WO2021143168A1 - 可信执行环境操作系统崩溃处理方法及电子设备 - Google Patents

可信执行环境操作系统崩溃处理方法及电子设备 Download PDF

Info

Publication number
WO2021143168A1
WO2021143168A1 PCT/CN2020/115116 CN2020115116W WO2021143168A1 WO 2021143168 A1 WO2021143168 A1 WO 2021143168A1 CN 2020115116 W CN2020115116 W CN 2020115116W WO 2021143168 A1 WO2021143168 A1 WO 2021143168A1
Authority
WO
WIPO (PCT)
Prior art keywords
tee
ree
security
security service
execution environment
Prior art date
Application number
PCT/CN2020/115116
Other languages
English (en)
French (fr)
Inventor
胡夏蒙
贾宁
李�雨
王楠
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to EP20914130.8A priority Critical patent/EP4080365A4/en
Publication of WO2021143168A1 publication Critical patent/WO2021143168A1/zh
Priority to US17/866,196 priority patent/US11874743B2/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1441Resetting or repowering
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/1438Restarting or rejuvenating
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00Error detection; Error correction; Monitoring
    • G06F11/07Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/14Error detection or correction of the data by redundancy in operation
    • G06F11/1402Saving, restoring, recovering or retrying
    • G06F11/1415Saving, restoring, recovering or retrying at system level
    • G06F11/142Reconfiguring to eliminate the error
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • This application relates to the field of terminal technology, and in particular to a method and electronic device for handling a trusted execution environment operating system crash.
  • Electronic devices based on the ARM TrustZone include a rich execution environment (REE) and a trusted execution environment (TEE).
  • REE is also referred to as a normal execution environment, including a rich execution environment operating system (REE OS) and a client application (CA) running on a general-purpose processor.
  • TEE is also known as a secure execution environment. It can run a trusted execution environment operating system (TEE OS) to provide CA with reliable security services (such as fingerprint comparison services, password verification services, face comparison services). For services, etc., these security services can run on TEE OS in the form of a trusted application (TA).
  • TEE OS trusted execution environment operating system
  • TA trusted application
  • the TEE OS crashes, causing electronic equipment to often experience system jams and interruption of security services (such as unable to unlock, unable to pay, etc.) and other abnormalities.
  • the electronic device will force the whole machine to restart to return to the normal state of use. Since the restart of the whole machine takes a long time, and the user cannot use the electronic device during the restart of the electronic device, the user experience is poor.
  • the trusted execution environment operating system crash processing method and electronic device provided by the present application can prevent the entire electronic device from restarting when an unrecoverable failure occurs on the TEE side, reduce the total time consumed for restarting, and improve user experience.
  • this application provides a trusted execution environment operating system crash processing method, which is applied to electronic devices including a trusted execution environment TEE and a rich execution environment REE.
  • TEE is a trusted execution environment operating system TEE OS and Security service
  • the method may include: based on detecting the TEE OS crash during the running of the security service, the electronic device saves the hardware state parameters of the TEE when the TEEOS crashes and the security context of the REE, and suspends the security service; the electronic device restarts the TEE OS ; The electronic device sets the hardware state parameters of the TEE after restarting the TEE OS according to the saved hardware state parameters of the TEE; the electronic device sets the security context of the REE after restarting the TEE OS according to the saved security context settings of the REE, and the security context settings according to the saved REE After restarting the TEE OS, the context of the TEE; the electronic device restores the security service.
  • the hardware status parameters of the TEE may include the data of the registers in the TEE. In this way, if the TEE OS crashes, the hardware state parameters of the electronic device are saved. Then, after the TEE OS restarts, the hardware state can be quickly restored according to the saved hardware state parameters, which is conducive to quickly recovering the security services of the TEE.
  • the hardware state parameters of the TEE may also be referred to as the hardware state parameters of the TEE OS.
  • the TEE context may include: when the TEE OS crashes, the registered agents included in the TEE OS, the sessions that have established connections, and the registered security services. Specifically, before REE calls related modules in TEE to provide security services, REE sends a security service registration request to TEE, including instruction cache registration, proxy registration, and secure memory registration. The TEE processes the request, generates a proxy, establishes a session connection, and completes the registration of the corresponding security service. In addition, the subsequent TEE provides security services for the REE through this connection, and the context generated in this process is the security context.
  • the security context of the REE may include: when the TEE OS crashes, the agents that have been registered with the TEE, the sessions that have established a connection with the TEE, and the security services that have been registered with the REE, etc.
  • TEE is used to provide security services for REE, and its context is the security context.
  • the context of TEE in this article can also be understood as the security context of TEE.
  • TEE OS After resetting the hardware status parameters and security context, TEE OS has the ability to continue to provide security services for applications in REE, and electronic devices can restore security services. In other words, after the TEE OS is restored, the operation of the security service is based on the newly set hardware status parameters and the operation of the security context.
  • TEE OS can be restarted separately to restore security services. It will not cause the complete machine of the electronic device to be forced to restart, reducing the total time consumed for restarting.
  • the hardware state parameters of the TEE after the restart of the TEE OS can be set according to the hardware state parameters of the TEE saved before the restart of the TEE OS.
  • the security context of the REE and the TEE context after the restart of the TEE OS can be set according to the security context of the REE saved before the restart of the TEE OS to further ensure the rapid recovery of security services.
  • a rich execution environment operating system REE OS runs in the REE, and the method further includes: after the electronic device suspends the security service, the REE OS notifies the application security service corresponding to the security service to be unavailable.
  • the application corresponding to the security service is deployed in REE OS and the application invokes the security service.
  • the method further includes: after the electronic device suspends the security service, suspend receiving, through the REE OS, the request for the security service sent by any application in the REE.
  • the REE OS receives the security service request sent by the application and sends the corresponding security service request to the TEE OS again, resulting in the security service still processing errors and affecting the user experience.
  • the method further includes: after the electronic device suspends the security service, notify the application corresponding to the security service to exit the security service through REE OS; after the electronic device resumes the security service, notify the application corresponding to the security service through REE OS Restart the security service.
  • the electronic device exits the security service, which can avoid the failure of the first security service request caused by the partial context information saved in the REE OS after the TEE OS is restarted.
  • the security service includes any one or more of a fingerprint comparison service, a password verification service, and a face comparison service.
  • the hardware state parameters of the TEE include: data of registers in the TEE.
  • the register may be a sec_region register, which is used to store the base address of the memory region allocated for the security service.
  • sec_region register When TEE OS crashes, save the value in the sec_region register. After the TEE OS restarts according to the method provided in this embodiment of the application, it can quickly locate the memory location before the crash according to the value of the register.
  • the security context of the REE includes: registration information of the security service.
  • the TEE side provides the security service.
  • the security service Before the application on the REE side uses the security service, the security service usually needs to be registered in the REE, and the registration information will become part of the security context of the REE.
  • this application provides a trusted execution environment operating system crash processing method, which is applied to electronic devices including a trusted execution environment TEE and a rich execution environment REE.
  • the TEE provides security services for the REE, and the TEE contains the trusted execution environment.
  • Operating system TEE OS, REE contains rich execution environment operating system REE OS, the method includes: REE OS receives the first notification during the process of REE calling the security service; the first notification indicates that TEE OS has crashed; REE OS saves REE security Context, suspend the security service, and send a second notification to TEE OS to instruct TEE OS to restart; REE OS receives the third notification, and the third notification is TEE OS after setting the TEE hardware status parameters after restarting TEE OS and sending it to REE OS Notification; REE OS sets the security context of REE after restarting TEE OS according to the saved security context of REE; REE OS receives the fourth notification, and the fourth notification is TEE OS after setting the context of TEE after restarting TEE OS and sending it to REE OS Notice;
  • the REE OS saves the REE security context, for example, it may include the REE OS to save the current security context of the REE.
  • "current" refers to the REE security context when the save action is executed.
  • the security context before a certain length of time or other security contexts set by the system can be saved.
  • the REE OS in response to the third notification, will set the security context of the REE after restarting the TEE OS according to the saved security context of the REE. In response to the fourth notice, REE OS will resume security services.
  • the third notification can also be considered to indicate that the TEE OS has set the hardware status parameters for the TEE after restarting the TEE OS; the fourth notification can also be considered to indicate that the TEE OS has been restarted after the TEE OS has been restarted.
  • TEE sets the context. The specific form of the aforementioned notification is not limited in this application.
  • the method further includes: the REE OS sends a fifth notification to the application corresponding to the security service for notifying that the security service is unavailable.
  • the method further includes: the REE OS suspends receiving the request for the security service sent by any application in the REE.
  • REE OS suspension of the security service can be considered as sending a notification that the security service is unavailable to the application corresponding to the security service to inform the application corresponding to the security service that the security service is not provided in the current period; it can also be considered as a suspension of receiving the REE.
  • a request for a security service sent by any application it can also be considered that the REE OS receives a request for a security service sent by an application, but does not process it, that is, no longer sends a security service request to the TEE side, etc.
  • the method further includes: the REE OS sends a sixth notification to the application corresponding to the security service for exiting the security service.
  • the method further includes: the REE OS sends a seventh notification to the application corresponding to the security service for restarting the security service.
  • the security service includes any one or more of fingerprint comparison service, password verification service, and face comparison service.
  • the security context of the REE includes: registration information of the security service.
  • this application provides a trusted execution environment operating system crash processing method, which is applied to electronic devices including a trusted execution environment TEE and a rich execution environment REE.
  • the TEE provides security services for the REE, and the TEE contains the trusted execution environment.
  • Operating system TEE OS, REE contains rich execution environment operating system REE OS the method includes: in the process of TEE providing security services, if TEE OS crashes, TEE OS saves the TEE hardware state parameters, and sends the first notification to REE OS; The first notification is used to instruct REE OS to suspend security services; TEE OS restarts after receiving the second notification; among them, the second notification is a notification sent to TEE OS after REE OS suspends security services; TEE OS is based on the saved hardware status of TEE Parameter setting TEE hardware status parameters after restarting TEE OS, and sending a third notification to REE OS; the third notification is used to instruct REE OS to set the security context of REE after restarting TEE OS; TEE OS is set according to the security context of REE after restart
  • the TEE OS saves the TEE hardware state parameters, for example, it may include the TEE OS saves the current hardware state parameters of the TEE.
  • "current" refers to the hardware state parameters when the save action is executed.
  • the hardware state parameters prior to a certain length of time or other hardware state parameters set by the system can be saved.
  • the second notification may also be considered to indicate that the REE OS has suspended security services.
  • the specific form of the aforementioned notification is not limited in this application.
  • the security service includes any one or more of fingerprint comparison service, password verification service, and face comparison service.
  • the hardware state parameters of the TEE include: data of registers in the TEE.
  • this application provides a computer system that includes a trusted execution environment TEE and a rich execution environment REE.
  • the TEE provides security services for the REE; the TEE includes a trusted execution environment operating system TEE OS, a first storage unit, and a restart unit, REE includes the rich execution environment operating system REE OS, the second storage unit; TEE OS, used to run security services; the first storage unit, used in the process of TEE OS running security services, if the TEE OS crashes, save the TEE hardware State parameters; the second storage unit is used to save the REE security context; REE OS is also used to suspend the invocation of security services; the restart unit is used to restart TEE OS; the TEE OS is also used to set the hardware state parameters of the saved TEE TEE hardware state parameters after restarting TEE OS; REE OS is also used to set the security context of REE after restarting TEE OS according to the saved security context of REE, and TEE OS is also used to restart TEE according to the saved security context setting of REE The context of the
  • the device further includes: REE OS, which is also used to send a notification that the security service is unavailable to an application corresponding to the security service after the security service is suspended.
  • REE OS which is also used to send a notification that the security service is unavailable to an application corresponding to the security service after the security service is suspended.
  • the device further includes: REE OS, which is also used to suspend receiving the request for the security service sent by any application in the REE after the security service is suspended.
  • REE OS which is also used to suspend receiving the request for the security service sent by any application in the REE after the security service is suspended.
  • REE OS is also used to notify the application corresponding to the security service to exit the security service after the call to the security service is suspended; REE OS is also used to notify the security service corresponding to the security service after the call to the security service is resumed The application restarts the security service.
  • the security service includes any one or more of a fingerprint comparison service, a password verification service, and a face comparison service.
  • the hardware state parameters of the TEE include: data of registers in the TEE.
  • the security context of the REE includes: registration information of the security service.
  • the present application provides a device for implementing crash processing of a trusted execution environment operating system, including: a processing unit, a receiving unit, a storage unit, and a sending unit.
  • the processing unit is used to call the security service of the trusted execution environment TEE.
  • the receiving unit is configured to receive the first notification when the processing unit calls the security service for the REE; the first notification is used to notify the trusted execution environment operating system TEE OS that the OS has crashed.
  • the storage unit is used to store the REE security context of the rich execution environment.
  • the processing unit is also used to suspend security services.
  • the sending unit is used to send a second notification to the TEE OS; the second notification is used to instruct the TEE OS to restart.
  • the receiving unit is further configured to receive a third notification, and the third notification is a notification sent to the REE OS after the TEE OS sets the hardware state parameters of the TEE after restarting the TEE OS.
  • the processing unit is also used to set the security context of the REE after restarting the TEE OS according to the stored security context of the REE.
  • the receiving unit is further configured to receive a fourth notification, which is a notification sent to the REE OS after the TEE OS sets the context of the TEE after restarting the TEE OS.
  • the processing unit is also used to resume invoking security services.
  • the device for implementing the operating system crash processing of the trusted execution environment may be implemented by hardware, or by software, or by hardware executing corresponding software.
  • the device may refer to REE OS.
  • the sending unit is further configured to send a fifth notification to the application corresponding to the security service after the processing unit suspends invoking the security service, for notifying that the security service is unavailable.
  • the receiving unit is further configured to suspend receiving a request for a security service sent by any application in the REE after the processing unit suspends invoking the security service.
  • the sending unit is further configured to send a sixth notification to the application corresponding to the security service after the processing unit suspends invoking the security service, for exiting the security service.
  • the sending unit is further configured to send a seventh notification to the application corresponding to the security service after the processing unit resumes invoking the security service, for restarting the security service.
  • the security service includes any one or more of fingerprint comparison service, password verification service, and face comparison service.
  • the security context of the REE includes: registration information of the security service.
  • the present application provides a device for implementing crash processing of a trusted execution environment operating system, including: a processing unit, a storage unit, a sending unit, a receiving unit, and a restarting unit; the processing unit is used to provide security services.
  • the storage unit is used to save the TEE hardware state parameters if the processing unit crashes during the process of the processing unit providing security services.
  • the sending unit is used to send the first notification to the rich execution environment operating system REE OS; the first notification is used to instruct the REE OS to suspend the security service.
  • the receiving unit is configured to receive the second notification; where the second notification is a notification sent to the TEE OS after the REE OS suspends the security service.
  • the restart unit is used to restart the processing unit.
  • the processing unit is also used to set the hardware state parameters of the TEE after restarting according to the saved hardware state parameters of the TEE.
  • the sending unit is also used to send a third notification to the REE OS; the third notification is used to instruct the REE OS to set the security context of the REE after restarting.
  • the processing unit is also used to set the context of the restarted TEE according to the security context of the restarted REE.
  • the sending unit is also used to send the fourth notification to the REE OS; the fourth notification is used to instruct the REE OS to restore the security service.
  • the device for implementing the operating system crash processing of the trusted execution environment may be implemented by hardware, or by software, or by hardware executing corresponding software.
  • the device may refer to TEE OS.
  • the security service includes any one or more of fingerprint comparison service, password verification service, and face comparison service.
  • the hardware state parameters of the TEE include: data of registers in the TEE.
  • the present application provides an electronic device, which may include: one or more processors; wherein, the one or more processors include a trusted execution environment TEE and a rich execution environment REE.
  • TEE provides security for REE Services: TEE includes the trusted execution environment operating system TEE OS, and REE includes the rich execution environment operating system REE OS. Memory; and one or more computer programs.
  • One or more computer programs are stored in the memory, and the one or more computer programs include instructions.
  • the electronic device is caused to execute the trusted execution environment operating system crash handling method described in the first aspect to the third aspect and any one of the possible implementation manners.
  • the present application provides an electronic device that has the capability to implement the trusted execution environment operating system crash handling method described in the first to third aspects and any one of the possible implementations.
  • This function can be realized by hardware, or by hardware executing corresponding software.
  • the hardware or software includes one or more modules corresponding to the above-mentioned functions.
  • the present application provides a computer-readable storage medium including computer instructions.
  • the computer instructions run on an electronic device, the electronic device executes the above-mentioned first to third aspects, and any one of the possible The credible execution environment operating system crash processing method described in the implementation mode.
  • this application provides a computer program product, which when the computer program product runs on an electronic device, causes the electronic device to execute as described in the first aspect to the third aspect, and any one of the possible implementations. Trusted execution environment operating system crash processing method.
  • a circuit system in an eleventh aspect, includes a processing circuit configured to execute the trusted execution environment described in the first aspect to the third aspect and any one of the possible implementations. Operating system crash handling method.
  • an embodiment of the present application provides a chip system, which includes at least one processor and at least one interface circuit.
  • the at least one interface circuit is used to perform receiving and sending functions and send instructions to at least one processor.
  • the instruction is executed by the processor, at least one processor executes the trusted execution environment operating system crash processing method described in the first to third aspects and any one of the possible implementations.
  • FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of this application.
  • FIG. 2 is a schematic diagram of a TrustZone framework structure provided by an embodiment of the application
  • FIG. 3 is a first schematic flowchart of a method for processing a trusted execution environment operating system crash provided by an embodiment of the application;
  • 4A is a schematic diagram 1 of an application scenario of a trusted execution environment operating system crash processing method provided by an embodiment of the application;
  • 4B is a schematic diagram 2 of an application scenario of a method for handling a trusted execution environment operating system crash provided by an embodiment of the application;
  • FIG. 5 is a second schematic flowchart of a method for processing a trusted execution environment operating system crash provided by an embodiment of the application
  • FIG. 6 is a schematic diagram of the third application scenario of the method for processing a trusted execution environment operating system crash provided by an embodiment of the application;
  • FIG. 7 is a third schematic flowchart of a method for processing a trusted execution environment operating system crash provided by an embodiment of this application.
  • FIG. 8 is a schematic diagram 4 of an application scenario of a method for processing a trusted execution environment operating system crash provided by an embodiment of the application;
  • FIG. 9 is a schematic structural diagram of a computer system provided by an embodiment of this application.
  • FIG. 10 is a schematic structural diagram 1 of an apparatus for implementing a trusted execution environment operating system crash processing provided by an embodiment of this application;
  • FIG. 11 is a second structural diagram of a device for implementing crash processing of a trusted execution environment operating system provided by an embodiment of the application;
  • FIG. 12 is a schematic structural diagram of a chip system provided by an embodiment of the application.
  • the technical solutions provided in the embodiments of the present application can be applied to electronic devices with TEE and REE.
  • TEE OS in the TEE crashes, you can restart the TEE OS separately to avoid the restart of the whole machine (including restarting the TEE OS and REE OS), reduce the total time from the TEE OS crash to the recovery of the security service after the TEE OS restarts, and improve the electronic equipment Experience.
  • the electronic device in the embodiments of the present application may be a mobile phone (mobile phone), a tablet computer (pad), a computer with wireless transceiver function, a personal digital assistant (PDA), a smart watch, Netbooks, wearable electronic devices, augmented reality (AR) devices, virtual reality (VR) devices, in-vehicle devices, wireless terminals in industrial control, and self-driving Wireless terminals in remote medical (remote medical), wireless terminals in smart grid, wireless terminals in transportation safety, wireless terminals in smart city, smart homes (Smart home) wireless terminals, artificial intelligence (AI) terminals, etc.
  • PDA personal digital assistant
  • AR augmented reality
  • VR virtual reality
  • Wireless terminals in remote medical remote medical
  • wireless terminals in smart grid wireless terminals in transportation safety
  • wireless terminals in smart city smart homes (Smart home) wireless terminals
  • smart home wireless terminals smart home wireless terminals
  • AI artificial intelligence
  • FIG. 1 shows a schematic structural diagram of an electronic device 100.
  • the electronic device 100 may include a processor 110, an external memory interface 120, an internal memory 121, a universal serial bus (USB) interface 130, a charging management module 140, a power management module 141, a battery 142, an antenna 1, and an antenna 2.
  • Mobile communication module 150 wireless communication module 160, audio module 170, speaker 170A, receiver 170B, microphone 170C, earphone jack 170D, sensor module 180, buttons 190, motor 191, indicator 192, camera 193, display screen 194, and Subscriber identification module (subscriber identification module, SIM) card interface 195, etc.
  • SIM Subscriber identification module
  • the sensor module 180 may include a pressure sensor 180A, a gyroscope sensor 180B, an air pressure sensor 180C, a magnetic sensor 180D, an acceleration sensor 180E, a distance sensor 180F, a proximity light sensor 180G, a fingerprint sensor 180H, a temperature sensor 180J, a touch sensor 180K, and the environment Light sensor 180L, bone conduction sensor 180M, etc.
  • the structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100.
  • the electronic device 100 may include more or fewer components than shown, or combine certain components, or disassemble certain components, or arrange different components.
  • the illustrated components can be implemented in hardware, software, or a combination of software and hardware.
  • the processor 110 may include one or more processing units.
  • the processor 110 may include an application processor (AP), a modem processor, a graphics processing unit (GPU), and an image signal processor. (image signal processor, ISP), controller, memory, video codec, digital signal processor (digital signal processor, DSP), baseband processor, and/or neural-network processing unit (NPU) Wait.
  • AP application processor
  • modem processor modem processor
  • GPU graphics processing unit
  • image signal processor image signal processor
  • ISP image signal processor
  • controller memory
  • video codec digital signal processor
  • DSP digital signal processor
  • NPU neural-network processing unit
  • the different processing units may be independent devices or integrated in one or more processors.
  • the controller may be the nerve center and command center of the electronic device 100.
  • the controller can generate operation control signals according to the instruction operation code and timing signals to complete the control of fetching instructions and executing instructions.
  • a memory may also be provided in the processor 110 to store instructions and data.
  • the memory in the processor 110 is a cache memory.
  • the memory can store instructions or data that have just been used or recycled by the processor 110. If the processor 110 needs to use the instruction or data again, it can be directly called from the memory. Repeated accesses are avoided, the waiting time of the processor 110 is reduced, and the efficiency of the system is improved.
  • the operating environment of the processor 110 may include TEE and REE.
  • TEE runs a trusted application (TA) and TEE OS
  • REE runs CA and REE OS.
  • the REE side is responsible for receiving the security service request sent by the user to the CA, and invokes the security service on the TEE side according to the security service request.
  • the CA receives the fingerprint entered by the user, sends the fingerprint template to the TEE side through REE OS, and the TEE security service compares the user's fingerprint with the pre-stored fingerprint template.
  • TEE returns the comparison result to CA via REE. If the comparison fails, the user will be prompted "fingerprint unlock failed, please enter your fingerprint again", etc. If the comparison is successful, the user identity verification is successful, and corresponding operations (such as payment, unlocking, etc.) can be performed.
  • the processor 110 may independently restart the TEE OS to restore the security service of the TEE. It should be noted that the REE OS is not restarted in this embodiment of the application. In this way, it is beneficial to reduce the time consumption from the collapse of the TEE OS to the restoration of the security service on the TEE side, and to improve the operating efficiency of the electronic equipment.
  • the processor 110 may include one or more interfaces.
  • the interface can include an integrated circuit (inter-integrated circuit, I2C) interface, an integrated circuit built-in audio (inter-integrated circuit sound, I2S) interface, a pulse code modulation (pulse code modulation, PCM) interface, and a universal asynchronous transmitter (universal asynchronous) interface.
  • I2C integrated circuit
  • I2S integrated circuit built-in audio
  • PCM pulse code modulation
  • UART universal asynchronous transmitter
  • MIPI mobile industry processor interface
  • GPIO general-purpose input/output
  • SIM subscriber identity module
  • USB Universal Serial Bus
  • the I2C interface is a bidirectional synchronous serial bus, including a serial data line (SDA) and a serial clock line (SCL).
  • the processor 110 may include multiple sets of I2C buses.
  • the processor 110 may be coupled to the touch sensor 180K, charger, flash, camera 193, etc., respectively through different I2C bus interfaces.
  • the processor 110 may couple the touch sensor 180K through an I2C interface, so that the processor 110 and the touch sensor 180K communicate through the I2C bus interface to implement the touch function of the electronic device 100.
  • the MIPI interface can be used to connect the processor 110 with the display screen 194, the camera 193 and other peripheral devices.
  • the MIPI interface includes a camera serial interface (camera serial interface, CSI), a display serial interface (display serial interface, DSI), and so on.
  • the processor 110 and the camera 193 communicate through a CSI interface to implement the shooting function of the electronic device 100.
  • the processor 110 and the display screen 194 communicate through a DSI interface to realize the display function of the electronic device 100.
  • the GPIO interface can be configured through software.
  • the GPIO interface can be configured as a control signal or as a data signal.
  • the GPIO interface can be used to connect the processor 110 with the camera 193, the display screen 194, the wireless communication module 160, the audio module 170, the sensor module 180, and so on.
  • the GPIO interface can also be configured as an I2C interface, I2S interface, UART interface, MIPI interface, etc.
  • the USB interface 130 is an interface that complies with the USB standard specification, and specifically may be a Mini USB interface, a Micro USB interface, a USB Type C interface, and so on.
  • the USB interface 130 can be used to connect a charger to charge the electronic device 100, and can also be used to transfer data between the electronic device 100 and peripheral devices. It can also be used to connect earphones and play audio through earphones. This interface can also be used to connect other electronic devices, such as AR devices.
  • the interface connection relationship between the modules illustrated in the embodiment of the present application is merely a schematic description, and does not constitute a structural limitation of the electronic device 100.
  • the electronic device 100 may also adopt different interface connection modes in the foregoing embodiments, or a combination of multiple interface connection modes.
  • the charging management module 140 is used to receive charging input from the charger.
  • the charger can be a wireless charger or a wired charger.
  • the charging management module 140 may receive the charging input of the wired charger through the USB interface 130.
  • the charging management module 140 may receive the wireless charging input through the wireless charging coil of the electronic device 100. While the charging management module 140 charges the battery 142, it can also supply power to the electronic device through the power management module 141.
  • the power management module 141 is used to connect the battery 142, the charging management module 140 and the processor 110.
  • the power management module 141 receives input from the battery 142 and/or the charging management module 140, and supplies power to the processor 110, the internal memory 121, the external memory, the display screen 194, the camera 193, and the wireless communication module 160.
  • the power management module 141 can also be used to monitor parameters such as battery capacity, battery cycle times, and battery health status (leakage, impedance).
  • the power management module 141 may also be provided in the processor 110.
  • the power management module 141 and the charging management module 140 may also be provided in the same device.
  • the wireless communication function of the electronic device 100 can be implemented by the antenna 1, the antenna 2, the mobile communication module 150, the wireless communication module 160, the modem processor, and the baseband processor.
  • the antenna 1 and the antenna 2 are used to transmit and receive electromagnetic wave signals.
  • Each antenna in the electronic device 100 can be used to cover a single or multiple communication frequency bands. Different antennas can also be reused to improve antenna utilization.
  • Antenna 1 can be multiplexed as a diversity antenna of a wireless local area network.
  • the antenna can be used in combination with a tuning switch.
  • the mobile communication module 150 can provide a wireless communication solution including 2G/3G/4G/5G and the like applied to the electronic device 100.
  • the mobile communication module 150 may include at least one filter, a switch, a power amplifier, a low noise amplifier (LNA), and the like.
  • the mobile communication module 150 can receive electromagnetic waves by the antenna 1, and perform processing such as filtering, amplifying and transmitting the received electromagnetic waves to the modem processor for demodulation.
  • the mobile communication module 150 can also amplify the signal modulated by the modem processor, and convert it into electromagnetic waves for radiation via the antenna 1.
  • at least part of the functional modules of the mobile communication module 150 may be provided in the processor 110.
  • at least part of the functional modules of the mobile communication module 150 and at least part of the modules of the processor 110 may be provided in the same device.
  • the modem processor may include a modulator and a demodulator.
  • the modulator is used to modulate the low frequency baseband signal to be sent into a medium and high frequency signal.
  • the demodulator is used to demodulate the received electromagnetic wave signal into a low-frequency baseband signal.
  • the demodulator then transmits the demodulated low-frequency baseband signal to the baseband processor for processing.
  • the application processor outputs a sound signal through an audio device (not limited to the speaker 170A, the receiver 170B, etc.), or displays an image or video through the display screen 194.
  • the modem processor may be an independent device.
  • the modem processor may be independent of the processor 110 and be provided in the same device as the mobile communication module 150 or other functional modules.
  • the wireless communication module 160 can provide applications on the electronic device 100 including wireless local area networks (WLAN) (such as wireless fidelity (Wi-Fi) networks), bluetooth (BT), and global navigation satellites.
  • WLAN wireless local area networks
  • BT wireless fidelity
  • GNSS global navigation satellite system
  • FM frequency modulation
  • NFC near field communication technology
  • infrared technology infrared, IR
  • the wireless communication module 160 may be one or more devices integrating at least one communication processing module.
  • the wireless communication module 160 receives electromagnetic waves via the antenna 2, frequency modulates and filters the electromagnetic wave signals, and sends the processed signals to the processor 110.
  • the wireless communication module 160 may also receive a signal to be sent from the processor 110, perform frequency modulation, amplify, and convert it into electromagnetic waves to radiate through the antenna 2.
  • the antenna 1 of the electronic device 100 is coupled with the mobile communication module 150, and the antenna 2 is coupled with the wireless communication module 160, so that the electronic device 100 can communicate with the network and other devices through wireless communication technology.
  • the wireless communication technology may include global system for mobile communications (GSM), general packet radio service (GPRS), code division multiple access (CDMA), broadband Code division multiple access (wideband code division multiple access, WCDMA), time-division code division multiple access (TD-SCDMA), long term evolution (LTE), BT, GNSS, WLAN, NFC , FM, and/or IR technology, etc.
  • the GNSS may include global positioning system (GPS), global navigation satellite system (GLONASS), Beidou navigation satellite system (BDS), quasi-zenith satellite system (quasi -zenith satellite system, QZSS) and/or satellite-based augmentation systems (SBAS).
  • GPS global positioning system
  • GLONASS global navigation satellite system
  • BDS Beidou navigation satellite system
  • QZSS quasi-zenith satellite system
  • SBAS satellite-based augmentation systems
  • the electronic device 100 implements a display function through a GPU, a display screen 194, an application processor, and the like.
  • the GPU is an image processing microprocessor, which is connected to the display screen 194 and the application processor.
  • the GPU is used to perform mathematical and geometric calculations and is used for graphics rendering.
  • the processor 110 may include one or more GPUs that execute program instructions to generate or change display information.
  • the display screen 194 is used to display images, videos, and the like.
  • the display screen 194 includes a display panel.
  • the display panel can use liquid crystal display (LCD), organic light-emitting diode (OLED), active matrix organic light-emitting diode or active-matrix organic light-emitting diode (active-matrix organic light-emitting diode).
  • LCD liquid crystal display
  • OLED organic light-emitting diode
  • active-matrix organic light-emitting diode active-matrix organic light-emitting diode
  • AMOLED flexible light-emitting diode (FLED), Miniled, MicroLed, Micro-oLed, quantum dot light-emitting diode (QLED), etc.
  • the electronic device 100 may include one or N display screens 194, and N is a positive integer greater than one.
  • the electronic device 100 can implement a shooting function through an ISP, a camera 193, a video codec, a GPU, a display screen 194, and an application processor.
  • the ISP is used to process the data fed back from the camera 193. For example, when taking a picture, the shutter is opened, the light is transmitted to the photosensitive element of the camera through the lens, the light signal is converted into an electrical signal, and the photosensitive element of the camera transmits the electrical signal to the ISP for processing and is converted into an image visible to the naked eye.
  • ISP can also optimize the image noise, brightness, and skin color. ISP can also optimize the exposure, color temperature and other parameters of the shooting scene.
  • the ISP may be provided in the camera 193.
  • the camera 193 is used to capture still images or videos.
  • the object generates an optical image through the lens and is projected to the photosensitive element.
  • the photosensitive element may be a charge coupled device (CCD) or a complementary metal-oxide-semiconductor (CMOS) phototransistor.
  • CMOS complementary metal-oxide-semiconductor
  • the photosensitive element converts the optical signal into an electrical signal, and then transmits the electrical signal to the ISP to convert it into a digital image signal.
  • ISP outputs digital image signals to DSP for processing.
  • DSP converts digital image signals into standard RGB, YUV and other formats of image signals.
  • the electronic device 100 may include one or N cameras 193, and N is a positive integer greater than one.
  • Digital signal processors are used to process digital signals. In addition to digital image signals, they can also process other digital signals. For example, when the electronic device 100 selects the frequency point, the digital signal processor is used to perform Fourier transform on the energy of the frequency point.
  • Video codecs are used to compress or decompress digital video.
  • the electronic device 100 may support one or more video codecs. In this way, the electronic device 100 can play or record videos in multiple encoding formats, such as: moving picture experts group (MPEG) 1, MPEG2, MPEG3, MPEG4, and so on.
  • MPEG moving picture experts group
  • MPEG2 MPEG2, MPEG3, MPEG4, and so on.
  • NPU is a neural-network (NN) computing processor.
  • NN neural-network
  • applications such as intelligent cognition of the electronic device 100 can be realized, such as image recognition, face recognition, voice recognition, text understanding, and so on.
  • the external memory interface 120 may be used to connect an external memory card, such as a Micro SD card, to expand the storage capacity of the electronic device 100.
  • the external memory card communicates with the processor 110 through the external memory interface 120 to realize the data storage function. For example, save music, video and other files in an external memory card.
  • the internal memory 121 may be used to store computer executable program code, where the executable program code includes instructions.
  • the processor 110 executes various functional applications and data processing of the electronic device 100 by running instructions stored in the internal memory 121.
  • the internal memory 121 may include a storage program area and a storage data area.
  • the storage program area can store an operating system, an application program (such as a sound playback function, an image playback function, etc.) required by at least one function, and the like.
  • the data storage area can store data (such as audio data, phone book, etc.) created during the use of the electronic device 100.
  • the internal memory 121 may include a high-speed random access memory, and may also include a non-volatile memory, such as at least one magnetic disk storage device, a flash memory device, a universal flash storage (UFS), and the like.
  • UFS universal flash storage
  • the internal memory 121 may be used to store a TEE OS image and the like.
  • the TEE OS image can be the most original image, or it can be a TEE OS memory snapshot that is periodically saved.
  • the electronic device 100 can call the stored TEE OS image from the internal memory 121, and then restore the TEE OS to the state before the crash and repair the abnormality.
  • the memory storage 121 may also include an area for storing data related to the TEE security service, and the storage space corresponding to the area may also be referred to as "secure memory.”
  • the electronic device 100 can implement audio functions through the audio module 170, the speaker 170A, the receiver 170B, the microphone 170C, the earphone interface 170D, and the application processor. For example, music playback, recording, etc.
  • the audio module 170 is used to convert digital audio information into an analog audio signal for output, and is also used to convert an analog audio input into a digital audio signal.
  • the audio module 170 can also be used to encode and decode audio signals.
  • the audio module 170 may be provided in the processor 110, or part of the functional modules of the audio module 170 may be provided in the processor 110.
  • the speaker 170A also called “speaker” is used to convert audio electrical signals into sound signals.
  • the electronic device 100 can listen to music through the speaker 170A, or listen to a hands-free call.
  • the receiver 170B also called “earpiece” is used to convert audio electrical signals into sound signals.
  • the electronic device 100 answers a call or voice message, it can receive the voice by bringing the receiver 170B close to the human ear.
  • the microphone 170C also called “microphone”, “microphone”, is used to convert sound signals into electrical signals.
  • the user can make a sound by approaching the microphone 170C through the human mouth, and input the sound signal into the microphone 170C.
  • the electronic device 100 may be provided with at least one microphone 170C. In other embodiments, the electronic device 100 may be provided with two microphones 170C, which can implement noise reduction functions in addition to collecting sound signals. In other embodiments, the electronic device 100 may also be provided with three, four or more microphones 170C to collect sound signals, reduce noise, identify sound sources, and realize directional recording functions.
  • the earphone interface 170D is used to connect wired earphones.
  • the earphone interface 170D may be a USB interface 130, or a 3.5mm open mobile terminal platform (OMTP) standard interface, and a cellular telecommunications industry association (cellular telecommunications industry association of the USA, CTIA) standard interface.
  • OMTP open mobile terminal platform
  • CTIA cellular telecommunications industry association of the USA, CTIA
  • the fingerprint sensor 180H is used to collect fingerprints.
  • the electronic device 100 can use the collected fingerprint characteristics to implement fingerprint unlocking, access application locks, fingerprint photographs, fingerprint answering calls, and so on.
  • the button 190 includes a power-on button, a volume button, and so on.
  • the button 190 may be a mechanical button. It can also be a touch button.
  • the electronic device 100 may receive key input, and generate key signal input related to user settings and function control of the electronic device 100.
  • the motor 191 can generate vibration prompts.
  • the motor 191 can be used for incoming call vibration notification, and can also be used for touch vibration feedback.
  • touch operations applied to different applications can correspond to different vibration feedback effects.
  • Acting on touch operations in different areas of the display screen 194, the motor 191 can also correspond to different vibration feedback effects.
  • Different application scenarios for example: time reminding, receiving information, alarm clock, games, etc.
  • the touch vibration feedback effect can also support customization.
  • the indicator 192 may be an indicator light, which may be used to indicate the charging status, power change, or to indicate messages, missed calls, notifications, and so on.
  • the SIM card interface 195 is used to connect to the SIM card.
  • the SIM card can be inserted into the SIM card interface 195 or pulled out from the SIM card interface 195 to achieve contact and separation with the electronic device 100.
  • the electronic device 100 may support 1 or N SIM card interfaces, and N is a positive integer greater than 1.
  • the SIM card interface 195 can support Nano SIM cards, Micro SIM cards, SIM cards, etc.
  • the same SIM card interface 195 can insert multiple cards at the same time. The types of the multiple cards can be the same or different.
  • the SIM card interface 195 can also be compatible with different types of SIM cards.
  • the SIM card interface 195 can also be compatible with external memory cards.
  • the electronic device 100 interacts with the network through the SIM card to implement functions such as call and data communication.
  • the electronic device 100 adopts an eSIM, that is, an embedded SIM card.
  • the eSIM card can be embedded in the electronic device 100 and cannot be separated from the electronic device 100.
  • FIG. 2 is a schematic diagram of a TrustZone framework structure that the electronic device 100 may include in an embodiment of the application.
  • the electronic device 100 includes a hardware platform 201, an ARM trusted firmware (ATF) 202, and a rich execution environment (REE) 203 and a trusted execution environment (REE) based on the hardware platform 201 and the ARM trusted firmware 202 ( TEE)204.
  • ATF ARM trusted firmware
  • REE rich execution environment
  • REE trusted execution environment
  • the hardware platform 201 is used to support the operation of the electronic device 100 and to store secure hardware resources.
  • the secure hardware resources may include: secure memory 2011, hardware keys, secure keyboards, and so on.
  • the secure memory 2011 is used to store the backup TEE OS image and to store security service related data.
  • REE203 is a common execution environment in the electronic device 100.
  • a client application (CA) 210 and a rich execution environment operating system (REE OS) 211 can be run.
  • CA210 includes applications that can provide users with security services.
  • the REE OS 211 communicates with a trusted execution environment operating system (TEE OS) 214 through a trusted execution environment client application programming interface (application programming interface, API) 212, and requests security service support.
  • TEE OS trusted execution environment operating system
  • API application programming interface
  • the REE OS211 includes a driver 220, which is used to support the completion of data transfer between the system and hardware devices, and to support the interactive work of security services between REE203 and TEE204.
  • a security service module 230 security service driver
  • clock driver etc.
  • the security service module 230 can be used to provide security services for CA210 in REE203, and/or obtain security services from TEE204 for CA210 in REE203.
  • the security service module 230 may include a security service suspension module 240, a REE security state storage module 241, and a REE security state recovery module 242.
  • the security service suspension module 240 is used to prevent the CA210 in the REE203 from sending a security service request to the REEOS211 during the restart of the TEE OS214.
  • the REE security state storage module 241 is used to save security service-related parameters on the REE 203 side, such as security context, before the TEE OS214 restarts.
  • the REE security state restoration module 242 is used to restore the security service-related parameters on the REE 203 side, such as the security context, after the TEE OS214 restarts.
  • the specific functions and interactions of each module will be described in detail below.
  • the security service suspension module 240, the REE security state storage module 241, and the REE security state recovery module 242 may be independent modules, or some of these modules may be combined, which is not limited in the embodiment of the present application.
  • the REE OS211 may also include a kernel core module 221 and a file system module 222.
  • the kernel core module 221 is the kernel of the operating system and is used to provide core service support. Including responsible for the drive of the entire hardware, as well as providing the core functions required by various systems.
  • the file system module 222 is used to provide file-related services such as file access support.
  • data is stored in the peripheral in the form of a file, and is transferred to the memory by the file system module 222 when needed. Its main function is to maintain files, manage files, protect files and improve system resource utilization.
  • TEE204 which is a trusted execution environment in the electronic device 100, can provide security services for the REE203 side.
  • TEE204 is a secure area that runs trusted applications (TA) 213 and TEE OS214 in an independent environment. It can ensure that the confidentiality and integrity of the code and data loaded in the TEE204 are protected.
  • TEE OS214 communicates with TEE OS211 by calling the internal application programming interface 215 of the trusted execution environment to provide security service support.
  • the TEE OS214 includes a crash processing module 223, which can be used to deal with the problem of abnormal crashes on the TEE204 side, resulting in the inability to provide security services for the REE203 side.
  • the crash processing module 223 includes a TEE initialization module 231, which can be used to initialize the TEE204 when the TEE204 is abnormal.
  • the TEE initialization module 231 may include a TEE security state restoration module 243, which is used to restore security service-related parameters on the TEE 204 side, such as hardware state parameters, context, etc., after the TEE OS 214 is restarted.
  • the crash processing module 223 also includes a TEE exception processing module 232, which can be used to deal with an exception that occurs in the TEE 204, for example, it can include a TEE OS214 crash exception.
  • the TEE exception processing module 232 may include a TEE security state storage module 244 and a TEE OS restart module 245.
  • the TEE security state saving module 244 is configured to save parameters related to security services on the TEE 204 side, such as hardware state parameters, before the TEE OS 214 is restarted.
  • the TEE OS restart module 245 is used to restart the TEE OS214. Among them, the specific functions and interactions of each module will be described in detail below.
  • TEE security state recovery module 243 can be independent modules, or some of them can be combined, which is not limited in the embodiment of the application. .
  • the TEE OS 214 may also include a trusted execution environment communication agent 224, a trusted operating system core framework 225, and a trusted driver 226.
  • the trusted execution environment communication agent 224 is an agent used to support the communication between the TEE and the REE.
  • the trusted operating system core framework 225 is used to provide core services of TEE204 and supports TEE OS214. Such as managing memory, processes, threads, etc.
  • the trusted driver 226 is used to provide driver services for the TEE204.
  • the driver performs fingerprint matching security services.
  • the structure illustrated in the embodiment of the present application does not constitute a specific limitation on the electronic device 100.
  • the electronic device 100 may include more or fewer components than those shown in the figure, or combine certain components, or split certain components, or arrange different components.
  • the illustrated components can be implemented in hardware, software, or a combination of software and hardware.
  • FIG. 3 is a schematic flowchart of a method for handling a trusted execution environment operating system crash provided by an embodiment of the application.
  • the method may include step S101 to step S106:
  • the electronic device when the electronic device is running the application program, when the application program involves a security service (such as a user authentication service, etc.), it will call related modules in the TEE through the REE.
  • a security service such as a user authentication service, etc.
  • REE In the process of REE calling related modules in TEE to provide security services, if an unrepairable failure occurs in TEE OS, it will cause TEE OS to crash and cause the stop or interruption of security services.
  • the reasons for the crash of TEE OS include but are not limited to: third-party driver problems, core service code vulnerabilities (bugs), and some hardware failures.
  • the electronic device is a mobile phone
  • a mobile phone manufacturer can integrate fingerprint recognition modules from other hardware manufacturers on the mobile phone.
  • the TEE OS of the mobile phone needs to use a third-party driver code to call the fingerprint recognition module.
  • the third-party driver code is abnormal, the phone itself cannot repair the third-party driver code, which may cause the TEE OS to crash.
  • the fingerprint recognition module of other hardware manufacturers has a hardware failure, the TEE OS of the mobile phone cannot drive the fingerprint recognition module, which may also cause the TEE OS to crash.
  • TEE OS uses multiple registers in the process of providing security services. If any one or several of the registers fails, it may cause the TEE OS to read and write abnormally, and then cause the TEE OS to crash.
  • the TEE OS may first save the TEE hardware state parameters.
  • the TEE hardware state parameters may include the data of each register in the TEE, for example, the sec_region register, which is used to store the base address of the memory region allocated for the security service.
  • the sec_region register When TEE OS crashes, save the value in the sec_region register.
  • the TEE OS restarts according to the method provided in this embodiment of the application, it can quickly locate the memory location before the crash according to the value of the register. It is understandable that when the TEE OS is running the security service, it will constantly read the value of the relevant register and store the calculated data in the corresponding register, so the data in the register in the TEE can reflect the status of the TEE hardware operation.
  • the TEE hardware state parameters may also be other parameters that reflect the related hardware state of the TEE, which is not limited in the embodiment of the present application.
  • the TEE OS saves the TEE hardware state parameters, for example, it may include the TEE OS saves the current security context of the TEE.
  • "current" refers to the TEE hardware state parameters when the save action is executed.
  • the hardware state parameters prior to a certain length of time or other hardware state parameters set by the system can be saved.
  • the hardware state parameters of the electronic device are saved. Then, after the TEE OS restarts, the hardware state can be quickly restored according to the saved hardware state parameters, which is conducive to quickly recovering the security services of the TEE and improving the user experience.
  • the electronic device may have performed part of the data reading and writing work related to the fingerprint comparison security service, that is, the value of at least some of the registers in the TEE has changed. Then, saving the value of the register in the TEE is beneficial to use the saved value of the register in the TEE to directly set the value of the register in the TEE after the restart after the TEE OS restarts, without the need to perform related data reading and writing after the restart.
  • the work is conducive to speeding up the restoration of TEE’s fingerprint payment-related security services.
  • the TEE OS when it is determined that the TEE OS has crashed, it is also possible to first confirm whether the hardware of the electronic device is malfunctioning, or determine which hardware is malfunctioning. If it is determined that the hardware of the electronic device has not failed, all hardware state parameters can be directly saved. If it is determined that one or some hardware of the electronic device is faulty, the state parameters of the other hardware that has not failed are saved. In some examples, the state parameters of the malfunctioning hardware or hardware may be saved as zero.
  • the electronic device saves the REE security context and suspends the security service.
  • TEE OS after the TEE OS crashes, the security service request sent by the REE side cannot be processed.
  • TEE OS sends notifications to REE OS to inform TEE OS that it has crashed. After receiving the notification, REE OS saves data related to REE side security services.
  • the REE OS suspends receiving new security service requests sent by the application program to prevent the REE OS from receiving a new security service request from still causing abnormalities due to a TEE OS crash.
  • the REE OS may not process the new security service request after receiving the new security service request, or even directly discard the received new security service request.
  • an interface for receiving security service requests is set in the REE OS, such as invoking a command interface (invoke command KPI). Set a switch in this interface. When REE OS confirms that TEE OS has crashed, the check value of this interface is set to fail. In this way, it is implemented to suspend receiving new security service requests, or not to process after receiving a new security service request.
  • the REE OS stores the REE security context, for example, it may include the REE OS storing the current security context of the REE.
  • "current" refers to the REE security context when the save action is executed.
  • the security context before a certain length of time or other security contexts set according to the system can be saved.
  • the security context of the REE may include, for example, security service-related status such as the registration information of the security service.
  • the registration information of the security service may include the allocation result of the security memory (memory used to store security service related data), the instruction buffer address, the currently registered work agent (agent) with the TEE, and the session that has currently established a connection with the TEE ( session), the security services currently registered with the TEE, etc. It is understandable that before the REE calls related modules in the TEE to provide security services, it will first register the instruction cache, proxy registration, and secure memory registration with the TEE. After the TEE crashes and restarts, the security service connection established between the REE and the TEE before the TEE crashes fails.
  • the security context of the REE is saved here to obtain the security service registration information.
  • the REE can send a security service registration request to the TEE according to the registration information to re-establish the connection, and directly restore the relevant context in the TEE according to the saved REE security context.
  • Security services may include services related to user identity verification, such as fingerprint matching services, password verification services, face matching services, and so on.
  • TEE compares the collected user fingerprints with pre-stored fingerprint templates. If the TEE OS crashes during the comparison process, it cannot support the completion of the comparison between the collected user fingerprints and the fingerprint template.
  • REE OS can suspend security services related to fingerprint matching. In some examples, REE OS can send a notification of TEE OS crash to the Alipay application. In other examples, if the Alipay application has not received the fingerprint comparison result sent by REE OS within the preset time period, it is determined that the security service request failed or abnormality occurred.
  • the REE OS may send a notification to the application corresponding to the security service in the REE for notifying that the security service in the TEE is unavailable. Then, after receiving the notification, the application suspends sending new security service requests.
  • a list can be preset in REE OS. The list is used to display the security services that are running or waiting to run among the security services that have been registered on the REE side. After the TEE OS crashes, the security services cannot continue to be provided, so The security services included in the list need to be suspended. By obtaining the security services included in the list, the registration information of the security services can be obtained, and then the application information corresponding to each security service can be obtained according to the registration information.
  • the REE OS can send a notification that the security service is unavailable to the corresponding application. After the application receives the notification, it can automatically suspend sending new security service requests.
  • the electronic device may reinitialize the TEE OS to the most original state according to the TEE OS image backed up in the secure memory.
  • the electronic device periodically saves the TEE OS memory snapshot during operation, then the electronic device can reinitialize the TEE OS to the latest correct state with the memory snapshot saved at the latest time point.
  • the electronic device sets the hardware state parameters of the TEE after restarting the TEE OS according to the hardware state parameters of the TEE saved before restarting the TEE OS.
  • the security hardware state parameters of the TEE are first restored to support the subsequent restoration of the software parameters of the TEE, such as the context.
  • the hardware state parameters of the TEE after the TEE OS restarts are set to the hardware state parameters of the TEE before the TEE OS restarts to quickly restore the hardware state.
  • the electronic device when a user uses Alipay to make a fingerprint payment, if the TEE OS crashes, the electronic device saves the value of each register in the TEE at this time. After the TEE OS restarts, the electronic device can directly set the value of the register in the TEE after restart according to the value of the saved register in the TEE, which is convenient for quickly restoring the fingerprint payment-related security services of the TEE.
  • the electronic device sets the security context of the REE after restarting the TEE OS according to the security context of the REE saved before restarting the TEE OS, and setting the security context of the TEE after restarting the TEE OS according to the security context of the REE saved before restarting the TEE OS.
  • the security context of the REE and the context of the TEE can be gradually restored. For example: gradually set the security context of the restarted REE according to the saved security context of the REE, and then gradually perform related operations related to the security service according to the set REE security context to restore the context on the TEE side. For example, completing the registration of the instruction cache, the registration of the agent, the registration of the secure memory, the restoration of the session connection between the REE OS and the application, and the restart of the security service process.
  • REE OS obtains the security service registration information according to the saved REE security context, and according to the security service registration information, sends part or all of the security service registration request to TEE OS, and REE OS restores the security service according to the registration request. register. For example, completing the registration of the instruction cache, the registration of the agent, the registration of the secure memory, the restoration of the session connection between the TEE OS and the REE OS, and the restart of the security service process. After that, TEE OS continues to send subsequent security service requests until the registration of all security services is completed. That is, the security context of REE and the context of TEE are restored to the state before TEE OS crashes, which can provide security services.
  • the TEE OS after setting the security context of the REE and the context of the TEE after restarting, the TEE OS has the ability to continue to provide security services for the applications in the REE, and the TEE OS can send a notification to the REE to restore the security suspended in step S102. service.
  • the face comparison security service requires coordinated control of multiple processes, for example, the coordinated control of the first process and the second process is required, and the order is that the first process is executed first, and then the second process is executed.
  • the electronic device restores the face comparison security service
  • the first process needs to be restored first, and then the second process is restored. Before the second process is restored, it will be confirmed whether the first process has been restored. If it has been restored, the second process starts to recover; if not, the second process waits for the first process to recover and then resumes; or, after the first process is restored first, the first process informs the second process to start the recovery.
  • the embodiment of the application does not limit this.
  • the TEE OS when the TEE OS in the TEE crashes, the TEE OS can be restarted separately, thereby avoiding the restart of the whole machine in the prior art (including restarting the TEE OS and REE OS), and reducing the recovery from the TEE OS crash to the TEE OS restarting.
  • the total time consumption of the service improves the experience of using electronic equipment.
  • the memory space data when the TEE OS crashes can be saved on the REE side, and the abnormal memory space data on the TEE side will not be lost.
  • Scenario 1 A scenario where TEE OS crashes during the process of electronic equipment providing security services.
  • the interface 11 is an interface for the mobile Alipay application to provide the user with a fingerprint payment function.
  • the mobile phone collects the fingerprint entered by the user.
  • the REE OS of the mobile phone calls the security service module in the TEE to compare the fingerprints entered by the user.
  • the mobile phone can display the interface 14 shown in (d) in Figure 4A, prompting the user to enter the fingerprint again Interface.
  • the phone restarts TEE OS alone.
  • REE OS will not be restarted. Therefore, in the process of restarting the TEE OS, the mobile phone will not black out, and the interface 14 as shown in (d) in FIG. 4A can be maintained.
  • the mobile phone can compare the fingerprint input by the user. It can be seen that, through the trusted execution environment operating system crash processing method provided by the embodiments of the present application, the time-consuming process from the TEE OS crash to the recovery of the security service can be effectively reduced.
  • Scenario 2 A scenario where the TEE OS crashes when the electronic device provides security services and other services at the same time.
  • a mobile phone is still taken as an example of an electronic device for illustration. If the user is using the fingerprint recognition function of the Alipay application during the call. The mobile phone displays an interface 15 as shown in (a) in Fig. 4B. A call function prompt area 151 is displayed in the interface 15, prompting the user to return to the call interface by clicking the call function prompt area 151. When the mobile phone switches to another page while providing the call function, the call function prompt area 151 will be displayed. After the mobile phone collects the user's fingerprints, the REE OS of the mobile phone calls the security service module in the TEE to compare the collected user fingerprints.
  • the mobile phone may display the interface 18 as shown in (d) in FIG. 4B.
  • a call function prompt area 151 is displayed in the interface 18, indicating that a call service is being provided. It can be noted that the mobile phone cannot provide fingerprint payment function at this time, but the call function of the mobile phone is not affected. It can be seen that, through the trusted execution environment operating system crash processing method provided by the embodiments of the present application, the time-consuming process from the TEE OS crash to the recovery of the security service can be effectively reduced. In addition, in the process, the mobile phone can continue to provide users with other services besides security services.
  • FIG. 5 is a schematic flowchart of another method for handling a trusted execution environment operating system crash according to an embodiment of the application.
  • the method may include steps S201 to S212:
  • TEE OS crashes TEE OS saves TEE hardware state parameters.
  • the TEE security state storage module in the TEE exception handling module can be used to save the TEE security hardware state.
  • the TEE hardware state parameters may include the data of each register in the TEE and so on.
  • step S101 For the rest of the content, reference may be made to the related description of step S101, which will not be repeated here.
  • the TEE OS sends the first notification to the REE OS.
  • the TEE learns that the TEE security state storage module saves the TEE hardware state parameters, it sends the first notification to the REE.
  • the TEE exception handling module in the TEE may send the first notification to the security service module in the REE.
  • the TEE exception handling module in the TEE saves the TEE security hardware status parameters, it notifies the specific module in the TEE OS, from the specific module in the TEE OS to the security service module in the REE, or via a certain module in the REE Send the first notification to the security service module in the REE.
  • the embodiment of the application does not limit this.
  • the first notification can be used to notify the TEE OS that the TEE OS has crashed, so that the REE OS can perform corresponding steps.
  • the first notification can be directly used to notify the REE to perform the corresponding steps.
  • the first notification may be a message with a fixed format, or a message carrying specific content. The embodiment of the application does not limit the specific format and content of the first notification.
  • step S101 For the rest of the content, reference may be made to the related description of step S101, which will not be repeated here.
  • the REE OS saves the REE security context and suspends the security service.
  • the REE side security service module may first call the REE security state saving module therein to save the REE security context, and then call the security service suspension module to suspend the security service. It is also possible to first call the security service suspension module to suspend the security service, and then call the REE security state saving module in it to save the REE security context. You can also call two modules at the same time to perform the corresponding steps respectively. That is, the embodiment of the present application does not limit the time sequence of saving the REE security context and suspending the security service.
  • step S102 For the rest of the content, reference may be made to the related description of step S102, which will not be repeated here.
  • the REE OS sends a second notification to the TEE OS.
  • the REE after the REE learns that the security service suspension module suspends the security service, it sends a second notification to the TEE exception handling module on the TEE side.
  • the security service module in the REE may send the second notification to the TEE exception handling module in the TEE.
  • the security service suspension module in the REE after the security service suspension module in the REE suspends the security service, it informs the specific module in the REE OS, from the specific module in the REE OS to the TEE exception handling module in the TEE, or to the TEE via a certain module in the TEE
  • the TEE exception handling module sends the second notification.
  • the embodiment of the application does not limit this.
  • the second notification can be used to notify the TEE OS that the REE side is ready, so that the TEE OS can execute the corresponding steps.
  • the second notification can be directly used to notify the TEE to perform the corresponding step.
  • the second notification may be a message with a fixed format, or a message carrying specific content. The embodiments of this application do not limit the specific format and content of the second notification.
  • the REE may also send a fifth notification to the application corresponding to the security service in the REE to notify that the security service in the TEE is unavailable. Then, after receiving the notification, the application suspends sending new security service requests.
  • the embodiments of this application do not limit the specific format and content of the fifth notice.
  • step S102 For the rest of the content, reference may be made to the related description of step S102, which will not be repeated here.
  • the TEE exception processing module on the TEE side invokes the TEE OS restart module therein to restart the TEE OS.
  • step S103 For the rest of the content, reference may be made to the related description of step S103, which will not be repeated here.
  • the TEE OS sets the hardware state parameters of the TEE after restarting the TEE OS according to the hardware state parameters of the TEE saved before restarting the TEE OS.
  • the TEE exception handling module notifies the TEE initialization module that the TEE OS has restarted, and the TEE side security state can be restored.
  • the TEE initialization module on the TEE side knows that the TEE OS has restarted, it calls the TEE security state recovery module and obtains the TEE hardware state parameters saved before the TEE OS restarts from the TEE security state save module, which is used to set the TEE OS restarted TEE hardware status parameters.
  • step S104 For the rest of the content, reference may be made to the related description of step S104, which will not be repeated here.
  • the TEE OS sends a third notification to the REE OS.
  • the TEE after the TEE learns that the TEE security state restoration module restores the TEE hardware state parameters, it sends a third notification to the REE.
  • the TEE initialization module in the TEE may send the third notification to the security service module in the REE.
  • the TEE initialization module in the TEE restores the TEE security hardware status parameters, it informs the specific module in the TEE OS, from the specific module in the TEE OS to the security service module in the REE, or to the security service module in the REE through a certain module in the REE.
  • the security service module in REE sends the third notification.
  • the embodiment of the application does not limit this.
  • the third notification can be used to notify the TEE that the hardware status has been restored, so that the REE OS can perform corresponding steps.
  • the third notification can be directly used to notify the REE to perform the corresponding steps.
  • the third notification may be a message with a fixed format, or a message carrying specific content. The embodiments of this application do not limit the specific format and content of the third notification.
  • step S104 For the rest of the content, reference may be made to the related description of step S104, which will not be repeated here.
  • the REE OS sets the security context of the REE after restarting the TEE OS according to the security context of the REE saved before restarting the TEE OS.
  • the REE OS instructs the TEE OS to set the context of the TEE after restarting the TEE OS according to the security context of the REE after restarting the TEE OS.
  • the TEE OS sets the context of the TEE after restarting the TEE OS according to the security context of the REE after restarting the TEE OS.
  • the TEE OS sends a fourth notification to the REE OS.
  • the security service module on the REE side calls the REE security state recovery module to start the process of recovering the security context.
  • the REE security state recovery module obtains the REE security context saved before the REE OS restart from the REE security state storage module, restores the REE security context after the restart according to the REE security context saved before the restart, and sends it to the TEE security state recovery module in the TEE Part or all of the security service registration request.
  • the TEE security state restoration module restores the context of the TEE after the corresponding security service restarts, and then sends a notification to the REE security state restoration module to report that the registration has been completed.
  • the REE security state recovery module continues to send unsent security service registration requests based on the REE security context saved before the restart.
  • the registration of all security services is completed, and the REE security context and the TEE context are restored to the state before the TEE OS crashes.
  • the last registration request sent by the REE security state recovery module to the TEE carries a fixed identifier, which is used to inform the TEE that after the security service is restored according to this registration request, the recovery of all the security contexts of the REE and the context of the TEE is completed.
  • the TEE does not receive the registration request for a preset period of time, it is known that the restoration of all the security contexts of the REE and the context of the TEE has been completed.
  • the TEE exception handling module sends a fourth notification to the REE.
  • the TEE exception handling module in the TEE may send the fourth notification to the security service module in the REE.
  • the TEE exception handling module in TEE knows that all REE security contexts and TEE context restoration work has been completed, it informs the specific module in TEE OS, and the specific module in TEE OS sends it to the security service module in REE, or Send a fourth notification to the security service module in the REE via a certain module in the REE.
  • the embodiment of the application does not limit this.
  • the fourth notification can be used to notify that the security context of the REE and the context of the TEE have been restored, so that the REE OS can perform corresponding steps.
  • the fourth notification can be directly used to notify the REE to perform the corresponding steps.
  • the fourth notification may be a message with a fixed format, or a message carrying specific content. The embodiment of the application does not limit the specific format and content of the fourth notice.
  • step S208 the setting of the security context of the REE in step S208 in the figure and the process of instructing the context of setting the TEE in step S209 are interleaved. For example, after the REE sets one or several REE security contexts in step S208, the TEE will be instructed to set the corresponding context. Then, the REE continues to set the security context of other REEs, and then instructs the TEE to set the corresponding context, and so on.
  • step S105 For the rest of the content, reference may be made to the related description of step S105, which will not be repeated here.
  • the REE side security service module stops running the security service suspension module, and then resumes the security service.
  • step S106 For the rest of the content, reference may be made to the related description of step S106, which will not be repeated here.
  • the REE OS may not actively withdraw from the security service. Since the REE OS has not been restarted in this application, the REE may retain some of the data that previously called the security service, such as the memory address, etc., and this part of the data has become invalid. In this case, after the REE OS restores the security service, that is, after step S212 is performed, the security service request sent by the application first received by the REE will initiate a security service request to the TEE based on the security service data retained by the REE. And because the security data retained before REE has expired, this connection fails.
  • the REE daemon will restart the security service, that is, send a security service request to the TEE side again.
  • a daemon is a special process that runs in the background and is used to perform specific system tasks. Some daemons are started when the system boots, and continue to run until the system shuts down. Others only start when needed, and automatically end after completing the task.
  • the daemon process restarts to establish a connection to start the security service.
  • the interface 21 is a fingerprint unlocking function interface provided by the mobile phone Alipay application.
  • the mobile phone prompts the user to unlock the fingerprint by tapping the screen.
  • the mobile phone displays an interface 22 as shown in (b) in FIG. 6.
  • the interface 22 is an interface for collecting user fingerprints.
  • the REE OS of the mobile phone calls the security service module in the TEE to compare and compare the fingerprints entered by the user. If the TEE OS crashes during the fingerprint comparison process, the mobile phone can display the interface 23 as shown in Figure 6 (c).
  • the interface 23 is used to remind the user that the unlocking failed (fingerprint comparison failed), and then enter the fingerprint again .
  • TEE OS restarts After the TEE OS restarts, as shown in (d) in FIG. 6, the user inputs a fingerprint on the interface 23.
  • the mobile phone collects the user's fingerprint again, and sends the collected user's fingerprint to the TEE for comparison.
  • the TEE comparison fails, and the interface 24 shown in (e) in FIG. 6 is displayed.
  • FIG. 7 is a schematic flowchart of another method for handling a trusted execution environment operating system crash according to an embodiment of the application.
  • the method may include step S301-step S314:
  • TEE OS crashes S301, TEE OS crashes, and TEE OS saves the TEE hardware state parameters.
  • the TEE OS sends the first notification to the REE OS.
  • the REE OS saves the REE security context and suspends the security service.
  • steps S301-S303 reference may be made to the related descriptions of steps S201-S203, which will not be repeated here.
  • the REE OS sends a sixth notification to the application corresponding to the security service for exiting the security service.
  • the REE OS may actively exit the security service.
  • the TEE OS crashes, the TEE OS is restarted independently, but the REE OS is not restarted. Therefore, REE retains part of the data used to call the security service, such as memory address, etc., and this part of the data may conflict with the data after the TEE OS restarts.
  • the TEE OS restarts after the REE receives the first security service request sent by the application, it may not be able to call the corresponding security service module in the TEE.
  • the REE OS suspends the security service, it can actively exit the security service. When TEE OS restarts, it will take the initiative to restore security services. In this way, after the TEE OS restarts, after the REE receives the first security service request sent by the application, it can call the corresponding security service module in the TEE normally.
  • the REE-side security service module sends a sixth notification to the security service application contained in the electronic device for exiting the security service; or, the sixth notification is a code with a fixed format or content, and the security service After the corresponding application receives the sixth notification, it automatically exits the security service.
  • the embodiments of this application do not limit the specific format and content of the sixth notice.
  • the REE OS sends a second notification to the TEE OS.
  • the TEE OS sets the hardware state parameters of the TEE after restarting the TEE OS according to the hardware state parameters of the TEE saved before restarting the TEE OS.
  • TEE OS sends a third notification to REE OS.
  • the REE OS sets the security context of the REE after the TEE OS is restarted according to the security context of the REE saved before the TEE OS is restarted.
  • the REE OS instructs the TEE OS to set the context of the TEE after restarting the TEE OS according to the security context of the REE after restarting the TEE OS.
  • the TEE OS sets the context of the TEE after restarting the TEE OS according to the security context of the REE after restarting the TEE OS.
  • the TEE OS sends a fourth notification to the REE OS.
  • steps S305-S312 reference may be made to related descriptions of steps S204-S211, which will not be repeated here.
  • the electronic device will actively exit the security service in the above step S304 and actively restart, and establish a new connection to provide the security service.
  • the REE side security service module sends a seventh notification to the application corresponding to the security service that has actively exited after the TEE OS crashes in the electronic device for restarting Security services that have been withdrawn; or, the seventh notification is a code with a fixed format or content, and the application corresponding to the security service automatically starts the security service after receiving the sixth notification.
  • the embodiments of this application do not limit the specific format and content of the seventh notice.
  • step S212 Exemplarily, for other content included in step S314, refer to step S212, which will not be repeated here.
  • the REE OS can actively exit the security service, and after the TEE OS restarts, the security service can be actively restarted. Since the REE OS has not been restarted in this application, the REE may retain some of the data that previously called the security service, such as the memory address, etc., and this part of the data has become invalid. After the TEE OS crashes, actively exit the security service to clear this part of the data. In this case, after the REE OS restores the security service, that is, after step S314 is performed, the security service request sent by the application received by the REE for the first time initiates the security service request to the TEE.
  • the interface 31 is a fingerprint unlocking function interface provided by the mobile phone Alipay application.
  • the mobile phone prompts the user to unlock the fingerprint by tapping the screen.
  • the mobile phone displays an interface 32 as shown in (b) of FIG. 8.
  • the interface 32 is a user fingerprint input interface.
  • the REE OS of the mobile phone calls the security service module in the TEE to compare the fingerprints entered by the user. If the TEE OS crashes during the fingerprint comparison process, the mobile phone can display the interface 33 as shown in (c) in FIG. 8.
  • the interface 33 is used to prompt the user that the unlocking failed this time (fingerprint comparison failed), and then input the fingerprint again.
  • the user can input a fingerprint on the interface 33.
  • the mobile phone collects the fingerprint entered by the user, it calls the security service on the TEE side to perform fingerprint comparison. If the fingerprint comparison is successful, the mobile phone is unlocked, and the Alipay homepage 34 shown in Figure 8 (e) is displayed. It can be seen that, compared to the solution in which the REE OS does not actively exit the security service after the TEE OS crashes, this embodiment can improve the accuracy of the first security service execution after the TEE OS is restarted.
  • Fig. 9 shows a schematic diagram of a possible structure of the computer system involved in the foregoing embodiment.
  • the computer system includes TEE901 and REE902, and TEE901 provides security services for REE902.
  • the TEE901 includes a TEE OS903, a first storage unit 904, and a restart unit 905, and the REE902 includes a REE OS906, and a second storage unit 907.
  • TEE OS903 is used to support the computer system to execute step S104 and step S105 in FIG. 3, step S206 and step S210 in FIG. 5, step S307 and step S311 in FIG. Other processes of technology.
  • the first storage unit 904 is used to support the computer system to execute step S101 in FIG. 3, step S201 in FIG. 5, step S301 in FIG. 7, and/or other processes used in the technology described herein.
  • the restart unit 905 is used to support the computer system to execute step S103 in FIG. 3, step S205 in FIG. 5, step S306 in FIG. 7, and/or other processes used in the technology described herein.
  • REE OS906, used to support the computer system to execute step S102, step S105, and step S106 in Fig. 3, step S203, step S208, and step S212 in Fig. 5, and step S303, step S304, step S309, and step 313 in Fig. 7 And step 314, and/or other processes used in the techniques described herein.
  • the second storage unit 907 is used to support the computer system to execute step S102 in FIG. 3, step S203 in FIG. 5, step S303 in FIG. 7, and/or other processes used in the technology described herein.
  • FIG. 10 shows a schematic diagram of a possible structure of the apparatus for implementing the crash processing of the trusted execution environment operating system involved in the foregoing embodiment. Including: a processing unit 1001, a receiving unit 1002, a storage unit 1003, and a sending unit 1004.
  • the processing unit 1001 is used to support the device to execute step S102, step S105 and step S106 in FIG. 3, step S203, step S208 and step S212 in FIG. 5, step S303, step S309 and step S314 in FIG. 7, And/or other processes used in the techniques described herein.
  • the receiving unit 1002 is used to support the device to perform step S202, step S207, and step S211 in FIG. 5, step S302, step S308, and step S312 in FIG. 7, and/or other processes used in the technology described herein.
  • the storage unit 1003 is used to support the device to perform step S102 in FIG. 3, step S203 in FIG. 5, step S303 in FIG. 7, and/or other processes used in the technology described herein.
  • the sending unit 1004 is used to support the device to perform step S204 and step S209 in FIG. 5, step S304, step S305, step S310 and step S313 in FIG. 7, and/or other processes used in the technology described herein.
  • FIG. 11 shows a schematic diagram of a possible structure of the apparatus for implementing the crash processing of the trusted execution environment operating system involved in the foregoing embodiment. It includes: a processing unit 1101, a storage unit 1102, a sending unit 1103, a receiving unit 1104, and a restarting unit 1105.
  • the processing unit 1101 is used to support the device to perform step S104 and step S105 in FIG. 3, step S206 and step S210 in FIG. 5, step S307 and step S311 in FIG. 7, and/or for the technology described herein Other processes.
  • the storage unit 1102 is used to support the device to perform step S101 in FIG. 3, step S201 in FIG. 5, step S301 in FIG. 7, and/or other processes used in the technology described herein.
  • the sending unit 1103 is used to support the device to perform step S202, step S207, and step S211 in FIG. 5, step S302, step S308, step S312, step S304, and step S313 in FIG. 7, and/or for the methods described herein Other processes of technology.
  • the receiving unit 1104 is used to support the device to perform step S204 and step S209 in FIG. 5, step S305 and step S310 in FIG. 7, and/or other processes used in the technology described herein.
  • the restart unit 1105 is used to support the device to perform step S103 in FIG. 3, step S205 in FIG. 5, step S306 in FIG. 7, and/or other processes used in the technology described herein.
  • the embodiment of the present application also provides a chip system.
  • the chip system includes at least one processor 1201 and at least one interface circuit 1202.
  • the processor 1201 and the interface circuit 1202 may be interconnected by wires.
  • the interface circuit 1202 can be used to receive signals from other devices.
  • the interface circuit 1202 may be used to send signals to other devices (such as the processor 1201).
  • the interface circuit 1202 can read an instruction stored in the memory, and send the instruction to the processor 1201.
  • the electronic device can be made to execute the steps in the trusted execution environment operating system crash processing method in the foregoing embodiment.
  • the chip system may also include other discrete devices, which are not specifically limited in the embodiment of the present application.
  • the embodiment of the present application also provides a computer-readable storage medium, the computer-readable storage medium stores a computer instruction, and when the computer instruction runs on an electronic device, the electronic device executes the above-mentioned related method steps to implement the above-mentioned embodiment Trusted execution environment operating system crash processing method.
  • the embodiments of the present application also provide a computer program product, which when the computer program product runs on a computer, causes the computer to execute the above-mentioned related steps, so as to implement the trusted execution environment operating system crash handling method in the above-mentioned embodiment.
  • the embodiments of the present application also provide a device, which may specifically be a component or a module.
  • the device may include a connected processor and a memory; wherein the memory is used to store computer execution instructions.
  • the processor When the device is running, the processor The computer-executable instructions stored in the executable memory are executed to make the device execute the trusted execution environment operating system crash handling method in the foregoing method embodiments.
  • the electronic devices, computer-readable storage media, computer program products, or chips provided in the embodiments of the present application are all used to execute the corresponding methods provided above. Therefore, the beneficial effects that can be achieved can be referred to those provided above. The beneficial effects in the corresponding method are not repeated here.
  • the disclosed method can be implemented in other ways.
  • the electronic device embodiments described above are merely illustrative.
  • the division of the modules or units is only a logical function division, and there may be other divisions in actual implementation, such as multiple units or components. It can be combined or integrated into another system, or some features can be ignored or not implemented.
  • the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, modules or units, and may be in electrical, mechanical or other forms.
  • the units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • the functional units in the various embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • the above-mentioned integrated unit can be implemented in the form of hardware or software functional unit.
  • the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer readable storage medium.
  • the technical solution of the present application essentially or the part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, and the computer software product is stored in a storage medium , Including several instructions to make a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor execute all or part of the steps of the method described in each embodiment of the present application.
  • the aforementioned storage media include: flash memory, mobile hard disk, read-only memory, random access memory, magnetic disk or optical disk and other media that can store program instructions.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Quality & Reliability (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

一种可信执行环境操作系统崩溃处理方法及电子设备,涉及终端技术领域,能够在TEE侧出现不可恢复故障时,避免电子设备整机重启,减少重启的总耗时。所述方法包括:基于在安全服务运行的过程中检测到TEE OS崩溃,电子设备保存TEEOS奔溃时TEE的硬件状态参数和REE的安全上下文,并暂停安全服务;电子设备重启TEE OS;电子设备根据保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数;电子设备根据保存的REE的安全上下文设置重启TEE OS后REE的安全上下文,以及根据保存的REE的安全上下文设置重启TEE OS后TEE的上下文。

Description

可信执行环境操作系统崩溃处理方法及电子设备
本申请要求于2020年01月19日提交国家知识产权局、申请号为202010060572.4、发明名称为“可信执行环境操作系统崩溃处理方法及电子设备”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
技术领域
本申请涉及终端技术领域,尤其涉及一种可信执行环境操作系统崩溃处理方法及电子设备。
背景技术
基于ARM信任区(TrustZone)的电子设备(例如:手机,平板电脑等)包含富执行环境(rich execution environment,REE)和可信执行环境(trusted execution environment,TEE)。其中,REE也称为普通执行环境,包括运行在通用处理器上的富执行环境操作系统(rich execution environment operating system,REE OS)及客户端应用(client application,CA)。TEE也称为安全执行环境,可以运行可信执行环境操作系统(trusted execution environment operating system,TEE OS),为CA提供可信赖的安全服务(例如指纹比对服务,密码校验服务,人脸比对服务等),这些安全服务可以以可信应用(trust application,TA)的形式运行在TEE OS上。
当TEE侧出现不可恢复的故障时,TEE OS崩溃,导致电子设备常出现系统卡死、安全服务中断(例如无法解锁,无法支付等)等异常。此时,电子设备会强制整机重启,以恢复到正常使用状态。由于整机重启耗时长,且用户在电子设备重启期间无法使用该电子设备,用户体验较差。
发明内容
本申请提供的可信执行环境操作系统崩溃处理方法及电子设备,在TEE侧出现不可恢复故障时,可以避免电子设备整机重启,减少重启的总耗时,提升用户体验。
为达到上述目的,本申请采用如下技术方案:
第一方面,本申请提供一种可信执行环境操作系统崩溃处理方法,应用于包括可信执行环境TEE和富执行环境REE的电子设备,TEE为中运行有可信执行环境操作系统TEE OS和安全服务,该方法可以包括:基于在安全服务运行的过程中检测到TEE OS崩溃,电子设备保存TEEOS奔溃时TEE的硬件状态参数和REE的安全上下文,并暂停安全服务;电子设备重启TEE OS;电子设备根据保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数;电子设备根据保存的REE的安全上下文设置重启TEE OS后REE的安全上下文,以及根据保存的REE的安全上下文设置重启TEE OS后TEE的上下文;电子设备恢复安全服务。
TEE的硬件状态参数可以包括TEE中寄存器的数据。如此,在若TEE OS崩溃时,保存电子设备硬件状态参数。而后,在TEE OS重启后,可以根据保存的硬件状态参数快速恢复硬件状态,有利于快速恢复TEE的安全服务。TEE的硬件状态参数也可以称为TEE OS的硬件状态参数。
TEE上下文可以包括:TEE OS崩溃时,TEE OS中包含的已经注册的代理(agent),已经建立连接的会话(session),已经注册的安全服务等。具体的,在REE调用TEE中的相关模块提供安全服务之前,REE向TEE发送安全服务注册请求,包括指令缓存的注册,代理注册,安全内存注册等。TEE处理该请求,并生成代理以及建立会话连接,完成对应的安全服务的注册。并且,后续TEE通过该连接为REE提供安全服务,在此过程中产生的上下文为安全上下文。
REE的安全上下文可以包括:TEE OS崩溃时,已经向TEE注册的agent,已经与TEE建立连接的session,已经向REE注册的安全服务等。
也就是说,电子设备中跟安全服务相关的状态可以称之为安全上下文。TEE用于为REE提供安全服务,其上下文即为安全上下文,本文中的TEE的上下文也可以理解为TEE的安全上文。
重置硬件状态参数和安全上下文后,TEE OS已具备继续为REE中应用提供安全服务的能力,电子设备可以恢复安全服务。或者说TEE OS恢复后,安全服务的运行是基于上述新设置的硬件状态参数以及安全上下文的运行。
如此,在TEE OS崩溃时,可以单独重启TEE OS,恢复安全服务。不会造成电子设备的整机强制重启,减少重启总耗时。并且,可以根据TEE OS重启前保存的TEE的硬件状态参数设置TEE OS重启后的TEE的硬件状态参数。可以根据TEE OS重启前保存的REE的安全上下文,设置TEE OS重启后的REE的安全上下文以及TEE上下文,进一步保证安全服务的快速恢复。
在一种可能的实现方式中,REE中运行有富执行环境操作系统REE OS,该方法还包括:电子设备暂停安全服务之后,通过REE OS通知安全服务对应的应用安全服务不可用。
在一些实现方式中,所述安全服务对应的所述应用部署在REE OS中且所述应用调用所述安全服务。
在一种可能的实现方式中,该方法还包括:电子设备暂停安全服务之后,通过REE OS暂停接收REE中任一应用发送的针对安全服务的请求。
如此,可以避免在TEE OS崩溃重启期间,REE OS接收应用发送的安全服务的请求,再次向TEE OS发送对应的安全服务请求,导致安全服务仍处理错误,影响用户体验。
在一种可能的实现方式中,该方法还包括:电子设备暂停安全服务之后,通过REE OS通知安全服务对应的应用退出安全服务;电子设备恢复安全服务之后,通过REE OS通知安全服务对应的应用重启安全服务。
如此,电子设备退出安全服务,可以避免在TEE OS重启后,由于REE OS未重启,其中保存的部分上下文信息,导致的首次安全服务请求失败。
在一种可能的实现方式中,安全服务包括指纹比对服务,密码校验服务,人脸比对服务中任意一项或多项。
在一种可能的实现方式中,TEE的硬件状态参数包括:TEE中寄存器的数据。
示例性的,该寄存器可以为sec_region寄存器,用于保存为安全服务分配的内存区域的基地址。在TEE OS崩溃时,保存sec_region寄存器中的值。在TEE OS按照本 申请实施例提供的方法重启后,可以直接根据该寄存器的值快速定位到崩溃之前内存位置。
在一种可能的实现方式中,REE的安全上下文包括:所述安全服务的注册信息。
也就是说,TEE侧提供该安全服务,在REE侧的应用使用该安全服务之前,该安全服务通常需要在REE中注册,注册信息会成为REE的安全上下文的一部分。
第二方面,本申请提供一种可信执行环境操作系统崩溃处理方法,应用于包括可信执行环境TEE和富执行环境REE的电子设备,TEE为REE提供安全服务,TEE中包含可信执行环境操作系统TEE OS,REE中包含富执行环境操作系统REE OS,该方法包括:在REE调用安全服务的过程中,REE OS接收第一通知;第一通知指示TEE OS已崩溃;REE OS保存REE安全上下文,暂停安全服务,向TEE OS发送第二通知,以指示TEE OS重启;REE OS接收第三通知,第三通知为TEE OS设置重启TEE OS后的TEE的硬件状态参数后发送给REE OS的通知;REE OS根据保存的REE的安全上下文设置重启TEE OS后REE的安全上下文;REE OS接收第四通知,第四通知为TEE OS设置重启TEE OS后的TEE的上下文后,发送给REE OS的通知;REE OS恢复安全服务。
在一些可能的设计中,REE OS保存REE安全上下文,例如可以包括REE OS保存REE当前的安全上下文。其中,“当前”指的是执行该保存动作时的REE安全上下文。在另一些可能的设计中,可以保存特定时间长度之前的安全上下文或根据系统设置的其它安全上下文。
在一种可能的设计中,响应于第三通知,REE OS会根据保存的REE的安全上下文设置重启TEE OS后的REE的安全上下文。响应于第四通知,REE OS会恢复安全服务。
在一些实现方式中,第三通知也可以认为是用来指示TEE OS已为重启TEE OS后的TEE设置硬件状态参数;第四通知也可以认为是用来指示TEE OS已为重启TEE OS后的TEE设置上下文。前述通知的具体形式本申请不做限定。
在一种可能的实现方式中,REE OS暂停安全服务之后,该方法还包括:REE OS向安全服务对应的应用发送第五通知,用于通知安全服务不可用。
在一种可能的实现方式中,REE OS暂停安全服务之后,该方法还包括:REE OS暂停接收REE中任一应用发送的针对安全服务的请求。
在一些实现方式中,REE OS暂停安全服务可以认为是向安全服务对应的应用发送安全服务不可用的通知,以告知安全服务对应的应用当前时段不提供安全服务;也可以认为是暂停接收REE中任一应用发送的针对安全服务的请求;还可以认为是REE OS接收应用发送的针对安全服务的请求,但不进行处理,即不再向TEE侧发送安全服务请求,等。
在一种可能的实现方式中,REE OS暂停安全服务之后,该方法还包括:REE OS向安全服务对应的应用发送第六通知,用于退出安全服务。REE OS恢复安全服务之后,该方法还包括:REE OS向安全服务对应的应用发送第七通知,用于重启安全服务。
在一种可能的实现方式中,安全服务包括指纹对比服务,密码校验服务,人脸对 比服务中任任意一项或多项。
在一种可能的实现方式中,REE的安全上下文包括:安全服务的注册信息。
第三方面,本申请提供一种可信执行环境操作系统崩溃处理方法,应用于包括可信执行环境TEE和富执行环境REE的电子设备,TEE为REE提供安全服务,TEE中包含可信执行环境操作系统TEE OS,REE中包含富执行环境操作系统REE OS,该方法包括:在TEE提供安全服务的过程中,若TEE OS崩溃,TEE OS保存TEE硬件状态参数,向REE OS发送第一通知;第一通知用于指示REE OS暂停安全服务;TEE OS接收第二通知后,重启;其中,第二通知为REE OS暂停安全服务后发送给TEE OS的通知;TEE OS根据保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数,向REE OS发送第三通知;第三通知用于指示REE OS设置重启TEE OS后REE的安全上下文;TEE OS根据重启TEE OS后REE的安全上下文设置重启TEE OS后的TEE的上下文;之后,向REE OS发送第四通知;第四通知用于指示REE OS恢复安全服务。
其中,TEE OS保存TEE硬件状态参数,例如可以包括TEE OS保存TEE当前的硬件状态参数。其中,“当前”指的是执行该保存动作时的硬件状态参数。在另一些可能的设计中,可以保存特定时间长度之前的硬件状态参数或根据系统设置的其它硬件状态参数。
在一些实现方式中,所述第二通知也可以认为是用来指示所述REE OS已经暂停安全服务。前述通知的具体形式本申请不做限定。
在一种可能的实现方式中,安全服务包括指纹对比服务,密码校验服务,人脸对比服务中任意一项或多项。
在一种可能的实现方式中,TEE的硬件状态参数包括:TEE中寄存器的数据。
第四方面,本申请提供一种计算机系统,包括可信执行环境TEE和富执行环境REE,TEE为REE提供安全服务;TEE包括可信执行环境操作系统TEE OS、第一存储单元和重启单元,REE包括富执行环境操作系统REE OS、第二存储单元;TEE OS,用于运行安全服务;第一存储单元,用于在TEE OS运行安全服务的过程中,若TEE OS崩溃,则保存TEE硬件状态参数;第二存储单元,用于保存REE安全上下文;REE OS,还用于暂停调用安全服务;重启单元,用于重启TEE OS;TEE OS,还用于根据保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数;REE OS,还用于根据保存的REE的安全上下文设置重启TEE OS后REE的安全上下文,以及TEE OS,还用于根据保存的REE的安全上下文设置重启TEE OS后TEE的上下文;REE OS,还用于恢复调用安全服务。
在一种可能的实现方式中,装置还包括:REE OS,还用于在暂停调用安全服务之后,向安全服务对应的应用发送安全服务不可用的通知。
在一种可能的实现方式中,装置还包括:REE OS,还用于在暂停调用安全服务之后,暂停接收REE中任一应用发送的针对安全服务的请求。
在一种可能的实现方式中,REE OS,还用于在暂停调用安全服务之后,通知安全服务对应的应用退出安全服务;REE OS,还用于在恢复调用安全服务之后,通知安全服务对应的应用重启安全服务。
在一种可能的实现方式中,安全服务包括指纹比对服务,密码校验服务,人脸比对服务中任意一项或多项。
在一种可能的实现方式中,TEE的硬件状态参数包括:TEE中寄存器的数据。
在一种可能的实现方式中,REE的安全上下文包括:安全服务的注册信息。
第五方面,本申请提供一种用于实现可信执行环境操作系统崩溃处理的装置,包括:处理单元、接收单元、存储单元和发送单元。处理单元,用于调用可信执行环境TEE的安全服务。接收单元,用于在处理单元为REE调用安全服务的过程中,接收第一通知;第一通知用于通知可信执行环境操作系统TEE OS已崩溃。存储单元,用于保存富执行环境REE安全上下文。处理单元,还用于暂停安全服务。发送单元,用于向TEE OS发送第二通知;第二通知用于指示TEE OS重启。接收单元,还用于接收第三通知,第三通知为TEE OS设置重启TEE OS后的TEE的硬件状态参数后发送给REE OS的通知。处理单元,还用于根据保存的REE的安全上下文设置重启TEE OS后REE的安全上下文。接收单元,还用于接收第四通知,第四通知为TEE OS设置重启TEE OS后的TEE的上下文后,发送给REE OS的通知。处理单元,还用于恢复调用安全服务。
其中,用于实现可信执行环境操作系统崩溃处理的装置可以通过硬件实现,也可以通过软件实现,也可以通过硬件执行相应的软件实现。当是通过软件实现时,该装置可以是指REE OS。
在一种可能的实现方式中,发送单元,还用于在处理单元暂停调用安全服务之后,向安全服务对应的应用发送第五通知,用于通知安全服务不可用。
在一种可能的实现方式中,接收单元,还用于在处理单元暂停调用安全服务之后,暂停接收REE中任一应用发送的针对安全服务的请求。
在一种可能的实现方式中,发送单元,还用于在处理单元暂停调用安全服务之后,向安全服务对应的应用发送第六通知,用于退出安全服务。发送单元,还用于在处理单元恢复调用安全服务之后,向安全服务对应的应用发送第七通知,用于重启安全服务。
在一种可能的实现方式中,安全服务包括指纹对比服务,密码校验服务,人脸对比服务中任意一项或多项。
在一种可能的实现方式中,REE的安全上下文包括:安全服务的注册信息。
第六方面,本申请提供一种用于实现可信执行环境操作系统崩溃处理的装置,包括:处理单元、存储单元、发送单元、接收单元和重启单元;处理单元,用于提供安全服务。存储单元,用于在处理单元提供安全服务的过程中,若处理单元崩溃,保存TEE硬件状态参数。发送单元,用于向富执行环境操作系统REE OS发送第一通知;第一通知用于指示REE OS暂停安全服务。接收单元,用于接收第二通知后;其中,第二通知为REE OS暂停安全服务后发送给TEE OS的通知。重启单元,用于重启处理单元。处理单元,还用于根据保存的TEE的硬件状态参数设置重启后TEE的硬件状态参数。发送单元,还用于向REE OS发送第三通知;第三通知用于指示REE OS设置重启后REE的安全上下文。处理单元,还用于根据重启后REE的安全上下文设置重启后的TEE的上下文。发送单元,还用于向REE OS发送第四通知;第四通知用 于指示REE OS恢复安全服务。
其中,用于实现可信执行环境操作系统崩溃处理的装置可以通过硬件实现,也可以通过软件实现,也可以通过硬件执行相应的软件实现。当是通过软件实现时,该装置可以是指TEE OS。
在一种可能的实现方式中,安全服务包括指纹对比服务,密码校验服务,人脸对比服务中任意一项或多项。
在一种可能的实现方式中,TEE的硬件状态参数包括:TEE中寄存器的数据。
第七方面,本申请提供一种电子设备,该电子设备可以包括:一个或多个处理器;其中,一个或多个处理器包括可信执行环境TEE和富执行环境REE,TEE为REE提供安全服务;TEE中包含可信执行环境操作系统TEE OS,REE中包含富执行环境操作系统REE OS。存储器;以及一个或多个计算机程序。其中一个或多个计算机程序被存储在存储器中,一个或多个计算机程序包括指令。当指令被一个或多个处理器执行时,使得电子设备执行如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法。
第八方面,本申请提供一种电子设备,该电子设备具有实现如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法的功能。该功能可以通过硬件实现,也可以通过硬件执行相应的软件实现。该硬件或软件包括一个或多个与上述功能相对应的模块。
第九方面,本申请提供一种计算机可读存储介质,包括计算机指令,当计算机指令在电子设备上运行时,使得电子设备执行如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法。
第十方面,本申请提供一种计算机程序产品,当计算机程序产品在电子设备上运行时,使得电子设备执行如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法。
第十一方面,提供一种电路系统,电路系统包括处理电路,处理电路被配置为执行如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法。
第十二方面,本申请实施例提供一种芯片系统,包括至少一个处理器和至少一个接口电路,至少一个接口电路用于执行收发功能,并将指令发送给至少一个处理器,当至少一个处理器执行指令时,至少一个处理器执行如上述第一方面至第三方面,以及其中任一种可能的实现方式中所述的可信执行环境操作系统崩溃处理方法。
附图说明
图1为本申请实施例提供的一种电子设备的结构示意图;
图2为本申请实施例提供的一种TrustZone框架结构示意图;
图3为本申请实施例提供的可信执行环境操作系统崩溃处理方法的流程示意图一;
图4A为本申请实施例提供的可信执行环境操作系统崩溃处理方法的应用场景示意图一;
图4B为本申请实施例提供的可信执行环境操作系统崩溃处理方法的应用场景示意图二;
图5为本申请实施例提供的可信执行环境操作系统崩溃处理方法的流程示意图二;
图6为本申请实施例提供的可信执行环境操作系统崩溃处理方法的应用场景示意图三;
图7为本申请实施例提供的可信执行环境操作系统崩溃处理方法的流程示意图三;
图8为本申请实施例提供的可信执行环境操作系统崩溃处理方法的应用场景示意图四;
图9为本申请实施例提供的一种计算机系统的结构示意图;
图10为本申请实施例提供的一种用于实现可信执行环境操作系统崩溃处理的装置的结构示意图一;
图11为本申请实施例提供的一种用于实现可信执行环境操作系统崩溃处理的装置的结构示意图二;
图12为本申请实施例提供的一种芯片系统的结构示意图。
具体实施方式
下面结合附图对本申请实施例提供的可信执行环境操作系统崩溃处理方法及电子设备进行详细地描述。
本申请实施例提供的技术方案可适用于具有TEE和REE的电子设备。当TEE中TEE OS崩溃时,可以单独重启TEE OS,从而避免整机重启(包括重启TEE OS和REE OS),减少从TEE OS崩溃到TEE OS重启后恢复安全服务的总耗时,提升电子设备的使用体验。
示例性的,本申请的实施例中的电子设备可以是可移动电话(mobile phone)、平板电脑(pad)、带无线收发功能的电脑、个人数字助理(personal digital assistant,PDA)、智能手表、上网本、可穿戴电子设备、增强现实技术(augmented reality,AR)设备、虚拟现实(virtual reality,VR)设备、车载设备、工业控制(industrial control)中的无线终端、无人驾驶(self driving)中的无线终端、远程医疗(remote medical)中的无线终端、智能电网(smart grid)中的无线终端、运输安全(transportation safety)中的无线终端、智慧城市(smart city)中的无线终端、智慧家庭(smart home)中的无线终端、人工智能(artificial intelligence,AI)终端等。
示例性的,图1示出了电子设备100的结构示意图。
电子设备100可以包括处理器110,外部存储器接口120,内部存储器121,通用串行总线(universal serial bus,USB)接口130,充电管理模块140,电源管理模块141,电池142,天线1,天线2,移动通信模块150,无线通信模块160,音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,传感器模块180,按键190,马达191,指示器192,摄像头193,显示屏194,以及用户标识模块(subscriber identification module,SIM)卡接口195等。其中,传感器模块180可以包括压力传感器180A,陀螺仪传感器180B,气压传感器180C,磁传感器180D,加速度传感器180E,距离传感器180F,接近光传感器180G,指纹传感器180H,温度传感器180J,触摸传感器180K,环境光传感器180L,骨传导传感器180M等。
可以理解的是,本申请实施例示意的结构并不构成对电子设备100的具体限定。在本申请另一些实施例中,电子设备100可以包括比图示更多或更少的部件,或者组 合某些部件,或者拆分某些部件,或者不同的部件布置。图示的部件可以以硬件,软件或软件和硬件的组合实现。
处理器110可以包括一个或多个处理单元,例如:处理器110可以包括应用处理器(application processor,AP),调制解调处理器,图形处理器(graphics processing unit,GPU),图像信号处理器(image signal processor,ISP),控制器,存储器,视频编解码器,数字信号处理器(digital signal processor,DSP),基带处理器,和/或神经网络处理器(neural-network processing unit,NPU)等。其中,不同的处理单元可以是独立的器件,也可以集成在一个或多个处理器中。
其中,控制器可以是电子设备100的神经中枢和指挥中心。控制器可以根据指令操作码和时序信号,产生操作控制信号,完成取指令和执行指令的控制。
处理器110中还可以设置存储器,用于存储指令和数据。在一些实施例中,处理器110中的存储器为高速缓冲存储器。该存储器可以保存处理器110刚用过或循环使用的指令或数据。如果处理器110需要再次使用该指令或数据,可从所述存储器中直接调用。避免了重复存取,减少了处理器110的等待时间,因而提高了系统的效率。
在本申请的一些实施例中,处理器110的运行环境可以包括TEE和REE。其中,TEE运行有可信应用程序(trusted application,TA)以及TEE OS,REE运行有CA及REE OS。REE侧负责接收用户向CA发出的安全服务请求,并根据该安全服务请求调用TEE侧的安全服务。例如,CA接收用户录入的指纹,通过REE OS将该指纹模板发送至TEE侧,由TEE的安全服务将用户的指纹与预存的指纹模板进行比对。TEE将比对结果经REE返回给CA。若比对失败,则提示用户“指纹解锁失败,请再次输入指纹”等。若比对成功,则验证用户身份成功,可以执行相应的操作(例如支付、解锁等)。
在TEE OS崩溃,中断或停止TEE的安全服务时,处理器110可以通过独立重启TEE OS以恢复TEE的安全服务。需要注意的是,在本申请实施例中不重启REE OS。这样,有利于减少TEE OS崩溃到恢复TEE侧安全服务的耗时,提升电子设备的运行效率。
在一些实施例中,处理器110可以包括一个或多个接口。接口可以包括集成电路(inter-integrated circuit,I2C)接口,集成电路内置音频(inter-integrated circuit sound,I2S)接口,脉冲编码调制(pulse code modulation,PCM)接口,通用异步收发传输器(universal asynchronous receiver/transmitter,UART)接口,移动产业处理器接口(mobile industry processor interface,MIPI),通用输入输出(general-purpose input/output,GPIO)接口,用户标识模块(subscriber identity module,SIM)接口,和/或通用串行总线(universal serial bus,USB)接口等。
I2C接口是一种双向同步串行总线,包括一根串行数据线(serial data line,SDA)和一根串行时钟线(derail clock line,SCL)。在一些实施例中,处理器110可以包含多组I2C总线。处理器110可以通过不同的I2C总线接口分别耦合触摸传感器180K,充电器,闪光灯,摄像头193等。例如:处理器110可以通过I2C接口耦合触摸传感器180K,使处理器110与触摸传感器180K通过I2C总线接口通信,实现电子设备100的触摸功能。
MIPI接口可以被用于连接处理器110与显示屏194,摄像头193等外围器件。MIPI接口包括摄像头串行接口(camera serial interface,CSI),显示屏串行接口(display serial interface,DSI)等。在一些实施例中,处理器110和摄像头193通过CSI接口通信,实现电子设备100的拍摄功能。处理器110和显示屏194通过DSI接口通信,实现电子设备100的显示功能。
GPIO接口可以通过软件配置。GPIO接口可以被配置为控制信号,也可被配置为数据信号。在一些实施例中,GPIO接口可以用于连接处理器110与摄像头193,显示屏194,无线通信模块160,音频模块170,传感器模块180等。GPIO接口还可以被配置为I2C接口,I2S接口,UART接口,MIPI接口等。
USB接口130是符合USB标准规范的接口,具体可以是Mini USB接口,Micro USB接口,USB Type C接口等。USB接口130可以用于连接充电器为电子设备100充电,也可以用于电子设备100与外围设备之间传输数据。也可以用于连接耳机,通过耳机播放音频。该接口还可以用于连接其他电子设备,例如AR设备等。
可以理解的是,本申请实施例示意的各模块间的接口连接关系,只是示意性说明,并不构成对电子设备100的结构限定。在本申请另一些实施例中,电子设备100也可以采用上述实施例中不同的接口连接方式,或多种接口连接方式的组合。
充电管理模块140用于从充电器接收充电输入。其中,充电器可以是无线充电器,也可以是有线充电器。在一些有线充电的实施例中,充电管理模块140可以通过USB接口130接收有线充电器的充电输入。在一些无线充电的实施例中,充电管理模块140可以通过电子设备100的无线充电线圈接收无线充电输入。充电管理模块140为电池142充电的同时,还可以通过电源管理模块141为电子设备供电。
电源管理模块141用于连接电池142,充电管理模块140与处理器110。电源管理模块141接收电池142和/或充电管理模块140的输入,为处理器110,内部存储器121,外部存储器,显示屏194,摄像头193,和无线通信模块160等供电。电源管理模块141还可以用于监测电池容量,电池循环次数,电池健康状态(漏电,阻抗)等参数。在其他一些实施例中,电源管理模块141也可以设置于处理器110中。在另一些实施例中,电源管理模块141和充电管理模块140也可以设置于同一个器件中。
电子设备100的无线通信功能可以通过天线1,天线2,移动通信模块150,无线通信模块160,调制解调处理器以及基带处理器等实现。
天线1和天线2用于发射和接收电磁波信号。电子设备100中的每个天线可用于覆盖单个或多个通信频带。不同的天线还可以复用,以提高天线的利用率。例如:可以将天线1复用为无线局域网的分集天线。在另外一些实施例中,天线可以和调谐开关结合使用。
移动通信模块150可以提供应用在电子设备100上的包括2G/3G/4G/5G等无线通信的解决方案。移动通信模块150可以包括至少一个滤波器,开关,功率放大器,低噪声放大器(low noise amplifier,LNA)等。移动通信模块150可以由天线1接收电磁波,并对接收的电磁波进行滤波,放大等处理,传送至调制解调处理器进行解调。移动通信模块150还可以对经调制解调处理器调制后的信号放大,经天线1转为电磁波辐射出去。在一些实施例中,移动通信模块150的至少部分功能模块可以被设置于处理器 110中。在一些实施例中,移动通信模块150的至少部分功能模块可以与处理器110的至少部分模块被设置在同一个器件中。
调制解调处理器可以包括调制器和解调器。其中,调制器用于将待发送的低频基带信号调制成中高频信号。解调器用于将接收的电磁波信号解调为低频基带信号。随后解调器将解调得到的低频基带信号传送至基带处理器处理。低频基带信号经基带处理器处理后,被传递给应用处理器。应用处理器通过音频设备(不限于扬声器170A,受话器170B等)输出声音信号,或通过显示屏194显示图像或视频。在一些实施例中,调制解调处理器可以是独立的器件。在另一些实施例中,调制解调处理器可以独立于处理器110,与移动通信模块150或其他功能模块设置在同一个器件中。
无线通信模块160可以提供应用在电子设备100上的包括无线局域网(wireless local area networks,WLAN)(如无线保真(wireless fidelity,Wi-Fi)网络),蓝牙(bluetooth,BT),全球导航卫星系统(global navigation satellite system,GNSS),调频(frequency modulation,FM),近距离无线通信技术(near field communication,NFC),红外技术(infrared,IR)等无线通信的解决方案。无线通信模块160可以是集成至少一个通信处理模块的一个或多个器件。无线通信模块160经由天线2接收电磁波,将电磁波信号调频以及滤波处理,将处理后的信号发送到处理器110。无线通信模块160还可以从处理器110接收待发送的信号,对其进行调频,放大,经天线2转为电磁波辐射出去。
在一些实施例中,电子设备100的天线1和移动通信模块150耦合,天线2和无线通信模块160耦合,使得电子设备100可以通过无线通信技术与网络以及其他设备通信。所述无线通信技术可以包括全球移动通讯系统(global system for mobile communications,GSM),通用分组无线服务(general packet radio service,GPRS),码分多址接入(code division multiple access,CDMA),宽带码分多址(wideband code division multiple access,WCDMA),时分码分多址(time-division code division multiple access,TD-SCDMA),长期演进(long term evolution,LTE),BT,GNSS,WLAN,NFC,FM,和/或IR技术等。所述GNSS可以包括全球卫星定位系统(global positioning system,GPS),全球导航卫星系统(global navigation satellite system,GLONASS),北斗卫星导航系统(beidou navigation satellite system,BDS),准天顶卫星系统(quasi-zenith satellite system,QZSS)和/或星基增强系统(satellite based augmentation systems,SBAS)。
电子设备100通过GPU,显示屏194,以及应用处理器等实现显示功能。GPU为图像处理的微处理器,连接显示屏194和应用处理器。GPU用于执行数学和几何计算,用于图形渲染。处理器110可包括一个或多个GPU,其执行程序指令以生成或改变显示信息。
显示屏194用于显示图像,视频等。显示屏194包括显示面板。显示面板可以采用液晶显示屏(liquid crystal display,LCD),有机发光二极管(organic light-emitting diode,OLED),有源矩阵有机发光二极体或主动矩阵有机发光二极体(active-matrix organic light emitting diode的,AMOLED),柔性发光二极管(flex light-emitting diode,FLED),Miniled,MicroLed,Micro-oLed,量子点发光二极管(quantum dot light emitting diodes,QLED)等。在一些实施例中,电子设备100可以包括1个或N个显示屏194,N为大于1的正整数。
电子设备100可以通过ISP,摄像头193,视频编解码器,GPU,显示屏194以及应用处理器等实现拍摄功能。
ISP用于处理摄像头193反馈的数据。例如,拍照时,打开快门,光线通过镜头被传递到摄像头感光元件上,光信号转换为电信号,摄像头感光元件将所述电信号传递给ISP处理,转化为肉眼可见的图像。ISP还可以对图像的噪点,亮度,肤色进行算法优化。ISP还可以对拍摄场景的曝光,色温等参数优化。在一些实施例中,ISP可以设置在摄像头193中。
摄像头193用于捕获静态图像或视频。物体通过镜头生成光学图像投射到感光元件。感光元件可以是电荷耦合器件(charge coupled device,CCD)或互补金属氧化物半导体(complementary metal-oxide-semiconductor,CMOS)光电晶体管。感光元件把光信号转换成电信号,之后将电信号传递给ISP转换成数字图像信号。ISP将数字图像信号输出到DSP加工处理。DSP将数字图像信号转换成标准的RGB,YUV等格式的图像信号。在一些实施例中,电子设备100可以包括1个或N个摄像头193,N为大于1的正整数。
数字信号处理器用于处理数字信号,除了可以处理数字图像信号,还可以处理其他数字信号。例如,当电子设备100在频点选择时,数字信号处理器用于对频点能量进行傅里叶变换等。
视频编解码器用于对数字视频压缩或解压缩。电子设备100可以支持一种或多种视频编解码器。这样,电子设备100可以播放或录制多种编码格式的视频,例如:动态图像专家组(moving picture experts group,MPEG)1,MPEG2,MPEG3,MPEG4等。
NPU为神经网络(neural-network,NN)计算处理器,通过借鉴生物神经网络结构,例如借鉴人脑神经元之间传递模式,对输入信息快速处理,还可以不断的自学习。通过NPU可以实现电子设备100的智能认知等应用,例如:图像识别,人脸识别,语音识别,文本理解等。
外部存储器接口120可以用于连接外部存储卡,例如Micro SD卡,实现扩展电子设备100的存储能力。外部存储卡通过外部存储器接口120与处理器110通信,实现数据存储功能。例如将音乐,视频等文件保存在外部存储卡中。
内部存储器121可以用于存储计算机可执行程序代码,所述可执行程序代码包括指令。处理器110通过运行存储在内部存储器121的指令,从而执行电子设备100的各种功能应用以及数据处理。内部存储器121可以包括存储程序区和存储数据区。其中,存储程序区可存储操作系统,至少一个功能所需的应用程序(比如声音播放功能,图像播放功能等)等。存储数据区可存储电子设备100使用过程中所创建的数据(比如音频数据,电话本等)等。此外,内部存储器121可以包括高速随机存取存储器,还可以包括非易失性存储器,例如至少一个磁盘存储器件,闪存器件,通用闪存存储器(universal flash storage,UFS)等。
在本申请的一些实施例中,内部存储器121可以用于存储TEE OS镜像等。该TEE OS镜像可以为最原始的镜像,也可以为定期保存的TEE OS内存快照。在重启TEE OS时,电子设备100可以从内部存储器121中调用已存储的TEE OS镜像,进而恢复TEE OS至崩溃前的状态,修复异常。
在本申请的另一些实施例中,在内存存储器121中也可以包括用于存储与TEE安全服务相关的数据的区域,该区域对应的存储空间也可以称之为“安全内存”。
电子设备100可以通过音频模块170,扬声器170A,受话器170B,麦克风170C,耳机接口170D,以及应用处理器等实现音频功能。例如音乐播放,录音等。
音频模块170用于将数字音频信息转换成模拟音频信号输出,也用于将模拟音频输入转换为数字音频信号。音频模块170还可以用于对音频信号编码和解码。在一些实施例中,音频模块170可以设置于处理器110中,或将音频模块170的部分功能模块设置于处理器110中。
扬声器170A,也称“喇叭”,用于将音频电信号转换为声音信号。电子设备100可以通过扬声器170A收听音乐,或收听免提通话。
受话器170B,也称“听筒”,用于将音频电信号转换成声音信号。当电子设备100接听电话或语音信息时,可以通过将受话器170B靠近人耳接听语音。
麦克风170C,也称“话筒”,“传声器”,用于将声音信号转换为电信号。当拨打电话或发送语音信息时,用户可以通过人嘴靠近麦克风170C发声,将声音信号输入到麦克风170C。电子设备100可以设置至少一个麦克风170C。在另一些实施例中,电子设备100可以设置两个麦克风170C,除了采集声音信号,还可以实现降噪功能。在另一些实施例中,电子设备100还可以设置三个,四个或更多麦克风170C,实现采集声音信号,降噪,还可以识别声音来源,实现定向录音功能等。
耳机接口170D用于连接有线耳机。耳机接口170D可以是USB接口130,也可以是3.5mm的开放移动电子设备平台(open mobile terminal platform,OMTP)标准接口,美国蜂窝电信工业协会(cellular telecommunications industry association of the USA,CTIA)标准接口。
指纹传感器180H用于采集指纹。电子设备100可以利用采集的指纹特性实现指纹解锁,访问应用锁,指纹拍照,指纹接听来电等。
按键190包括开机键,音量键等。按键190可以是机械按键。也可以是触摸式按键。电子设备100可以接收按键输入,产生与电子设备100的用户设置以及功能控制有关的键信号输入。
马达191可以产生振动提示。马达191可以用于来电振动提示,也可以用于触摸振动反馈。例如,作用于不同应用(例如拍照,音频播放等)的触摸操作,可以对应不同的振动反馈效果。作用于显示屏194不同区域的触摸操作,马达191也可对应不同的振动反馈效果。不同的应用场景(例如:时间提醒,接收信息,闹钟,游戏等)也可以对应不同的振动反馈效果。触摸振动反馈效果还可以支持自定义。
指示器192可以是指示灯,可以用于指示充电状态,电量变化,也可以用于指示消息,未接来电,通知等。
SIM卡接口195用于连接SIM卡。SIM卡可以通过插入SIM卡接口195,或从SIM卡接口195拔出,实现和电子设备100的接触和分离。电子设备100可以支持1个或N个SIM卡接口,N为大于1的正整数。SIM卡接口195可以支持Nano SIM卡,Micro SIM卡,SIM卡等。同一个SIM卡接口195可以同时插入多张卡。所述多张卡的类型可以相同,也可以不同。SIM卡接口195也可以兼容不同类型的SIM卡。SIM卡接口 195也可以兼容外部存储卡。电子设备100通过SIM卡和网络交互,实现通话以及数据通信等功能。在一些实施例中,电子设备100采用eSIM,即:嵌入式SIM卡。eSIM卡可以嵌在电子设备100中,不能和电子设备100分离。
图2为本申请实施例提供的电子设备100可以包括的一种TrustZone框架结构示意图。
示例性的,电子设备100包括硬件平台201,ARM可信固件(arm trusted firmware,ATF)202,以及基于硬件平台201和ARM可信固件202的富执行环境(REE)203和可信执行环境(TEE)204。
硬件平台201,用于支撑电子设备100运行,以及存储安全硬件资源。其中,安全硬件资源可以包括:安全内存2011,以及硬件钥匙,安全键盘等。
在本申请的一些实施例中,安全内存2011用于存储备份的TEE OS镜像,以及用于存放安全服务相关数据等。
REE203,为电子设备100中的普通执行环境。在REE203中可以运行客户端应用(CA)210和富执行环境操作系统(REE OS)211。CA210中包括可以为用户提供安全服务的应用。当需要调用安全服务时,REE OS211通过可信执行环境客户端应用编程接口(application programming interface,API)212与可信执行环境操作系统(TEE OS)214通信,请求安全服务支持。
REE OS211中包括驱动220,用于支持系统与硬件设备之间完成数据传送,以及支持REE203与TEE204之间安全服务的交互工作。如可以包括安全服务模块230(安全服务驱动),时钟驱动等。
其中,安全服务模块230,可用于为REE203中的CA210提供安全服务,和/或为REE203中的CA210从TEE204中获取安全服务。安全服务模块230可以包括安全服务暂停模块240,REE安全状态保存模块241,以及REE安全状态恢复模块242。其中,安全服务暂停模块240,用于在TEE OS214重启期间,阻止REE203中的CA210向REE OS211发送安全服务请求。REE安全状态保存模块241,用于在TEE OS214重启前,保存REE203侧与安全服务相关的参数,例如安全上下文等。REE安全状态恢复模块242,用于在TEE OS214重启后,恢复REE203侧与安全服务相关的参数,例如安全上下文等。其中,各个模块的具体作用,以及相互交互将在下文详细说明。
可以理解的是,这里安全服务暂停模块240,REE安全状态保存模块241,以及REE安全状态恢复模块242可以为独立的模块,也可以组合其中某些模块,本申请实施例对此不做限定。
可选的,REE OS211中还可以包括内核核心模块221以及文件系统模块222。
其中,内核核心模块221为操作系统的内核,用于提供核心服务支持。包括负责整个硬件的驱动,以及提供各种系统所需的核心功能。
其中,文件系统模块222,用于提供文件访问支持等文件相关的服务。电子设备100中,数据以文件的形式保存在外设,待需要的时候由文件系统模块222调入内存。其主要作用是保持文件,管理文件,保护文件以及提高系统资源利用率。
TEE204,为电子设备100中的可信执行环境,可以为REE203侧提供安全服务。TEE204为一个安全区域,在一个独立的环境中运行可信应用(TA)213以及TEE OS214。 可以确保TEE204中加载的代码和数据的机密性和完整性都得到保护。TEE OS214通过调用可信执行环境内部应用编程接口215与TEE OS211进行通信,提供安全服务支持。
TEE OS214中包括崩溃处理模块223,可用于应对TEE204侧发生异常崩溃,导致无法为REE203侧提供安全服务的问题。崩溃处理模块223中包括TEE初始化模块231,可用于TEE204发生异常时,初始化TEE204。TEE初始化模块231可以包括TEE安全状态恢复模块243,用于在TEE OS214重启后,恢复TEE204侧与安全服务相关的参数,例如硬件状态参数,上下文等。崩溃处理模块223中还包括TEE异常处理模块232,可用于应对TEE204中发生的异常,例如可以包括TEE OS214崩溃异常。TEE异常处理模块232可以包括TEE安全状态保存模块244以及TEE OS重启模块245。其中,TEE安全状态保存模块244,用于在TEE OS214重启前,保存TEE204侧与安全服务相关的参数,例如硬件状态参数等。TEE OS重启模块245,用于重启TEE OS214。其中,各个模块的具体作用,以及相互交互将在下文详细说明。
可以理解的是,这里的TEE安全状态恢复模243,TEE安全状态保存模块244,以及TEE OS重启模块245可以为独立的模块,也可以组合其中某些模块,本申请实施例对此不做限定。
可选的,TEE OS214中还可以包括可信执行环境通信代理224,可信操作系统核心框架225,以及可信驱动226。
其中,可信执行环境通信代理224,为用于支撑TEE与REE之间通信工作的代理(agent)。
其中,可信操作系统核心框架225,用于提供TEE204的核心服务,支持TEE OS214。如管理内存,进程、线程等。
其中,可信驱动226,用于为TEE204提供驱动服务。如驱动执行指纹比对安全服务等。
需要说明的是,本申请实施例示意的结构并不构成对电子设备100的具体限定。在本申请另一些实施例中,电子设备100可以包括比图示更多或更少的部件,或者组合某些部件,或者拆分某些部件,或者不同的部件布置。图示的部件可以以硬件,软件或软件和硬件的组合实现。
以下实施例中所涉及的技术方案均可以在具有如图1所示硬件架构和如图2所述的TrustZone框架的电子设备100中实现。
图3为本申请实施例提供的一种可信执行环境操作系统崩溃处理方法流程示意图,该方法可以包括步骤S101-步骤S106:
S101、若电子设备发生TEE OS崩溃,则保存TEE硬件状态参数。
示例性的,电子设备在运行应用程序的过程中,当应用程序涉及安全服务(例如用户身份验证服务等)时,会通过REE调用TEE中的相关模块。在REE调用TEE中的相关模块提供安全服务的过程中,若TEE OS发生不可修复的故障,会导致TEE OS崩溃,造成安全服务的停止或中断。
其中,造成TEE OS崩溃的原因包括但不限于:第三方驱动问题、核心服务代码漏洞(bug)、以及部分硬件故障等。例如,以电子设备是手机为例,手机厂商可以在 手机上集成其他硬件厂商的指纹识别模块。那么,手机的TEE OS需要使用第三方驱动代码调用指纹识别模块。当第三方驱动代码出现异常时,手机自身并不能对第三方驱动代码进行修复,那么可能造成TEE OS崩溃。或者,其他硬件厂商的指纹识别模块发生硬件故障,手机的TEE OS也无法驱动该指纹识别模块,也可能造成TEE OS崩溃。再例如,TEE OS提供安全服务的过程中会使用多个寄存器。若其中任一个或任几个寄存器发生故障,则可能造成TEE OS的读写异常,进而造成TEE OS崩溃。
在一种具体的实现方式中,若TEE OS发生崩溃时,TEE OS可以先保存TEE硬件状态参数。其中,TEE硬件状态参数可以包括TEE中各个寄存器的数据,例如,sec_region寄存器,用于保存为安全服务分配的内存区域的基地址。在TEE OS崩溃时,保存sec_region寄存器中的值。在TEE OS按照本申请实施例提供的方法重启后,可以直接根据该寄存器的值快速定位到崩溃之前内存位置。可以理解的是,TEE OS在运行安全服务的过程中,会不断读取相关寄存器的值,以及将计算得到的数据存储在相应寄存器中,故TEE中寄存器的数据可以体现TEE硬件运行的状态。当然,TEE硬件状态参数还可以是其他体现TEE相关硬件状态的参数,本申请实施例对此不做限定。其中,TEE OS保存TEE硬件状态参数,例如可以包括TEE OS保存TEE当前的安全上下文。其中,“当前”指的是执行该保存动作时的TEE硬件状态参数。在另一些可能的设计中,可以保存特定时间长度之前的硬件状态参数或根据系统设置的其它硬件状态参数。
需要说明的是,若TEE OS崩溃时,保存电子设备硬件状态参数。而后,在TEE OS重启后,可以根据保存的硬件状态参数快速恢复硬件状态,有利于快速恢复TEE的安全服务,提升用户体验。
举例来说,在用户使用支付宝进行指纹支付的过程中,若因驱动指纹识别模块失败或其他因素导致TEE OS崩溃,指纹支付相关的安全服务中断。此时,电子设备可能已执行一部分与指纹对比安全服务相关的数据读取与写入工作,即TEE中的至少部分寄存器的值发生变化。那么,保存TEE中寄存器的值,有利于在TEE OS重启后,利用已保存的TEE中寄存器的值直接设置重启后TEE中寄存器的值,而不需要在重启执行相关的数据读取与写入的工作,有利于加快恢复TEE的指纹支付相关安全服务。
在本申请的一些实施例中,在确定TEE OS崩溃时,也可以先确认下电子设备的硬件是否发生故障,或者确定哪些硬件发生故障。若确定电子设备的硬件未发生故障,则可以直接保存所有硬件状态参数。若确定电子设备某个或某些硬件发生故障,则保存其他未发生故障的硬件的状态参数。在一些示例中,可以将发生故障的某个或某些硬件的状态参数保存为零。
举例来说,假设支持人脸比对安全服务所需要使用的100个寄存器中,某1个寄存器发生故障。在TEE OS崩溃后,保存TEE硬件状态参数时,不保存出现故障的寄存器的值或者将该寄存器的值保存为零。以此保证在后续重置TEE硬件状态参数时,保证设置的硬件状态参数的正确性。
S102、电子设备保存REE安全上下文,并暂停安全服务。
在本申请的一些实施例中,TEE OS崩溃后,将无法处理REE侧发出的安全服务请求。TEE OS向REE OS发送通知,用于告知TEE OS已崩溃的情况。在接收到该通 知后,REE OS保存REE侧安全服务相关的数据。
在一些示例中,REE OS暂停接收应用程序发送的新的安全服务请求,以避免REE OS接收到新的安全服务请求后仍然会因为TEE OS崩溃发生异常。在另一些示例中,REE OS也可以在接收到新的安全服务请求后,不对新的安全服务请求进行处理,甚至直接丢弃接收到的新的安全服务请求。示例性的,在REE OS中设置接收安全服务请求的接口,如调用命令接口(invoke command KPI)。在该接口中设置开关,当REE OS确认TEE OS已经崩溃后,将该接口的检查值设置为失败(fail)。如此,实现暂停接收新的安全服务请求,或者在接收到新的安全服务请求后,不进行处理。
在一种实现方式中,REE OS保存REE安全上下文,例如可以包括REE OS保存REE当前的安全上下文。其中,“当前”指的是执行该保存动作时的REE安全上下文。在另一些实现方式中,可以保存特定时间长度之前的安全上下文或根据系统设置的其它安全上下文。
REE的安全上下文例如可以包括安全服务的注册信息等与安全服务相关的状态。该安全服务的注册信息可以包括安全内存(用于存放安全服务相关数据的内存)的分配结果,指令缓冲地址,当前已经向TEE注册的工作代理(agent),当前已经与TEE建立连接的会话(session),当前已经向TEE注册的安全服务等。可以理解的是,在REE调用TEE中的相关模块提供安全服务之前,会先向TEE进行指令缓存的注册,代理注册,安全内存注册等。在TEE崩溃后重启,REE与TEE之间在TEE崩溃前建立的安全服务连接失效。故,这里将REE的安全上下文进行保存,获得安全服务注册信息,REE根据注册信息可以向TEE发送安全服务注册请求,以重新建立连接,直接根据保存的REE安全上下文恢复TEE中的相关上下文。
安全服务可以包括与用户身份验证相关的服务,例如指纹比对服务,密码校验服务,人脸比对服务等。
例如,在用户使用支付宝应用的指纹支付的功能时,需要输入用户的指纹。TEE将采集到的用户指纹与预存的指纹模板进行比对。若在比对的过程中,TEE OS崩溃,则无法支持完成对采集到的用户指纹与指纹模板的比对工作。REE OS可以暂停与指纹比对相关的安全服务。在一些示例中,REE OS可以向支付宝应用发送TEE OS崩溃的通知。在另一些示例中,支付宝应用在预设时间段内一直未接收到REE OS发送的指纹比对结果,则确定本次安全服务请求失败或出现异常。
在本申请的另一些实施例中,REE OS可以向REE中安全服务对应的应用发送通知,用于通知TEE中的安全服务不可用。那么,应用程序在接收到该通知后,暂停发送新的安全服务请求。示例性的,可以在REE OS中预先设置一列表,该列表用于显示REE侧已经注册过的安全服务中正在运行或者等待运行的安全服务,在TEE OS崩溃后,无法继续提供安全服务,所以需要暂停列表中包含的安全服务。获得列表中包含的安全服务,可以得到安全服务的注册信息,进而根据注册信息获得各个安全服务对应的应用的信息。如此,可以实现根据该列表,确定列表中的安全服务对应的应用,REE OS可以向对应的应用发送安全服务不可用的通知,应用接收到该通知后,可以自动暂停发送新的安全服务请求。
S103、电子设备重启TEE OS。
示例性的,电子设备可以根据安全内存中备份的TEE OS镜像,重新初始化TEE OS到最原始的状态。或者,电子设备在运行过程中定期保存TEE OS内存快照,那么,电子设备可以用最近时间点保存的内存快照重新初始化TEE OS到最近的正确状态。
S104、电子设备根据重启TEE OS前保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数。
示例性的,在TEE OS重启完成后,先恢复TEE的安全硬件状态参数,以支持后续恢复TEE的软件参数,比如上下文等。根据步骤S101中TEE OS崩溃时保存的TEE的硬件状态参数,设置TEE OS重启后的TEE的硬件状态参数为TEE OS重启前TEE的硬件状态参数,快速恢复硬件状态。
举例来说,在用户使用支付宝进行指纹支付的过程中,若TEE OS崩溃,电子设备保存此时TEE中各个寄存器的值。在TEE OS重启后,电子设备根据已保存的TEE中寄存器的值可以直接设置重启后TEE中寄存器的值,便于快速恢复TEE的指纹支付相关安全服务。
S105、电子设备根据重启TEE OS前保存的REE的安全上下文设置重启TEE OS后REE的安全上下文,以及根据重启TEE OS前保存的REE的安全上下文设置重启TEE OS后TEE的上下文。
示例性的,在重启TEE OS之后,可以开始逐步恢复REE的安全上下文和TEE的上下文。例如:根据已保存的REE的安全上下文逐步设置重启后的REE的安全上下文,然后根据设置好的REE安全上下文逐步执行与安全服务相关的相关操作,以恢复TEE侧的上下文。例如,完成指令缓存的注册、代理的注册,安全内存的注册,恢复REE OS与应用之间会话(session)连接,重新拉起安全服务进程等。
例如:REE OS根据已保存的REE的安全上下文获得安全服务的注册信息,根据安全服务的注册信息,向TEE OS发送部分或全部安全服务的注册请求,REE OS根据该注册请求,恢复安全服务的注册。例如,完成指令缓存的注册、代理的注册,安全内存的注册,恢复TEE OS与REE OS之间会话(session)连接,重新拉起安全服务进程等。之后,TEE OS继续发送后续的安全服务请求,直至完成全部安全服务的注册。即恢复REE的安全上下文与TEE的上下文至TEE OS崩溃前的状态,可以提供安全服务。
S106、电子设备恢复安全服务。
示例性的,在设置重启后REE的安全上下文和TEE的上下文后,TEE OS已具备继续为REE中应用提供安全服务的能力,TEE OS可以向REE发送通知,以恢复上述步骤S102中暂停的安全服务。
需要说明的是,一些需要多个进程协同控制才可以执行的安全服务,在恢复该安全服务的过程中,REE OS需要按照预定顺序对其进行恢复。
示例性的,人脸比对安全服务,需要多进程协同控制,比如需要第一进程和第二进程协同控制,顺序为先执行第一进程,再执行第二进程。在电子设备恢复人脸比对安全服务的过程中,则需要先恢复第一进程,再恢复第二进程,第二进程恢复之前会确认第一进程是否已恢复。若已恢复,则第二进程开始恢复;若未恢复,则第二进程等待第一进程恢复后再恢复;或者,先恢复第一进程后,由第一进程通知第二进程开 始恢复。本申请实施例对此不做限定。
由上可见,当TEE中TEE OS崩溃时,可以单独重启TEE OS,从而避免现有技术中的整机重启(包括重启TEE OS和REE OS),减少从TEE OS崩溃到TEE OS重启后恢复安全服务的总耗时,提升电子设备的使用体验。
此外,不重启REE OS,可以由REE侧保存TEE OS崩溃时的内存空间数据,不会造成TEE侧异常内存空间数据的丢失。在TEE OS重启后,就可以根据保存的TEE侧异常内存空间数据与新建立的TEE侧内存空间的数据进行对比分析,进而可以快速分析出导致TEE OS奔溃的原因,降低维修成本。
以下,结合具体的应用场景进行说明。
场景1、电子设备提供安全服务过程中TEE OS崩溃的场景。
例如,以手机作为电子设备举例进行说明。如图4A中的(a)所示界面11,界面11为手机支付宝应用为用户提供指纹支付功能的界面。此时,手机采集用户录入的指纹。之后,手机的REE OS通过调用TEE中的安全服务模块,对用户录入的指纹进行比对等工作。
在现有技术中,若在指纹比对的过程中,TEE OS发生崩溃。手机自动关机重启以恢复安全服务。即,在TEE OS崩溃后,手机会显示如图4A中的(b)所示黑屏(关机)界面12。在手机重启期间,无法为用户提供服务。手机重启后,显示如图4A中的(c)所示主屏幕界面13。用户需要通过继续在主屏幕界面上点击支付宝应用图标,以及开启指纹支付功能等多个操作,才可以重新使用支付宝的指纹识别功能。由此可见,现有技术中恢复安全服务过程耗时较长。
在本申请实施例中,若在指纹比对的过程中,TEE OS发生崩溃,造成此次指纹比对失败,手机可以显示如图4A中的(d)所示界面14,提示用户再次输入指纹的界面。手机单独重启TEE OS。在重启TEE OS的过程中,不会重启REE OS。因此,在重启TEE OS的过程中,手机不会黑屏,可以保持如图4A中的(d)所示界面14。在重启TEE OS且恢复安全服务后,响应于用户在界面14的指纹输入操作,手机可以对用户输入的指纹进行比对。由此可见,通过本申请实施例提供的可信执行环境操作系统崩溃处理方法,可以有效减少TEE OS崩溃到恢复安全服务过程的耗时。
场景2、电子设备同时提供安全服务和其他服务的过程中TEE OS崩溃的场景。
例如,仍然以手机作为电子设备举例进行说明。若用户在通话的过程中,同时使用支付宝应用的指纹识别功能。手机显示如图4B中的(a)所示界面15。在界面15中显示有通话功能提示区域151,提示用户可以通过点击通话功能提示区域151返回通话界面。手机在提供通话功能过程中切换至其他页面时,会显示通话功能提示区域151。在手机采集到用户指纹后,手机的REE OS通过调用TEE中的安全服务模块,对采集的用户指纹进行比对等工作。
在现有技术中,若在指纹比对的过程中,TEE OS发生崩溃。手机自动关机重启以恢复安全服务。即,在TEE OS崩溃后,手机会显示如图4B中的(b)所示黑屏(关机)界面16。在手机重启期间,无法为用户提供服务(包括指纹支付功能以及通话功能)。手机重启后,显示如图4B中的(c)所示主屏幕界面17。用户需要通过在主屏幕界面17中点击通话应用图标,输入电话号码等多个操作,使用通话功能。还需要通 过在主屏幕界面17中点击支付宝应用图标等多个操作重新开启支付宝应用的指纹支付功能。由此可见,现有技术中恢复安全服务过程耗时较长。
在本申请实施例中,若在指纹比对的过程中,TEE OS发生崩溃造成此次指纹比对失败,手机可以显示如图4B中的(d)所示界面18。在界面18中显示有通话功能提示区域151,表示正在提供通话服务。可以注意到,此时手机不能提供指纹支付功能,但手机的通话功能不受影响。由此可见,通过本申请实施例提供的可信执行环境操作系统崩溃处理方法,可以有效减少TEE OS崩溃到恢复安全服务过程的耗时。此外,在该过程中,手机可以继续为用户提供除安全服务以外的其他服务。
图5为本申请实施例提供另一种的可信执行环境操作系统崩溃处理方法流程示意图,该方法可以包括步骤S201-步骤S212:
S201、TEE OS崩溃,TEE OS保存TEE硬件状态参数。
请参见图2所示的结构,在TEE为REE中的应用提供安全服务的过程中,若TEE OS崩溃,TEE异常处理模块中的TEE安全状态保存模块可用于保存TEE安全硬件状态。其中,TEE硬件状态参数可以包括TEE中各个寄存器的数据等。
其余内容可以参考步骤S101的相关描述,在此不再赘述。
S202、TEE OS向REE OS发送第一通知。
示例性的,在TEE获知TEE安全状态保存模块保存TEE硬件状态参数后,向REE发送第一通知。例如,可以由TEE中的TEE异常处理模块向REE中的安全服务模块发送第一通知。又例如,TEE中的TEE异常处理模块在保存TEE安全硬件状态参数后,告知TEE OS中的特定模块,由TEE OS中的特定模块向REE中的安全服务模块,或者经由REE中的某个模块向REE中的安全服务模块,发送第一通知。本申请实施例对此不做限定。
其中,第一通知可以用于通知TEE OS已崩溃,以便REE OS执行相应的步骤。或者,第一通知可以直接用于通知REE执行相应的步骤。具体实现中,第一通知可以为具有固定格式的消息,或者携带特定内容的消息。本申请实施例对第一通知的具体格式和内容均不做限定。
其余内容可以参考步骤S101的相关描述,在此不再赘述。
S203、REE OS保存REE安全上下文,暂停安全服务。
示例性的,REE侧安全服务模块接收到第一通知后,可以先调用其中的REE安全状态保存模块保存REE安全上下文,再调用安全服务暂停模块暂停安全服务。也可以先调用安全服务暂停模块暂停安全服务,再调用其中的REE安全状态保存模块保存REE安全上下文。还可以同时调用两个模块分别执行相应的步骤。即,本申请实施例并限定保存REE安全上下文和暂停安全服务的时间顺序。
其余内容可以参考步骤S102的相关描述,在此不再赘述。
S204、REE OS向TEE OS发送第二通知。
示例性的,在REE获知安全服务暂停模块暂停安全服务后,向TEE侧TEE异常处理模块发送第二通知,例如,可以由REE中的安全服务模块向TEE中的TEE异常处理模块发送第二通知。又例如,REE中的安全服务暂停模块暂停安全服务后,告知REE OS中的特定模块,由REE OS中的特定模块向TEE中的TEE异常处理模块,或 者经由TEE中的某个模块向TEE中的TEE异常处理模块,发送第二通知。本申请实施例对此不做限定。
其中,第二通知可以用于通知TEE OS,REE侧已准备就绪,以便TEE OS执行相应的步骤。或者,第二通知可以直接用于通知TEE执行相应的步骤。具体实现中,第二通知可以为具有固定格式的消息,或者携带特定内容的消息。本申请实施例对第二通知的具体格式和内容均不做限定。
示例性的,在REE获知安全服务暂停模块暂停安全服务后,还可以向REE中安全服务对应的应用发送第五通知,用于通知TEE中的安全服务不可用。那么,应用程序在接收到该通知后,暂停发送新的安全服务请求。本申请实施例对第五通知的具体格式和内容均不做限定。
其余内容可以参考步骤S102的相关描述,在此不再赘述。
S205、TEE OS重启。
示例性的,TEE侧的TEE异常处理模块接收到第二通知后,调用其中的TEE OS重启模块,重启TEE OS。
其余内容可以参考步骤S103的相关描述,在此不再赘述。
S206、TEE OS根据重启TEE OS前保存的TEE的硬件状态参数设置重启TEE OS后TEE的硬件状态参数。
示例性,TEE OS重启模块重启TEE OS后,TEE异常处理模块通知TEE初始化模块TEE OS已重启,可以开始恢复TEE侧安全状态。TEE侧的TEE初始化模块获知TEE OS已重启完毕,则调用TEE安全状态恢复模块,从TEE安全状态保存模块中获取TEE OS重启前其保存的TEE的硬件状态参数,用于设置TEE OS重启后的TEE的硬件状态参数。
其余内容可以参考步骤S104的相关描述,在此不再赘述。
S207、TEE OS向REE OS发送第三通知。
示例性的,在TEE获知TEE安全状态恢复模块恢复TEE硬件状态参数后,向REE发送第三通知。例如,可以由TEE中的TEE初始化模块向REE中的安全服务模块发送第三通知。又例如,TEE中的TEE初始化模块在恢复TEE安全硬件状态参数后,告知TEE OS中的特定模块,由TEE OS中的特定模块向REE中的安全服务模块,或者经由REE中的某个模块向REE中的安全服务模块,发送第三通知。本申请实施例对此不做限定。
其中,第三通知可以用于通知TEE硬件状态已恢复,以便REE OS执行相应的步骤。或者,第三通知可以直接用于通知REE执行相应的步骤。具体实现中,第三通知可以为具有固定格式的消息,或者携带特定内容的消息。本申请实施例对第三通知的具体格式和内容均不做限定。
其余内容可以参考步骤S104的相关描述,在此不再赘述。
S208、REE OS根据重启TEE OS前保存的REE的安全上下文设置重启TEE OS后REE的安全上下文。
S209、REE OS指示TEE OS根据重启TEE OS后的REE的安全上下文设置重启TEE OS后TEE的上下文。
S210、TEE OS根据重启TEE OS后的REE的安全上下文设置重启TEE OS后TEE的上下文。
S211、TEE OS向REE OS发送第四通知。
示例性的,步骤S208-S211中,REE侧的安全服务模块接收TEE发送的第三通知后,调用REE安全状态恢复模块启动恢复安全上下文的流程。REE安全状态恢复模块从REE安全状态保存模块中获取REE OS重启前保存的REE的安全上下文,根据重启前保存的REE安全上下文恢复重启后REE安全上下文,并向TEE中的TEE安全状态恢复模块发送部分或全部安全服务的注册请求。TEE安全状态恢复模块根据注册请求,恢复对应的安全服务重启后的TEE的上下文后,向REE安全状态恢复模块发送通知,反馈此次注册已完成。REE安全状态恢复模块根据重启前保存的REE的安全上下文继续发送未发送的安全服务的注册请求。在REE安全状态恢复模块与TEE安全状态恢复模块的交互过程中,完成全部安全服务的注册,恢复REE的安全上下文和TEE的上下文至TEE OS崩溃前的状态。其中,REE安全状态恢复模块向TEE发送的最后一个注册请求中携带有固定标识,用于告知TEE根据此次注册请求恢复安全服务后,即完成全部REE的安全上下文和TEE的上下文的恢复。或者,TEE预设时间段未收到注册请求后,即获知已完成全部REE的安全上下文和TEE的上下文的恢复。
在TEE获知已完成全部REE的安全上下文和TEE的上下文的恢复工作后,TEE异常处理模块向REE发送第四通知。例如,可以由TEE中的TEE异常处理模块向REE中的安全服务模块发送第四通知。又例如,TEE中的TEE异常处理模块在获知已完成全部REE安全上下文和TEE上下文的恢复工作后,告知TEE OS中的特定模块,由TEE OS中的特定模块向REE中的安全服务模块,或者经由REE中的某个模块向REE中的安全服务模块,发送第四通知。本申请实施例对此不做限定。
其中,第四通知可以用于通知REE的安全上下文和TEE的上下文已恢复,以便REE OS执行相应的步骤。或者,第四通知可以直接用于通知REE执行相应的步骤。具体实现中,第四通知可以为具有固定格式的消息,或者携带特定内容的消息。本申请实施例对第四通知的具体格式和内容均不做限定。
需要说明的是,图中步骤S208中设置REE的安全上下文,以及步骤S209中指示设置TEE的上下文的过程是交织进行的。例如,步骤S208中REE设置一个或几个REE的安全上下文后,会指示TEE设置相应的上下文。而后,REE再继续设置其他的REE的安全上下文,再指示TEE设置相应的上下文,以此类推。
其余内容可以参考步骤S105的相关描述,在此不再赘述。
S212、REE OS恢复安全服务。
REE侧安全服务模块接收到第四通知后,停止运行安全服务暂停模块,进而恢复安全服务。
其余内容可以参考步骤S106的相关描述,在此不再赘述。
在上述步骤S201-步骤S212提供的技术方案中,TEE OS崩溃后,REE OS可以不主动退出安全服务。由于本申请未重启REE OS,REE可能保留了之前调用安全服务的部分数据,如内存地址等,而这部分数据已经失效。在这种情况下,在REE OS恢复安全服务后,即执行步骤S212后,REE首次接收的应用发送的安全服务请求,会 根据REE保留的安全服务的数据,向TEE发起安全服务请求。而由于REE之前保留的安全数据已经失效,导致此次连接失败。而后,REE的守护进程会重新拉起安全服务,即再次向TEE侧发出安全服务请求。其中,守护进程(daemon)是一类在后台运行的特殊进程,用于执行特定的系统任务。一些守护进程在系统引导的时候启动,并且一直运行直到系统关闭。另一些只在需要的时候才启动,完成任务后就自动结束。在本申请实施例中,可以在安全服务启动失败后,由守候进程重启建立连接,启动安全服务。
例如,以手机作为电子设备举例。如图6中的(a)所示界面21,界面21为手机支付宝应用提供的指纹解锁功能界面。此时,手机提示用户可以通过点击屏幕进行指纹解锁。在手机检测到用户点击屏幕的操作后,手机显示如图6中的(b)所示的界面22。界面22为采集用户指纹的界面。在手机采集用户录入的指纹后,手机的REE OS通过调用TEE中的安全服务模块,对用户录入的指纹进行比对等工作。若在指纹比对的过程中,TEE OS发生崩溃,手机可以显示如图6中的(c)所示界面23,界面23用于提示用户此次解锁失败(指纹比对失败),再次输入指纹。TEE OS重启。在TEE OS重启后,如图6中(d)所示,用户在界面23上输入指纹。手机再次采集用户的指纹,并将采集到的用户指纹发送给TEE进行比对。TEE比对失败,显示如图6中的(e)所示界面24。
图7为本申请实施例提供另一种的可信执行环境操作系统崩溃处理方法流程示意图,该方法可以包括步骤S301-步骤S314:
S301、TEE OS崩溃,TEE OS保存TEE硬件状态参数。
S302、TEE OS向REE OS发送第一通知。
S303、REE OS保存REE安全上下文,暂停安全服务。
其中,步骤S301-S303可以参考步骤S201-S203的相关描述,在此不再赘述。
S304、REE OS向安全服务对应的应用发送第六通知,用于退出安全服务。
在一些实施例中,在REE OS暂停安全服务后,REE OS可以主动退出安全服务。在图5所示的实施例中,当TEE OS崩溃后,独立重启了TEE OS,但未重启REE OS。因此,REE保留了之前调用安全服务的部分数据,如内存地址等,而这部分数据可能与TEE OS重启后的数据冲突。在这种情况下,当TEE OS重启后,REE接收到应用发送的第一次安全服务请求后,可能无法调用TEE中相应的安全服务模块。在该实施例中,在TEE OS崩溃后,REE OS暂停安全服务后,可以主动退出安全服务。当TEE OS重启后,主动恢复安全服务。这样,当TEE OS重启后,REE接收到应用发送的第一次安全服务请求后,可以正常调用TEE中相应的安全服务模块。
在本申请的一些实施例中,REE侧安全服务模块向电子设备中包含的安全服务的应用发送第六通知,用于退出安全服务;或者,第六通知为固定格式或内容的代码,安全服务对应的应用接收到第六通知后,自动退出安全服务。本申请实施例对第六通知的具体格式和内容均不做限定。
S305、REE OS向TEE OS发送第二通知。
S306、TEE OS重启。
S307、TEE OS根据重启TEE OS前保存的TEE的硬件状态参数设置重启TEE OS 后TEE的硬件状态参数。
S308、TEE OS向REE OS发送第三通知。
S309、REE OS根据重启TEE OS前保存的REE的安全上下文设置重启TEE OS后的REE的安全上下文。
S310、REE OS指示TEE OS根据重启TEE OS后的REE的安全上下文设置重启TEE OS后TEE的上下文。
S311、TEE OS根据重启TEE OS后的REE的安全上下文设置重启TEE OS后的TEE的上下文。
S312、TEE OS向REE OS发送第四通知。
其中,步骤S305-S312可以参考步骤S204-S211的相关描述,在此不再赘述。
S313、向安全服务对应的应用发送第七通知,用于重启安全服务。
示例性的,在REE OS恢复安全服务之前,电子设备会上述步骤S304中主动退出安全服务主动重启,建立新的连接以提供安全服务。
在本申请的一些实施例中,以图2所示的结构为例,REE侧安全服务模块,向电子设备中TEE OS崩溃后已主动退出的安全服务对应的应用发送第七通知,用于重启已退出的安全服务;或者,第七通知为固定格式或内容的代码,安全服务对应的应用接收到第六通知后,自动启动安全服务。本申请实施例对第七通知的具体格式和内容均不做限定。
S314、REE OS恢复安全服务。
示例性的,步骤S314中包含的其他内容可参见步骤S212,在此不再进行赘述。
在上述步骤S301-步骤S314提供的技术方案中,TEE OS崩溃后,REE OS可以主动退出安全服务,并在TEE OS重启后,主动重启安全服务。由于本申请未重启REE OS,REE可能保留了之前调用安全服务的部分数据,如内存地址等,而这部分数据已经失效。在TEE OS崩溃后,主动退出安全服务,可以清除这部分数据。在这种情况下,在REE OS恢复安全服务后,即执行步骤S314后,REE首次接收的应用发送的安全服务请求,向TEE发起安全服务请求。
例如,以手机作为电子设备举例。如图8中的(a)所示界面31,界面31为手机支付宝应用提供的指纹解锁功能界面。此时,手机提示用户可以通过点击屏幕进行指纹解锁。在手机检测到用户点击屏幕的操作后,手机显示如图8中的(b)所示的界面32。界面32为用户指纹输入界面。在手机采集到用户输入的指纹后,手机的REE OS通过调用TEE中的安全服务模块,对用户录入的指纹进行比对等工作。若在指纹比对的过程中,TEE OS发生崩溃,手机可以显示如图8中的(c)所示界面33。界面33用于提示用户此次解锁失败(指纹比对失败),再次输入指纹。如图8中的(d)所示,在TEE OS重启后,用户可以在界面33上输入指纹。手机采集到用户录入的指纹后,调用TEE侧的安全服务进行指纹比对。若指纹比对成功,手机解锁,显示如图8中(e)所示的支付宝首页34。可以看到,相较于在TEE OS崩溃后,REE OS不主动退出安全服务的方案,本实施例可以提升TEE OS重启后第一次执行安全服务的正确率。
图9示出了上述实施例中所涉及的计算机系统的一种可能的结构示意图,该计算机系统包括TEE901和REE902,TEE901为REE902提供安全服务。TEE901包括TEE  OS903、第一存储单元904和重启单元905,REE902包括REE OS906、第二存储单元907。
其中,TEE OS903,用于支持计算机系统执行图3中的步骤S104和步骤S105,图5中的步骤S206和步骤S210,图7中的步骤S307和步骤S311,和/或用于本文所描述的技术的其它过程。
第一存储单元904,用于支持计算机系统执行图3中的步骤S101,图5中的步骤S201,图7中的步骤S301,和/或用于本文所描述的技术的其它过程。
重启单元905,用于支持计算机系统执行图3中的步骤S103,图5中的步骤S205,图7中的步骤S306,和/或用于本文所描述的技术的其它过程。
REE OS906,用于支持计算机系统执行图3中的步骤S102、步骤S105和步骤S106,图5中的步骤S203、步骤S208和步骤S212,图7中的步骤S303、步骤S304、步骤S309、步骤313和步骤314,和/或用于本文所描述的技术的其它过程。
第二存储单元907,用于支持计算机系统执行图3中的步骤S102,图5中的步骤S203,图7中的步骤S303,和/或用于本文所描述的技术的其它过程。
其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能单元的功能描述,在此不再赘述。
图10示出了上述实施例中所涉及的用于实现可信执行环境操作系统崩溃处理的装置的一种可能的结构示意图。包括:处理单元1001,接收单元1002,存储单元1003,发送单元1004。
其中,处理单元1001,用于支持装置执行图3中的步骤S102,步骤S105和步骤S106,图5中的步骤S203,步骤S208和步骤S212,图7中的步骤S303,步骤S309和步骤S314,和/或用于本文所描述的技术的其它过程。
接收单元1002,用于支持装置执行图5中的步骤S202,步骤S207和步骤S211,图7中的步骤S302,步骤S308和步骤S312,和/或用于本文所描述的技术的其它过程。
存储单元1003,用于支持装置执行图3中的步骤S102,图5中的步骤S203,图7中的步骤S303,和/或用于本文所描述的技术的其它过程。
发送单元1004,用于支持装置执行图5中的步骤S204和步骤S209,图7中的步骤S304,步骤S305,步骤S310和步骤S313,和/或用于本文所描述的技术的其它过程。
其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能单元的功能描述,在此不再赘述。
图11示出了上述实施例中所涉及的用于实现可信执行环境操作系统崩溃处理的装置的一种可能的结构示意图。包括:处理单元1101,存储单元1102,发送单元1103,接收单元1104,重启单元1105。
处理单元1101,用于支持装置执行图3中的步骤S104和步骤S105,图5中的步骤S206和步骤S210,图7中的步骤S307和步骤S311,和/或用于本文所描述的技术的其它过程。
存储单元1102,用于支持装置执行图3中的步骤S101,图5中的步骤S201,图7中的步骤S301,和/或用于本文所描述的技术的其它过程。
发送单元1103,用于支持装置执行图5中的步骤S202,步骤S207和步骤S211,图7中的步骤S302,步骤S308,步骤S312,步骤S304和步骤S313,和/或用于本文所描述的技术的其它过程。
接收单元1104,用于支持装置执行图5中的步骤S204和步骤S209,图7中的步骤S305和步骤S310,和/或用于本文所描述的技术的其它过程。
重启单元1105,用于支持装置执行图3中的步骤S103,图5中的步骤S205,图7中的步骤S306,和/或用于本文所描述的技术的其它过程。
其中,上述方法实施例涉及的各步骤的所有相关内容均可以援引到对应功能单元的功能描述,在此不再赘述。
本申请实施例还提供一种芯片系统,如图12所示,该芯片系统包括至少一个处理器1201和至少一个接口电路1202。处理器1201和接口电路1202可通过线路互联。例如,接口电路1202可用于从其它装置接收信号。又例如,接口电路1202可用于向其它装置(例如处理器1201)发送信号。示例性的,接口电路1202可读取存储器中存储的指令,并将该指令发送给处理器1201。当所述指令被处理器1201执行时,可使得电子设备执行上述实施例中的可信执行环境操作系统崩溃处理方法中的各个步骤。当然,该芯片系统还可以包含其他分立器件,本申请实施例对此不作具体限定。
本申请实施例还提供一种计算机可读存储介质,该计算机可读存储介质中存储有计算机指令,当该计算机指令在电子设备上运行时,使得电子设备执行上述相关方法步骤实现上述实施例中的可信执行环境操作系统崩溃处理方法。
本申请实施例还提供一种计算机程序产品,当该计算机程序产品在计算机上运行时,使得计算机执行上述相关步骤,以实现上述实施例中的可信执行环境操作系统崩溃处理方法方法。
另外,本申请的实施例还提供一种装置,该装置具体可以是组件或模块,该装置可包括相连的处理器和存储器;其中,存储器用于存储计算机执行指令,当装置运行时,处理器可执行存储器存储的计算机执行指令,以使装置执行上述各方法实施例中的可信执行环境操作系统崩溃处理方法。
其中,本申请实施例提供的电子设备、计算机可读存储介质、计算机程序产品或芯片均用于执行上文所提供的对应的方法,因此,其所能达到的有益效果可参考上文所提供的对应的方法中的有益效果,此处不再赘述。
通过以上的实施方式的描述,所属领域的技术人员可以清楚地了解到,为描述的方便和简洁,仅以上述各功能模块的划分进行举例说明,实际应用中,可以根据需要而将上述功能分配由不同的功能模块完成,即将装置的内部结构划分成不同的功能模块,以完成以上描述的全部或者部分功能。上述描述的系统,装置和单元的具体工作过程,可以参考前述方法实施例中的对应过程,在此不再赘述。
在本申请所提供的几个实施例中,应该理解到,所揭露的方法,可以通过其它的方式实现。例如,以上所描述的电子设备实施例仅仅是示意性的,例如,所述模块或单元的划分,仅仅为一种逻辑功能划分,实际实现时可以有另外的划分方式,例如多个单元或组件可以结合或者可以集成到另一个系统,或一些特征可以忽略,或不执行。另一点,所显示或讨论的相互之间的耦合或直接耦合或通信连接可以是通过一些接口, 模块或单元的间接耦合或通信连接,可以是电性,机械或其它的形式。
所述作为分离部件说明的单元可以是或者也可以不是物理上分开的,作为单元显示的部件可以是或者也可以不是物理单元,即可以位于一个地方,或者也可以分布到多个网络单元上。可以根据实际的需要选择其中的部分或者全部单元来实现本实施例方案的目的。
另外,在本申请各个实施例中的各功能单元可以集成在一个处理单元中,也可以是各个单元单独物理存在,也可以两个或两个以上单元集成在一个单元中。上述集成的单元既可以采用硬件的形式实现,也可以采用软件功能单元的形式实现。
所述集成的单元如果以软件功能单元的形式实现并作为独立的产品销售或使用时,可以存储在一个计算机可读取存储介质中。基于这样的理解,本申请的技术方案本质上或者说对现有技术做出贡献的部分或者该技术方案的全部或部分可以以软件产品的形式体现出来,该计算机软件产品存储在一个存储介质中,包括若干指令用以使得一台计算机设备(可以是个人计算机,服务器,或者网络设备等)或处理器执行本申请各个实施例所述方法的全部或部分步骤。而前述的存储介质包括:快闪存储器、移动硬盘、只读存储器、随机存取存储器、磁碟或者光盘等各种可以存储程序指令的介质。
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何在本申请揭露的技术范围内的变化或替换,都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以所述权利要求的保护范围为准。

Claims (35)

  1. 一种可信执行环境操作系统崩溃处理方法,其特征在于,应用于包括可信执行环境TEE和富执行环境REE的电子设备,所述TEE中运行有可信执行环境操作系统TEE OS和安全服务,所述方法包括:
    基于在所述安全服务运行的过程中检测到所述TEE OS崩溃,所述电子设备保存所述TEEOS奔溃时所述TEE的硬件状态参数和所述REE的安全上下文,并暂停所述安全服务;
    所述电子设备重启所述TEE OS;
    所述电子设备根据保存的所述TEE的硬件状态参数设置重启所述TEE OS后所述TEE的硬件状态参数;
    所述电子设备根据保存的所述REE的安全上下文设置重启所述TEE OS后所述REE的安全上下文,以及根据保存的所述REE的安全上下文设置重启所述TEE OS后所述TEE的上下文;
    所述电子设备恢复所述安全服务。
  2. 根据权利要求1所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE中运行有富执行环境操作系统REE OS,所述方法还包括:
    所述电子设备暂停所述安全服务之后,通过所述REE OS通知所述安全服务对应的应用所述安全服务不可用。
  3. 根据权利要求1或2所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述方法还包括:
    所述电子设备暂停所述安全服务之后,通过所述REE OS暂停接收所述REE中任一应用发送的针对所述安全服务的请求。
  4. 根据权利要求2或3所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述方法还包括:
    所述电子设备暂停所述安全服务之后,通过所述REE OS通知所述安全服务对应的应用退出所述安全服务;
    所述电子设备恢复所述安全服务之后,通过所述REE OS通知所述安全服务对应的应用重启所述安全服务。
  5. 根据权利要求1-4任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述安全服务包括指纹比对服务、密码校验服务、以及人脸比对服务中任意一项或多项。
  6. 根据权利要求1-5任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述TEE的硬件状态参数包括:所述TEE中寄存器的数据。
  7. 根据权利要求1-6任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE的安全上下文包括:所述安全服务的注册信息。
  8. 一种可信执行环境操作系统崩溃处理方法,其特征在于,应用于包括可信执行环境TEE和富执行环境REE的电子设备,所述TEE为所述REE提供安全服务,所述TEE中包含可信执行环境操作系统TEE OS,所述REE中包含富执行环境操作系统REE OS,所述方法包括:
    在所述REE调用所述安全服务的过程中,所述REE OS接收第一通知;所述第一通知指示所述TEE OS已崩溃;
    所述REE OS保存所述REE安全上下文,暂停安全服务,向所述TEE OS发送第二通知,以指示所述TEE OS重启;
    所述REE OS接收第三通知,所述第三通知为所述TEE OS设置重启所述TEE OS后的所述TEE的硬件状态参数后发送给所述REE OS的通知;
    所述REE OS根据保存的所述REE的安全上下文设置重启所述TEE OS后所述REE的安全上下文;
    所述REE OS接收第四通知,所述第四通知为所述TEE OS设置重启所述TEE OS后的所述TEE的上下文后,发送给所述REE OS的通知;
    所述REE OS恢复所述安全服务。
  9. 根据权利要求8所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE OS暂停所述安全服务之后,所述方法还包括:
    所述REE OS向所述安全服务对应的应用发送第五通知,所述第五通知用于通知所述应用所述安全服务不可用。
  10. 根据权利要求8或9所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE OS暂停所述安全服务之后,所述方法还包括:
    所述REE OS暂停接收所述REE中任一应用发送的针对所述安全服务的请求。
  11. 根据权利要求8-10任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE OS暂停所述安全服务之后,所述方法还包括:
    所述REE OS向所述安全服务对应的应用发送第六通知,用于退出所述安全服务;
    所述REE OS恢复所述安全服务之后,所述方法还包括:
    所述REE OS向所述安全服务对应的应用发送第七通知,用于重启所述安全服务。
  12. 根据权利要求8-11任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述安全服务包括指纹对比服务、密码校验服务、人脸对比服务中任意一项或多项。
  13. 根据权利要求8-12任一项所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述REE的安全上下文包括:所述安全服务的注册信息。
  14. 一种可信执行环境操作系统崩溃处理方法,其特征在于,应用于包括可信执行环境TEE和富执行环境REE的电子设备,所述TEE为所述REE提供安全服务,所述TEE中包含可信执行环境操作系统TEE OS,所述REE中包含富执行环境操作系统REE OS,所述方法包括:
    在TEE提供安全服务的过程中,若所述TEE OS崩溃,所述TEE OS保存所述TEE硬件状态参数,向所述REE OS发送第一通知,所述第一通知用于指示所述REE OS暂停安全服务;
    所述TEE OS接收第二通知后,重启,其中,所述第二通知为REE OS暂停安全服务后发送给TEE OS的通知;
    所述TEE OS根据保存的所述TEE的硬件状态参数设置重启所述TEE OS后所述TEE的硬件状态参数,向所述REE OS发送第三通知,所述第三通知用于指示所述REE  OS设置重启所述TEE OS后所述REE的安全上下文;
    所述TEE OS根据重启所述TEE OS后所述REE的安全上下文设置重启所述TEE OS后的所述TEE的上下文;之后,向所述REE OS发送第四通知;所述第四通知用于指示所述REE OS恢复所述安全服务。
  15. 根据权利要求14所述的可信执行环境操作系统崩溃处理方法,其特征在于,所述安全服务包括指纹对比服务,密码校验服务,人脸对比服务中任意一项或多项。
  16. 根据权利要求14或15所述的可信执行环境操作系统崩溃处理方法,其特征在于,
    所述TEE的硬件状态参数包括:所述TEE中寄存器的数据。
  17. 一种计算机系统,其特征在于,包括可信执行环境TEE和富执行环境REE,所述TEE为所述REE提供安全服务;所述TEE包括可信执行环境操作系统TEE OS、第一存储单元和重启单元,所述REE包括富执行环境操作系统REE OS、第二存储单元;
    所述TEE OS,用于运行所述安全服务;
    所述第一存储单元,用于在所述TEE OS运行所述安全服务的过程中,若所述TEE OS崩溃,则保存所述TEE硬件状态参数;
    所述第二存储单元,用于保存所述REE安全上下文;
    所述REE OS,还用于暂停调用所述安全服务;
    所述重启单元,用于重启所述TEE OS;
    所述TEE OS,还用于根据保存的所述TEE的硬件状态参数设置重启所述TEE OS后所述TEE的硬件状态参数;
    所述REE OS,还用于根据保存的所述REE的安全上下文设置重启所述TEE OS后所述REE的安全上下文,以及所述TEE OS,还用于根据保存的所述REE的安全上下文设置重启所述TEE OS后所述TEE的上下文;
    所述REE OS,还用于恢复调用所述安全服务。
  18. 根据权利要求17所述的计算机系统,其特征在于,
    所述REE OS,还用于在暂停调用所述安全服务之后,向所述安全服务对应的应用发送所述安全服务不可用的通知。
  19. 根据权利要求17或18所述的计算机系统,其特征在于,
    所述REE OS,还用于在暂停调用所述安全服务之后,暂停接收所述REE中任一应用发送的针对所述安全服务的请求。
  20. 根据权利要求18或19所述的计算机系统,其特征在于,
    所述REE OS,还用于在暂停调用所述安全服务之后,通知所述安全服务对应的应用退出所述安全服务;
    所述REE OS,还用于在恢复调用所述安全服务之后,通知所述安全服务对应的应用重启所述安全服务。
  21. 根据权利要求17-20任一项所述的计算机系统,其特征在于,所述安全服务包括指纹比对服务,密码校验服务,人脸比对服务中任意一项或多项。
  22. 根据权利要求17-21任一项所述的计算机系统,其特征在于,所述TEE的硬 件状态参数包括:所述TEE中寄存器的数据。
  23. 根据权利要求17-22任一项所述的计算机系统,其特征在于,所述REE的安全上下文包括:所述安全服务的注册信息。
  24. 一种用于实现可信执行环境操作系统崩溃处理的装置,其特征在于,包括:处理单元、接收单元、存储单元和发送单元;
    所述处理单元,用于调用可信执行环境TEE的安全服务;
    所述接收单元,用于在所述处理单元调用所述安全服务的过程中,接收第一通知;所述第一通知用于通知可信执行环境操作系统TEE OS已崩溃;
    所述存储单元,用于保存富执行环境REE安全上下文;
    所述处理单元,还用于暂停调用所述安全服务;
    所述发送单元,用于向所述TEE OS发送第二通知;所述第二通知用于指示所述TEE OS重启;
    所述接收单元,还用于接收第三通知,所述第三通知为所述TEE OS设置重启所述TEE OS后的所述TEE的硬件状态参数后发送给所述REE OS的通知;
    所述处理单元,还用于根据保存的所述REE的安全上下文设置重启所述TEE OS后所述REE的安全上下文;
    所述接收单元,还用于接收第四通知,所述第四通知为所述TEE OS设置重启所述TEE OS后的所述TEE的上下文后,发送给所述REE OS的通知;
    所述处理单元,还用于恢复调用所述安全服务。
  25. 根据权利要求24所述的装置,其特征在于,
    所述发送单元,还用于在所述处理单元暂停调用所述安全服务之后,向所述安全服务对应的应用发送第五通知,用于通知所述安全服务不可用。
  26. 根据权利要求24或25所述的装置,其特征在于,
    所述接收单元,还用于在所述处理单元暂停调用所述安全服务之后,暂停接收所述REE中任一应用发送的针对所述安全服务的请求。
  27. 根据权利要求24-26任一项所述的装置,其特征在于,
    所述发送单元,还用于在所述处理单元暂停调用所述安全服务之后,向所述安全服务对应的应用发送第六通知,用于退出所述安全服务;
    所述发送单元,还用于在所述处理单元恢复调用所述安全服务之后,向所述安全服务对应的应用发送第七通知,用于重启所述安全服务。
  28. 根据权利要求24-27任一项所述的装置,其特征在于,所述安全服务包括指纹对比服务,密码校验服务,人脸对比服务中任意一项或多项。
  29. 根据权利要求24-28任一项所述的装置,其特征在于,所述REE的安全上下文包括:所述安全服务的注册信息。
  30. 一种用于实现可信执行环境操作系统崩溃处理的装置,其特征在于,包括:处理单元、存储单元、发送单元、接收单元和重启单元;
    所述处理单元,用于提供安全服务;
    所述存储单元,用于在所述处理单元提供安全服务的过程中,若所述处理单元崩溃,保存可信执行环境TEE硬件状态参数;
    所述发送单元,用于向富执行环境操作系统REE OS发送第一通知;所述第一通知用于指示所述REE OS暂停安全服务;
    所述接收单元,用于接收第二通知后;其中,所述第二通知为REE OS暂停安全服务后发送的通知;
    所述重启单元,用于重启所述处理单元;
    所述处理单元,还用于根据保存的所述TEE的硬件状态参数设置重启后所述TEE的硬件状态参数;
    所述发送单元,还用于向所述REE OS发送第三通知;所述第三通知用于指示所述REE OS设置重启后富执行环境REE的安全上下文;
    所述处理单元,还用于根据重启后所述REE的安全上下文设置重启后的所述TEE的上下文;
    所述发送单元,还用于向所述REE OS发送第四通知;所述第四通知用于指示所述REE OS恢复所述安全服务。
  31. 根据权利要求30所述的装置,其特征在于,所述安全服务包括指纹对比服务,密码校验服务,人脸对比服务任意一项或多项。
  32. 根据权利要求30或31所述的装置,其特征在于,
    所述TEE的硬件状态参数包括:所述TEE中寄存器的数据。
  33. 一种电子设备,其特征在于,所述电子设备包括:
    一个或多个处理器;其中,所述一个或多个处理器包括可信执行环境TEE和富执行环境REE,所述TEE为所述REE提供安全服务;所述TEE中包含可信执行环境操作系统TEE OS,所述REE中包含富执行环境操作系统REE OS;
    存储器;
    以及一个或多个计算机程序,其中所述一个或多个计算机程序被存储在所述存储器中,所述一个或多个计算机程序包括指令;当所述指令被所述一个或多个处理器执行时,使得所述电子设备执行如权利要求1-7中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求8-13中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求14-16中任一项所述的可信执行环境操作系统崩溃处理方法。
  34. 一种计算机可读存储介质,其特征在于,包括计算机指令,当所述计算机指令在电子设备上运行时,使得所述电子设备执行如权利要求1-7中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求8-13中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求14-16中任一项所述的可信执行环境操作系统崩溃处理方法。
  35. 一种计算机程序产品,其特征在于,当所述计算机程序产品在计算机上运行时,使得所述计算机执行如权利要求1-7中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求8-13中任一项所述的可信执行环境操作系统崩溃处理方法;或者,使得所述电子设备执行如权利要求14-16中任一项所述的可信执行环境操作系统崩溃处理方法。
PCT/CN2020/115116 2020-01-19 2020-09-14 可信执行环境操作系统崩溃处理方法及电子设备 WO2021143168A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP20914130.8A EP4080365A4 (en) 2020-01-19 2020-09-14 TRUSTED EXECUTION ENVIRONMENT OPERATING SYSTEM FAILURE TREATMENT METHOD AND ELECTRONIC DEVICE
US17/866,196 US11874743B2 (en) 2020-01-19 2022-07-15 Method for handling trusted execution environment operating system crash and electronic device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010060572.4 2020-01-19
CN202010060572.4A CN113138878B (zh) 2020-01-19 2020-01-19 可信执行环境操作系统崩溃处理方法及电子设备

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/866,196 Continuation US11874743B2 (en) 2020-01-19 2022-07-15 Method for handling trusted execution environment operating system crash and electronic device

Publications (1)

Publication Number Publication Date
WO2021143168A1 true WO2021143168A1 (zh) 2021-07-22

Family

ID=76808783

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/115116 WO2021143168A1 (zh) 2020-01-19 2020-09-14 可信执行环境操作系统崩溃处理方法及电子设备

Country Status (4)

Country Link
US (1) US11874743B2 (zh)
EP (1) EP4080365A4 (zh)
CN (1) CN113138878B (zh)
WO (1) WO2021143168A1 (zh)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116049913A (zh) * 2022-05-24 2023-05-02 荣耀终端有限公司 数据保存方法、装置、电子设备及计算机可读存储介质

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113886119B (zh) * 2021-09-27 2022-12-09 北京三快在线科技有限公司 一种故障修复的方法及装置
CN114302404A (zh) * 2021-12-23 2022-04-08 汇顶科技(成都)有限责任公司 近场通信方法、配置方法、nfc主机以及电子设备

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105138930A (zh) * 2015-08-12 2015-12-09 山东超越数控电子有限公司 一种基于TrustZone的加密系统及方法
WO2016204892A1 (en) * 2015-06-15 2016-12-22 Intel Corporation Virtualization-based platform protection technology
CN106845285A (zh) * 2016-12-28 2017-06-13 北京握奇智能科技有限公司 一种tee系统与ree系统配合以实现服务的方法及终端设备
CN109558211A (zh) * 2018-11-27 2019-04-02 上海瓶钵信息科技有限公司 保护可信应用与普通应用的交互完整性和保密性的方法
CN109787943A (zh) * 2017-11-14 2019-05-21 华为技术有限公司 一种抵御拒绝服务攻击的方法及设备
CN110348252A (zh) * 2018-04-02 2019-10-18 华为技术有限公司 基于信任区的操作系统和方法

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9298472B2 (en) * 2004-01-27 2016-03-29 Nec Corporation High-speed restart method, information processing device, and program
CN103826162B (zh) 2014-02-28 2017-05-03 深圳市佳创视讯技术股份有限公司 基于安卓的智能机顶盒的嵌入式系统及其recovery方法
US9977914B1 (en) * 2016-02-25 2018-05-22 Sprint Communications Company L.P. Electronic device security through boot cycles
CN106547618B (zh) * 2016-10-19 2019-10-29 沈阳微可信科技有限公司 通信系统和电子设备
CN110134545B (zh) * 2019-04-03 2020-12-22 上海交通大学 基于可信执行环境的提供虚拟nvram的方法及系统

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016204892A1 (en) * 2015-06-15 2016-12-22 Intel Corporation Virtualization-based platform protection technology
CN105138930A (zh) * 2015-08-12 2015-12-09 山东超越数控电子有限公司 一种基于TrustZone的加密系统及方法
CN106845285A (zh) * 2016-12-28 2017-06-13 北京握奇智能科技有限公司 一种tee系统与ree系统配合以实现服务的方法及终端设备
CN109787943A (zh) * 2017-11-14 2019-05-21 华为技术有限公司 一种抵御拒绝服务攻击的方法及设备
CN110348252A (zh) * 2018-04-02 2019-10-18 华为技术有限公司 基于信任区的操作系统和方法
CN109558211A (zh) * 2018-11-27 2019-04-02 上海瓶钵信息科技有限公司 保护可信应用与普通应用的交互完整性和保密性的方法

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP4080365A4

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116049913A (zh) * 2022-05-24 2023-05-02 荣耀终端有限公司 数据保存方法、装置、电子设备及计算机可读存储介质
CN116049913B (zh) * 2022-05-24 2023-11-03 荣耀终端有限公司 数据保存方法、装置、电子设备及计算机可读存储介质

Also Published As

Publication number Publication date
CN113138878A (zh) 2021-07-20
EP4080365A1 (en) 2022-10-26
CN113138878B (zh) 2022-11-18
EP4080365A4 (en) 2023-06-07
US20220350707A1 (en) 2022-11-03
US11874743B2 (en) 2024-01-16

Similar Documents

Publication Publication Date Title
WO2021164554A1 (zh) 通知处理系统、方法以及电子设备
EP3822835B1 (en) Method for deleting secure service, and electronic apparatus
WO2021143168A1 (zh) 可信执行环境操作系统崩溃处理方法及电子设备
US11683850B2 (en) Bluetooth reconnection method and related apparatus
WO2021185105A1 (zh) SIM卡和eSIM卡的切换方法及电子设备
WO2021027630A1 (zh) 补丁方法、相关装置及系统
WO2021052200A1 (zh) 一种设备能力调度方法及电子设备
US20210271572A1 (en) Data Backup Method and Terminal
WO2021042894A1 (zh) 一种电子设备的sim卡掉卡恢复方法及电子设备
EP3409073B1 (en) Method and electronic device for providing tethering service
EP4152198A1 (en) Method and apparatus for storing ciphertext
WO2021017935A1 (zh) 一种唤醒锁的管理方法及电子设备
WO2021258795A1 (zh) 原子能力调用方法及终端设备
WO2021175266A1 (zh) 身份验证方法、装置和电子设备
WO2024078218A1 (zh) 系统启动方法及电子设备
CN111381996B (zh) 内存异常处理方法及装置
US11467894B2 (en) Screen freezing processing method and terminal
CN114077519B (zh) 一种系统服务恢复方法、装置和电子设备
WO2022174718A1 (zh) 一种数据备份方法和电子设备
CN116450390A (zh) 看门狗检测方法及电子设备
WO2024037500A1 (zh) 通信方法及相关装置
WO2023185623A1 (zh) 后台应用恢复方法、装置、电子设备及可读存储介质
CN114006969B (zh) 一种窗口启动方法和电子设备
WO2024093795A1 (zh) 一种设备替换的配置方法及装置
CN116560769A (zh) 应用组件分享方法及相关设备

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20914130

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020914130

Country of ref document: EP

Effective date: 20220720

NENP Non-entry into the national phase

Ref country code: DE