CN115422547A - Data processing method, processor and related equipment - Google Patents

Info

Publication number
CN115422547A
Authority
CN
China
Prior art keywords
execution environment
encryption
data
processor
target data
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211042922.XA
Other languages
Chinese (zh)
Inventor
张博锋
旷小红
邓强
顾剑
刘勇鹏
李文祥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Phytium Technology Co Ltd
Original Assignee
Phytium Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Phytium Technology Co Ltd
Priority to CN202211042922.XA
Publication of CN115422547A
Legal status: Pending (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/602 Providing cryptographic facilities or services

Abstract

The invention discloses a data processing method, a processor and related equipment. The processor is internally provided with at least one processor core and an encryption and decryption module, and is loaded with a first execution environment and a second execution environment, where the security level of the first execution environment is lower than that of the second execution environment. The data processing method comprises the following steps: in the first execution environment, acquiring an encryption and decryption request initiated by a target application program, where the request carries first target data to be processed; and, in response to the request, instructing the encryption and decryption module to process the first target data in the second execution environment, so as to ensure the data security of the encryption and decryption module and improve the security of the processor.

Description

Data processing method, processor and related equipment
Technical Field
The present invention relates to the field of data processing technologies, and in particular, to a data processing method, a processor, and a related device.
Background
At present, a processor mainly performs encryption and decryption operations through hardware encryption and decryption devices such as an independent encryption and decryption chip or an encryption and decryption card. However, since the hardware encryption and decryption device and the processor belong to different hardware entities, they must be connected through a hardware interface, which allows an intruder to compromise the processor system by monitoring that hardware interface and so creates a potential safety hazard for the processor system.
Disclosure of Invention
The invention discloses a data processing method, a processor and related equipment, which aim to solve the problem of potential safety hazard of the processor caused by the fact that the processor is connected with hardware encryption and decryption equipment through a hardware interface.
In a first aspect, the present invention discloses a data processing method, where the data processing method is applied to a processor, where the processor is provided with at least one processor core and an encryption/decryption module, the processor is loaded with a first execution environment and a second execution environment, and a security level of the first execution environment is lower than a security level of the second execution environment, and the data processing method includes that the processor core executes the following operations: under the first execution environment, acquiring an encryption and decryption request initiated by a target application program; wherein, the encryption and decryption request carries first target data to be processed; and responding to the encryption and decryption request, and instructing the encryption and decryption module to process the first target data under the second execution environment.
In a second aspect, the present invention discloses a processor, where the processor is provided with at least one processor core and an encryption/decryption module, and the processor is loaded with a first execution environment and a second execution environment, where the security level of the first execution environment is lower than that of the second execution environment; the processor core is configured to obtain an encryption and decryption request initiated by a target application program in the first execution environment, where the encryption and decryption request carries first target data to be processed, respond to the encryption and decryption request, and instruct the encryption and decryption module to process the first target data in the second execution environment.
In a third aspect, the present invention discloses an electronic device, comprising: a memory to store instructions; a processor for performing the data processing method of any one of the above in accordance with instructions stored in the memory. The processor core and the hardware encryption and decryption module are arranged in the processor, and the encryption and decryption module can only receive the indication sent by the processor core under the second execution environment with higher security level, so that the security of the processor and the electronic equipment can be improved.
In a fourth aspect, the invention discloses a computer readable storage medium having stored thereon instructions for executing the data processing method of any of the above.
In a fifth aspect, the present invention discloses a computer program product or computer program comprising computer instructions stored in a computer readable storage medium; the computer instructions are read from the computer-readable storage medium by a processor, and the processor implements the data processing method as any one of the above when executing the computer instructions.
According to the data processing method, the processor, the electronic equipment, the computer readable storage medium, the computer program product or the computer program, the processor core and the hardware encryption and decryption module are arranged inside the processor, so that an intruder cannot compromise the processor system by monitoring a hardware interface between the processor and an external encryption and decryption device, and the safety of the processor system is improved. Further, the processor core obtains the encryption and decryption request (initiated by the target application program and carrying the first target data to be processed) in the first execution environment with the lower security level, and instructs the encryption and decryption module to process the first target data in the second execution environment with the higher security level. The encryption and decryption module therefore operates under the second execution environment, so its security level is equal to that of the second execution environment, the data security of the encryption and decryption module can be ensured, and the security of the processor system is further improved.
In some optional examples, the processor is loaded with OpenSSL, and after acquiring, in the first execution environment, an encryption/decryption request initiated by a target application, the method further includes: acquiring configuration data generated by the OpenSSL under the first execution environment, wherein the configuration data corresponds to the processing operation to be performed on the first target data; the instructing, in the second execution environment, the encryption and decryption module to process the first target data includes: and under the second execution environment, instructing the encryption and decryption module to determine a target algorithm required by the processing operation to be performed on the first target data based on the configuration data, and performing corresponding processing operation on the first target data based on the target algorithm to ensure the information transmission safety of the network application program on the network.
In some optional examples, the data processing method further comprises: acquiring second target data in the second execution environment, wherein the second target data is data stored in a storage space corresponding to the second execution environment after the encryption and decryption module processes the first target data; and under the first execution environment, feeding back the second target data to the target application program so as to enable the target application program to execute a corresponding function based on the second target data. The second target data is stored in the storage space with higher security level, so that the security of the second target data can be further ensured.
In some optional examples, before the encryption/decryption module is instructed to process the first target data in the second execution environment, or before the second target data is fed back to the target application program in the first execution environment, the method further includes: switching between the first execution environment and the second execution environment, and exchanging data between them, by calling an SMC instruction, so that the safety of the exchanged data is ensured by the communication protocol between the first execution environment and the second execution environment, and the data safety of the encryption and decryption module is further ensured.
In some optional examples, the first execution environment comprises a normal execution environment, and the second execution environment comprises a trusted execution environment, so that data of the encryption and decryption module is guaranteed to be safe through the trusted execution environment with a higher security level.
In some optional examples, the processor is loaded with OpenSSL, and the processor core is further configured to, in the first execution environment, obtain configuration data generated by the OpenSSL, where the configuration data corresponds to a to-be-processed operation on the first target data, and in the second execution environment, instruct the encryption/decryption module to determine, based on the configuration data, a target algorithm required by the to-be-processed operation on the first target data, and perform, based on the target algorithm, a corresponding processing operation on the first target data, so as to ensure, through OpenSSL, information transmission security of a network application program on a network.
In some optional examples, the processor core is further configured to, in the second execution environment, obtain second target data, where the second target data is data stored in a storage space corresponding to the second execution environment after the encryption and decryption module processes the target data, and in the first execution environment, feed back the second target data to the target application program, so that the target application program executes a corresponding function based on the second target data. The storage space corresponding to the second execution environment with higher security level is used for storing the second target data, so that the security of the second target data can be further ensured.
In some optional examples, the processor core is further configured to implement switching between the first execution environment and the second execution environment and interaction of data between the first execution environment and the second execution environment by invoking an SMC instruction, so as to ensure security of the interacted data and thus data security of the encryption and decryption module through a communication protocol between the first execution environment and the second execution environment.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present invention, the drawings required to be used in the embodiments or the background art of the present invention will be described below.
Fig. 1 is a schematic structural diagram of a processor according to an embodiment of the present invention.
Fig. 2 is a schematic structural diagram of another processor according to an embodiment of the disclosure.
Fig. 3 is a schematic diagram of an architecture of a processor core according to an embodiment of the present invention.
Fig. 4 is a schematic structural diagram of a system on a chip according to an embodiment of the present invention.
Fig. 5 is a schematic structural diagram of a memory according to an embodiment of the present invention.
Fig. 6 is a flowchart of a data processing method according to an embodiment of the present invention.
Fig. 7 is a flowchart of another data processing method according to an embodiment of the disclosure.
Fig. 8 is a flowchart of another data processing method according to the embodiment of the present invention.
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the disclosure.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
At present, hardware encryption and decryption devices such as an independent encryption and decryption chip or an encryption and decryption card are mainly connected to a processor through a hardware interface. The control unit in the processor drives the hardware encryption and decryption device through a software driver to provide standard encryption and decryption services for the application programs running on the processor. However, since the hardware interface can be snooped, a safety hazard exists in the processor system.
Based on this, the invention discloses a scheme for improving processor security, which is characterized in that a processor core and a hardware encryption and decryption module are arranged in a processor, the processor core is enabled to obtain an encryption and decryption request carrying target data under a first execution environment with a lower security level, and the encryption and decryption module is instructed to process the target data under a second execution environment with a higher security level, so that the data security of the encryption and decryption module is ensured, and the security of a processor system is improved.
The following explains the related terms to which the present invention relates:
A normal execution environment (REE), also called a rich execution environment, may run a conventional operating system (OS) and ordinary programs, and stores ordinary information in a normal region of a system on chip (SoC).
A trusted execution environment (TEE) provides isolated execution, secure communication, secure storage and similar functions based on a secure region of the SoC, ensures the integrity, confidentiality and availability of sensitive information inside the TEE, and provides secure services to the rich execution environment (REE).
The encryption and decryption module, which may also be referred to as a cryptographic engine unit, may perform a corresponding cryptographic operation in response to an encryption and decryption request from an execution environment, including, for example, encrypting or decrypting data or other related operations.
The computer system may support a variety of execution environments, such as TEE, REE, or other execution environments, which all have a need to access and use the cryptographic engine unit. In order to perform the cryptographic operation required by the encryption/decryption request, it is necessary to store data required to perform the cryptographic operation, for example, object data on which the cryptographic operation is to be performed and attribute information of the cryptographic operation itself (for example, a type of the cryptographic operation, a key, and the like).
As an optional implementation of the disclosure, an embodiment of the invention discloses a processor. Fig. 1 is a schematic structural diagram of a processor according to an embodiment of the present invention, and as shown in fig. 1, a processor 10 may include at least one processor core 101 and an encryption/decryption module 102. In other words, the processor 10 is internally provided with at least one processor core 101 and an encryption/decryption module 102.
The processor core 101 is connected to the encryption and decryption module 102, and is configured to control operations of the encryption and decryption module 102; the encryption and decryption module 102 is configured to perform cryptographic operation on data according to a cryptographic algorithm.
The cryptographic algorithm may be an encryption algorithm, a decryption algorithm, or another algorithm; for example, it may be a symmetric algorithm, an asymmetric algorithm, a hash algorithm, or another cryptographic algorithm. A symmetric algorithm is an encryption algorithm that uses the same key for encryption and decryption: the data sender encrypts the plaintext with the key and sends the ciphertext, and the data receiver recovers the plaintext from the ciphertext with the same key. Because the sender and the receiver use the same key, the security of symmetric encryption depends not only on the encryption algorithm itself but also on keeping the key secret. Symmetric algorithms include the SM4 national standard cipher and AES128, AES192 and AES256 (AES is an abbreviation of Advanced Encryption Standard). An asymmetric algorithm is an encryption algorithm that uses different keys for encryption and decryption. It employs two keys that appear in pairs, called the public key and the private key: data encrypted with the public key can only be decrypted with the corresponding private key, and data encrypted with the private key can only be decrypted with the corresponding public key. Asymmetric algorithms include the ElGamal algorithm and the RSA (Rivest, Shamir and Adleman) algorithm. A hash algorithm is a function that maps an input message of arbitrary length to an output string of fixed length. Generating the hash value is a one-way process (the reverse operation is hard to carry out), and the probability of a collision (two different inputs producing the same hash value) is very small.
In some embodiments, as shown in fig. 1, the processor 10 may include multiple processor cores 101, that is, the processor 10 may be a processor with a multi-core architecture, although the invention is not limited thereto, and in other embodiments, as shown in fig. 2, fig. 2 is a schematic structural diagram of another processor disclosed in the embodiment of the present invention, and the processor 10 may also include one processor core 101, that is, the processor 10 may be a processor with a single-core architecture.
In the embodiment of the present invention, as shown in fig. 2, a processor 10 is loaded with a first execution environment and a second execution environment, and a security level of the first execution environment is lower than a security level of the second execution environment. The processor core 101 may be configured to: in a first execution environment, an encryption and decryption request initiated by a target application program in the first execution environment is obtained, the encryption and decryption request carries first target data to be processed, the encryption and decryption request is responded, and in a second execution environment, the encryption and decryption module 102 is instructed to process the first target data.
Of course, in other embodiments, the processor core 101 may also be configured to: in the second execution environment, an encryption and decryption request initiated by an application program in the second execution environment is obtained, the encryption and decryption request carries target data to be processed, the encryption and decryption request is responded, and the encryption and decryption module 102 is instructed to process the target data in the second execution environment.
Because the hardware encryption and decryption module 102 is arranged inside the processor 10, an intruder cannot compromise the processor system by monitoring a hardware interface between the processor 10 and an external encryption and decryption device, and the safety of the processor system is improved. Because the processor core 101 instructs the encryption and decryption module 102 to process the first target data in the second execution environment with the higher security level, the encryption and decryption module 102 is effectively placed in the second execution environment, so that its security level is equivalent to that of the second execution environment, which ensures the data security of the encryption and decryption module 102 and eliminates the risk of data theft.
It is understood that, since the security level of the second execution environment is higher than that of the first execution environment, the processor core 101 in the second execution environment is not easily compromised by an intruder, and the data security of the encryption/decryption module 102 and the processor 10 can be ensured. Even if the intruder compromises the processor core 101 in the first execution environment with the lower security level, the intruder can only send instructions to the encryption and decryption module 102 through the processor core 101 in the first execution environment; because the encryption and decryption module 102 only executes operations under instruction from the processor core 101 in the second execution environment, the intruder cannot make the encryption and decryption module 102 output encrypted or decrypted data through the processor core 101 in the first execution environment. Thus the data security of the encryption and decryption module 102 and the processor 10 is ensured, and the security of the processor 10 is further improved.
In some embodiments of the invention, the first execution environment may be a normal execution environment and the second execution environment may be a trusted execution environment. In other embodiments, the first execution environment may be a normal execution environment and the second execution environment may be a secure element subsystem execution environment. The security level of the security element subsystem execution environment is higher than that of the trusted execution environment, and the security level of the trusted execution environment is higher than that of the common execution environment.
The differences between the different execution environments will be described below in conjunction with the architecture of the processor core 101. As shown in fig. 3, fig. 3 is a schematic diagram of an architecture of a processor core according to an embodiment of the present invention, and the execution levels EL0 to EL3 may be used to represent the operation levels of the processor core 101.
Among these, EL0 to EL2 are each divided into a secure world and a normal world. EL0 is user mode and runs application programs, which are divided into applications running in the normal world and applications running in the secure world; EL1 is operating system kernel mode and runs the operating system, which is divided into a general-purpose operating system running in the normal world and a trusted operating system running in the secure world; EL2 is virtual machine monitor mode and runs virtual machines; EL3 is secure monitor mode and runs the secure monitor, which is responsible for switching the processor core 101 between the secure world and the normal world.
Taking the normal execution environment and the trusted execution environment as examples: when the execution environment of the processor core 101 is the normal execution environment, the processor core 101 is in the normal world, the application program it runs is a normal-world application, and the operating system is the general-purpose operating system of the normal world; when the execution environment of the processor core 101 is the trusted execution environment, the processor core 101 is in the secure world, the application program it runs is a secure-world application, and the operating system is the trusted operating system of the secure world.
In some embodiments of the present invention, when the processor core 101 needs to run an operating system or an application program in the common world, the current execution environment is switched to the common execution environment; when the processor core 101 needs to run an operating system or an application program of the secure world, the current execution environment is switched to the trusted execution environment.
In some embodiments of the invention, the processor core 101 is further configured to: switching between execution environments and data interaction between execution environments are realized by calling an SMC (Secure Monitor Call) instruction.
In some embodiments, the processor core 101 is further configured to switch the first execution environment to the second execution environment by invoking the SMC instruction, and transfer the first target data in the storage space corresponding to the first execution environment to the storage space corresponding to the second execution environment, so that the processor core 101 instructs the encryption and decryption module 102 to process the first target data in the second execution environment.
In some embodiments of the invention, the processor core 101 invokes an SMC instruction to: the value of the flag bit (NS bit) of the hardware register in the processor 10 is changed so that the switching of the execution environment and the interaction of data are performed by passing parameters through the flag bit of the hardware register.
In some embodiments, after the flag bit of the hardware register is changed from 1 to 0, the execution environment of the processor core 101 is switched from the normal execution environment to the trusted execution environment; after the flag bit is changed from 0 to 1, the execution environment of the processor core 101 is switched from the trusted execution environment back to the normal execution environment. It should be noted that this is only an example and should not be construed as a limitation.
In the embodiment of the present invention, the storage space of the processor 10 includes a normal storage space and a secure storage space, the application program and the operating system running in the first execution environment may store data in the normal storage space correspondingly, and the application program and the operating system running in the second execution environment may store data in the secure storage space correspondingly. The common storage space and the safe storage space are isolated from each other, so that the safety of the data in the safe storage space can be ensured.
In some embodiments, the memory space of the processor 10 may further include a shared memory space, and the processor core 101 is further configured to implement data interaction between different execution environments through the shared memory space.
In some embodiments, before the execution environment of the processor core 101 is switched from the first execution environment to the second execution environment, the processor core 101 in the first execution environment is further configured to store the first target data that needs to be interacted into the shared memory space, and after the execution environment of the processor core 101 is switched from the first execution environment to the second execution environment, the processor core 101 in the second execution environment is further configured to obtain the first target data that needs to be interacted from the shared memory space and store the first target data into the secure memory space corresponding to the second execution environment.
It should be noted that when the processor core 101 in the first execution environment stores the data to be exchanged into the shared memory space, the data must be stored in a format that meets the requirements of the communication protocol between the first execution environment and the second execution environment. When the processor core 101 in the second execution environment obtains the data from the shared memory space, it determines whether the data format meets the requirements of the communication protocol: if so, the encryption and decryption module 102 is instructed to process the first target data; if not, the encryption and decryption module 102 is not instructed to process it.
Based on this, even if the first execution environment of the processor core 101 is compromised by an intruder, as long as the communication protocol between the first execution environment and the second execution environment is not broken, the intruder cannot carry out data exchange between the first execution environment and the second execution environment, and therefore cannot instruct the encryption and decryption module 102 to process data.
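A compact simulation in C of the request path described above (a shared-memory message in an agreed format, an SMC that clears and restores the NS bit, format validation on the secure side, and an engine that only accepts instructions issued from the secure world). This is an added example, not code from the patent; the message layout, status codes and the byte-rotation stand-in for the cryptographic operation are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed REE/TEE shared-memory protocol (not the patent's own format). */
#define PROTO_MAGIC   0x52454551u   /* "REEQ" */
#define PROTO_VERSION 1u
#define MAX_PAYLOAD   64u

enum op     { OP_ENCRYPT = 1, OP_DECRYPT = 2 };
enum status { ST_OK = 0, ST_BAD_FORMAT = 1, ST_ENGINE_REFUSED = 2 };

/* Layout of one request in the shared storage space, written by the normal-world core. */
struct shared_req {
    uint32_t magic, version;
    uint32_t op;                   /* requested operation (the "configuration data") */
    uint32_t len;                  /* length of the first target data */
    uint8_t  payload[MAX_PAYLOAD]; /* first target data, copied from the normal storage space */
    uint8_t  result[MAX_PAYLOAD];  /* copy of the second target data handed back to the app */
};

/* Simulated hardware state: NS bit (1 = normal world, 0 = secure world) and secure memory. */
static int     ns_bit = 1;
static uint8_t secure_mem[MAX_PAYLOAD];

/* Encryption/decryption module: honours an instruction only while the core is in the secure world. */
static int engine_process(uint32_t op, const uint8_t *in, uint32_t len, uint8_t *out) {
    if (ns_bit != 0) return ST_ENGINE_REFUSED;
    /* Byte rotation stands in for the real algorithm (SM4, AES, ...) chosen from the request. */
    for (uint32_t i = 0; i < len; i++)
        out[i] = (op == OP_ENCRYPT) ? (uint8_t)((in[i] << 3) | (in[i] >> 5))
                                    : (uint8_t)((in[i] >> 3) | (in[i] << 5));
    return ST_OK;
}

/* Secure-world handler: reject anything that does not match the agreed protocol format. */
static int secure_handler(struct shared_req *req) {
    if (req->magic != PROTO_MAGIC || req->version != PROTO_VERSION) return ST_BAD_FORMAT;
    if (req->op != OP_ENCRYPT && req->op != OP_DECRYPT)             return ST_BAD_FORMAT;
    if (req->len == 0 || req->len > MAX_PAYLOAD)                    return ST_BAD_FORMAT;
    uint8_t in[MAX_PAYLOAD];
    memcpy(in, req->payload, req->len);            /* move the data into the secure world */
    int st = engine_process(req->op, in, req->len, secure_mem);  /* result lands in secure memory */
    if (st != ST_OK) return st;
    memcpy(req->result, secure_mem, req->len);     /* only a copy of the result crosses back */
    return ST_OK;
}

/* SMC: clear the NS bit, dispatch to the secure world, scrub secure memory, restore NS = 1. */
static int smc_call(struct shared_req *req) {
    ns_bit = 0;
    int st = secure_handler(req);
    memset(secure_mem, 0, sizeof secure_mem);
    ns_bit = 1;
    return st;
}

/* Normal-world path taken on behalf of the target application. */
int ree_request(uint32_t op, const uint8_t *data, uint32_t len, uint8_t *out) {
    struct shared_req req;
    if (len > MAX_PAYLOAD) return ST_BAD_FORMAT;
    memset(&req, 0, sizeof req);
    req.magic = PROTO_MAGIC; req.version = PROTO_VERSION; req.op = op; req.len = len;
    memcpy(req.payload, data, len);
    int st = smc_call(&req);
    if (st == ST_OK) memcpy(out, req.result, len);
    return st;
}

/* The two failure modes the text relies on: a normal-world caller that skips the monitor is
 * refused by the engine, and a request that does not follow the protocol is rejected before
 * the engine is ever instructed. */
int ree_direct_engine_access(const uint8_t *data, uint32_t len, uint8_t *out) {
    return engine_process(OP_ENCRYPT, data, len, out);   /* NS bit is still 1: refused */
}
int ree_malformed_request(void) {
    struct shared_req req;
    memset(&req, 0, sizeof req);
    req.magic = 0xDEADBEEFu; req.op = OP_ENCRYPT; req.len = 4;   /* wrong magic, no version */
    return smc_call(&req);
}

/* Self-check: returns 1 when the round trip works, both invalid paths are refused, and the
 * core ends up back in the normal world. */
int demo(void) {
    static const uint8_t msg[5] = { 'h', 'e', 'l', 'l', 'o' };   /* constructed sample */
    uint8_t ct[5], pt[5];
    if (ree_request(OP_ENCRYPT, msg, 5, ct) != ST_OK || memcmp(ct, msg, 5) == 0) return 0;
    if (ree_request(OP_DECRYPT, ct, 5, pt) != ST_OK || memcmp(pt, msg, 5) != 0)  return 0;
    if (ree_direct_engine_access(msg, 5, ct) != ST_ENGINE_REFUSED)              return 0;
    if (ree_malformed_request() != ST_BAD_FORMAT)                               return 0;
    return ns_bit == 1;
}
```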
In the embodiment of the present invention, the storage space of the processor 10 may be a storage space of a register inside the processor 10, or may be a storage space of a memory outside the processor 10. As shown in fig. 4, fig. 4 is a schematic structural diagram of a system on chip according to an embodiment of the present invention, where the system on chip includes a processor 10 and a memory 11. The memory 11 may be a dynamic random access memory (DDR).
As shown in fig. 5, fig. 5 is a schematic structural diagram of a memory disclosed in the embodiment of the present invention, where the memory 11 may include a normal memory 111 and a secure memory 112, the normal memory 111 is used to provide a normal storage space, and the secure memory 112 is used to provide a secure storage space. In some embodiments, the memory 11 may further include a shared memory 113, and the shared memory 113 is used for providing a shared storage space.
In some embodiments of the present invention, the encryption and decryption module 102 is further configured to store, in a storage space corresponding to the second execution environment, second target data obtained by processing the first target data. The storage space corresponding to the second execution environment may be a secure memory, so as to store the second target data through the storage space with a higher security level, and further ensure the security of the second target data.
In some embodiments of the present invention, the processor core 101 is further configured to obtain second target data in the second execution environment, and feed the second target data back to the target application program in the first execution environment, so that the target application program executes a corresponding function based on the second target data. For example, the target application may also send the second target data to a remote server. The second target data is the data stored in the storage space corresponding to the second execution environment after the encryption/decryption module 102 processes the first target data.
In some embodiments of the present invention, the processor core 101 is further configured to switch the second execution environment to the first execution environment by calling an SMC instruction, and transfer the second target data in the storage space corresponding to the second execution environment to the storage space corresponding to the first execution environment, so that the processor core 101 feeds back the second target data to the target application program running in the first execution environment.
In some embodiments of the present invention, the target application may be a network application, such as a secure browser. The processor 10 may be loaded with OpenSSL (Open Secure Sockets Layer), and the processor core 101 is further configured to implement encryption and decryption of data based on OpenSSL, so as to ensure secure transmission of the data over the network.
In some embodiments of the present invention, OpenSSL includes a general engine and a security engine: the general engine drives encryption and decryption software or hardware in the first execution environment to perform encryption and decryption operations, and the security engine drives the encryption and decryption module 102 in the second execution environment to perform encryption and decryption operations.
If the encryption and decryption request does not require a high data security level, the processor core 101 may drive, through the general engine inside OpenSSL, encryption and decryption software or hardware in the first execution environment to encrypt or decrypt the to-be-processed data carried in the request. If the request requires a higher data security level, the processor core 101 generates configuration data through the security engine inside OpenSSL and drives the encryption and decryption module 102 in the second execution environment to encrypt or decrypt the to-be-processed data carried in the request.
Based on this, in some embodiments of the present invention, the processor core 101 is further configured to, in a first execution environment, obtain configuration data generated by OpenSSL, and, in a second execution environment, instruct the encryption and decryption module 102 to determine, based on the configuration data, a target algorithm required by a processing operation to be performed on the first target data, and perform a corresponding processing operation on the first target data based on the target algorithm. The configuration data corresponds to a processing operation to be performed on the first target data.
The processor core 101 is further configured to determine, through OpenSSL based on the requirement information carried in the encryption and decryption request, that the processing operation to be performed on the first target data is an encryption operation, a decryption operation, or another operation, and determine a target algorithm required by the encryption operation, the decryption operation, or another operation, where the target algorithm may be any cryptographic algorithm.
The configuration data may include the key of the target algorithm, an encryption mode, an encryption initialization vector, and the like. For example, if the processing operation to be performed is an encryption operation and the target algorithm is the symmetric algorithm SM4, the configuration data includes the SM4 encryption key, the SM4 encryption mode (multiple modes are supported, such as cbc and ecb), the SM4 encryption initialization vector (iv) value, and the like.
In some embodiments of the present invention, the processor core 101 is further configured to transfer the configuration data to a storage space corresponding to the second execution environment by storing the configuration data in the shared storage space.
In some embodiments, the processor core 101 is further configured to, in the second execution environment, obtain configuration data in a storage space corresponding to the second execution environment, determine a corresponding interface of the encryption/decryption module 102 based on the configuration data, and configure a corresponding register inside the encryption/decryption module 102 through the corresponding interface, so that after the encryption/decryption module 102 obtains the first target data from the storage space corresponding to the second execution environment, the first target data is subjected to a corresponding processing operation through a target algorithm corresponding to the corresponding register.
Different interfaces of the encryption and decryption module 102 have mapping relationships with addresses of different registers, so that the corresponding registers are configured through the corresponding interfaces. It should be noted that, according to the type of the target algorithm, the registers inside the encryption/decryption module 102 may be divided into registers of a symmetric encryption/decryption group, registers of an asymmetric encryption/decryption group, registers of a hash algorithm group, and registers of a general group.
For example, after determining that the target algorithm is a symmetric algorithm according to the configuration data, the processor core 101 selects a symmetric encryption/decryption group of registers and a general-purpose group of registers, modifies the registers in a reasonable order, and writes the configuration data required during the encryption/decryption operation into the registers, so that the encryption/decryption module 102 performs the corresponding encryption/decryption operation.
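The register-group selection just described, as an added example that is not the patent's own code: the secure-side driver reads the configuration data (algorithm, direction, mode, key, iv), picks the symmetric or hash register group, writes those registers first, then the general group, with the start bit last. The register offsets, algorithm encodings and control bits are assumptions, since the page gives none.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed register map of the encryption/decryption module 102, modelled as
 * word offsets into an in-memory register file; the page does not give the
 * real addresses. Registers are grouped as the text describes: symmetric,
 * asymmetric, hash and general. */
enum {
    REG_SYM_BASE = 0x000, REG_ASYM_BASE = 0x100,
    REG_HASH_BASE = 0x200, REG_GEN_BASE = 0x300, REG_FILE_WORDS = 0x400
};
enum { SYM_MODE = REG_SYM_BASE, SYM_KEY0 = REG_SYM_BASE + 1, SYM_IV0 = REG_SYM_BASE + 5 };
enum { HASH_ALG = REG_HASH_BASE };
enum {
    GEN_ALG_SEL = REG_GEN_BASE, GEN_SRC = REG_GEN_BASE + 1, GEN_DST = REG_GEN_BASE + 2,
    GEN_LEN = REG_GEN_BASE + 3, GEN_CTRL = REG_GEN_BASE + 4
};

/* Identifiers carried in the configuration data (assumed encodings). */
enum alg_id { ALG_SM4 = 1, ALG_SM3 = 2, ALG_SM2 = 3 };
enum sym_mode { MODE_ECB = 0, MODE_CBC = 1 };
enum { CTRL_START = 1u, CTRL_DECRYPT = 2u };

/* Configuration data as produced by the OpenSSL security engine:
 * key, encryption mode and initialization vector for the target algorithm. */
struct crypto_config {
    enum alg_id alg;
    int decrypt;         /* 0 = encryption operation, 1 = decryption operation */
    enum sym_mode mode;  /* SM4 only */
    uint8_t key[16];     /* SM4 128-bit key */
    uint8_t iv[16];      /* SM4 IV, meaningful in CBC mode */
};

/* The "interface" to a register: an MMIO write in hardware, here a
 * bounds-checked store into the model. */
static int reg_write(uint32_t *regs, size_t off, uint32_t val)
{
    if (off >= REG_FILE_WORDS) return -1;
    regs[off] = val;
    return 0;
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Selects the register group from the algorithm type in cfg and writes the
 * registers in order: algorithm-specific group first, then the general group,
 * with the start bit last so the module never sees a half-written setup.
 * src/dst/len describe the first target data in secure memory.
 * Returns 0 on success, -1 for an unsupported or inconsistent configuration. */
int configure_crypto_module(uint32_t *regs, const struct crypto_config *cfg,
                            uint32_t src, uint32_t dst, uint32_t len)
{
    if (!regs || !cfg || len == 0) return -1;
    switch (cfg->alg) {
    case ALG_SM4:  /* symmetric group */
        if (cfg->mode != MODE_ECB && cfg->mode != MODE_CBC) return -1;
        if (len % 16 != 0) return -1;   /* assumed: the module does no padding */
        reg_write(regs, SYM_MODE, (uint32_t)cfg->mode);
        for (int i = 0; i < 4; i++)
            reg_write(regs, SYM_KEY0 + i, load_be32(cfg->key + 4 * i));
        for (int i = 0; i < 4; i++)     /* IV only matters in CBC; clear it in ECB */
            reg_write(regs, SYM_IV0 + i, cfg->mode == MODE_CBC ? load_be32(cfg->iv + 4 * i) : 0u);
        break;
    case ALG_SM3:  /* hash group: a hash has no decryption direction */
        if (cfg->decrypt) return -1;
        reg_write(regs, HASH_ALG, ALG_SM3);
        break;
    default:       /* asymmetric group (SM2) is not modelled in this example */
        return -1;
    }
    /* General group, common to every algorithm; CTRL written last. */
    reg_write(regs, GEN_ALG_SEL, (uint32_t)cfg->alg);
    reg_write(regs, GEN_SRC, src);
    reg_write(regs, GEN_DST, dst);
    reg_write(regs, GEN_LEN, len);
    reg_write(regs, GEN_CTRL, CTRL_START | (cfg->decrypt ? CTRL_DECRYPT : 0u));
    return 0;
}
```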
As an optional implementation of the disclosure, the embodiment of the present invention discloses a data processing method, which is applied to the processor 10 disclosed in the above embodiment of the present invention. As shown in fig. 1, at least one processor core 101 and an encryption/decryption module 102 are provided in the processor 10, and the processor 10 is loaded with a first execution environment and a second execution environment, where the security level of the first execution environment is lower than that of the second execution environment.
As shown in fig. 6, fig. 6 is a flowchart of a data processing method according to an embodiment of the present invention, where the data processing method includes the following operations executed by the processor core 101:
S501: in the first execution environment, acquiring an encryption and decryption request initiated by a target application program, where the encryption and decryption request carries first target data to be processed;
S502: responding to the encryption and decryption request, and instructing the encryption and decryption module to process the first target data in the second execution environment.
The processor core 101 may obtain, when the execution environment is the first execution environment, an encryption/decryption request initiated by a target application running in the first execution environment, where the encryption/decryption request carries first target data to be encrypted/decrypted. Then, the processor core 101 responds to the encryption and decryption request, switches the execution environment to the second execution environment, and instructs the encryption and decryption module to perform encryption and decryption processing on the first target data in the second execution environment.
Because the hardware encryption and decryption module 102 is arranged inside the processor 10, an intruder cannot compromise the processor system by monitoring a hardware interface between the processor 10 and an external encryption and decryption device, which improves the security of the processor system. Because the processor core 101 may instruct the encryption and decryption module 102 to process the first target data in the second execution environment, which has the higher security level, this is equivalent to placing the encryption and decryption module 102 in the second execution environment, so that the security level of the encryption and decryption module 102 equals that of the second execution environment; this ensures the data security of the encryption and decryption module 102 and further improves the security of the processor system.
In some embodiments of the invention, the first execution environment may comprise a normal execution environment and the second execution environment may comprise a trusted execution environment. Of course, the present invention is not limited thereto, and the first execution environment may be a normal execution environment, and the second execution environment may be a secure element subsystem execution environment.
On the basis of the foregoing embodiment, in some embodiments of the present invention, before instructing the encryption and decryption module to process the first target data in the second execution environment, the data processing method further includes: switching the first execution environment to the second execution environment by calling the SMC instruction, and transferring the data in the storage space corresponding to the first execution environment to the storage space corresponding to the second execution environment.
In some embodiments of the present invention, the target application program for the processor core 101 to obtain the encryption and decryption request is a network application program, the processor 10 is loaded with OpenSSL, and the processor core 101 is further configured to implement an encryption and decryption function of data based on OpenSSL, so as to ensure secure transmission of the data on the network. As shown in fig. 7, fig. 7 is a flowchart of another data processing method disclosed in the embodiment of the present invention, where the data processing method includes the following operations performed by the processor core 101:
S601: in the first execution environment, acquiring an encryption and decryption request initiated by a target application program and configuration data generated by OpenSSL, where the encryption and decryption request carries first target data to be processed and the configuration data corresponds to the processing operation to be performed on the first target data;
S602: responding to the encryption and decryption request, and, in the second execution environment, instructing the encryption and decryption module to determine, based on the configuration data, the target algorithm required by the processing operation to be performed on the first target data, and to perform the corresponding processing operation on the first target data based on the target algorithm.
In some embodiments, after the processor core 101 acquires the first target data and the configuration data, the first target data and the configuration data may be transferred to a storage space corresponding to the second execution environment by storing the first target data and the configuration data in the shared storage space, and in the second execution environment, the corresponding interface of the encryption and decryption module 102 is determined based on the configuration data, and the corresponding register inside the encryption and decryption module 102 is configured through the corresponding interface, so that the encryption and decryption module 102 performs a corresponding processing operation on the first target data through a target algorithm corresponding to the corresponding register.
In some embodiments of the present invention, as shown in fig. 8, fig. 8 is a flowchart of another data processing method disclosed in the embodiments of the present invention, and in addition to steps S701 and S702 which are the same as steps S501 and S502, the data processing method further includes the following operations performed by the processor core 101:
S703: acquiring second target data in the second execution environment, where the second target data is the data stored in the storage space corresponding to the second execution environment after the encryption and decryption module processes the first target data;
S704: in the first execution environment, feeding back the second target data to the target application program so that the target application program executes a corresponding function based on the second target data.
For example, if the target application is a secure browser, the processor core 101 may feed back the second target data to the secure browser, so that the secure browser sends the second target data to the remote server.
In some embodiments of the present invention, before feeding back the second target data to the target application program in the first execution environment, the data processing method further includes: switching the second execution environment to the first execution environment by calling the SMC instruction, and transferring the second target data in the storage space corresponding to the second execution environment to the storage space corresponding to the first execution environment.
It should be noted that, in some embodiments of the present invention, data interaction between the execution environments may be controlled by the agent software in the first execution environment and the security driver software in the second execution environment. For example, the first target data is transferred from the common storage space corresponding to the first execution environment to the shared storage space through the agent software, the first target data in the shared storage space is stored to the secure storage space corresponding to the second execution environment through the secure driver software, the second target data is stored from the secure storage space corresponding to the second execution environment to the shared storage space through the secure driver software, and the second target data is stored from the shared storage space to the common storage space corresponding to the first execution environment through the agent software.
A data processing flow disclosed in the embodiment of the present invention is described below by taking an example in which the target application is a secure browser.
When a user opens a secure browser running in the first execution environment of a computer system and enters a network address to be accessed in the address bar of the secure browser, and the link protocol of that address is a secure link protocol such as https, information interaction between the local server and the remote server is triggered.
During this information interaction, the exchanged data must be sent to the remote server in encrypted form, so the secure browser initiates an encryption request carrying the first target data to be encrypted and sends it to OpenSSL in the first execution environment. The security engine of OpenSSL generates configuration data corresponding to the processing operation to be performed on the first target data; the first target data and the configuration data are stored in the common storage space corresponding to the first execution environment.
The agent software in the first execution environment then switches the execution environment to the second execution environment by calling the SMC instruction and transfers the first target data and its configuration data from the common storage space corresponding to the first execution environment to the shared storage space. The security driver software in the second execution environment then transfers the first target data and its configuration data from the shared storage space to the secure storage space corresponding to the second execution environment, and instructs the encryption and decryption module 102 to determine, based on the configuration data, the target algorithm required by the processing operation to be performed on the first target data and to perform the corresponding processing operation on the first target data based on the target algorithm.
During the processing operation, the encryption and decryption module 102 stores the resulting second target data in the secure storage space corresponding to the second execution environment. After the encryption and decryption module 102 completes the processing operation, the security driver in the second execution environment switches the execution environment to the first execution environment by calling the SMC instruction, and transfers the second target data from the secure storage space corresponding to the second execution environment to the shared storage space.
The agent software in the first execution environment then transfers the second target data from the shared storage space to the common storage space corresponding to the first execution environment and passes it to the secure browser through the security engine of OpenSSL, so that the secure browser sends the second target data to the remote server.
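The round trip just walked through (agent stages the request in shared memory, SMC, secure driver validates the message format before copying it into secure memory and driving the module, result copied back the same way), as an added simulation that is not the patent's code. It also shows the format check described earlier for the communication protocol between the two environments. The message layout, magic value and status codes are assumptions, and the "module" is a placeholder XOR, not SM4.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed message format of the protocol between the two execution environments. */
#define MSG_MAGIC   0x54454531u   /* constructed value */
#define MSG_VERSION 1u
#define MAX_PAYLOAD 64u
enum msg_op { OP_ENCRYPT = 1, OP_DECRYPT = 2 };
enum { ST_OK = 0, ST_BAD_FORMAT = 1 };

struct shared_msg {
    uint32_t magic, version, op, len;
    uint8_t  key[16];               /* configuration data: 128-bit key (stand-in) */
    uint8_t  payload[MAX_PAYLOAD];  /* first target data in, second target data out */
    uint32_t status;                /* filled in by the secure driver */
};

/* The memory regions of fig. 5, modelled as plain buffers. */
static struct shared_msg shared_mem;   /* shared memory 113 */
static struct shared_msg secure_mem;   /* secure memory 112, owned by the secure driver */
static unsigned module_invocations;    /* how many times the module was driven */

/* Placeholder for the hardware encryption/decryption module: a key XOR so the
 * round trip is checkable. It is NOT SM4 and has no security meaning. */
static void crypto_module_process(uint8_t *buf, uint32_t len, const uint8_t key[16])
{
    module_invocations++;
    for (uint32_t i = 0; i < len; i++) buf[i] ^= key[i % 16];
}

/* Format check done by the secure driver before the module is touched. */
static int msg_format_ok(const struct shared_msg *m)
{
    return m->magic == MSG_MAGIC && m->version == MSG_VERSION
        && (m->op == OP_ENCRYPT || m->op == OP_DECRYPT)
        && m->len > 0 && m->len <= MAX_PAYLOAD;
}

/* Secure-world driver entry, reached through the SMC. Only a message that passes
 * the check is copied into secure memory and handed to the module. */
static void secure_driver_entry(void)
{
    if (!msg_format_ok(&shared_mem)) { shared_mem.status = ST_BAD_FORMAT; return; }
    memcpy(&secure_mem, &shared_mem, sizeof secure_mem);             /* shared -> secure */
    crypto_module_process(secure_mem.payload, secure_mem.len, secure_mem.key);
    secure_mem.status = ST_OK;
    memcpy(shared_mem.payload, secure_mem.payload, secure_mem.len);  /* secure -> shared */
    shared_mem.status = secure_mem.status;
    memset(&secure_mem, 0, sizeof secure_mem);  /* leave no key or plaintext behind */
}

/* Stand-in for the SMC instruction: switch world, run the driver, switch back. */
static void smc_call(void) { secure_driver_entry(); }

/* Normal-world agent: stage the request, switch worlds, copy the result back
 * into normal memory (out). Returns the status reported by the secure side. */
uint32_t agent_request(uint32_t op, const uint8_t key[16],
                       const uint8_t *in, uint32_t len, uint8_t *out)
{
    if (len > MAX_PAYLOAD) return ST_BAD_FORMAT;
    memset(&shared_mem, 0, sizeof shared_mem);
    shared_mem.magic = MSG_MAGIC;
    shared_mem.version = MSG_VERSION;
    shared_mem.op = op;
    shared_mem.len = len;
    memcpy(shared_mem.key, key, 16);
    memcpy(shared_mem.payload, in, len);
    smc_call();
    if (shared_mem.status == ST_OK) memcpy(out, shared_mem.payload, len);
    return shared_mem.status;
}

/* A message that bypasses the agent and does not follow the protocol: the
 * secure driver must reject it without driving the module. */
uint32_t malformed_request(void)
{
    memset(&shared_mem, 0, sizeof shared_mem);
    shared_mem.magic = 0xdeadbeefu;
    shared_mem.op = OP_ENCRYPT;
    shared_mem.len = 8;
    smc_call();
    return shared_mem.status;
}

unsigned module_invocation_count(void) { return module_invocations; }
```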
As an optional implementation of the disclosure of the present invention, an embodiment of the present invention discloses an electronic device, as shown in fig. 9, where fig. 9 is a schematic structural diagram of an electronic device disclosed in the embodiment of the present invention, and the electronic device includes:
a memory 81 for storing instructions;
a processor 82 configured to execute the instructions stored in the memory 81 to implement the data processing method provided in any of the above embodiments.
Specifically, the electronic device may further comprise a bus, a communication interface 83, an input device 84 and an output device 85. The processor 82, the memory 81, the communication interface 83, the input device 84, and the output device 85 are connected to each other via the bus. Wherein:
a bus may include a path that transfers information between components of a computer system.
The processor 82 may be a general-purpose processor, such as a general-purpose central processing unit (CPU) or microprocessor, an application-specific integrated circuit (ASIC), or one or more integrated circuits for controlling the execution of programs according to the solution of the present invention. It may also be a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components. The processor 82 may include a main processor, and may further include a baseband chip, a modem, and the like.
The memory 81 stores a program for executing the technical solution of the present invention, and may also store an operating system and other critical services. In particular, the program may include program code including computer operating instructions. More specifically, memory 81 may include a read-only memory (ROM), other types of static storage devices that may store static information and instructions, a Random Access Memory (RAM), other types of dynamic storage devices that may store information and instructions, a disk storage, a flash, and so forth.
The input device 84 may include a means for receiving user-entered data and information, such as a keyboard, mouse, camera, scanner, light pen, voice input device, touch screen, pedometer, or gravity sensor, among others. Output device 85 may include a means for allowing information to be output to a user, such as a display screen, a printer, speakers, etc. Communication interface 83 may include any device that uses a transceiver or the like to communicate with other devices or communication networks, such as an ethernet network, a Radio Access Network (RAN), a Wireless Local Area Network (WLAN), etc.
As an alternative implementation of the present disclosure, the present embodiment discloses a computer program product, which includes computer program instructions, and the computer program instructions, when executed by a processor, cause the processor to execute the data processing method provided in any of the above embodiments.
The computer program product may include program code for carrying out operations of embodiments of the present application in any combination of one or more programming languages, including an object-oriented programming language such as Python or C++ and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server.
As an alternative implementation of the disclosure, an embodiment of the present invention discloses a computer readable storage medium, on which instructions for executing the data processing method provided by any of the above embodiments are stored.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware. The computer program may be stored in a non-volatile computer-readable storage medium and, when executed, may include the processes of the method embodiments described above. Any reference to memory, storage, databases, or other media used in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM).
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above examples only express several embodiments of the present specification, and their description is specific and detailed, but this should not be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present description, and these fall within the scope of protection of the present description. Therefore, the protection scope of the patent of the specification shall be subject to the appended claims.

Claims (11)

1. A data processing method is applied to a processor, wherein the processor is internally provided with at least one processor core and an encryption/decryption module, the processor is loaded with a first execution environment and a second execution environment, the security level of the first execution environment is lower than that of the second execution environment, and the data processing method comprises the following operations executed by the processor core:
in the first execution environment, acquiring an encryption and decryption request initiated by a target application program, wherein the encryption and decryption request carries first target data to be processed;
responding to the encryption and decryption request, and instructing the encryption and decryption module to process the first target data in the second execution environment.
2. The data processing method according to claim 1, wherein the processor is loaded with OpenSSL, and after acquiring, in the first execution environment, an encryption/decryption request initiated by a target application program, the method further includes:
acquiring configuration data generated by the OpenSSL under the first execution environment, wherein the configuration data corresponds to the processing operation to be performed on the first target data;
the instructing, in the second execution environment, the encryption and decryption module to process the first target data includes:
in the second execution environment, instructing the encryption and decryption module to determine, based on the configuration data, a target algorithm required by the processing operation to be performed on the first target data, and to perform the corresponding processing operation on the first target data based on the target algorithm.
3. The data processing method of claim 1, further comprising:
acquiring second target data in the second execution environment, wherein the second target data is data stored in a storage space corresponding to the second execution environment after the encryption and decryption module processes the first target data;
in the first execution environment, feeding back the second target data to the target application program so as to enable the target application program to execute a corresponding function based on the second target data.
4. The data processing method according to claim 1, wherein, before instructing, in the second execution environment, the encryption/decryption module to process the first target data, or before feeding back, in the first execution environment, the second target data to the target application program, further comprises:
switching between the first execution environment and the second execution environment and interacting data between the first execution environment and the second execution environment by calling an SMC instruction.
5. The data processing method of claim 1, wherein the first execution environment comprises a normal execution environment and the second execution environment comprises a trusted execution environment.
6. A processor, characterized in that at least one processor core and an encryption and decryption module are arranged in the processor, the processor is loaded with a first execution environment and a second execution environment, and the security level of the first execution environment is lower than that of the second execution environment;
the processor core is configured to obtain an encryption and decryption request initiated by a target application program in the first execution environment, where the encryption and decryption request carries first target data to be processed, respond to the encryption and decryption request, and instruct the encryption and decryption module to process the first target data in the second execution environment.
7. The processor according to claim 6, wherein the processor is loaded with OpenSSL, and the processor core is further configured to, in the first execution environment, obtain configuration data generated by the OpenSSL, where the configuration data corresponds to a processing operation to be performed on the first target data, and in the second execution environment, instruct the encryption and decryption module to determine, based on the configuration data, a target algorithm required for the processing operation to be performed on the first target data, and perform the corresponding processing operation on the first target data based on the target algorithm.
8. The processor of claim 6, wherein the processor core is further configured to obtain, in the second execution environment, second target data, where the second target data is data stored in a storage space corresponding to the second execution environment after the encryption and decryption module processes the first target data, and feed the second target data back to the target application program in the first execution environment, so that the target application program executes a corresponding function based on the second target data.
9. The processor of claim 6, wherein the processor core is further configured to enable switching between the first execution environment and the second execution environment and interaction of data between the first execution environment and the second execution environment by invoking an SMC instruction.
10. An electronic device, comprising:
a memory to store instructions;
a processor for performing the data processing method of any one of claims 1 to 5 in accordance with instructions stored in the memory.
11. A computer-readable storage medium having stored thereon instructions for executing the data processing method according to any one of claims 1 to 5.
Application CN202211042922.XA, priority date 2022-08-29, filing date 2022-08-29: Data processing method, processor and related equipment (pending), published as CN115422547A (en).


Publications (1)

Publication number CN115422547A (en), publication date 2022-12-02.


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117009108A (en) * 2023-02-24 2023-11-07 荣耀终端有限公司 Message processing method, device and storage medium

Similar Documents

Publication Publication Date Title
US11704416B2 (en) Computational operations in enclave computing environments
US11038852B2 (en) Method and system for preventing data leakage from trusted network to untrusted network
WO2019105290A1 (en) Data processing method, and application method and apparatus of trusted user interface resource data
CN110492990B (en) Private key management method, device and system under block chain scene
US9355280B2 (en) Apparatus and method for providing hardware security
US11082231B2 (en) Indirection directories for cryptographic memory protection
US10938792B2 (en) Layered encryption for end to end communication
US11477008B2 (en) Service processing methods, apparatuses, devices and systems
JP2021111973A (en) Blockchain-based multi-party computing method, device, electronic device, non-temporary computer-readable storage medium, and computer program
KR102186114B1 (en) Method, system, and medium for using dynamic public key infrastructure to transmit and receive encrypted messages
US8612753B2 (en) Method and apparatus for protected code execution on clients
CN113609522B (en) Data authorization and data access method and device
US11637704B2 (en) Method and apparatus for determining trust status of TPM, and storage medium
US20230222230A1 (en) Key distribution system in a secure enclave
CN112822177A (en) Data transmission method, device, equipment and storage medium
CN115422547A (en) Data processing method, processor and related equipment
EP3716563A1 (en) Method and apparatus for establishing virtual network function instance
US20240028759A1 (en) Database access method and apparatus
US11997192B2 (en) Technologies for establishing device locality
CN109450899B (en) Key management method and device, electronic equipment and storage medium
CN114244515B (en) Hypervisor-based virtual machine communication method and device, readable storage medium and electronic equipment
US11647013B1 (en) Encryption of data via public key cryptography with certificate verification of target
WO2023124530A1 (en) Data encryption system and related product
JP7302404B2 (en) Information processing device and program
JP2014212474A (en) Secret key distribution method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination