CN114254574A

CN114254574A - Security chip design method and device

Info

Publication number: CN114254574A
Application number: CN202111494937.5A
Authority: CN
Inventors: 蔡田田; 邓清唐; 习伟; 陈波; 杨英杰; 关志华
Original assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Current assignee: Southern Power Grid Digital Grid Research Institute Co Ltd
Priority date: 2021-12-08
Filing date: 2021-12-08
Publication date: 2022-03-29
Anticipated expiration: 2041-12-08
Also published as: CN114254574B

Abstract

The application relates to a security chip design method, a security chip design device, a computer device, a storage medium and a computer program product. The method comprises the following steps: acquiring design information aiming at a security chip, wherein the design information comprises function design information, area design information and power consumption design information; determining a functional module required to be included by the security chip according to the functional design information; determining the set number of the functional modules of the target type in the security chip according to the area design information and the power consumption design information; and generating a design file of the security chip according to the determined functional modules and the set number, and generating software and hardware description information corresponding to the security chip based on the design file. The method can be used for customizing the security chip in a personalized way.

Description

Security chip design method and device

Technical Field

The present application relates to the field of internet of things technology, and in particular, to a method and an apparatus for designing a security chip, a computer device, a storage medium, and a computer program product.

Background

In recent years, the technology of internet of things has been gradually applied to the life of people, and intelligent devices such as intelligent lamps and intelligent sound equipment based on the technology of internet of things have become very common, however, the security problem has become the biggest obstacle to the development of internet of things. The security chip with high security, strong real-time performance and low power consumption plays an important role in guaranteeing the security of the Internet of things.

At present, many companies have produced security chips which can be applied to intelligent terminals of the internet of things, but most of the security chips are general security chips and cannot meet personalized customization requirements of users.

Disclosure of Invention

In view of the above, there is a need to provide a security chip design method, apparatus, computer device, computer readable storage medium and computer program product capable of meeting the customized requirements of users.

In a first aspect, the present application provides a method for designing a security chip. The method comprises the following steps:

acquiring design information aiming at a security chip, wherein the design information comprises function design information, area design information and power consumption design information;

determining a functional module required to be included by the security chip according to the functional design information;

determining the set number of the functional modules of the target type in the security chip according to the area design information and the power consumption design information;

and generating a design file of the security chip according to the determined functional modules and the set number, and generating software and hardware description information corresponding to the security chip based on the design file.

In one embodiment, determining the functional modules required to be included in the security chip according to the functional design information includes:

determining the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included in the security chip according to the functional design information, and determines whether the security chip needs to set an acceleration engine unit in the symmetric trusted algorithm module, needs to set an acceleration engine unit in the asymmetric trusted algorithm module, needs to set an acceleration engine unit in the hash algorithm module, needs to set a PUF circuit, a function assistant device arranged in the security chip, and a target security protection function module, the target safety protection function module comprises an address out-of-range detection module, a reset module, an attack detection module, a biological characteristic module and an anti-tampering shielding module, wherein the address out-of-range detection module is used for detecting the address out-of-range condition when the safety chip executes read/write operation.

In one embodiment, determining the set number of functional modules of the target type in the security chip according to the area design information and the power consumption design information includes:

and determining the set number of the symmetrical credible algorithm modules, the set number of the asymmetrical credible algorithm modules and the set number of the hash algorithm modules in the security chip according to the area design information and the power consumption design information.

In one embodiment, the type of the symmetric trusted algorithm module comprises a national secret symmetric trusted algorithm type and an international symmetric trusted algorithm type; the types of the asymmetric trusted algorithm module comprise a national secret asymmetric trusted algorithm type and an international asymmetric trusted algorithm type; the types of the hash algorithm module comprise a national secret hash algorithm type and an international hash algorithm type; the function aid includes a true random number generator and a division accelerator.

In one embodiment, the method further comprises:

if it is determined that the security chip needs to be provided with the PUF circuit, the PUF circuit and functional modules other than the PUF circuit are integrated into one SOC.

In one embodiment, generating a design file of the security chip according to the determined functional modules and the set number includes:

determining a plurality of Slave functional units mounted under a bus of the security chip according to the determined functional modules and the set number;

determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit aiming at each Slave functional unit;

acquiring sequencing information corresponding to each Slave functional unit, performing address allocation based on the sequencing information, and determining an address space corresponding to each Slave functional unit;

and generating a software architecture and a hardware architecture corresponding to the security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

In one embodiment, determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit includes:

and determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit based on the security chip module library.

In one embodiment, the method further comprises:

and executing simulation test operation corresponding to the security chip based on the software and hardware description information.

In a second aspect, the present application further provides a security chip design apparatus. The device includes:

the system comprises an acquisition module, a processing module and a processing module, wherein the acquisition module is used for acquiring design information aiming at a security chip, and the design information comprises function design information, area design information and power consumption design information;

the determining module is used for determining the functional modules required to be included by the security chip according to the functional design information; determining the set number of the functional modules of the target type in the security chip according to the area design information and the power consumption design information;

and the generating module is used for generating a design file of the safety chip according to the determined functional modules and the set number, and generating software and hardware description information corresponding to the safety chip based on the design file.

In one embodiment, the determining module is specifically configured to:

In one embodiment, the determining module is further specifically configured to:

In one embodiment, the apparatus is further configured to:

In one embodiment, the generating module is specifically configured to:

In one embodiment, the generating module is further specifically configured to:

In one embodiment, the apparatus is further configured to:

In a third aspect, the present application also provides a computer device. The computer device comprises a memory and a processor, wherein the memory stores a computer program, and the processor implements the security chip design method according to any one of the first aspect when executing the computer program.

In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, implements the secure chip design method as described in any of the above first aspects.

In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, implements the secure chip design method as described in any one of the above first aspects.

The method, the device, the computer equipment, the storage medium and the computer program product for designing the security chip acquire the design information aiming at the security chip, wherein the design information comprises the function design information, the area design information and the power consumption design information, the function modules required to be included by the security chip are determined according to the function design information, the setting number of the function modules with the target type in the security chip is determined according to the area design information and the power consumption design information, the design file of the security chip is generated according to the determined function modules and the setting number, the software and hardware description information corresponding to the security chip is generated based on the design file, the setting number of the function modules included by the security chip and the function modules with the target type is determined based on the design information aiming at the security chip so as to generate the design file of the security chip, and the purpose of customizing the security chip according to the design information is realized, the requirement of customizing the security chip in a personalized way by a user is met.

Drawings

FIG. 1 is a schematic flow chart diagram illustrating a method for designing a security chip in one embodiment;

FIG. 2 is a schematic flow chart of step 104 in one embodiment;

FIG. 3 is a schematic flow chart diagram illustrating a method for designing a security chip according to another embodiment;

FIG. 4 is a block diagram showing the structure of a security chip designing apparatus according to an embodiment;

FIG. 5 is a block diagram showing the construction of a secure chip designing apparatus according to another embodiment;

FIG. 6 is a diagram illustrating an internal structure of a computer device according to an embodiment.

Detailed Description

In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.

In recent years, intelligent equipment based on the internet of things technology is more and more widely applied to the life of people. However, the property security and privacy security of people are suffering from threats from the internet of things.

In order to ensure the property safety and privacy safety of people, the security chip is arranged, and plays an important role in ensuring the safety of the Internet of things. At present, security chips have been widely used in access control systems, intelligent terminals, financial systems, and the like.

At present, many companies produce security chips applicable to intelligent terminals of internet of things, such as national technologies, large and down microelectronics, double denier microelectronics, huada electronics, and the like, however, most of the security chips produced by the companies are general security chips, and cannot meet personalized requirements of users.

In view of this, the embodiment of the present application provides a method for designing a security chip, which can meet the personalized customization requirements of customers.

It should be noted that, in the security chip design method provided in the embodiment of the present application, the execution main body may be a security chip design apparatus, and the security chip design apparatus may be implemented as part or all of a terminal in a software, hardware, or a combination of software and hardware.

In the following method embodiments, the execution subject is a terminal, where the terminal may be a personal computer, a notebook computer, a media player, a smart television, a smart phone, a tablet computer, a portable wearable device, and the like, and it is understood that the method may also be applied to a server, and may also be applied to a system including a terminal and a server, and is implemented through interaction between the terminal and the server.

Referring to fig. 1, a flowchart of a method for designing a security chip according to an embodiment of the present disclosure is shown. As shown in fig. 1, the secure chip design method may include the steps of:

step 101, obtaining design information for a security chip.

Wherein the design information includes functional design information, area design information, and power consumption design information. The power consumption design information refers to the power consumption upper limit value of the Internet of things security chip.

Optionally, the functional design information includes information of a conventional module required to be included in the security chip and user-defined requirement design information. The user-defined requirement design information comprises special requirement information of a user for certain conventional modules, or unique requirements of the user on a software architecture and/or a hardware architecture of a security chip, such as a pure digital internet of things security chip, an analog-digital mixed type internet of things security chip, an overall template design, a template deletion design and a user-defined hardware language description file of the user-defined internet of things security chip architecture, and the like.

Optionally, the user inputs design information for the security chip on the user interface according to the interface prompt information. The terminal receives design information for the security chip input by a user.

And 102, determining a functional module required to be included by the security chip according to the functional design information.

In an alternative implementation, the user may check the desired function module name on the user interface. And the terminal receives the name of the functional module selected by the user so as to determine the functional module required to be included by the security chip.

In an optional implementation manner, a user inputs tag information on a user interface, and a terminal receives the tag information and determines a functional module required to be included in a security chip according to the tag information.

And 103, determining the set number of the functional modules of the target type in the security chip according to the area design information and the power consumption design information.

Optionally, after receiving the area design information and the power consumption design information input by the user, the terminal obtains prompt information of the set number of the target type function modules included in the security chip according to the area design information and the power consumption design information, and displays the prompt information on the user interface, where the prompt information includes a set number threshold of the target type function modules, and the user determines the set number of the target type function modules in the security chip.

When the target type function modules include a plurality of function modules, the terminal can update the prompt information of the set number of the target type function modules contained in the security chip according to the set number of each target type function module input by the user in real time.

And 104, generating a design file of the security chip according to the determined functional modules and the set number, and generating software and hardware description information corresponding to the security chip based on the design file.

Optionally, the design file includes a hardware design file and a software design file. The software and hardware description information includes software functional code written by a program description language and hardware functional code written by a hardware language description.

In the method for designing the safety chip, the functional modules contained in the safety chip and the set number of the functional modules are determined based on the design information aiming at the safety chip so as to generate the design file of the safety chip, and the software and hardware description information corresponding to the safety chip is generated based on the design file, so that the purpose of customizing the safety chip according to the design information is realized, and the requirement of customizing the safety chip by a user in a personalized way is met.

In the embodiment of the present application, based on the embodiment shown in fig. 1, the embodiment relates to an implementation process for determining a functional module that needs to be included in a secure chip according to functional design information in step 102, where the implementation process includes the following steps:

according to the functional design information, the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included in the security chip are determined, and whether an acceleration engine unit needs to be arranged in the symmetric trusted algorithm module, whether an acceleration engine unit needs to be arranged in the asymmetric trusted algorithm module, whether an acceleration engine unit needs to be arranged in the hash algorithm module, whether a PUF circuit needs to be arranged, a functional assistant arranged in the security chip and a target security protection functional module need to be arranged are determined.

The target safety protection function module comprises an address out-of-range detection module, a reset module, an attack detection module, a biological characteristic module and an anti-tampering shielding module, wherein the address out-of-range detection module is used for detecting the address out-of-range condition when the safety chip executes read/write operation.

The reset module reset management module is used for generating a reset signal and executing chip reset operation. The attack response module is used for detecting whether the condition of attacking the security chip occurs or not.

The biometric module stores biometric data and uses it as a root key. Optionally, the data of the module is only accessed by the embedded low-power processor, and the embedded low-power processor calls the biometric data and encrypts the biometric data through the symmetric trusted algorithm module or the asymmetric trusted algorithm module to generate an encryption key.

The tamper-resistant shielding module is a complex metal wire covered on the surface layer of the internet of things security chip, and is called as a tamper-resistant line. At least one functional line is determined from a reset signal, an enable signal, a mode select signal, etc. of some sensitive or critical circuits of the security chip, the determined functional lines being mixed within the tamper resistant lines. The embedded low power processor may further elect a portion of the biometric data, which is time division multiplexed as a time sequence of the tamper-resistant line and the functional line. Specifically, the section data may have a section rule set by a user input or determined based on a random number generated by the terminal.

The acceleration engine unit arranged in the symmetric trusted algorithm module, the asymmetric trusted algorithm module or the hash algorithm module is used for processing hardware circuits arranged in large number operation or expansion operation which is large in operation amount in the algorithm or difficult to process by an embedded low-power-consumption processor, and the like, such as four basic operations of modular addition, modular subtraction, modular multiplication, modular inversion and the like.

Wherein the function aid comprises at least a true random number generator. The true random number generator is used to generate the random numbers required by the key. In addition, the function aid also comprises a division accelerator and the like. The division accelerator is specifically 16/8 division accelerator, and can quickly realize large prime number judgment in key generation.

Optionally, the terminal generates multiple recommendation schemes according to the functional design information, presents the multiple recommendation schemes to the user, and determines a final recommendation scheme by the user; or the terminal generates a final recommendation scheme according to the functional design information. The terminal determines the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included in the security chip according to the determined final recommended scheme, and determines whether the security chip needs to set an acceleration engine unit in the symmetric trusted algorithm module, whether the acceleration engine unit needs to be set in the asymmetric trusted algorithm module, whether the acceleration engine unit needs to be set in the hash algorithm module, whether a PUF circuit needs to be set, a function assistant device arranged in the security chip and a target security protection function module, which determine the setting information of the security chip.

Optionally, the type of the symmetric trusted algorithm module includes a national secret symmetric trusted algorithm type and an international symmetric trusted algorithm type; the types of the asymmetric trusted algorithm module comprise a national secret asymmetric trusted algorithm type and an international asymmetric trusted algorithm type; the types of the hash algorithm module comprise a national secret hash algorithm type and an international hash algorithm type; the function aid includes a true random number generator and a division accelerator.

The international symmetric credible algorithm types comprise DES, 3DES, AES, improved DES, improved 3DES, improved AES, international symmetric credible algorithms obtained by combining multiple international symmetric credible algorithm types, international symmetric credible algorithms improved by users, international symmetric credible algorithms required by users and the like.

The type of the national secret asymmetric trusted algorithm comprises SM2, SM9, a national secret asymmetric trusted algorithm obtained by combining a plurality of national secret asymmetric trusted algorithm types, a user self-operated improved national secret asymmetric trusted algorithm, a user self-defined international asymmetric trusted algorithm and the like, and the type of the international asymmetric trusted algorithm comprises RSA, ECC, an international asymmetric trusted algorithm obtained by combining a plurality of international asymmetric trusted algorithm types, a user self-operated improved international asymmetric trusted algorithm, a user self-defined international asymmetric trusted algorithm and the like.

The international hash algorithm types comprise SHA, MD, international hash algorithms obtained by combining various international hash algorithm types, international hash algorithms improved by users, international hash algorithms required by users, and the like.

The method and the device for customizing the safety chip have the advantages that the functional modules required to be included in the safety chip and the setting number of the target type functional modules in the safety chip are determined, the types of the selectable functional modules are various, and a user only needs to select the functional modules required by the user, so that the requirements of multifunctional customization and personalized customization of the safety chip are met.

In the embodiment of the present application, based on the above embodiment, the method for designing a security chip further includes the following steps:

Optionally, the terminal acquires bus control IP information, and integrates the PUF circuit and functional modules including the symmetric trusted algorithm module, the asymmetric trusted algorithm module, and the hash algorithm module into one SOC through the bus control IP information. The bus control IP may be set by a user.

Specifically, the integrated symmetric trusted algorithm module needs to be configured with a data input register, a data output register, a control register and a status register for the symmetric trusted algorithm module; the integrated asymmetric trusted algorithm module needs to be provided with a data register, a control register and a status register; the integrated hash algorithm module is provided with a data input register, a data output and input register, a control register and a state register; the integrated PUF circuit is provided with a data input register, a data output/input register, a control register, and a status register.

The control register comprises data information for describing the type of currently input data, data information for describing whether the data is updated or not, data information corresponding to software reset and data information corresponding to reserved bits; the status register is used for marking that the current trusted algorithm module is in an encryption or decryption mode, whether a secret key is generated or not and whether data encryption/decryption is completed or not.

Optionally, the SOC further includes an embedded low-power processor module, a ROM module, a RAM module, a FLASH module, an interface module, and the like. Wherein the external interface module comprises one or more of the following interface types: an I2C interface, an SPI interface, a GPIO interface, a UART interface, a timer, a USB interface, a 7816 interface, an SWP interface, an ADC interface, a DAC interface, an MCC interface, and an NFC interface. The interface type may be determined by a user or determined according to a chip area or shape. The FLASH module can be realized in an external SPI FLASH mode without being integrated into the soc.

In this embodiment, by determining that the security chip needs to be provided with the PUF circuit, the PUF circuit and functional modules other than the PUF circuit are integrated into one SOC, thereby implementing an integrated design of the security chip.

In the embodiment of the present application, based on the embodiment shown in fig. 1, this embodiment relates to an implementation process for determining the set number of function modules of a target type in a security chip according to area design information and power consumption design information in step 103, where the implementation process includes the following steps:

Optionally, the security chip at least includes a symmetric trusted algorithm module, an asymmetric trusted algorithm module, and a set number of hash algorithm modules. And the number of the symmetrical credible algorithm modules, the asymmetrical credible algorithm modules or the hash algorithm modules is properly increased according to the area design information and the power consumption design information. For example, the terminal receives area design information and power consumption design information input by a user, determines an upper limit value of the total quantity of the symmetry trusted algorithm module, the asymmetry trusted algorithm module and the hash algorithm module, presents the upper limit value to the user by virtue of a terminal interface, and determines the quantity of the symmetry trusted algorithm module, the asymmetry trusted algorithm module or the hash algorithm module.

In this embodiment, the setting number of the symmetric trusted algorithm modules, the setting number of the asymmetric trusted algorithm modules, and the setting number of the hash algorithm modules in the security chip are determined according to the area design information and the power consumption design information, so that the power consumption and the area of the chip and the setting number of each trusted algorithm module can be customized.

In the embodiment of the present application, as shown in fig. 2, based on any of the above embodiments, the embodiment relates to an implementation process for generating a design file of a secure chip according to a determined functional module and a set number in step 104, where the implementation process includes step 201, step 202, step 203, and step 204:

step 201, determining a plurality of Slave functional units mounted under the bus of the security chip according to the determined functional modules and the set number.

The plurality of Slave functional units comprise a PUF circuit, asymmetrical trusted algorithm modules, symmetrical trusted algorithm modules, hash algorithm modules, a ROM module, a RAM module and the like.

The bus of the security chip is an AMBA bus. The AMBA bus is a high-performance embedded microcontroller on-chip communication standard and comprises an AHB high-performance bus, an ASB system bus and an APB peripheral bus. The AHB high-performance bus is used for connecting the embedded low-power-consumption processor with the symmetric trusted algorithm module, the asymmetric trusted algorithm module, the hash algorithm module, the RAM and the ROM; and the true random number generator and the external interface exchange data with the embedded low-power-consumption processor after being converted into an APB bridge AHB bus through an APB peripheral bus.

Step 202, determining, for each Slave functional unit, hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit.

Optionally, according to the requirement information input by the user, hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit are determined. The requirement information is label information corresponding to each Slave functional unit or a user-defined functional requirement input by a user, and the like. The terminal can determine hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit according to the input label information.

And step 203, acquiring the sequencing information corresponding to each Slave functional unit, performing address allocation based on the sequencing information, and determining the address space corresponding to each Slave functional unit.

Optionally, the terminal determines, according to the size of each Slave functional unit, ordering information corresponding to each Slave functional unit.

And the terminal takes the address space corresponding to each Slave functional unit as a bus control IP and stores the bus control IP in a preset storage path.

And 204, generating a software architecture and a hardware architecture corresponding to the security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

Optionally, based on the security chip module library, hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit are determined.

The security chip module library comprises a security chip general architecture template and modules of all functional modules contained in the security chip.

In an optional implementation manner, a user selects an internet of things security chip architecture template on a user interface, performs modification operation on the internet of things security chip architecture template, and determines hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit. The modification operation comprises the steps of adding a Slave functional unit, deleting the Slave functional unit, replacing some Slave functional units and adding a self-defined design label for some Slave functional units to label the functional requirement information of the Slave functional unit. In an optional implementation manner, a user determines corresponding templates for each Slave functional unit on a user interface, and determines hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit according to the determined templates.

Optionally, after generating software and hardware description information corresponding to the security chip, the method further includes: and executing simulation test operation corresponding to the security chip based on the software and hardware description information. Namely, each functional module of the security chip is ensured to meet the requirements by executing the simulation test operation corresponding to the security chip.

In this embodiment, a plurality of Slave functional units mounted under a bus of a security chip are determined according to the determined functional modules and the set number, and for each Slave functional unit, hardware design information corresponding to each Slave functional unit, software design information corresponding to each Slave functional unit, and address space information are determined, and based on the address space, the hardware design information corresponding to each Slave functional unit, and the software design information corresponding to each Slave functional unit, a software architecture and a hardware architecture corresponding to the security chip are generated to generate a design file of the security chip, so that the purpose of integrating the security chip can be achieved.

In an embodiment of the present application, as shown in fig. 3, a method for designing a security chip is provided, which includes the following steps:

step 301, design information for a security chip is acquired.

Wherein the design information includes function design information, area design information, and power consumption design information.

And 302, determining the set number of the symmetrical trusted algorithm modules, the set number of the asymmetrical trusted algorithm modules and the set number of the hash algorithm modules in the security chip according to the area design information and the power consumption design information.

Step 303, determining a functional module required to be included in the security chip according to the functional design information.

The method comprises the steps of determining the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included in a security chip, and determining whether the security chip needs to be provided with an acceleration engine unit in the symmetric trusted algorithm module, whether the security chip needs to be provided with the acceleration engine unit in the asymmetric trusted algorithm module, whether the security chip needs to be provided with the acceleration engine unit in the hash algorithm module, whether a PUF circuit needs to be provided, a function assistant and a target security protection function module which are arranged in the security chip. The target safety protection function module comprises an address out-of-range detection module, a reset module, an attack detection module, a biological characteristic module and an anti-tampering shielding module, wherein the address out-of-range detection module is used for detecting the address out-of-range condition when the safety chip executes read/write operation.

The type of the symmetric trusted algorithm module comprises a national secret symmetric trusted algorithm type and an international symmetric trusted algorithm type; the types of the asymmetric trusted algorithm module comprise a national secret asymmetric trusted algorithm type and an international asymmetric trusted algorithm type; the types of the hash algorithm module comprise a national secret hash algorithm type and an international hash algorithm type; the function aid includes a true random number generator and a division accelerator.

In step 304, it is determined whether the functional module that the security chip needs to include includes a PUF circuit.

If the secure chip is determined to need to be provided with the PUF circuit, the PUF circuit and functional modules other than the PUF circuit are integrated into one SOC, step 305.

In step 306, if it is determined that the security chip does not need to be provided with the PUF circuit, the functional modules are integrated into one SOC.

And 307, determining a plurality of Slave functional units mounted under the bus of the security chip according to the determined functional modules and the set number.

And 308, determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit based on the security chip module library aiming at each Slave functional unit.

Step 309, obtaining the sorting information corresponding to each Slave functional unit, and performing address allocation based on the sorting information to determine the address space corresponding to each Slave functional unit.

And 310, generating a software architecture and a hardware architecture corresponding to the security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

And 311, executing a simulation test operation corresponding to the security chip based on the software and hardware description information.

The method and the device for customizing the safety chip determine the functional modules contained in the safety chip and the set number of the functional modules based on the design information aiming at the safety chip so as to generate the design file of the safety chip, and generate the software and hardware description information corresponding to the safety chip based on the design file, thereby achieving the purpose of customizing the safety chip according to the design information and meeting the requirement of customizing the safety chip by a user; the types of the functional modules can be selected to be various by determining the functional modules required to be included in the security chip and the setting number of the functional modules of the target type in the security chip, and a user only needs to select the functional modules required by the user, so that the requirements of multifunctional customization and personalized customization of the customized security chip are met.

It should be understood that, although the steps in the flowcharts related to the embodiments as described above are sequentially displayed as indicated by arrows, the steps are not necessarily performed sequentially as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.

Based on the same inventive concept, the embodiment of the present application further provides a security chip design apparatus for implementing the above related security chip design method. The implementation scheme for solving the problem provided by the device is similar to the implementation scheme recorded in the method, so the specific limitations in one or more embodiments of the security chip design device provided below can be referred to the limitations in the security chip design method above, and are not described herein again.

In one embodiment, as shown in fig. 4, there is provided a secure chip designing apparatus including: the device comprises an acquisition module, a determination module and a generation module, wherein:

In one embodiment, the determining module is specifically configured to:

In one embodiment, the apparatus is further configured to:

In one embodiment, the generating module is specifically configured to:

In one embodiment, the generating module is further specifically configured to:

In one embodiment, the apparatus is further configured to:

The modules in the security chip design apparatus may be implemented wholly or partially by software, hardware, or a combination thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.

In one embodiment, as shown in fig. 5, there is provided a secure chip designing apparatus including: template storehouse, demand acquisition unit, software and hardware design unit, bus and integrated unit and simulation unit, it is specific:

the template library is used for storing a security chip module library of the overall framework template of the security chip and/or the templates of all the functional modules of the security chip;

the system comprises a requirement acquisition unit and a safety chip, wherein the requirement acquisition unit is used for acquiring design information aiming at the safety chip, and the design information comprises function design information, area design information and power consumption design information.

The software and hardware design unit is used for determining the setting number of the symmetrical credible algorithm modules, the setting number of the asymmetrical credible algorithm modules and the setting number of the hash algorithm modules in the security chip according to the area design information and the power consumption design information; and determining the functional modules required to be included in the security chip according to the functional design information.

The software and hardware design unit is further specifically configured to determine the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module, and the type of a hash algorithm module that the security chip needs to include, and determine whether the security chip needs to set an acceleration engine unit in the symmetric trusted algorithm module, whether the security chip needs to set an acceleration engine unit in the asymmetric trusted algorithm module, whether the security chip needs to set an acceleration engine unit in the hash algorithm module, whether a PUF circuit needs to be set, a function aid provided in the security chip, and a target security protection function module. The target safety protection function module comprises an address out-of-range detection module, a reset module, an attack detection module, a biological characteristic module and an anti-tampering shielding module, wherein the address out-of-range detection module is used for detecting the address out-of-range condition when the safety chip executes read/write operation.

The bus and the integration unit are used for judging whether the functional modules required to be included by the security chip comprise the PUF circuit or not, integrating the PUF circuit and the functional modules except the PUF circuit into an SOC if the security chip is determined to be required to be provided with the PUF circuit, and integrating the functional modules into the SOC if the security chip is determined not to be required to be provided with the PUF circuit; according to the determined functional modules and the set number, determining a plurality of Slave functional units mounted under a bus of the security chip, acquiring sequencing information corresponding to each Slave functional unit, performing address allocation based on the sequencing information, and determining an address space corresponding to each Slave functional unit.

The software and hardware design unit is also used for determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit based on the safety chip module library aiming at each Slave functional unit; and generating a software architecture and a hardware architecture corresponding to the security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

And the simulation unit is used for executing the simulation test operation corresponding to the security chip based on the software and hardware description information.

In one embodiment, a computer device is provided, which may be a terminal, and its internal structure diagram may be as shown in fig. 6. The computer device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the computer device is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a secure chip design method. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on the shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.

Those skilled in the art will appreciate that the architecture shown in fig. 6 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.

In one embodiment, a computer device is provided, comprising a memory and a processor, the memory having a computer program stored therein, the processor implementing the following steps when executing the computer program:

In one embodiment, the processor, when executing the computer program, further performs the steps of:

determining the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included in the security chip according to the functional design information, wherein the type of the symmetric trusted algorithm module specifically comprises a national secret symmetric trusted algorithm type and an international symmetric trusted algorithm type; the types of the asymmetric trusted algorithm module comprise a national secret asymmetric trusted algorithm type and an international asymmetric trusted algorithm type; the types of the hash algorithm module comprise a national secret hash algorithm type and an international hash algorithm type; the function aid includes a true random number generator and a division accelerator.

determining a plurality of Slave functional units mounted under a bus of the security chip according to the determined functional modules and the set number; determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit aiming at each Slave functional unit; acquiring sequencing information corresponding to each Slave functional unit, performing address allocation based on the sequencing information, and determining an address space corresponding to each Slave functional unit; and generating a software architecture and a hardware architecture corresponding to the security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

In one embodiment, a computer-readable storage medium is provided, having a computer program stored thereon, which when executed by a processor, performs the steps of:

In one embodiment, the computer program when executed by the processor further performs the steps of:

In one embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, performs the steps of:

It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.

The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.

The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims

1. A method for designing a secure chip, the method comprising:

2. The method according to claim 1, wherein the determining, according to the functional design information, the functional modules required to be included in the security chip comprises:

determining the type of a symmetric trusted algorithm module, the type of an asymmetric trusted algorithm module and the type of a hash algorithm module which are required to be included by the security chip according to the functional design information, and determining whether the security chip needs to set an acceleration engine unit in the symmetric trusted algorithm module, needs to set an acceleration engine unit in the asymmetric trusted algorithm module, needs to set an acceleration engine unit in the hash algorithm module, needs to set a PUF circuit, a function assistant device arranged in the security chip, and a target security protection function module, the target safety protection function module comprises an address out-of-range detection module, a reset module, an attack detection module, a biological characteristic module and an anti-tampering shielding module, wherein the address out-of-range detection module is used for detecting the address out-of-range condition when the safety chip executes read/write operation, and the biological characteristic module is used for storing biological characteristic information.

3. The method of claim 2, wherein determining the set number of functional modules of the target type in the security chip according to the area design information and the power consumption design information comprises:

4. The method of claim 2, wherein the types of the symmetric trusted algorithm module include a national symmetric trusted algorithm type and an international symmetric trusted algorithm type; the types of the asymmetric trusted algorithm module comprise a national secret asymmetric trusted algorithm type and an international asymmetric trusted algorithm type; the types of the hash algorithm module comprise a national secret hash algorithm type and an international hash algorithm type; the function aid includes a true random number generator and a division accelerator.

5. The method of claim 2, further comprising:

and if the security chip is determined to need to be provided with the PUF circuit, integrating the PUF circuit and each functional module except the PUF circuit into one SOC.

6. The method according to any one of claims 1 to 4, wherein the generating a design file of the security chip according to the determined functional modules and the set number comprises:

determining a plurality of Slave functional units mounted under a bus of a security chip according to the determined functional modules and the set number;

and generating a software architecture and a hardware architecture corresponding to a security chip based on the address space, the hardware design information corresponding to each Slave functional unit and the software design information corresponding to each Slave functional unit, and generating a design file of the security chip according to the software architecture and the hardware architecture.

7. The method of claim 6, wherein the determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit comprises:

and determining hardware design information corresponding to each Slave functional unit and software design information corresponding to each Slave functional unit based on a security chip module library.

8. The method of any of claims 1 to 4, further comprising:

9. A security chip design apparatus, the apparatus comprising:

10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any of claims 1 to 8.

11. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 8.

12. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1 to 8 when executed by a processor.