CN114238206A - Internet of things system on chip and working method thereof - Google Patents


Info

Publication number
CN114238206A
Authority
CN
China
Prior art keywords
internet
things
trusted computing
computing module
chip
Prior art date
Legal status
Pending
Application number
CN202111432604.XA
Other languages
Chinese (zh)
Inventor
张翔
王元强
马涛
何迎利
聂云杰
蔡国龙
葛红舞
曹光耀
杨晓林
卢岸
李宇航
周飞飞
Current Assignee
Nari Information and Communication Technology Co
Original Assignee
Nari Information and Communication Technology Co
Priority date
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 15/00 Digital computers in general; Data processing equipment in general
    • G06F 15/76 Architectures of general purpose stored program computers
    • G06F 15/78 Architectures of general purpose stored program computers comprising a single central processing unit
    • G06F 15/7807 System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F 21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F 21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Mathematical Physics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Stored Programmes (AREA)

Abstract

The invention discloses an internet of things system on chip and a working method thereof. A CPU is used for processing and forwarding data and also comprises an interface controller. The operation memory is used for running an operating system and a service program. NAND FLASH is used to store UBOOT, a secure OS, a trusted computing software stack that provides an interface through which the operating system and applications use the TPM, and an IoT application framework. The trusted computing module is used for storage of a trusted measurement root, reporting of trusted measurements, key generation, encryption and signature, and secure data storage; it can measure UBOOT, the kernel and the service program during the boot process and store a measurement list in the intelligent terminal equipment. The secure encryption chip is used for encrypting and decrypting the service program. The intelligent terminal protection method is efficient and practical, changes the fragmented state of conventional security protection means, effectively improves the security protection level of the intelligent terminal, and has wide application prospects.

Description

Internet of things system on chip and working method thereof
Technical Field
The invention relates to an Internet of things system on chip and a working method thereof, and belongs to the technical field of Internet of things and information security.
Background
The construction of the internet of things is entering a substantial stage. In the construction process, a large number of intelligent terminals must be deployed to realize intelligent perception and ubiquitous connection. The traditional intelligent terminal development mode suffers from low development speed, many security vulnerabilities, a complicated technical route, large volume and similar pain points, and can hardly meet the requirements of building and developing the internet of things.
Based on long-term practice in the field of electric power and a deep understanding of what the power internet of things entails, the following requirements are identified: all individual chips are made in China and controllable, all software programs are developed independently, and intellectual property rights are fully owned. How to develop a core chip for internet of things intelligent equipment in the field of electric power is a technical problem that urgently needs to be solved by those skilled in the art.
Disclosure of Invention
The purpose is as follows: in order to overcome the defects in the prior art, the invention provides an internet of things system on chip and a working method thereof. On this basis, a complete-machine manufacturer can quickly form an intelligent terminal product by adding only a peripheral interface circuit, without having to give much consideration to basic security measures such as security and trustworthiness.
The technical scheme is as follows: in order to solve the technical problems, the technical scheme adopted by the invention is as follows:
in a first aspect, an internet of things system on chip includes a CPU, an operating memory, NAND FLASH, a trusted computing module, and a secure cryptographic chip.
The CPU is used for data processing and forwarding and comprises an interface controller.
The operation memory is used for operating an operating system and a service program.
NAND FLASH is used to store UBOOT, a secure OS, a trusted computing software stack for providing an interface for operating systems and applications to use the TPM, and an IOT application framework.
The trusted computing module is used for the storage of a trusted measurement root, the report of the trusted measurement, the key generation, the encryption and signature and the data security storage function, and can be used for measuring UBOOT, a kernel and a service program in a starting process and storing a measurement list in the intelligent terminal equipment.
The safety encryption chip is used for encrypting and decrypting the service program.
Preferably, the CPU adopts a 4-core Cortex-A7 processor, and the running memory adopts 1GB memory.
As a preferred scheme, a CPU, an operating memory, NAND FLASH, a trusted computing module and a secure encryption chip are integrated on a 40x40mm single board, pins with serial numbers are led out to the back of the single board through via holes for preparing a solder ball array, and a wafer and metal wires contained in a system on a chip are subjected to high-temperature curing through plastic packaging adhesive.
Preferably, the secure encryption chip supports SM2/SM3/SM4 cryptographic algorithm.
Preferably, the interface controller includes: USB, network interface, PCIE or UART.
As a preferred scheme, the security OS is used for providing access control, cryptographic operation, active monitoring or security isolation configuration, enforcing access control on object resources, customizing different security policies according to requirements, inquiring the set security policies from a security policy library when an application program provides an operation request, and judging the legality of a request initiator to make decision-making.
In a second aspect, an operating method of the internet of things system on chip includes the following steps:
after the internet of things system on chip is powered on, the system is initialized, and the trusted computing module is connected with the CPU and NAND FLASH.
When the trusted computing module is started for the first time, the trusted computing module performs integrity measurement on the UBOOT and the kernel file through the SPI interface, and stores a measurement result into a PCR10 register of the trusted computing module.
And (3) after a power-off restart of the internet of things system on chip, the system is started again and system initialization is completed; the trusted computing module carries out integrity measurement on UBOOT and the kernel file and compares the measurement result with the baseline value in the PCR10 register of the trusted computing module; the system starts normally if the comparison passes, and a prompt that the system cannot be started is given if the comparison fails.
As a preferred scheme, after the system on the internet of things is normally started, the trusted computing module is used as a slave device and called by the system on the internet of things, an SE function is used, an application program can call the module through a trusted computing software stack, integrity measurement is performed on the application program, and a cryptographic algorithm engine integrated with the module can also be used.
Has the advantages that: the invention provides an on-chip system of an internet of things and a working method thereof, which have the following advantages:
the invention has novel software and hardware structure, greatly simplifies the hardware structure of the intelligent terminal circuit single board by realizing the system on the Internet of things, and simultaneously transfers system software from outside to inside, thereby shortening the working period of embedded bottom layer software transplantation and development.
The invention organically integrates the safe operating system, the trusted computing software stack and the encryption and decryption engine, provides a complete safe and trusted solution for the intelligent terminal, changes the fragmentation state of the traditional safety protection means, and effectively improves the safety protection level of the intelligent terminal.
The invention creates a business mode developed by the intelligent terminal, constructs the internet of things intelligent terminal by means of the system on the internet of things, and forms a business mode jointly developed by two parties or even multiple parties. The method promotes the formation of basic software and hardware, interface hardware and a complete machine structure, establishes a multi-party parallel mode such as an Internet of things management center and Internet of things application program development, and promotes the resource optimization, mutual profit and win-win and higher quality development of an intelligent Internet of things system industrial chain.
The internet of things multi-chip packaging system innovatively develops a development mode of an intelligent terminal and creates a precedent for adopting a multi-chip packaging technology in the power industry. The popularization and application of the system chip mean that a large number of intelligent terminals of the internet of things adopt a uniform software and hardware technical route, and the system chip has important significance for the popularization and the evolution of the internet of things. In the future, the intelligent terminal can be widely cooperated with complete machine manufacturers, power users, scientific research entities and open source communities, and can be shared together, so that a new state of the intelligent terminal industry is formed, and the power internet of things is enabled together.
Drawings
Fig. 1 is a block diagram illustrating a hardware structure of an internet of things system-on-chip and its functions.
Fig. 2 is a schematic diagram of a trusted boot process of an internet of things system-on-chip.
Fig. 3 is a schematic diagram of the application of the present invention to an embedded device.
Detailed Description
The present invention will be further described with reference to the following examples.
As shown in fig. 1, the system on chip of the internet of things is suitable for intelligent terminal equipment in the power internet of things, and can realize trusted startup and data transmission encryption and decryption operations, so as to provide safety protection for the intelligent terminal. The system integrates a processor with 4 cores of Cortex-A7, a 1GB memory, a trusted computing module, a secure encryption chip and a NAND FLASH chip. And completing the design of chip package according to the data such as the wafer size of the chip, PAD coordinates and the like, and integrating the circuit on a 40x40mm single board. And leading out the pins with the serial numbers to the back of the single plate through the through holes for preparing the solder ball array. And carrying out high-temperature curing on the wafer and the metal wires contained in the system on chip by the plastic sealant.
The CPU is used for data processing and forwarding and the like, and comprises a common interface controller.
The operation memory is used for operating an operating system and a service program.
NAND FLASH is used to store UBOOT, secure OS, trusted computing software stack and the application framework of the things internet, wherein the trusted computing software stack mainly functions to provide an interface for operating system and application software to use TPM.
The trusted computing module is used for the functions of storage of a trusted measurement root, report of trusted measurement, key generation, encryption and signature, data security storage and the like, can be used for measuring UBOOT, a kernel and a service program in a starting process in intelligent terminal equipment, stores a measurement list, ensures the integrity of the starting program and the service program, and improves the security attribute of a system.
The safety encryption chip is used for encrypting and decrypting the service program to ensure the safety of data transmission; the security encryption chip supports cryptographic algorithms such as SM2/SM3/SM4 and the like, can be used for encryption and decryption operations of service programs, and ensures the security of transmission data.
The secure OS serves as a security server, provides security functions such as access control, cryptographic operations, active monitoring, security isolation configuration, and the like, and has the capability of performing mandatory access control on object resources. Different security policies can be customized in the security OS according to requirements, when an application program makes an operation request, the security OS can inquire the set security policy from a security policy library, and judge the legality of a request initiator to make a decision.
The UBOOT, secure OS, trusted computing software stack, internet of things application framework and other software are stored (solidified) in NAND FLASH. The CPU is connected with the trusted computing module through the SPI interface, and data interaction between the CPU and the trusted computing module takes place through the trusted computing software stack. When a device or board card integrating the internet of things system on chip is started, trusted boot can be achieved; the trusted boot process is shown in fig. 2. After the system is powered on, the system is initialized and the trusted computing module is connected with the CPU and NAND FLASH. When the system is started for the first time, the trusted computing module performs integrity measurement on UBOOT and the kernel file through the SPI interface, and the measurement result is stored in the PCR10 register of the trusted computing module. A power-off restart is then performed; after the system is restarted and system initialization is completed, the trusted computing module performs integrity measurement on UBOOT and the kernel file and compares the measurement result with the baseline value in its PCR10 register. If the comparison passes, the system starts normally; if the comparison fails, the boot hangs and a prompt that the system cannot be started is given. The system integrates a secure encryption chip, and can encrypt transmission data in intelligent terminal applications according to a customized national cryptographic algorithm or a power-industry-specific algorithm, so as to improve the security protection level.
When internet of things terminal equipment developed on the basis of the internet of things system on chip is started, two cases are distinguished. On the first power-on, the trusted computing module measures UBOOT and the kernel and stores the measurement list in its PCR10 register. On every later power-on, the trusted computing module asserts the CPU reset signal so that the CPU is held, measures UBOOT, releases the CPU reset signal when that measurement passes, continues with the integrity measurement of the kernel, and compares the measurement value with the measurement list; the kernel is started if the comparison passes, and the system cannot be started if it fails. After the system has started normally, the trusted computing module can also be called by the system as a slave device: with the SE function, an application program can call the module through the trusted computing software stack to perform integrity measurement on the application program, and the cryptographic algorithm engine integrated in the module can be used.
As shown in fig. 3, the internet of things system on chip integrates multiple interface controllers such as USB, network interface, PCIE and UART, which connect directly to external peripherals and thereby improve development efficiency. Secondary development can be carried out on the basis of the system on chip according to budget and application-scenario requirements. Realizing the system on chip greatly simplifies the hardware structure of the intelligent terminal's circuit board, and at the same time moves system software from outside the chip to inside the chip, shortening the cycle for porting and developing embedded low-level software. The figure shows that intelligent terminal equipment developed on the basis of the internet of things system on chip only needs peripheral interfaces added according to business requirements, which greatly shortens the development cycle and reduces development difficulty.
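The boot flow above (first-boot enrolment into PCR10, later boots compared against the stored measurement list with the CPU held in reset until UBOOT passes, and post-boot application measurement through the software stack) is modelled below. This is an added example written for this page, not code from the patent or from Nari; it assumes SHA-256 as the measurement hash, a PCR-style extend operation, and an in-memory stand-in for the trusted computing module's PCR10 and measurement list. The UBOOT, kernel and service-program images are constructed sample byte strings.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

PCR_SIZE = 32
PCR_INIT = b"\x00" * PCR_SIZE  # assumed power-on value of PCR10

# Constructed sample images standing in for the UBOOT and kernel files in NAND FLASH.
UBOOT_IMAGE = b"constructed u-boot image, build 1"
KERNEL_IMAGE = b"constructed kernel image, build 1"


def measure(blob: bytes) -> bytes:
    """Integrity measurement of one file: SHA-256 digest (hash choice is an assumption)."""
    return hashlib.sha256(blob).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """PCR-style extend: new PCR = H(old PCR || measurement). Order-sensitive and one-way."""
    return hashlib.sha256(pcr + digest).digest()


@dataclass
class Cpu:
    in_reset: bool = True  # at power-on the reset signal is asserted and the CPU is held


@dataclass
class TrustedComputingModule:
    pcr10: bytes = PCR_INIT
    measurement_list: dict = field(default_factory=dict)  # stage/program name -> digest
    enrolled: bool = False  # False until the first boot has recorded a baseline


def trusted_boot(tcm: TrustedComputingModule, cpu: Cpu, uboot: bytes, kernel: bytes) -> str:
    """One power-on cycle. Returns 'enrolled', 'booted', 'halted:uboot',
    'halted:kernel' or 'halted:pcr10'."""
    cpu.in_reset = True
    uboot_digest = measure(uboot)

    if not tcm.enrolled:
        # First boot: record the measurement list and the resulting PCR10 value.
        kernel_digest = measure(kernel)
        tcm.measurement_list.update({"uboot": uboot_digest, "kernel": kernel_digest})
        tcm.pcr10 = extend(extend(PCR_INIT, uboot_digest), kernel_digest)
        tcm.enrolled = True
        cpu.in_reset = False
        return "enrolled"

    # Later boots: UBOOT must match before the CPU reset signal is released.
    if not hmac.compare_digest(uboot_digest, tcm.measurement_list["uboot"]):
        return "halted:uboot"  # CPU stays in reset; nothing untrusted ever runs
    cpu.in_reset = False

    kernel_digest = measure(kernel)
    if not hmac.compare_digest(kernel_digest, tcm.measurement_list["kernel"]):
        return "halted:kernel"

    # Replay the extend sequence and check it against the stored PCR10 baseline too,
    # so a tampered measurement list alone cannot pass the check.
    replayed = extend(extend(PCR_INIT, uboot_digest), kernel_digest)
    if not hmac.compare_digest(replayed, tcm.pcr10):
        return "halted:pcr10"
    return "booted"


def register_application(tcm: TrustedComputingModule, name: str, image: bytes) -> None:
    """Post-boot: the software stack records a service program's expected digest."""
    tcm.measurement_list[name] = measure(image)


def verify_application(tcm: TrustedComputingModule, name: str, image: bytes) -> bool:
    """Post-boot integrity measurement of a service program via the module.
    Unknown programs are rejected (default deny)."""
    expected = tcm.measurement_list.get(name)
    return expected is not None and hmac.compare_digest(measure(image), expected)


if __name__ == "__main__":
    tcm = TrustedComputingModule()
    print(trusted_boot(tcm, Cpu(), UBOOT_IMAGE, KERNEL_IMAGE))            # enrolled
    print(trusted_boot(tcm, Cpu(), UBOOT_IMAGE, KERNEL_IMAGE))            # booted
    print(trusted_boot(tcm, Cpu(), UBOOT_IMAGE + b"!", KERNEL_IMAGE))     # halted:uboot
    print(trusted_boot(tcm, Cpu(), UBOOT_IMAGE, KERNEL_IMAGE + b"!"))     # halted:kernel
    register_application(tcm, "service", b"constructed service program")
    print(verify_application(tcm, "service", b"constructed service program"))  # True
```

The two checks on later boots are deliberately separate: a per-stage digest comparison tells the operator which stage failed, while the replayed PCR10 value binds the whole sequence, so the order of measurements and the stored list must both agree with the baseline. Holding the CPU in reset until UBOOT is verified is what keeps an unverified boot loader from executing at all, rather than merely reporting the mismatch afterwards.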
The above description is only of the preferred embodiments of the present invention, and it should be noted that: it will be apparent to those skilled in the art that various modifications and adaptations can be made without departing from the principles of the invention and these are intended to be within the scope of the invention.

Claims (8)

1. An internet of things system-on-chip, comprising: the system comprises a CPU, an operating memory, NAND FLASH, a trusted computing module and a security encryption chip;
the CPU is used for data processing and forwarding and comprises an interface controller;
the operation memory is used for operating an operating system and a service program;
NAND FLASH is used for storing UBOOT, secure OS, trusted computing software stack and the application framework of the things internet, wherein the trusted computing software stack is used for providing an interface for operating system and application software to use TPM;
the trusted computing module is used for the functions of storage of a trusted measurement root, report of trusted measurement, key generation, encryption, signature and data security storage, and can be used for measuring UBOOT, a kernel and a service program in a starting process and storing a measurement list in the intelligent terminal equipment;
the safety encryption chip is used for encrypting and decrypting the service program.
2. The system on an internet of things of claim 1, wherein: the CPU adopts a processor with 4 cores Cortex-A7, and the running memory adopts 1GB memory.
3. The system on an internet of things of claim 1, wherein: the CPU, the operation memory, the NAND FLASH, the trusted computing module and the secure encryption chip are integrated on a 40x40mm single board, pins with serial numbers are led out to the back of the single board through via holes for preparing a solder ball array, and a wafer and a metal wire contained in a system on a chip are subjected to high-temperature curing through plastic package glue.
4. The system on an internet of things of claim 1, wherein: the secure encryption chip supports SM2/SM3/SM4 cryptographic algorithm.
5. The system on an internet of things of claim 1, wherein: the interface controller includes: USB, network interface, PCIE or UART.
6. The system on an internet of things of claim 1, wherein: the security OS is used for providing access control, cryptographic operation, active monitoring or security isolation configuration, performing mandatory access control on object resources, customizing different security policies according to requirements, inquiring the set security policies from a security policy library when an application program provides an operation request, and judging the legality of a request initiator to make decision judgment.
7. The operating method of the system on an internet of things as claimed in any one of claims 1 to 6, wherein: the method comprises the following steps:
after the system on the Internet of things is powered on, the system is initialized, and the trusted computing module is connected with the CPU and NAND FLASH;
when the trusted computing module is started for the first time, the trusted computing module performs integrity measurement on UBOOT and a kernel file through an SPI interface, and stores a measurement result into a PCR10 register of the trusted computing module;
and (3) after a power-off restart of the internet of things system on chip, the system is started again and system initialization is completed; the trusted computing module carries out integrity measurement on UBOOT and the kernel file and compares the measurement result with the baseline value in the PCR10 register of the trusted computing module; the system starts normally if the comparison passes, and a prompt that the system cannot be started is given if the comparison fails.
8. The method of operation of claim 7, wherein: further comprising:
after the system on the Internet of things is normally started, the trusted computing module is used as slave equipment and called by the system on the Internet of things, the SE function is used, the application program can call the module through the trusted computing software stack, integrity measurement is carried out on the application program, and a cryptographic algorithm engine integrated with the module can be used.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111432604.XA CN114238206A (en) 2021-11-29 2021-11-29 Internet of things system on chip and working method thereof

Publications (1)

Publication Number Publication Date
CN114238206A true CN114238206A (en) 2022-03-25

Family

ID=80751729

Country Status (1)

Country Link
CN (1) CN114238206A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination