JP2009169841A - Information processor and portable telephone device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processor capable of executing domain division obtained by taking into consideration sufficient availability and security even when a plurality of arithmetic processing parts are provided, and to provide a portable telephone device. <P>SOLUTION: A cellular phone terminal 10 having a plurality of operating modes including a normal mode without having a protective resource and a secure mode having a protective resource has a plurality of arithmetic processing parts and a DC (Domain Coordinator) 23 for generating a domain showing an execution area including a program or data subjected to access control on the basis of a prescribed security policy, wherein the DC 23 generates a domain on the basis of the plurality of arithmetic processing parts and the plurality of operating modes. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to an information processing device and a mobile phone device, and more particularly to an information processing device and a mobile phone device capable of performing domain division in consideration of sufficient convenience and safety even when a plurality of CPUs are provided. .

  In recent years, damage to information processing terminals such as PCs due to malware has been increasing. In order to minimize such damage to information processing terminals, virtualization technology, setting of operation modes related to security, implementation of software integrity measurement or integrity verification, domain division, and the like are known.

  The virtualization technology is a technology in which a plurality of virtual environments are provided in the same CPU and a different OS is executed for each virtual environment, and is attracting attention from the viewpoint of efficient use of resources and ease of management. In terms of security, resources between virtual environments are exclusively controlled by a VMM (Virtual Machine Monitor), and access from one virtual environment to another virtual environment can be controlled. For this reason, it is difficult for damage caused by malware or the like in one environment to spread to another environment.

  Further, there are a normal mode and a secure mode as operation modes of the information processing terminal. The secure mode can be executed only by the protection application and has a dedicated protection resource. An information processing terminal having such an operation mode can be shifted from the normal mode to the secure mode to restrict access.

  Further, in order to perform software integrity measurement, a conventional PC, which is an example of an information processing terminal, performs a process called Trusted Boot, and a conventional PC, which is an example of an information processing terminal, to perform software integrity verification. Mobile phones perform a process called Secure Boot.

  A conventional PC that performs software integrity measurement is started in the order of an internal ROM (Core Root of Trust Measurement: CRTM), BIOS, and Kernel. At this time, the SHA-1 hash value of the BIOS to be activated next is calculated from the internal ROM, the hash value is set in the PCR (Platform Configuration Register) in the TPM (Trusted Platform Module), and the BIOS is activated. The BIOS calculates the hash value of Kernel, sets the hash value in PCR, and starts Kernel. Here, this hash value is set in such a manner that the hash value of Kernel depends on the hash value of BIOS. When Kernel is activated, a Trusted Component Base (TCB) is established. This series of flows is called a trusted boot.

  After the Trusted Boot is executed, when the PC is connected to the network, the external server requests the PCR value from the PC, and the PC acquires the PCR value signed with the TPM unique key from the TPM and returns it to the external server. . The external server performs control such as permitting network connection when the PCR value is equal to the assumed value. Here, the PCR is a module with high tamper resistance, and high safety is ensured. As a result, the integrity of the terminal can be guaranteed.

  In addition, a conventional mobile phone that performs software integrity verification measures hash values by the same process as Trusted Boot, compares the hash value measured in advance with the measured hash value, and applies only when there is a match. Start up. This flow is called Secure Boot. The expected hash value and the measured hash value are stored in an MTM (Mobile Trusted Module).

  As described above, in Trusted Boot, a hash value is stored in PCR and integrity verification is performed by an external server. In Secure Boot, hash value calculation and integrity verification are performed by the terminal itself. In addition, since MTM is a user's property and is a communication operator's platform, MTM for the former is Mobile Local Trusted Module (MLTM), and MTM for the latter is Mobile Remote Trusted Module (MRTM). .

  An execution area whose access is controlled according to a security policy is called a domain. This domain allows a plurality of virtual environments to belong to one domain or a domain that does not use virtualization. It is possible to set a plurality of such domains in the CPU of the information processing terminal. Note that setting a domain is also called domain division.

  As an example of a technique for performing domain division on the CPU in such an information processing terminal, domain division assuming the operation mode (see, for example, Non-Patent Document 1) or domain division assuming a virtual environment (for example, Non-Patent Document). 2) is known.

  An example of a technique for minimizing damage to the information processing terminal is a technique for comparing a generated value generated using a secret key with a stored value stored and executing a program if they match. It is known (see, for example, Patent Document 1). Further, it is known that a program encrypted with a hardware unique key is falsified and verified, and if there is no falsification, the program is decrypted and started (see, for example, Patent Document 2).

“Open and Secure Terminal Initiative 2006” NTT DOCOMO "IBM Virtualizing the Trusted Platform Module 2006" IBM Japanese Patent No. 2564593 JP 2003-108257 A

  However, in the above patent document, when the information processing terminal includes arithmetic processing units such as a plurality of CPUs, it is not assumed that domain division is performed across arithmetic processing units such as a plurality of CPUs. Domain division considering security and security is not possible.

  The present invention has been made in view of the above circumstances, and is an information processing apparatus and portable device capable of performing domain division in consideration of sufficient convenience and safety even when a plurality of arithmetic processing units are provided. An object is to provide a telephone device.

  In order to achieve the above object, an information processing apparatus according to the present invention is an information processing apparatus having a plurality of operation modes including a normal mode having no protection resource and a secure mode having a protection resource, and a plurality of arithmetic processing units. And a domain control unit that generates a domain indicating an execution region including a program or data whose access is controlled based on a predetermined security policy, wherein the domain control unit includes the plurality of arithmetic processing units and the plurality of processing units. The domain is generated based on the operation mode.

  According to the above configuration, even when a plurality of arithmetic processing units are provided, domain division considering sufficient convenience and safety can be performed.

  In the information processing apparatus of the present invention, the domain control unit further generates a domain based on the protected resource in the operation mode.

  According to the above configuration, even when a plurality of arithmetic processing units are provided, domain division considering sufficient convenience and safety can be performed.

  In the information processing apparatus of the present invention, the domain control unit further generates a domain based on a virtual environment including an execution area.

  According to the above configuration, even when a plurality of arithmetic processing units are provided, domain division considering sufficient convenience and safety can be performed.

  In the information processing apparatus according to the present invention, the domain control unit sets the execution domains whose access is controlled based on the same security policy as the same domain.

  According to the above configuration, a reliable platform can be constructed.

  Further, in the information processing apparatus of the present invention, the arithmetic processing unit has an area indicating a plurality of execution regions, and when the domain control unit communicates from the transmission source area to the transmission destination area, the transmission source area And the destination area are in the same domain, communication is permitted.

  According to the above configuration, since communication is permitted only between the same domains, a reliable platform can be constructed.

  Further, in the information processing apparatus of the present invention, the arithmetic processing unit has an area indicating a plurality of execution regions, and when the domain control unit communicates from the transmission source area to the transmission destination area, the transmission source area And the transmission destination area are different domains, and communication is permitted when the security policy includes information for permitting communication between the transmission source area and the transmission destination area.

  According to the above configuration, even when the transmission source area and the transmission destination area are different domains, communication is permitted only in a predetermined case, so that a flexible and reliable platform can be constructed.

  In the information processing apparatus of the present invention, the arithmetic processing unit has an area indicating a plurality of execution regions, and the domain control unit prohibits communication with an area where a predetermined verification process has failed.

  According to the above configuration, since the communication is prohibited when the verification process fails even in the same domain, a reliable platform can be constructed.

  Further, in the information processing apparatus according to the present invention, the arithmetic processing unit hierarchically includes execution areas including individually startable programs or data, and the execution areas of the predetermined hierarchy are unique to the execution areas of the predetermined hierarchy. When a key is used to decrypt an execution region of a layer one level higher than the predetermined layer, a predetermined verification process is executed for the execution region of the one level higher layer, and if the verification process is successful, the one step higher layer The process at the time of starting the program which the execution area | region has starts is performed.

  According to the above configuration, since a decryption or the like is performed using the unique key of the previous layer, a reliable platform can be constructed.

  In the information processing apparatus according to the present invention, the startup process is executed step by step until the lowest layer is the predetermined layer and the lower layer is one step lower than the highest layer.

  According to the above configuration, since a process at the time of starting is performed by performing decryption step by step for each layer and further unbinding Chain-binding using the unique key of the previous layer, a reliable platform can be constructed.

  In the information processing apparatus of the present invention, the execution region of the highest layer decrypts predetermined data using the unique key of the execution region of the highest layer after the execution of the execution region of the highest layer, A predetermined verification process is executed for the predetermined data, and when the verification process is successful, the predetermined data can be operated.

  According to the above configuration, for example, the startup process is performed by unbinding Chain-binding including predetermined data, so that a more reliable platform can be constructed. Further, unless the data can be decrypted, the copied data cannot be used at the copy destination terminal, and it becomes difficult to decrypt the data at the copy destination terminal. As the predetermined data, data that can be determined in advance, such as IMEI or SIMLock setting, and is not the same in all terminals can be considered.

  In the information processing apparatus of the present invention, the predetermined data is data including identification data for identifying the information processing apparatus.

  According to the above configuration, since the startup process is performed by unbinding Chain-binding including data such as IMEI, a more reliable platform can be constructed. Further, unless the decryption is possible, the copied IMEI cannot be used at the copy destination terminal, and the IMEI and related software are all difficult to decrypt at the copy destination terminal.

  The information processing apparatus according to the present invention executes a recovery process based on the importance of the predetermined hierarchy when the execution area of the predetermined hierarchy fails the verification process.

  According to the above configuration, the recovery process can be executed when verification fails, so that the startup process can be flexibly continued or stopped even when verification fails.

  The information processing apparatus according to the present invention executes a recovery process based on an importance level higher than an importance level of the predetermined hierarchy when the execution area of the predetermined hierarchy fails in the recovery process.

  According to the above configuration, since the recovery process can be further executed when the recovery fails, the startup process can be flexibly continued or stopped even when the verification or recovery fails.

  In the information processing apparatus of the present invention, the restoration process is a start / stop process of the information processing apparatus.

  According to the above configuration, the startup process can be stopped most safely by stopping and starting the information processing apparatus. In particular, high safety can be ensured by stopping the activation when verification fails in a component indispensable for the main processing of the mobile phone terminal.

  In the information processing apparatus of the present invention, the restoration process is a process of replacing the execution area of the predetermined hierarchy with another execution area acquired from an external server.

  According to the above configuration, the startup process can be flexibly continued by replacing the execution area.

  In the information processing apparatus according to the present invention, the restoration process is a process that allows only the emergency call function.

  According to the above configuration, since only an emergency call can be used, a minimum operation can be ensured in an emergency, and high safety can be ensured.

  Further, the information processing apparatus of the present invention is a process for informing the notification unit that the restoration process has failed in the verification process.

  According to the above configuration, since the user or service provider of the information processing apparatus can recognize that the information has failed, the user or service provider of the information processing apparatus can quickly determine the subsequent processing.

  Further, in the information processing apparatus according to the present invention, the arithmetic processing unit hierarchically includes execution areas including individually startable programs or data, and the execution areas of the predetermined hierarchy are unique to the execution areas of the predetermined hierarchy. Using the key, an encryption process for encrypting an execution area one level lower than the predetermined hierarchy is executed.

  According to the above configuration, since the encryption is performed using the unique key of the previous layer, a reliable platform can be constructed.

  In the information processing apparatus according to the present invention, the encryption processing is executed step by step from the highest layer to the predetermined layer until the lowest layer is set to the predetermined layer.

  According to the above configuration, since the encryption process is performed step by step for each layer and the chain-binding is performed using the unique key of the previous layer, a reliable platform can be constructed.

  The information processing apparatus according to the present invention encrypts predetermined data using the unique key of the execution layer of the highest layer before the execution region of the highest layer is encrypted. To do.

  According to the above configuration, since a startup process for performing chain-binding including predetermined data is performed, a more reliable platform can be constructed. Further, unless the data can be decrypted, the copied data cannot be used at the copy destination terminal, and it becomes difficult to decrypt the data at the copy destination terminal.

  In the information processing apparatus of the present invention, the arithmetic processing unit includes a first arithmetic processing unit and a second arithmetic processing unit that include predetermined data, and the second arithmetic processing unit includes the first arithmetic processing unit and the second arithmetic processing unit. A verification process related to an execution region including a program that configures a communication path that executes a transmission request for the predetermined data to the first arithmetic processing unit and connects the first arithmetic processing unit and the second arithmetic processing unit. Is successful, the predetermined data transmitted from the first arithmetic processing unit is stored.

  According to the above configuration, for example, when the information processing apparatus is used or periodically, the two arithmetic processing units that perform IMEI transmission / reception perform the verification processing of the program related to IMEI transmission / reception, and the verification processing is successful. Since only IMEI can be copied and stored, it is possible to ensure the completeness of IMEI.

  The information processing apparatus according to the present invention further includes a secure flag indicating the result of the verification process, and the arithmetic processing unit determines whether the verification process has failed based on the secure flag.

  In the information processing apparatus of the present invention, the arithmetic processing unit performs different control according to the result of the verification process based on the secure flag.

  According to the above configuration, by using the secure flag, the result of the verification process can be easily determined, and the behavior after the verification process can also be determined.

  In addition, a mobile phone device of the present invention includes an antenna, an input unit that receives an operation input, a wireless unit for performing wireless communication via the antenna, and any one of the information processing devices described above.

  According to the above configuration, even when a plurality of CPUs are provided, it is possible to execute domain division in consideration of sufficient convenience and safety.

  As described above, according to the information processing apparatus and the mobile phone apparatus according to the present invention, domain division can be performed across a plurality of arithmetic processing units and a plurality of modes. In the integrity verification of the present invention, it is possible to perform software and data integrity verification. Therefore, secure boot that depends not only on the program but also on the data to be protected can be executed.

  An information processing device and a mobile phone device according to an embodiment of the present invention will be described below with reference to the drawings.

  As the information processing apparatus according to the present embodiment, a PC, a personal digital assistant (PDA), a mobile phone terminal, and the like can be considered. Here, a mobile phone terminal will be considered as an example.

  FIG. 1 is a diagram illustrating an example of a hardware configuration of the mobile phone terminal according to the present embodiment.

  The mobile phone terminal according to the present embodiment includes a wireless unit 11, a C-MPU (Micro Processing Unit) 12, a volatile memory 13 such as an SDRAM, an MB (MPU Bridge) 14, and a non-volatile memory. The memory 15 includes an A-MPU 16, an internal ROM (CRTM) 17, and an MRTM (Mobile Remote Trusted Module) 18. In addition, although not shown in the drawings, an input unit that receives an operation input may naturally be provided.

  The wireless unit 11 communicates with an external communication device such as an external server via an antenna (not shown).

  The A-MPU 16 is an application MPU, and the C-MPU 12 is a communication MPU. The MPU is an example of an arithmetic processing unit, but a CPU, a DSP (Digital Signal Processor), a multi-core CPU, or the like can be considered as the arithmetic processing unit.

  The volatile memory 13 is a so-called main memory, and stores an execution program and various data.

  The MB 14 is a data transmission path between the A-MPU 16 and the C-MPU 12 and controls communication between the C-MPU 12 and the A-MPU 16. MB14 has both hardware and software elements.

  The nonvolatile memory 15 stores the IMEI described in the production process of the mobile phone terminal 10 and the encryption component.

  The internal ROM 17 stores various programs.

  MRTM18 is a module having high tamper resistance, PCR (Platform Configuration Register), Secure Flag, IMEI (International Mobile Equipment Identity) for identifying mobile terminals, Key that is an expected value that is a unique key of MRTM18. A particularly important area or data such as a certain RIM_Cert is stored.

  Note that RIM_Cert can be stored in the nonvolatile memory 15 when a digital signature or the like is applied.

  In addition, a unique key possessed by each layer, which will be described later, may be embedded in the program of each layer as plain text, or may be encrypted and embedded in the program. In the latter case, the unique key of each layer is encrypted with the unique key of MRTM 18 or an associated key. The encrypted unique key of each layer is decrypted inside the MRTM and cached in the MRTM RAM. In this case, the Key includes the cached unique key of each hierarchy.

  Here, the Secure Flag (secure flag) is a flag formed on the protected memory area held in the MTM. The result of integrity verification in each layer described later is held. Further, based on the secure flag, the arithmetic processing unit determines whether or not a predetermined verification process has failed. Further, the arithmetic processing unit performs different control depending on the result of the verification process based on the secure flag. The secure flag can be updated. In the present embodiment, Secure Flag is also simply referred to as Flag.

  The mobile phone terminal 10 uses a DC (Domain Coordinator) described later to generate a domain indicating an execution area including a program or data that is controlled based on a predetermined security policy. The mobile phone terminal 10 includes a C-MPU 12 and an A-MPU 16. Divide the area. This is called domain division. The mobile phone terminal 10 is configured to assign a domain based on a plurality of operation modes including an arithmetic processing unit such as a plurality of MPUs such as the C-MPU 12 and the A-MPU 16, a normal mode having no protection resource, and a secure mode having a protection resource. Generate.

  In addition to the plurality of arithmetic processing units and the plurality of operation modes, a domain may be generated based on cheek resources in the operation mode. Furthermore, a domain may be generated based on a virtual environment including an execution area. Furthermore, a domain may be generated based on a plurality of environments including a virtual environment and a real environment.

  Here, domain generation refers to one or a plurality of arbitrarily defined areas (A-MPU16, C-MPU12, normal mode, secure mode, virtual environment), one DC sharing information and resources. It means to realize a domain by controlling as a region.

  The protected resources are, for example, a memory and a cryptographic engine. The execution area indicates an area or a part for executing various programs, applications, or software, and includes programs and data.

  FIG. 2 is a diagram mainly illustrating an example of divided domains of the C-MPU 12 and the A-MPU 16.

  As shown in FIG. 2, the C-MPU 12 has an OD (Operator Domain). The A-MPU 16 has an execution area used in the normal mode and the secure mode. The A-MPU 16 has an OD (Operator Domain) and a UD (User Domain).

  The OD is an environment (area) in which a platform for an operator of the mobile phone terminal 10 can be constructed and an application can be executed, and cannot be directly accessed from another domain.

  The UD is an environment (execution area) in which data or an application used by the owner of the mobile phone terminal 10 or a third party providing a service to the owner can be executed, and the other UD resource only when permitted from another UD. Can be accessed and communicated with other UDs.

  The C-MPU 12 and the A-MPU 16 exclusively form OD and UD by switching between the normal mode and the secure mode. However, the C-MPU 12 and the A-MPU 16 may be MPUs that can process both modes simultaneously without forming both modes exclusively.

  The OD of the A-MPU 16 has a TCB (Trusted Component Base), a normal mode OD other than the TCB, and a secure mode OD other than the TCB. Further, the OD of the C-MPU 12 has a normal mode OD other than TCB.

  The TCB included in the OD of the A-MPU 16 includes HW (Hardware) Platform 21, IPL (Initial Program Loader) 22, DC (Domain Coordinator) 23, MS (Mode Selector) 24, VMM (Virtual Machine MP25). Bridge) 14, and MRTM (Mobile Remote Trusted Module) 18. Since the TCB is a conceptual division, components that are not included in the MPU, such as the MRTM 18 and the MB 14, can be handled as included in the TCB.

  The HW Platform 21 is a generic name for an encryption processing function, an HW unique key, and a mode switching function included in the A-MPU 16 itself. The HW Platform 21 has an internal ROM 17 (CRTM) 17, a HW unique key, and MC (Mode Controller).

  Here, MC has a mode switching function like MS. In addition, the MC has both hardware and software elements as in the MB14.

  The IPL 22 is a program that is first executed in an external ROM (not shown), and controls various hardware settings and activation of Kernel.

  The DC 23 controls the VMM 25, the MS 24, and the MB in an integrated manner according to the security policy defined for each domain, and forms a domain that extends over different areas in the mobile phone terminal 1. The DC 23 has a function as a domain control unit.

  The MS 24 is a mode switching mechanism between a normal mode and a secure mode, and performs exclusive control between modes.

  The VMM 25 is a hardware virtualization layer and performs exclusive control between virtual environments.

  In the A-MPU 16 and the C-MPU 12, the OD and UD in the secure mode other than the TCB are the OS (secure mode OS, A-OS, or C-OS) and the application (secure mode application, A-app, or C -App).

  Further, in the A-MPU 16 and the C-MPU 12, the area for storing various data is an example of MTM (Mobile Trusted Module) and is included in the Virtualizing MRTM (A-vMRTM or C-vMRTM) included in the OD and the UD. It has Virtualizing MLTM (A-vLTM).

  The vMRTM is an MLTM used in the UD realized in the normal mode of the A-MPU 16, and the function is realized by using the MRTM 18.

  vMLTM is a virtual driver for accessing the MRTM 18 from the OD realized in the normal mode of the C-MPU 12 or the A-MPU 16.

  At the time of domain generation, execution areas whose access is controlled based on the same security policy are generated as the same domain. For example, in FIG. 2, the A-MPU 16 normal mode OD, the A-MPU 16 secure mode OD and the C-MPU 12 OD, the A-MPU 16 normal mode UD 1 and the secure mode UD 1, and the A-MPU 16 normal mode. UD2 and secure mode UD2 are generated as the same domain.

  Next, an example of a flow of a series of processing (also referred to as bootstrap sequence or startup processing) from when the mobile phone terminal 10 is turned on until it can be executed by each execution area will be described.

  If Bootstrap Sequence is further divided into detailed processing, it is divided into three layers: Secure Boot 0 that establishes a TCB, Secure Boot 1 and 1 'that establishes an OD across multiple MPUs, and Secure Boot 2 that establishes a UD.

  In Bootstrap Sequence, a mobile phone platform (here, mainly A-MPU 16 and C-MPU 12) is divided into one OD and a plurality of UDs. Domain division of OD is also called OD establishment, and domain division of UD is also called UD establishment.

  In the OD establishment, the Secure Boot 0 for starting up the internal ROM (CRTM) 17, the IPL 22 and the DC 23, the Secure Boot 1 for starting up the OS / application / data (such as IMEI) in the normal mode of the OD of the A-MPU 16, and the C-MPU 16 The process is divided into three layers: SecureBoot 1 ′ for starting up the OS / application / data in the normal mode of the OD.

  In UD establishment, processing is performed in one layer of Secure Boot 2 that starts up the OS / application / data in the normal mode of A-MPU UD. UD establishment is performed after OD establishment.

  As will be described later, in the OD establishment and the UD establishment, a behavior when integrity verification fails is determined according to a predetermined importance for each layer.

  With Bootstrap Sequence, integrity verification similar to software, execution of verification failure processing, and verification depending on processing results using Secure Flag for each component and data (such as IMEI) such as internal ROM 17, IPL 22, and DC23 / Decode processing is executed.

  In addition, the component that executes activation at the time of Bootstrap Sequence verifies (measures) the integrity after decrypting the activation target component with its own unique key. When the integrity verification is successful, that is, when it is determined that the integrity is maintained, the activation target component is activated. On the other hand, if the integrity verification fails, the activation of the activation target component is prohibited. It should be noted that the component that executes the activation can be decrypted after performing the integrity verification if the encrypted activation target component is a hash target.

  The mobile phone terminal 10 is particularly required to protect the integrity of software that handles IMEI and IMEI, which are mobile unit unique numbers. In the mobile phone network, the IMEI integrity is indispensable in order to realize the invalidation of a stolen terminal by controlling access to a terminal that accesses the network using the IMEI. Further, since the PC is also provided with a mobile phone communication function, and there is a possibility that the PC will similarly require IMEI protection in the future, this embodiment in which falsification verification is performed on data such as IMEI as well as software. Bootstrap Sequence in is very useful.

  Here, an example of a method for encrypting the above components will be described.

  At the time of manufacture, the mobile phone terminal 10 repeatedly encrypts the activation target component with the unique key of the component that executes the activation, like encrypting the data with the unique key of the application and encrypting the application with the unique key of the OS. The component is stored in the nonvolatile memory 15. The root key is an HW unique key. Such an encryption method is also called Chain-binding.

  As described above, the A-MPU 16 and the C-MPU 12 hierarchically have a plurality of components (an example of an execution area including a program) that can be activated individually, and the components in the predetermined hierarchy are the unique keys of the components in the predetermined hierarchy. Is used to perform encryption processing for encrypting a component in a layer one level higher than a predetermined layer. Further, the above encryption process can be executed step by step from the lowest layer to the predetermined layer until the lowest layer is set to the predetermined layer. Thus, the encrypted component is stored in the nonvolatile memory 15.

  In addition, the above-described component performs an encryption process in which the execution region of the lower layer one level lower than the predetermined layer is encrypted using the unique key of the execution region of the predetermined layer. It may be stored in the A-MPU 16 or the C-MPU 12 after being executed step by step until it reaches a predetermined hierarchy.

  It is also possible to encrypt the execution area of the highest layer using data including IMEI or the like before encryption of the execution area of the highest layer.

  3 to 6 are flowcharts illustrating an example of Bootstrap Sequence performed by the mobile phone terminal 10. Here, in particular, integrity verification is shown. The mobile phone terminal 10 executes Secure Boot 1/1 ′ ′ / 2 after executing Secure Boot0.

  First, in the secure boot 0, the internal ROM 17 calculates its own hash value, sets the PCR, and sets the secure flag 0 to ON. Subsequently, if Flag0 = ON, the internal ROM 17 calculates the hash value by decrypting the IPL 22 with the HW unique key and the MRTM unique key, and compares RIM_Cert that is the hash expected value with the calculated hash value. Verify completeness. When the verification is successful, the internal ROM 17 sets the hash value of the IPL 22 to the MRTM 18 in the PCR, sets the Secure Flag 1 to ON, and then activates the IPL 22. On the other hand, when the verification fails, the internal ROM 16 stops activation (step S1). In the subsequent integrity verification, the calculated hash value is compared with RIM_Cert.

  If Flag1 = ON, the IPL 22 decrypts the DC 23 with the MRTM unique key and verifies the integrity. When the verification is successful, the IPL 22 sets the hash value of the DC 23 in the PCR to the MRTM 18, sets the Secure Flag 2 to ON, and then activates the DC 23. On the other hand, when verification fails, the IPL 22 stops activation (step S2).

  Here, the DC 23 includes the VMM 25, the MS 24, and the MB 14, and when the falsification verification of the DC 23, the falsification verification is performed step by step in the order of the VMM 25, the MS 24, and the MB 14. This is because the VMM 25, MS 244, and MB 14 are included in the binary file of the DC 23, and are verified together with the verification of the DC 23. Note that when the DC23 does not include the VMM25, MS24, and MB14 and the falsification verification of the DC23 is successful, the verification and activation may be performed in the order of the VMM25, MS24, and MB14.

  As a method for implementing Secure Boot0, there are a method for processing everything including integrity verification and starting the target software after verification in secure mode, and a method for processing only integrity verification in secure mode. Which should be adopted should be determined according to the implementation of the MS 24 of each platform.

  After verifying the integrity of the DC 23, the mobile phone terminal 10 executes the secure boot 1.

  In Secure Boot1, first, if Flag2 = ON, DC23 decrypts A-OS0 with the DC unique key and verifies the integrity. When the verification is successful, the DC 23 sets the hash value of the A-OS 0 to the MRTM 18 in the PCR, sets the Secure Flag 3 to ON, and then starts the A-OS 0. On the other hand, when verification fails, the DC 23 shifts the mobile phone terminal 10 to the recovery mode (step S3).

  Subsequently, if Flag3 = ON, A-OS0 decrypts A-App0 with the A-vMRTM0 unique key and verifies the integrity. When the verification is successful, A-OS0 sets the hash value of A-App0 to A-vMRTM0 in PCR, sets Secure Flag4 to ON, and then starts A-App0. On the other hand, when verification fails, the A-OS 0 shifts the mobile phone terminal 10 to the recovery mode (step S4).

  Subsequently, if Flag4 = ON, A-App0 verifies the integrity by decrypting A-Data0 (such as IMEI) with the C-App0 unique key. When the verification is successful, A-App0 sets the hash value of A-Data0 to A-vMRTM0 in PCR, sets Secure Flag5 to ON, and then caches A-Data0 in A-vMRTM0. On the other hand, when verification fails, A-App0 shifts the mobile phone terminal 10 to the recovery mode (step S5).

  After verifying the integrity of the DC 23, the mobile phone terminal 10 also implements Secure Boot 1 '. The implementation of Secure Boot 1 'can be parallel to the implementation of Secure Boot 1.

  In Secure Boot 1 ′, first, if Flag 2 = ON, the DC 23 verifies the integrity by decrypting C-OS 0 with the DC unique key. When the verification is successful, the DC 23 sets the hash value of the C-OS 0 to the MRTM 18 and sets the Secure Flag 3 ′ to ON, and then transfers the C-OS 0 / C-App 0 / C-Data 0 to the C-MPU 12. On the other hand, when verification fails, the C-OS 0 shifts the mobile phone terminal 10 to the recovery mode (step S3 ').

  Subsequently, if Flag3 ′ = ON, MB14 starts C-OS0 and uses C-vMRTM0 and A-vMRTM0 to establish a SAC (Secure Authentication channel) between C-OS0 and A-OS0. . The SAC is a communication path that realizes mutual authentication and communication path encryption like SSL (Secure Socket Layer). After the SAC is successfully established, C-OS0 verifies the integrity by decrypting C-App0 with the C-vMRTM0 unique key. When the verification is successful, C-OS0 sets the hash value of C-App0 to C-vMRTM0 in PCR, sets Secure Flag 4 'to ON, and then activates C-App0. On the other hand, when verification fails, the C-OS 0 shifts the mobile phone terminal 10 to the recovery mode (step S4 ').

  Subsequently, if Flag4 ′ = ON, C-App0 verifies the integrity by decrypting C-Data0 with the C-App0 unique key. When the verification is successful, C-App0 sets the hash value of A-Data0 in PCR to C-vMRTM0, sets Secure Flag5 to ON, and then caches A-Data0 in A-vMRTM0. On the other hand, when verification fails, C-App0 shifts the mobile phone terminal 10 to the recovery mode.

  Here, the implementation method of Secure Boot 1 ′ for performing integrity verification on the C-MPU 12 side is shown. However, not only C-OS 0 but also C-App 0 / C-Data 0 is decoded / completed by the DC 23 on the A-MPU 16 side. It is also possible to transfer to the C-MPU 12 after verifying the validity.

  After verifying the integrity of the DC 23, the mobile phone terminal 10 performs Secure Boot 2. The implementation of Secure Boot 2 can be parallel to the implementation of Secure Boot 1 and 1 '.

  In Secure Boot2, first, if Flag2 = ON, Flag5 = ON, and Flag5 '= ON, DC23 verifies the integrity by decrypting A-OS1 with the DC unique key. When the verification is successful, the DC 23 sets the hash value of the A-OS 1 in the MRTM 18 to PCR, sets the Secure Flag 6 to ON, and then activates the A-OS 1. On the other hand, when verification fails, the DC 23 shifts the mobile phone terminal 10 to the report mode (step S6).

  Subsequently, if Flag6 = ON, A-OS1 decrypts A-App1 with the A-vMRTM1 unique key and verifies the integrity. When the verification is successful, A-OS1 sets the hash value of A-App1 to A-vMLTM1 in PCR, sets Secure Flag7 to ON, and then starts A-App1. On the other hand, when verification fails, the A-OS 1 shifts the mobile phone terminal 10 to the report mode (step S7).

  Subsequently, if Flag7 = ON, A-App1 verifies the integrity by decrypting A-Data1 with the A-App1 unique key. When the verification is successful, A-App1 sets the hash value of A-Data1 in A-vMLTM1 to PCR, sets Secure Flag8 to ON, and then caches A-Data1 in A-vMLTM1. When verification fails, A-App1 makes a transition to the report mode (step S8).

  When there are a plurality of UDs as shown in FIG. 2, the A-MPU 16 establishes the same method after UD2 as with UD1.

  Further, the establishment of OD / UD in the secure mode is executed at the time of transition to the secure mode. The contents of the establishment are the same as those in the normal mode except that the MRTM 18 is directly accessed. In FIG. 3, the normal mode is assumed.

  The protection software executed in the secure mode is stored in the nonvolatile memory 15 in an encrypted state, and decryption and integrity verification are performed by the HW Platform 21 immediately before execution, and execution is permitted only when successful.

  As described above, the cellular phone terminal 10 has a plurality of components (an example of an execution area including a program) that can be individually activated by the A-MPU 16 and the C-MPU 12, and components in a predetermined hierarchy are predetermined. When the component of one layer higher than the predetermined layer is decrypted using the unique key of the component of the layer, the predetermined verification process is executed for the component of the upper layer, and if the verification process is successful, the above one layer upper layer Execute the startup process that starts the component. Further, the start-up process can be executed step by step in order from the lowest layer to the predetermined layer to the one layer lower layer than the highest layer to the predetermined layer.

  Further, after the top layer execution region is activated, the top layer execution region decrypts data such as IMEI using the unique key of the top layer execution region, executes a predetermined verification process, and performs the above verification. When the processing is successful, data such as IMEI can be operated.

  Next, an example of behavior at the time of verification failure in Bootstrap Sequence will be described.

  In the present embodiment, the following five patterns are assumed when verification fails. The cellular phone terminal 10 can change the behavior at the time of verification failure according to the importance of the layer in Bootstrap Sequence. That is, it is possible to execute a recovery process based on the importance of a predetermined hierarchy.

(1) Ignore and continue to start.
(2) Stop activation.
(3) Replace the failed component with the correct component downloaded from the repository server (an example of an external server) (also referred to as recovery mode).
(4) Only emergency notification functions such as the 110th notification can be used (also called emergency mode).
(5) Notify the user of failure (also referred to as report mode). This notification is performed by an informing unit (not shown).

  If processing fails in recovery mode, transition to emergency mode. However, the transition is performed only when the integrity of components required for communication such as IMEI and IMEI related software is guaranteed. When a failure occurs in the UD, the mode is changed to a report mode in which the user (the owner of the mobile phone terminal 10 or the service provider) is notified of the failure, and the user is allowed to determine subsequent processing.

  In addition to changing the behavior at the time of verification failure according to the importance level of the layer in Bootstrap Sequence, it is also possible to change the integrity verification level itself according to the importance level of the layer. For example, in order to speed up the start-up, the lower the importance, the narrower the component verification range or the lower the probability of verification. At least, it is necessary to implement so that the entire range of all components is verified within a certain period. However, it is possible to increase the speed by omitting a part of the verification process of the layer with low importance.

  Furthermore, when the recovery process fails, the recovery process based on the importance higher than the predetermined hierarchy (component) failed in the recovery process may be performed.

  FIG. 3 illustrates that when the verification fails, the transition is made to the recovery mode in the secure boots 1 and 1 ′ and the report mode in the secure boot 2, but the recovery mode and the emergency mode are changed depending on the importance level of each layer. , Report mode, or start / stop. However, since Secure Boot 0 has a very high level of importance, the activation is stopped when verification fails. In the report mode, for example, it is possible to display a message or the like to the user through a user interface (UI), or to send a message to an external server such as a service providing server.

  Next, an example of access control by the DC 23 will be described.

  As shown in FIG. 2, the domain in the mobile phone terminal 1 includes the TCB of the A-MPU 16, the virtual environment 0/1/2 of the normal mode 0 of the A-MPU 16, the secure mode 0/1/2 of the A-MPU 16, It is composed of one or a plurality of areas in the normal mode 0 of the C-MPU 12. For example, the OD includes a plurality of areas of TCB of A-MPU 16, virtual environment 0 of normal mode 0 of A-MPU 16, secure mode 0 of A-MPU 16, and normal mode 0 of C-MPU 12. However, the domain configuration is not limited to the above configuration.

  Here, one of the roles of the DC 23 is to flexibly share information and resources in a plurality of areas belonging to these ODs, and to control information outflow and resources to other domains. The DC 23 monitors the MB that controls a plurality of MPUs, the MS 24 that controls a plurality of operation modes, and the VMM 25 that controls a plurality of virtual environments, and performs information and resource access according to a base policy corresponding to OD and a domain policy corresponding to UD. Control. The base policy and the domain policy are examples of security policies.

  Here, the area indicates an execution area such as the OD of the normal mode of the A-MPU 16, the UD 1 or UD 2 of the A-MPU 16, the OD of the secure mode of the A-MPU 16, the UD of the UD 1, UD 2, or the C-MPU 12.

  As an example, the mobile phone terminal 10 controls inter-domain information distribution by the DC 23 as follows.

In advance, for example, DC23 specifies that information from an area to another area always passes through DC23.
The DC 23 permits communication only when the domain to which the transmission source area belongs and the domain to which the transmission destination area belongs (base policy).
The DC 23 permits communication even when the domain to which the transmission destination area belongs is different when the domain policy set in advance in the domain to which the transmission source area belongs.
The DC 23 confirms the secure flag, and prohibits communication from an area where the flag is OFF and communication to an area where the flag is OFF. That is, communication with an area where the predetermined verification process has failed is prohibited.

  Further, as an example, the mobile phone terminal 10 controls inter-domain resource sharing by the DC 23 as follows. FIG. 7 is a diagram illustrating an example of inter-domain resource sharing.

・ In order to access the MRTM 18 from a certain area in advance, be sure to specify that the route is via the DC 23.
MTM18 manages Secure Flag 0/1/2/3/6, A-vMRTM0 manages Secure Flag 4/5, C-vMRTM0 manages Secure Flag 4 '/ 5', A-vMLTM1 manages Secure Flag 7/8, and DC23 belongs Only allow access from the domain (base policy).
-It is permitted to access the MRTM 18 directly from the area in the secure mode via the DC 23. FIG. 7 shows an example of access from the OS.
-No access other than via the virtual MTM (vMRTM or vMLTM) is permitted from the area in the normal mode. In the case of via the virtual MTM, the DC 23 controls the PCR / Secure Flag of the MRTM 18 to Read Only (read only), and does not permit reference to any PCR / Secure Flag other than the MRTM 18 (base policy).
When the domain policy set in advance for the domain to which the access destination area belongs is permitted, the DC 23 permits PCR / Secure Flag reference even when the domain to which the access source area belongs is different.

  Next, an example of integrity verification after Bootstrap Sequence will be described.

  When the IMEI is used in the C-MPU 12, the IMEI is loaded via the SAC and cached in the C-vMRTM0. However, it is considered necessary to verify the integrity of IMEI and software related to IMEI at the time of use or periodically. In this integrity verification, the minimum range is verified immediately before use by verifying software that is a distribution path when reloading IMEI from A-vMRTM0 in a data-driven manner. Since integrity verification occurs every time IMEI is reloaded, the valid period of the C-vMRTM0 cache should be determined at the time of mounting and reloaded within the allowable load range.

  Specifically, this can be realized by providing a verification tag for data such as IMEI, and the data transmission source component performs the integrity of the data transmission destination component and transmits only when the verification is successful. Whether or not the verification is successful determines whether Verification Tag = ON. Also, even when reloading, by setting the integrity verification result in each component to the Secure Flag of MTM, if prior verification fails, IMEI is not output from each component to the C-MPU 12. The Verification Tag can be stored in the MTM together with data such as IMEI.

  FIG. 8 is a flowchart illustrating an example of integrity verification after Bootstrap Sequence.

  First, the C-MPU 12 requests the IMEI from the A-App0 when the validity period of the IMEI cached in the C-vMRTM0 has passed (step S11).

  Subsequently, in A-MPU 16, A-App0 reads IMEI from A-vMRTM0 (step S12). Note that IMEI is cached in MRTM 18 via A-vMRTM0 or A-vMRTM.

  Subsequently, the A-MPU 16 sets the Verification Tag to ON and sends an IMEI message to C-App0 (step S13).

  Subsequently, the A-MPU 16 or the C-MPU 12 determines whether or not the program (PG) (included in the A-OS 0, DC 23, or C-OS 0) on the communication path that has received the IMEI message is Verification_Tag = ON. .

  When Verification_Tag = ON, the A-MPU 16 and the C-MPU 12 determine whether or not the Secure Flag corresponding to the transmission source program that has sent the IMEI is ON (step S15).

  When the Secure Flag is ON, the A-MPU 16 and the C-MPU 12 execute falsification verification of the destination program (step S16) and determine whether the destination program (for example, C-OS0) has been tampered with (step S17).

  If it is determined that the destination program has not been tampered with, the A-MPU 26 and the C-MPU 22 turn on the Secure Flag corresponding to the destination program, and send an IMEI message to the destination program (step S18).

  Steps S14 to S18 are repeated for the number of programs on the communication path.

  Subsequently, the A-MPU 16 and the C-MPU 12 determine whether or not an IMEI message has been transmitted to C-App0, for example, as shown in step S13. If the IMEI message has not been transmitted, the process returns immediately before step S13.

  When the IMEI message is transmitted, the C-MPU 12 receives the IMEI message from C-App0 (step S20).

  Subsequently, the C-MPU 12 determines whether or not the secure flag of the transmission source program is ON (step S21).

  When the secure flag of the transmission source program is ON, the C-MPU 12 caches IMEI in C-vMRTM0 (step S22).

  As described above, in the integrity verification after Bootstrap Sequence, the mobile phone terminal 10 allows the C-MPU 12 to send a transmission request for data such as IMEI to the A-MPU 16 when the IMEI is used or the expiration date has passed. The C-MPU 12 stores the data transmitted from the A-MPU 16 when the verification process related to the execution area including the program constituting the communication path connecting the A-MPU 16 and the C-MPU 12 is successful.

  According to the mobile phone terminal 10, the following effects can be obtained.

-Domain division can be performed based on arithmetic processing units such as multiple MPUs and multiple modes, so even if multiple arithmetic processing units are provided, domain division is performed in consideration of sufficient convenience and safety. It is possible.

In the conventional Trusted Boot and Secure Boot, only software integrity measurement or integrity verification was performed, but in Bootstrap Sequence in this embodiment, it is possible to perform software and data (IMEI etc.) integrity verification. . Therefore, secure boot (Bootstrap Sequence in this embodiment) that depends not only on the program but also on the data to be protected can be executed.

-The mobile phone terminal 10 confirms the processing result of the previous step at the time of decryption / falsification verification by the secure flag, sets the secure flag = ON when the verification is successful, and decrypts and verifies the integrity of the data in the startup process As a result, desired domain division and integrity verification can be realized.

In order to prevent the copied IMEI from being used in the copy destination terminal, the IMEI and related software are encrypted in the copy destination terminal by encrypting the IMEI in a chain with the unique key of the HW Platform 21 / MRTM 18 as a root by Chain-binding. Are all difficult to decode.

The coincidence between the IMEI described in the nonvolatile memory 15 in the production process and the IMEI output to the wireless communication path is realized by caching the IMEI in the MRTM in a state where the integrity is guaranteed after the OD is established. This is not only the integrity verification of IMEI itself by Chain-Unbinding described above, but also the integrity of components using IMEI is guaranteed by Bootstrap Sequence, and the decoding / verification processing of IMEI is controlled depending on the Secure Flag. It is guaranteed from that. Furthermore, by performing IMEI-driven and minimum necessary IMEI-related software verification when IMEI is used, it is possible to realize efficient processing on the communication side while realizing IMEI protection.

  The present invention is useful as an information processing apparatus, a mobile phone apparatus, and the like that can execute domain division in consideration of sufficient convenience and safety even when a plurality of arithmetic processing units are provided.

The figure which shows an example of the hardware constitutions of the mobile telephone terminal concerning embodiment of this invention The figure which shows an example of the domain where C-MPU12 and A-MPU16 were mainly divided in the mobile telephone terminal concerning embodiment of this invention. The flowchart which shows an example of SecureBoot0 of Bootstrap Sequence concerning embodiment of this invention The flowchart which shows an example of SecureBoot1 of Bootstrap Sequence concerning embodiment of this invention The flowchart which shows an example of SecureBoot1 'of Bootstrap Sequence concerning embodiment of this invention The flowchart which shows an example of Secure Boot2 of Bootstrap Sequence concerning embodiment of this invention The figure which shows an example of the resource sharing between domains concerning embodiment of this invention The flowchart which shows an example of the integrity verification after Bootstrap Sequence concerning embodiment of this invention

Explanation of symbols

10 mobile phone terminal 11 wireless unit 12 C-MPU
13 Volatile memory 14 MB (MPU Bridge)
15 Nonvolatile memory 16 A-MPU
17 Internal ROM
18 MRTM
21 HW Platform
22 IPL
23 DC
24 MS
25 VMM

Claims (24)

An information processing apparatus having a plurality of operation modes including a normal mode having no protection resource and a secure mode having a protection resource,
A plurality of arithmetic processing units;
A domain control unit for generating a domain indicating an execution region including a program or data whose access is controlled based on a predetermined security policy;
Have
The domain control unit generates the domain based on the plurality of arithmetic processing units and the plurality of operation modes. The information processing apparatus according to claim 1,
The domain control unit further generates a domain based on the protected resource in the operation mode. The information processing apparatus according to claim 1,
The domain control unit further generates a domain based on a virtual environment including a predetermined execution region. The information processing apparatus according to claim 1,
The information processing apparatus according to claim 1, wherein the domain control unit uses the same domain as an execution area whose access is controlled based on the same security policy. The information processing apparatus according to claim 4,
The arithmetic processing unit has an area indicating a plurality of execution regions,
The domain control unit, when performing communication from a transmission source area to a transmission destination area, permits communication when the transmission source area and the transmission destination area are in the same domain. The information processing apparatus according to claim 4,
The arithmetic processing unit has an area indicating a plurality of execution regions,
The domain control unit, when performing communication from a transmission source area to a transmission destination area, when the transmission source area and the transmission destination area are different domains, and in the security policy, the transmission source area and the transmission destination area An information processing device that permits communication when information for permitting communication with the device is included. The information processing apparatus according to claim 4,
The arithmetic processing unit has an area indicating a plurality of execution regions,
The domain control unit prohibits communication with an area where predetermined verification processing has failed. The information processing apparatus according to claim 1,
The arithmetic processing unit hierarchically includes an execution area including individually startable programs or data,
The execution area of the predetermined hierarchy uses the unique key of the execution area of the predetermined hierarchy to decrypt the execution area of the upper layer one level higher than the predetermined hierarchy, and executes the predetermined verification process for the execution area of the upper hierarchy And when the said verification process is successful, the information processing apparatus which performs the process at the time of starting the program which the execution area of the said one step upper layer starts. The information processing apparatus according to claim 8,
The startup process is sequentially executed step by step until the lowest layer is the predetermined layer and the lower layer is one step lower than the highest layer. An information processing apparatus according to claim 8 or 9, wherein
The uppermost layer execution region, after the execution of the uppermost layer execution region, decrypts predetermined data using the unique key of the uppermost layer execution region and executes predetermined verification processing on the predetermined data An information processing apparatus that enables manipulation of the predetermined data when the verification process is successful. The information processing apparatus according to claim 10,
The predetermined data is data including identification data for identifying the information processing apparatus. The information processing apparatus according to any one of claims 8 to 11,
An execution area of a predetermined hierarchy executes a recovery process based on the importance of the predetermined hierarchy when the verification process fails. An information processing apparatus according to claim 12,
An execution area of a predetermined hierarchy executes a restoration process based on an importance level higher than the importance level of the predetermined hierarchy when the restoration process fails. An information processing apparatus according to claim 12 or 13,
The restoration process is a start / stop process of the information processing apparatus. An information processing apparatus according to claim 12 or 13,
The restoration process is a process of replacing the execution area of the predetermined hierarchy with another execution area acquired from an external server. An information processing apparatus according to claim 12 or 13,
The restoration process is a process that allows only an emergency call function to be used. An information processing apparatus according to claim 12 or 13,
The restoration process is a process for informing a notification unit that the verification process has failed. The information processing apparatus according to claim 1,
The arithmetic processing unit hierarchically includes an execution area including individually startable programs or data,
An execution area of a predetermined hierarchy executes an encryption process for encrypting an execution area one layer higher than the predetermined hierarchy using a unique key of the execution area of the predetermined hierarchy. The information processing apparatus according to claim 18,
The encryption process is executed step by step from the highest layer to the predetermined layer until the lowest layer is set to the predetermined layer. The information processing apparatus according to claim 18 or 19,
The uppermost layer execution area is an information processing apparatus that encrypts predetermined data using a unique key of the uppermost layer execution area before encrypting the uppermost layer execution area. The information processing apparatus according to claim 1,
The arithmetic processing unit includes a first arithmetic processing unit including predetermined data, and a second arithmetic processing unit,
The second arithmetic processing unit executes a transmission request for the predetermined data to the first arithmetic processing unit, and connects a communication path connecting the first arithmetic processing unit and the second arithmetic processing unit. An information processing apparatus that stores the predetermined data transmitted from the first arithmetic processing unit when a verification process related to an execution region including a program to be configured is successful. The information processing apparatus according to any one of claims 7, 8, 9, 10, and 21, further comprising:
Having a secure flag indicating the result of the verification process;
The arithmetic processing unit determines whether or not the verification process has failed based on the secure flag. An information processing apparatus according to claim 22,
The arithmetic processing unit performs different control according to a result of a verification process based on the secure flag. An antenna,
An input unit for receiving operation inputs;
A wireless unit for performing wireless communication via the antenna;
A cellular phone device comprising: the information processing device according to any one of claims 1 to 23.

Images