, the data to be written is encrypted based on that key. In an alternative example, the key may be a MAC-key; correspondingly, a MAC algorithm may be adopted, the data to be written is encrypted based on the MAC-key, and the resulting encrypted data of the data to be written is used as the verification data. Specifically, the verification module in the controller may be used to generate the verification data, and its calculation engine may perform the encryption calculation.
In a further optional example, when the verification information further includes variable information, step S232 may specifically be: encrypting the data to be written based on the encryption information and the variable information to obtain the encrypted data of the data to be written, and taking that encrypted data as the verification data. For example, if the encryption information is the key MAC-key, the variable information is the round value and the encryption algorithm is SM3, the corresponding encrypted data is MAC = SM3(data to be written || MAC-key || round value).
It should be noted that, after the encryption calculation is performed, the variable information is changed based on a preset change rule. For example, when the variable information is a round value, the corresponding round value is added by 1 after each encryption operation is performed.
Step S233, comparing the data to be checked with the check data;
if the data to be checked are matched with the check data, the data to be checked pass the check; if the data to be checked and the check data are not matched, the data to be checked do not pass the check.
And when the data to be checked do not pass the check, the access flow is abnormally exited.
It can be seen that the complexity of the later data verification can be improved by verifying the data in an encryption mode, so that the safety of the data is further ensured.
It should be noted that the application program itself may use a number of security technologies, such as encrypted virtualization, TEE (Trusted Execution Environment) and the like, to ensure its own security and resist attacks by viruses on the application program itself; the embodiment of the present invention is not specifically limited in this respect.
In a specific example, referring to the schematic diagram of a data access flow shown in fig. 11, the data access flow includes:
when the application program needs to write data, calculating a corresponding MAC value (hereinafter the original MAC) based on the data to be written, which serves as the data to be checked, where:
original MAC = SM3(data to be written || MAC-key || round value)
generating the data to be processed in the format shown in fig. 8 by the step of generating formatted data, and adding 1 to the round value.
Correspondingly, the controller in the storage device first judges whether the write-protection function is enabled. If not, the controller directly executes a DMA copy, copying the data to be written into the storage device. If so, it calculates a check MAC value using its SM3 calculation engine based on the MAC-key and the round value, as the check data, specifically:
check MAC = SM3(data to be written || MAC-key || round value)
It then adds 1 to the round value and judges whether the calculated check data equals the data to be checked, namely whether the check MAC equals the original MAC; if so, it executes the DMA copy, copying the data to be written into the hard disk, and if not, it exits with an error.
In the following, the solution provided by the embodiments of the present invention is described from the perspective of the apparatus; each apparatus described below may be regarded as the functional modules that need to be provided to implement the method provided by the embodiments of the present invention, and the contents of the apparatus described below may be cross-referenced with the contents of the method described above.
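The write flow of fig. 11 and steps S232/S233 above, as an added Go example with both sides of the exchange; it is not code from the patent. Go's standard library has no SM3 engine, so SHA-256 stands in for SM3 in the same construction (data to be written || MAC-key || round value); the 8-byte big-endian encoding of the round value, the 32-byte MAC-key length, the stripping of the header on the unprotected path, and all type and function names are assumptions. The payloads are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

const macLen = sha256.Size

// macOf is the page's SM3(data to be written || MAC-key || round value). Go's standard library
// has no SM3 engine, so SHA-256 stands in; the round value is encoded as 8 big-endian bytes (assumed).
func macOf(data, macKey []byte, round uint64) []byte {
	var r [8]byte
	binary.BigEndian.PutUint64(r[:], round)
	h := sha256.New()
	h.Write(data)
	h.Write(macKey)
	h.Write(r[:])
	return h.Sum(nil)
}

type VerificationInfo struct {
	MACKey []byte // encryption information
	Round  uint64 // variable information
}

// NewVerificationInfo draws a 32-byte MAC-key (assumed length) and a random initial round value.
func NewVerificationInfo() (VerificationInfo, error) {
	buf := make([]byte, 32+8)
	if _, err := rand.Read(buf); err != nil {
		return VerificationInfo{}, err
	}
	return VerificationInfo{MACKey: buf[:32], Round: binary.BigEndian.Uint64(buf[32:])}, nil
}

// Application is the processor side, holding the verification information from the feedback message.
type Application struct{ info VerificationInfo }

// Prepare builds the data to be processed as in fig. 8 (original MAC header, data tail), then adds 1 to the round value.
func (a *Application) Prepare(data []byte) []byte {
	mac := macOf(data, a.info.MACKey, a.info.Round)
	a.info.Round++
	return append(mac, data...)
}

// StorageController: write-protect enable, verification parameter register, and the disk it DMA-copies into.
type StorageController struct {
	WriteProtect bool
	info         VerificationInfo
	Disk         [][]byte
}

var ErrCheckFailed = errors.New("data to be checked does not match check data: access flow exited")

// Write follows fig. 11 in the page's order: write protection off means a direct copy; otherwise compute
// the check MAC, add 1 to the round value, then compare. The header is stripped in both cases (assumed).
func (s *StorageController) Write(pending []byte) error {
	if len(pending) < macLen {
		return ErrCheckFailed
	}
	toCheck, data := pending[:macLen], pending[macLen:]
	if s.WriteProtect {
		check := macOf(data, s.info.MACKey, s.info.Round)
		s.info.Round++
		if !hmac.Equal(toCheck, check) { // constant-time comparison
			return ErrCheckFailed
		}
	}
	s.Disk = append(s.Disk, append([]byte(nil), data...))
	return nil
}

type ScenarioResult struct {
	LegitimateAccepted, ReplayRejected, ForgeryRejected, DesyncAfterReject bool
	Disk                                                                   [][]byte
}

// RunScenario gives one application and one storage device the same verification information and drives the flow.
func RunScenario() (ScenarioResult, error) {
	info, err := NewVerificationInfo()
	if err != nil {
		return ScenarioResult{}, err
	}
	app := &Application{info: info}
	ctrl := &StorageController{WriteProtect: true, info: info}
	var res ScenarioResult
	pkt := app.Prepare([]byte("constructed sector payload"))
	res.LegitimateAccepted = ctrl.Write(pkt) == nil
	res.ReplayRejected = errors.Is(ctrl.Write(pkt), ErrCheckFailed) // same packet again: round value has moved on
	forged := append(macOf([]byte("x"), []byte("not the key"), 0), []byte("x")...)
	res.ForgeryRejected = errors.Is(ctrl.Write(forged), ErrCheckFailed) // no MAC-key, no matching header
	// Caveat: adding 1 before comparing leaves the controller's round value ahead of the application's after every rejected packet.
	res.DesyncAfterReject = errors.Is(ctrl.Write(app.Prepare([]byte("second payload"))), ErrCheckFailed)
	res.Disk = ctrl.Disk
	return res, nil
}
```

The round value is what makes a captured packet useless a second time, and the keyed header is what a writer without the MAC-key cannot produce. The one caveat worth noting for anyone implementing the flow as the page orders it is that the controller advances its round value before comparing, so a single rejected packet (a replay or a forgery arriving at the controller) leaves the legitimate application one step behind and its next write is refused too; a practitioner would want a resynchronisation path, or to advance the round only on a successful check, which the page does not discuss.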
In an alternative implementation, fig. 12 shows an alternative block diagram of an information configuration apparatus provided by an embodiment of the present invention, where the information configuration apparatus may be applied to trusted hardware, as shown in fig. 12, and the information configuration apparatus may include:
a request acquisition module 100, configured to acquire a configuration request of an application program, where the configuration request at least includes identity information of the application program;
an identity verification module 110, configured to verify validity of an identity of the application program according to the identity information;
the information generating module 120 is configured to generate verification information corresponding to the application program when the identity of the application program is legal;
And the information sending module 130 is configured to send configuration information to a storage device that is required to be accessed by the application program, where the configuration information includes the verification information, so that the storage device determines the access authority of the application program based on the verification information.
Optionally, the information configuration apparatus further includes:
and a feedback message sending module 140, configured to send a feedback message to a processor, so that the processor executes access of the application program to the storage device based on the feedback message.
Optionally, the information generating module 120 is configured to generate verification information corresponding to the application program, including:
encryption information for data encryption is generated, and the encryption information is used as the verification information.
Optionally, the information generating module 120 is configured to generate verification information corresponding to the application program, including:
generating encryption information for data encryption;
generating variable information, wherein the variable information changes based on a preset rule;
and combining the encryption information and the variable information to form verification information corresponding to the application program.
Optionally, the variable information is a round value, and the information generating module 120 is configured to generate variable information, including: an initial value of the round value is randomly generated.
Optionally, the identity information is certificate information of a public key certificate of the application program, and the public key certificate is signed based on a chip private key of the trusted hardware.
Optionally, the feedback message sending module 140 is configured to send a feedback message to the processor, including:
encrypting the verification information based on a public key in the public key certificate;
generating a feedback message based on the encrypted ciphertext;
and sending the generated feedback message to the processor.
Optionally, the information generating module 120 generates the verification information corresponding to the application program by taking the identity information of the application program as the verification information.
Optionally, the configuration request includes feature information of the application program, and the information generating module 120 is configured to generate verification information corresponding to the application program, including: taking the characteristic information of the application program as verification information; or, taking the characteristic information of the application program and the identity information of the application program as verification information.
Optionally, the configuration information further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
In an alternative implementation, fig. 13 shows an alternative block diagram of an information configuration apparatus provided by an embodiment of the present invention, where the information configuration apparatus may be applied to a storage device, as shown in fig. 13, and the information configuration apparatus may include:
the information acquisition module 200 is configured to acquire configuration information, where the configuration information includes verification information corresponding to an application program, where the verification information is generated by trusted hardware when verifying that an identity of the application program is legal;
an information configuration module 210, configured to configure the verification information to determine the access rights of the application program based on the verification information.
Optionally, the configuration information further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
In an optional implementation, fig. 14 shows an optional block diagram of an information configuration apparatus provided in an embodiment of the present invention, where the information configuration apparatus may be applied to a device that executes an application program, and may specifically be a processor, as shown in fig. 14, where the information configuration apparatus may include:
a request sending module 300, configured to send a configuration request to trusted hardware, where the configuration request includes at least identity information of the application program, so that the trusted hardware verifies validity of an identity of the application program based on the identity information, and generates verification information corresponding to the application program when the identity of the application program is legal, so that a storage device that the application program needs to access configures the verification information, and confirms access rights of the application program based on the verification information;
A feedback message obtaining module 310, configured to obtain a feedback message sent by the trusted hardware, so as to perform access of the application program to the storage device based on the feedback message.
Optionally, the information configuration apparatus further includes:
a key generation module 320, configured to generate a public-private key pair belonging to the application program according to the information of the application program;
a key sending module 330, configured to send a public key in the public-private key pair to the trusted hardware, so that the trusted hardware signs the public key with a private key based on a chip private key of a chip where the trusted hardware is located, and generates a public key certificate that belongs to the application program;
a certificate acquisition module 340, configured to acquire the public key certificate.
Optionally, the information configuration apparatus further includes:
and the decryption module 350 is configured to decrypt and obtain the verification information in the feedback message based on the private key of the application program.
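The provisioning and feedback steps described above (the processor generates the application's key pair, the trusted hardware signs the public key with the chip private key to form the certificate, checks that certificate when a configuration request arrives, and returns the verification information encrypted to the application's public key, which the processor decrypts with its private key), as an added Go example; it is not the patent's code. The page names no algorithms, so ECDSA P-256 for the chip key, RSA-2048 with OAEP for the application key, the 40-byte MAC-key||round-value layout of the verification information, the OAEP label and all names are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
)

// AppCertificate stands in for the public key certificate: the application's public key
// signed with the chip private key of the trusted hardware. The algorithms are assumptions.
type AppCertificate struct {
	PublicKeyDER []byte // application RSA public key, PKIX DER
	Signature    []byte // ECDSA P-256 (ASN.1) over SHA-256(PublicKeyDER)
}

type TrustedHardware struct{ chipKey *ecdsa.PrivateKey }

func NewTrustedHardware() (*TrustedHardware, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedHardware{chipKey: k}, nil
}

// IssueCertificate is the key provisioning step: the processor sends the application's
// public key and the trusted hardware signs it with the chip private key.
func (t *TrustedHardware) IssueCertificate(pub *rsa.PublicKey) (AppCertificate, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return AppCertificate{}, err
	}
	digest := sha256.Sum256(der)
	sig, err := ecdsa.SignASN1(rand.Reader, t.chipKey, digest[:])
	return AppCertificate{PublicKeyDER: der, Signature: sig}, err
}

var ErrIllegalIdentity = errors.New("identity of the application program is not legal")

const oaepLabel = "verification-info" // constructed label binding the ciphertext to its purpose

// HandleConfigRequest verifies the identity information (the certificate) with the chip public key,
// generates verification information (32-byte MAC-key || 8-byte random initial round value, assumed
// layout) and returns it twice: in the clear for the storage device's verification parameter
// register, and encrypted to the application's public key (RSA-OAEP, assumed) as the feedback message.
func (t *TrustedHardware) HandleConfigRequest(cert AppCertificate) (storageConfig, feedback []byte, err error) {
	digest := sha256.Sum256(cert.PublicKeyDER)
	if !ecdsa.VerifyASN1(&t.chipKey.PublicKey, digest[:], cert.Signature) {
		return nil, nil, ErrIllegalIdentity
	}
	parsed, err := x509.ParsePKIXPublicKey(cert.PublicKeyDER)
	appPub, ok := parsed.(*rsa.PublicKey)
	if err != nil || !ok {
		return nil, nil, ErrIllegalIdentity
	}
	info := make([]byte, 32+8)
	if _, err := rand.Read(info); err != nil {
		return nil, nil, err
	}
	feedback, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, appPub, info, []byte(oaepLabel))
	return info, feedback, err
}

// RunProvisioning drives the flow once: whether application and storage device end up with identical
// verification information, and whether a certificate whose public key the chip never signed is refused.
func RunProvisioning() (configured, unsignedKeyRejected bool, err error) {
	hw, err := NewTrustedHardware()
	if err != nil {
		return false, false, err
	}
	appKey, err := rsa.GenerateKey(rand.Reader, 2048) // processor generates the application's key pair
	if err != nil {
		return false, false, err
	}
	cert, err := hw.IssueCertificate(&appKey.PublicKey)
	if err != nil {
		return false, false, err
	}
	storageConfig, feedback, err := hw.HandleConfigRequest(cert)
	if err != nil {
		return false, false, err
	}
	// Processor side: the private key of the application recovers the verification information.
	recovered, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, appKey, feedback, []byte(oaepLabel))
	if err != nil {
		return false, false, err
	}
	configured = len(recovered) == 40 && bytes.Equal(storageConfig, recovered)
	// One bit of the public key changed: the chip's signature no longer covers it, so nothing is generated or sent.
	altered := AppCertificate{PublicKeyDER: append([]byte(nil), cert.PublicKeyDER...), Signature: cert.Signature}
	altered.PublicKeyDER[len(altered.PublicKeyDER)-1] ^= 0x01
	_, _, err = hw.HandleConfigRequest(altered)
	return configured, errors.Is(err, ErrIllegalIdentity), nil
}
```

The point the flow relies on is that the chip signature binds the certificate to exactly the public key the trusted hardware enrolled, and that the feedback message is readable only by the holder of the matching private key; the storage device never sees the certificate, only the verification information delivered over the configuration path.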
Optionally, the configuration information further includes authority configuration information of the application program, and the access authority of the application program at least includes writing authority.
In an alternative implementation, fig. 15 shows an alternative block diagram of a data access apparatus provided by an embodiment of the present invention, where the data access apparatus may be applied to a storage device, as shown in fig. 15, and the data access apparatus may include:
The data acquisition module 400 is configured to acquire data to be processed of an application program, where the data to be processed includes data to be written and data to be checked;
a data verification module 410, configured to verify the data to be verified based on pre-configured verification information, so as to determine access rights of the application program; wherein the access rights at least comprise write rights;
and the data writing module 420 is configured to write the data to be written into the storage device when the data to be verified passes the verification.
Optionally, the data verification module 410 is configured to verify the data to be verified based on pre-configured verification information, including:
acquiring data to be written in the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
and comparing the data to be checked with the check data, and if the data to be checked are matched, passing the check of the data to be checked.
Optionally, the verification information is identity information of the application program and/or feature information of the application program.
Optionally, the storage device is configured with write protection enabling information, and when the write protection enabling information indicates that a write protection function is enabled, the data verification module 410 performs the step of verifying the data to be verified based on the pre-configured verification information.
In an optional implementation, fig. 16 shows an optional block diagram of a data access apparatus provided in an embodiment of the present invention, where the data access apparatus may be applied to a device for executing an application, and may specifically be a processor, as shown in fig. 16, where the data access apparatus may include:
the data generating module 500 is configured to generate data to be processed of an application program, where the data to be processed includes data to be written and data to be verified;
the data sending module 510 is configured to send the data to be processed to a storage device, so that the storage device verifies the data to be verified according to the verification information, and then writes the data to be written according to the authority of the application program.
Optionally, the data generating module 500 is configured to set the data to be verified at a header of the data to be processed and set the data to be written at a tail of the data to be processed in a process of generating the data to be processed of the application program.
Optionally, the data generating module 500 is configured to generate data to be processed of an application program, including:
acquiring data to be written of an application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
And merging the data to be verified and the data to be written into data to be processed.
Optionally, the data generating module 500 is configured to use identity information of an application program and/or feature information of the application program as data to be verified in a process of generating data to be processed of the application program.
The embodiment of the present invention further provides trusted hardware, which may be configured to perform the information configuration method from the trusted hardware perspective provided by the embodiment of the present invention; for details, refer to the description of the corresponding part above, which is not repeated here.
The embodiment of the invention also provides a storage device, which may be configured to perform the information configuration method from the storage device perspective and the data access method from the storage device perspective; for details, refer to the description of the corresponding parts above, which is not repeated here.
The embodiment of the invention also provides a storage device comprising a controller, where the controller may be configured to perform the information configuration method from the storage device perspective and the data access method from the storage device perspective.
Optionally, the controller includes a verification module, where the verification module includes a calculation engine and a verification parameter register; the calculation engine is used to perform the encryption calculation, and the verification parameter register is used to store the verification information.
For the specific implementation of the storage device, refer to the corresponding part of the description above, which is not repeated here.
The embodiment of the invention also provides a processor, configured to perform the information configuration method from the processor perspective and the data access method from the processor perspective provided by the embodiment of the invention; for details, refer to the description of the corresponding parts above, which is not repeated here.
The embodiment of the present invention further provides a data processing system, whose structure may be understood with reference to fig. 3, and which may include: the trusted hardware provided by the embodiment of the invention, the storage device provided by the embodiment of the invention and the processor provided by the embodiment of the invention.
The embodiment of the invention also provides a storage medium storing one or more computer-executable instructions, which are used to perform the information configuration method from the trusted hardware perspective, the information configuration method from the storage device perspective, the information configuration method from the processor perspective, the data access method from the storage device perspective, or the data access method from the processor perspective provided by the embodiment of the invention.
The foregoing describes several embodiments of the present invention; the various alternatives presented by the various embodiments may be combined and cross-referenced with each other where there is no conflict, so as to extend to further possible embodiments, all of which are considered embodiments disclosed by the present invention.
Although the embodiments of the present invention are disclosed above, the present invention is not limited thereto. Various changes and modifications may be made by those skilled in the art without departing from the spirit and scope of the invention, and the scope of the invention should therefore be determined by the appended claims.
Claims (32)
1. An information configuration method, applied to trusted hardware, comprising:
acquiring a configuration request of an application program, wherein the configuration request at least comprises identity information of the application program;
verifying the legitimacy of the identity of the application program according to the identity information;
if the identity of the application program is legal, generating verification information corresponding to the application program;
and sending configuration information to a storage device which is required to be accessed by the application program, wherein the configuration information comprises the verification information and authority configuration information of the application program, so that the storage device determines the access authority of the application program based on the verification information, the access authority of the application program at least comprises writing authority, and the storage device is an external storage device.
2. The information configuration method according to claim 1, characterized by further comprising:
a feedback message is sent to a processor to cause the processor to perform access to the storage device by the application based on the feedback message.
3. The information configuration method according to claim 2, wherein the generating verification information corresponding to the application program includes:
encryption information for data encryption is generated, and the encryption information is used as the verification information.
4. The information configuration method according to claim 2, wherein the generating verification information corresponding to the application program includes:
generating encryption information for data encryption;
generating variable information, wherein the variable information changes based on a preset rule;
and combining the encryption information and the variable information to form verification information corresponding to the application program.
5. The information configuration method according to claim 4, wherein the variable information is a round value; the generating variable information includes: an initial value of the round value is randomly generated.
6. The information configuration method according to claim 3 or 4, wherein the identity information is certificate information of a public key certificate of the application program, the public key certificate being signed based on a chip private key of the trusted hardware.
7. The information configuration method according to claim 6, wherein the sending a feedback message to the processor includes:
encrypting the verification information based on a public key in the public key certificate;
generating a feedback message based on the encrypted ciphertext;
and sending the generated feedback message to the processor.
8. The information configuration method according to claim 1, wherein the step of generating the verification information corresponding to the application program includes: and taking the identity information of the application program as verification information.
9. The information configuration method according to claim 1, wherein the configuration request includes feature information of the application program, and the step of generating verification information corresponding to the application program includes: taking the characteristic information of the application program as verification information; or, taking the characteristic information of the application program and the identity information of the application program as verification information.
10. An information configuration method, applied to a storage device, the storage device being an external storage device, the method comprising:
acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program and authority configuration information of the application program, and the verification information is generated by trusted hardware when verifying the identity of the application program;
And configuring the verification information to determine the access rights of the application program based on the verification information, wherein the access rights of the application program at least comprise writing rights.
11. An information configuration method, applied to a processor, comprising:
sending a configuration request to trusted hardware, wherein the configuration request at least comprises identity information of an application program and authority configuration information of the application program, so that the trusted hardware verifies the legitimacy of the identity of the application program based on the identity information, and generates verification information corresponding to the application program when the identity of the application program is legal, so that a storage device which is required to be accessed by the application program configures the verification information to confirm the access authority of the application program based on the verification information, wherein the access authority of the application program at least comprises writing authority, and the storage device is an external storage device;
and acquiring a feedback message sent by the trusted hardware to execute the access of the application program to the storage device based on the feedback message.
12. The information configuration method according to claim 11, characterized by further comprising, before the sending of the configuration request to the trusted hardware:
Generating public and private key pairs belonging to the application program according to the information of the application program;
sending the public key in the public-private key pair to the trusted hardware, so that the trusted hardware carries out private key signing on the public key based on the chip private key of the chip where the trusted hardware is positioned, and a public key certificate belonging to the application program is generated;
and acquiring the public key certificate.
13. The information configuration method according to claim 11, characterized by further comprising, after the obtaining of the feedback message sent by the trusted hardware:
and decrypting and obtaining the verification information in the feedback message based on the private key of the application program.
14. A data access method applied to the storage device of claim 10, comprising:
acquiring data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be checked;
verifying the data to be verified based on pre-configured verification information to determine the access authority of the application program; wherein the access rights at least comprise write rights;
and if the data to be verified passes the verification, writing the data to be written into the storage equipment.
15. The data access method according to claim 14, wherein the verifying the data to be verified based on the pre-configured verification information includes:
acquiring data to be written in the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
and comparing the data to be checked with the check data, and if the data to be checked are matched, passing the check of the data to be checked.
16. The data access method according to claim 14, wherein the verification information is identity information of the application program and/or characteristic information of the application program.
17. The data access method according to claim 14, wherein the storage device is configured with write protection enable information, and the step of verifying the data to be verified based on the pre-configured verification information is performed when the write protection enable information indicates that a write protection function is enabled.
18. A data access method, applied to the processor of claim 11, comprising:
Generating data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be checked;
and sending the data to be processed to a storage device, so that the storage device can write the data to be written in according to the authority of the application program after checking the data to be checked according to the checking information.
19. The method according to claim 18, wherein in the step of generating the data to be processed of the application program, the data to be verified is set at a head of the data to be processed, and the data to be written is set at a tail of the data to be processed.
20. The data access method according to claim 18 or 19, wherein the generating the data to be processed of the application program comprises:
acquiring data to be written of the application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
and merging the data to be verified and the data to be written into data to be processed.
21. The method according to claim 18 or 19, wherein in the step of generating the data to be processed of the application program, the identity information of the application program and/or the characteristic information of the application program are used as the data to be verified.
22. An information configuration apparatus, comprising:
a request acquisition module, configured to acquire a configuration request of an application program, where the configuration request at least comprises identity information of the application program;
the identity verification module is used for verifying the validity of the identity of the application program according to the identity information;
the information generation module is used for generating verification information corresponding to the application program when the identity of the application program is legal;
the information sending module is used for sending configuration information to a storage device which is required to be accessed by the application program, wherein the configuration information comprises the verification information and authority configuration information of the application program, so that the storage device determines the access authority of the application program based on the verification information, the access authority of the application program at least comprises writing authority, and the storage device is an external storage device.
23. An information configuration apparatus, characterized by being applied to a storage device, the storage device being an external storage device, comprising:
the information acquisition module is used for acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program and authority configuration information of the application program, and the verification information is generated by trusted hardware;
And the information configuration module is used for configuring the verification information to determine the access right of the application program based on the verification information, wherein the access right of the application program at least comprises a writing right.
24. An information configuration apparatus, comprising:
a request sending module, configured to send a configuration request to trusted hardware, where the configuration request includes at least identity information of an application program and authority configuration information of the application program, so that the trusted hardware verifies validity of an identity of the application program based on the identity information, and generates verification information corresponding to the application program when the identity of the application program is legal, so that a storage device that the application program needs to access configures the verification information, and confirms access authority of the application program based on the verification information, where the access authority of the application program at least includes writing authority, and the storage device is an external storage device;
and the feedback message acquisition module is used for acquiring the feedback message sent by the trusted hardware so as to execute the access of the application program to the storage device based on the feedback message.
25. A data access apparatus for use in a storage device as claimed in claim 23, comprising:
The data acquisition module is used for acquiring data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be checked;
the data verification module is used for verifying the data to be verified based on pre-configured verification information so as to determine the access authority of the application program; wherein the access rights at least comprise write rights;
and the data writing module is used for writing the data to be written into the storage device when the data to be verified passes the verification.
26. A data access device, applied to the processor of claim 11, comprising:
the data generation module is used for generating data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be checked;
and the data transmitting module is used for transmitting the data to be processed to the storage equipment so that the storage equipment can write the data to be written in according to the authority of the application program after checking the data to be checked according to the checking information.
27. Trusted hardware configured to perform the information configuration method of any one of claims 1-9.
28. A storage device, characterized in that the storage device comprises a controller configured to perform the information configuration method according to claim 10, and the data access method according to any one of claims 14 to 17.
29. The storage device of claim 28, wherein the controller comprises a verification module comprising a calculation engine and a verification parameter register, the calculation engine being configured to perform the encryption calculation and the verification parameter register being configured to store the verification information.
30. A processor configured to perform the information configuration method of any one of claims 11-13, and the data access method of any one of claims 18-21.
31. A data processing system, comprising:
the trusted hardware of claim 27, the storage device of any one of claims 28 to 29, and the processor of claim 30.
32. A storage medium storing one or more computer-executable instructions for performing the information configuration method of any one of claims 1 to 9, or the information configuration method of claim 10, or the information configuration method of any one of claims 11 to 13, or the data access method of any one of claims 14 to 17, or the data access method of any one of claims 18 to 21.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111454122.4A CN114091027B (en) | 2021-12-01 | 2021-12-01 | Information configuration method, data access method, related device and equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114091027A CN114091027A (en) | 2022-02-25 |
CN114091027B true CN114091027B (en) | 2023-08-29 |
Family ID: 80306097
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111454122.4A Active CN114091027B (en) | 2021-12-01 | 2021-12-01 | Information configuration method, data access method, related device and equipment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114091027B (en) |
Citations (23)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN201549223U (en) * | 2009-05-04 | 2010-08-11 | 同方股份有限公司 | Trusted secure portable storage device |
CN102393836A (en) * | 2011-10-31 | 2012-03-28 | 北京天地融科技有限公司 | Mobile memory and access control method and system for mobile memory |
CN104318176A (en) * | 2014-10-28 | 2015-01-28 | 东莞宇龙通信科技有限公司 | Terminal and data management method and device thereof |
CN105282117A (en) * | 2014-07-21 | 2016-01-27 | 中兴通讯股份有限公司 | Access control method and device |
CN106161028A (en) * | 2015-04-17 | 2016-11-23 | 国民技术股份有限公司 | Safety chip, communication terminal and the method improving communication security |
CN106528690A (en) * | 2016-10-31 | 2017-03-22 | 维沃移动通信有限公司 | Method for accessing storage medium by application and mobile terminal |
CN106657052A (en) * | 2016-12-16 | 2017-05-10 | 湖南国科微电子股份有限公司 | Access management method and system for storage data |
CN106899963A (en) * | 2017-02-07 | 2017-06-27 | 上海斐讯数据通信技术有限公司 | Mobile hard disk and application method with sharing functionality |
CN107330305A (en) * | 2017-06-28 | 2017-11-07 | 北京小米移动软件有限公司 | To the access right control method and device of data in the external storage of mobile terminal |
CN108390892A (en) * | 2018-03-31 | 2018-08-10 | 北京联想核芯科技有限公司 | A kind of control method and device of remote storage system secure access |
CN109257391A (en) * | 2018-11-30 | 2019-01-22 | 北京锐安科技有限公司 | A kind of access authority opening method, device, server and storage medium |
CN109522060A (en) * | 2018-10-16 | 2019-03-26 | 深圳壹账通智能科技有限公司 | The restoring method and terminal device of business scenario |
CN110457925A (en) * | 2019-08-12 | 2019-11-15 | 深圳市网心科技有限公司 | Data isolation method, device, terminal and storage medium are applied in the storage of inside and outside |
CN111159762A (en) * | 2019-12-23 | 2020-05-15 | 北京工业大学 | Method and system for verifying credibility of main body under mandatory access control |
CN111431707A (en) * | 2020-03-19 | 2020-07-17 | 腾讯科技(深圳)有限公司 | Service data information processing method, device, equipment and readable storage medium |
CN111756698A (en) * | 2020-05-27 | 2020-10-09 | 浪潮电子信息产业股份有限公司 | Message transmission method, device, equipment and computer readable storage medium |
CN111885196A (en) * | 2020-07-31 | 2020-11-03 | 支付宝(杭州)信息技术有限公司 | Method, device and system for accessing equipment data of Internet of things cloud platform |
CN112433817A (en) * | 2020-11-27 | 2021-03-02 | 海光信息技术股份有限公司 | Information configuration method, direct storage access method and related device |
CN112540831A (en) * | 2020-12-23 | 2021-03-23 | 海光信息技术股份有限公司 | Virtual trusted environment loading and running method, data processing device and safety processing device |
CN112784262A (en) * | 2021-01-06 | 2021-05-11 | 北京小米移动软件有限公司 | Data access method, device, terminal and storage medium |
CN113010911A (en) * | 2021-02-07 | 2021-06-22 | 腾讯科技(深圳)有限公司 | Data access control method and device and computer readable storage medium |
CN113282951A (en) * | 2021-03-12 | 2021-08-20 | 北京字节跳动网络技术有限公司 | Security verification method, device and equipment for application program |
CN113468618A (en) * | 2021-05-28 | 2021-10-01 | 邓丰赣 | Mobile hard disk multi-security-level interaction method and system |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8631507B2 (en) * | 2006-03-27 | 2014-01-14 | Intel Corporation | Method of using signatures for measurement in a trusted computing environment |
NL2006733C2 (en) * | 2011-05-06 | 2012-11-08 | Tele Id Nl B V | Method and system for allowing access to a protected part of a web application. |
US10313427B2 (en) * | 2014-09-24 | 2019-06-04 | Intel Corporation | Contextual application management |
- 2021-12-01: CN application CN202111454122.4A, granted as patent CN114091027B, status Active
Non-Patent Citations (1)
Title |
---|
Remote management of mobile devices based on SEAndroid; Yang Zhonghuang et al.; Journal of Xi'an University of Posts and Telecommunications; Vol. 23, No. 3; pp. 13-20 * |
Also Published As
Publication number | Publication date |
---|---|
CN114091027A (en) | 2022-02-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN109313690B (en) | | Self-contained encrypted boot policy verification |
US7986786B2 (en) | | Methods and systems for utilizing cryptographic functions of a cryptographic co-processor |
US10771264B2 (en) | | Securing firmware |
US9135417B2 (en) | | Apparatus for generating secure key using device and user authentication information |
US8898477B2 (en) | | System and method for secure firmware update of a secure token having a flash memory controller and a smart card |
US8458480B2 (en) | | Method and apparatus for binding TPM keys to execution entities |
KR100737628B1 (en) | | Attestation using both fixed token and portable token |
US9118467B2 (en) | | Generating keys using secure hardware |
US8127146B2 (en) | | Transparent trust validation of an unknown platform |
WO2020192406A1 (en) | | Method and apparatus for data storage and verification |
EP1168141B1 (en) | | A secure and open computer platform |
KR20190063264A (en) | | Method and Apparatus for Device Security Verification Utilizing a Virtual Trusted Computing Base |
US20110126023A1 (en) | | Systems And Methods For Data Security |
US20050060568A1 (en) | | Controlling access to data |
US10897359B2 (en) | | Controlled storage device access |
US9015454B2 (en) | | Binding data to computers using cryptographic co-processor and machine-specific and platform-specific keys |
JP2008072717A (en) | | Hard disc streaming cryptographic operations with embedded authentication |
KR20080059675A (en) | | Trusted mobile platform architecture |
EP1763721A1 (en) | | Systems and methods for performing secure communications between an authorized computing platform and a hardware component |
US10282549B2 (en) | | Modifying service operating system of baseboard management controller |
CN116566613A (en) | | Securing communications with a secure processor using platform keys |
WO2022052665A1 (en) | | Wireless terminal and interface access authentication method for wireless terminal in uboot mode |
CN114091027B (en) | | Information configuration method, data access method, related device and equipment |
WO2024118799A1 (en) | | Methods and systems for secure software delivery |
Emanuel | | Tamper free deployment and execution of software using TPM |
Legal Events
Code | Title | Description |
---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |