WO2018072715A1 - Communication system and electronic device - Google Patents


Info

Publication number: WO2018072715A1
Authority: WO (WIPO, PCT)
Application number: PCT/CN2017/106734
Other languages: French (fr), Chinese (zh)
Prior art keywords: execution environment, processor core, trusted execution, channel, driver
Inventors: 孟庆洋, 高峰, 孟令智, 张强
Original assignee: 北京豆荚科技有限公司

Classifications

    • G06F9/5027: Allocation of resources (e.g. of the CPU) to service a request, the resource being a machine, e.g. CPUs, servers, terminals (under G06F9/00 program control, G06F9/46 multiprogramming, G06F9/50 resource allocation)
    • G06F21/74: Protecting specific internal or peripheral components to assure secure computing or processing of information, operating in dual or compartmented mode, i.e. at least one secure mode (under G06F21/00 security arrangements)
    • G06F9/4856: Task life-cycle (stopping, restarting, resuming execution) with resumption on a different machine, e.g. task migration, virtual machine migration (under G06F9/48 program initiating and switching)
    • G06F9/544: Interprogram communication: buffers, shared memory, pipes (under G06F9/54)
    • G06F9/546: Interprogram communication: message passing systems or structures, e.g. queues (under G06F9/54)
    • G06F2209/508: Indexing scheme relating to G06F9/50: monitor

Definitions

  • the present invention relates to a communication system for communication between a normal execution environment and a trusted execution environment, and to an electronic device to which the communication system is applied.
  • TEE: Trusted Execution Environment. REE: the normal (rich) execution environment in which the main operating system and ordinary applications run.
  • ARM fully supports TEE in its chip IP design.
  • Qualcomm, MediaTek, Samsung, HiSilicon and Spreadtrum already support TEE in hardware.
  • Intel's x86 architecture and Imagination's MIPS architecture have also introduced similar solutions.
  • the common problem of these solutions is that the channel between the normal execution environment (REE) and the trusted execution environment (TEE) is realized as a single channel, which makes the channel design complicated, maintenance difficult and communication inefficient.
  • the technical problem to be solved by the present invention is to implement processor core scheduling between the normal execution environment and the trusted execution environment so as to allocate resources optimally.
  • the present invention proposes a communication system for communication between a normal execution environment and a trusted execution environment. The communication system includes a normal execution environment and a trusted execution environment, the trusted execution environment being isolated from the normal execution environment; both environments are capable of running an operating system and applications. The communication system further includes a processor core scheduling unit, which checks the task load of each processor core of the trusted execution environment at intervals:
  • in one case, the processor core scheduling unit migrates a processor core of the normal execution environment to the trusted execution environment via the scheduling and control channel, where it processes tasks of the trusted execution environment as one of its processor cores.
  • in another case, the processor core scheduling unit migrates all processor cores of the trusted execution environment to the normal execution environment via the scheduling and control channel, where they perform the tasks of the normal execution environment as its processor cores.
  • when the task load of the trusted execution environment is reduced and an idle processor core is present, the processor core scheduling unit migrates the idle processor core to the normal execution environment via the scheduling and control channel, where it performs tasks of the normal execution environment as one of its processor cores.
  • the processor core scheduling unit checks the task load of the processor cores of the trusted execution environment every set time period (e.g., 100 ms).
  • a processor core of the trusted execution environment whose task load is too high issues a request to the processor core scheduling unit. The scheduling unit then checks the state of the processor cores of the normal execution environment, randomly selects one CPU core that is in the suspended state and transfers it to the trusted execution environment to execute trusted execution environment tasks as one of its processor cores, and distributes the tasks waiting on the requesting processor core to the newly transferred core according to specific task rules.
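
The scheduling loop described in the bullets above, as an added worked example in C. It is this page's illustration, not code from the patent or its assignee. The core count, the HIGH_LOAD threshold, the rule that a borrowed core takes half of the requester's backlog, the choice of core 0 as the resident TEE core, and the small LCG used for the random pick are all assumptions made here; the 100 ms check period is the value the text gives.

```c
#include <stdint.h>
#include <stdio.h>

#define NCORES 4
#define CHECK_PERIOD_MS 100   /* check interval given in the text */
#define HIGH_LOAD 8           /* assumed: a TEE core with more pending tasks asks for help */

enum world { REE, TEE };
enum core_state { RUNNING, SUSPENDED };

struct core {
    enum world world;
    enum core_state state;
    unsigned load;            /* pending tasks on this core */
};

struct scheduler {
    struct core cores[NCORES];
    uint32_t rng;             /* small LCG so the "random" pick is reproducible */
    unsigned to_tee, to_ree;  /* migration counters */
};

/* Assumed layout: core 0 is the TEE's resident core, the rest start as suspended REE cores. */
void scheduler_init(struct scheduler *s, uint32_t seed) {
    for (int i = 0; i < NCORES; i++)
        s->cores[i] = (struct core){ i == 0 ? TEE : REE, i == 0 ? RUNNING : SUSPENDED, 0 };
    s->rng = seed;
    s->to_tee = s->to_ree = 0;
}

int tee_core_count(const struct scheduler *s) {
    int n = 0;
    for (int i = 0; i < NCORES; i++) n += (s->cores[i].world == TEE);
    return n;
}

static uint32_t next_rand(struct scheduler *s) {
    s->rng = s->rng * 1103515245u + 12345u;
    return s->rng >> 16;
}

/* "randomly selects the CPU core of the suspended state": one suspended REE core, or -1. */
static int pick_suspended_ree_core(struct scheduler *s) {
    int cand[NCORES], n = 0;
    for (int i = 0; i < NCORES; i++)
        if (s->cores[i].world == REE && s->cores[i].state == SUSPENDED) cand[n++] = i;
    return n ? cand[next_rand(s) % n] : -1;
}

/* Move core `to` into the TEE and hand it half of the requester's backlog.  The text
 * only says tasks are distributed "according to specific task rules"; halving is assumed. */
static void migrate_to_tee(struct scheduler *s, int requester, int to) {
    unsigned share = s->cores[requester].load / 2;
    s->cores[to] = (struct core){ TEE, RUNNING, share };
    s->cores[requester].load -= share;
    s->to_tee++;
}

/* An idle borrowed core goes back to the REE as a suspended core. */
static void migrate_to_ree(struct scheduler *s, int idx) {
    s->cores[idx] = (struct core){ REE, SUSPENDED, 0 };
    s->to_ree++;
}

/* One load check of the TEE cores, run every CHECK_PERIOD_MS.
 * Returns the number of core migrations performed in this tick. */
int scheduler_tick(struct scheduler *s) {
    unsigned before = s->to_tee + s->to_ree;
    for (int i = 0; i < NCORES; i++) {
        struct core *c = &s->cores[i];
        if (c->world != TEE) continue;
        if (c->load > HIGH_LOAD) {              /* overloaded TEE core requests a core */
            int to = pick_suspended_ree_core(s);
            if (to >= 0) migrate_to_tee(s, i, to);
        } else if (c->load == 0 && i != 0) {    /* idle borrowed core returns (core 0 stays) */
            migrate_to_ree(s, i);
        }
    }
    return (int)(s->to_tee + s->to_ree - before);
}

/* Stand-alone run: a burst of 20 tasks on the resident TEE core, draining one task per tick. */
int main(void) {
    struct scheduler s;
    scheduler_init(&s, 42);
    s.cores[0].load = 20;
    for (unsigned t = 0; t < 8 * CHECK_PERIOD_MS; t += CHECK_PERIOD_MS) {
        int moved = scheduler_tick(&s);
        printf("t=%4u ms TEE cores=%d moved=%d loads:", t, tee_core_count(&s), moved);
        for (int i = 0; i < NCORES; i++)
            printf(" %u%c", s.cores[i].load, s.cores[i].world == TEE ? 'T' : 'R');
        printf("\n");
        for (int i = 0; i < NCORES; i++)
            if (s.cores[i].world == TEE && s.cores[i].load) s.cores[i].load--;
    }
    return 0;
}
```

Within one tick a freshly borrowed core is itself checked if its index is higher than the requester's, so a large burst cascades across several cores in the same 100 ms check; when no REE core is suspended the request is simply not served, which is the point at which the text's "all cores busy" case would need a policy of its own.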
  • the communication system further includes an interrupt control unit. When a processor core of the trusted execution environment receives an interrupt, the interrupt control unit determines how it is to be processed: interrupts that may be processed only by a processor core of the trusted execution environment are classed as secure interrupts and form a first group, and all other interrupts form a second group of non-secure interrupts.
  • the interrupt control unit hands the first group of secure interrupts to a processor core of the trusted execution environment and transfers the second group of non-secure interrupts via the scheduling and control channel to a processor core of the normal execution environment for processing.
  • alternatively, the interrupt control unit hands the first group of secure interrupts to a processor core of the trusted execution environment and determines whether a non-secure interrupt of the second group is a shared peripheral interrupt, a private interrupt or a software interrupt:
  • for a shared peripheral interrupt, the interrupt control unit instructs the trusted execution environment processor core that received it to discard the interrupt, and transfers the discarded shared peripheral interrupt to the normal execution environment via the scheduling and control channel.
  • for a private interrupt or a software interrupt, the interrupt control unit notifies the processor core scheduling unit, which transfers the trusted execution environment processor core that received the interrupt to the normal execution environment via the scheduling and control channel, so that it becomes a processor core of the normal execution environment, and queues the interrupted task in a work queue.
  • the processor core scheduling unit is configured to schedule processor cores within the trusted execution environment and between the trusted execution environment and the normal execution environment.
  • the processor core scheduling unit afterwards transfers the normal execution environment processor core that received the interrupt back to the trusted execution environment via the scheduling and control channel, thereby re-establishing it as a processor core of the trusted execution environment that waits to receive further interrupts.
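
The interrupt routing rules above, as an added C example written for this page rather than taken from the patent. The interrupt ID ranges follow the ARM GIC convention (SGI 0 to 15, PPI 16 to 31, SPI from 32), which is how software, private and shared peripheral interrupts are normally distinguished; the secure interrupt set, the work queue size and the inline simulation of the REE servicing the interrupt are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Interrupt ID ranges as on an ARM GIC: SGI 0-15, PPI 16-31, SPI 32 and up. */
enum irq_kind { IRQ_SGI, IRQ_PPI, IRQ_SPI };
enum irq_action { HANDLE_IN_TEE, FORWARD_TO_REE, MIGRATE_CORE_TO_REE };
enum world { REE, TEE };

#define WORKQ_SLOTS 8

struct tee_core {
    enum world world;
    int current_task;          /* task id being executed, -1 if idle */
    int workq[WORKQ_SLOTS];    /* interrupted tasks parked by the scheduling unit */
    int workq_len;
    unsigned handled_in_tee, forwarded_spi, migrations;
};

/* Assumed first group (secure interrupts): e.g. the SE and fingerprint sensor lines. */
static const unsigned secure_irqs[] = { 40, 41 };

static enum irq_kind classify(unsigned intid) {
    if (intid < 16) return IRQ_SGI;
    if (intid < 32) return IRQ_PPI;
    return IRQ_SPI;
}

bool is_secure_irq(unsigned intid) {
    for (size_t i = 0; i < sizeof secure_irqs / sizeof secure_irqs[0]; i++)
        if (secure_irqs[i] == intid) return true;
    return false;
}

/* The interrupt control unit's decision for an interrupt that arrived on a TEE core. */
enum irq_action route_interrupt(unsigned intid) {
    if (is_secure_irq(intid)) return HANDLE_IN_TEE;           /* first group */
    if (classify(intid) == IRQ_SPI) return FORWARD_TO_REE;    /* second group, shared peripheral */
    return MIGRATE_CORE_TO_REE;                               /* second group, private or software */
}

void tee_core_init(struct tee_core *c, int task) {
    *c = (struct tee_core){ TEE, task, {0}, 0, 0, 0, 0 };
}

/* Apply the decision to the core that received the interrupt; returns the action taken. */
enum irq_action tee_core_receive_irq(struct tee_core *c, unsigned intid) {
    enum irq_action a = route_interrupt(intid);
    switch (a) {
    case HANDLE_IN_TEE:
        c->handled_in_tee++;
        break;
    case FORWARD_TO_REE:
        /* The TEE core discards the SPI; the scheduling and control channel carries it to an REE core. */
        c->forwarded_spi++;
        break;
    case MIGRATE_CORE_TO_REE:
        /* PPIs and SGIs are bound to the receiving core, so the core itself moves:
         * park the interrupted task, become an REE core, let the REE service the
         * interrupt (simulated inline), then return as a TEE core. */
        if (c->current_task >= 0 && c->workq_len < WORKQ_SLOTS)
            c->workq[c->workq_len++] = c->current_task;
        c->current_task = -1;
        c->world = REE;
        c->migrations++;
        c->world = TEE;   /* re-established as a TEE core, waiting for further interrupts */
        break;
    }
    return a;
}

/* Resume the oldest parked task once the core is back in the TEE; returns its id or -1. */
int tee_core_resume(struct tee_core *c) {
    if (c->world != TEE || c->workq_len == 0) return -1;
    int t = c->workq[0];
    for (int i = 1; i < c->workq_len; i++) c->workq[i - 1] = c->workq[i];
    c->workq_len--;
    c->current_task = t;
    return t;
}

int main(void) {
    static const char *names[] = { "handle in TEE", "forward SPI to REE", "migrate core to REE" };
    unsigned sample_irqs[] = { 40, 45, 27, 3 };   /* constructed: secure, non-secure SPI, PPI, SGI */
    struct tee_core c;
    tee_core_init(&c, 7);
    for (size_t i = 0; i < sizeof sample_irqs / sizeof sample_irqs[0]; i++)
        printf("irq %2u -> %s\n", sample_irqs[i], names[tee_core_receive_irq(&c, sample_irqs[i])]);
    printf("parked tasks=%d, resumed task=%d\n", c.workq_len, tee_core_resume(&c));
    return 0;
}
```

The reason the two non-secure cases differ is visible in the routing function: a shared peripheral interrupt can be retargeted to any core, so the TEE core just drops it and lets the channel hand it to the REE, whereas a private or software interrupt is tied to the core that got it, so the only way to let the REE handle it is to lend that core to the REE and park the task it was running.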
  • the communication system further includes an application channel and a driver channel arranged between the normal execution environment and the trusted execution environment. The application channel is used for communication between applications of the normal execution environment and the trusted execution environment; the driver channel is used for communication between drivers of the normal execution environment and the trusted execution environment.
  • the application channel, the driver channel and the scheduling and control channel are each arranged in a shared memory between the normal execution environment and the trusted execution environment, and the shared memory regions of the different channels are independent of one another.
  • the application channel, the driver channel and the scheduling and control channel each include a forward channel and a reverse channel: the forward channel transfers messages from the send queue of the normal execution environment to the receive queue of the trusted execution environment, and the reverse channel transfers messages from the send queue of the trusted execution environment to the receive queue of the normal execution environment.
  • the message type and message content of each message to be sent or received are stored in the respective send queues and receive queues of the normal execution environment and the trusted execution environment, so that each message is sent or received via the channel that matches its message type.
  • a client application, a host driver, a virtual driver and/or a processor core can run in the normal execution environment, and a trusted application, a host driver, a virtual driver and/or a processor core can run in the trusted execution environment.
  • the driver channel is configured for communication between a virtual driver and a host driver across the normal execution environment and the trusted execution environment, so as to implement driver sharing between the two environments.
  • when the normal execution environment invokes a specific driver, it calls the virtual driver of that driver arranged in the normal execution environment. This triggers the information related to the driver to be sent via the forward channel of the driver channel to the corresponding host driver in the trusted execution environment; the host driver is invoked, and the information obtained after processing is returned via the reverse channel of the driver channel to the virtual driver of the normal execution environment.
  • when the trusted execution environment invokes a specific driver, it calls the virtual driver of that driver arranged in the trusted execution environment. This triggers the information related to the driver to be sent via the reverse channel of the driver channel to the corresponding host driver in the normal execution environment; the host driver is invoked, and the information obtained after processing is returned via the forward channel of the driver channel to the virtual driver of the trusted execution environment.
  • the present invention also proposes an electronic device comprising a communication system according to the present invention, a network interface and a peripheral device interface, wherein a user can obtain an application via the network interface or the peripheral device interface and install it in the communication system, and can also run different applications with the aid of the communication system.
  • processor cores are scheduled between the trusted execution environment and the normal execution environment via the scheduling and control channel, which solves the problem of limited processing capability in the TEE.
  • Fig. 1 schematically illustrates a multi-channel communication system for communication between REE and TEE.
  • Fig. 2 schematically illustrates a driver channel in accordance with an embodiment of the present invention.
  • Fig. 3 schematically shows the workflow of the driver division unit.
  • Fig. 4 schematically illustrates the security hierarchy of a multi-channel communication system in accordance with an embodiment of the present invention.
  • Fig. 5 schematically shows the virtual docking mode between REE and TEE.
  • Fig. 6 schematically shows the operation of the core scheduling unit in accordance with an embodiment of the present invention.
  • Fig. 7 schematically shows the workflow of the interrupt control unit in accordance with an embodiment of the present invention.
  • Fig. 8 schematically illustrates an electronic device in accordance with an embodiment of the present invention.
  • a multi-channel communication system for communication between the REE and the TEE is proposed.
  • the multi-channel communication system includes a REE and a TEE isolated from the REE; an operating system and applications run in both the TEE and the REE, for example a client application, a host driver, a virtual driver and/or a processor core on the REE side, and a trusted application, a host driver, a virtual driver and/or a processor core on the TEE side. It further includes an application channel, a driver channel, and a scheduling and control channel arranged between the REE and the TEE.
  • the application channel is constructed for communication between applications of the REE and the TEE; the driver channel is constructed for communication between drivers running in the REE and the TEE; and the scheduling and control channel is constructed for communication of scheduling and control commands between the REE and the TEE.
  • the application channel, the driver channel and the scheduling and control channel are isolated from each other and can communicate in parallel. Therefore multiple kinds of security problems, such as biometrics, mobile payment, digital rights protection, secure positioning and Internet of Things security, can be solved efficiently on one mobile terminal at the same time.
  • in the single-channel prior art the structural design of the channel is complicated: because a single channel is used, the TEE side must parse the information coming from the REE side, and a loader communicates with the corresponding access object on the TEE side. Conversely, if an application on the TEE side needs to call a program, driver or the like on the REE side, communication can only take place through this same channel. The channel carries the data structures for driver operations, application calls, scheduling and so on; including multiple data types in one communication poses great difficulties in design and implementation.
  • shared memory between the REE side and the TEE side is set up separately for each channel, and the shared memory regions of the different channels are independent of one another.
  • by means of this shared memory, different data types are passed between REE and TEE over different channels.
  • the shared memory used to implement the different channels is a memory portion set up on the REE side that can be shared with the TEE, and it belongs to non-trusted memory (the memory set up on the TEE side is trusted memory that is inaccessible from the REE side).
  • the memory of the different channels can be kept independent by logical division. For example, fixed and independent memory areas can be assigned to the different channels, or the memory area allocated to each channel can be adjusted as needed at each operation; after each adjustment the independence between the channels is still ensured by the logical division.
  • the data transfer process for each channel is as follows:
  • the application channel, the driver channel and the scheduling and control channel may each operate in simplex mode, and each includes a forward channel and a reverse channel, where the forward channel transfers messages from the send queue on the REE side to the receive queue on the TEE side, and the reverse channel transfers messages from the send queue on the TEE side to the receive queue on the REE side.
  • the application channel, the driver channel and the scheduling and control channel can also adopt a half-duplex or full-duplex communication mode; accordingly, the forward channel and the reverse channel can also be virtual channels, implemented by switching or by contention.
  • the message types and message contents of messages to be sent or received are stored in the respective send queues and receive queues on the REE side and the TEE side, so that each message is sent or received via the channel that matches its message type. In this way the messages to be sent can simply be divided onto the correct channel.
  • the application channel carries a standard application protocol, such as a Client API compliant with the GlobalPlatform TEE (GP TEE) standard.
  • the driver channel is configured for communication between a virtual driver and a host driver across the REE and the TEE, so as to enable driver sharing between the REE and the TEE.
  • the solution of the embodiment of the present invention is based on TEE technology and is not limited to processor chips supporting the ARM TrustZone extension.
  • the multi-level operation method proposed by the present invention can simultaneously and efficiently solve biometric identification, mobile payment, digital rights protection, secure positioning, Internet of Things security and many other security issues on a mobile terminal.
  • the TEE architecture can be roughly divided into three layers: the hardware layer, the TEE OS (operating system) layer and the TA (Trusted Application) layer.
  • a multi-channel communication system according to an embodiment of the present invention is implemented at the TEE OS layer.
  • Fig. 1 illustrates a multi-channel communication system 100 for communication between a REE and a TEE in accordance with an embodiment of the present invention.
  • the multi-channel communication system 100 includes a REE 101 and a TEE 102 isolated from the REE 101; an operating system and applications run in both the TEE 102 and the REE 101, for example a client application, a host driver, a virtual driver and/or a processor core on the REE 101 side, and a trusted application, a host driver, a virtual driver and/or a processor core on the TEE 102 side.
  • TEE: trusted execution environment; REE: normal (rich) execution environment.
  • the multi-channel communication system 100 also includes an application channel 103, a driver channel 104, and a scheduling and control channel 105 arranged between the REE 101 and the TEE 102. The application channel 103 is configured for communication between applications in the REE 101 and the TEE 102; the driver channel 104 is configured for communication between drivers running in the REE 101 and the TEE 102; and the scheduling and control channel 105 is configured for communication of scheduling and control commands between the REE 101 and the TEE 102.
  • the application channel 103 can provide a specified interface for an application vendor's app; as long as the interface is followed, the vendor can register the app on the platform.
  • highly security-sensitive apps can be placed on the TEE side. Access permission for an app placed on the TEE side is generally settled at the factory stage of the device: the trusted application developer, the equipment vendor and the TEE provider negotiate it, and access is verified by signature.
  • communication between a host driver and its virtual driver is carried over the driver channel 104, and different drivers can be flexibly placed on the TEE side or the REE side depending on the type of driver and the resources it occupies. A driver that occupies more resources and is harder to migrate can remain on the REE side; drivers that occupy fewer resources and require a higher level of security can be kept on the TEE side.
  • current trusted execution environments have no scheduling of resources: a designated processor core is generally responsible for running the TEE-related services and tasks. Since the protected content run in current TEEs is small, the processing capability of a single core can handle it.
  • the use of related applications such as iris recognition and DRM will greatly increase the load on the TEE side, so reasonable scheduling of resources is necessary. None of the currently known TEE vendors implements processor scheduling between REE and TEE.
  • in existing solutions, the roles of the application channel 103, the driver channel 104 and the scheduling and control channel 105 may all be served by one and the same channel.
  • such a TEE adopts a macro-kernel or sandbox architecture; owing to its own characteristics a kernel object is associated with only one process, so communication between the TEE and the REE can only take place through a single channel.
  • sandbox: sandboxing technology. A sandbox usually provides a tightly controlled set of resources for running a program, and can provide a virtual system environment for a user app.
  • this single shared channel has the following characteristics: (1) the structural design of the channel is complicated. Because a single channel is used, the TEE side must parse the information from the REE side through a loader and communicate with the corresponding access object on the TEE side; conversely, if an application on the TEE side needs to call a program, driver or the like on the REE side, communication can only take place through this channel. The channel carries data structures for driver operations, application calls, scheduling and so on, and including multiple data types in one communication poses great difficulties in design and implementation. (2) It does not follow the software design principle of low coupling, which makes maintenance and upgrades very difficult: an upgrade of the channel may affect all the modules that depend on it, which is prone to errors. (3) It is inefficient: a single channel cannot handle concurrent processing of different kinds of data, such as application data and driver data.
  • application channel 103, driver channel 104 and scheduling and control channel 105 are isolated from each other and operate concurrently.
  • the application channel 103 is responsible for communication between the client app (the client application on the REE side) and the trusted app (the trusted application on the TEE side), and mainly carries a standard application protocol (such as a Client API conforming to the GlobalPlatform TEE standard).
  • the driver channel 104 is responsible for communication between a device's host driver and its virtual driver across the REE and the TEE; it carries the communication interfaces of the various kinds of drivers, and the present invention uses a method of driver virtual docking to implement driver sharing between the REE and the TEE. The scheduling and control channel 105 carries scheduling and control commands between the REE and the TEE.
  • the isolated channels are implemented by means of virtualization technology.
  • shared memory between the REE side and the TEE side is set up separately for the application channel 103, the driver channel 104 and the scheduling and control channel 105, and the shared memory regions of the different channels are independent of one another.
  • the application channel 103, the driver channel 104 and the scheduling and control channel 105 each include a forward channel and a reverse channel, where the forward channel transfers messages from the send queue on the REE side to the receive queue on the TEE side, and the reverse channel transfers messages from the send queue on the TEE side to the receive queue on the REE side.
  • the message types and message contents of messages to be sent or received are stored in the respective send queues and receive queues on the REE side and the TEE side, so that each message is sent or received via the channel that matches its message type.
  • when messages are transmitted over multiple channels, each message can thus be delivered correctly to the REE or the TEE over the channel appropriate to its type.
  • the message queues for the CA (Client Application) and the TA (Trusted Application) must each have a separate thread to handle the contents of the queue.
  • different channels can execute concurrently, and the calls of a CA and a TA on the same channel do not have to wait for each other's returned result, so concurrent operation is truly achieved.
  • the mutually isolated multi-channel design of the present invention supports concurrent calls.
  • multiple virtual machines can be virtualized on one TEE to create separate execution spaces for different TAs.
  • several CAs on the REE side can simultaneously call several TAs on the TEE side, and several drivers can be shared at the same time.
  • the characteristics of a virtual machine are isolation and security, so security isolation can also be achieved in this way.
  • the solution of this embodiment truly achieves multi-channel concurrency and is in a leading position in system performance and scalability.
  • biometrics, mobile payment, digital rights protection, secure positioning, Internet of Things security and many other security issues can be solved efficiently at the same time on one mobile terminal.
  • the mutually isolated multi-channel design of the present invention also achieves greater security than a technical solution that does not support virtualization.
  • the level of protection on the TEE side has obvious advantages over existing TEE software products.
  • data exchange between TEE and REE can take many forms. For example, in a mobile terminal, application data (AD) and control data (MCP, NQ) are transmitted via different buffers, but such buffer-based data transmission does not achieve effective control of drivers and scheduling.
  • AD: application data; MCP, NQ: control data.
  • support for multiple TEEs based on virtualization is currently the biggest advantage of the isolated multi-channel design of the present invention over other TEE vendors, who at present do not support multiple TEEs.
  • Fig. 2 illustrates a driver channel in accordance with one embodiment of the present invention.
  • the driver channel 104 is configured for communication between a virtual driver and a host driver across the REE and the TEE, so as to enable driver sharing between the REE and the TEE.
  • a driver call is implemented by means of virtual docking.
  • the host driver and the virtual driver can be assigned to different execution environments depending on the characteristics of the driver itself. That is, the host driver of a driver is placed in one execution environment, and the virtual driver of that driver is placed in the other execution environment; for example, the file system driver can be placed in the REE and the fingerprint (FP) driver in the TEE. The division of drivers is explained further below.
  • when the REE calls the virtual driver of a driver placed on the REE side, this triggers the driver-related information to be sent via the forward channel of the driver channel to the corresponding host driver on the TEE side; the host driver is called, and the processed information is returned to the virtual driver on the REE side via the reverse channel of the driver channel.
  • when the TEE calls the virtual driver of a driver placed on the TEE side, this triggers the driver-related information to be sent via the reverse channel of the driver channel to the corresponding host driver on the REE side; the host driver is called, and the processed information is returned to the virtual driver on the TEE side via the forward channel of the driver channel.
  • an application can call any driver on the REE side or the TEE side without noticing the transition between REE and TEE.
  • for example, the fingerprint driver is called on the REE side, while the host driver of that driver, i.e. the real driver, is located on the TEE side.
  • the fingerprint driver is called on the REE side to obtain fingerprint information, but the REE side does not have the real fingerprint driver; instead, the interface for operating the fingerprint sensor is defined on the REE side by means of virtualization.
  • the multi-channel communication system invokes the virtualized fingerprint interface on the REE side and actually transmits the fingerprint interface information to the TEE through the forward channel of the driver channel 104; after the TEE side has obtained the fingerprint-related information from the real fingerprint interface, it sends the information to the REE side through the reverse channel of the driver channel, and the REE obtains the fingerprint-related result.
  • the CA on the REE side does not notice that the driver call actually involves a switch between the two execution environments. This is achieved by virtualization combined with message communication over the driver channel.
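
The shared-memory channel layout described earlier (three logically divided regions, each with a forward and a reverse queue, messages routed by their type) and the fingerprint round trip just described, combined into one added C example. It is this page's illustration, not the patent's code; the queue sizes, the message header layout, the stand-in host driver that turns a sample into a score, and the inline simulation of the world switch are assumptions. Because the text places the shared memory in non-trusted REE memory, the TEE-side consumer copies each slot out and validates the length field before using it, and the example shows a tampered header being rejected.

```c
/* Added example, not the patent's code: three isolated shared-memory channels with
 * forward (REE->TEE) and reverse (TEE->REE) queues, plus a virtual fingerprint
 * driver on the REE side docked to a host driver on the TEE side. Sizes are assumed. */
#include <stdint.h>
#include <string.h>

enum channel_id { CH_APP, CH_DRIVER, CH_SCHED, CH_COUNT };
enum msg_type   { MSG_APP_CALL = 1, MSG_DRV_CALL = 2, MSG_SCHED_CMD = 3 };
#define QUEUE_SLOTS 8
#define MSG_PAYLOAD 32

struct message { uint16_t type, len; uint8_t payload[MSG_PAYLOAD]; };

/* One simplex queue. In the patent's layout it sits in REE-side memory shared with
 * the TEE, i.e. memory the REE can rewrite at any moment. */
struct queue { uint32_t head, tail; struct message slots[QUEUE_SLOTS]; };
struct channel { struct queue forward, reverse; };

static struct channel shm[CH_COUNT];   /* one logically independent region per channel */

/* Message type selects the channel, so app, driver and scheduling traffic never mix. */
static int channel_for(uint16_t type) {
    switch (type) {
    case MSG_APP_CALL:  return CH_APP;
    case MSG_DRV_CALL:  return CH_DRIVER;
    case MSG_SCHED_CMD: return CH_SCHED;
    default:            return -1;
    }
}

static int q_push(struct queue *q, const struct message *m) {
    uint32_t next = (q->tail + 1) % QUEUE_SLOTS;
    if (next == q->head) return -1;                       /* full */
    q->slots[q->tail] = *m;
    q->tail = next;
    return 0;
}

/* Copy the slot out, then validate the header: the region is non-trusted, so the
 * consumer never acts on a length it has not checked. Returns 0, -1 empty, -2 corrupt. */
static int q_pop(struct queue *q, struct message *out) {
    if (q->head == q->tail) return -1;
    *out = q->slots[q->head];
    q->head = (q->head + 1) % QUEUE_SLOTS;
    return out->len > MSG_PAYLOAD ? -2 : 0;
}

int channel_is_empty(int ch) {
    return shm[ch].forward.head == shm[ch].forward.tail &&
           shm[ch].reverse.head == shm[ch].reverse.tail;
}

/* REE side: a message leaves only on the channel matching its type. */
int ree_send(const struct message *m) {
    int ch = channel_for(m->type);
    return ch < 0 ? -1 : q_push(&shm[ch].forward, m);
}

/* TEE-side host fingerprint driver (assumed stand-in): reduces a sample to a score. */
static void tee_fingerprint_host_driver(const struct message *req, struct message *rsp) {
    uint32_t score = 0;
    for (uint16_t i = 0; i < req->len; i++) score += req->payload[i];
    rsp->type = MSG_DRV_CALL;
    rsp->len = sizeof score;
    memcpy(rsp->payload, &score, sizeof score);
}

/* TEE side: drain the driver channel, call the host driver, answer on the reverse
 * queue. Returns the number of requests served. */
int tee_service_driver_channel(void) {
    struct message req, rsp;
    int served = 0, rc;
    while ((rc = q_pop(&shm[CH_DRIVER].forward, &req)) != -1) {
        if (rc != 0 || req.type != MSG_DRV_CALL) continue;   /* corrupt or misrouted: drop */
        tee_fingerprint_host_driver(&req, &rsp);
        q_push(&shm[CH_DRIVER].reverse, &rsp);
        served++;
    }
    return served;
}

/* REE-side virtual fingerprint driver: the CA calls it like a local driver. The
 * world switch is simulated by running the TEE service routine inline. */
int ree_virtual_fingerprint_driver(const uint8_t *sample, uint16_t len, uint32_t *score) {
    struct message req = { .type = MSG_DRV_CALL, .len = len }, rsp;
    if (len > MSG_PAYLOAD) return -1;
    memcpy(req.payload, sample, len);
    if (ree_send(&req) != 0) return -1;
    tee_service_driver_channel();
    if (q_pop(&shm[CH_DRIVER].reverse, &rsp) != 0 || rsp.len != sizeof *score) return -1;
    memcpy(score, rsp.payload, sizeof *score);
    return 0;
}

/* A length field overwritten after enqueue (REE-side tampering) is rejected on pop. */
int demo_reject_corrupted_header(void) {
    struct message m = { .type = MSG_SCHED_CMD, .len = 1 }, out;
    uint32_t idx = shm[CH_SCHED].forward.tail;
    q_push(&shm[CH_SCHED].forward, &m);
    shm[CH_SCHED].forward.slots[idx].len = 0xFFFF;
    return q_pop(&shm[CH_SCHED].forward, &out);
}
```

Calling `ree_virtual_fingerprint_driver` with a constructed three-byte sample `{1, 2, 3}` returns 0 with a score of 6, and the application and scheduling channels stay untouched by the driver traffic; `demo_reject_corrupted_header` returns -2, showing the copy-then-validate order that a consumer of REE-writable memory needs, since checking the header in place and reading it again would let the REE change it in between.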
  • the present invention proposes a method of driver division based on the degree of security and availability, and an implementation method using a virtual docking method.
  • the multi-channel communication system comprises a drive division unit.
  • Fig. 3 schematically shows the workflow of the drive division unit.
  • the drive dividing unit performs the following steps:
  • in step 301 the security of the driver to be operated on the multi-channel communication system is evaluated; if the security of the driver is above the first security threshold, the main drive of the driver is assigned to the TEE side in step 302 and the virtual drive of the driver is set on the REE side; if the security of the driver is below the second security threshold, the main drive of the driver is assigned to the REE side in step 303 and the virtual drive of the driver is set on the TEE side.
  • the availability and achievability of the driver are checked in step 304; if the availability is below the availability threshold and the achievability is above the achievability threshold, the main drive of the driver is assigned to the TEE side in step 305 and the virtual drive of the driver is placed on the REE side; otherwise, in step 306, the main drive of the driver is assigned to the REE side and the virtual drive of the driver is set on the TEE side.
  • DRM Digital Rights Management
  • NFC Near Field Communication
  • iris camera driver: it is characterized in that the driver system is relatively difficult to fully migrate to the TEE while there is still a certain degree of security requirement.
  • the present invention utilizes the virtualization technology and container technology in the REE to protect such driver resources.
  • the drive division unit assigns the main drives of the DRM driver, the camera driver, the network driver, the GPS driver and the storage driver to the REE side; assigns the main drive of the part of the iris driver responsible for data transmission and data analysis to the TEE side and the main drive of the remaining part of the iris driver to the REE side; assigns the main drive of the NFC driver to the REE side; assigns the main drive of the part of the fingerprint driver responsible for data transmission and data analysis to the TEE side and the main drive of the part of the fingerprint driver initiated by the SPI interrupt (shared peripheral interrupt) to the REE side; assigns the SE (secure element) driver to the TEE side; and sets the main drives of the drivers supporting the TUI (trusted user interface) on both the REE side and the TEE side. This division takes into account the level of security requirements and the level of protection of the overall architecture.
  • Drivers that support the TUI include LCD drivers, touch screen drivers and I2C drivers.
  • FIG. 4 schematically illustrates a security hierarchy of a multi-channel communication system in accordance with an embodiment of the present invention.
  • REE is less secure than TEE.
  • the REE includes a Hypervisor level and a Container level whose security level is lower than that of the Hypervisor. The Hypervisor and the Container are isolated from each other, and the REE and the TEE are isolated from each other.
  • the Container layer refers to technology similar to the container technology of the Linux operating system.
  • the Hypervisor refers to the virtual software layer established by the hardware-supported virtualization extension technology.
  • the TEE refers to the TEE technology provided by the processor chip, not limited to the ARM TrustZone extension.
  • the drive dividing unit sets the main drive of a driver assigned to the REE side in the Container or in the Hypervisor, as appropriate.
  • the multi-channel communication system further includes an SE operating environment that is isolated from the REE and the TEE; the SE operating environment may cover an eSE (embedded secure element), SIM (Subscriber Identification Module), SSD (secure storage device), etc. in the mobile terminal, which have the highest security level but weak processing power.
  • REE: the network driver, GPS driver, storage driver, etc. are not demanding in terms of security, but the demand for them is very high and they are used frequently. Putting them in the TEE would seriously affect system performance, so they are placed in the REE without protection.
  • REE Container: for the protection of some special drivers and operations, it is not enough to consider only security; technical achievability must also be considered. Drivers such as the DRM driver, the NFC driver and the iris camera driver are characterized in that the driver system is relatively difficult to fully migrate to the TEE while there is still a certain degree of security requirement.
  • the driver for the data transmission and data analysis sections of the iris driver is placed on the secure end, and the other parts are placed in the REE Container, because these two parts of the driver involve security protection while the security level of the other parts is lower.
  • REE Hypervisor: in the REE, ARM virtualization supports EL2 hardware virtualization. Virtualization can raise the security level, but it is still in the REE, and its security level is lower than that of the TEE. NFC has gradually been adopted, but mainly in non-secure terminals, and the market demand for NFC payment is relatively small. Secondly, NFC device vendors rarely provide porting code for the TEE; porting is quite difficult and would have a considerable impact on system stability. So the NFC driver is kept on the REE side, but placed in the hypervisor to raise its security level.
  • TEE: the use of fingerprints is related to payment, and payment must be absolutely secure, so the fingerprint driver is placed in the TEE, and the fingerprint device can only be used in the secure world.
  • the SPI interrupt initiation in the fingerprint driver takes place in the REE; this part is not protected by the TEE.
  • Other fingerprint data transmission and analysis are placed in the TEE.
  • the SE has the highest level of security and the SE driver must be placed in the TEE.
  • TUI: refers to the trusted user interface.
  • the driver for the screen is placed in both REE and TEE.
  • the use of the screen is the most frequent, and the screen driver needs to be included on the REE side.
  • for a secure interface, such as when entering a bank account number and password, it is necessary to directly invoke the screen driver on the secure side when executing in the TEE.
  • a virtual docking method between different security levels is implemented. Specifically, the initialization of the environment on the REE side, whether Container or Hypervisor, is initiated and verified from the TEE side: the TEE boots and initializes the Hypervisor, and the Hypervisor in turn boots and initializes the Container. The TEE is therefore the root of security and trust, ensuring that the entire secure boot is based on authenticity and integrity verification.
  • Fig. 5 schematically shows a virtual docking mode between REE and TEE.
  • both the Container and the Hypervisor environment are initialized and verified from the TEE side.
  • the TEE boots and initializes the Hypervisor, and the Hypervisor in turn boots and initializes the Container.
  • the TEE ensures that the entire secure boot is based on authenticity and integrity verification.
  • DRM and iris: when the DRM or iris TA performs a secure operation, it borrows the driver module in the REE Container. When the call is completed, the Hypervisor immediately takes control of the I/O of the DRM and iris camera. This blocking is done by means of a mechanism similar to the IOMMU or SMMU in the processor chip, ensuring that the driver's control registers cannot be tampered with by the REE OS during the secure operation.
  • NFC driver: taking offline payment as an example, the NFC driver is isolated and protected in a virtual machine on the hypervisor. The key eSE driver is expected to be fully protected in the TEE, where it can interact directly with the SE, which has the highest security level.
  • the protection methods of the TEE for the various types of drivers are thereby effectively addressed.
  • other TEE vendors generally either migrate the driver system to the secure end or keep all of it in the REE. The design is simple and the security relatively high, but there is no corresponding analysis of the types and characteristics of the drivers, resulting in serious defects in the implementation.
  • the well-known TEE vendors all intend to migrate the driver to the TEE, but this has not been implemented to date, because the driver and the system are closely coupled. Although it could completely protect the driver, it is an indisputable fact that it cannot be realized.
  • the TEE encrypts the data to be transmitted to the REE side, so that the data flowing to the REE side is ciphertext. The data from the TEE side therefore cannot be tampered with or read in transit to the receiver on the REE side, which ensures the higher security of the TEE operating environment and of the entire multi-channel communication system.
  • the multi-channel communication system can also include a processor core scheduling unit.
  • the processor core scheduling unit can schedule the processor cores within the TEE and between the TEE and the REE.
  • the processor core scheduling unit checks the task load status of each processor core on the TEE side at intervals (for example, 100 ms), and processes according to the result of the check:
  • if a TEE-side processor core is overloaded and the TEE side as a whole remains overloaded after its tasks have been shifted to other TEE-side cores, the processor core scheduling unit migrates a processor core from the REE side to the TEE side via the scheduling and control channel, to process TEE-side tasks as a processor core on the TEE side;
  • if all tasks on the TEE side are blocked or suspended, the processor core scheduling unit migrates all processor cores on the TEE side to the REE side via the scheduling and control channel, to execute REE-side tasks as processor cores on the REE side;
  • if the TEE-side tasks decrease and an idle processor core appears, the processor core scheduling unit migrates the idle processor core to the REE side via the scheduling and control channel, to execute REE-side tasks as a processor core on the REE side.
  • a TEE-side processor core whose tasks are overloaded may issue a request to the processor core scheduling unit, so that the processor core scheduling unit checks the state of the processor cores on the REE side and randomly selects a processor core in the suspended state to transfer to the TEE side, to perform TEE-side tasks as a processor core on the TEE side; the processor core scheduling unit then distributes the pending tasks of the requesting core to the newly transferred TEE-side processor core for processing according to specific task rules, for example in order of priority or in order of migration time.
  • Fig. 6 schematically shows a schematic diagram of the operation of a core scheduling unit in accordance with an embodiment of the present invention.
  • processor core 2 acts as a dedicated core processing security tasks (Secure Task) on the TEE side and is periodically returned to the REE through global scheduling, mainly in response to the REE OS's inter-core scheduling and its routine task and interrupt scheduling; processor core 3 dynamically joins the TEE runtime environment according to the load of the TEE and processes Secure Tasks. This is the basic global scheduling method proposed by the present invention.
  • the processor core scheduling unit uses a time slice based single core scheduling algorithm to schedule the core on the TEE side.
  • each task is assigned a priority.
  • multiple processes alternately execute on the same TEE core: N processes can be active at the same time, but only one process is executing at any given moment. If a process uses up its time slice without having completed, the core currently in use must be switched to another process.
  • the process whose time slice has been used up waits until the next round of the time-slice loop; when its own time slice comes around again, it is switched back onto the core to run.
  • the processor core scheduling unit can also continue the execution of a process that has used up its time slice by starting a new core, that is, it balances the core load by enabling a new core.
  • the new core is preferably a core that is idle in the TEE, or a core that is randomly selected from the idle cores in the REE and migrated from the REE side.
  • HEFT Heterogeneous-Earliest-Finish-Time
  • CPOP Critical-path-on-a-Processor
  • the multi-channel communication system includes an interrupt control unit which, in the event that an interrupt is received by a processor core on the TEE side, operates as follows:
  • the interrupt control unit assigns the interrupts that can only be handled by a processor core on the TEE side to a first group as secure interrupts, and assigns the other interrupts to a second group as non-secure interrupts.
  • the interrupt control unit hands the secure interrupts in the first group to the processor core on the TEE side for processing.
  • the interrupt control unit transfers the non-secure interrupts in the second group to a processor core on the REE side via the scheduling and control channel.
  • the interrupt control unit determines whether a non-secure interrupt in the second group is an SPI (shared peripheral interrupt), a PPI (private interrupt) or an SGI (soft interrupt). If it is an SPI, the interrupt control unit instructs the TEE-side processor core that received the interrupt to discard it, and transfers the discarded SPI via the scheduling and control channel to a processor core on the REE side for processing; if it is a PPI or SGI, the interrupt control unit notifies the processor core scheduling unit, which then transfers the TEE-side processor core that received the interrupt to the REE side via the scheduling and control channel so that it becomes a processor core of the REE side, and queues the interrupted task in the corresponding work queue.
  • SPI Shared Peripheral Interrupt
  • PPI Private Interrupt
  • SGI Soft Interrupt
  • after the interrupted task has been placed in the work queue, the processor core scheduling unit transfers the REE-side processor core that received the interrupt back to the TEE side via the scheduling and control channel, re-establishing it as a processor core on the TEE side, where it waits to receive other interrupts. For example, the processor core scheduling unit transfers it back immediately after the interrupt is placed in the work queue.
  • this embodiment can discard a large number of SPIs and hand them to other REE processor cores for processing, which greatly reduces the number of times a TEE processor core has to switch to become an REE processor core for processing, thereby greatly improving the processing efficiency of the TEE.
  • Fig. 7 schematically shows the workflow of an interrupt control unit in accordance with an embodiment of the present invention.
  • the interrupt control unit determines whether the interrupt is a secure interrupt FIQ or a non-secure interrupt IRQ, and puts the secure interrupt FIQ into one group and the other interrupts into another group. Based on this division into secure and non-secure interrupts, secure interrupts need to be handled in the TEE, while other interrupts must be handled by other REE processor cores or by the receiving core acting as an REE processor core.
  • interrupts that do not necessarily have to be processed on the TEE side are generally allocated to REE processor cores to reduce the TEE resource load. Dividing the interrupts received by a TEE core as above therefore allows the non-secure interrupt IRQ or secure interrupt FIQ arriving at a TEE-side processor core to be scheduled so as to avoid excessive load on the TEE-side processor core.
  • the secure interrupt FIQ can be left to the TEE processor core for processing, while the non-secure interrupt IRQ is migrated to the REE side via the scheduling and control channel 105 and added to the work queue by the REE processor core. Thereafter, the processor core is switched back to the TEE side by the interrupt control unit and continues to wait for other interrupts of that core.
  • a non-secure interrupt IRQ is a shared peripheral interrupt SPI, a private interrupt PPI or a soft interrupt SGI.
  • a non-secure SPI can be discarded by the TEE core and taken over by an REE core through the scheduling and control channel 105.
  • an SPI can be taken over by any processor core, whereas a private interrupt PPI or soft interrupt SGI can only be processed by the TEE processor core that currently receives the interrupt, so the optimization for this part of the interrupts is to migrate that TEE processor core to the REE side to handle the PPI or SGI as an REE processor core. In this way the interrupts that need not be processed on a TEE processor core are distributed to REE processor cores as much as possible. Because the TEE processor core discards a large number of SPIs and leaves them to other REE processor cores, the number of times the TEE processor core has to switch to become an REE processor core is greatly reduced, thereby greatly improving the processing efficiency of the TEE.
  • FIG. 8 schematically illustrates an electronic device in accordance with an embodiment of the present invention.
  • the electronic device has a multi-channel communication system according to an embodiment of the present invention, a network interface and a peripheral device interface, wherein a user can obtain an application via the network interface or the peripheral device interface and install it on the multi-channel communication system, and the user can also run different applications.
  • the electronic device can be, for example, a mobile phone, a palmtop computer, a notebook computer, a desktop computer, a wearable smart communication device, or the like, any electronic device that is considered reasonable by those skilled in the art.
  • the present invention also relates to a multi-channel communication method designed to operate a multi-channel communication system in accordance with an embodiment of the present invention as described above.
  • the invention further relates to a computer program product having program code for causing execution of a multi-channel communication method in accordance with an embodiment of the present invention when the computer program is executed on a computer.
  • the invention further relates to a data carrier having program code of a computer program for causing execution of a multi-channel communication method in accordance with an embodiment of the present invention when the computer program is executed on a computer.
  • the present invention also relates to an electronic device having a drive dividing unit, a network interface and a peripheral device interface according to an embodiment of the present invention, wherein a user can obtain a driver via the network interface or the peripheral device interface, and the drive dividing unit divides the main drive of the driver into the trusted execution environment or the normal execution environment.
  • the present invention also relates to an electronic device having a processor core scheduling unit, a network interface and a peripheral device interface according to an embodiment of the present invention, wherein a user can obtain an application via the network interface or the peripheral device interface, and while the application is running on the electronic device the processor core scheduling unit schedules the processor cores within the trusted execution environment and between the trusted execution environment and the normal execution environment in accordance with the load state of the processor cores of the trusted execution environment.
  • the invention further relates to a processor core scheduling method designed to run a processor core scheduling unit in accordance with an embodiment of the present invention.
  • the invention further relates to a computer program product having program code for causing execution of a processor core scheduling method in accordance with the present invention when the computer program is executed on a computer.
  • the invention further relates to a data carrier having program code of a computer program for causing execution of a processor core scheduling method in accordance with an embodiment of the present invention when the computer program is executed on a computer.
  • the present invention also relates to an electronic device having an interrupt control unit, a network interface and a peripheral device interface according to an embodiment of the present invention, wherein a user can obtain an application via the network interface or the peripheral device interface, and while the application is running on the electronic device the interrupt control unit schedules interrupts between the processor cores of the trusted execution environment and the processor cores of the normal execution environment in accordance with the type of interrupt received by a processor core of the trusted execution environment.
  • the invention further relates to an interrupt control method designed to operate an interrupt control unit in accordance with an embodiment of the present invention.
  • the invention further relates to a computer program product having program code for causing execution of an interrupt control method according to an embodiment of the invention when executing a computer program on a computer.
  • the invention further relates to a data carrier having program code of a computer program for causing execution of an interrupt control method according to an embodiment of the invention when the computer program is executed on a computer.
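
The decision procedure of the drive division unit (steps 301 to 306 of Fig. 3), written out as an added example in C; this is illustrative code, not code from the patent or its assignee. The 0..100 scales, the threshold values, the sample driver profiles, and the assumption that step 304 applies to drivers whose security lies between the two security thresholds are all constructed for the example.

```c
#include <stdio.h>

/* The main (real) driver and the virtual (proxy) driver always sit on
 * opposite sides of the REE/TEE boundary. */
typedef enum { ENV_REE = 0, ENV_TEE = 1 } env_t;

typedef struct {
    env_t main_drive;
    env_t virtual_drive;
} placement_t;

/* Inputs evaluated by the drive division unit. The 0..100 scales and the
 * threshold values are constructed; the page names the thresholds but gives
 * no numbers. */
typedef struct {
    const char *name;
    int security;       /* security requirement of the driver */
    int availability;   /* how freely/frequently the driver must be usable */
    int achievability;  /* technical feasibility of running it in the TEE */
} driver_profile_t;

enum {
    SEC_THRESHOLD_1   = 80,   /* above this: main drive goes to the TEE (step 302) */
    SEC_THRESHOLD_2   = 30,   /* below this: main drive goes to the REE (step 303) */
    AVAIL_THRESHOLD   = 50,
    ACHIEVE_THRESHOLD = 50
};

static placement_t place_main_in(env_t env) {
    placement_t p = { env, env == ENV_TEE ? ENV_REE : ENV_TEE };
    return p;
}

/* Steps 301-306 of Fig. 3. Assumption: the availability/achievability check
 * (step 304) is reached by drivers whose security lies between the two
 * security thresholds; the page does not say how 301 and 304 connect. */
placement_t divide_driver(const driver_profile_t *d) {
    if (d->security > SEC_THRESHOLD_1)
        return place_main_in(ENV_TEE);                 /* step 302 */
    if (d->security < SEC_THRESHOLD_2)
        return place_main_in(ENV_REE);                 /* step 303 */
    /* step 304: low availability demand and a feasible TEE port -> TEE */
    if (d->availability < AVAIL_THRESHOLD && d->achievability > ACHIEVE_THRESHOLD)
        return place_main_in(ENV_TEE);                 /* step 305 */
    return place_main_in(ENV_REE);                     /* step 306 */
}

/* Constructed sample profiles, loosely following the page's discussion */
static const driver_profile_t SAMPLE[] = {
    { "fingerprint (data path)", 90, 40, 70 },
    { "secure element",          95, 20, 90 },
    { "network",                 10, 95, 20 },
    { "storage",                 15, 90, 30 },
    { "iris camera",             55, 60, 20 },   /* security need, but hard to port */
    { "DRM",                     50, 40, 25 },
};
#define NSAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* How many of the sample drivers end up with their main drive in the TEE */
int count_main_in_tee(void) {
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        n += divide_driver(&SAMPLE[i]).main_drive == ENV_TEE;
    return n;
}

int main(void) {
    for (size_t i = 0; i < NSAMPLE; i++) {
        placement_t p = divide_driver(&SAMPLE[i]);
        printf("%-24s main: %s  virtual: %s\n", SAMPLE[i].name,
               p.main_drive == ENV_TEE ? "TEE" : "REE",
               p.virtual_drive == ENV_TEE ? "TEE" : "REE");
    }
    return 0;
}
```

With these constructed profiles only the fingerprint data path and the secure element land in the TEE; the iris camera and DRM drivers fall into the middle security band and are kept in the REE because their TEE port is not achievable, which is the case the page resolves with the REE Container.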

Abstract

The present invention relates to a communication system and an electronic device, and in particular to a communication system used for communication between an ordinary execution environment and a trusted execution environment. The communication system comprises the ordinary execution environment and the trusted execution environment. The trusted execution environment is isolated from the ordinary execution environment, and an operating system and applications can run in both the trusted execution environment and the ordinary execution environment. The communication system also comprises a processor core scheduling unit, which checks the task load condition of each processor core of the trusted execution environment at intervals and schedules the processor cores between the trusted execution environment and the ordinary execution environment through a scheduling and control channel according to the task load condition.

Description

Communication system and electronic device

Technical field
The present invention relates to a communication system for communication between a normal execution environment and a trusted execution environment, and to an electronic device using the communication system.
Background
The basic idea of the Trusted Execution Environment (TEE), also called a safe runtime environment, is to provide, alongside the normal operating system, a secure operating system isolated from it and running on an isolated set of hardware; this secure operating system is called the TEE. It is known that a protected region can be created in a microprocessor unit by means of ARM TrustZone technology to serve as the TEE. The TEE is used to run applications called trustlets. ARM fully supports the TEE in its chip IP designs, and Qualcomm, MediaTek, Samsung, HiSilicon, Spreadtrum and others already support the TEE in hardware. Intel's x86 architecture and Imagination's MIPS architecture have also introduced similar solutions. The problem common to all of these solutions is that the channel between the normal execution environment (REE) and the trusted execution environment (TEE) is implemented as a single channel, which makes the channel design complex, maintenance difficult and communication inefficient.
Summary of the invention
The technical problem addressed by the present invention is to implement processor core scheduling between the normal execution environment and the trusted execution environment so as to allocate resources optimally.
To solve this problem, the present invention proposes a communication system for communication between a normal execution environment and a trusted execution environment, wherein the communication system comprises a normal execution environment and a trusted execution environment, the trusted execution environment being isolated from the normal execution environment; an operating system and applications can run in both the trusted execution environment and the normal execution environment; and the communication system further comprises a processor core scheduling unit which checks, at intervals, the task load of each processor core of the trusted execution environment:
if a processor core of the trusted execution environment is overloaded with tasks, its task load is transferred to other trusted execution environment processor cores that are not overloaded; if, after the transfer, the trusted execution environment processor cores as a whole are still overloaded, the processor core scheduling unit migrates a processor core of the normal execution environment to the trusted execution environment via the scheduling and control channel, to process the tasks of the trusted execution environment as a processor core of the trusted execution environment;
if all tasks of the trusted execution environment are in a blocked or suspended state, the processor core scheduling unit migrates all processor cores of the trusted execution environment to the normal execution environment via the scheduling and control channel, to execute the tasks of the normal execution environment as processor cores of the normal execution environment;
if the tasks of the trusted execution environment decrease and an idle processor core appears, the processor core scheduling unit migrates the idle processor core to the normal execution environment via the scheduling and control channel, to execute the tasks of the normal execution environment as a processor core of the normal execution environment.
In one embodiment according to the invention, the processor core scheduling unit checks the task load of each processor core of the trusted execution environment every set time interval (for example 100 ms).
In one embodiment according to the invention, if the overall task load of the trusted execution environment processor cores is too high, the overloaded processor core of the trusted execution environment issues a request to the processor core scheduling unit, so that the processor core scheduling unit checks the state of the processor cores of the normal execution environment and randomly selects a processor core in the suspended state to transfer to the trusted execution environment, to execute the tasks of the trusted execution environment as a processor core of the trusted execution environment; the processor core scheduling unit then distributes the tasks awaiting distribution of the requesting processor core to the newly transferred trusted execution environment processor core for processing according to specific task rules.
In an embodiment in accordance with the invention, the communication system further includes an interrupt control unit. If a processor core of the trusted execution environment receives an interrupt, the interrupt control unit classifies interrupts that can only be handled by a processor core of the trusted execution environment into a first group, as secure interrupts, and classifies all other interrupts into a second group, as non-secure interrupts.
In an embodiment in accordance with the invention, the interrupt control unit hands the secure interrupts of the first group to a processor core of the trusted execution environment for processing, and transfers the non-secure interrupts of the second group, via the scheduling and control channel, to a processor core of the normal execution environment for processing.
In an embodiment in accordance with the invention, the interrupt control unit hands the secure interrupts of the first group to a processor core of the trusted execution environment for processing, and for a non-secure interrupt of the second group the interrupt control unit determines whether it is a shared peripheral interrupt, a private interrupt or a software interrupt:
if it is a shared peripheral interrupt, the interrupt control unit instructs the processor core of the trusted execution environment that received the interrupt to discard it, and the interrupt control unit transfers the discarded shared peripheral interrupt via the scheduling and control channel to a processor core of the normal execution environment for processing;
if it is a private interrupt or a software interrupt, the interrupt control unit notifies the processor core scheduling unit, which then transfers the processor core of the trusted execution environment that received the interrupt to the normal execution environment via the scheduling and control channel, so that it becomes a processor core of the normal execution environment, and the task of that interrupt is placed in the work queue.
In an embodiment in accordance with the invention, the processor core scheduling unit is configured to schedule processor cores within the trusted execution environment and between the trusted execution environment and the normal execution environment,
wherein, after the task of the private interrupt or software interrupt has been placed in the work queue, the processor core scheduling unit transfers the processor core of the normal execution environment that received the interrupt back to the trusted execution environment via the scheduling and control channel, so that it again becomes a processor core of the trusted execution environment, waiting to receive further interrupts.
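The interrupt classification and core migration described in the embodiments above, written out as an added C model that is not code from the patent: the interrupt control unit and the processor core scheduling unit are reduced to a small state machine whose decisions and channel traffic can be checked. The patent only names the three classes of non-secure interrupt; the assumption that they map onto the ARM GIC interrupt ID layout (SGI 0-15, PPI 16-31, SPI 32 and up), the table of secure interrupt IDs, the command codes and all type and function names are the example's own.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Added example (not the patent's code): the interrupt control unit and the
 * processor core scheduling unit as a small state machine.
 * Assumption: interrupt IDs follow the ARM GIC layout (SGI 0-15, PPI 16-31,
 * SPI 32+); the patent only names the three classes. The secure-ID table,
 * the command codes and all names below are made up for the example. */

enum IntClass { INT_SGI, INT_PPI, INT_SPI };
enum Env { ENV_TEE, ENV_REE };
enum Action {
    ACT_INVALID = -1,
    ACT_HANDLE_IN_TEE,      /* group 1: secure interrupt, serviced on the TEE core */
    ACT_DISCARD_FORWARD,    /* group 2 SPI: dropped on the TEE core, forwarded to a REE core */
    ACT_MIGRATE_AND_QUEUE   /* group 2 PPI/SGI: core moves to REE, task queued, core returns */
};
/* Commands carried by the scheduling and control channel in this model. */
enum SchedCmd { CMD_FORWARD_SPI, CMD_CORE_TO_REE, CMD_CORE_TO_TEE };

#define MAX_CORES 4
#define WORKQ_MAX 8
#define LOG_MAX   16

typedef struct { enum SchedCmd cmd; uint32_t arg; } CtrlMsg;

typedef struct {
    enum Env core_env[MAX_CORES];   /* which environment each core belongs to right now */
    uint32_t workq[WORKQ_MAX];      /* REE work queue of interrupt tasks */
    int workq_len;
    CtrlMsg ctrl[LOG_MAX];          /* what was sent over the scheduling and control channel */
    int ctrl_len;
} System;

/* Hypothetical lines that only a TEE core may service (e.g. a secure sensor). */
static const uint32_t SECURE_INTIDS[] = { 40, 41 };

static int is_secure(uint32_t intid) {
    for (size_t i = 0; i < sizeof SECURE_INTIDS / sizeof SECURE_INTIDS[0]; i++)
        if (SECURE_INTIDS[i] == intid) return 1;
    return 0;
}

enum IntClass classify(uint32_t intid) {
    if (intid < 16) return INT_SGI;      /* software generated interrupt */
    if (intid < 32) return INT_PPI;      /* private peripheral interrupt */
    return INT_SPI;                      /* shared peripheral interrupt */
}

static void ctrl_send(System *s, enum SchedCmd cmd, uint32_t arg) {
    if (s->ctrl_len < LOG_MAX) s->ctrl[s->ctrl_len++] = (CtrlMsg){ cmd, arg };
}

/* Core `core`, currently a TEE core, has received interrupt `intid`. */
enum Action on_interrupt(System *s, int core, uint32_t intid) {
    if (core < 0 || core >= MAX_CORES || s->core_env[core] != ENV_TEE) return ACT_INVALID;
    if (is_secure(intid)) return ACT_HANDLE_IN_TEE;             /* first group */
    if (classify(intid) == INT_SPI) {                           /* second group, shared */
        ctrl_send(s, CMD_FORWARD_SPI, intid);                   /* TEE core discards it */
        return ACT_DISCARD_FORWARD;
    }
    /* second group, private or software interrupt: the receiving core changes sides */
    ctrl_send(s, CMD_CORE_TO_REE, (uint32_t)core);
    s->core_env[core] = ENV_REE;
    if (s->workq_len < WORKQ_MAX) s->workq[s->workq_len++] = intid;   /* task queued in REE */
    ctrl_send(s, CMD_CORE_TO_TEE, (uint32_t)core);
    s->core_env[core] = ENV_TEE;                                /* back, waiting for more */
    return ACT_MIGRATE_AND_QUEUE;
}

/* Scenario: core 0 is the TEE core, cores 1-3 belong to the REE. Returns 0 on success. */
int demo_interrupt_control(void) {
    System s = { { ENV_TEE, ENV_REE, ENV_REE, ENV_REE } };
    if (on_interrupt(&s, 0, 40) != ACT_HANDLE_IN_TEE) return 1;      /* secure line */
    if (on_interrupt(&s, 0, 33) != ACT_DISCARD_FORWARD) return 2;    /* non-secure SPI */
    if (s.ctrl_len != 1 || s.ctrl[0].cmd != CMD_FORWARD_SPI || s.ctrl[0].arg != 33) return 3;
    if (on_interrupt(&s, 0, 27) != ACT_MIGRATE_AND_QUEUE) return 4;  /* non-secure PPI */
    if (on_interrupt(&s, 0, 5) != ACT_MIGRATE_AND_QUEUE) return 5;   /* SGI */
    if (s.workq_len != 2 || s.workq[0] != 27 || s.workq[1] != 5) return 6;
    if (s.ctrl_len != 5 || s.core_env[0] != ENV_TEE) return 7;       /* two round trips logged */
    if (on_interrupt(&s, 1, 33) != ACT_INVALID) return 8;            /* REE core: not this path */
    return 0;
}

int main(void) {
    int rc = demo_interrupt_control();
    printf("demo_interrupt_control: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The model is deliberately single-threaded: the migration is two commands logged on the scheduling and control channel with the core's environment flipped in between, which is enough to see that a secure interrupt never leaves the TEE core, a shared peripheral interrupt is forwarded without moving the core, and a private or software interrupt costs a full round trip per interrupt.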
In an embodiment in accordance with the invention, the communication system further includes an application channel and a driver channel arranged between the normal execution environment and the trusted execution environment, wherein the application channel is used for communication between applications of the normal execution environment and of the trusted execution environment, and the driver channel is used for communication between drivers running in the normal execution environment and in the trusted execution environment.
In an embodiment in accordance with the invention, the application channel, the driver channel and the scheduling and control channel are each provided with their own shared memory between the normal execution environment and the trusted execution environment, and the shared memory regions used for the different channels are independent of one another.
In an embodiment in accordance with the invention, the application channel, the driver channel and the scheduling and control channel each include a forward channel and a reverse channel, wherein the forward channel is used to transfer messages from the send queue of the normal execution environment into the receive queue of the trusted execution environment, and the reverse channel is used to transfer messages from the send queue of the trusted execution environment into the receive queue of the normal execution environment.
In an embodiment in accordance with the invention, the respective send queues and receive queues of the normal execution environment and the trusted execution environment store the message type and message content of each message to be sent or received, so that each message is sent or received via the channel that matches its message type.
In an embodiment in accordance with the invention, client applications, main drivers, virtual drivers and/or processor cores can run in the normal execution environment, and trusted applications, main drivers, virtual drivers and/or processor cores can run in the trusted execution environment.
In an embodiment in accordance with the invention, the driver channel is constructed for communication between a virtual driver and a main driver across the normal execution environment and the trusted execution environment, so as to achieve driver sharing between the normal execution environment and the trusted execution environment.
In an embodiment in accordance with the invention, when the normal execution environment invokes a particular driver, if the main driver of that driver resides in the trusted execution environment and the virtual driver of that driver resides in the normal execution environment, the normal execution environment invokes the virtual driver of that driver located in the normal execution environment, which triggers the information relating to that driver to be sent via the forward channel of the driver channel to the corresponding main driver in the trusted execution environment; the main driver is then invoked and the resulting processed information is returned via the reverse channel of the driver channel to the virtual driver in the normal execution environment, and,
when the trusted execution environment invokes a particular driver, if the virtual driver of that driver resides in the trusted execution environment and the main driver of that driver resides in the normal execution environment, the trusted execution environment invokes the virtual driver of that driver located in the trusted execution environment, which triggers the information relating to that driver to be sent via the reverse channel of the driver channel to the corresponding main driver in the normal execution environment; the main driver is then invoked and the resulting processed information is returned via the forward channel of the driver channel to the virtual driver in the trusted execution environment.
The invention further proposes an electronic device, comprising: a communication system according to the invention, together with a network interface and a peripheral device interface, wherein a user can obtain an application via the network interface or the peripheral device interface and install that application on the communication system, and the user can also run different applications by means of the communication system.
Through the invention, processor cores are scheduled between the trusted execution environment and the normal execution environment via the scheduling and control channel, which solves the problem of limited processing capacity in the TEE.
DRAWINGS
In order to explain the technical solutions of the embodiments of the invention more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and those of ordinary skill in the art can derive further drawings from them without creative effort. In the drawings:
Figure 1 schematically shows a multi-channel communication system for communication between a REE and a TEE.
Figure 2 schematically shows an embodiment of the driver channel according to an embodiment of the invention.
Figure 3 schematically shows the workflow of the driver partitioning unit.
Figure 4 schematically shows the security hierarchy of a multi-channel communication system according to an embodiment of the invention.
Figure 5 schematically shows the virtual docking between the REE and the TEE.
Figure 6 schematically shows the operation of the core scheduling unit according to an embodiment of the invention.
Figure 7 schematically shows the workflow of the interrupt control unit according to an embodiment of the invention.
Figure 8 schematically shows an electronic device according to an embodiment of the invention.
For the sake of clarity, identical or equivalent elements are designated by the same reference numerals throughout the drawings. The drawings are merely schematic and their elements are not necessarily to scale.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them.
According to an embodiment of the invention, a multi-channel communication system for communication between a REE and a TEE is proposed. The multi-channel communication system includes a REE and a TEE isolated from the REE; an operating system and applications run in both the TEE and the REE, for example, client applications, main drivers, virtual drivers and/or processor cores run on the REE side, and trusted applications, main drivers, virtual drivers and/or processor cores run on the TEE side. The system further includes an application channel, a driver channel and a scheduling and control channel arranged between the REE and the TEE, wherein the application channel is constructed for communication between applications in the REE and the TEE; the driver channel is constructed for communication between drivers running in the REE and the TEE; and the scheduling and control channel is constructed for communication of scheduling and control commands between the REE and the TEE.
According to an embodiment of the invention, the application channel, the driver channel and the scheduling and control channel are isolated from one another and can communicate in parallel. As a result, multiple classes of security problems, such as biometrics, mobile payment, digital rights protection, secure positioning and IoT security, can be handled efficiently and simultaneously on a single mobile terminal.
By contrast, the disadvantages of a single-channel structure are:
(1) The structural design of the channel is complex. Because a single channel is used, the TEE side has to parse the information from the REE side and communicate with the corresponding access object on the TEE side through a loader. Conversely, if an application on the TEE side needs to call a program, driver, etc. on the REE side, it can only communicate through this same channel. The data structures for driver, application and scheduling operations all have to use this channel, and carrying multiple data types within one form of communication makes design and implementation very difficult.
(2) It does not follow the low-coupling principle of software design, which makes maintenance and upgrades very difficult. Upgrading the channel may cause the corresponding modules to affect one another, which easily leads to errors.
(3) Low efficiency. A single channel cannot process different kinds of traffic, such as data and driver traffic, concurrently.
According to an embodiment of the invention, separate shared memory between the REE side and the TEE side is provided for each of the application channel, the driver channel and the scheduling and control channel, and the shared memory regions used for the different channels are independent of one another. Through this shared memory, different data types are transferred between the REE and the TEE over different channels.
In other words, the shared memory used to implement the different channels is a portion of memory located on the REE side that can be shared with the TEE; it is untrusted memory (memory located on the TEE side is trusted memory that the REE side cannot access), and the mutual independence of the memory of the different channels can be achieved by logical partitioning. For example, fixed, mutually independent memory regions can be assigned to the different channels, or the memory region allocated to each channel can be adjusted as needed on each run; after each adjustment, the independence of the channels is still guaranteed by the logical partitioning.
By way of example, the data transfer process of each channel is as follows:
First, the data is loaded into the shared memory of the respective channel; then the data is read on the REE or TEE side; next, on the REE or TEE side, the data is tagged according to its data type and encapsulated into the corresponding data structure, and then placed in the corresponding work queue to await processing.
Because the memory used for the different channels is mutually independent, the virtual "channels" are naturally isolated from one another as well. In this way, different types of data are transferred over dedicated channels, full concurrency is achieved, and a "multi-TEE" architecture, i.e. simultaneous communication with multiple virtual machines virtualized on the TEE side, can be supported.
According to an embodiment of the invention, the application channel, the driver channel and the scheduling and control channel may each operate in simplex mode and each include a forward channel and a reverse channel, wherein the forward channel is used to transfer messages from the send queue on the REE side into the receive queue on the TEE side, and the reverse channel is used to transfer messages from the send queue on the TEE side into the receive queue on the REE side. This further increases concurrency and reduces the probability of errors in data transfer. The application channel, the driver channel and the scheduling and control channel may also use half-duplex or full-duplex communication; correspondingly, the forward and reverse channels may also be virtual channels, implemented by switching or by contention.
According to an embodiment of the invention, the respective send queues and receive queues on the REE side and the TEE side store the message type and message content of each message to be sent or received, so that each message is sent or received via the channel matching its message type. In this way, routing each message to be transferred onto the correct channel can be implemented simply.
According to an embodiment of the invention, the application channel carries a standard application protocol, such as a Client API conforming to the GPTEE standard (Note 1).
According to an embodiment of the invention, the driver channel is constructed for communication between a virtual driver and a main driver across the REE and the TEE, so as to achieve driver sharing between the REE and the TEE.
The solution of the embodiments of the invention centers on TEE technology and targets, but is not limited to, processor chips supporting the ARM TrustZone extension. Through the multi-level operating method proposed by the invention, multiple classes of security problems, such as biometrics, mobile payment, digital rights protection, secure positioning and IoT security, can be handled efficiently and simultaneously on a single mobile terminal.
The TEE architecture can be broadly divided into three layers: the hardware layer, the TEE OS (operating system) layer and the TA (Trusted Application) layer. The multi-channel communication system according to the embodiments of the invention is implemented at the TEE OS layer.
Figure 1 shows a multi-channel communication system 100 for communication between a REE and a TEE according to an embodiment of the invention. As shown in Figure 1, the multi-channel communication system 100 includes a REE 101 and a TEE 102 isolated from the REE 101, wherein an operating system and applications run in both the TEE 102 and the REE 101; for example, client applications, main drivers, virtual drivers and/or processor cores run on the REE 101 side, and trusted applications, main drivers, virtual drivers and/or processor cores run on the TEE 102 side.
A TEE (trusted execution environment) is a secure execution environment that is isolated from the normal execution environment (REE); an operating system and applications can run in each of the two execution environments. A channel is therefore needed between the TEE and the REE for data transfer.
Accordingly, the multi-channel communication system 100 further includes an application channel 103, a driver channel 104 and a scheduling and control channel 105 arranged between the REE 101 and the TEE 102, wherein the application channel 103 is constructed for communication between applications in the REE 101 and the TEE 102; the driver channel 104 is constructed for communication between drivers running in the REE 101 and the TEE 102; and the scheduling and control channel 105 is constructed for communication of scheduling and control commands between the REE 101 and the TEE 102.
The application channel 103 can provide a defined interface for application vendors' apps; as long as this interface is followed, a vendor can deploy a registered app on the platform, and according to the invention apps requiring a high level of security can be placed on the TEE side. Admission of an app to the TEE side is generally negotiated at the factory stage of the device between the trusted application developer, the device manufacturer and the TEE provider, and admission is verified by signature.
Because drivers differ in kind and in the amount of resources they occupy, the driver channel 104 enables communication between a host (main) driver and a virtual driver, so that different drivers can flexibly be placed on either the TEE side or the REE side. Drivers that occupy many resources and are difficult to migrate can remain on the REE side, while drivers that occupy few resources and require a higher security level can be kept on the TEE side.
Regarding the scheduling channel: current trusted execution environments have no scheduling of resources. For example, in current TEEs a designated processor core is generally assigned to run the TEE-related services and tasks; because the protected content to be run in the TEE is currently small, the processing capacity of a single core is still sufficient. However, as demand on the TEE grows, the use of applications such as iris recognition and DRM will greatly increase the load on the TEE side, so reasonable scheduling of resources is essential. None of the currently known TEE vendors implement processor scheduling between the REE and the TEE.
In one embodiment of the invention, the application channel 103, the driver channel 104 and the scheduling and control channel 105 may be the same channel. In this embodiment the TEE uses a monolithic-kernel or sandbox architecture; because of the inherent property of such an architecture that a kernel object is associated with only one process, communication between the TEE and the REE can only take place through a single channel. Specifically, a sandbox is a security mechanism for isolating running programs, often used to execute untested code or untrusted third-party programs. A sandbox usually provides a tightly controlled set of resources to run a program and can provide a virtual system environment for user apps; even if a program running in the sandbox environment fails, it only modifies or corrupts local temporary resources and does not crash the system. The sandbox works such that only one sandbox can run at any given time, so without virtualization support, and given the sandbox mechanism, only one trusted application (TA) can run in the TEE at a time.
However, this single, shared channel implementation has the following characteristics: (1) The structural design of the channel is complex. Because a single channel is used, the TEE side has to parse the information from the REE side and communicate with the corresponding access object on the TEE side through a loader. Conversely, if an application on the TEE side needs to call a program, driver, etc. on the REE side, it can only communicate through this same channel. The data structures for driver, application and scheduling operations all have to use this channel, and carrying multiple data types within one form of communication makes design and implementation very difficult. (2) It does not follow the low-coupling principle of software design, which makes maintenance and upgrades very difficult. Upgrading the channel may cause the corresponding modules to affect one another, which easily leads to errors. (3) Low efficiency. A single channel cannot process different kinds of traffic, such as data and driver traffic, concurrently.
According to a further embodiment of the invention, the application channel 103, the driver channel 104 and the scheduling and control channel 105 are isolated from one another and can operate concurrently. The application channel 103 is responsible for communication between a Client APP (client application on the REE side) and a Trusted APP (trusted application on the TEE side) and mainly carries a standard application protocol (such as a Client API conforming to the GPTEE standard (Note 1)); the driver channel 104 is responsible for communication between a device's main driver and virtual driver across the REE and the TEE and carries the communication interfaces of the various drivers, the invention using a driver virtual-docking method to achieve driver sharing between the REE and the TEE; and the scheduling and control channel 105 carries scheduling-type and control-type commands between the REE and the TEE.
The mutually isolated channels are implemented by virtualization technology. Specifically, this is achieved by providing separate shared memory between the REE side and the TEE side for each of the application channel 103, the driver channel 104 and the scheduling and control channel 105, the shared memory regions for the different channels being independent of one another. The application channel 103, the driver channel 104 and the scheduling and control channel 105 each include a forward channel and a reverse channel, wherein the forward channel transfers messages from the send queue on the REE side into the receive queue on the TEE side, and the reverse channel transfers messages from the send queue on the TEE side into the receive queue on the REE side. The respective send queues and receive queues on the REE side and the TEE side store the message type and message content of each message to be sent or received, so that each message is sent or received via the channel matching its message type. Only in this way, when messages are passed over multiple channels, can each message be correctly transferred into the REE or the TEE over the channel for its type. The message queues of the CA (Client Application) and the TA (Trusted Application) each have a dedicated thread responsible for processing the contents of the queue. With the solution of this embodiment, different channels can operate concurrently, and a call between a CA and a TA within the same channel does not have to wait for the result to be returned, achieving truly concurrent operation.
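The per-channel shared memory, the forward and reverse queues and the routing of messages by message type described in the paragraph above (and in the earlier description of the channels and their shared memory on this page), as an added C model that is not code from the patent. It also shows the check a practitioner would want given that the page places this shared memory on the REE side as untrusted memory: the receiving side copies a slot out before looking at it and range-checks the queue indices, the message type and the length it finds there, so a REE that corrupts the region cannot steer the TEE into reading outside a slot or past the payload. Three channels, four slots per queue, the payload size and every name (SharedMemory, shm_send, shm_recv, the message types) are assumptions of the example.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not code from the patent. The three mutually isolated
 * channels are three independent regions of one shared-memory block; each
 * region holds a forward (REE -> TEE) and a reverse (TEE -> REE) queue.
 * All sizes and names here are assumptions. */

enum MsgType { MSG_APP = 0, MSG_DRV = 1, MSG_SCHED = 2, MSG_TYPE_COUNT };
enum Dir { FORWARD = 0, REVERSE = 1 };

#define QUEUE_SLOTS 4
#define PAYLOAD_MAX 32

typedef struct {
    uint32_t type;                  /* enum MsgType, written by the sender */
    uint32_t len;                   /* bytes used in payload */
    uint8_t  payload[PAYLOAD_MAX];
} Msg;

/* One single-direction ring queue. It lives in REE-owned (untrusted) memory. */
typedef struct {
    volatile uint32_t head;         /* next slot to read */
    volatile uint32_t tail;         /* next slot to write */
    Msg slots[QUEUE_SLOTS];
} Queue;

typedef struct { Queue dir[2]; } Channel;          /* forward + reverse */
typedef struct { Channel ch[MSG_TYPE_COUNT]; } SharedMemory;   /* one region per type */

static int queue_push(Queue *q, const Msg *m) {
    uint32_t tail = q->tail, head = q->head;
    if (tail - head >= QUEUE_SLOTS) return -1;      /* full */
    q->slots[tail % QUEUE_SLOTS] = *m;
    q->tail = tail + 1;
    return 0;
}

/* Pop with validation. The indices, type and len were written by the other
 * side and may have been tampered with, so the slot is copied out first
 * (no check-then-use on the shared page) and every field is range-checked. */
static int queue_pop(Queue *q, Msg *out, enum MsgType expect) {
    uint32_t head = q->head, tail = q->tail;
    if (tail - head == 0) return -1;                /* empty */
    if (tail - head > QUEUE_SLOTS) return -2;       /* corrupted indices */
    Msg tmp;
    memcpy(&tmp, &q->slots[head % QUEUE_SLOTS], sizeof tmp);
    if (tmp.type != (uint32_t)expect) return -3;    /* wrong type for this channel */
    if (tmp.len > PAYLOAD_MAX) return -4;           /* length out of bounds */
    *out = tmp;
    q->head = head + 1;
    return 0;
}

/* A sender on either side picks the channel from the message type. */
int shm_send(SharedMemory *shm, enum Dir dir, enum MsgType type,
             const void *payload, uint32_t len) {
    if (type >= MSG_TYPE_COUNT || len > PAYLOAD_MAX) return -1;
    Msg m = { .type = type, .len = len };
    memcpy(m.payload, payload, len);
    return queue_push(&shm->ch[type].dir[dir], &m);
}

/* A receiver thread drains only the channel and direction for its type. */
int shm_recv(SharedMemory *shm, enum Dir dir, enum MsgType type, Msg *out) {
    if (type >= MSG_TYPE_COUNT) return -1;
    return queue_pop(&shm->ch[type].dir[dir], out, type);
}

/* Scenario with constructed sample messages. Returns 0 on success. */
int demo_isolated_channels(void) {
    static SharedMemory shm;
    memset(&shm, 0, sizeof shm);
    const char app[] = "CA->TA open_session";       /* constructed sample */
    const char drv[] = "fp_read";                   /* constructed sample */
    const char cmd[] = "migrate_core";              /* constructed sample */
    if (shm_send(&shm, FORWARD, MSG_APP, app, sizeof app)) return 1;
    if (shm_send(&shm, FORWARD, MSG_DRV, drv, sizeof drv)) return 2;

    Msg m;
    if (shm_recv(&shm, FORWARD, MSG_DRV, &m) != 0) return 3;    /* TEE driver thread */
    if (strcmp((const char *)m.payload, "fp_read") != 0) return 4;
    if (shm_recv(&shm, FORWARD, MSG_DRV, &m) != -1) return 5;   /* driver queue now empty */
    if (shm_recv(&shm, REVERSE, MSG_APP, &m) != -1) return 6;   /* nothing from the TEE yet */
    if (shm_recv(&shm, FORWARD, MSG_APP, &m) != 0) return 7;    /* TEE application thread */

    /* Tampering by the REE: an oversized len, then a bogus tail index. */
    if (shm_send(&shm, FORWARD, MSG_SCHED, cmd, sizeof cmd)) return 8;
    shm.ch[MSG_SCHED].dir[FORWARD].slots[0].len = PAYLOAD_MAX + 1;
    if (shm_recv(&shm, FORWARD, MSG_SCHED, &m) != -4) return 9;
    shm.ch[MSG_SCHED].dir[FORWARD].tail = 1000;
    if (shm_recv(&shm, FORWARD, MSG_SCHED, &m) != -2) return 10;
    return 0;
}

int main(void) {
    int rc = demo_isolated_channels();
    printf("demo_isolated_channels: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The model is single-threaded and says nothing about cache maintenance or memory ordering between the two worlds; what it does show is that isolation of the channels comes from each type having its own region and its own reader, and that on the TEE side the queue metadata is input to be validated, not state to be trusted.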
本发明的该相互隔离的多通道支持并发调用。通过使用上述虚拟化技术,在一个TEE上可以虚拟化多个虚拟机,为不同的TA创建执行空间。如多个设置在REE侧的CA可以同时调用多个设置在TEE侧的TA,多个驱动可以同时相互共享等。虚拟机的特性即为隔离性和安全性,同时也可以实现安全隔离。该实施例的方案真正做到了多通道的并发技术,在系统的性能和可扩展性上都处于领先地位。通过该实施例所提出的多层次操作方法,可以在一台移动终端上同时高效率地解决生物识别, 移动支付,数字版权保护,安全定位,物联网安全等多类安全问题。The mutually isolated multi-channel of the present invention supports concurrent calls. By using the above virtualization technology, multiple virtual machines can be virtualized on one TEE to create execution space for different TAs. For example, a plurality of CAs disposed on the REE side can simultaneously call a plurality of TAs disposed on the TEE side, and multiple drivers can be shared with each other at the same time. The characteristics of the virtual machine are isolation and security, and security isolation can also be achieved. The solution of this embodiment truly achieves multi-channel concurrency technology and is in a leading position in system performance and scalability. Through the multi-level operation method proposed in this embodiment, biometrics can be efficiently solved simultaneously on one mobile terminal. Mobile payment, digital copyright protection, secure location, Internet of Things security and many other security issues.
通过本发明的该相互隔离的多通道还相比于不支持虚拟化的技术方案实现了更大的安全性。在TEE侧的保护层次和级别上都要比现有的TEE软件产品有明显的优势。This mutually isolated multi-channel by the present invention also achieves greater security than a technical solution that does not support virtualization. The level of protection and level of the TEE side has obvious advantages over the existing TEE software products.
在TEE和REE之间的数据交换可以采用多种方式,例如,在移动终端中,应用数据(AD)与控制数据(MCP、NQ)经由不同的缓冲器传输,但是这种基于缓冲器的数据传输对于驱动以及调度无法实现有效的控制。基于虚拟化而实现的多TEE的支持,是目前本发明的相互隔离的多通道相比于其他TEE厂商最大的优势。目前其他厂商都不支持多TEE。Data exchange between TEE and REE can take many forms. For example, in a mobile terminal, application data (AD) and control data (MCP, NQ) are transmitted via different buffers, but such buffer-based data Transmission does not achieve effective control for the drive and scheduling. The support of multiple TEEs based on virtualization is currently the biggest advantage of the isolated multi-channels of the present invention compared to other TEE vendors. Currently, other vendors do not support multiple TEEs.
图2示出了根据本发明一个实施例的驱动通道。如图2所示,驱动通道104构建为用于在REE与TEE之间,在虚拟驱动与主驱动之间通信,以实现在REE与TEE之间的驱动共享。Figure 2 illustrates a drive channel in accordance with one embodiment of the present invention. As shown in FIG. 2, the drive channel 104 is configured to communicate between the virtual drive and the main drive between the REE and the TEE to enable drive sharing between the REE and the TEE.
Driver calls are implemented by way of virtual docking. Depending on the characteristics of the driver itself, its host driver and its virtual driver can be assigned to different execution environments. That is, the host driver of a driver is set up in one execution environment and the virtual driver of that driver is set up in the other. For example, the file system driver is placed in the REE and the fingerprint (FP) driver in the TEE. The way drivers are partitioned is explained further below.
When a specific driver is called on the REE side, if only the virtual driver of that driver exists on the REE side while its host driver exists on the TEE side, the REE calls the virtual driver set up on the REE side. This causes the information relating to the driver call to be sent via the forward channel of the driver channel to the corresponding host driver on the TEE side, whereupon the host driver is invoked and the resulting processed information is returned via the reverse channel of the driver channel to the virtual driver on the REE side.
When a specific driver is called on the TEE side, if only the virtual driver of that driver exists on the TEE side while its host driver exists on the REE side, the TEE calls the virtual driver set up on the TEE side. This causes the information relating to the driver call to be sent via the reverse channel of the driver channel to the corresponding host driver on the REE side, whereupon the host driver is invoked and the resulting processed information is returned via the forward channel of the driver channel to the virtual driver on the TEE side.
In this way, an application can call any driver on the REE side or the TEE side without noticing the switch between REE and TEE. Taking a fingerprint recognition application as an example, the fingerprint driver is called on the REE side, while the host driver of that driver, that is, the real driver, is located on the TEE side. In other words, the fingerprint driver is called on the REE side to obtain fingerprint information even though no real fingerprint driver exists on the REE side; instead, an interface for operating the fingerprint sensor is defined on the REE side by means of virtualization.
When the multi-channel communication system according to an embodiment of the invention calls the virtualized fingerprint interface on the REE side, what actually happens is that the information of the fingerprint interface is passed into the TEE through the forward channel of driver channel 104; the TEE side calls the real fingerprint interface to obtain the fingerprint-related information and sends it to the REE side through the reverse driver channel, and the REE then obtains the fingerprint-related result. The CA on the REE side does not notice that the driver call actually involves a switch between two execution environments. This is how message communication is achieved by combining virtualization with the driver channel.
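The exchange described above, as an added illustration that is not code from the patent or its assignee: two environments share one driver channel, a call on a virtual driver is shipped to the peer that owns the host driver, and the reply comes back on the opposite channel. The class names, the in-memory queues standing in for the forward and reverse channels, and the two sample drivers (fingerprint hosted in the TEE, file system hosted in the REE) are assumptions.

```python
"""Virtual docking of a driver call across REE and TEE via the driver channel.

Added illustration of the mechanism described above; it is not code from the
patent or its assignee. The class names, the in-memory queues standing in for
the forward/reverse channels and the two sample drivers are assumptions.
"""
from collections import deque


class DriverChannel:
    """Forward channel carries REE->TEE messages, reverse channel TEE->REE."""

    def __init__(self):
        self.forward = deque()   # REE -> TEE
        self.reverse = deque()   # TEE -> REE
        self.log = []            # direction of every message sent, for inspection

    def send(self, src, msg):
        # The sending environment fixes the direction.
        if src == "REE":
            self.forward.append(msg)
            self.log.append("forward")
        else:
            self.reverse.append(msg)
            self.log.append("reverse")

    def receive(self, dst):
        # The TEE reads the forward channel, the REE reads the reverse channel.
        queue = self.forward if dst == "TEE" else self.reverse
        return queue.popleft()


class HostDriver:
    """The real driver: the only place where hardware-facing code runs."""

    def __init__(self, name, handler):
        self.name = name
        self.handler = handler

    def invoke(self, op, arg):
        return self.handler(op, arg)


class Environment:
    """One execution environment (REE or TEE) holding host and virtual drivers."""

    def __init__(self, name, channel):
        self.name = name
        self.channel = channel
        self.host = {}        # driver name -> HostDriver living here
        self.virtual = set()  # driver names present here only as a virtual interface
        self.peer = None      # the other environment

    def call(self, driver, op, arg):
        """Application-facing entry point: same call whether the driver is local or remote."""
        if driver in self.host:
            return self.host[driver].invoke(op, arg)
        if driver not in self.virtual:
            raise KeyError(f"{self.name} has no driver named {driver}")
        # Virtual driver: ship the request to the peer, which owns the host driver,
        # then wait for the reply on the opposite channel.
        self.channel.send(self.name, {"driver": driver, "op": op, "arg": arg})
        self.peer.serve_one()
        return self.channel.receive(self.name)["result"]

    def serve_one(self):
        """Peer side: take one request off the channel, run the host driver, reply."""
        req = self.channel.receive(self.name)
        result = self.host[req["driver"]].invoke(req["op"], req["arg"])
        self.channel.send(self.name, {"driver": req["driver"], "result": result})


def build_system():
    """Constructed layout: fingerprint host driver in the TEE, file-system host driver in the REE."""
    chan = DriverChannel()
    ree, tee = Environment("REE", chan), Environment("TEE", chan)
    ree.peer, tee.peer = tee, ree
    # Toy handlers standing in for real hardware access (constructed).
    tee.host["fp"] = HostDriver("fp", lambda op, arg: f"fp:{op}:{arg}")
    ree.host["fs"] = HostDriver("fs", lambda op, arg: f"fs:{op}:{arg}")
    ree.virtual.add("fp")   # REE sees only the virtualized fingerprint interface
    tee.virtual.add("fs")   # TEE sees only the virtualized file-system interface
    return ree, tee, chan


def run_demo():
    """Three calls: two cross the channel, the third is served locally."""
    ree, tee, chan = build_system()
    r1 = ree.call("fp", "read", "t1")  # REE -> forward -> TEE host -> reverse -> REE
    r2 = tee.call("fs", "open", "/x")  # TEE -> reverse -> REE host -> forward -> TEE
    r3 = tee.call("fp", "read", "t2")  # host driver is local: no channel traffic
    return r1, r2, r3, list(chan.log)
```

The channel log makes the asymmetry visible: a call that originates in the REE travels forward then reverse, one that originates in the TEE travels reverse then forward, and a call on a locally hosted driver never touches the channel. The caller's code is identical in all three cases, which is the property the text describes.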
The various kinds of hardware carried on a terminal, and the security services they provide such as fingerprint recognition, iris recognition, DRM (Digital Rights Management) and NFC, all have their own drivers. Whether those drivers should be partitioned to the REE side or the TEE side is something for which current TEE software products give neither a clear partitioning method nor an implementation method. The present invention proposes a method of partitioning drivers according to their degree of need for security and availability, together with an implementation method using virtual docking.
According to an embodiment of the invention, the multi-channel communication system includes a driver partitioning unit. Fig. 3 schematically shows the workflow of the driver partitioning unit. The driver partitioning unit performs the following steps:
In step 301, the security of a driver that is to run on the multi-channel communication system is evaluated. If the security of the driver is above a first security threshold, in step 302 the host driver of the driver is partitioned to the TEE side and the virtual driver of the driver is set up on the REE side. If the security of the driver is below a second security threshold, in step 303 the host driver of the driver is partitioned to the REE side and the virtual driver of the driver is set up on the TEE side. If the security of the driver lies between the first security threshold and the second security threshold, in step 304 the availability and the feasibility of the driver are checked: if the availability is below an availability threshold and the feasibility is above a feasibility threshold, in step 305 the host driver of the driver is partitioned to the TEE side and its virtual driver is set up on the REE side; otherwise, in step 306 the host driver of the driver is partitioned to the REE side and its virtual driver is set up on the TEE side.
This partitioning scheme balances security, availability and feasibility. Specifically:
- Security and availability considerations: drivers are partitioned according to the security of the driver resources. Drivers with strong security requirements tend to be partitioned to the TEE side; security is the first criterion and the main reason for setting up a separate TEE in the first place, so a driver whose security requirement is above the threshold should be partitioned to the TEE side. Where a driver's need for availability outweighs its need for security, it tends to be partitioned to the REE side, with security ensured through virtual docking between REE and TEE. For example, the fingerprint driver commonly found in today's terminal devices has strong security requirements, so the fingerprint host driver (Host Driver) is partitioned into the TEE and a virtualized (Virtualized) driver interface is left in the REE for the REE to use; storage and network drivers, on the other hand, are large driver subsystems whose need for availability outweighs their need for security, so their host drivers are partitioned to the REE side and a virtual driver interface is left on the TEE side.
- Feasibility: protecting certain special drivers and operations cannot be decided on security alone; technical feasibility must also be considered. DRM (Digital Rights Management) drivers, NFC (Near Field Communication) drivers and iris camera drivers, for example, are characterized by large driver subsystems that are difficult to migrate fully into the TEE, while still having a certain degree of security requirement. Considering technical feasibility, such drivers are partitioned to the REE side, and to secure them the present invention uses the virtualization and container technology in the REE to protect these driver resources.
According to an embodiment of the invention, the driver partitioning unit partitions the host drivers of the DRM driver, camera driver, network driver, GPS driver and storage driver to the REE side; partitions the host driver of the part of the iris driver concerned with data transmission and data analysis to the TEE side and the host driver of the remaining parts of the iris driver to the REE side; partitions the host driver of the NFC driver to the REE side; partitions the host driver of the part of the fingerprint driver concerned with data transmission and data analysis to the TEE side and the host driver of the part of the fingerprint driver concerned with initiating the SPI interrupt (shared peripheral interrupt) to the REE side; partitions the SE (secure element) driver to the TEE side; and sets the host drivers of the drivers supporting the TUI (trusted user interface) on both the REE side and the TEE side. This partitioning takes into account both the required security level and the protection level of the overall architecture. The drivers supporting the TUI include the LCD driver, touchscreen driver and I2C driver.
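The decision procedure of steps 301 to 306, written out as an added example that is not code from the patent or its assignee. The patent names the thresholds but gives no numbers, so the threshold values, the 0..1 scoring scale and the per-driver scores in the sample table are constructed assumptions, chosen so that the outcome matches the placement the embodiment above describes (fingerprint and secure element to the TEE; network, storage, GPS, DRM, NFC and the camera part of the iris driver to the REE; the data-transmission and analysis part of the iris driver to the TEE).

```python
"""Driver partitioning decision (steps 301-306 of the patent text).

Added illustration, not code from the patent or its assignee. The scores,
thresholds and driver table below are constructed values chosen so that the
outcome matches the placement the text describes; they are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverProfile:
    name: str
    security: float      # how strongly the driver needs protection, 0..1
    availability: float  # how often / how heavily the REE needs it, 0..1
    feasibility: float   # how realistic a full port into the TEE is, 0..1


# Assumed threshold values; the patent names the thresholds but gives no numbers.
HIGH_SECURITY = 0.8      # first security threshold (step 302)
LOW_SECURITY = 0.3       # second security threshold (step 303)
AVAILABILITY_MAX = 0.5   # availability threshold (step 304)
FEASIBILITY_MIN = 0.6    # feasibility threshold (step 304)


def partition(d: DriverProfile) -> str:
    """Return the side ('TEE' or 'REE') that receives the host driver.

    The other side receives the virtual driver interface.
    """
    if d.security > HIGH_SECURITY:          # step 302
        return "TEE"
    if d.security < LOW_SECURITY:           # step 303
        return "REE"
    # step 304: security in the grey zone, weigh availability against feasibility
    if d.availability < AVAILABILITY_MAX and d.feasibility > FEASIBILITY_MIN:
        return "TEE"                        # step 305
    return "REE"                            # step 306


def layout(drivers):
    """Map each driver name to (host driver side, virtual driver side)."""
    result = {}
    for d in drivers:
        host = partition(d)
        virtual = "REE" if host == "TEE" else "TEE"
        result[d.name] = (host, virtual)
    return result


# Constructed profiles. Scores are illustrative, not measurements.
SAMPLE_DRIVERS = [
    DriverProfile("fingerprint", security=0.9, availability=0.2, feasibility=0.9),
    DriverProfile("secure_element", security=0.95, availability=0.1, feasibility=0.9),
    DriverProfile("network", security=0.2, availability=0.95, feasibility=0.2),
    DriverProfile("storage", security=0.25, availability=0.95, feasibility=0.3),
    DriverProfile("gps", security=0.2, availability=0.8, feasibility=0.5),
    # Grey-zone drivers: some security need, but large and hard to port (low feasibility).
    DriverProfile("drm", security=0.6, availability=0.4, feasibility=0.3),
    DriverProfile("nfc", security=0.6, availability=0.3, feasibility=0.2),
    DriverProfile("iris_camera", security=0.5, availability=0.4, feasibility=0.3),
    # Grey-zone part that is small and portable: the iris data transfer/analysis path.
    DriverProfile("iris_data_path", security=0.6, availability=0.2, feasibility=0.9),
]
```

The grey zone is where the procedure differs from a plain security ranking: `drm`, `nfc` and `iris_camera` score the same security as `iris_data_path`, but only the last one clears the feasibility threshold and lands in the TEE. Splitting one hardware driver into two profiles, as the iris example does, is how the text's "partial driver" placements fall out of the same rule.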
Fig. 4 schematically shows the security hierarchy of the multi-channel communication system according to an embodiment of the invention. The REE has lower security than the TEE, and the REE in turn comprises a Hypervisor security level and a Container security level that is less secure than the Hypervisor; the Hypervisor and the Container are isolated from each other, as are the REE and the TEE.
The Container layer refers generally to technology similar to container technology under the Linux operating system; the Hypervisor refers to a virtual software layer built on hardware-supported virtualization extensions; the TEE refers to TEE technology provided by a processor chip, not limited to the ARM TrustZone extension.
According to an embodiment of the invention, the driver partitioning unit places the host drivers of drivers partitioned to the REE side into either the Container or the Hypervisor.
In one embodiment, the multi-channel communication system further includes an SE runtime environment isolated from both the REE and the TEE. This SE runtime environment may cover the eSE (embedded secure element), SIM (Subscriber Identification Module), SSD (secure storage device) and the like in a mobile terminal; it has the highest security level but comparatively weak processing capability.
If drivers are assigned to these security levels according to the security level of each driver and the security requirements of the overall architecture, the result is as follows:
REE: network driver, GPS driver, storage driver and the like. The security requirements for these are not that high, but they are in very high demand and need to be used frequently. Placing them in the TEE would seriously affect system performance, so they are placed in the REE without protection.
REE Container: protecting certain special drivers and operations cannot be decided on security alone; technical feasibility must also be considered. DRM drivers, NFC drivers and iris camera drivers, for example, are characterized by large driver subsystems that are difficult to migrate fully into the TEE while still having a certain degree of security requirement. According to the invention, for instance, the parts of the iris driver concerned with data transmission and data analysis are placed on the secure side and the remaining parts of the driver are placed in the REE Container, because those two parts are the ones that involve security protection, whereas the remaining parts have a lower protection level and are therefore placed in the REE Container.
REE Hypervisor: in the REE, ARM virtualization supports EL2 hardware virtualization. Virtualization raises the security level, but it remains within the REE, whose security level is lower than the TEE's. NFC is gradually coming into use, but mainly on the non-secure side, and the market demand for NFC payment is comparatively small; moreover, NFC device vendors rarely provide porting code for the TEE, so porting is very difficult and would considerably affect system stability. The NFC driver is therefore kept on the REE side but placed in the Hypervisor to raise its security level.
TEE: fingerprint use is tied to payment, and payment requires absolute security, so the fingerprint driver is placed in the TEE and the fingerprint device can only be used in the secure world. The initiation of the SPI interrupt in the fingerprint driver takes place in the REE, and that part is not protected by the TEE; the rest, such as fingerprint data transmission and analysis, is placed in the TEE. The SE has the highest security level, and the SE driver must be placed in the TEE.
TUI: the trusted user interface. The screen driver must be present in both the REE and the TEE. The screen is the most frequently used device, so the REE side must contain a screen driver; but to ensure that a secure interface is available when needed, for example when a bank account number and password are entered and must be handled in the TEE, the screen driver must be callable directly on the secure side.
According to an embodiment of the invention, a virtual docking method between the different security levels is implemented. Specifically, initialization of the environments on the REE side, whether Container or Hypervisor, is initiated and checked from the TEE side: the TEE boots and initializes the Hypervisor, and the Hypervisor in turn boots and initializes the Container. The TEE thus serves as the root of security and trust, ensuring that the entire secure boot is built on verification of authenticity and integrity.
Fig. 5 schematically shows the virtual docking between REE and TEE. Initialization of the environments on the REE side, whether Container or Hypervisor, is initiated and checked from the TEE side: the TEE boots and initializes the Hypervisor, and the Hypervisor in turn boots and initializes the Container. As the root of security and trust, the TEE ensures that the entire secure boot is built on verification of authenticity and integrity.
For DRM and iris, when the DRM or iris TA performs a secure operation it relies on the driver module in the Container of the REE; as soon as a call completes, the Hypervisor disables IO control of the DRM and iris camera drivers, using a mechanism in the processor chip similar to an IOMMU or SMMU, so that during the secure operation the driver's control registers cannot be tampered with by the REE OS.
For the NFC driver, taking offline payment as an example, the NFC driver is isolated and protected in a virtual machine on the Hypervisor, while the critical eSE driver it is expected to cooperate with is protected entirely in the TEE and interacts directly with the SE, which, where present, is the highest security level.
Other cases, such as secure positioning and the protection of security-critical positioning and driver modules in the Internet of Things, can be handled by a similar scheme.
The driver partitioning method and docking scheme of the invention effectively solve the problem of how the TEE should protect the various kinds of drivers. At present other TEE vendors generally handle driver subsystems either by migrating all of them to the secure side or by leaving all of them in the REE. Such designs are simple and relatively secure, but because no analysis of the types and characteristics of the drivers is made, they suffer from serious defects in implementation: among the well-known TEE vendors, the approach of migrating all drivers into the TEE has been attempted but has still not been realized to date, because drivers are closely tied to the system, and although this would fully protect the drivers, it is an undeniable fact that it cannot be implemented.
According to an embodiment of the invention, the TEE cryptographically encrypts data to be sent to the REE side, so that all data flowing to the REE side is ciphertext. The tamper-resistance and eavesdropping-resistance of the TEE side are thereby extended to the receiver on the REE side, giving the TEE runtime environment and the multi-channel communication system as a whole a higher level of security.
The multi-channel communication system may further include a processor core scheduling unit, which can schedule processor cores within the TEE and between the TEE and the REE. At regular intervals (for example every 100 ms) the processor core scheduling unit checks the task load of each processor core on the TEE side and acts on the result of the check as follows:
- If a processor core on the TEE side is overloaded, its task load is shifted to other TEE-side processor cores that are not overloaded; if the TEE-side processor cores as a whole are still overloaded after this shift, the processor core scheduling unit migrates a processor core from the REE side to the TEE side via the scheduling and control channel, so that it handles TEE-side tasks as a TEE-side processor core;
- If all tasks on the TEE side are blocked or suspended, the processor core scheduling unit migrates all TEE-side processor cores to the REE side via the scheduling and control channel, so that they execute REE-side tasks as REE-side processor cores;
- If the tasks on the TEE side decrease and idle processor cores appear, the processor core scheduling unit migrates the idle processor cores to the REE side via the scheduling and control channel, so that they execute REE-side tasks as REE-side processor cores.
In this way the processor resources of the system are utilized to the greatest possible extent, ensuring healthy operation of the handlers in both the TEE and the REE.
According to an embodiment, when the TEE-side processor cores as a whole are overloaded, an overloaded TEE-side processor core may send a request to the processor core scheduling unit; the processor core scheduling unit then checks the state of the REE-side processor cores, randomly selects a processor core in the suspended state and transfers it to the TEE side to execute TEE-side tasks as a TEE-side processor core, and distributes the pending tasks of the requesting processor core to the newly transferred TEE-side processor core according to a specific task rule, for example in order of priority or in order of migration time.
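One scheduling tick of the three rules above (shift load within the TEE, borrow a suspended REE core if the TEE is still overloaded, return idle or fully blocked TEE cores to the REE), as an added example that is not code from the patent or its assignee. The `Core` model with integer percentage loads, the overload and idle thresholds, the `migrate()` function standing in for the scheduling and control channel, and the seeded random choice of the suspended REE core are all assumptions.

```python
"""Periodic core rebalancing between the TEE and REE sides.

Added illustration of the scheduling rules listed above; it is not code from
the patent or its assignee. The Core model, the load/idle thresholds and the
migrate() stand-in for the scheduling and control channel are assumptions.
"""
from dataclasses import dataclass
import random


@dataclass
class Core:
    cid: int
    side: str               # "TEE" or "REE"
    load: int = 0           # percent of capacity in use, 0..100
    state: str = "running"  # "running" or "suspended"
    blocked: bool = False   # True when every task on the core is blocked/suspended


HIGH_LOAD = 80  # assumed: above this a core counts as overloaded
IDLE_LOAD = 5   # assumed: below this a core counts as idle


def migrate(core, side, actions):
    """Stand-in for the scheduling and control channel: move a core to the other side."""
    actions.append(f"core{core.cid}:{core.side}->{side}")
    core.side = side
    core.load = 0
    core.blocked = False


def rebalance(cores, rng=None):
    """One scheduling tick (the text checks e.g. every 100 ms). Returns the migrations made."""
    rng = rng or random.Random(0)   # seeded only so the demo is reproducible
    actions = []
    tee = [c for c in cores if c.side == "TEE"]
    ree = [c for c in cores if c.side == "REE"]

    # Rule 2: every TEE task blocked or suspended -> hand all TEE cores to the REE.
    if tee and all(c.blocked for c in tee):
        for c in tee:
            migrate(c, "REE", actions)
        return actions

    # Rule 1a: shift load from overloaded TEE cores onto TEE cores with headroom.
    for hot in [c for c in tee if c.load > HIGH_LOAD]:
        for cold in [c for c in tee if c is not hot and c.load < HIGH_LOAD]:
            if hot.load <= HIGH_LOAD:
                break
            moved = min(HIGH_LOAD - cold.load, hot.load - HIGH_LOAD)
            hot.load -= moved
            cold.load += moved

    # Rule 1b: TEE still overloaded as a whole -> borrow a suspended REE core, picked at random.
    if any(c.load > HIGH_LOAD for c in tee):
        candidates = [c for c in ree if c.state == "suspended"]
        if candidates:
            pick = rng.choice(candidates)
            migrate(pick, "TEE", actions)
            pick.state = "running"
            for hot in [c for c in tee if c.load > HIGH_LOAD]:
                excess = hot.load - HIGH_LOAD   # pending tasks handed to the new core
                hot.load -= excess
                pick.load += excess

    # Rule 3: TEE cores left idle are returned to the REE.
    for c in [c for c in tee if c.load < IDLE_LOAD]:
        migrate(c, "REE", actions)
    return actions


def demo():
    """Constructed tick: two overloaded TEE cores, one suspended REE core available to borrow."""
    cores = [Core(1, "TEE", 100), Core(2, "TEE", 90),
             Core(3, "REE", state="suspended"), Core(4, "REE", 40)]
    actions = rebalance(cores)
    return actions, [c.side for c in cores], [c.load for c in cores]
```

In `demo()` neither TEE core has headroom, so rule 1a moves nothing and rule 1b borrows the suspended REE core 3, which then absorbs the 30 percent of excess load; the running REE core 4 is never a candidate. With a second TEE core that does have headroom, rule 1a alone resolves the overload and no migration happens, which is the ordering the text prescribes: rebalance inside the TEE first, borrow from the REE only if that fails.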
Fig. 6 schematically shows how the core scheduling unit operates according to an embodiment of the invention.
As shown in Fig. 6, processor core 2 acts as a dedicated TEE-side core handling secure tasks (Secure Task); during this time it is periodically handed back to the REE by the global scheduler, mainly to respond to the REE OS's inter-core scheduling, routine tasks and interrupt scheduling. Processor core 3 is dynamically added to the TEE runtime environment according to the TEE's load to handle Secure Tasks. This is the basic global scheduling method proposed by the invention.
In a further embodiment, the processor core scheduling unit uses a time-slice-based single-core scheduling algorithm to schedule the cores on the TEE side. Each task is assigned a priority. Multiple processes take turns executing on the same TEE core: over any period of time N processes may be executing concurrently, but at any single instant only one process is executing. If a process uses up its time slice without finishing, the core currently in use must be switched to other processes, and the process whose slice expired is switched back onto the core, by a timer interrupt, when its own time slice comes around again in the next round of the time-slice cycle. Where the TEE and REE together have multiple cores, the processor core scheduling unit can continue the execution of a process whose time slice has expired by starting a new core, that is, it balances the core load by bringing a new core into use. The new core is preferably an idle core in the TEE, but may also be a core picked at random from the idle cores in the REE and migrated over from the REE side. This embodiment may be implemented with, for example, the HEFT (Heterogeneous Earliest Finish Time) or CPOP (Critical Path on a Processor) algorithm.
According to an embodiment of the invention, the multi-channel communication system includes an interrupt control unit. When a processor core on the TEE side receives an interrupt:
- the interrupt control unit classifies those interrupts that can only be handled by a TEE-side processor core as secure interrupts into a first group, and classifies the other interrupts as non-secure interrupts into a second group.
The following processing can then be carried out:
- the interrupt control unit hands the secure interrupts in the first group to the TEE-side processor core for handling, and
- the interrupt control unit transfers the non-secure interrupts in the second group via the scheduling and control channel to an REE-side processor core for handling.
Alternatively, the following processing is carried out:
- the interrupt control unit hands the secure interrupts in the first group to the TEE-side processor core for handling, and
- the interrupt control unit determines whether a non-secure interrupt in the second group is an SPI (Shared Peripheral Interrupt), a PPI (private interrupt) or an SGI (software interrupt). If it is an SPI, the interrupt control unit instructs the TEE-side processor core that received the interrupt to discard it, and transfers the discarded SPI via the scheduling and control channel to an REE-side processor core for handling. If it is a PPI or an SGI, the interrupt control unit notifies the processor core scheduling unit, which then transfers the TEE-side processor core that received the interrupt to the REE side via the scheduling and control channel so that it becomes an REE-side processor core, places the interrupt's task in the corresponding work queue (working Queue), and afterwards transfers that REE-side processor core back to the TEE side via the scheduling and control channel so that it again becomes a TEE-side processor core waiting to receive further interrupts. For example, as soon as the interrupt has been placed in the work queue, the processor core scheduling unit transfers the REE-side processor core that received the interrupt back to the TEE side via the scheduling and control channel. The scheme of this embodiment allows a large number of SPIs to be discarded and handed to other REE processor cores for handling, greatly reducing the number of times a TEE processor core has to switch back to being an REE processor core for handling, and thereby substantially improving the processing efficiency of the TEE.
Fig. 7 schematically shows the workflow of the interrupt control unit according to an embodiment of the invention. As shown in Fig. 7, in response to a TEE processor core receiving an interrupt, the interrupt control unit determines whether the interrupt is a secure interrupt (FIQ) or a non-secure interrupt (IRQ), placing the secure interrupts FIQ in one group and the other interrupts in another group. On the basis of this division into secure and non-secure interrupts, a secure interrupt must be handled in the TEE, whereas the other interrupts must be handled on another REE processor core or on this core acting as an REE processor core.
Because hardware resources on the TEE side are limited, interrupts that need not be handled on the TEE side are generally handed to REE processor cores in order to improve the processing capability of the TEE processor cores and reduce the load on TEE resources. Dividing the interrupts received by a TEE core as above therefore makes it possible to schedule the resulting non-secure interrupts IRQ and secure interrupts FIQ with the TEE-side processor core in mind, avoiding overloading it as far as possible. In the next step, the secure interrupts FIQ can be left to the TEE processor core to handle, while the non-secure interrupts IRQ are migrated via scheduling and control channel 105 to the REE side, where the REE processor core adds them to the work queue. Afterwards, the processor core is switched back to the TEE side by the interrupt control unit and continues to wait for further interrupts for that core.
In an optional further step, a non-secure interrupt IRQ is further distinguished as a shared peripheral interrupt SPI, a private interrupt PPI or a software interrupt SGI. A non-secure SPI can be discarded by the TEE core and taken over and handled by an REE core through scheduling and control channel 105. An SPI can be taken over by any processor core, whereas a PPI or software interrupt SGI can only be handled by the TEE processor core that received it; the optimized way of handling this part of the interrupts is therefore to migrate that TEE processor core to the REE side so that it handles the PPI or SGI as an REE processor core. In this way, interrupts that do not need to be handled on a TEE processor core are handed off to REE processor cores as far as possible. Because the TEE processor core discards a large number of SPIs and hands them to other REE processor cores for handling, the number of times a TEE processor core switches back to being an REE processor core for handling is greatly reduced, substantially improving the processing efficiency of the TEE.
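The two-stage dispatch described above (secure versus non-secure, then SPI versus PPI/SGI for the non-secure ones), as an added example that is not code from the patent or its assignee. The interrupt-id ranges follow the usual ARM GIC numbering (SGI 0-15, PPI 16-31, SPI from 32 upward), which is an assumption about the platform, and the set of secure interrupt ids is constructed; the deques stand in for the scheduling and control channel and the REE work queue.

```python
"""Dispatch of interrupts arriving at a TEE-side processor core.

Added illustration of the interrupt control unit described above; it is not
code from the patent or its assignee. The interrupt-id ranges follow the usual
ARM GIC numbering (SGI 0-15, PPI 16-31, SPI 32 and up), which is an assumption
about the platform, and the set of secure interrupt ids is constructed.
"""
from collections import deque

# Constructed: interrupt ids that only a TEE core may service (first group, FIQ).
SECURE_INTERRUPTS = {40, 41}


def kind(intid):
    """Classify an interrupt id as SGI, PPI or SPI (assumed GIC numbering)."""
    if intid < 16:
        return "SGI"
    if intid < 32:
        return "PPI"
    return "SPI"


class InterruptControlUnit:
    def __init__(self):
        self.tee_handled = []      # secure interrupts serviced on the TEE core
        self.to_ree = deque()      # stand-in for the scheduling and control channel
        self.work_queue = deque()  # REE work queue receiving PPI/SGI tasks
        self.core_switches = 0     # TEE -> REE -> TEE round trips of the receiving core
        self.trace = []

    def group(self, intid):
        """First group: secure (FIQ); second group: non-secure (IRQ)."""
        return 1 if intid in SECURE_INTERRUPTS else 2

    def on_interrupt(self, intid):
        """Handle one interrupt received by a TEE-side core; return the action taken."""
        if self.group(intid) == 1:
            self.tee_handled.append(intid)
            action = "handled_in_tee"
        elif kind(intid) == "SPI":
            # Non-secure SPI: dropped on this core and handed to any REE core.
            self.to_ree.append(intid)
            action = "dropped_and_forwarded_to_ree"
        else:
            # PPI/SGI is bound to the receiving core: the core moves to the REE side,
            # queues the task in the work queue and returns to the TEE side at once.
            self.core_switches += 1
            self.work_queue.append(intid)
            action = "core_switched_to_ree_and_back"
        self.trace.append((intid, action))
        return action


def replay(intids):
    """Run a constructed interrupt sequence through the unit and summarise the outcome."""
    icu = InterruptControlUnit()
    for i in intids:
        icu.on_interrupt(i)
    return {
        "secure": list(icu.tee_handled),
        "forwarded_spi": list(icu.to_ree),
        "work_queue": list(icu.work_queue),
        "core_switches": icu.core_switches,
    }
```

The `core_switches` counter is the quantity the text is optimizing: in the constructed sequence of seven interrupts, only the two core-bound ones (a PPI and an SGI) force the receiving core to leave the TEE, while the three non-secure SPIs are dropped and picked up by REE cores without any world switch on the TEE core.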
Fig. 8 schematically shows an electronic device according to an embodiment of the invention. The electronic device has a multi-channel communication system according to an embodiment of the invention together with a network interface and a peripheral interface; a user can obtain applications via the network interface or the peripheral interface and install them on the multi-channel communication system, and can run different applications. The electronic device may for example be a mobile phone, a handheld computer, a notebook computer, a desktop computer, a wearable smart communication device, or any other electronic device that a person skilled in the art would consider reasonable.
The invention also relates to a multi-channel communication method designed to operate the multi-channel communication system according to the embodiments of the invention described above.
The invention also relates to a computer program product having program code which, when the computer program is executed on a computer, causes the multi-channel communication method according to an embodiment of the invention to be carried out.
The invention also relates to a data carrier carrying the program code of a computer program which, when the computer program is executed on a computer, causes the multi-channel communication method according to an embodiment of the invention to be carried out.
The invention also relates to an electronic device having a driver partitioning unit according to an embodiment of the invention together with a network interface and a peripheral interface, wherein a user can obtain a driver via the network interface or the peripheral interface and the driver partitioning unit partitions the host driver of that driver to the trusted execution environment or the normal execution environment.
The invention also relates to an electronic device having a processor core scheduling unit according to an embodiment of the invention together with a network interface and a peripheral interface, wherein a user can obtain an application via the network interface or the peripheral interface, and while the application runs on the electronic device the processor core scheduling unit schedules processor cores within the trusted execution environment and between the trusted execution environment and the normal execution environment according to the load state of the processor cores of the trusted execution environment.
The invention also relates to a processor core scheduling method designed to operate the processor core scheduling unit according to an embodiment of the invention.
The invention also relates to a computer program product having program code which, when the computer program is executed on a computer, causes the processor core scheduling method according to the invention to be carried out.
The invention also relates to a data carrier carrying the program code of a computer program which, when the computer program is executed on a computer, causes the processor core scheduling method according to an embodiment of the invention to be carried out.
The invention also relates to an electronic device having an interrupt control unit according to an embodiment of the invention together with a network interface and a peripheral interface, wherein a user can obtain an application via the network interface or the peripheral interface, and while the application runs on the electronic device the interrupt control unit schedules an interrupt between a processor core of the trusted execution environment and a processor core of the normal execution environment according to the type of interrupt received by the processor core of the trusted execution environment.
本发明还涉及一种中断控制方法,其设计为用于运行根据本发明实施例的中断控制单元。The invention further relates to an interrupt control method designed to operate an interrupt control unit in accordance with an embodiment of the present invention.
本发明还涉及一种计算机程序产品,其具有程序代码,以便当在计算机上执行计算机程序时引起执行根据本发明实施例的中断控制方法。The invention further relates to a computer program product having program code for causing execution of an interrupt control method according to an embodiment of the invention when executing a computer program on a computer.
本发明还涉及一种数据载体,其具有计算机程序的程序代码,以便当在计算机上执行计算机程序时引起执行根据本发明实施例的中断控制方法。The invention further relates to a data carrier having program code of a computer program for causing execution of an interrupt control method according to an embodiment of the invention when the computer program is executed on a computer.
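The scheduling and interrupt behaviour described in the paragraphs above (and spelled out in claims 1 to 8 below) as a runnable model. This is an added example, not code from the patent or its assignee; the core count, the load units, the `OVERLOAD` threshold and the way pending tasks are handed to a newly migrated core are constructed assumptions.

```python
import random
from dataclasses import dataclass, field
from enum import Enum

CHECK_INTERVAL_MS = 100  # claim 3: the scheduling unit inspects TEE core loads every 100 ms
OVERLOAD = 8.0           # assumed threshold above which a core's task load is "too high"


class Env(Enum):
    REE = "REE"  # normal execution environment
    TEE = "TEE"  # trusted execution environment


class Irq(Enum):
    FIQ = "FIQ"  # secure interrupt, first group: only a TEE core may handle it
    SPI = "SPI"  # shared peripheral interrupt, second group (non-secure)
    PPI = "PPI"  # private interrupt, second group (non-secure)
    SGI = "SGI"  # software interrupt, second group (non-secure)


@dataclass
class Core:
    cid: int
    env: Env
    load: float = 0.0        # runnable task load on this core (constructed units)
    blocked: bool = False    # True when every task on this core is blocked or suspended
    suspended: bool = False  # REE core in the suspended state, eligible for migration


@dataclass
class System:
    cores: list
    work_queue: list = field(default_factory=list)  # REE work queue for PPI/SGI tasks
    log: list = field(default_factory=list)         # migrations over the control channel

    def tee(self):
        return [c for c in self.cores if c.env is Env.TEE]

    def ree(self):
        return [c for c in self.cores if c.env is Env.REE]

    def migrate(self, core, dst):
        # Every migration travels over the scheduling and control channel (105).
        self.log.append(f"core{core.cid}:{core.env.value}->{dst.value}")
        core.env = dst

    def check_tee_load(self):
        """One periodic check by the processor core scheduling unit (claims 1-4)."""
        tee = self.tee()
        # Rule 1: shift the excess of an overloaded TEE core onto TEE cores with headroom.
        for c in tee:
            for other in tee:
                if c.load <= OVERLOAD:
                    break
                if other is c or other.load >= OVERLOAD:
                    continue
                moved = min(OVERLOAD - other.load, c.load - OVERLOAD)
                c.load -= moved
                other.load += moved
        # Rule 2: still overloaded overall -> a suspended REE core is picked at random
        # (claim 4), joins the TEE and takes the requester's pending tasks (its excess here).
        for c in [c for c in self.tee() if c.load > OVERLOAD]:
            pool = [r for r in self.ree() if r.suspended]
            if not pool:
                break
            newcomer = random.choice(pool)
            self.migrate(newcomer, Env.TEE)
            newcomer.load, c.load = c.load - OVERLOAD, OVERLOAD
        busy = [c for c in self.tee() if c.load > 0]
        # Rule 3: every TEE task blocked/suspended -> all TEE cores serve the REE for now.
        if busy and all(c.blocked for c in busy):
            for c in self.tee():
                c.load, c.blocked = 0.0, False  # blocked TEE tasks stay behind (simplified)
                self.migrate(c, Env.REE)
            return
        # Rule 4: idle TEE cores are handed back to the REE.
        for c in self.tee():
            if c.load == 0:
                self.migrate(c, Env.REE)

    def handle_interrupt(self, core, irq):
        """Interrupt control unit for an interrupt arriving at a TEE core (claims 5-8)."""
        if irq is Irq.FIQ:  # first group: the TEE core handles it itself
            return f"FIQ handled by TEE core{core.cid}"
        if irq is Irq.SPI:  # shared peripheral: TEE core discards it, an REE core takes it
            ree = self.ree()
            if not ree:
                return "SPI discarded; no REE core available"
            return f"SPI forwarded to REE core{ree[0].cid}"
        # PPI or SGI: the receiving core becomes an REE core, the interrupt's task is queued
        # in the REE work queue, then the core returns to the TEE to await more (claim 8).
        self.migrate(core, Env.REE)
        self.work_queue.append((irq.value, core.cid))
        self.migrate(core, Env.TEE)
        return f"{irq.value} queued in REE work queue; core{core.cid} back in TEE"
```

Note that rule 4 can leave the TEE with no processor core at all, which is exactly what the claims describe; a real implementation would have to decide who receives the next secure interrupt in that state.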
以上,仅为本公开的具体实施方式,但本公开的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本公开揭露的技术范围内,可轻易想到变化或替换,都应涵盖在本公开的保护范围之内。因此,本公开的保护范围应以权利要求的保护范围为准。The above is only the specific embodiment of the present disclosure, but the scope of the present disclosure is not limited thereto, and any person skilled in the art can easily think of changes or substitutions within the technical scope of the disclosure, and should cover It is within the scope of protection of the present disclosure. Therefore, the scope of protection of the disclosure should be determined by the scope of the claims.
List of reference signs
REE  normal execution environment
TEE  trusted execution environment
SE   secure element
100  multi-channel communication system
101  REE
102  TEE
103  application channel
104  driver channel
105  scheduling and control channel
DRM  digital rights management
NFC  near-field communication
IRQ  non-secure interrupt
FIQ  secure interrupt
SPI  shared peripheral interrupt
PPI  private interrupt
SGI  software interrupt
eSE  embedded secure element

Claims (16)

  1. A communication system for communication between a normal execution environment and a trusted execution environment,
    wherein
    the communication system comprises a normal execution environment and a trusted execution environment,
    wherein
    the trusted execution environment is isolated from the normal execution environment;
    an operating system and applications can run in each of the trusted execution environment and the normal execution environment,
    the communication system further comprises a processor core scheduling unit,
    which checks the task load of each processor core of the trusted execution environment at intervals:
    if a processor core of the trusted execution environment has too high a task load, its task load is transferred to other processor cores of the trusted execution environment whose task load is not too high; if, after the transfer, the processor cores of the trusted execution environment as a whole still have too high a task load, the processor core scheduling unit migrates a processor core of the normal execution environment to the trusted execution environment via the scheduling and control channel, so that it handles the tasks of the trusted execution environment as a processor core of the trusted execution environment,
    if all tasks of the trusted execution environment are in a blocked or suspended state, the processor core scheduling unit migrates all processor cores of the trusted execution environment to the normal execution environment via the scheduling and control channel, so that they execute tasks of the normal execution environment as processor cores of the normal execution environment,
    if the tasks of the trusted execution environment decrease and idle processor cores appear, the processor core scheduling unit migrates the idle processor cores to the normal execution environment via the scheduling and control channel, so that they execute tasks of the normal execution environment as processor cores of the normal execution environment.
  2. The communication system according to claim 1, wherein the processor core scheduling unit checks the task load of each processor core of the trusted execution environment at a set time interval.
  3. The communication system according to claim 2, wherein the set time interval is 100 ms.
  4. The communication system according to at least one of claims 1 to 3, wherein, if the processor cores of the trusted execution environment as a whole have too high a task load, the processor core of the trusted execution environment whose task load is too high sends a request to the processor core scheduling unit, which then checks the state of the processor cores of the normal execution environment and randomly selects a processor core in the suspended state to transfer to the trusted execution environment, so that it executes tasks of the trusted execution environment as a processor core of the trusted execution environment, and the processor core scheduling unit distributes the pending tasks of the requesting processor core to the newly transferred processor core of the trusted execution environment for processing according to specific task rules.
  5. The communication system according to at least one of claims 1 to 4, wherein the communication system further comprises an interrupt control unit; if a processor core of the trusted execution environment receives an interrupt, the interrupt control unit classifies interrupts that can only be handled by a processor core of the trusted execution environment into a first group as secure interrupts, and classifies all other interrupts into a second group as non-secure interrupts.
  6. The communication system according to claim 5, wherein
    the interrupt control unit hands the secure interrupts of the first group to a processor core of the trusted execution environment for handling, and
    transfers the non-secure interrupts of the second group via the scheduling and control channel to a processor core of the normal execution environment for handling.
  7. The communication system according to claim 5, wherein
    the interrupt control unit hands the secure interrupts of the first group to a processor core of the trusted execution environment for handling, and
    the interrupt control unit determines whether a non-secure interrupt of the second group is a shared peripheral interrupt, a private interrupt or a software interrupt;
    if it is a shared peripheral interrupt, the interrupt control unit instructs the processor core of the trusted execution environment that received the interrupt to discard it, and the interrupt control unit transfers the discarded shared peripheral interrupt via the scheduling and control channel to a processor core of the normal execution environment for handling;
    if it is a private interrupt or a software interrupt, the interrupt control unit notifies the processor core scheduling unit, which then transfers the processor core of the trusted execution environment that received the interrupt to the normal execution environment via the scheduling and control channel, so that it becomes a processor core of the normal execution environment, and places the task of the interrupt in the work queue.
  8. The communication system according to claim 7, wherein the processor core scheduling unit is used to schedule processor cores within the trusted execution environment and between the trusted execution environment and the normal execution environment,
    wherein, after the task of the private interrupt or software interrupt has been placed in the work queue, the processor core scheduling unit transfers the processor core of the normal execution environment that received the interrupt back to the trusted execution environment via the scheduling and control channel, so that it again becomes a processor core of the trusted execution environment waiting to receive further interrupts.
  9. The communication system according to any one of claims 1 to 8, wherein
    the communication system further comprises an application channel and a driver channel arranged between the normal execution environment and the trusted execution environment,
    wherein
    the application channel is used for communication between applications of the normal execution environment and of the trusted execution environment;
    the driver channel is used for communication between drivers running in the normal execution environment and in the trusted execution environment.
  10. The communication system according to claim 9, wherein the application channel, the driver channel and the scheduling and control channel are each provided in shared memory between the normal execution environment and the trusted execution environment, and the shared memory regions used for the different channels are independent of one another.
  11. The communication system according to claim 9, wherein the application channel, the driver channel and the scheduling and control channel each comprise a forward channel and a reverse channel, wherein the forward channel transfers messages from the send queue of the normal execution environment to the receive queue of the trusted execution environment, and the reverse channel transfers messages from the send queue of the trusted execution environment to the receive queue of the normal execution environment.
  12. The communication system according to claim 11, wherein the send queue and the receive queue of each of the normal execution environment and the trusted execution environment store the message type and the message content of the messages to be sent or received, so that each message is sent or received via the channel matching its message type.
  13. The communication system according to claim 9, wherein client applications, main drivers, virtual drivers and/or processor cores can run in the normal execution environment, and trusted applications, main drivers, virtual drivers and/or processor cores can run in the trusted execution environment.
  14. The communication system according to claim 13, wherein the driver channel is constructed for communication between the virtual driver and the main driver across the normal execution environment and the trusted execution environment, so as to implement driver sharing between the normal execution environment and the trusted execution environment.
  15. The communication system according to claim 14, wherein
    when the normal execution environment calls a particular driver, if the main driver of that driver is present in the trusted execution environment and a virtual driver of that driver is present in the normal execution environment, the normal execution environment calls the virtual driver of that driver provided in the normal execution environment, which triggers information relating to the driver to be sent via the forward channel of the driver channel to the corresponding main driver of the trusted execution environment; that main driver is then invoked and returns the processed information via the reverse channel of the driver channel to the virtual driver of the normal execution environment, and
    when the trusted execution environment calls a particular driver, if a virtual driver of that driver is present in the trusted execution environment and the main driver of that driver is present in the normal execution environment, the trusted execution environment calls the virtual driver of that driver provided in the trusted execution environment, which triggers information relating to the driver to be sent via the reverse channel of the driver channel to the corresponding main driver of the normal execution environment; that main driver is then invoked and returns the processed information via the forward channel of the driver channel to the virtual driver of the trusted execution environment.
  16. An electronic device comprising: the communication system according to any one of claims 1 to 15, together with a network interface and a peripheral device interface, wherein a user can obtain an application via the network interface or the peripheral device interface and install it in the communication system, and the user can also run different applications by means of the communication system.
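The channel layout of claims 9 to 15 (one independent shared-memory channel per message type, each with a forward and a reverse queue, and a virtual driver that forwards calls to the main driver on the other side) as a runnable model. This is an added example, not code from the patent or its assignee; the `nfc` and `storage` drivers, the message content fields and the synchronous `peer` hand-off are constructed assumptions standing in for real shared-memory signalling.

```python
from collections import deque
from dataclasses import dataclass
from enum import Enum


class Env(Enum):
    REE = "REE"  # normal execution environment
    TEE = "TEE"  # trusted execution environment


class MsgType(Enum):
    APP = "application"  # application channel (103)
    DRIVER = "driver"    # driver channel (104)
    CONTROL = "control"  # scheduling and control channel (105)


@dataclass
class Message:
    mtype: MsgType  # stored beside the content in the send/receive queues (claim 12)
    content: dict


class Channel:
    """One channel in its own shared-memory region: a forward queue (REE send queue ->
    TEE receive queue) and a reverse queue (TEE send queue -> REE receive queue)."""

    def __init__(self, mtype):
        self.mtype = mtype
        self.forward = deque()
        self.reverse = deque()

    def send(self, src, msg):
        if msg.mtype is not self.mtype:  # a message only travels on its matching channel
            raise ValueError(f"{msg.mtype.value} message refused on {self.mtype.value} channel")
        (self.forward if src is Env.REE else self.reverse).append(msg)

    def receive(self, dst):
        queue = self.forward if dst is Env.TEE else self.reverse
        return queue.popleft() if queue else None


class Side:
    """One execution environment holding main drivers and virtual drivers (claim 13)."""

    def __init__(self, env, channels):
        self.env = env
        self.channels = channels      # MsgType -> Channel, one independent region each
        self.main_drivers = {}        # driver name -> callable(request) -> result
        self.virtual_drivers = set()  # drivers whose main driver lives on the other side
        self.peer = None              # the other execution environment (constructed)

    def send(self, msg):
        # Claim 12: the message type selects the channel the message is sent on.
        self.channels[msg.mtype].send(self.env, msg)

    def call_driver(self, name, request):
        """Claim 15: a virtual driver forwards the call over the driver channel."""
        if name in self.main_drivers:
            return self.main_drivers[name](request)
        if name not in self.virtual_drivers:
            raise KeyError(f"{self.env.value} has neither a main nor a virtual {name} driver")
        self.send(Message(MsgType.DRIVER, {"driver": name, "request": request}))
        self.peer.service_driver_requests()  # the main driver on the other side is invoked
        reply = self.channels[MsgType.DRIVER].receive(self.env)
        return reply.content["result"]

    def service_driver_requests(self):
        """Drain the driver channel, run the main driver, reply on the opposite queue."""
        chan = self.channels[MsgType.DRIVER]
        while (msg := chan.receive(self.env)) is not None:
            name = msg.content["driver"]
            result = self.main_drivers[name](msg.content["request"])
            self.send(Message(MsgType.DRIVER, {"driver": name, "result": result}))


def build_system():
    """Constructed setup: an NFC main driver in the TEE with a virtual driver in the REE,
    and a storage main driver in the REE with a virtual driver in the TEE."""
    channels = {t: Channel(t) for t in MsgType}
    ree, tee = Side(Env.REE, channels), Side(Env.TEE, channels)
    ree.peer, tee.peer = tee, ree
    tee.main_drivers["nfc"] = lambda req: f"nfc-tag:{req['op']}"
    ree.virtual_drivers.add("nfc")
    ree.main_drivers["storage"] = lambda req: f"stored:{req['key']}"
    tee.virtual_drivers.add("storage")
    return ree, tee
```

A REE call to `nfc` travels forward queue then reverse queue, a TEE call to `storage` travels reverse queue then forward queue, which is the pairing claim 15 specifies; a message of the wrong type is refused by the channel rather than silently crossing into another channel's memory.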
PCT/CN2017/106734 2016-10-19 2017-10-18 Communication system and electronic device WO2018072715A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201610910850.4 2016-10-19
CN201610910850.4A CN106547618B (en) 2016-10-19 2016-10-19 Communication system and electronic equipment

Publications (1)

Publication Number Publication Date
WO2018072715A1 true WO2018072715A1 (en) 2018-04-26

Family

ID=58369418

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/106734 WO2018072715A1 (en) 2016-10-19 2017-10-18 Communication system and electronic device

Country Status (2)

Country Link
CN (1) CN106547618B (en)
WO (1) WO2018072715A1 (en)

Also Published As

Publication number Publication date
CN106547618B (en) 2019-10-29
CN106547618A (en) 2017-03-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17862797

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17862797

Country of ref document: EP

Kind code of ref document: A1