CN115062353B - Trusted computing system and trusted computing method based on single chip - Google Patents


Publication number
CN115062353B
Authority
CN
China
Prior art keywords
trusted
kernel
service
application
module
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210983984.4A
Other languages
Chinese (zh)
Other versions
CN115062353A (en)
Inventor
于杨
李鹏
习伟
李立浧
杨奇逊
曾祥君
尹项根
黄凯
姚浩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Southern Power Grid Digital Grid Research Institute Co Ltd
Original Assignee
Southern Power Grid Digital Grid Research Institute Co Ltd
Application filed by Southern Power Grid Digital Grid Research Institute Co Ltd
Priority to CN202210983984.4A
Publication of CN115062353A
Publication of CN115062353B


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/74: Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00: Digital computers in general; Data processing equipment in general
    • G06F15/76: Architectures of general purpose stored program computers
    • G06F15/78: Architectures of general purpose stored program computers comprising a single central processing unit
    • G06F15/7807: System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y04: INFORMATION OR COMMUNICATION TECHNOLOGIES HAVING AN IMPACT ON OTHER TECHNOLOGY AREAS
    • Y04S: SYSTEMS INTEGRATING TECHNOLOGIES RELATED TO POWER NETWORK OPERATION, COMMUNICATION OR INFORMATION TECHNOLOGIES FOR IMPROVING THE ELECTRICAL POWER GENERATION, TRANSMISSION, DISTRIBUTION, MANAGEMENT OR USAGE, i.e. SMART GRIDS
    • Y04S40/00: Systems for electrical power generation, transmission, distribution or end-user application management characterised by the use of communication or information technologies, or communication or information technology specific aspects supporting them
    • Y04S40/20: Information technology specific aspects, e.g. CAD, simulation, modelling, system security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)
  • Power Sources (AREA)

Abstract

The present application relates to a single-chip based trusted computing architecture, a trusted computing method, an electrical device, a computer storage medium and a computer program product. The single-chip based trusted computing architecture comprises a main control chip, a trusted module and a service module. The main control chip is provided with a trusted kernel and at least one service processing core, and the service processing core and the trusted kernel are isolated from each other. The service processing core responds to a processing request related to the power service demand and runs the service application in the service module that corresponds to the request. If running the service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data. With this architecture, no external trusted chip hardware needs to be added, which reduces the hardware design cost and the performance burden generated by a trusted chip.

Description

Trusted computing system and trusted computing method based on single chip
Technical Field
The present application relates to the field of power system terminal security protection technologies, and in particular, to a trusted computing system, a trusted computing method, a power device, a computer storage medium, and a computer program product based on a single chip.
Background
Safe and stable power supply is the fundamental guarantee of social life and production development, and the industrial power control terminal is an important link in maintaining the normal and safe operation of a power system. As new-type power systems are built, a large amount of new industrial power control equipment accesses the power control system through public networks, power terminals are progressively exposed to an open, interactive network environment, and the network security boundary of the power system gradually blurs. The security of the power terminal equipment itself faces severe challenges, which seriously threatens the safe and stable operation of the power grid.
In order to ensure the complete and stable operation of the power grid, the terminal security of the power system needs to be protected, and the safe and stable operation of the grid is ensured by performing trusted computing on the power terminal. However, current trusted computing schemes are developed separately for different power service requirements, so the hardware design cost is high and the performance burden generated by the trusted chip is increased.
Disclosure of Invention
In view of the above, there is a need to provide a trusted computing system, a method, a power device, a computer-readable storage medium, and a computer program product based on a single chip, which can reduce hardware design cost and reduce performance burden generated by the trusted chip.
In a first aspect, the present application provides a trusted computing system based on a single chip, where the trusted computing system based on a single chip includes a main control chip, a trusted module, and a service module, where the main control chip is provided with a trusted kernel and at least one service processing kernel, and the service processing kernel and the trusted kernel are isolated from each other; wherein:
the service processing core is used for responding to a processing request related to the power service requirement and operating the service application corresponding to the processing request in the service module;
and the trusted kernel is used for running the corresponding trusted application in the trusted module to perform trusted computing and obtain trusted data if running the service application requires trusted computing.
In one embodiment, a secure kernel is also arranged on the main control chip, and the service processing core, the trusted kernel and the secure kernel are isolated from each other. If the trusted kernel cannot support the trusted computing of the service application, the secure kernel provides the security algorithm required by that trusted computing to the trusted kernel, so that the trusted kernel can run the corresponding trusted application in the trusted module to perform the trusted computing.
In one embodiment, the master control chip is further provided with an open resource area corresponding to the service processing core, a trusted resource area corresponding to the trusted kernel, and a secure resource area corresponding to the secure kernel; the open resource area, the trusted resource area and the secure resource area are isolated from each other.
In one embodiment, the trusted kernel is further configured to, if running the service application requires trusted computing, run the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data, and to store the trusted data in the open resource area and/or the trusted resource area according to actual requirements.
In one embodiment, a first trusted interface is arranged on the trusted module and a second trusted interface is arranged on the service module. The first trusted interface and the second trusted interface are used for establishing interaction between the service application and the trusted application, so that if running the service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data.
In one embodiment, the trusted module comprises a trusted operating system running on the trusted kernel and a trusted application deployed on the operating system; the service module comprises a service processing system running on the service processing core and a service application deployed on the service processing system.
In a second aspect, the application further provides a trusted computing method. The method comprises the following steps:
responding to a processing request related to the power service requirement, and calling the service processing core to run a service application corresponding to the processing request;
if the electric power service processing request needs to be subjected to trusted computing, the trusted module calls the trusted kernel to run a corresponding trusted application to perform trusted computing, and trusted data are obtained.
In one embodiment, if the trusted kernel cannot implement the trusted computing, the secure kernel is called by the trusted module;
an algorithm corresponding to the trusted computing type is obtained from the secure resource area of the secure kernel, so that the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing.
In a third aspect, the application also provides an electrical device. The power device comprises a memory storing a computer program and a processor implementing the following steps when executing the computer program:
responding to a processing request related to the power service demand, and calling the service processing core to run a service application corresponding to the processing request;
if the electric power service processing request needs to be subjected to trusted computing, the trusted module calls the trusted kernel to run a corresponding trusted application to perform trusted computing, and trusted data are obtained.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of:
responding to a processing request related to the power service requirement, and calling the service processing core to run a service application corresponding to the processing request;
if the electric power service processing request needs to be subjected to trusted computing, the trusted module calls the trusted kernel to run a corresponding trusted application to perform trusted computing, and trusted data are obtained.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when executed by a processor, performs the steps of:
responding to a processing request related to the power service requirement, and calling the service processing core to run a service application corresponding to the processing request;
if the electric power service processing request needs to be subjected to trusted computing, the trusted module calls the trusted kernel to run a corresponding trusted application to perform trusted computing, and trusted data are obtained.
The trusted computing system, the trusted computing method, the trusted computing device, the power equipment, the storage medium and the computer program product based on the single chip involve a main control chip, a trusted module and a service module, where the main control chip is provided with a trusted kernel and at least one service processing core, and the service processing core and the trusted kernel are isolated from each other. Because the service processing core and the trusted kernel are both arranged on the main control chip, trusted computing is performed without adding external trusted chip hardware, which reduces the hardware design cost and the performance burden generated by a trusted chip. Software and hardware work together: the service processing core responds to a processing request related to the power service requirement and runs the corresponding service application in the service module, and when running the service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data. Trusted computing is thus achieved on the same chip, which reduces the risks caused by chip-to-chip communication.
Drawings
FIG. 1 is a schematic diagram of a trusted computing system based on a single chip in one embodiment;
FIG. 2 is a schematic diagram of a trusted computing system based on a single chip in another embodiment;
FIG. 3 is a schematic diagram of a trusted computing system based on a single chip in another embodiment;
FIG. 4 is a diagram illustrating an application of a trusted computing system based on a single chip in one embodiment;
FIG. 5 is a flowchart of a trusted computing method in one embodiment;
FIG. 6 is an internal structural view of an electric power device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more clearly understood, the present application is further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
As can be appreciated, trusted computing refers to the widespread use, in computing and communication systems, of a trusted computing platform supported by a hardware security module in order to improve the security of the system as a whole.
In this embodiment, a trusted computing system based on a single chip is provided. As shown in FIG. 1, the system includes a main control chip, a trusted module, and a service module, where the main control chip is provided with a trusted kernel and at least one service processing core, and the service processing core and the trusted kernel are isolated from each other. The service processing core is used for responding to a processing request related to the power service demand and running the service application in the service module that corresponds to the processing request. The trusted kernel is used for running the corresponding trusted application in the trusted module to perform trusted computing and obtain trusted data if running the service application requires trusted computing.
Trustworthiness here covers multiple levels of software and hardware trust, such as network security and the security of the software and hardware environment. In the power system it includes the trusted measurement of the hardware trusted boot of power equipment, trusted measurement when the operating system and software application image files are loaded, dynamic trusted measurement of application code segments while the equipment is running, and the like.
Trusted boot is a static trusted verification process, established through kernel integrity checks, that covers the period from terminal power-on to the running of the main operating system. After the integrity check passes, the trusted boot code is loaded in sequence according to the boot flow and the state of the loaded main operating system is judged. This guarantees that the boot code is trusted and has not been tampered with, and it establishes a trusted running state of the main operating system in the boot stage. For example, security authentication is performed on the power system device to detect whether the device is trusted. After an application of the power system is started, trust detection is performed on the application's program file to judge whether the program file is trusted.
The trusted measurement performed when a software application image file is loaded means that, when the trusted kernel performs trusted security processing, it obtains a cryptographic algorithm from the secure kernel, extracts the feature value of the image file, computes a hash value of that feature value using the national cryptographic algorithm, and determines the correctness and integrity of the software application image file by verifying the hash value.
The trusted computing system based on the single chip combines software and hardware. Its hardware part comprises the main control chip, which is a high-performance multi-core chip carrying a plurality of physical cores that are isolated from each other. A physical core can be a trusted kernel, a service processing core or a secure kernel, and the types of the physical cores are not limited.
In this embodiment, the number of trusted kernels is 1, and which physical core of the main control chip is designated as the trusted kernel is determined according to the service requirement of the application scenario. The number of service processing cores may be 1 or 2 and is not limited herein. The service processing core runs the applications related to the service, and the trusted kernel runs the security and trust applications related to the service. Algorithms and working modes suited to the requirements of different types of power application scenarios are integrated in the trusted kernel.
The software part of the trusted computing system based on the single chip comprises a service module corresponding to the service processing core and a trusted module corresponding to the trusted kernel. The service module comprises service applications, service operating systems and trusted interfaces (trusted client interfaces) which support different service requirements, and the trusted module comprises trusted applications, trusted operating systems and trusted interfaces (trusted internal interfaces) which support different trusted computations. The service operating system corresponding to the service processing core is generally only used for deploying various application programs related to safety, and if a particular service needs to use a security and trust function, it must register with the trusted client interface and the trusted internal interface.
In the trusted computing system based on the single chip, the service processing core and the trusted kernel are both arranged on the main control chip, so no external trusted chip hardware needs to be added for trusted computing, which reduces the hardware design cost and the performance burden generated by a trusted chip. Software and hardware work together: the service processing core responds to a processing request related to the power service requirement and runs the corresponding service application in the service module, and when running the service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data. Trusted computing is thus achieved on the same chip, which reduces the risks caused by chip-to-chip communication.
In another embodiment, a single-chip based trusted computing system is provided, as shown in fig. 2, the single-chip based trusted computing system includes a main control chip, a trusted module, and a service module, where the main control chip is provided with a trusted kernel and at least one service processing kernel and a secure kernel, and the service processing kernel, the trusted kernel, and the secure kernel are isolated from each other. The master control chip is also provided with an open resource area corresponding to the service processing core, a trusted resource area corresponding to the trusted kernel and a secure resource area corresponding to the secure kernel; the open resource area, the trusted resource area and the secure resource area are isolated from each other. Furthermore, data in the open resource area can be accessed by the service kernel and the trusted kernel, and data in the trusted resource area can only be accessed by the trusted kernel and the security kernel, so that the data can be protected, data stealing is avoided, and the security of the power system is improved. For example, each electric meter is provided with a corresponding identifier, and in order to avoid electric larceny behaviors such as tampering of electric meter data, the identifier data of the electric meter can be stored in a trusted resource area. If the service kernel needs to obtain the security data from the security kernel, the required security data can be obtained from the security kernel only through the trusted kernel.
The service processing core is used for responding to a processing request related to the power service demand and operating the service application corresponding to the processing request in the service module; and the trusted kernel is used for running the corresponding trusted application in the trusted module to perform trusted computing to obtain trusted data if the running business application needs to perform trusted computing. And the safety kernel is used for providing a safety algorithm required by the trusted computing of the service application for the trusted kernel if the trusted kernel can not support the trusted computing of the service application, so that the trusted kernel operates the corresponding trusted application in the trusted module to perform the trusted computing. For example, when a power device is powered on and started, a trusted measurement of the hardware trusted start of the power device is required. And measuring the dynamic credibility of the application program code segments in the running process of the power equipment.
The security algorithm required for trusted computing includes an existing security algorithm, which is not described herein. The security kernel only provides basic security functions such as cryptographic algorithm, secret key storage management and the like, and can only be called by the trusted kernel.
According to the trusted computing system based on the single chip, the service processing and the trusted kernel are arranged on the main control chip, and when trusted computing is carried out, external trusted chip hardware does not need to be additionally arranged, so that the hardware design cost is reduced, and the performance burden generated by the trusted chip is reduced. The method comprises the steps that software and hardware are used in a matched mode, a service processing core is used for responding a processing request related to power service requirements, service applications corresponding to the processing request in a service module are operated, when the service applications need to be operated and trusted computing is carried out, if a trusted kernel cannot support the trusted computing of the service applications, a security algorithm needed by the trusted computing of the service applications is provided for the trusted kernel, so that the trusted kernel can operate the corresponding trusted applications in the trusted module to carry out the trusted computing to obtain trusted data, the trusted computing is achieved on the same chip, and risks caused by communication between the chip and the chip are reduced.
In another embodiment, a single-chip based trusted computing system is provided, as shown in fig. 3, the single-chip based trusted computing system includes a main control chip, a trusted module, and a service module, where the main control chip is provided with a trusted kernel and at least one service processing kernel and a secure kernel, and the service processing kernel, the trusted kernel, and the secure kernel are isolated from each other. The main control chip is also provided with an open resource area corresponding to the service processing core, a trusted resource area corresponding to the trusted kernel and a safe resource area corresponding to the safe kernel; the open resource area, the credible resource area and the safe resource area are isolated from each other. The trusted modules include a trusted operating system running on a trusted kernel and trusted application programs, such as trusted application 1, trusted application 2, and trusted application n, deployed on the operating system. The service module includes a service processing system running on the service processing core and service applications deployed on the service processing system, for example, service application 1, service application 2, and service application n. The main control chip is also provided with a security operating system (COS) corresponding to the security kernel.
The trusted module is provided with a first trusted interface; the service module is provided with a second trusted interface, and the first trusted interface and the second trusted interface are used for establishing interaction between the service application and the trusted application, so that if the service application needs to be operated for trusted calculation, the trusted kernel operates the corresponding trusted application in the trusted module for trusted calculation to obtain trusted data. The first trusted interface may be a trusted internal interface and the second trusted interface may be a trusted client interface.
The service processing core is used for responding to a processing request related to the power service demand and operating the service application corresponding to the processing request in the service module; the trusted kernel is used for running a corresponding trusted application in the trusted module to perform trusted calculation to obtain trusted data if the operation of the service application needs to perform trusted calculation; and the safety kernel is used for providing a safety algorithm required by the trusted computing of the service application for the trusted kernel if the trusted kernel can not support the trusted computing of the service application, so that the trusted kernel operates the corresponding trusted application in the trusted module to perform the trusted computing. It can be understood that the trusted kernel, the trusted operating system, and the trusted application may perform security encryption and trust measurement according to actual requirements by investigating and researching cryptographic algorithms, keys, and the like in the secure kernel. It can be understood that, in the trusted computing system based on a single chip, the trusted module is decoupled from the service kernel through security isolation, and a trusted resource area and a secure resource area are set, so as to ensure the trusted independence and security in the main control chip.
Optionally, in an embodiment, the trusted kernel is further configured to, if the service application needs to be executed by trusted computing, execute the corresponding trusted application in the trusted module to execute the trusted computing, obtain trusted data, and store the trusted data in the open resource area and/or the trusted resource area according to actual requirements. For example, when a business application needs to perform secure trusted computing, interaction between the business application and the trusted application is established by calling the first trusted interface and the second trusted interface, and the trusted operating system executes a corresponding trusted application to perform secure trusted processing, such as: encryption, decryption, signing, signature verification, trusted storage, trusted metrics, trusted authentication, and the like. And placing the obtained credible data in the open resource area. For another example, in response to a processing request related to a power service requirement, a service processing core runs a service application corresponding to the processing request in a service module, and when the service application needs to perform credibility measurement, a credible client interface is called, and the credible client interacts with a credible internal to request credible calculation for signature verification. And accessing the security kernel through the trusted kernel, reading the key from the security resource area of the security kernel, performing trusted computation of signature verification by using the key to obtain a trusted computation result, namely trusted data, and sending the trusted data to the development resource area corresponding to the service processing kernel.
It can be understood that the existing trusted computing is realized by adding a trusted computing chip and a trusted computing board card, and the added trusted computing chip and the added trusted computing board card are based on specific scene requirements. When the trusted computing is carried out, a physical communication channel with an original main control chip of the power terminal needs to be established, and the trusted computing method is single in trusted measuring mode, low in complexity, insufficient in flexibility and low in safety coefficient. In the application, the hardware credible design of an external safe and credible chip is replaced by a single multi-core high-performance main control chip, so that the hardware design cost is reduced, and the performance burden generated by a credible computing chip is lightened.
In one embodiment, as shown in fig. 4, trust measurement is applied when the single-chip-based trusted computing system loads a software application image file. The system includes a secure kernel, a secure resource area, a trusted kernel, and a root of trust, where the secure kernel and the trusted kernel communicate over a data bus, and it further includes processing cores for communication management, monitoring, logic protection, and control output. A trust measurement is required when a software application image file is loaded. When the trusted kernel performs the trusted security processing, it obtains the encryption algorithm from the secure kernel, extracts the feature value of the image file, and computes a hash value over that feature value using the national cryptographic algorithm. The computed hash value is then verified; when the verification passes, the correctness and integrity of the software application image file are confirmed, the permission file of the file system is loaded, and the software application image file is loaded through the BootLoader. The trusted computing is completed inside the chip, which avoids the security risks of communication between chips.
In the single-chip-based trusted computing system described above, the service processing core, the trusted kernel, and the secure kernel are all provided on the main control chip. When trusted computing is performed, if the trusted kernel cannot support the trusted computing of the service application, the security algorithm required by that trusted computing is provided to the trusted kernel, so that the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data. A single multi-core high-performance main control chip replaces the hardware trusted design of an external secure trusted chip (or board card), which reduces hardware design cost and relieves the performance burden introduced by a trusted computing chip. Basing the system on a single chip simplifies the complex multi-chip trusted computing system, saves cost, and reduces the risk introduced by communication between chips. The three physical cores provide security isolation in three different dimensions, which solves the problem of a secure operating environment, and the secure trusted module and the main service module are decoupled internally while remaining cohesive externally. Multiple policies are preset, and secure encryption, decryption, and trusted computing are performed in a layered and graded manner according to different service requirements, which gives the approach high flexibility and wide adaptability.
Based on the same inventive concept, the embodiments of the present application further provide a trusted computing method implemented on the single-chip-based trusted computing system described above. The method solves the problem in a manner similar to the implementation described above for the system, so for specific limitations in one or more embodiments of the trusted computing method provided below, refer to the limitations of the single-chip-based trusted computing system above; details are not repeated here.
In one embodiment, as shown in fig. 5, a trusted computing method is provided. The method is described as applied to the single-chip-based trusted computing system above and includes the following steps:
Step 502: in response to a processing request related to a power service requirement, call a service processing core to run the service application corresponding to the processing request.
The processing requests related to power service requirements include requests for hardware trusted boot of the power device, trust measurement when the operating system and software application image files are loaded, and dynamic trust measurement of application code segments while the device is running.
The trusted computing method is applied to a single-chip-based trusted computing system that comprises a main control chip, a trusted module, and a service module. The main control chip is provided with a trusted kernel, at least one service processing core, and a secure kernel, and the service processing core, the trusted kernel, and the secure kernel are isolated from one another. The main control chip is also provided with an open resource area corresponding to the service processing core, a trusted resource area corresponding to the trusted kernel, and a secure resource area corresponding to the secure kernel; the open resource area, the trusted resource area, and the secure resource area are isolated from one another. The trusted module comprises a trusted operating system running on the trusted kernel and a trusted application deployed on that operating system; the service module comprises a service processing system running on the service processing core and a service application deployed on the service processing system. The trusted module is provided with a first trusted interface and the service module with a second trusted interface; the two interfaces are used to establish interaction between the service application and the trusted application, so that if running the service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing and obtain trusted data.
It can be understood that the trusted kernel, the trusted operating system, and the trusted application can call a cryptographic algorithm, a key, and the like in the secure kernel according to actual requirements to perform secure encryption and trusted measurement.
Specifically, the power device responds to a processing request related to a power service requirement and runs, through the service module, the service application corresponding to the processing request. The service applications cover different service scenarios and can be configured for different power service scenarios.
Step 504: if running the service application corresponding to the processing request requires trusted computing, call the trusted kernel to run the corresponding trusted application to perform the trusted computing and obtain trusted data.
Trust here covers multiple levels of software and hardware trust, such as network security and the security of the software and hardware environment. In a power system it includes hardware trusted boot of power devices, trust measurement when the operating system and software application image files are loaded, dynamic trust measurement of application code segments while the device is running, and the like.
Optionally, in an embodiment, if the trusted kernel cannot implement the trusted computing, the secure kernel of the trusted computing system is invoked through the trusted module, and the algorithm corresponding to the trusted computing type is obtained from the secure resource area of the secure kernel, so that the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing. In this way the trusted computing required by different scenarios is supported.
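As an added illustration, not code from the patent, the following Python model walks through the image-load trust measurement of fig. 4 together with the fallback in which the trusted kernel obtains its algorithm from the secure kernel. SHA-256 stands in for the national cryptographic algorithm, and the class names, the feature-value encoding, the provisioning step, and the sample image are assumptions made for the example.

```python
import hashlib
import hmac


def extract_feature(image: bytes) -> bytes:
    # Assumption: the page does not define the "feature value"; here it is
    # the image length (8 bytes, big-endian) followed by the image bytes.
    return len(image).to_bytes(8, "big") + image


class SecureKernel:
    """Owns the secure resource area; hands algorithms to the trusted kernel."""

    def __init__(self):
        # SHA-256 is a stand-in for the national cryptographic hash.
        self._secure_area = {"hash": lambda data: hashlib.sha256(data).digest()}
        self.requests = 0  # how often the trusted kernel had to fall back

    def provide_algorithm(self, kind: str):
        self.requests += 1
        if kind not in self._secure_area:
            raise LookupError(f"secure kernel has no {kind!r} algorithm")
        return self._secure_area[kind]


class TrustedKernel:
    """Runs the trusted application; keeps reference values in its own area."""

    def __init__(self, secure_kernel: SecureKernel):
        self._secure_kernel = secure_kernel
        self._trusted_area = {}  # image name -> reference measurement
        self._algorithms = {}    # empty: the first use takes the fallback path

    def _algorithm(self, kind: str):
        if kind not in self._algorithms:
            self._algorithms[kind] = self._secure_kernel.provide_algorithm(kind)
        return self._algorithms[kind]

    def measure(self, image: bytes) -> bytes:
        return self._algorithm("hash")(extract_feature(image))

    def enroll(self, name: str, image: bytes) -> None:
        """Provisioning (assumed step): record a known-good image's measurement."""
        self._trusted_area[name] = self.measure(image)

    def verify_image(self, name: str, image: bytes, open_area: dict) -> bool:
        expected = self._trusted_area.get(name)
        measured = self.measure(image)
        # Fail closed on unknown images; compare in constant time otherwise.
        ok = expected is not None and hmac.compare_digest(measured, expected)
        # Trusted data published for the service core to read.
        open_area[name] = {"trusted": ok, "measurement": measured.hex()}
        return ok


def boot_load(name: str, image: bytes, trusted: TrustedKernel, open_area: dict) -> str:
    """Loader gate. It acts on the trusted kernel's answer, not on the copy in
    the open resource area, which the service core itself can overwrite."""
    if not trusted.verify_image(name, image, open_area):
        raise PermissionError(f"{name}: measurement mismatch, image not loaded")
    return f"{name}: loaded"


def demo() -> dict:
    good = b"\x7fELF constructed sample image v1"  # constructed sample
    tampered = good.replace(b"v1", b"v2")          # one changed byte
    secure, open_area = SecureKernel(), {}
    trusted = TrustedKernel(secure)
    trusted.enroll("app.img", good)
    results = {"good": boot_load("app.img", good, trusted, open_area)}
    for label, name, image in (("tampered", "app.img", tampered),
                               ("unknown", "other.img", good)):
        try:
            results[label] = boot_load(name, image, trusted, open_area)
        except PermissionError as exc:
            results[label] = f"refused: {exc}"
    results["secure_kernel_requests"] = secure.requests
    results["open_area"] = open_area
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The secure kernel is consulted once because the trusted kernel caches the algorithm it receives, and an image with no enrolled reference value is refused rather than loaded.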
In the trusted computing method described above, in response to a processing request related to a power service requirement, the service processing core is called to run the service application corresponding to the processing request; if handling the power service processing request requires trusted computing, the trusted module calls the trusted kernel to run the corresponding trusted application, which performs the trusted computing and yields trusted data. That is, in a single-chip-based trusted computing system in which a single multi-core high-performance main control chip replaces the hardware trusted design of an external secure trusted chip, when running a service application requires trusted computing, the trusted kernel runs the corresponding trusted application in the trusted module to perform it and obtain trusted data. Trusted computing is thus carried out on the same chip, which reduces the risks introduced by communication between chips.
It should be understood that, although the steps in the flowcharts of the above embodiments are shown in the sequence indicated by the arrows, they are not necessarily executed in that sequence. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described and may be performed in other orders. Moreover, at least some of the steps in the flowcharts of the above embodiments may include multiple sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed sequentially but may be performed in turn or alternately with other steps or with at least some of the sub-steps or stages of other steps.
In one embodiment, a power device is provided, which may be a terminal, and the internal structure thereof may be as shown in fig. 6. The power device includes a processor, a memory, a communication interface, a display screen, and an input device connected by a system bus. Wherein the processor of the power device is configured to provide computing and control capabilities. The memory of the power equipment comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The communication interface of the power equipment is used for carrying out wired or wireless communication with an external terminal, and the wireless communication can be realized through WIFI, a mobile cellular network, NFC (near field communication) or other technologies. The computer program is executed by a processor to implement a trusted computing method. The display screen of the power equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the power equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the power equipment, an external keyboard, a touch pad or a mouse and the like.
Those skilled in the art will appreciate that the configuration shown in fig. 6 is a block diagram of only a portion of the configuration associated with the present application and does not constitute a limitation on the power device to which the present application is applied, and that a particular power device may include more or less components than those shown in the figures, or combine certain components, or have a different arrangement of components.
In one embodiment, there is also provided a power device, including a memory and a processor, where the memory stores a computer program, and the processor implements the steps in the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by hardware that is instructed by a computer program, and the computer program may be stored in a non-volatile computer-readable storage medium, and when executed, may include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include a Read-Only Memory (ROM), a magnetic tape, a floppy disk, a flash Memory, an optical Memory, a high-density embedded nonvolatile Memory, a resistive Random Access Memory (ReRAM), a Magnetic Random Access Memory (MRAM), a Ferroelectric Random Access Memory (FRAM), a Phase Change Memory (PCM), a graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases involved in the embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present application, and the description thereof is more specific and detailed, but not to be construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application shall be subject to the appended claims.

Claims (10)

1. A trusted computing system based on a single chip is characterized by comprising a main control chip, a trusted module and a service module, wherein the main control chip is provided with a trusted kernel and at least one service processing kernel, and the service processing kernel and the trusted kernel are isolated from each other; wherein:
the service processing core is used for responding to a processing request related to the power service requirement and operating the service application corresponding to the processing request in the service module;
and the trusted kernel is used for running the corresponding trusted application in the trusted module to perform trusted calculation if the service application needs to be operated to perform trusted calculation so as to obtain trusted data.
2. The trusted computing system based on single chip according to claim 1, wherein a secure kernel is provided on the main control chip, and the service processing kernel, the trusted kernel and the secure kernel are isolated from each other; and the security kernel is used for providing a security algorithm required by the trusted computing of the service application to the trusted kernel if the trusted kernel cannot support the trusted computing of the service application, so that the trusted kernel runs the corresponding trusted application in the trusted module to perform the trusted computing.
3. The trusted computing system based on single chip according to claim 2, wherein the master control chip further includes an open resource area corresponding to the service processing core, a trusted resource area corresponding to the trusted kernel, and a secure resource area corresponding to the secure kernel; the open resource area, the trusted resource area and the secure resource area are isolated from each other.
4. The trusted computing system based on the single chip according to claim 3, wherein the trusted kernel is further configured to, if the service application needs to be operated for trusted computing, operate a corresponding trusted application in the trusted module for trusted computing to obtain trusted data, and store the trusted data in the open resource area and/or the trusted resource area according to actual requirements.
5. The single-chip based trusted computing system of claim 1, wherein said trusted module has a first trusted interface; the service module is provided with a second trusted interface, and the first trusted interface and the second trusted interface are used for establishing interaction between the service application and the trusted application, so that if the service application needs to be operated to perform trusted computing, the corresponding trusted application in the trusted module is operated to perform trusted computing through the trusted kernel, and trusted data is obtained.
6. The single-chip based trusted computing system of claim 1, wherein the trusted module comprises a trusted operating system running on the trusted kernel and a trusted application deployed on the operating system; the service module comprises a service processing system running on the service processing core and a service application deployed on the service processing system.
7. A trusted computing method applied to the trusted computing system based on single chip according to any one of claims 2 to 6, the method comprising:
responding to a processing request related to the power service demand, and calling the service processing core to run a service application corresponding to the processing request;
and if the relevant service application corresponding to the processing request needs to be subjected to trusted computing when running, calling the trusted kernel to run the corresponding trusted application to carry out trusted computing to obtain trusted data.
8. The method of claim 7, further comprising:
if the trusted kernel can not realize the trusted computation, calling a security kernel through the trusted module;
and acquiring an algorithm corresponding to the trusted computing type from a secure resource area of the security kernel to perform trusted computing, so that the trusted kernel runs a corresponding trusted application in the trusted module to perform trusted computing.
9. An electrical device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 7 to 8.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 7 to 8.
CN202210983984.4A 2022-08-16 2022-08-16 Trusted computing system and trusted computing method based on single chip Active CN115062353B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210983984.4A CN115062353B (en) 2022-08-16 2022-08-16 Trusted computing system and trusted computing method based on single chip

Publications (2)

Publication Number Publication Date
CN115062353A CN115062353A (en) 2022-09-16
CN115062353B true CN115062353B (en) 2022-11-11

Family

ID=83208499

Country Status (1)

Country Link
CN (1) CN115062353B (en)

Also Published As

Publication number Publication date
CN115062353A (en) 2022-09-16

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant