WO2019047745A1 - Data sharing method, terminal apparatus and storage medium - Google Patents

Publication number
WO2019047745A1
Authority
WO
WIPO (PCT)
Prior art keywords
platform
physical storage
virtual address
data
application
Prior art date
Application number
PCT/CN2018/102692
Other languages
French (fr)
Chinese (zh)
Inventor
赵泳清
吕达夫
Original Assignee
阿里巴巴集团控股有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 阿里巴巴集团控股有限公司
Publication of WO2019047745A1


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/10 Address translation
    • G06F12/109 Address translation for multiple virtual address spaces, e.g. segmentation
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02 Addressing or allocation; Relocation
    • G06F12/08 Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802 Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0806 Multiuser, multiprocessor or multiprocessing cache systems
    • G06F12/084 Multiuser, multiprocessor or multiprocessing cache systems with a shared cache
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present application relates to the field of computer technologies, and in particular to a data sharing method, a terminal device, and a storage medium.
  • TEE: Trusted Execution Environment
  • REE: Rich Execution Environment
  • A TEE is a secure area of the main processor that guarantees the security, confidentiality, and integrity of the code and data loaded into the environment.
  • The TEE can provide security services for the operating system running in the REE; for example, the REE may need to transfer data to the TEE for processing. The TEE and the REE therefore need to share data.
  • A shared space B needs to be set up in the terminal device in advance. An application in the REE stores the shared data in space A, then stores the shared data in shared space B as well, and then tells the TEE the corresponding storage information.
  • The application in the TEE can obtain the shared data from shared space B for processing, and store the processed data in shared space B. The application in the REE then needs to copy the data in shared space B back into space A.
  • The above method of sharing data requires setting up a shared space dedicated to shared data, and the shared space cannot be used by non-shared data, which wastes resources. Moreover, when data needs to be shared, the same data has to be stored in two spaces in the device, which also wastes resources.
  • The embodiments of the present application provide a data sharing method to reduce the resource waste caused by sharing data.
  • The embodiments of the present application further provide a terminal device and a storage medium to ensure the implementation and application of the foregoing system.
  • An embodiment of the present application discloses a data sharing method applied to a terminal device, where the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment. In the method, the first platform determines a corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform; the second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information.
  • An embodiment of the present application further discloses a terminal device that includes a first platform in a non-secure environment and a second platform in a trusted execution environment. The first platform is configured to determine the corresponding physical storage address according to the first virtual address information of the shared data, and to send the physical storage address to the second platform. The second platform is configured to map the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and to process the shared data corresponding to the second virtual address information.
  • An embodiment of the present application further discloses a terminal device, including: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the terminal device to perform a data sharing method as described in one or more of the embodiments of the present application.
  • An embodiment of the present application further discloses one or more machine-readable media having instructions stored thereon that, when executed by one or more processors, cause the terminal device to perform a data sharing method as described in one or more of the embodiments of the present application.
  • The embodiments of the present application include the following advantages:
  • The first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment. There is therefore no need to set up a shared space dedicated to shared data; space for storing data is requested only when needed, which reduces the waste of resources. The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information. For shared data at the same physical storage address, different platforms thus map to different virtual address information, so that both the non-secure environment and the trusted execution environment can obtain the shared data from the same physical storage address without wasting resources.
  • FIG. 1 is a schematic diagram of interaction between platforms according to an embodiment of the present application.
  • FIG. 3 is a flow chart showing the steps of another data sharing method embodiment of the present application.
  • FIG. 4 is a schematic diagram of interaction between a REE and a TEE according to the present application.
  • FIG. 5 is a structural block diagram of an embodiment of a terminal device of the present application.
  • FIG. 6 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present application.
  • FIG. 7 is a schematic structural diagram of hardware of an electronic device according to another embodiment of the present application.
  • The TEE provides an isolated execution environment with security features including isolated execution, integrity of trusted applications, confidentiality of trusted data, secure storage, and more. The TEE therefore provides an execution space with a higher security level than the REE, that is, the execution environment of a common mobile operating system (Android, etc.), and offers more functionality than a Secure Element (SE, such as a smart card or SIM card).
  • REE: common mobile operating system
  • SE: Secure Element
  • The non-secure environment and the trusted execution environment may each implement and provide their functions on a corresponding platform, and the platform may provide an execution environment for the operating system, drivers, applications, and the like.
  • The non-secure environment corresponds to the first platform, and the trusted execution environment corresponds to the second platform.
  • The first platform can provide a rich execution environment for operating systems such as Android and Linux, and the trusted execution environment of the second platform can be determined by the processor technology, such as Intel's Trusted Execution Technology, AMD's Secure Virtual Machine, ARM's TrustZone, and more.
  • An application running in the REE is called a client application (CA), and an application running in the TEE is called a trusted application (TA).
  • The CA can invoke an interface to request security services from the TA.
  • The TA can access all functions of the device's main processor and memory.
  • Hardware isolation protects the TA from user apps installed in the main operating system environment, and software and cryptographic isolation inside the TEE protects the TAs from each other, so that they can be used simultaneously by multiple different service providers without compromising security.
  • When the TA provides security services for the CA, it needs to obtain the application data corresponding to the CA, process that data, and feed the result back to the CA. This data can be referred to as shared data, that is, data required by both the CA and the TA.
  • The terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment, and the first platform and the second platform are isolated from each other.
  • The two platforms can support different operating systems; for example, the first platform supports Android, Linux, etc., and the second platform supports an operating system that provides security services.
  • Both the first platform and the second platform support running applications, so an application in the first platform may need an application in the second platform to provide a service.
  • For example, when a payment application in the first platform performs a payment function, an application in the second platform is required to provide sensitive data such as the bank certificate and user data. As another example, in communication and encryption scenarios, an application in the first platform needs an application in the second platform to obtain keys, encrypted communication data, and the like.
  • The first platform may determine the first virtual address information corresponding to the shared data, and then determine, based on the first virtual address information, the physical storage address at which the shared data is stored. The shared data may be stored in one or more data blocks, so one or more physical storage addresses can be determined.
  • The physical storage address can then be sent to the second platform.
  • The second platform may map the physical storage address to determine the corresponding second virtual address information, obtain the shared data according to the second virtual address information, and then process the shared data.
  • The terminal device includes various electronic devices such as a smart phone, a personal computer, an Internet of Things device, and a wearable device.
  • The shared data can be determined according to the specific service: for example, user passwords, credit card information, electronic bank vouchers, and network accounts related to e-commerce and payment; keys, signatures, and the like related to data encryption; and sensitive data such as call content and short messages.
  • The embodiments of the present application do not need to set up a shared space dedicated to shared data; space for storing data is requested only when needed, which reduces the waste of resources. For shared data at the same physical storage address, different platforms map to different virtual address information, so both the first platform and the second platform can obtain the shared data from the same physical storage address without wasting resources.
  • Referring to FIG. 2, a flow chart of the steps of an embodiment of a data sharing method according to the present application is shown, which includes the following steps:
  • Step 202: The first platform determines a corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform.
  • Determining the corresponding physical storage address according to the first virtual address information of the shared data includes: the first platform stores the shared data at the location given by the first virtual address information, and determines the corresponding physical storage address according to the first storage information.
  • In the first platform, the shared data that needs to be processed by the application in the second platform may be stored, and the first virtual address information under which the shared data is stored in the non-secure environment is determined; the first virtual address information corresponds to memory space accessible in the non-secure environment. The corresponding one or more physical storage addresses may then be obtained by mapping the first virtual address information, and the physical storage address is sent to the second platform so that the second platform can acquire the shared data.
  • Step 204: The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information.
  • The second platform may map the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information, where the second virtual address information corresponds to memory space accessible to the trusted execution environment. The shared data can then be obtained based on the second virtual address information and processed.
  • The processing operation for the service of the application in the first platform may be performed, and the processed data is stored in the memory space corresponding to the second virtual address information. The application in the first platform may then acquire the processed data based on the first virtual address information and perform the required operation.
  • The first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment. There is therefore no need to set up a shared space dedicated to shared data; space for storing data is requested only when needed, which reduces the waste of resources. The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information. For shared data at the same physical storage address, different platforms thus map to different virtual address information, so that both the non-secure environment and the trusted execution environment can obtain the shared data from the same physical storage address without wasting resources.
  • The shared data can be obtained from the same physical storage address, while different environments use different virtual address information, so the data does not need to be copied between two storage spaces. Besides reducing resource consumption, this also reduces data operations and the burden on the device.
  • The first virtual address information includes a first start address and a data size; the second virtual address information includes a second start address and a data size.
  • A first application runs on the first platform and a second application runs on the second platform. Applications in different execution environments can therefore interact and share data for the required processing.
  • The trusted execution environment can provide trusted service support for the non-secure environment and ensure data security.
  • Referring to FIG. 3, a flow chart of the steps of another data sharing method embodiment of the present application is shown, which includes the following steps:
  • Step 302: The first application invokes a first function to request an address space, and acquires first storage information corresponding to the address space.
  • Step 304: Store the shared data in the address space according to the first storage information.
  • Step 306: Send the first storage information to the first platform.
  • The first platform runs the first application.
  • In the first application, the data to be processed is determined to be shared data, so the data size corresponding to the shared data is determined, the first function is called to request an address space based on the data size, the first start address of that address space is obtained from the first function, and the first storage information is generated from the first start address and the data size.
  • The shared data can then be stored in the address space corresponding to the first start address.
  • For example, if the first function is the malloc function, malloc can be called to allocate a space based on the data size, the corresponding first start address and data size are determined, the shared data is stored in the space, and the first virtual address information is then sent to the first platform.
  • Step 308: The first platform calls a second function, and maps the first storage information in the non-secure environment to obtain a corresponding physical storage address.
  • The first platform may determine an interface function provided by the operating system, that is, a second function for converting between virtual addresses and physical storage addresses, for example one that provides this conversion for the non-secure environment. The second function can therefore be called, and in the non-secure environment it can calculate, from the first start address and the data size, the one or more physical storage addresses corresponding to the data.
  • Step 310: The first platform generates a corresponding array according to the physical storage address and the data size.
  • Step 312: The first platform sends the array to the second platform.
  • Data is usually stored discontinuously in the device hardware, so the physical storage addresses corresponding to the shared data are usually discontinuous.
  • An array may therefore be generated according to the physical storage address and the data size, with each physical storage address and the data size stored in the array. The array can then be transferred to the second platform, so that the non-secure environment can inform the trusted execution environment of the shared data that needs to be processed and of its storage location.
  • Step 314: The second platform parses the array to obtain the corresponding physical storage address and data size.
  • Step 316: Invoke a third function to map the physical storage address in the trusted execution environment and determine the second virtual address information.
  • The second platform may parse the array in the trusted execution environment to obtain each physical storage address and the data size, and then call a third function to map the physical storage addresses in the trusted execution environment. The mapping yields the address space corresponding to the physical storage addresses, that is, it determines the second start address at which the shared data is stored in the trusted execution environment.
  • The second function is used to convert between virtual addresses and physical storage addresses, for example providing that conversion for the trusted execution environment; the second function and the third function may be the same or different.
  • Step 318: The second platform sends the second virtual address information to the second application.
  • Step 320: The second application acquires the corresponding shared data according to the second virtual address information, and processes the shared data in the trusted execution environment.
  • The second platform sends the second virtual address information to the corresponding second application. The second application may then determine the second start address from the second virtual address information, obtain the shared data based on the second start address, and process the shared data in the trusted execution environment, for example decryption based on a key, signature verification, bank certificate authentication, obtaining user data, and the like.
  • If the second application determines that the data size is insufficient, a request is sent to the first application to notify the first application to re-request the address space.
  • The data size required for the processed data can be obtained, so that the data size corresponding to the second virtual address information can be compared with the data size required after processing, to determine whether the space at the second virtual address is sufficient. If it is not, a request may be sent to the first application to inform it of the data size of the required space, so that the first application may re-request the address space and perform the above steps 302-322.
  • The shared data of the first application and the second application is obtained through the first platform in the non-secure environment and the second platform in the trusted execution environment; that is, data interaction is implemented at the platform level, while communication between the first application and the second application, such as requests, responses, and instruction transfer, is implemented at the application level.
  • The shared data of the first platform and the second platform is stored at the same physical storage address instead of in a preset shared space, so the data size is not limited, and in theory all the free memory space in the first platform can be shared. When there is no sharing in progress, no idle resources are occupied.
  • The first platform corresponds to a non-secure environment and the second platform corresponds to a trusted execution environment.
  • The first application CA is a payment application that runs in the non-secure environment REE.
  • The second application TA is a security support application, or a plug-in corresponding to the payment application, and runs in the trusted execution environment TEE.
  • The CA needs to verify account data. It determines that the size of the space to request is 268 KB, then calls the malloc function to allocate a 268 KB space X and determines the corresponding first virtual address information, in which the first start address is A001 and the data size is 268 KB.
  • The account data that needs to be shared with the TA can then be stored in space X.
  • The CA then passes the first virtual address information to the driver of the non-secure environment.
  • The non-secure environment can perform the mapping according to the first virtual address information, and the corresponding physical storage addresses are N0, N4, N5, N8, and N11. Since the physical storage addresses are not contiguous, the data size and all the physical storage addresses can be stored in the array share_pa_t.
  • The driver in the non-secure environment can send the array share_pa_t to the operating system TEE_OS of the trusted execution environment.
  • TEE_OS can parse the contents of the array share_pa_t to obtain the corresponding physical storage addresses (N0, N4, N5, N8, N11, etc.) and the data size (268 KB), and then map based on the physical storage addresses and the data size to obtain the second virtual address information, which includes a second start address B001' and a data size of 268 KB.
  • TEE_OS sends the second virtual address information to the second application TA, and the TA acquires the account data based on the second virtual address information and then verifies the account data.
  • The verification result may then be stored according to the second virtual address information, so that the CA can obtain the verification result and perform the required operations, such as providing a payment function.
  • The TA may determine the data size required after the account data is verified, and compare the data size corresponding to the second virtual address information with the required data size. If the required data size is no more than 268 KB, the requested space X is large enough to hold the processed data, and subsequent verification and other processing can proceed. Conversely, if the required data size is greater than 268 KB, such as 300 KB, the requested space X is insufficient to hold the processed data; a request can be sent to the CA to inform it that 300 KB of space is needed, and the CA re-requests the space and performs the above process again.
  • The embodiments of the present application do not need to pre-define a shared space; instead, the trusted execution environment and the non-secure environment share memory based on the physical storage address, thereby reducing the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during the initialization phase to query the shared space, which reduces the startup time of the device and improves efficiency. And because the physical storage address is shared, the shared data between the trusted execution environment and the non-secure environment does not need to be copied between different addresses, reducing data resources and processing time.
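The flow in steps 308 to 316 and the share_pa_t example above, as a small C simulation added here (not code from the patent): the REE side packs the frame list and data size into the array, and the TEE side parses and maps it onto the same physical frames. The struct layout, the 4 KB page size, all function names, and the TEE-side checks (private snapshot, size/count consistency, non-secure frame range, no duplicate frames) are assumptions of this example that the page does not describe.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE      4096u
#define NUM_FRAMES     16u  /* simulated physical memory (constructed) */
#define NS_FRAME_LIMIT 12u  /* assumption: frames 0..11 are non-secure RAM */
#define MAX_ENTRIES    8u

static uint8_t phys_mem[NUM_FRAMES][PAGE_SIZE];

/* Hypothetical layout for the array the page calls share_pa_t. */
typedef struct {
    uint32_t data_size;           /* total bytes of shared data */
    uint32_t count;               /* number of physical frames */
    uint32_t frame[MAX_ENTRIES];  /* frame numbers, in buffer order */
} share_pa_t;
typedef share_pa_t view_t;        /* one world's mapping of the buffer */

/* REE page table for space X: the page's frames N0, N4, N5, N8, N11. */
static const uint32_t ree_pt[] = {0, 4, 5, 8, 11};

/* Copy through a mapping page by page, because frames are not contiguous. */
static int view_copy(const view_t *v, uint32_t off, void *buf, uint32_t len, int write) {
    uint8_t *p = buf;
    if (off > v->data_size || len > v->data_size - off) return -1;
    while (len) {
        uint8_t *m = &phys_mem[v->frame[off / PAGE_SIZE]][off % PAGE_SIZE];
        uint32_t n = PAGE_SIZE - off % PAGE_SIZE;
        if (n > len) n = len;
        if (write) memcpy(m, p, n); else memcpy(p, m, n);
        off += n; p += n; len -= n;
    }
    return 0;
}

/* Steps 308-310 (REE driver): translate the buffer's virtual pages through
 * the REE page table and pack the frames plus the data size into the array. */
int ree_build_share(const uint32_t *page_table, uint32_t data_size, share_pa_t *out) {
    uint32_t pages = (data_size + PAGE_SIZE - 1) / PAGE_SIZE;
    if (data_size == 0 || pages > MAX_ENTRIES) return -1;
    out->data_size = data_size;
    out->count = pages;
    for (uint32_t i = 0; i < pages; i++) out->frame[i] = page_table[i];
    return 0;
}

/* Steps 314-316 (TEE OS): parse the array and build the TEE-side mapping.
 * The checks are this example's additions, not taken from the page. */
int tee_map_share(const share_pa_t *msg, view_t *tee_view) {
    share_pa_t s = *msg;  /* snapshot: the REE can still rewrite msg */
    if (s.count == 0 || s.count > MAX_ENTRIES) return -1;
    if (s.data_size > s.count * PAGE_SIZE ||
        s.data_size <= (s.count - 1) * PAGE_SIZE) return -1;
    for (uint32_t i = 0; i < s.count; i++) {
        if (s.frame[i] >= NS_FRAME_LIMIT) return -1;  /* not non-secure RAM */
        for (uint32_t j = 0; j < i; j++)
            if (s.frame[j] == s.frame[i]) return -1;  /* duplicate frame */
    }
    *tee_view = s;
    return 0;
}

/* CA stores data, TA reads and answers in place, CA reads the answer. */
int demo_roundtrip(void) {
    char account[] = "constructed-account-record";  /* constructed sample */
    char seen[sizeof account], ok[] = "OK", result[sizeof ok];
    share_pa_t msg; view_t ree, tee;

    if (ree_build_share(ree_pt, 5 * PAGE_SIZE - 100, &msg)) return -1;
    ree = msg;  /* the CA's own view of space X */
    /* The record straddles the frame 0 / frame 4 boundary on purpose. */
    if (view_copy(&ree, PAGE_SIZE - 10, account, sizeof account, 1)) return -2;
    if (tee_map_share(&msg, &tee)) return -3;
    /* The TA sees the same bytes through its own mapping: nothing was copied. */
    if (view_copy(&tee, PAGE_SIZE - 10, seen, sizeof seen, 0)) return -4;
    if (memcmp(seen, account, sizeof account)) return -5;
    if (view_copy(&tee, 0, ok, sizeof ok, 1)) return -6;
    if (view_copy(&ree, 0, result, sizeof result, 0)) return -7;
    return memcmp(result, ok, sizeof ok) ? -8 : 0;
}

/* An array naming frame 13 (secure in this simulation) must be refused. */
int demo_reject_secure_frame(void) {
    share_pa_t msg; view_t tee;
    if (ree_build_share(ree_pt, 5 * PAGE_SIZE, &msg)) return -2;
    msg.frame[2] = 13;
    return tee_map_share(&msg, &tee);
}

int main(void) {
    return demo_roundtrip() != 0 || demo_reject_secure_frame() != -1;
}
```
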
  • the embodiment further provides a terminal device, where the terminal device includes a first platform 502 in a non-secure environment and a second platform 504 in a trusted execution environment.
  • FIG. 5 a structural block diagram of an embodiment of a terminal device of the present application is shown, which may specifically include the following modules:
  • the first platform 502 is configured to determine a corresponding physical storage address according to the first virtual address information of the shared data, and send the physical storage address to the second platform.
  • the second platform 504 is configured to map the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and process the shared data corresponding to the second virtual address information.
  • the first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment, thereby eliminating the need to set
  • the shared data-specific shared space is applied for the space storage data when there is a demand, and the waste of resources is reduced;
  • the second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address,
  • the shared data corresponding to the second virtual address information is processed. It can be seen that, for shared data in the same physical storage address, different platforms are mapped to different virtual address information, so that the non-secure environment and the trusted execution environment are available. Obtaining shared data in the same physical storage address does not waste resources.
  • the first platform and the second platform can obtain shared data from the same physical storage address, but different platforms correspond to different virtual address information, so the data does not need to be copied in two storage spaces, and on the basis of reducing resource occupation, It also reduces data operations and reduces the burden on the device.
  • the first virtual address information includes: a first start address and a data size; and the second virtual address information includes: a second start address and a data size.
  • the first platform runs with a first application and the second platform runs with a second application. Therefore, applications in different execution environments can perform data interaction and share data for required processing.
  • the trusted execution environment can provide trusted service support for non-secure environments and ensure data security.
  • the first platform is configured to store shared data in the first virtual address information, and determine a corresponding physical storage address according to the first storage information.
  • the first platform is configured to use the first function to call the first function request address space, obtain the first storage information corresponding to the address space, and store the shared data in the address space according to the first storage information, The first stored information is sent to the first platform.
  • the first platform is configured to invoke a second function, and map the first storage information in the non-secure environment to obtain a corresponding physical storage address.
  • the first platform is further configured to generate a corresponding array according to the physical storage address and the data size; the first platform sends the array to the second platform.
  • the second platform is configured to parse the array to obtain a corresponding physical storage address and a data size, and invoke a third function to map the physical storage address in the trusted execution environment to determine a second Virtual address information.
  • the second platform is configured to send the second virtual address information to the second application; the second application acquires corresponding shared data according to the second virtual address information, where the trusted execution environment is The shared data is processed.
  • the second platform is further configured to: if the second application determines that the data size is insufficient, send a request to the first application to notify the first application to re-request the address space.
  • the shared data of the first application and the second application is obtained based on the first platform in the non-secure environment and the second platform in the trusted execution environment; that is, the data interaction is implemented at the platform dimension, while communication interactions between the first application and the second application, such as requests, responses and instruction transfer, are based on the application dimension. The shared data of the first platform and the second platform is therefore stored at the same physical storage address rather than in a preset shared space, so the data size is not limited and, in theory, all free memory space in the first platform can be shared. When there is no sharing service, no idle resources are occupied.
  • the first platform corresponds to a non-secure environment and the second platform corresponds to a trusted execution environment.
  • the first application CA runs in the non-secure environment REE
  • the second application TA runs in the trusted execution environment TEE.
  • the embodiment of the present application does not need to pre-define a shared space; instead, the trusted execution environment and the non-secure environment share the physical storage address of the memory, which reduces the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during the initialization phase to query the shared space, which reduces the startup time of the device and improves efficiency. Because the physical storage address is shared, the shared data between the trusted execution environment and the non-secure environment does not need to be copied between different addresses, reducing data resources and processing time.
  • the embodiment of the present application further provides a non-volatile readable storage medium, where the storage medium stores one or more modules (programs), and when the one or more modules are applied to a device, the device may be caused to execute the instructions of each method step in the embodiment of the present application.
  • Embodiments of the present application provide one or more machine readable medium having stored thereon instructions that, when executed by one or more processors, cause an electronic device to perform the method as described in one or more of the above embodiments.
  • the electronic device includes a terminal device, a server, and the like.
  • FIG. 6 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present disclosure, where the electronic device may include a terminal device, a server, and the like.
  • the electronic device can include an input device 60, a processor 61, an output device 62, a memory 63, and at least one communication bus 64.
  • Communication bus 64 is used to implement a communication connection between components.
  • the memory 63 may include a high speed RAM (Random Access Memory), and may also include a non-volatile storage NVM (Non-Volatile Memory), such as at least one disk storage.
  • the memory 63 may store various programs used to complete various processing functions and implement the method steps of the embodiment.
  • the processor 61 may be implemented, for example, as a central processing unit (CPU), an application specific integrated circuit (ASIC), a digital signal processor (DSP), a digital signal processing device (DSPD), a programmable logic device (PLD), a field programmable gate array (FPGA), a controller, a microcontroller, a microprocessor or other electronic component, and is coupled to the input device 60 and output device 62 described above by a wired or wireless connection.
  • the input device 60 may include multiple input devices, for example, at least one of a user-oriented user interface, a device-oriented device interface, a software programmable interface, a camera, and a sensor.
  • the device-oriented device interface may be a wired interface used for data transmission between the device and the device, or may be a hardware insertion interface (for example, a USB interface, a serial port, etc.) for data transmission between the device and the device.
  • the user-oriented user interface may be, for example, a user-oriented control button, a voice input device for receiving voice input, and a touch-sensing device for receiving a user's touch input (eg, a touch screen with touch sensing function, touch
  • the programmable interface of the software may be, for example, an entry through which the user edits or modifies a program, such as an input pin interface or an input interface of a chip; optionally, the transceiver may have a radio frequency transceiver chip, a baseband processing chip, and a transceiver antenna for communication functions.
  • An audio input device such as a microphone can receive voice data.
  • Output device 62 may include an output device such as a display, an audio device, or the like.
  • the processor of the device includes functions for executing modules of the network management device in each electronic device.
  • the specific functions and technical effects may be referred to the foregoing embodiments, and details are not described herein again.
  • FIG. 7 is a schematic structural diagram of hardware of an electronic device according to another embodiment of the present disclosure.
  • Figure 7 is a specific embodiment of the implementation of Figure 6.
  • the electronic device of this embodiment includes a processor 71 and a memory 72.
  • the processor 71 executes the computer program code stored in the memory 72 to implement the data sharing method of FIGS. 1 to 4 in the above embodiment.
  • the memory 72 is configured to store various types of data to support operation at the electronic device. Examples of such data include instructions for any application or method operating on an electronic device, such as messages, pictures, videos, and the like.
  • Memory 72 may include random access memory RAM and may also include non-volatile memory NVM, such as at least one disk storage.
  • processor 71 is disposed in processing component 70.
  • the electronic device can also include a communication component 73, a power component 74, a multimedia component 75, an audio component 76, an input/output interface 77, and/or a sensor component 78.
  • the components and the like included in the device are set according to actual requirements, which is not limited in this embodiment.
  • Processing component 70 typically controls the overall operation of the device.
  • Processing component 70 may include one or more processors 71 to execute instructions to perform all or part of the steps of the above-described methods of Figures 1-4.
  • processing component 70 can include one or more modules to facilitate interaction between component 70 and other components.
  • processing component 70 can include a multimedia module to facilitate interaction between multimedia component 75 and processing component 70.
  • Power component 74 provides power to various components of the device.
  • Power component 74 can include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the electronic device.
  • the multimedia component 75 includes a display screen between the device and the user that provides an output interface.
  • the display screen can include a liquid crystal display (LCD) and a touch panel (TP). If the display includes a touch panel, the display can be implemented as a touch screen to receive input signals from the user.
  • the touch panel includes one or more touch sensors to sense touches, slides, and gestures on the touch panel. The touch sensor may sense not only the boundary of the touch or sliding action, but also the duration and pressure associated with the touch or slide operation.
  • the audio component 76 is configured to output and/or input an audio signal.
  • audio component 76 includes a microphone (MIC) that is configured to receive an external audio signal when the device is in an operational mode, such as a voice recognition mode.
  • the received audio signal may be further stored in memory 72 or transmitted via communication component 73.
  • audio component 76 also includes a speaker for outputting an audio signal.
  • the input/output interface 77 provides an interface between the processing component 70 and the peripheral interface module, which may be a click wheel, a button, or the like. These buttons may include, but are not limited to, a volume button, a start button, and a lock button.
  • Sensor assembly 78 includes one or more sensors for providing various aspects of state assessment for the device.
  • sensor component 78 can detect the on/off state of the device, the relative positioning of the components, and the presence or absence of user contact with the device.
  • Sensor assembly 78 can include a proximity sensor configured to detect the presence of nearby objects without any physical contact, including detecting the distance between the user and the device.
  • the sensor assembly 78 can also include a camera or the like.
  • Communication component 73 is configured to facilitate wired or wireless communication between the electronic device and other electronic devices.
  • the electronic device can access a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof.
  • the electronic device may include a SIM card slot for inserting the SIM card, so that the device can log in to the GPRS network to establish communication with the server via the Internet.
  • the communication component 73, the audio component 76, the input/output interface 77, and the sensor component 78 involved in the embodiment of FIG. 7 can be implemented as an input device in the embodiment of FIG. 6.
  • An embodiment of the present application provides a terminal device, including: one or more processors; and one or more machine-readable media having stored thereon instructions that, when executed by the one or more processors, cause the terminal device to perform the method as described in one or more of the embodiments of the present application.
  • the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
  • Embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
  • These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
  • the computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.

Abstract

A data sharing method, a terminal apparatus and a storage medium. The terminal apparatus comprises a first platform in a rich execution environment and a second platform in a trusted execution environment. The method comprises: the first platform determining, according to first virtual address information of shared data, a corresponding physical storage address and sending the physical storage address to the second platform (202); and the second platform performing mapping in the trusted execution environment according to the physical storage address, so as to obtain corresponding second virtual address information, and processing shared data corresponding to the second virtual address information (204). The method acquires shared data from the same physical storage address in both the rich execution environment and the trusted execution environment without wasting resources.

Description

Data sharing method, terminal device and storage medium
The present application claims priority to Chinese patent application No. 201710797460.5, filed on September 6, 2017 and entitled "Data sharing method, terminal device and storage medium", the entire contents of which are incorporated herein by reference.
Technical field
The present application relates to the field of computer technologies, and in particular, to a data sharing method, a terminal device, and a storage medium.
Background
The Trusted Execution Environment (TEE) and the non-secure environment (Rich Execution Environment, REE) are execution environments that coexist in a terminal device. Common operating systems such as Android and Linux run in the REE. The TEE is a secure area on the main processor of the terminal device that guarantees the security, confidentiality, and integrity of the code and data loaded into it.
The TEE can provide security services to the operating system of the REE; for example, the REE may need to pass data to the TEE for computation or other processing. Therefore, data needs to be shared between the TEE and the REE.
Usually, to implement data sharing between the TEE and the REE, a shared space B must be set up in the terminal device in advance. After an application in the REE stores the shared data in space A, it can store the shared data in shared space B and then inform the TEE of the corresponding storage information. An application in the TEE can obtain the shared data from shared space B for processing and store the processed data in shared space B; the application in the REE then also needs to copy the data in shared space B back to space A.
This way of sharing data requires a dedicated shared space to be set aside for shared data. Non-shared data cannot use that space, which wastes resources. Moreover, when data needs to be shared, the same data has to be stored in two spaces in the device, which also wastes resources.
Summary of the invention
The embodiments of the present application provide a data sharing method to reduce the resource waste caused by sharing data.
Correspondingly, the embodiments of the present application further provide a terminal device and a storage medium to ensure the implementation and application of the above system.
To solve the above problem, an embodiment of the present application discloses a data sharing method applied to a terminal device, where the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment. The method includes: the first platform determines a corresponding physical storage address according to first virtual address information of shared data, and sends the physical storage address to the second platform; the second platform maps the physical storage address in the trusted execution environment to obtain corresponding second virtual address information, and processes the shared data corresponding to the second virtual address information.
An embodiment of the present application further discloses a terminal device, where the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment; the first platform is configured to determine a corresponding physical storage address according to first virtual address information of shared data, and send the physical storage address to the second platform; the second platform is configured to map the physical storage address in the trusted execution environment to obtain corresponding second virtual address information, and process the shared data corresponding to the second virtual address information.
An embodiment of the present application further discloses a terminal device, including: one or more processors; and one or more machine-readable media having stored thereon instructions that, when executed by the one or more processors, cause the terminal device to perform the data sharing method described in one or more of the embodiments of the present application.
An embodiment of the present application further discloses one or more machine-readable media having stored thereon instructions that, when executed by one or more processors, cause a terminal device to perform the data sharing method described in one or more of the embodiments of the present application.
Compared with the prior art, the embodiments of the present application have the following advantages:
In the embodiments of the present application, the first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data and sends the physical storage address to the second platform in the trusted execution environment. No shared space dedicated to shared data has to be set up; space for storing data is requested only when needed, which reduces resource waste. The second platform maps the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information and processes the shared data corresponding to the second virtual address information. For shared data at the same physical storage address, the different platforms thus map it to different virtual address information, so the shared data can be obtained from the same physical storage address in both the non-secure environment and the trusted execution environment without wasting resources.
Brief description of the drawings
FIG. 1 is a schematic diagram of interaction between platforms according to an embodiment of the present application;
FIG. 2 is a flow chart of the steps of an embodiment of a data sharing method of the present application;
FIG. 3 is a flow chart of the steps of another embodiment of a data sharing method of the present application;
FIG. 4 is a schematic diagram of interaction between an REE and a TEE according to the present application;
FIG. 5 is a structural block diagram of an embodiment of a terminal device of the present application;
FIG. 6 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present application;
FIG. 7 is a schematic structural diagram of hardware of an electronic device according to another embodiment of the present application.
Detailed description
To make the above objects, features and advantages of the present application more apparent and understandable, the present application is described in further detail below with reference to the accompanying drawings and specific embodiments.
The TEE provides an isolated execution environment whose security features include isolated execution, integrity of trusted applications, confidentiality of trusted data, secure storage, and so on. The execution space provided by the TEE therefore offers a higher level of security than the REE, such as the execution environment of common mobile operating systems (Android, etc.), and more functionality than a secure element (SE, such as a smart card or SIM card).
In the embodiments of the present application, the non-secure environment and the trusted execution environment may each be implemented on a corresponding platform and provide corresponding functions; a platform can provide an execution environment for operating systems, drivers, applications, and the like. The non-secure environment corresponds to the first platform, and the trusted execution environment corresponds to the second platform. The first platform can provide a rich execution environment for operating systems such as Android and Linux, and the trusted execution environment of the second platform can be established with technology provided by the processor, such as Intel's Trusted Execution Technology, AMD's Secure Virtual Machine, or ARM's TrustZone.
An application running in the REE is called a client application (Client Application, CA), and an application running in the TEE is called a trusted application (Trusted Application, TA). A CA can call an interface to request a security service from a TA, and the corresponding TA can provide the security service to the CA. A TA can access the full functionality of the device's main processor and memory; hardware isolation protects it from the user apps, i.e. the CAs, installed in the main operating system environment, and software and cryptographic isolation inside the TEE protects each TA from the others, so that the TEE can be used by several different service providers at the same time without affecting security. Therefore, when a TA provides a security service to a CA, it needs to obtain the application data of the CA, process that data, and then return the result to the CA. This application data can be called shared data, that is, data needed by both the CA and the TA.
In the embodiments of the present application, the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment, and the first platform and the second platform are isolated from each other. The two platforms can support different operating systems; for example, the first platform supports Android, Linux, etc., while the second platform supports an operating system that provides security services. Both the first platform and the second platform support running applications, so an application in the first platform needs an application in the second platform to provide services. For example, for a payment application in the first platform to perform its payment functions, an application in the second platform needs to provide sensitive data such as bank certificates and user data; likewise, in scenarios such as communication and encryption, an application on the first platform needs an application on the second platform to obtain keys, encrypted communication data, and the like.
As shown in FIG. 1, the first platform may determine the first virtual address information corresponding to the shared data, and then determine, based on the first virtual address information, the physical storage address at which the shared data is stored. The shared data may be stored in one or more data blocks, so one or more physical storage addresses may be determined. The physical storage address can then be sent to the second platform. The second platform may map the physical storage address to determine the corresponding second virtual address information, obtain the shared data according to the second virtual address information, and then process the shared data.
In the embodiments of the present application, the terminal device includes various electronic devices such as smartphones, personal computers, Internet of Things devices, and wearable devices. The shared data depends on the specific service: for example, data related to e-commerce and payment such as user passwords, credit card information, electronic banking credentials and network accounts; data related to data encryption such as keys and signatures; or sensitive communication data such as call content and short messages.
The embodiments of the present application do not need a shared space dedicated to shared data; space for storing data is requested only when needed, which reduces resource waste. In addition, for shared data at the same physical storage address, the different platforms map it to different virtual address information, so both the first platform and the second platform can obtain the shared data from the same physical storage address without wasting resources.
Referring to FIG. 2, a flow chart of the steps of an embodiment of a data sharing method of the present application is shown, which specifically includes the following steps:
Step 202: the first platform determines a corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform.
In an optional embodiment of the present application, the first platform determining the corresponding physical storage address according to the first virtual address information of the shared data includes: the first platform stores the shared data in the first virtual address information, and determines the corresponding physical storage address according to the first storage information.
When an application in the first platform is running, some services, such as payment, encryption and other security services, need the assistance of an application in the second platform. The shared data that needs to be processed by the application in the second platform can therefore be stored, and the first virtual address information at which the shared data is stored in the non-secure environment can be determined. The first virtual address information corresponds to memory space accessible in the non-secure environment. One or more corresponding physical storage addresses can then be obtained by mapping the first virtual address information, and the first physical storage address can be sent to the second platform so that the second platform can obtain the shared data.
Step 204: the second platform maps the physical storage address in the trusted execution environment to obtain corresponding second virtual address information, and processes the shared data corresponding to the second virtual address information.
After receiving the physical storage address, the second platform may map it in the trusted execution environment to obtain the corresponding second virtual address information. The second virtual address information corresponds to memory space accessible to the trusted execution environment. The shared data can then be obtained based on the second virtual address information and processed.
The processing operation of the service corresponding to the application in the first platform may be executed, and the resulting data stored in the memory space corresponding to the second virtual address information; the application in the first platform can then obtain the processed data based on the first virtual address information and perform the required operation.
In summary, the first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data and sends the physical storage address to the second platform in the trusted execution environment. No shared space dedicated to shared data has to be set up; space for storing data is requested only when needed, which reduces resource waste. The second platform maps the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information and processes the shared data corresponding to the second virtual address information. For shared data at the same physical storage address, the different platforms thus map it to different virtual address information, so the shared data can be obtained from the same physical storage address in both the non-secure environment and the trusted execution environment without wasting resources.
Furthermore, because the shared data is obtained from the same physical storage address in both the non-secure environment and the trusted execution environment, with only the virtual address information differing between the environments, the data does not need to be copied between two storage spaces. This reduces data operations as well as resource usage, and lightens the load on the device.
本申请实施例中,所述第一虚拟地址信息包括:第一起始地址和数据大小;所述第二虚拟地址信息包括:第二起始地址和数据大小。第一平台运行有第一应用,第二平台运行有第二应用。从而不同执行环境中的应用可进行数据交互,共享数据进行所需的处理,可信任执行环境能够为非安全环境提供可信任的服务支持,保证数据安全。In the embodiment of the present application, the first virtual address information includes: a first start address and a data size; and the second virtual address information includes: a second start address and a data size. The first platform runs with a first application and the second platform runs with a second application. Therefore, applications in different execution environments can perform data interaction and share data for required processing. The trusted execution environment can provide trusted service support for non-secure environments and ensure data security.
Referring to FIG. 3, a flow chart of the steps of another embodiment of the data sharing method of the present application is shown, which specifically includes the following steps:
Step 302: the first application calls a first function to request an address space and obtains first storage information corresponding to the address space.
Step 304: the shared data is stored in the address space according to the first storage information.
Step 306: the first storage information is sent to the first platform.
A first application runs on the first platform. While the first application runs in the non-secure environment, if it needs the service of the second application running in the trusted execution environment, it may determine that the data to be processed is shared data and therefore determine the data size of that shared data. Based on that data size it calls the first function to request an address space for storage, obtains the allocated first start address from the first function, and generates the first storage information from the first start address and the data size. The shared data may then be stored in the address space corresponding to the first start address.
For example, the first function is the malloc function: malloc may be called to allocate a region based on the data size, the corresponding first start address and data size are determined, the shared data is stored in that region, and the first virtual address information is then sent to the first platform.
Step 308: the first platform calls a second function and maps the first storage information in the non-secure environment to obtain the corresponding physical storage address.
The first platform may determine an interface function provided by the operating system, namely the second function, which converts between virtual addresses and physical storage addresses, for example providing that conversion for the non-secure environment. The second function can therefore be called; in the non-secure environment it computes, from the first start address and the data size, the one or more physical storage addresses at which the data is stored.
Step 310: the first platform generates a corresponding array from the physical storage address and the data size.
Step 312: the first platform sends the array to the second platform.
Data is usually not stored contiguously in device hardware, so the physical storage addresses of the shared data are usually not contiguous. To make the physical storage addresses easier to transmit and use, an array may be generated from the physical storage addresses and the data size; that is, the array stores each physical storage address and the data size. The array may then be transmitted to the second platform, so that the non-secure environment can tell the trusted execution environment which shared data needs processing and where it is stored.
Step 314: the second platform parses the array to obtain the corresponding physical storage address and data size.
Step 316: a third function is called to map the physical storage address in the trusted execution environment and determine the second virtual address information.
After receiving the array, the second platform may parse it in the trusted execution environment to obtain each physical storage address and the data size. It then calls the third function to map the physical storage addresses in the trusted execution environment and determine the address space to which each physical storage address is mapped, that is, the second start address at which the shared data is stored in the trusted execution environment. The second function is used to convert between virtual addresses and physical storage addresses, for example providing that conversion for the trusted execution environment; the second function and the third function may be the same or different.
Step 318: the second platform sends the second virtual address information to the second application.
Step 320: the second application obtains the corresponding shared data according to the second virtual address information and processes the shared data in the trusted execution environment.
The second platform sends the second virtual address information to the corresponding second application. The second application may then determine the second start address from the second virtual address information, obtain the shared data based on that second start address, and process the shared data in the trusted execution environment, for example key-based decryption, signature verification, bank certificate authentication, or obtaining user data.
In an optional embodiment of the present application, if the second application determines that the data size is insufficient, it sends a request to the first application to tell the first application to request the address space again. While processing the data, the second application learns the data size needed for the processed data. It can therefore compare the data size in the second virtual address information with the data size needed after processing and determine whether the space described by the second virtual address information is large enough to hold the processed data. If the space is insufficient, it may send a request to the first application that states the data size of the space required, so that the first application can request the address space again and perform steps 302-322 above.
The shared data of the first application and the second application is obtained through the first platform in the non-secure environment and the second platform in the trusted execution environment; that is, the data exchange is implemented at the platform level, while the communication between the first application and the second application, such as requests, responses and instruction transfer, is implemented at the application level.
The shared data of the first platform and the second platform is thus stored at the same physical storage addresses rather than in a preset shared space, so the data size is not limited; in theory all of the free memory space in the first platform can be shared. And when there is no sharing service, no idle resources are occupied.
In one example, the first platform corresponds to the non-secure environment and the second platform corresponds to the trusted execution environment. Assume the first application CA is a payment application running in the non-secure environment REE; the second application TA is then a security support application, or a plug-in corresponding to the payment application, and runs in the trusted execution environment TEE, as shown in FIG. 4.
The CA needs to verify account data and determines that the data size of the space to request is 268KB. It calls the malloc function to allocate a 268KB region X and determines the corresponding first virtual address information, in which the first start address is A001 and the data size is 268KB. The account data to be shared with the TA can then be stored in region X. The CA then returns the first virtual address information to the driver of the non-secure environment. The driver of the non-secure environment can map according to the first virtual address information and obtain the corresponding physical storage addresses, including N0, N4, N5, N8, N11 and so on. Because the physical storage addresses are not contiguous, the data size and all of the physical storage addresses can be stored in the array share_pa_t. The driver of the non-secure environment can send the array share_pa_t to TEE_OS, the operating system of the trusted execution environment.
TEE_OS can parse the contents of the array share_pa_t to obtain the corresponding physical storage addresses (N0, N4, N5, N8, N11 and so on) and the data size (268KB), and then map based on the physical storage addresses and the data size to obtain the second virtual address information, which includes the second start address B001' and the data size 268KB. TEE_OS sends the second virtual address information to the second application TA; the TA obtains the account data based on the second virtual address information and then verifies it. The verification result can then be stored according to the second virtual address information, so that the CA can obtain the verification result and perform the required operation, such as providing the payment function.
After obtaining the second virtual address information, the TA can determine the data size needed once the account data has been verified and compare it with the data size in the second virtual address information. If the required data size is not greater than 268KB, the requested region X is large enough to hold the processed data and the subsequent verification and other processing can proceed. Conversely, if the required data size is greater than 268KB, for example 300KB, the requested region X cannot hold the processed data; a notification can then be sent to the CA saying that 300KB of space is needed, and the CA requests space again and repeats the above flow.
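The FIG. 4 exchange above, as an added C simulation that is not code from the patent: the non-secure side packs a share_pa_t array for a 268KB buffer, the trusted side parses and maps it, and both sides then reach the same physical bytes through different virtual addresses. The field layout of share_pa_t, the 4KB page size, the frame numbers, the addresses 0xA001000 and 0xB001000, the secure-frame boundary and every function name are assumptions; the field checks in `tee_parse_and_map` are an addition the patent does not describe, included because the array is written by the non-secure environment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE    4096u
#define NFRAMES      256u   /* simulated physical memory: 1 MiB */
#define SECURE_FRAME 224u   /* constructed: frames >= 224 are TEE-private */
#define MAX_PAGES    128u

static uint8_t phys[NFRAMES * PAGE_SIZE];   /* the single physical copy */

/* Hypothetical layout: the patent names share_pa_t but not its fields. */
typedef struct {
    uint32_t size;              /* data size in bytes */
    uint32_t npages;
    uint64_t pa[MAX_PAGES];     /* physical address of each page */
} share_pa_t;

/* One environment's view: virtual start address plus per-page frame table. */
typedef struct {
    uint64_t base;
    uint32_t npages;
    uint32_t frame[MAX_PAGES];
} aspace_t;

static uint32_t pages_for(uint32_t size)
{
    return (uint32_t)(((uint64_t)size + PAGE_SIZE - 1) / PAGE_SIZE);
}

/* Copy through a virtual range page by page (dir 1 = write, 0 = read). */
static int as_copy(const aspace_t *as, uint64_t va, void *buf, size_t len, int dir)
{
    uint8_t *b = buf;
    uint64_t total = (uint64_t)as->npages * PAGE_SIZE;
    if (va < as->base) return -1;
    uint64_t off = va - as->base;
    if (off > total || len > total - off) return -1;
    while (len) {
        size_t in_page = PAGE_SIZE - (size_t)(off % PAGE_SIZE);
        size_t n = len < in_page ? len : in_page;
        uint8_t *p = phys + (size_t)as->frame[off / PAGE_SIZE] * PAGE_SIZE
                          + (size_t)(off % PAGE_SIZE);
        if (dir) memcpy(p, b, n); else memcpy(b, p, n);
        b += n; off += n; len -= n;
    }
    return 0;
}

/* Steps 302-304 stand-in: back `size` bytes at `base` with scattered frames. */
static int ree_alloc(aspace_t *as, uint64_t base, uint32_t size)
{
    uint32_t n = pages_for(size);
    if (n == 0 || n > MAX_PAGES || (n - 1) * 3 >= SECURE_FRAME) return -1;
    as->base = base;
    as->npages = n;
    for (uint32_t i = 0; i < n; i++) as->frame[i] = i * 3;  /* not contiguous */
    return 0;
}

/* Steps 308-310: translate each page to a physical address, pack the array. */
static void ree_build_share(const aspace_t *as, uint32_t size, share_pa_t *out)
{
    memset(out, 0, sizeof *out);
    out->size = size;
    out->npages = as->npages;
    for (uint32_t i = 0; i < as->npages; i++)
        out->pa[i] = (uint64_t)as->frame[i] * PAGE_SIZE;
}

/* Steps 314-316: parse the array and map it at `base`. Added checks: the
 * page count must match the size, and each address must be page aligned
 * and outside TEE-private memory. */
static int tee_parse_and_map(const share_pa_t *in, aspace_t *as, uint64_t base)
{
    if (in->size == 0 || in->npages > MAX_PAGES ||
        in->npages != pages_for(in->size)) return -1;
    for (uint32_t i = 0; i < in->npages; i++) {
        if (in->pa[i] % PAGE_SIZE) return -2;
        if (in->pa[i] / PAGE_SIZE >= SECURE_FRAME) return -3;
    }
    as->base = base;
    as->npages = in->npages;
    for (uint32_t i = 0; i < in->npages; i++)
        as->frame[i] = (uint32_t)(in->pa[i] / PAGE_SIZE);
    return 0;
}

/* Optional embodiment: does the processed result fit the shared region? */
static int tee_result_fits(const share_pa_t *in, uint32_t needed)
{
    return needed <= in->size;
}

int main(void)
{
    aspace_t ree, tee; share_pa_t arr; char seen[13] = {0};
    if (ree_alloc(&ree, 0xA001000u, 268u * 1024u)) return 1;
    as_copy(&ree, 0xA001000u + 4090, "account-data", 12, 1);  /* CA writes */
    ree_build_share(&ree, 268u * 1024u, &arr);
    if (tee_parse_and_map(&arr, &tee, 0xB001000u)) return 1;
    as_copy(&tee, 0xB001000u + 4090, seen, 12, 0);            /* TA reads  */
    printf("TA sees \"%s\"; 300KB fits: %d\n", seen,
           tee_result_fits(&arr, 300u * 1024u));
    return 0;
}
```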
The embodiments of the present application do not need a predefined shared space; instead, the trusted execution environment and the non-secure environment share the physical storage addresses of memory, which reduces the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during initialization to query the shared space, which reduces device start-up time and improves efficiency. And because the physical storage addresses are shared, the data shared between the trusted execution environment and the non-secure environment no longer needs to be copied between different addresses, which reduces data resources and processing time.
It should be noted that, for simplicity of description, the method embodiments are all expressed as a series of combined actions, but those skilled in the art should understand that the embodiments of the present application are not limited by the described order of actions, because according to the embodiments of the present application some steps may be performed in another order or at the same time. Those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions involved are not necessarily required by the embodiments of the present application.
On the basis of the above embodiments, this embodiment further provides a terminal device, which includes a first platform 502 in a non-secure environment and a second platform 504 in a trusted execution environment.
Referring to FIG. 5, a structural block diagram of an embodiment of a terminal device of the present application is shown, which may specifically include the following modules:
The first platform 502 is configured to determine the corresponding physical storage address from the first virtual address information of the shared data and to send the physical storage address to the second platform.
The second platform 504 is configured to map the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information and to process the shared data corresponding to the second virtual address information.
In summary, the first platform in the non-secure environment determines the corresponding physical storage address from the first virtual address information of the shared data and sends that physical storage address to the second platform in the trusted execution environment. No shared space dedicated to shared data has to be set up; space for storing data is requested only when needed, which reduces wasted resources. The second platform maps the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information and processes the shared data that it refers to. For shared data at the same physical storage address, the different platforms therefore map it to different virtual address information, so that both the non-secure environment and the trusted execution environment can obtain the shared data from the same physical storage address without wasting resources.
Second, both the first platform and the second platform can obtain the shared data from the same physical storage address; only the virtual address information differs between the platforms. The data therefore does not need to be copied between two storage spaces, which, in addition to reducing resource usage, reduces data operations and the load on the device.
In the embodiments of the present application, the first virtual address information includes a first start address and a data size, and the second virtual address information includes a second start address and a data size. A first application runs on the first platform and a second application runs on the second platform. Applications in different execution environments can thus exchange data and share it for the required processing, and the trusted execution environment can provide trusted service support to the non-secure environment, ensuring data security.
The first platform is configured to store the shared data in the first virtual address information and to determine the corresponding physical storage address according to the first storage information.
The first platform is configured to use the first application to call the first function to request an address space and obtain the first storage information corresponding to the address space; to store the shared data in the address space according to the first storage information; and to send the first storage information to the first platform.
The first platform is configured to call the second function and map the first storage information in the non-secure environment to obtain the corresponding physical storage address.
The first platform is further configured to generate a corresponding array from the physical storage address and the data size; the first platform sends the array to the second platform.
The second platform is configured to parse the array to obtain the corresponding physical storage address and data size, and to call the third function to map the physical storage address in the trusted execution environment and determine the second virtual address information.
The second platform is configured to send the second virtual address information to the second application; the second application obtains the corresponding shared data according to the second virtual address information and processes the shared data in the trusted execution environment.
The second platform is further configured so that, if the second application determines that the data size is insufficient, a request is sent to the first application to tell the first application to request the address space again.
The shared data of the first application and the second application is obtained through the first platform in the non-secure environment and the second platform in the trusted execution environment; that is, the data exchange is implemented at the platform level, while the communication between the first application and the second application, such as requests, responses and instruction transfer, is implemented at the application level. The shared data of the first platform and the second platform is thus stored at the same physical storage addresses rather than in a preset shared space, so the data size is not limited; in theory all of the free memory space in the first platform can be shared. And when there is no sharing service, no idle resources are occupied.
In one example, the first platform corresponds to the non-secure environment and the second platform corresponds to the trusted execution environment. The first application CA then runs in the non-secure environment REE and the second application TA runs in the trusted execution environment TEE. The embodiments of the present application do not need a predefined shared space; instead, the trusted execution environment and the non-secure environment share the physical storage addresses of memory, which reduces the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during initialization to query the shared space, which reduces device start-up time and improves efficiency. And because the physical storage addresses are shared, the data shared between the trusted execution environment and the non-secure environment no longer needs to be copied between different addresses, which reduces data resources and processing time.
The embodiments of the present application further provide a non-volatile readable storage medium in which one or more modules (programs) are stored; when the one or more modules are applied to a device, they can cause the device to execute the instructions of the method steps in the embodiments of the present application.
The embodiments of the present application provide one or more machine-readable media on which instructions are stored; when executed by one or more processors, the instructions cause an electronic device to perform the method described in one or more of the above embodiments. The electronic device includes a terminal device, a server, and the like.
FIG. 6 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present application; the electronic device may include a terminal device, a server, and the like. As shown in FIG. 6, the electronic device may include an input device 60, a processor 61, an output device 62, a memory 63 and at least one communication bus 64. The communication bus 64 is used to implement communication connections between the components. The memory 63 may include high-speed RAM (Random Access Memory) and may also include non-volatile memory (NVM), for example at least one disk memory. Various programs may be stored in the memory 63 for completing various processing functions and implementing the method steps of this embodiment.
Optionally, the processor 61 may be implemented as, for example, a central processing unit (CPU), an application-specific integrated circuit (ASIC), a digital signal processor (DSP), a digital signal processing device (DSPD), a programmable logic device (PLD), a field-programmable gate array (FPGA), a controller, a microcontroller, a microprocessor or another electronic component. The processor 61 is coupled to the input device 60 and the output device 62 through a wired or wireless connection.
Optionally, the input device 60 may include several kinds of input device, for example at least one of a user-facing user interface, a device-facing device interface, a programmable software interface, a camera and a sensor. Optionally, the device-facing device interface may be a wired interface for data transmission between devices, or a hardware plug-in interface for data transmission between devices (for example a USB interface or a serial port). Optionally, the user-facing user interface may be, for example, user-facing control buttons, a voice input device for receiving voice input, and a touch-sensing device for receiving the user's touch input (for example a touch screen or touchpad with touch-sensing capability). Optionally, the programmable software interface may be, for example, an entry point through which the user edits or modifies a program, such as an input pin interface or input interface of a chip. Optionally, the transceiver may be a radio-frequency transceiver chip with communication capability, a baseband processing chip, a transceiver antenna, and the like. An audio input device such as a microphone can receive voice data. The output device 62 may include output devices such as a display and a speaker.
In this embodiment, the processor of the device includes functions for executing the modules of the network management apparatus in each electronic device. For the specific functions and technical effects, refer to the above embodiments; they are not repeated here.
FIG. 7 is a schematic diagram of the hardware structure of an electronic device provided by another embodiment of the present application. FIG. 7 is a specific embodiment of an implementation of FIG. 6. As shown in FIG. 7, the electronic device of this embodiment includes a processor 71 and a memory 72.
The processor 71 executes the computer program code stored in the memory 72 to implement the data sharing method of FIGS. 1 to 4 in the above embodiments.
The memory 72 is configured to store various types of data to support operation of the electronic device. Examples of such data include instructions for any application or method operated on the electronic device, as well as messages, pictures, videos and the like. The memory 72 may include random access memory (RAM) and may also include non-volatile memory (NVM), for example at least one disk memory.
Optionally, the processor 71 is arranged in a processing component 70. The electronic device may further include a communication component 73, a power component 74, a multimedia component 75, an audio component 76, an input/output interface 77 and/or a sensor component 78. The components the device actually contains are set according to actual requirements, which this embodiment does not limit.
The processing component 70 generally controls the overall operation of the device. The processing component 70 may include one or more processors 71 to execute instructions so as to complete all or some of the steps of the methods of FIGS. 1 to 4 above. In addition, the processing component 70 may include one or more modules that facilitate interaction between the processing component 70 and other components. For example, the processing component 70 may include a multimedia module to facilitate interaction between the multimedia component 75 and the processing component 70.
The power component 74 supplies power to the various components of the device. The power component 74 may include a power management system, one or more power supplies, and other components associated with generating, managing and distributing power for the electronic device.
The multimedia component 75 includes a display screen that provides an output interface between the device and the user. In some embodiments, the display screen may include a liquid crystal display (LCD) and a touch panel (TP). If the display screen includes a touch panel, it may be implemented as a touch screen to receive input signals from the user. The touch panel includes one or more touch sensors to sense touches, swipes and gestures on the touch panel. The touch sensor may sense not only the boundary of a touch or swipe action but also the duration and pressure associated with the touch or swipe operation.
The audio component 76 is configured to output and/or input audio signals. For example, the audio component 76 includes a microphone (MIC) that is configured to receive external audio signals when the device is in an operating mode such as a voice recognition mode. The received audio signal may be further stored in the memory 72 or sent via the communication component 73. In some embodiments, the audio component 76 also includes a speaker for outputting audio signals.
The input/output interface 77 provides an interface between the processing component 70 and peripheral interface modules, which may be a click wheel, buttons and the like. These buttons may include, but are not limited to, a volume button, a start button and a lock button.
The sensor component 78 includes one or more sensors for providing state assessments of various aspects of the device. For example, the sensor component 78 can detect the open/closed state of the device, the relative positioning of components, and the presence or absence of contact between the user and the device. The sensor component 78 may include a proximity sensor configured to detect the presence of nearby objects without any physical contact, including detecting the distance between the user and the device. In some embodiments, the sensor component 78 may also include a camera and the like.
The communication component 73 is configured to facilitate wired or wireless communication between the electronic device and other electronic devices. The electronic device can access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination of them. In one embodiment, the electronic device may include a SIM card slot for inserting a SIM card, so that the device can log in to a GPRS network and establish communication with a server over the Internet.
As can be seen from the above, the communication component 73, the audio component 76, the input/output interface 77 and the sensor component 78 in the embodiment of FIG. 7 can all serve as implementations of the input device in the embodiment of FIG. 6.
The embodiments of the present application provide a terminal device, including: one or more processors; and one or more machine-readable media on which instructions are stored, which, when executed by the one or more processors, cause the terminal device to perform the method described in one or more of the embodiments of the present application.
对于装置实施例而言,由于其与方法实施例基本相似,所以描述的比较简单,相关之处参见方法实施例的部分说明即可。For the device embodiment, since it is basically similar to the method embodiment, the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
本说明书中的各个实施例均采用递进的方式描述,每个实施例重点说明的都是与其他实施例的不同之处,各个实施例之间相同相似的部分互相参见即可。The various embodiments in the present specification are described in a progressive manner, and each embodiment focuses on differences from other embodiments, and the same similar parts between the various embodiments can be referred to each other.
本申请实施例是参照根据本申请实施例的方法、终端设备(系统)、和计算机程序产品的流程图和/或方框图来描述的。应理解可由计算机程序指令实现流程图和/或方框图中的每一流程和/或方框、以及流程图和/或方框图中的流程和/或方框的结合。可 提供这些计算机程序指令到通用计算机、专用计算机、嵌入式处理机或其他可编程数据处理终端设备的处理器以产生一个机器,使得通过计算机或其他可编程数据处理终端设备的处理器执行的指令产生用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的装置。Embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG. These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal device to produce a machine such that instructions are executed by a processor of a computer or other programmable data processing terminal device Means are provided for implementing the functions specified in one or more of the flow or in one or more blocks of the flow chart.
这些计算机程序指令也可存储在能引导计算机或其他可编程数据处理终端设备以特定方式工作的计算机可读存储器中,使得存储在该计算机可读存储器中的指令产生包括指令装置的制造品,该指令装置实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能。The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that instructions stored in the computer readable memory produce an article of manufacture comprising the instruction device. The instruction device implements the functions specified in one or more blocks of the flow or in a flow or block diagram of the flowchart.
这些计算机程序指令也可装载到计算机或其他可编程数据处理终端设备上,使得在计算机或其他可编程终端设备上执行一系列操作步骤以产生计算机实现的处理,从而在计算机或其他可编程终端设备上执行的指令提供用于实现在流程图一个流程或多个流程和/或方框图一个方框或多个方框中指定的功能的步骤。These computer program instructions can also be loaded onto a computer or other programmable data processing terminal device such that a series of operational steps are performed on the computer or other programmable terminal device to produce computer-implemented processing, such that the computer or other programmable terminal device The instructions executed above provide steps for implementing the functions specified in one or more blocks of the flowchart or in a block or blocks of the flowchart.
尽管已描述了本申请实施例的优选实施例,但本领域内的技术人员一旦得知了基本创造性概念,则可对这些实施例做出另外的变更和修改。所以,所附权利要求意欲解释为包括优选实施例以及落入本申请实施例范围的所有变更和修改。While a preferred embodiment of the embodiments of the present application has been described, those skilled in the art can make further changes and modifications to the embodiments once they are aware of the basic inventive concept. Therefore, the appended claims are intended to be interpreted as including all the modifications and the modifications
最后,还需要说明的是,在本文中,诸如第一和第二等之类的关系术语仅仅用来将一个实体或者操作与另一个实体或操作区分开来,而不一定要求或者暗示这些实体或操作之间存在任何这种实际的关系或者顺序。而且,术语“包括”、“包含”或者其任何其他变体意在涵盖非排他性的包含,从而使得包括一系列要素的过程、方法、物品或者终端设备不仅包括那些要素,而且还包括没有明确列出的其他要素,或者是还包括为这种过程、方法、物品或者终端设备所固有的要素。在没有更多限制的情况下,由语句“包括一个……”限定的要素,并不排除在包括所述要素的过程、方法、物品或者终端设备中还存在另外的相同要素。Finally, it should also be noted that in this context, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, and do not necessarily require or imply these entities. There is any such actual relationship or order between operations. Furthermore, the terms "comprises" or "comprising" or "comprising" or any other variations are intended to encompass a non-exclusive inclusion, such that a process, method, article, or terminal device that includes a plurality of elements includes not only those elements but also Other elements that are included, or include elements inherent to such a process, method, article, or terminal device. An element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article, or terminal device that comprises the element, without further limitation.
以上对本申请所提供的一种数据共享方法、一种终端设备和一种存储介质,进行了详细介绍,本文中应用了具体个例对本申请的原理及实施方式进行了阐述,以上实施例的说明只是用于帮助理解本申请的方法及其核心思想;同时,对于本领域的一般技术人员,依据本申请的思想,在具体实施方式及应用范围上均会有改变之处,综上所述,本说明书内容不应理解为对本申请的限制。The foregoing describes a data sharing method, a terminal device, and a storage medium provided by the present application. The principles and implementation manners of the present application are described in the specific examples. It is only used to help understand the method of the present application and its core ideas; at the same time, for those of ordinary skill in the art, according to the idea of the present application, there will be changes in specific implementation manners and application scopes. The contents of this specification are not to be construed as limiting the application.

Claims (20)

  1. A data sharing method, characterized in that it is applied to a terminal device, the terminal device comprising a first platform in a non-secure environment and a second platform in a trusted execution environment, the method comprising:
    the first platform determining a corresponding physical storage address according to first virtual address information of shared data, and sending the physical storage address to the second platform;
    the second platform mapping, according to the physical storage address, to obtain corresponding second virtual address information in the trusted execution environment, and processing the shared data corresponding to the second virtual address information.
  2. The method according to claim 1, characterized in that the first virtual address information comprises: a first start address and a data size; and the second virtual address information comprises: a second start address and the data size.
  3. The method according to claim 2, characterized in that the first platform determining the corresponding physical storage address according to the first virtual address information of the shared data comprises:
    the first platform storing the shared data at the first virtual address information, and determining the corresponding physical storage address according to first storage information.
  4. The method according to claim 3, characterized in that a first application runs on the first platform; and the first platform storing the shared data at the first virtual address information comprises:
    the first application calling a first function to request an address space, and obtaining first storage information corresponding to the address space;
    storing the shared data in the address space according to the first storage information, and sending the first storage information to the first platform.
  5. The method according to claim 4, characterized in that determining the corresponding physical storage address according to the first storage information comprises:
    the first platform calling a second function to map the first storage information in the non-secure environment, obtaining the corresponding physical storage address.
  6. The method according to claim 2, characterized in that the method further comprises:
    the first platform generating a corresponding array according to the physical storage address and the data size;
    wherein sending the physical storage address to the second platform comprises: the first platform sending the array to the second platform.
  7. The method according to claim 6, characterized in that the second platform mapping, according to the physical storage address, to obtain the corresponding second virtual address information in the trusted execution environment comprises:
    the second platform parsing the array to obtain the corresponding physical storage address and data size;
    calling a third function to map the physical storage address in the trusted execution environment, determining the second virtual address information.
  8. The method according to claim 4, characterized in that a second application runs on the second platform, and processing the shared data corresponding to the second virtual address information comprises:
    the second platform sending the second virtual address information to the second application;
    the second application obtaining the corresponding shared data according to the second virtual address information, and processing the shared data in the trusted execution environment.
  9. The method according to claim 8, characterized by further comprising:
    if the second application determines that the data size is insufficient, sending a request to the first application to notify the first application to request the address space again.
  10. A terminal device, characterized in that the terminal device comprises a first platform in a non-secure environment and a second platform in a trusted execution environment;
    the first platform is configured to determine a corresponding physical storage address according to first virtual address information of shared data, and send the physical storage address to the second platform;
    the second platform is configured to map, according to the physical storage address, to obtain corresponding second virtual address information in the trusted execution environment, and process the shared data corresponding to the second virtual address information.
  11. The terminal device according to claim 10, characterized in that the first virtual address information comprises: a first start address and a data size; and the second virtual address information comprises: a second start address and the data size.
  12. The terminal device according to claim 11, characterized in that
    the first platform is configured to store the shared data at the first virtual address information, and determine the corresponding physical storage address according to first storage information.
  13. The terminal device according to claim 12, characterized in that a first application runs on the first platform;
    the first platform is configured to use the first application to call a first function to request an address space, and obtain first storage information corresponding to the address space; and to store the shared data in the address space according to the first storage information, and send the first storage information to the first platform.
  14. The terminal device according to claim 13, characterized in that
    the first platform is configured to call a second function to map the first storage information in the non-secure environment, obtaining the corresponding physical storage address.
  15. The terminal device according to claim 11, characterized in that
    the first platform is further configured to generate a corresponding array according to the physical storage address and the data size; the first platform sends the array to the second platform.
  16. The terminal device according to claim 15, characterized in that
    the second platform is configured to parse the array to obtain the corresponding physical storage address and data size; and to call a third function to map the physical storage address in the trusted execution environment, determining the second virtual address information.
  17. The terminal device according to claim 13, characterized in that
    the second platform is configured to send the second virtual address information to a second application; the second application obtains the corresponding shared data according to the second virtual address information, and processes the shared data in the trusted execution environment.
  18. The terminal device according to claim 17, characterized in that
    the second platform is further configured to, if the second application determines that the data size is insufficient, send a request to the first application to notify the first application to request the address space again.
  19. A terminal device, characterized by comprising:
    one or more processors; and
    one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the terminal device to perform the method according to one or more of claims 1-9.
  20. One or more machine-readable media having instructions stored thereon that, when executed by one or more processors, cause a terminal device to perform the method according to one or more of claims 1-9.
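
The flow of claims 1-9, as an added C simulation that is not code from the patent or its applicant: the non-secure side allocates, translates and packs the (physical address, size) array, and the trusted side parses it, maps it and processes the data in place. All function names, the memory layout and the range check in `tee_map` are assumptions; the claims do not describe validating the array, but it is produced by the non-secure side.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout for this simulation (not from the patent). */
#define PHYS_SIZE   0x4000u      /* simulated physical memory             */
#define SECURE_BASE 0x3000u      /* [SECURE_BASE, PHYS_SIZE) is TEE-only  */
#define NW_VA_BASE  0x10000000u  /* non-secure virtual window (assumed)   */
#define TEE_VA_BASE 0x80000000u  /* TEE virtual window (assumed)          */
enum { SHM_OK = 0, SHM_BAD_RANGE = -1, SHM_TOO_SMALL = -2 };

static uint8_t  phys_mem[PHYS_SIZE];
static uint32_t nw_next = 0x1000;  /* bump allocator in non-secure RAM */

/* "First function" (claim 4): request address space, get its start VA. */
uint64_t nw_alloc(uint32_t size) {
    if (size == 0 || size > SECURE_BASE - nw_next) return 0;
    uint64_t va = (uint64_t)NW_VA_BASE + nw_next;
    nw_next += size;
    return va;
}

/* "Second function" (claim 5): non-secure VA -> physical storage address. */
uint64_t nw_virt_to_phys(uint64_t va) { return va - NW_VA_BASE; }

/* Claim 6: pack physical address and data size into an array. */
void nw_make_array(uint64_t pa, uint64_t size, uint64_t out[2]) {
    out[0] = pa;
    out[1] = size;
}

/* "Third function" (claim 7): parse the array and map PA into the TEE.
 * The range check is an added hardening step, not part of the claims:
 * the array is produced by the non-secure side, so the TEE refuses any
 * range that is empty, wraps, or reaches secure memory. */
int tee_map(const uint64_t arr[2], uint64_t *tee_va, uint64_t *size) {
    uint64_t pa = arr[0], len = arr[1];  /* read once, then validate */
    if (len == 0 || pa >= SECURE_BASE || len > SECURE_BASE - pa)
        return SHM_BAD_RANGE;
    *tee_va = (uint64_t)TEE_VA_BASE + pa;
    *size = len;
    return SHM_OK;
}

/* Second application (claims 8-9): process the shared data in place, or
 * report that the buffer is too small for what it needs. */
int tee_app_process(uint64_t tee_va, uint64_t size, uint64_t needed) {
    if (size < needed) return SHM_TOO_SMALL;
    uint8_t *p = &phys_mem[tee_va - TEE_VA_BASE];
    for (uint64_t i = 0; i < needed; i++) p[i] ^= 0x5a;  /* stand-in work */
    return SHM_OK;
}

/* Claim 1 end to end, with the claim 9 retry. Returns the TEE status and
 * the physical address that was last shared. */
int share_with_tee(const void *data, uint32_t len, uint32_t alloc_size,
                   uint32_t needed, uint64_t *pa_out) {
    uint64_t arr[2], tee_va, size;
    int rc = SHM_BAD_RANGE;
    for (int attempt = 0; attempt < 2; attempt++) {
        uint64_t va = len <= alloc_size ? nw_alloc(alloc_size) : 0;
        if (va == 0) return SHM_BAD_RANGE;
        memcpy(&phys_mem[nw_virt_to_phys(va)], data, len);
        nw_make_array(nw_virt_to_phys(va), alloc_size, arr);
        rc = tee_map(arr, &tee_va, &size);
        if (rc == SHM_OK) rc = tee_app_process(tee_va, size, needed);
        *pa_out = arr[0];
        if (rc != SHM_TOO_SMALL) return rc;
        alloc_size = needed;  /* first application re-requests address space */
    }
    return rc;
}

int main(void) {
    uint64_t pa, forged[2] = { SECURE_BASE, 16 }, va, sz;
    printf("share: %d\n", share_with_tee("hello", 5, 5, 8, &pa));
    printf("forged secure range: %d\n", tee_map(forged, &va, &sz));
    return 0;
}
```

No data is copied between the two sides; the only thing that crosses the boundary is the two-element array, which is why the trusted side treats it as untrusted input.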
PCT/CN2018/102692 2017-09-06 2018-08-28 Data sharing method, terminal apparatus and storage medium WO2019047745A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201710797460.5 2017-09-06
CN201710797460.5A CN109460373B (en) 2017-09-06 2017-09-06 Data sharing method, terminal equipment and storage medium

Publications (1)

Publication Number Publication Date
WO2019047745A1 true WO2019047745A1 (en) 2019-03-14

Family

ID=65606037

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/102692 WO2019047745A1 (en) 2017-09-06 2018-08-28 Data sharing method, terminal apparatus and storage medium

Country Status (2)

Country Link
CN (1) CN109460373B (en)
WO (1) WO2019047745A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113609528A (en) * 2021-07-14 2021-11-05 洛阳小行家科技有限公司 Data authorization circulation method and system based on digital pass

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110245001B (en) * 2019-05-05 2023-04-18 创新先进技术有限公司 Data isolation method and device and electronic equipment
CN110348204B (en) * 2019-06-17 2023-05-16 海光信息技术股份有限公司 Code protection system, authentication method, authentication device, chip and electronic equipment
CN110399235B (en) 2019-07-16 2020-07-28 阿里巴巴集团控股有限公司 Multithreading data transmission method and device in TEE system
CN110442462B (en) 2019-07-16 2020-07-28 阿里巴巴集团控股有限公司 Multithreading data transmission method and device in TEE system
US10699015B1 (en) 2020-01-10 2020-06-30 Alibaba Group Holding Limited Method and apparatus for data transmission in a tee system
CN110442463B (en) * 2019-07-16 2020-07-07 阿里巴巴集团控股有限公司 Data transmission method and device in TEE system
CN114117460A (en) * 2020-09-01 2022-03-01 鸿富锦精密电子(天津)有限公司 Data protection method and device, electronic equipment and storage medium
CN112214444A (en) * 2020-09-24 2021-01-12 深圳云天励飞技术股份有限公司 Inter-core communication method, ARM, DSP and terminal
CN112783847B (en) * 2021-01-18 2022-08-12 中国农业科学院深圳农业基因组研究所 Data sharing method and device
CN114154163B (en) * 2021-10-19 2023-01-10 北京荣耀终端有限公司 Vulnerability detection method and device
CN115017497B (en) * 2021-11-24 2023-04-18 荣耀终端有限公司 Information processing method, device and storage medium
CN116090032B (en) * 2022-06-29 2023-10-20 荣耀终端有限公司 Display method and related device
CN117707799A (en) * 2022-09-07 2024-03-15 华为技术有限公司 Data processing method, terminal device and readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106203082A (en) * 2016-06-29 2016-12-07 上海交通大学 The system and method efficiently isolating kernel module based on virtualization hardware characteristic
CN106354687A (en) * 2016-08-29 2017-01-25 珠海市魅族科技有限公司 Data transmission method and system
US20170206174A1 (en) * 2016-01-15 2017-07-20 Bittium Wireless Oy Secure memory storage
CN107038128A (en) * 2016-02-03 2017-08-11 华为技术有限公司 A kind of virtualization of performing environment, the access method of virtual execution environment and device

Family Cites Families (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0871128A2 (en) * 1997-04-10 1998-10-14 Digital Equipment Corporation Method and apparatus for providing a shared data region using shared page tables
US6549996B1 (en) * 1999-07-02 2003-04-15 Oracle Corporation Scalable multiple address space server
US7114053B2 (en) * 2003-08-21 2006-09-26 Texas Instruments Incorporated Virtual-to-physical address conversion in a secure system
US20060143411A1 (en) * 2004-12-23 2006-06-29 O'connor Dennis M Techniques to manage partition physical memory
US7734890B2 (en) * 2006-10-06 2010-06-08 Okralabs Llc Method and system for using a distributable virtual address space
CN101819564B (en) * 2009-02-26 2013-04-17 国际商业机器公司 Method and device for assisting communication between virtual machines
CN102110196B (en) * 2009-12-25 2015-04-29 中国长城计算机深圳股份有限公司 Method and system for safely transmitting data among parallel-running multiple user operating systems
US20120110575A1 (en) * 2010-10-29 2012-05-03 Unisys Corp. Secure partitioning with shared input/output
US8656137B2 (en) * 2011-09-01 2014-02-18 Qualcomm Incorporated Computer system with processor local coherency for virtualized input/output
EP2767110A4 (en) * 2011-10-12 2015-01-28 C Sam Inc A multi-tiered secure mobile transactions enabling platform
US9311011B2 (en) * 2013-08-07 2016-04-12 Qualcomm Incorporated Dynamic address negotiation for shared memory regions in heterogenous multiprocessor systems
CN105446713B (en) * 2014-08-13 2019-04-26 阿里巴巴集团控股有限公司 Method for secure storing and equipment
US9454497B2 (en) * 2014-08-15 2016-09-27 Intel Corporation Technologies for secure inter-virtual-machine shared memory communication
US9940456B2 (en) * 2014-12-16 2018-04-10 Intel Corporation Using trusted execution environments for security of code and data
CN104581214B (en) * 2015-01-28 2018-09-11 三星电子(中国)研发中心 Multimedia content guard method based on ARM TrustZone systems and device
CN106612306A (en) * 2015-10-22 2017-05-03 中兴通讯股份有限公司 Data sharing method and device of virtual machine
CN105488679B (en) * 2015-11-23 2019-12-03 北京小米支付技术有限公司 Mobile payment device, method and apparatus based on biological identification technology
CN106845174B (en) * 2015-12-03 2020-07-10 福州瑞芯微电子股份有限公司 Application authority management method and system under security system

Also Published As

Publication number Publication date
CN109460373A (en) 2019-03-12
CN109460373B (en) 2022-08-26

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18854261

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18854261

Country of ref document: EP

Kind code of ref document: A1