CN117313124A - Firmware security processing system and encryption and decryption methods - Google Patents

Firmware security processing system and encryption and decryption methods Download PDF

Info

Publication number
CN117313124A
CN117313124A CN202311261893.0A CN202311261893A CN117313124A CN 117313124 A CN117313124 A CN 117313124A CN 202311261893 A CN202311261893 A CN 202311261893A CN 117313124 A CN117313124 A CN 117313124A
Authority
CN
China
Prior art keywords
firmware
upper computer
memory
encryption
decryption
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202311261893.0A
Other languages
Chinese (zh)
Inventor
何全
付彦淇
周津
王晓璐
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tianjin Jinhang Computing Technology Research Institute
Original Assignee
Tianjin Jinhang Computing Technology Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tianjin Jinhang Computing Technology Research Institute filed Critical Tianjin Jinhang Computing Technology Research Institute
Priority to CN202311261893.0A priority Critical patent/CN117313124A/en
Publication of CN117313124A publication Critical patent/CN117313124A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/71Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
    • G06F21/72Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a firmware security processing system and an encryption and decryption method, wherein the system comprises: the system comprises an upper computer and a memory, wherein the memory is used for storing primary user firmware and secondary user firmware, and the primary user firmware at least comprises a time sequence configuration for modifying an upper computer interface and a storage address of the secondary user firmware; the Flash controller comprises a direct channel module, an encryption/decryption channel module, a QSPI protocol control module and a channel switching module; the through channel module is connected with the memory, and the encryption/decryption channel module is connected with the memory through the QSPI protocol control module; when the interface time sequence configuration of the upper computer is consistent with the interface time sequence configuration of the QSPI protocol control module, the channel switching module is connected with the upper computer and the encryption/decryption channel module, otherwise, the channel switching module is connected with the upper computer and the direct channel module. The system provided herein can encrypt and decrypt data stored in memory.

Description

Firmware security processing system and encryption and decryption methods
Technical Field
The present disclosure relates generally to the field of information security technologies, and in particular, to a firmware security processing system and encryption and decryption methods.
Background
The program written in the program in the firmware is a component widely applied to modern electronic system equipment. The firmware takes on the work of the bottommost layer of the system and directly controls the hardware in the system equipment, such as the first started program BIOS after the computer is powered on.
The memory is an indispensable important component of many devices in modern information society, while the Flash memory (also called as a Flash memory) is used as a storage device in modern information system application, has the characteristics of erasable information, programmable information, no loss when power is lost and long-term storage, and is usually used as a firmware memory. In a system using a Flash memory as firmware storage, a Flash controller is generally used to perform read-write operations on Flash. However, most of the Flash controllers in the market have no encryption function, and once the Flash memory storing the user firmware is lost or stolen, information of the user firmware program may be leaked, so that the Flash controller needs to be additionally provided with a function of improving the security.
Disclosure of Invention
In view of the foregoing drawbacks or shortcomings of the prior art, it is desirable to provide a firmware secure processing system and encryption and decryption methods to solve the foregoing problems.
A first aspect of the present application provides a firmware secure processing system, including:
an upper computer;
the memory is used for storing primary user firmware and secondary user firmware, and the primary user firmware at least comprises a time sequence configuration for modifying an upper computer interface and a storage address of the secondary user firmware;
the Flash controller comprises a direct channel module, an encryption/decryption channel module, a QSPI protocol control module and a channel switching module; the through channel module is connected with the memory, and the encryption/decryption channel module is connected with the memory through the QSPI protocol control module; when the interface time sequence configuration of the upper computer is consistent with the interface time sequence configuration of the QSPI protocol control module, the channel switching module is connected with the upper computer and the encryption/decryption channel module, otherwise, the channel switching module is connected with the upper computer and the straight-through channel module.
According to the technical scheme provided by the embodiment of the application, the system further comprises a PC host, wherein the PC host is connected with the memory and used for programming the unencrypted primary user firmware and secondary user firmware to the memory.
According to the technical scheme provided by the embodiment of the application, one or only one of the through channel module and the encryption/decryption channel module is connected with the upper computer.
According to the technical scheme provided by the embodiment of the application, the encryption/decryption channel module adopts an SM4 block cipher algorithm.
According to the technical scheme provided by the embodiment of the application, the processing system comprises an encryption process and a decryption process, and when the encryption process is performed, the encryption/decryption channel module transmits data to the memory direction by the upper computer; and when the decryption process is performed, the encryption/decryption channel module transmits data from the memory to the upper computer.
The second aspect of the present application provides a firmware security encryption method, based on the above firmware security processing system, comprising the following steps:
the memory stores unencrypted primary user firmware and secondary user firmware;
the upper computer reads the primary user firmware in the memory through the straight-through channel module, and acquires a secondary user firmware storage address appointed in the primary user firmware; and modifying the interface timing sequence of the self according to the timing sequence configuration;
the upper computer reads the secondary user firmware in the memory according to the secondary user firmware storage address;
when the upper computer judges that the interface time sequence configuration of the upper computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the upper computer;
and the upper computer encrypts the secondary user firmware through the encryption/decryption channel module and writes the encrypted secondary user firmware into the memory.
According to the technical scheme provided by the embodiment of the application, after the encrypted secondary user firmware is written into the memory, the secondary user firmware which is not encrypted before is covered.
The third aspect of the present application provides a firmware secure decryption method, based on the above firmware secure processing system, comprising the following steps:
the upper computer reads the primary user firmware in the memory through the through channel module, acquires the storage address of the secondary user firmware appointed in the primary user firmware, and modifies the interface time sequence of the upper computer according to the time sequence configuration;
when the host computer judges that the interface time sequence configuration of the host computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the host computer;
the upper computer determines the position of the secondary user firmware in the memory according to the storage address of the secondary user firmware;
and the upper computer decrypts the secondary firmware after encrypting in the memory through the SM4 decryption channel module.
Compared with the prior art, the beneficial effect of this application lies in: according to the Flash controller, the through channel module, the encryption/decryption channel module, the QSPI protocol control module and the channel switching module are arranged in the Flash controller, so that the upper computer can read the primary user firmware from the memory through the through channel module, and obtain the storage address of the secondary user firmware according to the primary user firmware, and the upper computer can conveniently find the position of the secondary user firmware in the memory; and meanwhile, the interface time sequence of the upper computer can be modified according to the primary user firmware, and when the interface time sequence of the upper computer is consistent with the interface time sequence of the QSPI protocol control module, the upper computer can be connected with the memory through the encryption/decryption channel module, so that the secondary user firmware can be encrypted or decrypted. The firmware security processing system provided by the application can encrypt and decrypt the secondary user firmware stored in the memory, and improves the security of data.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
fig. 1 is a schematic structural diagram of a firmware security processing system provided in embodiment 1 of the present application;
fig. 2 is a flowchart of steps of a firmware security encryption method provided in embodiment 2 of the present application;
fig. 3 is a flowchart of the steps of the firmware security decryption method provided in embodiment 3 of the present application.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the invention are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
Example 1
Referring to fig. 1, the present embodiment provides a firmware security processing system, including:
an upper computer;
the memory is used for storing primary user firmware and secondary user firmware, and the primary user firmware at least comprises a time sequence configuration for modifying an upper computer interface and a storage address of the secondary user firmware;
the Flash controller comprises a direct channel module, an encryption/decryption channel module, a QSPI protocol control module and a channel switching module; the through channel module is connected with the memory, and the encryption/decryption channel module is connected with the memory through the QSPI protocol control module; when the interface time sequence configuration of the upper computer is consistent with the interface time sequence configuration of the QSPI protocol control module, the channel switching module is connected with the upper computer and the encryption/decryption channel module, otherwise, the channel switching module is connected with the upper computer and the straight-through channel module.
Further, the system also comprises a PC host, wherein the PC host is connected with the memory and is used for programming the unencrypted primary user firmware and secondary user firmware to the memory.
Further, one and only one of the pass-through channel module and the encryption/decryption channel module is connected with the upper computer.
Specifically, the firmware start flow of the upper computer is divided into a primary boot and a secondary boot. The first-level boot firmware is solidified in the upper computer, cannot be changed by a user and is responsible for loading the externally stored first-level user firmware into a program execution space of the upper computer; after the primary boot is completed, performing a secondary boot, and starting the primary user firmware to run at the moment; typically, the primary user firmware is a section of a bootstrap program, which allows a user to customize, and a general user loads and runs the secondary user firmware into a program execution space through the bootstrap program, thereby completing loading and execution of the whole user firmware. The general secondary user firmware has important significance for users, and the Flash controller can complete the security encryption protection of the secondary user firmware.
In the application, the upper computer and the Flash are QSPI interfaces and communicate with each other through a QSPI bus. The method comprises the steps that a primary boot reads a primary user program through a QSPI interface, the primary user program is executed based on primary user firmware, at the moment, a QSPI bus uses default configuration of an upper computer, the default time sequence configuration of a QSPI protocol control module is generally a fixed value and cannot be changed, and when the time sequence configuration of the QSPI interface of the upper computer is inconsistent with that of the QSPI protocol control module, the QSPI interface of the upper computer cannot be directly communicated; and a through passage module is designed in the Flash controller, and at the moment, the QSPI structure of the upper computer is required to be directly connected with a memory interface by using the through passage module so as to ensure the normal operation of the primary boot program. After the execution of the primary boot program is finished in the upper computer, the primary user program starts to execute, the QSPI interface time sequence configuration of the upper computer is modified through configuration in the primary user program, the interface time sequence configuration of the QSPI protocol control module in the Flash controller is kept consistent, and then the upper computer can use the encryption/decryption channel module of the Flash controller to conduct data communication, and encryption or decryption of data is conducted.
In a preferred embodiment, the encryption/decryption channel module employs an SM4 block cipher algorithm.
Further, the algorithm adopted by the encryption/decryption channel module is not limited to the SM4 block cipher algorithm, and an AES algorithm can be adopted.
In a preferred embodiment, the processing system includes an encryption process and a decryption process, and the encryption/decryption channel module transmits data from the host computer to the memory direction when the encryption process is performed; and when the decryption process is performed, the encryption/decryption channel module transmits data from the memory to the upper computer.
Example 2
Referring to fig. 2, the present embodiment provides a firmware security encryption method, based on the firmware security processing system described in embodiment 1, including the following steps:
s11, storing unencrypted primary user firmware and unencrypted secondary user firmware in a memory;
s12, the upper computer reads the primary user firmware in the memory through the straight-through channel module, and acquires a secondary user firmware storage address appointed in the primary user firmware; and modifying the interface timing sequence of the self according to the timing sequence configuration;
s13, the upper computer reads the secondary user firmware in the memory according to the secondary user firmware storage address;
s14, when the upper computer judges that the interface time sequence configuration of the upper computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the upper computer;
s15, the upper computer encrypts the secondary user firmware through the encryption/decryption channel module and writes the encrypted secondary user firmware into the memory.
Further, after the encrypted secondary user firmware is written into the memory, the secondary user firmware that was not encrypted before is overwritten.
Specifically, in this embodiment, encryption is mainly related to encrypting user firmware, where the user firmware includes two parts, namely, primary user firmware and secondary user firmware, and the encryption is performed on the secondary user firmware.
The specific steps of the encryption of the user firmware are as follows:
the PC host is in charge of directly programming the manufactured original user firmware file into the memory, then the upper computer directly reads the primary user firmware in the memory through the through channel module, a storage address of the appointed secondary user firmware is found in the primary user firmware, and the secondary user firmware in the memory is read through the address; then, the upper computer modifies the QSPI interface time sequence of the upper computer according to the time sequence configuration in the user firmware, and when the QSPI interface time sequence of the upper computer is consistent with the QSPI protocol control module time sequence, the upper computer sends a switching instruction to request to switch channels, and the channel switching module opens the encryption/decryption channels; and then the upper computer encrypts the read secondary user firmware through an encryption/decryption channel and writes the encrypted secondary user firmware into a memory, and the encrypted secondary user firmware covers the previously unencrypted secondary user firmware, so that the security encryption protection of the secondary user firmware is completed.
Example 3
Referring to fig. 3, the present embodiment provides a firmware secure decryption method, based on the firmware secure processing system described in embodiment 1, including the following steps:
s21, the upper computer reads the primary user firmware in the memory through the through channel module, acquires the storage address of the secondary user firmware appointed in the primary user firmware, and modifies the interface time sequence of the upper computer according to the time sequence configuration;
s22, when the upper computer judges that the interface time sequence configuration of the upper computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the upper computer;
s23, the upper computer determines the position of the secondary user firmware in the memory according to the storage address of the secondary user firmware;
s24, the upper computer decrypts the secondary firmware after encrypting in the memory through the SM4 decryption channel module.
The specific steps of decrypting the user firmware are as follows:
after the upper computer is electrified, reading the primary user firmware in the memory through a through channel module of the Flash controller, and finding a designated secondary user firmware storage address in the primary user firmware; then, the upper computer modifies the QSPI interface time sequence of the upper computer according to the time sequence configuration in the user firmware, and when the QSPI interface time sequence of the upper computer is consistent with the QSPI protocol control module time sequence, the upper computer sends a switching instruction to request to switch channels, and the channel switching module opens the encryption/decryption channels; and reading the secondary user firmware in the memory through the encryption/decryption channel module according to the acquired secondary user firmware storage address to complete the safe decryption operation of the secondary user firmware, and loading the decrypted secondary user firmware into a program execution space of the upper computer to complete the operation of the secondary user firmware.
The foregoing description is only of the preferred embodiments of the present application and is presented as a description of the principles of the technology being utilized. It will be appreciated by persons skilled in the art that the scope of the invention referred to in this application is not limited to the specific combinations of features described above, but it is intended to cover other embodiments in which any combination of features described above or equivalents thereof is possible without departing from the spirit of the invention. Such as the above-described features and technical features having similar functions (but not limited to) disclosed in the present application are replaced with each other.

Claims (8)

1. A firmware secure processing system, comprising:
an upper computer;
the memory is used for storing primary user firmware and secondary user firmware, and the primary user firmware at least comprises a time sequence configuration for modifying an upper computer interface and a storage address of the secondary user firmware;
the Flash controller comprises a direct channel module, an encryption/decryption channel module, a QSPI protocol control module and a channel switching module; the through channel module is connected with the memory, and the encryption/decryption channel module is connected with the memory through the QSPI protocol control module; when the interface time sequence configuration of the upper computer is consistent with the interface time sequence configuration of the QSPI protocol control module, the channel switching module is connected with the upper computer and the encryption/decryption channel module, otherwise, the channel switching module is connected with the upper computer and the straight-through channel module.
2. The firmware secure processing system of claim 1, further comprising a PC host coupled to the memory for programming unencrypted primary and secondary user firmware to the memory.
3. The firmware secure processing system of claim 2, wherein one and only one of said pass-through channel module and said encryption/decryption channel module is connected to said host computer.
4. A firmware secure processing system according to claim 3, wherein said encryption/decryption channel module employs SM4 block cipher algorithm.
5. The firmware secure processing system of claim 4, wherein said processing system comprises an encryption process and a decryption process, said encryption/decryption channel module transmitting data from said host computer to said memory direction while in said encryption process; and when the decryption process is performed, the encryption/decryption channel module transmits data from the memory to the upper computer.
6. A firmware security encryption method based on the firmware security processing system of any one of claims 1-5, comprising the steps of:
the memory stores unencrypted primary user firmware and secondary user firmware;
the upper computer reads the primary user firmware in the memory through the straight-through channel module, and acquires a secondary user firmware storage address appointed in the primary user firmware; and modifying the interface timing sequence of the self according to the timing sequence configuration;
the upper computer reads the secondary user firmware in the memory according to the secondary user firmware storage address;
when the upper computer judges that the interface time sequence configuration of the upper computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the upper computer;
and the upper computer encrypts the secondary user firmware through the encryption/decryption channel module and writes the encrypted secondary user firmware into the memory.
7. The method of claim 6, wherein after the encrypted secondary user firmware is written to the memory, the previously unencrypted secondary user firmware is overwritten.
8. A firmware secure decryption method based on the firmware secure processing system of any of claims 1-5, comprising the steps of:
the upper computer reads the primary user firmware in the memory through the through channel module, acquires the storage address of the secondary user firmware appointed in the primary user firmware, and modifies the interface time sequence of the upper computer according to the time sequence configuration;
when the host computer judges that the interface time sequence configuration of the host computer is consistent with the QSPI protocol control module, a switching instruction is sent, and the switching instruction is used for indicating the switching channel module to connect the encryption/decryption channel module and the host computer;
the upper computer determines the position of the secondary user firmware in the memory according to the storage address of the secondary user firmware;
and the upper computer decrypts the secondary firmware after encrypting in the memory through the SM4 decryption channel module.
CN202311261893.0A 2023-09-27 2023-09-27 Firmware security processing system and encryption and decryption methods Pending CN117313124A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311261893.0A CN117313124A (en) 2023-09-27 2023-09-27 Firmware security processing system and encryption and decryption methods

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311261893.0A CN117313124A (en) 2023-09-27 2023-09-27 Firmware security processing system and encryption and decryption methods

Publications (1)

Publication Number Publication Date
CN117313124A true CN117313124A (en) 2023-12-29

Family

ID=89242007

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311261893.0A Pending CN117313124A (en) 2023-09-27 2023-09-27 Firmware security processing system and encryption and decryption methods

Country Status (1)

Country Link
CN (1) CN117313124A (en)

Similar Documents

Publication Publication Date Title
KR101224322B1 (en) Methods and apparatus for the secure handling of data in a microcontroller
AU2012204448B2 (en) System and method for in-place encryption
CN100378689C (en) Enciphered protection and read write control method for computer data
US11283606B2 (en) Trusted execution environment-based key burning system and method
CN112989356B (en) Blank security chip burning method, system, blank security chip and storage medium
KR102007532B1 (en) Hardware security module with means to selectively activate or inhibit debugging and corresponding debugging method
EP3007094B1 (en) Boot program, information processing apparatus, information processing system, information processing method, semiconductor apparatus, and program
KR20060082804A (en) Method and portable storage device for allocating secure area in insecure area
US20150319147A1 (en) System and method for file encrypting and decrypting
US11405202B2 (en) Key processing method and apparatus
CN109766731B (en) Encrypted data processing method and device based on solid state disk and computer equipment
CN111881490A (en) Shared data protection method for NVME storage equipment fused with external encryption chip
CN114238185A (en) Direct storage access and command data transmission method, device and related equipment
KR20120068745A (en) Hardware security module and treatment process therein
WO2019080112A1 (en) Ukey-based software decryption method and terminal
CN106657551A (en) Method and system for preventing mobile terminal from being unlocked
CN112270002B (en) Full-disc encryption method, system operation method and electronic equipment
CN112417521A (en) Information security system based on FPGA + processor architecture and working method thereof
CN117313124A (en) Firmware security processing system and encryption and decryption methods
CN111512308A (en) Storage controller, file processing method, device and system
CN111159783B (en) Portable high-speed stream encryption hardware device and method
CN113127896B (en) Data processing method and device based on independent encryption chip
CN113591107A (en) System and method for realizing file redirection encryption and decryption
CN113343215A (en) Embedded software authorization and authentication method and electronic equipment
CN107688729B (en) Application program protection system and method based on trusted host

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination