WO2021174512A1 - Electronic device and security protection method - Google Patents

Electronic device and security protection method (电子装置和安全防护方法)

Info

Publication number
WO2021174512A1
Authority
WO
WIPO (PCT)
Prior art keywords
processor
electronic device
software
data
security
Prior art date
Application number
PCT/CN2020/078092
Other languages
English (en)
French (fr)
Inventor
潘时林
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)
Application filed by Huawei Technologies Co., Ltd.
Priority to CN202080002140.6A (published as CN113692583A)
Priority to PCT/CN2020/078092 (published as WO2021174512A1)
Priority to EP20923164.6A (published as EP4095725A4)
Publication of WO2021174512A1
Priority to US17/902,220 (published as US20220414216A1)

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/51 Monitoring to maintain platform integrity at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F21/52 Monitoring to maintain platform integrity during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring to maintain platform integrity during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033 Test or assess software

Definitions

  • the embodiments of the present application relate to the technical field of system security, and in particular, to an electronic device and a security protection method.
  • the prior art usually divides the execution environment of smart terminals into two mutually independent execution environments, namely the REE (Rich Execution Environment, the ordinary execution environment) and the TEE (Trusted Execution Environment).
  • REE: Rich Execution Environment, the ordinary execution environment
  • TEE: Trusted Execution Environment
  • the REE usually runs a general operating system (such as the Android system), and the TEE usually runs an operating system with a higher security level.
  • Client Applications (CAs), which have low security requirements, run in the REE
  • TA: Trusted Application; TAs run in the TEE
  • a CA is an application deployed in the general operating system
  • the security service provided by the TEE usually consists of controlling access by CAs in the REE through access permissions.
  • REE and TEE are usually supported by the same hardware, that is, the TEE cannot run while the REE is running, so the TEE cannot monitor the operation of the REE.
  • when the REE is attacked, the TEE is usually unable to perceive it, so a CA running in the compromised REE can invoke the security services provided by the TEE at will.
  • if the TEE leaks as a result, important data such as biometric data (fingerprint data, facial image data) and keys are exposed, which threatens the interests of users.
  • how to perform security protection while the REE/TEE, and even the entire working system, is running has therefore become a problem that needs to be solved.
  • the electronic device provided in this application improves its security by using a security protection device to monitor the electronic device in real time while it is operating.
  • an embodiment of the present application provides an electronic device that includes a security protection device and a first processor, with security isolation between the two; the first processor is configured to run under the drive of software, the software including an operating system and applications; the security protection device is configured to perform security detection on that software and, when it detects that the software has been tampered with, to perform a security protection operation on the electronic device.
  • by providing the security protection device, the software run by the first processor can be checked when the electronic device is powered on, when it is awakened, and while the first processor is running, so the device is protected both at power-on and during operation. This reduces the risk of security data such as key data and facial image data being stolen or modified, and improves the security of the electronic device.
  • the security isolation described in this application includes at least one of the following: working-system isolation, power supply isolation, or clock signal isolation.
  • the security protection operation described in this application includes at least one of the following: triggering an alarm, resetting the electronic device, denying the service requested by the software, instructing the first processor to stop running, instructing the first processor to stop running the software, prohibiting at least part of the functions of the software, or preventing the software from accessing data stored in the electronic device.
  • the security detection described in this application includes: detecting whether at least one of the instructions or data of the software matches preset information.
  • the preset information may be pre-stored copies of the software's instructions or data, or a hash reference value obtained by hashing those instructions or data.
  • the first processor includes an on-chip tracing unit, configured to store, in a dedicated memory, the instruction sequence that performed a data rewrite whenever the first processor rewrites data.
  • the security detection then includes: detecting whether the instruction sequence stored in the dedicated memory is a reference instruction sequence.
  • the data in the software includes variable data and immutable data.
  • a change to variable data is normally triggered by instructions during execution of the instruction sequence. Since the instruction sequence is generated when the program written by the developer is compiled, it normally does not change.
  • when the electronic device detects a data change in the software, or receives a data-rewrite interrupt sent by the first processor, it can determine whether the instruction sequence stored in the dedicated memory is a reference instruction sequence. If it is not, the data is considered to have been tampered with.
  • the electronic device includes a memory that stores the instructions and data of the software; the dedicated memory is located in this memory and is storage space that only the on-chip tracing unit and the security protection device can read and write.
  • the security protection device includes a second processor configured to perform periodic security detection on the software at times set by a timer, or to perform security detection on the software in response to an interrupt event sent by the first processor.
  • the security protection device further includes a hash accelerator coupled with the second processor; when performing security detection, the second processor controls the hash accelerator to fetch the software and hash it to obtain a digest, compares that digest with a pre-stored hash reference value, and determines from the comparison whether the software has been tampered with.
  • the security protection device further includes a watchdog, and the electronic device further includes a reset unit; the watchdog is coupled with the second processor and the reset unit. The second processor periodically sends a heartbeat command to the watchdog; if the watchdog does not receive a heartbeat within a predetermined time, it resets the electronic device through the reset unit.
  • the operating system includes a rich execution environment REE and a trusted execution environment TEE.
  • when the operating environment of the first processor switches from the REE to the TEE, the security protection device periodically performs security detection on the software driving the first processor and on the software running in the TEE; when the operating environment switches from the TEE back to the REE, the security detection stops.
  • an embodiment of the present application provides a security protection method applied to an electronic device.
  • the method includes: a first processor in the electronic device runs under the drive of software that includes an operating system and applications; a security protection device in the electronic device, which has security isolation from the first processor, performs security detection on the software; when it detects that the software has been tampered with, the security protection device performs a security protection operation on the electronic device.
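The detection loop summarised in the items above (hash the software, compare with the stored reference, run the check on a timer or on an interrupt from the first processor, enable periodic checks only while the first processor is in the TEE, and back the monitor with a watchdog) can be sketched as follows. This is an added Python model written for this page, not code from the patent or from Huawei; the memory layout, region names, service name and tick-based timer are constructed assumptions.

```python
# Added example (not part of the patent or any Huawei code): a Python model of
# the security protection device's hash-based detection, its timer- and
# interrupt-driven triggers, the REE/TEE switch rule and the watchdog.
# Memory layout, region names, service names and the tick-based timer are
# constructed assumptions for illustration.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum, auto


class Action(Enum):
    NONE = auto()          # software intact, let the first processor continue
    DENY_SERVICE = auto()  # refuse the service the software asked for
    RESET = auto()         # write the reset register, restart the device


@dataclass
class Region:
    """A storage space of storage device 103 identified by physical address."""
    name: str
    base: int
    size: int


class Memory:
    """Flat byte-addressed model of storage device 103 (constructed)."""

    def __init__(self, size: int):
        self.data = bytearray(size)

    def read(self, base: int, size: int) -> bytes:
        return bytes(self.data[base:base + size])

    def write(self, addr: int, payload: bytes) -> None:
        self.data[addr:addr + len(payload)] = payload


class SecurityMonitor:
    """Processor 21 with its hash accelerator: compares a fresh digest of each
    region against the reference digest recorded from the known-good image."""

    def __init__(self, memory: Memory, regions: list[Region]):
        self.memory = memory
        self.regions = regions
        # Reference digests must come from a trusted image; here they are taken
        # at construction time, before any untrusted code has run.
        self.reference = {r.name: self._digest(r) for r in regions}
        self.periodic_enabled = False  # only while the first processor is in the TEE
        self.events: list[tuple] = []

    def _digest(self, region: Region) -> bytes:
        return hashlib.sha256(self.memory.read(region.base, region.size)).digest()

    def tampered_regions(self) -> list[str]:
        """Names of regions whose current digest differs from the reference."""
        return [r.name for r in self.regions if self._digest(r) != self.reference[r.name]]

    def on_env_switch(self, new_env: str) -> None:
        """REE->TEE starts periodic checks, TEE->REE stops them."""
        self.periodic_enabled = new_env == "TEE"

    def on_timer(self) -> Action:
        """Periodic check driven by the timer."""
        if not self.periodic_enabled:
            return Action.NONE
        tampered = self.tampered_regions()
        if tampered:
            self.events.append(("reset", tuple(tampered)))
            return Action.RESET
        return Action.NONE

    def on_interrupt(self, service: str) -> Action:
        """Check triggered by an interrupt from the first processor before it
        is allowed to proceed with a sensitive service (unlock, key fetch...)."""
        tampered = self.tampered_regions()
        if tampered:
            self.events.append(("deny", service, tuple(tampered)))
            return Action.DENY_SERVICE
        return Action.NONE


class Watchdog:
    """Resets the device if processor 21 stops sending heartbeats, so that
    stalling the monitor itself is not a way around the checks."""

    def __init__(self, timeout_ticks: int):
        self.timeout_ticks = timeout_ticks
        self.ticks_since_heartbeat = 0

    def heartbeat(self) -> None:
        self.ticks_since_heartbeat = 0

    def tick(self) -> bool:
        """Advance one tick; True means the reset unit must fire."""
        self.ticks_since_heartbeat += 1
        return self.ticks_since_heartbeat >= self.timeout_ticks
```

The point worth noticing in the model is that the reference digests are captured once from a trusted image and are never writable by the code being checked, and that the interrupt path denies the requested service rather than resetting, while the periodic path resets; the patent lists both reactions, and which one a real device picks is a policy decision.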
  • FIG. 1 is a schematic structural diagram of an electronic device provided by an embodiment of the present application.
  • FIG. 2 is a schematic structural diagram of the processor 101 in the electronic device shown in FIG. 1 provided by an embodiment of the present application.
  • FIG. 3 is a schematic structural diagram of a security protection device provided by an embodiment of the present application.
  • FIG. 4 is a schematic diagram of interaction between various components in an electronic device provided by an embodiment of the present application.
  • FIG. 5 is a flowchart of a security protection method provided by an embodiment of the present application.
  • FIG. 6 is another flowchart of the security protection method provided by the embodiment of the present application.
  • FIG. 7 is a flowchart of an application scenario of the security protection method provided by an embodiment of the present application.
  • FIG. 8 is a flowchart of another application scenario of the security protection method provided by an embodiment of the present application.
  • FIG. 9 is a flowchart of another application scenario of the security protection method provided by an embodiment of the present application.
  • words such as "exemplary" or "for example" mean serving as an example, instance, or illustration. Any embodiment or design described as "exemplary" or "for example" in the embodiments of the present application should not be construed as more preferable or advantageous than other embodiments or designs. Rather, these words are used to present related concepts in a concrete manner. In the description of the embodiments of the present application, unless otherwise specified, "plurality" means two or more; for example, multiple processing units means two or more processing units.
  • FIG. 1 shows a schematic diagram of a hardware architecture of an electronic device provided by an embodiment of the present application.
  • the electronic device 100 may be located in a terminal.
  • the terminal may be a User Equipment (UE), such as various types of portable terminal devices such as a mobile phone, a tablet computer, or a wearable device (such as a smart watch).
  • UE User Equipment
  • the electronic device 100 may specifically be a chip or a chip set or a circuit board equipped with a chip or a chip set.
  • the chip or chipset or the circuit board equipped with the chip or chipset can work under the necessary software drive.
  • the electronic device 100 shown in FIG. 1 includes a processor 101.
  • the processor 101 includes at least one central processing unit.
  • the processor 101 can run rich execution environment REE software and trusted execution environment TEE software, as shown in FIG. 2.
  • REE software or TEE software includes but is not limited to: operating system software, compilation software, or application software, etc.
  • the software here can include but is not limited to: instructions and data.
  • the operating system software based on the rich execution environment REE may also be referred to as general operating system software, such as Android operating system, Windows operating system, or iOS operating system. These operating systems can be used to support general non-secure general application software.
  • CA is usually a third-party application (for example, a video application, a shopping application).
  • the operating system software based on the trusted execution environment TEE can also be called trusted application system software.
  • the trusted application system is used to support security application software.
  • the security application software can also be called a TA; examples are applications providing security services such as signing, encryption and decryption, and face recognition.
  • the security of the TEE software is higher than that of the REE software, so the security level of a TA is higher than that of a CA.
  • the TEE is strictly restricted and cannot be accessed by ordinary CAs; there is thus security isolation between TEE software and REE software, which protects both TA software and CA software.
  • the electronic device 100 shown in FIG. 1 further includes a security protection device 102.
  • the security protection device 102 includes a processor 21.
  • the processor 21 is used to run security system software, where the security system software may include, but is not limited to: systems or applications. Among them, the system or application is composed of instructions and data required during operation.
  • the processor 21 can perform a security check on the software running on the processor 101 when the electronic device 100 is powered on, when the electronic device 100 is awakened, or while the processor 101 is running, to ensure that the software run by the processor 101 is normal. For example, it checks the instructions loaded and the data obtained by the processor 101 to confirm that they are intact, or that any rewriting of them is normal.
  • normal rewriting means that variable information in the electronic device 100 is rewritten by the processor along a preset program call path.
  • when the processor 21 detects that the software running on the processor 101 has been tampered with, it can perform a security protection operation on the electronic device.
  • the security protection operations here may include, but are not limited to: triggering an alarm, resetting the electronic device 100, denying the service requested by the software (for example, a biometric identification service, password unlocking service, or key acquisition service), instructing the processor 101 to stop running, instructing the processor 101 to stop running the software, prohibiting at least part of the functions of the software running on the processor 101, or preventing the software from accessing data stored in the electronic device 100.
  • the processor 21 may also communicate with the processor 101 through the bus while the software running on the processor 101 is normal. This communication includes, but is not limited to, the processor 101 sending an interrupt request to the processor 21 on behalf of a running CA or TA.
  • based on such an interrupt request, the processor 21 can obtain the CA or TA instructions and data loaded by the processor 101 and check them, so as to ensure that the CA or TA operates securely and to prevent attacks.
  • for example, after the processor 101 responds to an unlock instruction from the user, it sends interrupt information to the processor 21 indicating that it is entering execution of the unlock event, and then continues executing that event.
  • while the processor 101 executes the unlock event, the processor 21 protects the CA instructions, TA instructions, and the data acquired or generated by the processor 101, so as to prevent the key data, fingerprint data and/or facial image data associated with face unlocking from being tampered with or stolen. It should be noted that the processor 21 does not change the operating logic of the processor 101 during this protection.
  • the security protection device 102 and the processor 101 are securely isolated.
  • the hardware design of the security protection device 102 ensures that the software running on the processor 101 cannot interfere with the operation of the security protection device 102.
  • the security isolation here may include, but is not limited to: working-system isolation, power supply isolation, or clock signal isolation.
  • working-system isolation means that the processor 101 cannot access the security protection device 102 from the software it runs.
  • "cannot access" here means that the processor 101 can access neither the operating program (instructions and data) of the processor 21 nor the data the processor 21 obtains or generates while running.
  • power isolation means that the processor 101 cannot control the powering on or off of one or more components in the security protection device 102 (for example, the processor 21).
  • each component in the security protection device 102 (such as the processor 21) can be powered directly by an external power source (such as a battery or power adapter), and the processor 101 cannot control the starting or stopping of those components, nor their entry into or exit from a low-power state.
  • when the electronic device 100 is powered on, the processor 101 and the processor 21 start independently of each other (the processor 21 may start first); when the electronic device 100 is powered off, they likewise shut down independently.
  • clock signal isolation means that the processor 101 cannot control the clock cycle of one or more components (for example, the processor 21) in the security protection device 102.
  • the clock for each component in the security protection device 102 (for example, the processor 21) can be provided directly by an external clock signal source, and the processor 101 cannot change it.
  • the security protection device 102 can monitor the operating system, applications and data running on the processor 101 in real time or periodically, to ensure the security of the electronic device 100 and thereby the security of its data.
  • the electronic device 100 further includes a storage device 103.
  • the storage device 103 is the memory of the electronic device 100, and may include, but is not limited to, a random access memory RAM and a read-only memory ROM.
  • the storage device 103 may store instructions and data.
  • the processor 101 or the processor 21 executes various functional applications and data processing of the electronic device by loading instructions and obtaining data.
  • the read-only memory may store startup key data that needs to be loaded when the processor 101 or the processor 21 is started.
  • the random access memory may store instruction codes such as operating systems or applications to be run by the processor 101 or the processor 21 and data required for the operation, and may also include various intermediate calculation results, data or configuration data generated by the running process.
  • the random access memory may include volatile memory (such as SRAM, DRAM, or SDRAM, etc.) and non-volatile memory.
  • in the storage device 103, the storage space holding the REE's running software is the first storage space; the storage space holding the TEE's running software is the second storage space; and the storage space holding the running software of the processor 21 is the third storage space.
  • the first, second and third storage spaces correspond to physical address ranges in each memory, so each system, when running, accesses its memory by physical address to obtain its operating software, i.e. instruction code and data.
  • while the processor 101 runs the REE it can only access the operating software in the first storage space; while it runs the TEE it can access the operating software in the first and second storage spaces.
  • driven by the security system running on it, the processor 21 can access the operating software in the first, second and third storage spaces. Therefore, when the electronic device 100 is powered on, when it is awakened, and while the processor 101 is running, the processor 21 can check the REE and TEE instructions and data by accessing the operating software stored in the first and second storage spaces.
  • a shared memory is also provided in the storage device 103.
  • when the processor 101 sends an interrupt request to the processor 21 on behalf of a running CA or TA, it can write indication information describing the event to be executed into the shared memory.
  • the processor 21 can read the indication information from the shared memory and, based on it, perform a security check on the CA instructions, TA instructions and related data (such as configuration information) used to run the event, so as to ensure that the CA or TA operates securely.
  • after the check, the shared memory may be cleared so that the processor 101 can write the next indication information into it.
  • the processor 101 can control the storage device 103 based on software running on it.
  • the specific control may include but is not limited to: control on, control off, control to enter or exit the low power consumption state.
  • the processor 21 can also control the storage device 103 based on the software running on it. This control may include, but is not limited to, shutting it down or resetting it.
  • normally, turning the storage device 103 on or off and moving it into or out of the low-power state is controlled by the processor 101.
  • when the processor 21 detects that the instructions or data run by the processor 101 are abnormal, it can shut down or reset the storage device 103, which prevents the electronic device 100 from being attacked in a way that leaks important data.
  • the electronic device 100 may include various types of registers, including but not limited to: an address register storing an instruction address, a reset register storing the reset instruction of the electronic device, a data register storing data needed during operation, or an instruction register storing the instruction to be executed.
  • it also includes configuration registers storing system configuration information.
  • for example, a configuration register may store resource configuration information for the trusted zone (TrustZone) in the processor 101.
  • such resource configuration information may, for example, define which memories in the storage device can be accessed when the processor 101 is running the REE, and which memories can only be accessed when the processor 101 is running the TEE.
  • the processor 21 in this embodiment can access some or all of the registers in the electronic device 100 and can also rewrite some or all of them. Specifically, the processor 21 can access the registers when the electronic device 100 is powered on, when it is awakened, and while the processor 101 is running, to determine whether the information stored in a register (for example, the configuration information in a configuration register) has been changed. The data stored in some registers changes dynamically; these can be called dynamic registers. For example, the resource configuration information in a configuration register may differ between processes, and within one process it may change as instructions are executed.
  • a change of the data in a dynamic register is normally triggered by instructions during execution of the instruction sequence. Since the instruction sequence is generated when the program written by the developer is compiled, it normally does not change, whereas the instruction sequence a hacker writes to rewrite the dynamic register usually differs from the reference instruction sequence. Therefore, after the processor 21 detects a data change in a dynamic register, it can determine whether the instruction sequence run by the processor 101 is a reference instruction sequence. If it is, the change to the dynamic register is normal and the processor 21 can update its reference for that register. If it is not, the dynamic register is considered tampered with, and a reset instruction can be written to the reset register of the processor 101 to reset the electronic device 100.
  • important configuration data may also change dynamically while the processor 101 is running.
  • such important configuration data is usually stored in DRAM and may include, but is not limited to: page table entries, process PID/UID information, or important system security permission configuration data.
  • when the processor 21 detects that important configuration data has changed, it can verify whether the change is normal using the same reference-instruction-sequence comparison described above, which is not repeated here.
  • the electronic device 100 further includes an on-chip tracing unit, as shown in FIG. 4.
  • the on-chip tracing unit may be a coresight system, which is usually provided inside the processor 101 and coupled with its core, and is used to obtain the instruction sequence of the processor 101 while the processor 101 is running.
  • a dedicated memory is also provided in the storage device 103, as shown in FIG. 4.
  • the dedicated memory can be located in the RAM of the storage device 103; it is storage space that only the on-chip tracing unit and the security protection device 102 (for example, the processor 21 or the hash accelerator 22) can read and write.
  • FIG. 4 shows the physical address range of the dedicated memory in the storage device 103 as (0x10xxxx, 0x11xxxx); this address range is illustrative and is set according to the needs of the scenario.
  • When the processor 101 rewrites the data in the dynamic register based on instructions, CoreSight may be invoked to obtain the instruction sequence of the processor 101 and store it in the dedicated memory. After CoreSight has stored the instruction sequence in the dedicated memory, the processor 101 may send an interrupt indicating data rewriting to the processor 21. After receiving that interrupt, or when it detects a data change in the dynamic register itself, the processor 21 can obtain the instruction sequence stored in the dedicated memory and verify it.
  • If the instruction sequence is the reference instruction sequence, the rewriting of the data in the dynamic register is a normal rewrite. If the instruction sequence is not the reference instruction sequence, or no instruction sequence is stored in the dedicated memory at all, the data in the dynamic register is considered tampered with, and a reset command can be written to the system reset register.
  • The CoreSight system is an existing on-chip tracing and debugging system and is not described in detail here.
  • After the processor 21 has obtained the instruction sequence from the dedicated memory, it can also clear the dedicated memory, so that CoreSight writes a fresh instruction sequence into it the next time the dynamic register is rewritten.
  • The electronic device 100 may store preset information about the instructions and data of the software run by the processor 101.
  • The preset information may be the original instructions and data themselves, or hash reference values obtained by applying a HASH operation to the original instructions or data.
  • When the processor 21 obtains instruction code or data from the storage device 103 or from a register, it can compare it with the preset information to determine whether the software run by the processor 101 has been tampered with.
  • Alternatively, the HASH operation may be performed on the obtained instruction code or data to obtain its HASH value.
  • The processor 21 may then compare the calculated HASH value with the corresponding hash reference value to determine whether the instruction or data has been tampered with.
  • The reference instruction sequence mentioned above may likewise be stored as a reference value after a HASH operation. After obtaining the instruction sequence, the processor 21 performs a HASH operation on it and compares the calculated HASH value with the reference value to determine whether the instruction sequence has been tampered with.
  • The HASH operation on the acquired instruction or data is performed by an arithmetic unit.
  • the safety protection device 102 further includes a hash accelerator 22, as shown in FIG. 3.
  • the hash accelerator 22 is coupled with the processor 21.
  • Driven by the software it runs, the processor 21 controls the hash accelerator 22 to obtain the instruction, data or instruction sequence to be checked from the storage device 103.
  • The hash accelerator 22 performs a HASH operation on the data, instruction or instruction sequence to be checked, and the processor 21 determines from the resulting HASH value and the hash reference value whether the data, instruction or instruction sequence has been rewritten.
  • The hash accelerator 22 and the processor 21 may be coupled within the same processor, or may be independent processors.
  • The hash accelerator 22 may be, for example, a SHA-256 engine; it may be a hash accelerator IP block or the hash function of a crypto engine.
  • The security protection device 102 further includes a timer 23, as shown in FIG. 3.
  • The timer 23 is coupled with the processor 21. Under the control of the processor 21, the timer 23 sets a timing duration based on the clock cycle provided by the clock source.
  • The security protection device 102 is further provided with a watchdog 24, as shown in FIG. 3. The watchdog 24 can be connected to the hardware reset unit in the electronic device 100. If the security protection device 102 stopped working for reasons of its own, the software run by the other processors in the electronic device 100 would continue to run unmonitored. The watchdog 24 prevents the other processors from running unprotected, and thus open to attack, while the security protection device 102 is hung.
  • The processor 21 periodically sends a heartbeat command to the watchdog 24; when the watchdog 24 does not receive the heartbeat command from the processor 21 within the predetermined time set by the timer 23, it resets the electronic device 100 through the hardware reset unit in the electronic device 100.
  • The security protection device 102 further includes a random access memory RAM.
  • The RAM here can be SRAM.
  • The RAM is coupled with the processor 21 and stores instructions that drive the processor 21.
  • After power-on, the processor 21 usually first accesses the third storage space in the storage device 103 and loads and runs the executable program stored there.
  • If an abnormality occurs while loading or running that program, it may have been caused by an external attack on the electronic device 100.
  • In that case the processor 21 accesses the RAM and runs the instructions stored in it.
  • The instructions stored in the RAM instruct the electronic device 100 to perform a reset operation.
  • The security protection device 102 further includes a read-only memory ROM and a one-time programmable (OTP) memory.
  • The OTP memory can be an eFuse memory.
  • The boot program code of the security protection device 102 is stored in the ROM. After the processor 21 is powered on, it loads the boot program code from the ROM to start the security protection device 102. The boot key data can be stored in the eFuse; after loading the boot program, the processor 21 obtains the boot key data from the eFuse and uses it to verify the boot program, so that the security protection device 102 starts securely.
  • the security protection device 102 and at least one processor 101 are integrated in the first semiconductor chip in the electronic device 100, thereby forming a system-on-chip SOC (System on Chip), as shown in FIG. 1 .
  • The security protection device 102 may also be provided with a power management unit and a clock signal management unit.
  • The power management unit may be coupled with an external power source (for example, a battery or a power adapter) and supplies the electrical energy provided by that source to the processor 21, so that the processor 21 is powered on.
  • The input end of the clock signal management unit is coupled with an external clock source.
  • The clock signal input terminal of the processor 21 may be coupled to the clock signal management unit, which passes the clock signal from the external clock source to the processor 21, so that the processor 21 works in the clock cycle provided by that signal.
  • The power management unit, clock signal management unit, hardware reset unit, power supply and clock source are not controlled by the processor 101; their power-on/off, reset, and entering/exiting of sleep mode are controlled by other hardware circuits. In this way the power and clocking of the processor 101 and of the security protection device 102 are separated, and the power-on/off, reset and clock cycle changes of the security protection device 102 are not under the control of the system program run by the processor 101, which improves the security of the security protection device 102.
  • the storage device 103 may be integrated in the above-mentioned first semiconductor chip SOC, or may be integrated in a second semiconductor chip different from the first semiconductor chip SOC in the electronic device 100.
  • the electronic device 100 may further include a communication unit 106.
  • the communication unit 106 includes, but is not limited to, a near field communication unit and a mobile communication unit.
  • The near field communication unit exchanges information with terminals located outside the electronic device by running a short-range wireless communication protocol.
  • The short-range wireless communication protocol may include, but is not limited to: the protocols supported by radio frequency identification technology, the Bluetooth communication protocol, the infrared communication protocol, and the like.
  • The mobile communication unit accesses the Internet by running a cellular wireless communication protocol over a radio access network, so that it can exchange information with the servers that support the various applications on the Internet.
  • the communication unit 106 may be integrated in the above-mentioned first semiconductor chip.
  • the electronic device 100 further includes a bus, an input/output port I/O, a storage controller 107, and the like.
  • the storage controller 107 is used to control the storage device 103.
  • the bus, the input/output port I/O, the storage controller 107, etc. can all be integrated with the aforementioned security protection device 102, the processor 101, etc. in the aforementioned first semiconductor chip.
  • the electronic device 100 may include more or less components than those shown in FIG. 1, which is not limited in the embodiment of the present application.
  • The security protection device 102 can perform security detection on the software run by the processor 101 when the electronic device 100 is powered on, when it is woken up, and while the processor 101 is running, so that the electronic device 100 is protected both at power-on and at run time.
  • In this way the embodiment can fully monitor the REE and the TEE regardless of which of them is currently running, reducing the risk that security data such as key data and facial image data is stolen or modified and improving the security performance of the electronic device 100.
  • The electronic device 100 may further include a media unit 104, an AI (Artificial Intelligence) unit 105, and the like.
  • The media unit 104 may include dedicated processors such as a graphics processing unit (GPU) and a digital signal processor (DSP).
  • The AI unit 105 may include dedicated processors such as a neural-network processing unit (NPU).
  • The security protection device 102 can also perform real-time security protection on the dedicated processors in the media unit 104 and the AI unit 105, on the software they run, on the related registers and on the data they store.
  • For the security protection of these other units, refer to the security protection method applied by the security protection device 102 to the software run by the processor 101 and the related stored data; it is not described in detail here.
  • The security protection device 102 of this embodiment can perform security protection on the software run by each processor in the electronic device 100 based on a preset polling cycle; it can also, when an external interrupt is received, provide security protection for the software that executes the event indicated by the interrupt.
  • the security protection method for the processor 21 in the security protection device 102 will be described through the embodiments shown in FIGS. 5-9.
  • FIG. 5 shows a flow chart of the security protection method.
  • the method is executed by the processor 21 and includes:
  • the external interrupt information here is sent by other components communicating with the processor 21. It may be sent by the processor 101, may be sent by an external power supply, or may be sent by an external input/output device (for example, a keyboard, a mouse, a display screen, etc.).
  • the processor 101 here may include, but is not limited to: CPU, NPU, GPU, and so on.
  • the external interruption information carries identification information, and different identification information indicates different events, and the processor 21 can determine the event indicated by the external interruption information through the identification information.
  • The events indicated by the external interrupt information may include, but are not limited to: the processor 101 rewriting variable data; the electronic device switching from power-off mode to power-on mode; the electronic device switching from sleep mode to wake-up mode; and the processor 101 creating a process to execute an event, where the event may be, for example, a face recognition event, a fingerprint recognition event, an unlock event, a payment event, or the operating environment of the processor 101 switching from the REE to the TEE.
  • The processor 21 is connected to the power management unit or the external power supply of the electronic device 100; when the power management unit or the external power supply starts to supply power, it may send power-on information to the processor 21.
  • The processor 21 can also be coupled with an external input/output device (such as a keyboard, mouse or display screen). When the user wakes the screen by clicking the mouse, tapping the keyboard or touching the screen, the external input/output device can send information instructing the processor 21 to switch from sleep mode to wake-up mode.
  • Some content cannot change while the processor 101 runs: the executable code of the software that drives the electronic device, the data or instructions stored in some registers, security data (such as the boot key, fingerprint data and face templates), and one-time security configuration information (for example, the configuration of the system resources that the processor 101 may access when running the REE and the TEE respectively).
  • For such content, the instruction or data is normally identical to the corresponding preset information pre-stored in the security protection device 102, or the HASH value computed over the program, instruction or data is identical to the corresponding HASH reference value pre-stored in the processor 21.
  • Other data may be rewritten while the electronic device runs, such as the data stored in some variable registers, the page table of the electronic device, and some configuration information. For this kind of data the value may differ from the preset information pre-stored in the security protection device 102, or its HASH value may differ from the pre-stored HASH reference value; such rewriting is usually performed by the processor 101 based on the instruction sequence it is running.
  • the processor 21 may first determine whether the event indicated by the external interrupt information is a data rewriting event. When it is determined that the event indicated by the external interrupt information is a data rewrite event, the relevant process of the security protection method corresponding to the data rewrite event is executed. Among them, step 601-step 602 show the related process of the security protection method corresponding to the data rewriting event. When the processor 21 determines that the event indicated by the external interrupt information is not a data rewriting event, step 503 is executed.
  • The software that drives the operation of the electronic device may include, but is not limited to, an operating system or an application.
  • The operating system may include the system program that runs the REE and the system program that runs the TEE.
  • The configuration information is used, for example, to configure the resources that the processor 101 can access when running under different software environments.
  • The resources here may include storage devices, the data stored in them (for example audio data, image data or text data) and instructions, and may also include the configuration information, operands or instructions stored in registers.
  • the events indicated by the external interrupt are different, the programs (instructions and data) that drive the electronic device are also different, and the corresponding detection rules are also different.
  • the safety protection device 102 may pre-store the detection rules corresponding to each event.
  • The detection rules may include, but are not limited to: the detection period (for example, periodic detection based on a timer setting, or a single detection; the timer setting may be, for example, 1 ms or 2 ms), the content to be detected (for example one or more of the system program, application program, configuration information, system list and security data), and the security protection operation to perform when the software is found to have been tampered with.
  • The content to be detected is usually given as the memory address information and register address information of the program (instructions and data) to be detected.
  • One event may require several items of content to be detected. For example, a face unlock event requires detecting four items: the face recognition program (at RAM physical addresses 0x05xxxx-0x06xxxx), the unlock program (at RAM physical addresses 0x07xxxx-0x08xxxx), configuration information (in register number c1) and security data (at RAM physical addresses 0x10xxxx-0x11xxxx). Each item corresponds to one or more addresses, and the processor 21 checks the items one by one based on the memory address information and register address information.
  • a hash reference value corresponding to each item of content may also be stored.
  • The processor 21 can control an arithmetic unit (for example, the hash accelerator 22 shown in FIG. 3) to perform a HASH operation on each item of content and compare the measured value obtained from the HASH operation with the pre-stored hash reference value of that content; whether each measured value equals the corresponding hash reference value determines whether the software driving the processor 101 has been tampered with.
  • The processor 21 thus determines whether the software that drives the electronic device has been tampered with. In this embodiment, if the measured value of any item differs from its hash reference value, that content, and therefore the software driving the electronic device, has been tampered with, and the electronic device 100 is at risk. The processor 21 then performs the security protection operation corresponding to the event indicated by the external interrupt.
  • the security protection operations performed here may include, but are not limited to: triggering an alarm, resetting the electronic device 100, denying the service requested by the software, instructing the processor 101 to stop running, instructing the processor 101 to stop running the software, prohibiting at least some of the functions of the software, Or prevent the software from accessing the data stored in the electronic device.
  • To reset the electronic device 100, the processor 21 may write a system reset instruction to a reset register with a system reset function.
  • Resetting the electronic device 100 resets its hardware, for example the processor 101, the memory and the registers.
  • Denying the service requested by the software may include, but is not limited to: denying unlocking, denying access, refusing to provide a key, or reporting a biometric identification failure.
  • If the processor 21 determines that the measured values of all items equal their hash reference values, it either ends the detection for this event or re-executes steps 503 to 504, depending on the detection period in the detection rule.
  • In the periodic case, the detection steps are repeated each time the duration set by the timer expires.
  • the rewriting of the data by the processor 101 is performed based on the instruction sequence of data rewriting.
  • the instruction sequence is registered in advance and will not change when the electronic device is running.
  • After the processor 21 receives the external interrupt indicating a data rewriting event, it can determine whether the software run by the processor 101 has been tampered with by checking whether the instruction sequence used for the data rewriting has changed.
  • A shared memory may be provided in the memory that both the processor 21 and the processor 101 can write to and read from. After rewriting the data, the processor 101 writes the modified part into the shared memory and sends external interrupt information to the processor 21.
  • The external interrupt information indicates the position in the instruction sequence at which the processor 101 performed the data rewriting (for example, the processor 101 sends the message to the processor 21 after executing 70 instructions and before executing the 71st).
  • On receiving the external interrupt message, the processor 21 determines whether the instruction sequence executed by the processor 101 is the reference instruction sequence by checking whether the reported position is the preset position.
  • If so, the modification information in the shared memory can be queried and the corresponding reference value updated from it.
  • If the processor 21 determines from the external interrupt information that the position in the instruction sequence executed by the processor 101 is not the preset position, or no modification information for the modified data is found in the shared memory, it performs a security protection operation on the electronic device 100.
  • the security protection operation here may be, for example, writing a reset command to a reset register with a reset function.
  • security protection against data rewriting events can also be determined by using an on-chip tracking unit to obtain an instruction sequence.
  • the storage device 103 is usually provided with a dedicated memory as shown in FIG. 4, and the dedicated memory is dedicated to the on-chip tracking unit and the processor 21 to write data or perform access queries.
  • The on-chip tracing unit may be CoreSight. This optional implementation is shown in FIG. 6. Specifically:
  • The processor 21, in response to external interrupt information indicating a data rewriting event, obtains the instruction sequence stored in the dedicated memory.
  • When the processor 101 rewrites some data, it triggers the on-chip tracing unit to capture the fragment of the instruction sequence used to rewrite the data and store it in the dedicated memory.
  • The processor 101 then sends external interrupt information to the processor 21.
  • In addition to the identification information described in step 501, the external interrupt information also carries the rewritten data and the reference value of the corresponding data.
  • The processor 21 determines the event indicated by the external interrupt information. When it is a data rewriting event, the processor 21 obtains the instruction sequence stored in the dedicated memory.
  • The processor 21 may perform a HASH operation on the acquired instruction sequence and compare the calculated HASH value with the pre-stored HASH reference value of the instruction sequence used for data rewriting. If the two differ, the instruction sequence obtained from the dedicated memory is not the preset instruction sequence, which indicates that the data has been tampered with; the processor 21 then performs a security protection operation on the electronic device 100, such as writing a reset instruction to the reset register. If the two are the same, the instruction sequence obtained from the dedicated memory is the preset instruction sequence.
  • In that case the processor 21 updates the reference value of the rewritten data, so that the updated reference value is used for comparison in the next detection.
  • The processor 21 can also clear the instruction sequence stored in the dedicated memory, so that the on-chip tracing unit writes the next instruction sequence into it when the processor 101 rewrites data again.
  • the configuration information of the dedicated memory may also be detected.
  • the configuration information of the dedicated memory is used to configure which processors or systems can access the dedicated memory, or which processors or systems can write data to the memory.
  • the configuration information of the dedicated memory is stored in the configuration information register of the processor 21.
  • The processor 21 can query the configuration information of the dedicated memory from the configuration information register, perform a HASH operation on it, and compare the resulting HASH value with the pre-stored HASH reference value of the configuration information of the dedicated memory to determine whether the two are the same.
  • If they differ, the processor 21 may write a reset instruction to the reset register to reset the electronic device 100.
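As an added illustration, not code from the patent or from Huawei, the Python model below shows the trace-verified rewrite check of FIG. 6 as the processor 21 would apply it: the access configuration of the dedicated memory is hashed against its reference first, an empty trace buffer is treated as tampering (the register changed by a path the tracing unit never saw), the captured sequence is hashed and compared with the reference sequence hash, and only a match updates the register's reference value and clears the buffer. The register name CTRL, the instruction text, the configuration encoding, the attacker scenarios and all function names are assumptions made for the example; SHA-256 stands in for the hash accelerator 22, and the shared-memory "position" variant described above is not modelled.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict

# Constructed stand-in for the legitimate instruction sequence that the system
# program uses to rewrite the dynamic register CTRL (hypothetical AArch64 text).
LEGIT_SEQ = b"ldr x0, =CTRL\nmov w1, #2\nstr w1, [x0]\n"
# Constructed access configuration of the dedicated trace memory: which masters
# may read/write it (hypothetical encoding of the configuration register).
DEDICATED_MEM_CFG = b"rw:coresight,proc21;ro:-"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()   # stand-in for hash accelerator 22


@dataclass
class Monitor:
    """Processor 21 state: reference hashes and the dedicated trace buffer."""
    ref_seq_hash: Dict[str, bytes]      # register -> SHA-256 of its legitimate rewrite sequence
    ref_values: Dict[str, int]          # register -> current reference value
    ref_cfg_hash: bytes                 # SHA-256 of the dedicated-memory access configuration
    trace_buf: bytearray = field(default_factory=bytearray)  # written by the tracing unit
    reset_register: int = 0             # 1 = reset command written

    def on_rewrite_interrupt(self, reg: str, new_value: int, cfg_now: bytes) -> str:
        """Handle the 'data rewrite' interrupt (or an observed change) for register `reg`."""
        # If the access configuration of the trace region changed, its contents prove nothing.
        if sha256(cfg_now) != self.ref_cfg_hash:
            return self._reset()
        # A change with no captured sequence: written by a path the tracing unit did not see.
        if not self.trace_buf:
            return self._reset()
        # The captured sequence must hash to the reference sequence for this register.
        if sha256(bytes(self.trace_buf)) != self.ref_seq_hash.get(reg):
            return self._reset()
        # Normal rewrite: adopt the new value as the reference and clear the buffer
        # so the next capture starts from empty.
        self.ref_values[reg] = new_value
        self.trace_buf.clear()
        return "OK"

    def _reset(self) -> str:
        self.reset_register = 1         # stand-in for writing the system reset register
        return "RESET"


def new_monitor() -> Monitor:
    return Monitor(ref_seq_hash={"CTRL": sha256(LEGIT_SEQ)},
                   ref_values={"CTRL": 0x1},
                   ref_cfg_hash=sha256(DEDICATED_MEM_CFG))


# --- processor 101 side, modelled as plain functions -------------------------

def legitimate_rewrite(m: Monitor) -> str:
    """System program rewrites CTRL; the tracing unit stores the executed sequence,
    then the rewrite interrupt is raised."""
    m.trace_buf.extend(LEGIT_SEQ)
    return m.on_rewrite_interrupt("CTRL", 0x2, DEDICATED_MEM_CFG)


def attacker_direct_write(m: Monitor) -> str:
    """CTRL changed without the traced path; processor 21 finds the dedicated memory empty."""
    return m.on_rewrite_interrupt("CTRL", 0x7, DEDICATED_MEM_CFG)


def attacker_foreign_sequence(m: Monitor) -> str:
    """The attacker's own code rewrites CTRL; its traced sequence hashes differently."""
    m.trace_buf.extend(b"ldr x0, =CTRL\nmov w1, #7\nstr w1, [x0]\n")
    return m.on_rewrite_interrupt("CTRL", 0x7, DEDICATED_MEM_CFG)


def attacker_opens_trace_memory(m: Monitor) -> str:
    """The attacker first widens the dedicated memory's access configuration so it can
    plant the legitimate sequence; the configuration check catches this first."""
    m.trace_buf.extend(LEGIT_SEQ)
    return m.on_rewrite_interrupt("CTRL", 0x7, b"rw:coresight,proc21,proc101;ro:-")
```

The order of the checks matters: the configuration of the dedicated memory is verified before its contents are trusted, and the "empty buffer" case is a tamper verdict rather than a skipped check, matching the rule stated above that a missing instruction sequence is treated as tampering.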
  • After power-on or wake-up, the processor 21 can periodically detect whether the software that drives the processor 101 has been rewritten.
  • The detection period can be set by the timer.
  • When the processor 21 detects that the software driving the operation of the processor 101 has been rewritten, it performs a security protection operation on the electronic device 100.
  • The software checked periodically under the timer may include, but is not limited to: the instructions and data of the system program, the configuration information for system configuration, and the security data.
  • FIG. 7 shows a schematic diagram of the processor 21 detecting the software that drives the electronic device to run when the electronic device exits the sleep mode.
  • The processor 21 responds to the external interrupt information for exiting sleep mode by obtaining the system program that drives the electronic device (the system program here includes the image of the system program of each processor, including but not limited to the program that runs the TEE and the program that runs the REE), the page table data, the data stored in the registers corresponding to the processor 101, and the data stored in the registers corresponding to the memory management unit.
  • The processor 21 performs a hash calculation on these four items: the system program that drives the processor 101, the page table data, the data in the registers corresponding to the processor 101, and the data in the registers corresponding to the memory management unit.
  • The processor 21 compares the hash value of each item with the pre-stored hash reference value of that item and determines whether the hash values of the four items equal the corresponding hash reference values.
  • If any of them differs, the processor 21 may perform a global reset of the electronic device.
  • FIG. 8 shows a schematic diagram of the processor 21 detecting the software running by the processor 101 when the environment in which the processor 101 is running is converted from REE to TEE.
  • the physical address range of 0x05xxxx-0x06xxxx in the storage device 103 is used to store a program whose operating environment is converted from REE to TEE.
  • the processor 101 triggers the conversion of the operating environment from REE to TEE based on the instruction, the processor 101 sends external interrupt information to the processor 21, and the external interrupt information is used to instruct the operating environment of the processor 101 to convert from REE to TEE.
  • The processor 21 responds to the external interrupt information by executing the detection steps shown in FIG. based on the pre-stored detection rules corresponding to the switch of the operating environment of the processor 101 from the REE to the TEE.
  • Specifically, it performs the hash operation on the program that switches the operating environment of the processor 101 from the REE to the TEE, compares the resulting value with the hash reference value corresponding to that program, and when the two differ writes a reset instruction to the reset register of the electronic device 100, so that the electronic device 100 is reset based on the reset instruction.
  • If the value after the hash operation equals the hash reference value corresponding to the program, the detection steps above continue to be performed until the processor 21 detects that the operating environment of the processor 101 has switched back from the TEE to the REE.
  • FIG. 9 shows a schematic diagram of the processor 21 detecting software running on the processor 101 when the processor 101 executes a face unlock event.
  • the physical address range of 0x08xxxx-0x09xxxx in the storage device 103 is used to store the application program of the facial recognition application.
  • When the user triggers a face unlock through an external input/output device such as the screen, the processor 101 sends external interrupt information to the processor 21 instructing the electronic device to execute the face unlock event.
  • The processor 21 then executes the detection steps shown in FIG.
  • The processor 101 can be provided with the key for obtaining the face template; it may obtain the face template based on that key data for face comparison.
  • The processor 21 uses different detection cycles for different events executed by the processor 101, and the security protection operation performed on the electronic device 100 after detecting that an application program has been tampered with also differs between events.
  • In this way the accuracy of detection can be improved and the safe operation of the electronic device 100 ensured.

Abstract

An electronic apparatus and a security protection method. The electronic apparatus includes a security protection apparatus and a first processor, with security isolation between the security protection apparatus and the first processor. The first processor is configured to run under the drive of software, the software including an operating system and an application. The security protection apparatus is configured to perform security detection on the software and, upon detecting that the software has been tampered with, to perform a security protection operation on the electronic apparatus. The electronic apparatus can thus be monitored in real time while it runs, preventing important data such as key data from being stolen or modified and improving the security of the electronic apparatus.

Description

Electronic Apparatus and Security Protection Method
Technical Field
Embodiments of this application relate to the field of system security technologies, and in particular to an electronic apparatus and a security protection method.
Background
With the rapid development of Internet technologies and smart terminals, more and more applications run on smart terminals. These applications span many fields, such as electronic payment applications, biometric recognition applications and instant messaging applications. Because these applications concern the user's own interests, the requirements on the security of the smart terminal's operating environment keep rising.
To guarantee the security of the smart terminal's operating environment, the prior art usually divides the execution environment of the smart terminal into mutually independent execution environments, namely a REE (Rich Execution Environment) and a TEE (Trusted Execution Environment). The REE usually runs a general-purpose operating system (for example Android), and the TEE usually runs an operating system with a higher security level. Client applications (Client Application, CA) with lower security requirements run in the REE, while trusted applications (Trusted Application, TA) with higher security requirements run in the TEE and provide security services to the CAs deployed in the general-purpose operating system. Access by a CA in the REE to the security services provided by the TEE is usually controlled by configuring access permissions.
In the related art, the REE and the TEE are usually supported by shared hardware; that is, while the REE runs, the TEE cannot run, so the running of the REE cannot be monitored. When the REE is attacked while running and the attacker obtains access permissions, the TEE usually cannot perceive this, and a CA running in the REE then has the ability to invoke the security services provided by the TEE at will. When the TEE has a vulnerability, important data such as biometric data (fingerprint data, facial image data) and keys leaks, threatening the user's interests. How to provide security protection while the REE/TEE, and indeed the whole working system, is running has therefore become a problem to be solved.
Summary
The electronic apparatus provided in this application uses a security protection apparatus to monitor the electronic apparatus in real time while it runs, improving the security of the electronic apparatus.
To achieve the above objective, this application adopts the following technical solutions:
In a first aspect, an embodiment of this application provides an electronic apparatus. The electronic apparatus includes a security protection apparatus and a first processor, and there is security isolation between the security protection apparatus and the first processor; the first processor is configured to run under the drive of software, the software including an operating system and an application; the security protection apparatus is configured to perform security detection on the software and, upon detecting that the software has been tampered with, to perform a security protection operation on the electronic apparatus. By providing the security protection apparatus, the software run by the first processor can be security-checked when the electronic apparatus is powered on, when it is woken up and while the first processor is running, so that the electronic apparatus is protected both at power-on and at run time. This reduces the risk that security data such as key data and facial image data is stolen or modified, and improves the security performance of the electronic apparatus.
In a possible design, the security isolation described in this application includes at least one of: working-system isolation, power isolation, or clock signal isolation.
Working-system isolation between the security protection apparatus and the first processor prevents a hacker from accessing or tampering with the running program of the security protection apparatus, or the data produced while it runs, by modifying the running program loaded in the memory of the first processor, thereby improving the security of the security protection apparatus. Power isolation between the security protection apparatus and the first processor prevents the security protection apparatus from being maliciously powered off when the first processor is attacked; the security protection apparatus is powered off only when the whole electronic apparatus is powered off (for example when the terminal device is shut down). Clock signal isolation between the security protection apparatus and the first processor prevents the clock cycle of the security protection apparatus from being maliciously altered when the first processor is attacked. As a result, while the first processor runs, the security protection apparatus can monitor the first processor's operating system, applications and data in real time or periodically, safeguarding the security of the electronic apparatus and hence the security of the data.
In a possible design, the security protection operation described in this application includes at least one of: triggering an alarm, resetting the electronic apparatus, denying a service requested by the software, instructing the first processor to stop running, instructing the first processor to stop running the software, disabling at least part of the functions of the software, or preventing the software from accessing data stored in the electronic apparatus.
In a possible design, the security detection described in this application includes: detecting whether at least one of the instructions or the data of the software is preset information.
The preset information here may include pre-stored instructions or data of the software, or may include a hash baseline value obtained by hashing the instructions or data of the software.
In a possible design, the first processor includes an on-chip tracing unit; the on-chip tracing unit is configured to store, when the first processor rewrites data, the instruction sequence used to rewrite the data in a dedicated memory.
In a possible design, the security detection includes: detecting whether the instruction sequence stored in the dedicated memory is a reference instruction sequence.
Usually, the data in the software includes variable data and invariable data. A change to variable data is usually triggered by an instruction during execution of an instruction sequence; because the instruction sequence is usually generated by the electronic apparatus by compiling a program written by a developer, it usually does not change. When the electronic apparatus detects that data in the software has changed, or receives an interrupt sent by the first processor indicating a data rewrite, the electronic apparatus can determine whether the instruction sequence stored in the dedicated memory is the reference instruction sequence. If the instruction sequence stored in the dedicated memory is determined not to be the reference instruction sequence, the data is considered to have been tampered with.
In a possible design, the electronic apparatus includes a memory configured to store the instructions and data of the software; the dedicated memory is a storage space set up within that memory and dedicated to reads and writes by the on-chip tracing unit and the security protection apparatus.
In a possible design, the security protection apparatus includes a second processor; the second processor is configured to perform periodic security detection on the software at a time set by a timer, or to perform security detection on the software based on an interrupt event sent by the first processor.
In a possible design, the security protection apparatus further includes a hash accelerator coupled to the second processor; when performing security detection on the software, the second processor is configured to: control the hash accelerator to obtain the software and hash the obtained software to obtain a reference value; compare the reference value with a pre-stored hash baseline value; and determine, based on the comparison result, whether the software has been tampered with.
In a possible design, the security protection apparatus further includes a watchdog, the electronic apparatus further includes a reset unit, and the watchdog is coupled to the second processor and to the reset unit; the second processor is further configured to periodically send a heartbeat instruction to the watchdog; the watchdog is configured to reset the electronic apparatus through the reset unit when it does not receive the heartbeat instruction sent by the second processor within a predetermined time.
Providing the watchdog prevents the running of the other processors from being attacked while the security protection apparatus is hung.
In a possible design, the operating system includes a rich execution environment REE and a trusted execution environment TEE.
In a possible design, the security protection apparatus is specifically configured to: when the operating environment of the first processor switches from REE to TEE, periodically perform the security detection on the software that drives the switch of the first processor's operating environment and on the software running in the TEE; and when the operating environment of the first processor switches from TEE to REE, stop performing the security detection.
In a second aspect, an embodiment of this application provides a security protection method applied to an electronic apparatus. The method includes: a first processor in the electronic apparatus runs under the drive of software, the software including an operating system and an application; a security protection apparatus in the electronic apparatus performs security detection on the software, there being security isolation between the security protection apparatus and the first processor; and upon detecting that the software has been tampered with, the security protection apparatus performs a security protection operation on the electronic apparatus.
Brief Description of the Drawings
To describe the technical solutions in the embodiments of this application more clearly, the following briefly introduces the accompanying drawings needed for describing the embodiments. Obviously, the drawings described below are only some embodiments of this application, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic structural diagram of an electronic apparatus according to an embodiment of this application;
FIG. 2 is a schematic structural diagram of the processor 101 in the electronic apparatus shown in FIG. 1 according to an embodiment of this application;
FIG. 3 is a schematic structural diagram of a security protection apparatus according to an embodiment of this application;
FIG. 4 is a schematic diagram of the interaction between the components of an electronic apparatus according to an embodiment of this application;
FIG. 5 is a flowchart of a security protection method according to an embodiment of this application;
FIG. 6 is another flowchart of a security protection method according to an embodiment of this application;
FIG. 7 is a flowchart of an application scenario of a security protection method according to an embodiment of this application;
FIG. 8 is a flowchart of another application scenario of a security protection method according to an embodiment of this application;
FIG. 9 is a flowchart of yet another application scenario of a security protection method according to an embodiment of this application.
Detailed Description of Embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the accompanying drawings in the embodiments of this application. Obviously, the described embodiments are some rather than all of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
The terms "first", "second" and similar words mentioned herein do not denote any order, quantity or importance but are used only to distinguish different components. Likewise, words such as "a" or "an" do not denote a quantity limit but indicate that at least one is present. Words such as "connected" or "coupled" are not limited to physical or mechanical connections but may include electrical connections, whether direct or indirect, equivalent to coupling or communication in the broad sense.
In the embodiments of this application, words such as "exemplary" or "for example" are used to mean serving as an example, illustration or explanation. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as preferred or more advantageous than other embodiments or designs; rather, the use of "exemplary" or "for example" is intended to present the relevant concept in a concrete way. In the description of the embodiments of this application, unless stated otherwise, "a plurality of" means two or more; for example, a plurality of processing units means two or more processing units.
To make the objectives, technical solutions and advantages of this application clearer, the technical solutions in this application are described clearly and completely below with reference to the accompanying drawings in this application. Obviously, the described embodiments are some rather than all of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
Refer to FIG. 1, which shows a schematic diagram of a hardware architecture of an electronic apparatus according to an embodiment of this application. The electronic apparatus 100 may be located in a terminal. The terminal may be a user equipment (User Equipment, UE), such as a mobile phone, a tablet computer, a wearable device (such as a smart watch), or another type of portable terminal device. The electronic apparatus 100 may specifically be a chip, a chipset, or a circuit board carrying a chip or chipset. The chip, chipset, or circuit board carrying a chip or chipset can work under the drive of the necessary software.
The electronic apparatus 100 shown in FIG. 1 includes a processor 101. The processor 101 includes at least one central processing unit. Usually, the processor 101 can run rich execution environment (REE) software and trusted execution environment (TEE) software, as shown in FIG. 2. The REE software or TEE software includes but is not limited to operating system software, compiler software, or application software. The software here may include but is not limited to instructions and data. Specifically, the operating system software based on the REE may also be called general-purpose operating system software; general-purpose operating systems include Android, Windows and iOS. These operating systems can support ordinary, non-security applications. Among these ordinary non-security applications, some can invoke the secure application software TA in the TEE; such software may also be called a CA. A CA is usually a third-party application (for example a video application or a shopping application). The operating system software based on the TEE may also be called trusted application system software; the trusted application system supports secure application software, which may also be called a TA, such as applications that perform security services like signing, encryption and decryption computation, and face comparison. The security of TEE software is higher than that of REE software, so the security level of a TA is higher than that of a CA. The TEE is strictly restricted and cannot be accessed by an ordinary CA. Therefore there is security isolation between the TEE software and the REE software to guarantee the security of TA software and CA software.
The electronic apparatus 100 shown in FIG. 1 further includes a security protection apparatus 102. The security protection apparatus 102 includes a processor 21. The processor 21 is configured to run security system software, which here may include but is not limited to a system or an application, each consisting of the instructions and data it needs while running. Driven by the security system software, the processor 21 can perform security detection on the software run by the processor 101 when the electronic apparatus 100 is powered on, when the electronic apparatus 100 is woken up, or while the processor 101 is running, to make sure that the software run by the processor 101 is normal. For example, it performs security detection on the instructions loaded and the data obtained by the processor 101 to make sure that the loaded instructions and obtained data have not been rewritten, or have been rewritten normally; that is, it prevents the related data from being tampered with. A normal rewrite here means that certain variable information in the electronic apparatus 100 was rewritten by the processor along a pre-set program call path. When the processor 21 detects that the software run by the processor 101 has been tampered with, it can perform a security protection operation on the electronic apparatus. The security protection operation here may include but is not limited to: triggering an alarm, resetting the electronic apparatus 100, denying a service requested by the software (for example a biometric recognition service, a password unlock service, or a key acquisition service), instructing the processor 101 to stop running, instructing the processor 101 to stop running the software, disabling at least part of the functions of the software run by the processor 101, or preventing the software from accessing data stored in the electronic apparatus 100.
In addition, while making sure that the software run by the processor 101 is normal, the processor 21 can also communicate with the processor 101 over the bus. This communication includes but is not limited to: the processor 101 sending an interrupt request to the processor 21 based on the CA or TA it is running. Based on the interrupt request from the processor 101, the processor 21 can obtain the instructions and data of the CA or TA loaded by the processor 101 and perform security detection on them, so as to ensure that the CA or TA runs securely and is protected from attack. For example, in one scenario of this embodiment, after the processor 101 responds to an unlock instruction issued by the user, it sends the processor 21 interrupt information indicating that it is entering execution of the unlock event, and then continues to execute the unlock event. The processor 21 responds to the interrupt and, while the processor 101 executes the unlock event, protects the instructions of the CA, the instructions of the TA, and the data obtained or produced by the processor 101 while running, preventing the key data, fingerprint data and/or facial image data related to face unlock from being tampered with or stolen. It should be noted that the processor 21 does not change the running logic of the processor 101 while performing security protection.
In this embodiment, the security protection apparatus 102 and the processor 101 are security-isolated from each other. That is, the hardware design of the security protection apparatus 102 guarantees that the software run by the processor 101 cannot interfere with the running of the security protection apparatus 102. Specifically, the security isolation here may include but is not limited to working-system isolation, power isolation, or clock signal isolation. Working-system isolation means that the processor 101, based on the software it runs, cannot access the security protection apparatus 102; being unable to access the security protection apparatus 102 means being unable to access the running program (including instructions and data) of the processor 21, or the data obtained or produced by the processor 21 while running. Power isolation means that the processor 101 cannot control the power-on or power-off of one or more components (for example the processor 21) in the security protection apparatus 102. That is, the components in the security protection apparatus 102 (for example the processor 21) can be powered directly by an external power supply (for example a battery or a power adapter), and the processor 101 cannot control the components of the security protection apparatus 102 to start, shut down, or enter or leave a low-power state. When the electronic apparatus 100 is powered on by the external power supply, the processor 101 and the processor 21 each start up, or the processor 21 may start first; when the electronic apparatus 100 is powered off, the processor 101 and the processor 21 each shut down. Clock signal isolation means that the processor 101 cannot control the clock cycle of one or more components (for example the processor 21) in the security protection apparatus 102. That is, the clock cycle at which the components in the security protection apparatus 102 (for example the processor 21) work can be provided directly by an external clock signal source, and the processor 101 cannot change the clock cycle of the components in the security protection apparatus 102.
Working-system isolation between the security protection apparatus 102 and the at least one processor 101 prevents a hacker from accessing or tampering with the running program of the processor 21, or the data produced while it runs, by modifying the running program loaded in the memory of the processor 101, thereby improving the security of the security protection apparatus. Power isolation between the security protection apparatus 102 and the at least one processor 101 prevents the security protection apparatus 102 from being maliciously powered off when the processor 101 is attacked; the security protection apparatus 102 is powered off only when the whole electronic apparatus 100 is powered off (for example when the terminal device is shut down). Clock signal isolation between the security protection apparatus 102 and the at least one processor 101 prevents the clock cycle of the security protection apparatus 102 from being maliciously altered when the processor 101 is attacked. As a result, while the processor 101 runs, the security protection apparatus 102 can monitor the operating system of the processor 101 and the applications and data running on the processor 101 in real time or periodically, safeguarding the security of the electronic apparatus 100 and hence the security of its data.
In this embodiment, as shown in FIG. 1, the electronic apparatus 100 further includes a storage device 103. The storage device 103 is the memory of the electronic apparatus 100 and may include but is not limited to random access memory RAM and read-only memory ROM.
The storage device 103 may store instructions and data. The processor 101 or the processor 21 performs the various functional applications and data processing of the electronic device by loading instructions and obtaining data. Specifically, the read-only memory may store the boot key data that the processor 101 or the processor 21 needs to load when starting up. The random access memory may store instruction code such as the operating system or applications to be run by the processor 101 or the processor 21 and the data needed for running, and may also hold the intermediate computation results, data or configuration data produced by running processes. The random access memory may include volatile memory (such as SRAM, DRAM or SDRAM) and non-volatile memory.
The storage space in the storage device 103 that stores the running software of the REE is a first storage space; the storage space that stores the running software of the TEE is a second storage space; the storage space that stores the running software of the processor 21 is a third storage space. The first, second and third storage spaces correspond to respective physical addresses in each memory. Thus, when each system runs, it accesses the corresponding memory based on that memory's physical addresses to obtain running software such as instruction code or data. It should be noted that while running the REE, the processor 101 can access only the running software stored in the first storage space; while running the TEE, the processor 101 can access the running software stored in the first storage space and in the second storage space; and the processor 21, driven by the security system running on it, can access the running software stored in the first, second and third storage spaces. Thus, when the electronic apparatus 100 is powered on, when the system 100 is woken up and while the processor 101 is running, the processor 21 can determine whether the running software of the REE and the TEE, such as instruction code or data, has been tampered with by accessing the running software stored in the first and second storage spaces, thereby protecting the operating environment of the processor 101. It should be noted that the restrictions in this embodiment on the storage spaces each processor can access at run time can be implemented by hardware design, which is currently common technology and is not described further here.
Optionally, the storage device 103 is further provided with a shared memory. When the processor 101 sends an interrupt request to the processor 21 based on the CA or TA it is running, it can write indication information identifying the event it is about to execute into the shared memory. After receiving the interrupt request, the processor 21 can read the indication information from the shared memory and, based on it, perform security detection on the CA instructions, TA instructions and related data (for example configuration information) that run the event, so as to ensure that the CA or TA runs securely. In some implementations, after the processor 21 has read the indication information from the shared memory, it can also clear the shared memory so that the processor 101 can continue writing indication information into it.
In this embodiment, the processor 101, based on the software running on it, can control the storage device 103. The specific control may include but is not limited to: switching it on, switching it off, and entering or leaving a low-power state. The processor 21, based on the software running on it, can also control the storage device 103; its control may include but is not limited to switching it off or resetting it. Usually the storage device 103 is switched on, switched off, and moved into or out of a low-power state under the control of the processor 101. When the processor 21 detects that the instructions or data run by the processor 101 are abnormal, it can switch off or reset the storage device 103, so that an attack on the electronic apparatus 100 cannot lead to the leakage of important data.
In this embodiment, the electronic apparatus 100 may include registers of various types, including but not limited to an address register for storing instruction addresses, a reset register for storing the electronic apparatus reset instruction, a data register for storing data needed at run time, or an instruction register for storing instructions to be executed. In addition, it includes a configuration register for storing system configuration information. For example, the configuration register may store resource configuration information of the processor 101 based on TrustZone; this resource configuration information can, for example, configure which memories in the storage device can be accessed while the processor 101 runs the REE and which can be accessed only while the processor 101 runs the TEE.
The processor 21 shown in this embodiment can access some or all of the registers in the electronic apparatus 100 and can also rewrite some or all of them by instruction. Specifically, when the electronic apparatus 100 is powered on, when the system 100 is woken up and while the processor 101 is running, the processor 21 can access the registers in the electronic apparatus 100 and determine whether the information stored in them (for example the configuration information in the configuration register) has been changed. Usually the data stored in certain registers changes dynamically; these may be called dynamic registers. For example, the resource configuration information stored in the configuration register may differ between processes, and within one process it may change as instructions execute. A change to the data in a dynamic register is usually triggered by an instruction during execution of an instruction sequence; because the instruction sequence is usually generated by the electronic apparatus 100 by compiling a program written by a developer, it usually does not change, whereas the instruction sequence a hacker uses to rewrite the data in a dynamic register usually differs from the reference instruction sequence. Therefore, after detecting that the data in a dynamic register has changed, the processor 21 can further determine whether the instruction sequence run by the processor 101 is the reference instruction sequence. If it is, the change to the dynamic register is a normal change, and the processor 21 can update the baseline for that dynamic register. If the instruction sequence run by the processor 101 is determined not to be the reference instruction sequence, the dynamic register is considered to have been tampered with, and a reset instruction can be written to the reset register in the processor 101 so that the electronic apparatus 100 resets.
In addition, important configuration data may also change dynamically while the processor 101 runs. This important configuration data is usually stored in DRAM and may include, for example, page table entry data, process PID/UID information, or important system security permission configuration data. When the processor 21 detects that important configuration data has changed, it can likewise use the reference-instruction-sequence comparison described above to verify whether the change is normal; this is not repeated here.
Optionally, the electronic apparatus 100 further includes an on-chip tracing unit, as shown in FIG. 4. The on-chip tracing unit may be a CoreSight system; it is usually located inside the processor 101 and coupled to the core of the processor 101, and is used to obtain the instruction sequence of the processor 101 while the processor 101 runs.
Optionally, the storage device 103 is further provided with a dedicated memory, as shown in FIG. 4. The dedicated memory may be located in the RAM of the storage device 103 and is a storage space dedicated to reads and writes by the on-chip tracing unit and the security protection apparatus 102 (for example the processor 21 or the hash accelerator 22 in the security protection apparatus 102). FIG. 4 schematically shows the physical address of the dedicated memory in the storage device 103 as (0x10xxxx, 0x11xxxx); this physical address is likewise illustrative and is set according to the needs of the scenario.
In FIG. 4, when the processor 101 rewrites the data in a dynamic register based on an instruction, it can invoke CoreSight to obtain the instruction sequence of the processor 101, and CoreSight can store the obtained instruction sequence in the dedicated memory. Once CoreSight has stored the instruction sequence in the dedicated memory, the processor 101 can send the processor 21 an interrupt indicating the data rewrite. After receiving the interrupt indicating the data rewrite from the processor 101, or on detecting that the data in a dynamic register has changed, the processor 21 can obtain the instruction sequence stored in the dedicated memory and verify it. If the instruction sequence is determined to be the reference instruction sequence, the rewrite of the data in the dynamic register can be determined to be a normal rewrite; if the instruction sequence is determined not to be the reference instruction sequence, or no instruction sequence is stored in the dedicated memory, the data in the dynamic register can be determined to have been tampered with, and a reset instruction can be written to the system reset register. The CoreSight system is an existing on-chip trace and debug system and is not described further. In addition, after the processor 21 has obtained the instruction sequence from the dedicated memory, it can also clear the dedicated memory so that the next time a dynamic register is rewritten, CoreSight can again write the instruction sequence into it.
In this embodiment, the electronic apparatus 100 may store preset information for the instructions and data of the software run by the processor 101. The preset information may be the original instructions and data, or it may be hash baseline values obtained by applying a HASH operation to the original instructions or data. After obtaining instruction code or data from the storage device 103, or from a register, the processor 21 can compare the instruction code or data with the preset information to determine whether the software run by the processor 101 has been tampered with.
Specifically, when the preset information is a hash baseline value obtained by a HASH operation, the obtained instruction code or data can itself be hashed to obtain the HASH value of that instruction code or data. The processor 21 can compare the computed HASH value with the corresponding hash baseline value to determine whether the instructions or data have been tampered with. Further, the reference instruction sequence described above may also be a baseline value obtained by a HASH operation: after obtaining an instruction sequence, the processor 21 can also hash it and compare the computed HASH value with the baseline value to determine whether the instruction sequence has been tampered with.
Optionally, the HASH operation on the obtained instructions or data is performed by an arithmetic unit. Specifically, the security protection apparatus 102 further includes a hash accelerator 22, as shown in FIG. 3, coupled to the processor 21. Driven by the running software, the processor 21 controls the hash accelerator 22 to obtain the instructions, data or instruction sequence to be checked from the storage device 103. The hash accelerator 22 then hashes the data, instructions or instruction sequence to be checked, so that the processor 21 can judge, from the hash baseline value and the computed HASH value of the data, instructions or instruction sequence to be checked, whether they have been rewritten. The hash accelerator 22 may be integrated with the processor 21 in the same processor, or the two may be separate processors. The hash accelerator 22 may, for example, be a SHA256 device; it may be a Hash Accelerator IP or a crypto engine hash.
In this embodiment, the security protection apparatus 102 further includes a timer 23, as shown in FIG. 3, coupled to the processor 21. Under the control of the processor 21, the timer 23 sets a timing period based on the clock cycle provided by the clock source. Optionally, the security protection apparatus 102 is further provided with a watchdog 24, as shown in FIG. 3. The watchdog 24 may be connected to the hardware reset unit in the electronic apparatus 100. If the security protection apparatus 102 stopped working for a reason of its own, the software run by the other processors in the electronic apparatus 100 would continue to run unmonitored. Providing the watchdog 24 prevents the running of the other processors from being attacked while the security protection apparatus 102 is hung. While the security protection apparatus 102 runs normally, the processor 21 sends heartbeat instructions to the watchdog 24 at regular intervals; when the watchdog 24 does not receive a heartbeat instruction from the processor 21 within the predetermined time set by the timer 23, it can reset the electronic apparatus 100 through the hardware reset unit.
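The heartbeat-and-timeout behaviour of the watchdog 24 described above, as an added example rather than code from the patent or from Huawei: a discrete-time model in which the processor 21 is expected to send a heartbeat instruction every HEARTBEAT_MS, and the watchdog, stepping at the period set by the timer 23, triggers the hardware reset unit when no heartbeat has arrived within TIMEOUT_MS. The time constants, the tick granularity and the heartbeat schedules are constructed for illustration; the patent fixes none of them.

```python
"""Watchdog 24 guarding the security processor itself (added example)."""

HEARTBEAT_MS = 100   # constructed: how often a healthy processor 21 kicks the watchdog
TIMEOUT_MS = 300     # constructed: the predetermined time set through timer 23


class Watchdog:
    """Models watchdog 24: counts time since the last heartbeat and fires a reset."""

    def __init__(self, timeout_ms: int):
        self.timeout_ms = timeout_ms
        self.last_heartbeat_ms = 0
        self.reset_at_ms = None   # time at which the hardware reset unit was triggered

    def heartbeat(self, now_ms: int) -> None:
        """Heartbeat instruction received from processor 21."""
        self.last_heartbeat_ms = now_ms

    def tick(self, now_ms: int) -> bool:
        """One timer-23 step; returns True once the reset has been triggered."""
        if self.reset_at_ms is None and now_ms - self.last_heartbeat_ms >= self.timeout_ms:
            self.reset_at_ms = now_ms   # would write to the reset unit in hardware
        return self.reset_at_ms is not None


def simulate(heartbeat_times_ms, end_ms: int, tick_ms: int = 10, timeout_ms: int = TIMEOUT_MS):
    """Step the watchdog up to end_ms; return the millisecond at which the reset
    fired, or None if processor 21 kept the watchdog fed the whole time."""
    wd = Watchdog(timeout_ms)
    beats = set(heartbeat_times_ms)
    for now in range(0, end_ms + 1, tick_ms):
        if now in beats:
            wd.heartbeat(now)
        if wd.tick(now):
            return now
    return None


def healthy_schedule(end_ms: int):
    """Processor 21 running normally: a heartbeat every HEARTBEAT_MS until end_ms."""
    return range(0, end_ms + 1, HEARTBEAT_MS)


def hung_after(hang_ms: int):
    """Processor 21 sends heartbeats on schedule, then hangs at hang_ms (constructed failure)."""
    return range(0, hang_ms + 1, HEARTBEAT_MS)


if __name__ == "__main__":
    print("healthy:", simulate(healthy_schedule(1000), 1000))   # None: no reset
    print("hung at 400 ms:", simulate(hung_after(400), 1000))    # reset at 700 ms
```

The point of the model is the failure mode the paragraph describes: once the security processor stops sending heartbeats, the rest of the device runs unmonitored only until the timeout elapses, after which the reset unit, which the processor 101 cannot control, brings the whole device back to a known state.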
Optionally, the security protection apparatus 102 further includes a random access memory RAM, which may be SRAM. The RAM is coupled to the processor 21 and stores instructions that drive the processor 21. After power-on, the processor 21 usually first accesses the third storage space in the storage device 103 and loads and runs the executable program stored there. If an exception makes the storage device 103 inaccessible to the processor 21, the exception may have been caused by an external attack on the electronic apparatus 100; to prevent the electronic apparatus 100 from remaining under external attack, the processor 21 then accesses the RAM and runs the instructions stored in it, which instruct a reset of the electronic apparatus 100.
Optionally, the security protection apparatus 102 further includes a read-only memory ROM and an OTP (One Time Programmable) memory. The OTP may be an eFuse memory. The ROM stores the boot program code of the security protection apparatus 102; after the processor 21 is powered on, it can load the boot program code from the ROM to start the security protection apparatus 102. The eFuse may store boot key data; after loading the boot program, the processor 21 can further obtain the boot key data from the eFuse and use it to verify the boot program, so that the security protection apparatus 102 boots securely.
In a possible implementation, the security protection apparatus 102 and the at least one processor 101 are integrated in a first semiconductor chip of the electronic apparatus 100, forming a system on chip SOC (System on Chip), as shown in FIG. 1. In addition, a power management unit and a clock signal source may be provided in the security protection apparatus 102. The power management unit may be coupled to an external power supply (for example a battery or a power adapter) and supplies the electrical energy from the external power supply to the processor 21 to power it on. The input of the clock signal management unit is coupled to an external clock source; the clock signal input of the processor 21 may be coupled to the clock signal management unit, which supplies the clock signal from the external clock source to the processor 21 so that the processor 21 works at the clock cycle the clock signal provides.
It should be noted that the power management unit, the clock signal management unit, the hardware reset unit, the power supply and the clock source are all outside the control of the processor 101; their power-on/off, reset, and entry into or exit from sleep mode are controlled by other hardware circuits. In this way, the power and timing of the processor 101 and of the security protection apparatus 102 are separated, so that the power-on/off, reset and clock cycle changes of the security protection apparatus 102 are not controlled by the system program run by the processor 101, improving the security of the security protection apparatus 102. Optionally, the storage device 103 may be integrated in the first semiconductor chip (the SOC) or in a second semiconductor chip of the electronic apparatus 100 different from the first semiconductor chip.
In this embodiment, the electronic apparatus 100 may further include a communication unit 106, as shown in FIG. 1, which includes but is not limited to a near-field communication unit and a mobile communication unit. The near-field communication unit exchanges information with a terminal outside the mobile terminal that provides Internet access by running a short-range wireless communication protocol; such protocols may include but are not limited to the protocols supported by radio-frequency identification technology, Bluetooth communication protocols, and infrared communication protocols. The mobile communication unit accesses the Internet through a radio access network by running a cellular wireless communication protocol, so that it can exchange information with the servers on the Internet that support the various applications. The communication unit 106 may be integrated in the first semiconductor chip. In addition, the electronic apparatus 100 includes a bus, input/output ports I/O, a storage controller 107 and so on. The storage controller 107 controls the storage device 103. The bus, the I/O ports, the storage controller 107 and so on can all be integrated in the first semiconductor chip together with the security protection apparatus 102, the processor 101 and so on. It should be understood that in practice the electronic apparatus 100 may include more or fewer components than shown in FIG. 1; the embodiments of this application do not limit this.
Based on the hardware structure of the electronic apparatus 100 shown in FIG. 1, the security protection apparatus 102 provided in the embodiments of this application can perform security detection on the software run by the processor 101 when the electronic apparatus 100 is powered on, when it is woken up and while the processor 101 is running, so that the electronic apparatus 100 is protected both at power-on and at run time. Compared with the related art, in which the REE or TEE cannot be well monitored while it runs, this embodiment can fully monitor the REE or the TEE whether the REE or the TEE is running, reducing the risk that security data such as key data and facial image data is stolen or modified and improving the security performance of the electronic apparatus 100.
As shown in FIG. 1, the electronic apparatus 100 may further include a media unit 104, an AI (Artificial Intelligence) unit 105 and so on. The media unit 104 may further include dedicated processors such as a graphics processor GPU and a digital signal processor (DSP); the AI unit 105 may further include dedicated processors such as a neural-network processing unit (NPU). The security protection apparatus 102 can also provide real-time security protection for the various dedicated processors in the media unit 104 and the AI unit 105, the software run through their associated registers, and the data they store; its protection of these other units can follow the method by which the security protection apparatus 102 protects the software run by the processor 101 and the related stored data, and is not described in detail here.
The security protection apparatus 102 shown in the embodiments of this application can protect the software run by each processor in the electronic apparatus 100 on a preset polling period; it can also, on receiving an external interrupt, protect the software that executes the event indicated by the interrupt. The embodiments shown in FIG. 5 to FIG. 9 describe the security protection method applied to the processor 21 in the security protection apparatus 102.
Refer to FIG. 5, which shows a flowchart of the security protection method. The method is performed by the processor 21 and includes:
501: respond to external interrupt information. The external interrupt information here is sent by another component that communicates with the processor 21: it may be sent by the processor 101, by the external power supply, or by an external input/output device (for example a keyboard, mouse or display). The processor 101 here may include but is not limited to a CPU, NPU or GPU. The external interrupt information carries identification information; different identification information indicates different events, and the processor 21 can determine the event indicated by the external interrupt information from it. The events indicated may include but are not limited to: the processor 101 rewriting variable data; the electronic apparatus switching from power-off mode to power-on mode; the electronic apparatus switching from sleep mode to awake mode; or the processor 101 creating a process to execute some event, which may include but is not limited to a face recognition event, a fingerprint recognition event, an unlock event, a payment event, or the operating environment of the processor 101 switching from REE to TEE. Specifically, the processor 21 is connected to the power management unit or the external power supply of the electronic apparatus 100; when the power management unit or the external power supply starts supplying power, it can send the processor 21 information indicating that the processor 21 is powered on. The processor 21 may also be coupled to an external input/output device (for example a keyboard, mouse or display); when the user wakes the screen by, for example, clicking the mouse, pressing a key or touching the screen, the external input/output device can send the processor 21 information indicating that the processor 21 is to switch from sleep mode to awake mode.
502: determine whether the event indicated by the external interrupt information is a data rewrite event. In this embodiment, the executable software code that drives the electronic apparatus (system programs, application programs and so on), the data or instructions stored in certain registers, security data (for example the boot key, fingerprint data and face template data), and one-time security configuration information (for example the configuration of the system resources the processor 101 may access when running the REE and the TEE respectively) cannot be changed while the processor 101 runs. Such programs, instructions or data are usually identical to the corresponding preset information pre-stored in the security protection apparatus 102, or the HASH value of such programs, instructions or data equals the HASH baseline value of the corresponding program, instructions or data pre-stored in the processor 21. Some data, on the other hand, may be rewritten while the electronic apparatus runs, for example the data stored in certain variable registers, the page tables of the electronic apparatus, and certain configuration information; such data may differ from the corresponding preset information pre-stored in the security protection apparatus 102, or its HASH value may differ from the pre-stored HASH baseline value of that software. The rewriting of data is usually carried out by the processor 101 based on the instruction sequence it runs.
Because the corresponding HASH baseline value also changes when data is rewritten, the security protection flow of the security protection apparatus 102 for a data rewrite event differs from that for other events. After responding to the external interrupt information, the processor 21 can first judge whether the event indicated by the external interrupt information is a data rewrite event. If it is, the processor 21 executes the flow of the security protection method corresponding to a data rewrite event, shown in steps 601 to 602. If the event indicated by the external interrupt information is not a data rewrite event, the processor 21 executes step 503.
503: based on the event indicated by the external interrupt and the preset detection rule corresponding to that event, check the software that drives the processor 101. The software that drives the electronic apparatus may include but is not limited to the operating system or applications, for example the system program running the REE, the system program running the TEE, and the configuration information of the electronic apparatus. The configuration information is used, for example, to configure the resources the processor 101 may access when running different software environments; the resources here may include the data (for example audio, image or text data) or instructions stored in the storage device, and may also include the configuration information, operands or instructions stored in registers.
Different events indicated by the external interrupt involve different programs (instructions and data) driving the electronic apparatus, and their corresponding detection rules also differ. The security protection apparatus 102 may pre-store a detection rule for each event. A detection rule may include but is not limited to: the detection period (for example cyclic detection at the time set by a timer, or a single detection, the timer period being for example 1 ms or 2 ms); the content to be checked (for example one or more of the system programs, application programs, configuration information, system lists and security data); and the security protection operation to apply when the software has been tampered with. The content to be checked usually includes the memory address information and register address information that locate the programs (instructions and data) to be checked. Usually an event requires several items to be checked (for example, when a face unlock event is executed, four items need to be checked: the face recognition program (RAM physical addresses 0x05xxxx-0x06xxxx), the unlock program (RAM physical addresses 0x07xxxx-0x08xxxx), the configuration information (register number c1) and the security data (RAM physical addresses 0x10xxxx-0x11xxxx)); each item corresponds to one or more addresses, and the processor 21 checks the items one by one based on the memory address information and register address information.
Specifically, the content to be checked may also store a hash baseline value for each item. The processor 21 can control an arithmetic unit (for example the hash accelerator 22 shown in FIG. 3) to hash each item, compare the measured value after the HASH operation with the pre-stored hash baseline value of the corresponding item, and determine whether the measured value of each item equals its hash baseline value, so as to determine whether the software driving the processor 101 has been tampered with.
504: based on the detection result, determine whether the software driving the electronic apparatus has been tampered with. In this embodiment, based on the comparison between each item's measured value and its hash baseline value, if the processor 21 finds that the measured value of any item differs from its hash baseline value, that item has been tampered with, that is, the software driving the electronic apparatus has been tampered with and the electronic apparatus 100 is at risk. The processor 21 can then perform a security protection operation on the electronic apparatus 100 according to the security protection operation corresponding to the event indicated by the external interrupt. The security protection operation performed here may include but is not limited to: triggering an alarm, resetting the electronic apparatus 100, denying a service requested by the software, instructing the processor 101 to stop running, instructing the processor 101 to stop running the software, disabling at least part of the functions of the software, or preventing the software from accessing data stored in the electronic apparatus. Specifically, the processor 21 can write a system reset instruction to the reset register that has the system reset function; the hardware in the electronic apparatus 100 (for example the processor 101, memories and registers) then performs a reset driven by the reset instruction. Denying a service requested by the software may include but is not limited to: refusing to unlock, denying access, refusing to provide a key, or reporting biometric recognition failure.
If the processor 21 determines from the comparison that the measured values of all items equal their hash baseline values, then, according to the detection period in the detection rule, it either ends the detection for this event or re-executes the detection of steps 503 to 504 until the time set by the timer expires, and then ends the detection for this event.
In this embodiment, the processor 101 rewrites data by executing a data-rewrite instruction sequence. This instruction sequence is registered in advance and does not change while the electronic apparatus runs. After receiving the external interrupt indicating a data rewrite event, the processor 21 can determine whether the software run by the processor 101 has been tampered with by detecting whether the instruction sequence performing the rewrite has changed.
In a possible implementation, a shared memory may be set up in the memory. Both the processor 21 and the processor 101 can write information to and read information from the shared memory. After the processor 101 has rewritten data, it can write the modified part to the shared memory and send external interrupt information to the processor 21. The external interrupt information here indicates the position in the instruction sequence the processor 101 has reached (for example, the processor 101 sends the message point after executing 70 instructions and before executing the 71st) and that it is rewriting data. After receiving the external interrupt message, the processor 21 can determine whether the instruction sequence executed by the processor 101 is the reference instruction sequence based on whether the position the processor 101 has currently reached in the instruction sequence is the preset position. If it is, the processor 21 can look up the modification information in the shared memory and update the corresponding baseline value from it. If the processor 21 determines from the external interrupt information sent by the processor 101 that the position reached in the instruction sequence is not the preset position, or finds no modification information for the modified data in the shared memory, it performs a security protection operation on the electronic apparatus 100, for example writing a reset instruction to the reset register that has the reset function.
In another possible implementation, security protection for a data rewrite event can also be determined by obtaining the instruction sequence through the on-chip tracing unit. In this implementation, the storage device 103 is usually provided with the dedicated memory shown in FIG. 4, which is dedicated to data writes and access queries by the on-chip tracing unit and the processor 21. The on-chip tracing unit may be CoreSight. This optional implementation is shown in FIG. 6. Specifically:
601: in response to external interrupt information indicating a data rewrite event, obtain the instruction sequence stored in the dedicated memory. When the processor 101 rewrites certain data, it triggers the on-chip tracing unit to capture the fragment of the instruction sequence used to rewrite the data and store it in the dedicated memory. The processor 101 then sends external interrupt information to the processor 21; besides the identification information described in step 501, this external interrupt information carries the rewritten data and the reference value of that data. After receiving the external interrupt information in step 501, the processor 21 judges the event it indicates; if the event is a data rewrite event, the processor 21 can obtain the instruction sequence stored in the dedicated memory.
602: detect whether the instruction sequence obtained from the dedicated memory is the preset instruction sequence. Specifically, the processor 21 can hash the obtained instruction sequence and compare the computed HASH value with the pre-stored HASH baseline value of the instruction sequence used for the data rewrite, determining whether the two are the same. If they differ, the instruction sequence obtained from the dedicated memory is determined not to be the preset instruction sequence, which means the data has been tampered with; the processor 21 can then perform a security protection operation on the electronic apparatus 100, for example writing a reset instruction to the reset register. If they are the same, the instruction sequence obtained from the dedicated memory is determined to be the preset instruction sequence; the processor 21 then updates the baseline value of the rewritten data so that the next data check compares against the updated baseline. In addition, the processor 21 can clear the instruction sequence stored in the dedicated memory so that the processor 101 can continue to have the on-chip tracing unit write instruction sequences into it when rewriting data.
In some optional implementations, before executing the steps shown in FIG. 6, the processor 21 can also check the configuration information of the dedicated memory, which configures which processors or systems may access the dedicated memory, or which may write data to it. This configuration information is usually stored in the configuration information register of the processor 21. The processor 21 can read the dedicated memory's configuration information from the configuration information register, hash it, and compare the resulting HASH value with the pre-stored HASH baseline value of the dedicated memory's configuration information to determine whether the two are the same. If they are the same, the configuration information of the dedicated memory has not been rewritten, that is, the data in the dedicated memory was written by the on-chip tracing unit. If they differ, the configuration information of the dedicated memory has been changed and the processor 21 cannot determine whether the data in the dedicated memory was written by the on-chip tracing unit; to guarantee the data security of the electronic apparatus 100, the processor 21 can then write a reset instruction to the reset register to reset the electronic apparatus 100.
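The data-rewrite flow of steps 601 to 602, together with the optional pre-check of the dedicated memory's configuration just described, as an added example that is not code from the patent or from Huawei. It models the processor 21's side only: the instruction sequence the tracing unit captured into the dedicated memory is hashed and compared with the registered baseline; on a match the baseline of the rewritten datum is updated and the buffer cleared, and on a mismatch, an empty buffer or an altered access configuration a reset is requested. The instruction text used as the registered sequence, the configuration-register contents, the datum name `ttbr0` and the helper names are all constructed; the tracing unit is modelled by a function that writes the simulated buffer, and SHA-256 from `hashlib` stands in for the hash accelerator 22.

```python
"""Data-rewrite event checked through the on-chip trace buffer (added example)."""
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    """Stands in for the SHA-256 hash accelerator 22."""
    return hashlib.sha256(data).hexdigest()


# Constructed: the compiled-in instruction sequence that legitimately rewrites the
# datum, registered ahead of time; the monitor keeps only its hash baseline.
REGISTERED_SEQUENCE = b"ldr x0,[x1]; orr x0,x0,#1; msr ttbr0_el1,x0; isb"
SEQUENCE_BASELINE = sha256_hex(REGISTERED_SEQUENCE)
# Constructed: expected access configuration of the dedicated memory
# (writable only by the tracing unit and the security processor).
EXPECTED_CONFIG = b"dedicated-mem rw: coresight, proc21"
DEDICATED_MEM_CONFIG_BASELINE = sha256_hex(EXPECTED_CONFIG)


class SecurityProcessor:
    """Processor 21's state: per-datum hash baselines and the simulated dedicated memory."""

    def __init__(self):
        self.data_baselines = {}   # datum name -> hash baseline of its current value
        self.dedicated_mem = b""   # simulated trace buffer inside storage device 103
        self.reset_requested = False

    def register_datum(self, name: str, value: bytes) -> None:
        self.data_baselines[name] = sha256_hex(value)

    def datum_is_intact(self, name: str, value: bytes) -> bool:
        """Periodic check: does the datum still match its baseline?"""
        return hmac.compare_digest(sha256_hex(value), self.data_baselines[name])

    def handle_rewrite_interrupt(self, name: str, new_value: bytes, config_reg: bytes) -> str:
        """Called when processor 101 raises the data-rewrite interrupt (steps 601-602)."""
        # Optional pre-check: if the dedicated memory's access configuration changed,
        # the captured sequence can no longer be trusted to come from the tracing unit.
        if not hmac.compare_digest(sha256_hex(config_reg), DEDICATED_MEM_CONFIG_BASELINE):
            return self._reset("dedicated-memory configuration altered")
        sequence = self.dedicated_mem                        # step 601
        if not sequence:
            return self._reset("no instruction sequence captured")
        if not hmac.compare_digest(sha256_hex(sequence), SEQUENCE_BASELINE):   # step 602
            return self._reset("instruction sequence is not the reference sequence")
        # Normal rewrite: adopt the new value as the baseline for later checks and
        # clear the buffer so the next rewrite can be traced.
        self.data_baselines[name] = sha256_hex(new_value)
        self.dedicated_mem = b""
        return "baseline_updated"

    def _reset(self, reason: str) -> str:
        """Models writing the reset instruction to the reset register."""
        self.reset_requested = True
        self.dedicated_mem = b""
        return "reset: " + reason


def tracing_unit_capture(sp: SecurityProcessor, sequence: bytes) -> None:
    """Models the on-chip tracing unit storing the rewrite sequence in the dedicated memory."""
    sp.dedicated_mem = sequence


def scenario(captured: bytes, config_reg: bytes = EXPECTED_CONFIG) -> str:
    """One rewrite of a constructed page-table-base datum; returns the monitor's verdict."""
    sp = SecurityProcessor()
    sp.register_datum("ttbr0", b"0x4000_0000")
    if captured:
        tracing_unit_capture(sp, captured)
    return sp.handle_rewrite_interrupt("ttbr0", b"0x4000_1000", config_reg)


if __name__ == "__main__":
    print(scenario(REGISTERED_SEQUENCE))                      # baseline_updated
    print(scenario(b"str x9,[x1]; msr ttbr0_el1,x9"))        # reset: ... not the reference sequence
    print(scenario(b""))                                      # reset: no instruction sequence captured
    print(scenario(REGISTERED_SEQUENCE, b"dedicated-mem rw: anyone"))   # reset: ... configuration altered
```

The comparison uses `hmac.compare_digest` so that the check does not leak, through its timing, how many leading digest characters matched; the ordering of the checks mirrors the paragraph, with the configuration pre-check first because a compromised buffer configuration invalidates everything read from it.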
The embodiment shown in FIG. 5 is described in detail below through specific scenarios. In this embodiment, when the external interrupt information indicates a switch from power-off mode to power-on mode or from sleep mode to awake mode, the processor 21 can, after powering on or waking up, periodically check whether the software driving the processor 101 has been rewritten; the detection period can be set by the timer. When the processor 21 detects that the software driving the processor 101 has been rewritten, it performs a security protection operation on the electronic apparatus 100. The software checked periodically under the timer may include but is not limited to the instructions and data of the system programs, the configuration information used for system configuration, and security data.
FIG. 7 is a schematic diagram of the processor 21 checking the software driving the electronic apparatus when the electronic apparatus leaves sleep mode.
701: in response to external interrupt information indicating exit from sleep mode, the processor 21 obtains the system programs driving the electronic apparatus (the system programs here include the image system programs of every processor, including but not limited to the program running the TEE and the program running the REE), the page table data, the data stored in the registers corresponding to the processor 101, and the data stored in the registers corresponding to the memory management unit.
702: the processor 21 hashes each of the four entries separately: the system programs driving the processor 101, the page table data, the data stored in the registers corresponding to the processor 101, and the data stored in the registers corresponding to the memory management unit.
703: the processor 21 compares the reference value obtained by hashing each entry with the pre-stored hash baseline value of the corresponding entry, and determines whether the hash value of each of the four entries equals the hash baseline value of the corresponding entry.
704: when the processor 21 detects that the reference value of at least one entry differs from its hash baseline value, the processor 21 can perform a global reset of the electronic apparatus.
FIG. 8 is a schematic diagram of the processor 21 checking the software run by the processor 101 when the operating environment of the processor 101 switches from REE to TEE.
Assume that the physical address range 0x05xxxx-0x06xxxx in the storage device 103 stores the program that switches the operating environment from REE to TEE. When the processor 101, based on an instruction, triggers the switch of the operating environment from REE to TEE, the processor 101 sends external interrupt information to the processor 21 indicating that the operating environment of the processor 101 is switching from REE to TEE. The processor 21 responds to the external interrupt information and, based on the pre-stored detection rule corresponding to the switch of the processor 101's operating environment from REE to TEE, executes the detection steps shown in FIG. 8: hash the program that drives the switch of the processor 101's operating environment from REE to TEE; compare the hashed value with the hash baseline value corresponding to that program to determine whether the two are the same; if they differ, write a reset instruction to the reset register of the electronic apparatus 100 so that the electronic apparatus 100 resets based on the reset instruction. In this application scenario, if the hashed value equals the hash baseline value corresponding to the program, the detection steps above are repeated until the processor 21 detects that the operating environment of the processor 101 has switched from TEE to REE.
FIG. 9 is a schematic diagram of the processor 21 checking the software run by the processor 101 when the processor 101 executes a face unlock event.
Assume that the physical address range 0x08xxxx-0x09xxxx in the storage device 103 stores the application program of the face recognition application. When the electronic apparatus, based on an instruction, triggers a face unlock event, the external input/output device (for example the screen) or the processor 101 sends external interrupt information to the processor 21 indicating that the electronic apparatus is executing a face unlock event. The processor 21 responds to the external interrupt information and, based on the pre-stored detection rule corresponding to the face unlock event, executes the detection steps shown in FIG. 9: hash the application program that drives the electronic apparatus to execute the face recognition event; compare the hashed value with the baseline value of that application program to determine whether the two are the same; if they differ, refuse to unlock; if they are the same, the key for obtaining the face template can be provided to the processor 101, which can use that key data to obtain the face template for face comparison.
As FIG. 8 and FIG. 9 show, the processor 21 uses different detection periods, and different security protection operations on the electronic device 100 after detecting that an application program has been tampered with, depending on the event the processor 101 is executing. Handling each event the processor 101 executes in a targeted way improves the accuracy of detection and thereby safeguards the secure operation of the electronic apparatus 100.
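The per-event detection rules of steps 503 to 504 and the three scenarios of FIG. 7 to FIG. 9, as one added example that is not code from the patent or from Huawei. It models how the processor 21 applies a pre-stored rule (content items with their memory or register locations and hash baselines, a detection period, and the protective action for tampering) to a snapshot of the memory and registers the processor 101 runs from, and how the REE-to-TEE rule repeats the check once per timer period until the environment switches back. The memory image, the register contents, the event names, the rule table and the `GENUINE_*`/`provision` helpers are constructed for illustration; the address ranges are the patent's illustrative ones, and SHA-256 from `hashlib` stands in for the hash accelerator 22.

```python
"""Event-driven detection rules on the isolated security processor (added example)."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed memory image of storage device 103: physical address -> content.
GENUINE_MEMORY = {
    0x050000: b"REE->TEE switch program (constructed image)",
    0x070000: b"unlock program (constructed image)",
    0x080000: b"face recognition application (constructed image)",
    0x100000: b"face template / security data (constructed)",
}
# Constructed register file; "c1" holds the TrustZone resource configuration.
GENUINE_REGISTERS = {"c1": b"REE may access 0x05..; TEE may access 0x05.., 0x10.."}


def sha256_hex(data: bytes) -> str:
    """Stands in for hash accelerator 22 (SHA-256)."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class Item:
    name: str
    location: str   # "mem" (physical address) or "reg" (register name)
    key: object     # the address or register name
    baseline: str   # pre-stored hash baseline value


@dataclass(frozen=True)
class Rule:
    items: tuple    # content to check, in order
    period_ms: int  # 0 = single detection, otherwise the timer period
    on_tamper: str  # security protection operation for this event
    on_ok: str      # what the monitor does when every item matches


def provision(name: str, location: str, key) -> Item:
    """Compute an item's baseline from the genuine image (done once, at provisioning)."""
    src = GENUINE_MEMORY if location == "mem" else GENUINE_REGISTERS
    return Item(name, location, key, sha256_hex(src[key]))


SWITCH = provision("ree_to_tee_program", "mem", 0x050000)
UNLOCK = provision("unlock_program", "mem", 0x070000)
FACE_APP = provision("face_recognition_app", "mem", 0x080000)
CONFIG = provision("trustzone_config", "reg", "c1")
SECDATA = provision("security_data", "mem", 0x100000)

# Constructed rule table keyed by the event carried in the external interrupt.
RULES = {
    "wake_up":     Rule((SWITCH, UNLOCK, CONFIG, SECDATA), 1, "global_reset", "continue"),
    "ree_to_tee":  Rule((SWITCH,), 1, "reset", "continue"),
    "face_unlock": Rule((FACE_APP, UNLOCK, CONFIG, SECDATA), 0, "deny_unlock",
                        "provide_face_template_key"),
}


def measure(item: Item, memory: dict, registers: dict) -> str:
    src = memory if item.location == "mem" else registers
    return sha256_hex(src[item.key])


def check_event(event: str, memory: dict, registers: dict):
    """One detection pass (steps 503-504): returns (action, first tampered item or None)."""
    rule = RULES[event]
    for item in rule.items:
        if not hmac.compare_digest(measure(item, memory, registers), item.baseline):
            return rule.on_tamper, item.name
    return rule.on_ok, None


def monitor_while(event: str, snapshots, still_active):
    """Periodic variant (FIG. 8): re-run the check once per timer period over successive
    (memory, registers) snapshots until tampering is found or still_active(passes)
    reports that the environment switched back. Returns (action, item, passes)."""
    passes = 0
    for memory, registers in snapshots:
        passes += 1
        action, bad = check_event(event, memory, registers)
        if bad is not None:
            return action, bad, passes
        if not still_active(passes):
            break
    return "stopped", None, passes


if __name__ == "__main__":
    print(check_event("face_unlock", GENUINE_MEMORY, GENUINE_REGISTERS))
    patched = dict(GENUINE_MEMORY, **{0x080000: b"patched face app"})
    print(check_event("face_unlock", patched, GENUINE_REGISTERS))
```

Two design points follow from the paragraph. The action is looked up from the rule rather than hard-coded, which is what lets the same measurement loop end in a global reset after wake-up but only a refused unlock during face unlock; and the periodic variant stops on the first mismatch, so a tampered switch program is never re-measured while the device is in its reset path.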
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art should understand that the technical solutions recorded in the foregoing embodiments may still be modified, or some or all of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of this application.

Claims (13)

  1. An electronic apparatus, characterized in that the electronic apparatus includes a security protection apparatus and a first processor, there being security isolation between the security protection apparatus and the first processor;
    the first processor is configured to run under the drive of software, the software including an operating system and an application;
    the security protection apparatus is configured to perform security detection on the software and, upon detecting that the software has been tampered with, to perform a security protection operation on the electronic apparatus.
  2. The electronic apparatus according to claim 1, characterized in that the security protection operation includes one or more of: triggering an alarm, resetting the electronic apparatus, denying a service requested by the software, instructing the first processor to stop running, instructing the first processor to stop running the software, disabling at least part of the functions of the software, or preventing the software from accessing data stored in the electronic apparatus.
  3. The electronic apparatus according to claim 1 or 2, characterized in that the security isolation includes at least one of: working-system isolation, power isolation, or clock signal isolation.
  4. The electronic apparatus according to any one of claims 1 to 3, characterized in that the security detection includes:
    detecting whether at least one of the instructions or the data of the software is preset information.
  5. The electronic apparatus according to any one of claims 1 to 4, characterized in that the first processor includes an on-chip tracing unit;
    the on-chip tracing unit is configured to store, when the first processor rewrites data, the instruction sequence used to rewrite the data in a dedicated memory.
  6. The electronic apparatus according to claim 5, characterized in that the security detection includes: detecting whether the instruction sequence stored in the dedicated memory is a reference instruction sequence.
  7. The electronic apparatus according to claim 5 or 6, characterized in that the electronic apparatus includes a memory configured to store the instructions and data of the software;
    the dedicated memory is a storage space set up within the memory and dedicated to reads and writes by the on-chip tracing unit and the security protection apparatus.
  8. The electronic apparatus according to any one of claims 1 to 7, characterized in that the security protection apparatus includes a second processor;
    the second processor is configured to: perform periodic security detection on the software at a time set by a timer; or perform security detection on the software based on an interrupt event sent by the first processor.
  9. The electronic apparatus according to claim 8, characterized in that the security protection apparatus further includes a hash accelerator, the hash accelerator being coupled to the second processor;
    when performing security detection on the software, the second processor is configured to:
    control the hash accelerator to obtain the software and hash the obtained software to obtain a reference value;
    compare the reference value with a pre-stored hash baseline value and determine, based on the comparison result, whether the software has been tampered with.
  10. The security protection apparatus according to claim 8 or 9, characterized in that the security protection apparatus further includes a watchdog, the electronic apparatus further includes a reset unit, and the watchdog is coupled to the second processor and to the reset unit;
    the second processor is further configured to periodically send a heartbeat instruction to the watchdog;
    the watchdog is configured to reset the electronic apparatus through the reset unit when it does not receive the heartbeat instruction sent by the second processor within a predetermined time.
  11. The electronic apparatus according to any one of claims 1 to 10, characterized in that the operating system includes a rich execution environment REE and a trusted execution environment TEE.
  12. The electronic apparatus according to claim 11, characterized in that the security protection apparatus is specifically configured to:
    when the operating environment of the first processor switches from REE to TEE, periodically perform the security detection on the software that drives the switch of the first processor's operating environment and on the software running in the TEE;
    when the operating environment of the first processor switches from TEE to REE, stop performing the security detection.
  13. A security protection method applied to an electronic apparatus, characterized in that the method includes:
    a first processor in the electronic apparatus runs under the drive of software, the software including an operating system and an application;
    a security protection apparatus in the electronic apparatus performs security detection on the software, there being security isolation between the security protection apparatus and the first processor;
    upon detecting that the software has been tampered with, the security protection apparatus performs a security protection operation on the electronic apparatus.
PCT/CN2020/078092 2020-03-06 2020-03-06 Electronic apparatus and security protection method WO2021174512A1 (zh)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN202080002140.6A CN113692583A (zh) 2020-03-06 2020-03-06 Electronic apparatus and security protection method
PCT/CN2020/078092 WO2021174512A1 (zh) 2020-03-06 2020-03-06 Electronic apparatus and security protection method
EP20923164.6A EP4095725A4 (en) 2020-03-06 2020-03-06 ELECTRONIC DEVICE AND SECURITY PROTECTION METHOD
US17/902,220 US20220414216A1 (en) 2020-03-06 2022-09-02 Electronic apparatus and security protection method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2020/078092 WO2021174512A1 (zh) 2020-03-06 2020-03-06 Electronic apparatus and security protection method

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US17/902,220 Continuation US20220414216A1 (en) 2020-03-06 2022-09-02 Electronic apparatus and security protection method

Publications (1)

Publication Number Publication Date
WO2021174512A1 true WO2021174512A1 (zh) 2021-09-10

Family

ID=77613817

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2020/078092 WO2021174512A1 (zh) 2020-03-06 2020-03-06 Electronic apparatus and security protection method

Country Status (4)

Country Link
US (1) US20220414216A1 (zh)
EP (1) EP4095725A4 (zh)
CN (1) CN113692583A (zh)
WO (1) WO2021174512A1 (zh)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150113642A1 (en) * 2005-12-23 2015-04-23 Texas Instruments Incorporated Method and system for preventing unauthorized processor mode switches
CN106909835A (zh) * 2016-12-28 2017-06-30 中软信息系统工程有限公司 A kernel integrity measurement method based on a CPU spatial-temporal isolation mechanism
CN107194284A (zh) * 2017-06-22 2017-09-22 济南浪潮高新科技投资发展有限公司 A method and system for isolating user data based on TrustZone
CN109522754A (zh) * 2018-11-28 2019-03-26 中国科学院信息工程研究所 A core control method for a trusted isolation environment on a mobile terminal

Family Cites Families (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB9922665D0 (en) * 1999-09-25 1999-11-24 Hewlett Packard Co A method of enforcing trusted functionality in a full function platform
US8955104B2 (en) * 2004-07-07 2015-02-10 University Of Maryland College Park Method and system for monitoring system memory integrity
CA2504336A1 (en) * 2005-04-15 2006-10-15 Symbium Corporation Method and apparatus for building an autonomic controller system
US9158916B2 (en) * 2012-10-17 2015-10-13 Intel Corporation Unauthorized access and/or instruction prevention, detection, and/or remediation, at least in part, by storage processor
US9817992B1 (en) * 2015-11-20 2017-11-14 Sprint Communications Company Lp. System and method for secure USIM wireless network access
CN106603487B (zh) * 2016-11-04 2020-05-19 中软信息系统工程有限公司 A method for improving the security of TLS protocol processing based on a CPU spatial-temporal isolation mechanism
WO2018119904A1 (zh) * 2016-12-29 2018-07-05 华为技术有限公司 A system on chip and method for implementing secure operating system switching
KR101922798B1 (ko) * 2017-03-07 2018-11-27 한국과학기술원 Method and apparatus for creating a secure execution environment on a mobile device that guarantees generality and interworking with TrustZone functions
US10805349B2 (en) * 2017-03-29 2020-10-13 At&T Intellectual Property I, L.P. Method and system to secure and dynamically share IOT information cross multiple platforms in 5G network
CN109670312A (zh) * 2017-10-13 2019-04-23 华为技术有限公司 Security control method and computer system
CA3095222A1 (en) * 2018-03-27 2020-09-25 Avidbots Corp Safety systems for semi-autonomous devices and methods of using the same
CN110348252B (zh) * 2018-04-02 2021-09-03 华为技术有限公司 Trust-zone-based operating system and method
US10880099B2 (en) * 2018-05-23 2020-12-29 Wipro Limited Method and system for protecting computing devices from malwares

Also Published As

Publication number Publication date
EP4095725A4 (en) 2023-01-11
CN113692583A (zh) 2021-11-23
EP4095725A1 (en) 2022-11-30
US20220414216A1 (en) 2022-12-29

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20923164

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020923164

Country of ref document: EP

Effective date: 20220825

NENP Non-entry into the national phase

Ref country code: DE