WO2023273933A1 - Method for authenticating system on chip, and related product - Google Patents

Info

Publication number
WO2023273933A1
Authority
WO
WIPO (PCT)
Prior art keywords
authentication
chip
evidence
information
key
Application number
PCT/CN2022/099768
Other languages
French (fr)
Chinese (zh)
Inventor
张常辉
张伟
任聪
Original Assignee
寒武纪行歌(南京)科技有限公司
Application filed by 寒武纪行歌(南京)科技有限公司
Publication of WO2023273933A1

Classifications

    • G PHYSICS
      • G06 COMPUTING; CALCULATING OR COUNTING
        • G06F ELECTRIC DIGITAL DATA PROCESSING
          • G06F15/00 Digital computers in general; Data processing equipment in general
            • G06F15/76 Architectures of general purpose stored program computers
              • G06F15/78 Architectures of general purpose stored program computers comprising a single central processing unit
                • G06F15/7807 System on chip, i.e. computer system on a single chip; System in package, i.e. computer system on one or more chips in a single package
          • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
              • G06F21/44 Program or device authentication
            • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
              • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information

Definitions

  • the present disclosure relates generally to the field of authentication technologies. More specifically, the present disclosure relates to a method for authenticating a system on chip, a system on chip for performing the aforementioned method, an authentication device and a computer program product, and an authentication system including the aforementioned system on chip and the authentication device.
  • SoC System on Chip
  • TPM Trusted Platform Module
  • this disclosure proposes a scheme for authenticating a system on chip.
  • the system-on-chip authentication can be realized without adding additional dedicated hardware.
  • the authentication scheme disclosed in the present disclosure not only reduces the authentication cost of the SoC, but also ensures the security of the SoC and further raises its security authentication level.
  • the present disclosure provides a scheme for authenticating a system on chip in the following aspects.
  • the present disclosure provides a method for authenticating a system-on-chip, including: receiving an authentication request for authenticating the system-on-chip from an authentication device, wherein the authentication request includes first authentication information; determining authentication evidence according to the first authentication information and second authentication information; and sending the authentication evidence to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the system-on-chip in the running phase is trustworthy.
  • the present disclosure provides a method for authenticating a system-on-chip, comprising: generating an authentication request for initiating authentication of the system-on-chip, wherein the authentication request includes first authentication information; sending the authentication request to the system-on-chip, so that the system-on-chip, on receiving the authentication request, determines authentication evidence based on the second authentication information and the first authentication information; receiving the authentication evidence from the system-on-chip; and authenticating whether the system-on-chip in the running phase is trustworthy according to the authentication evidence.
  • the present disclosure provides a method for authenticating a system-on-chip, including: executing at an authentication device: initiating an authentication request for authenticating the system-on-chip, wherein the authentication request includes first authentication information, and sending the authentication request to the system-on-chip; executing at the system-on-chip in the running phase: receiving the authentication request from the authentication device, determining authentication evidence according to the first authentication information and the second authentication information, and sending the authentication evidence to the authentication device; and executing at the authentication device: receiving the authentication evidence, and authenticating whether the system-on-chip in the running phase is trustworthy according to the authentication evidence.
  • the present disclosure provides a system-on-chip, including: a processor; and a memory storing a program that, when executed by the processor, causes the system-on-chip to perform the method provided by the first aspect of the present disclosure.
  • the present disclosure provides an authentication device for authenticating a system on chip, including: a processor; and a memory storing a program that, when executed by the processor, causes the authentication device to execute the method provided by the second aspect of the present disclosure and the methods of the multiple embodiments described below.
  • the present disclosure provides a computer program product, including a computer program for authenticating a system-on-chip, which, when executed by a processor, implements the method provided by the first aspect of the present disclosure and the methods of the multiple embodiments described below, or implements the method provided by the second aspect of the present disclosure and the methods of the multiple embodiments described below.
  • the present disclosure provides an authentication system for authenticating a system-on-chip, including: at least one system-on-chip as described above, configured to execute the method provided by the first aspect of the present disclosure and the methods of the multiple embodiments described below so as to generate the authentication evidence; and the aforementioned authentication device, configured to execute the method provided by the second aspect of the present disclosure and the methods of the multiple embodiments described below so as to authenticate, according to the authentication evidence, whether the system-on-chip in the running phase is trustworthy.
  • the present disclosure can realize effective security authentication of the system on chip, especially effective authentication of the system on chip during the running phase.
  • the scheme of the present disclosure determines the authentication evidence from the first authentication information on the authentication device side and the second authentication information on the SoC side, so that the authentication device can use the authentication evidence to authenticate whether the SoC in the running phase is trustworthy.
  • in the authentication scheme of the present disclosure, no additional dedicated hardware needs to be added anywhere in the authentication process, which effectively reduces the authentication cost.
  • the system on chip can be applied to low-cost technical fields (such as low-cost Internet of Things field), thereby broadening the application market of the system on chip.
  • the authentication evidence of the present disclosure may include sensitive information about the SoC; for example, the sensitive information may include encrypted system configuration parameters and system memory fill values. With such a setting, by authenticating the aforementioned sensitive information, the solution of the present disclosure can confirm not only whether the SoC in the startup phase is trustworthy, but also, in a timely manner, whether the SoC in the running phase is trustworthy. Therefore, the solution of the present disclosure ensures the security of the system on chip and further raises its security authentication level.
  • FIG. 1 is a structural diagram showing a board according to an embodiment of the present disclosure
  • FIG. 2 is a structural diagram illustrating a combination processing device according to an embodiment of the present disclosure
  • FIG. 3 is a schematic diagram showing the internal structure of a computing device according to an embodiment of the present disclosure.
  • FIG. 4 is a schematic diagram showing the internal structure of a processor core according to an embodiment of the present disclosure
  • FIG. 5 is a schematic diagram illustrating a data writing process between processing cores of different clusters according to an embodiment of the present disclosure
  • FIG. 6A is a flowchart illustrating a method for authenticating a system-on-chip according to one embodiment of the present disclosure
  • FIG. 6B is a flowchart illustrating a method of generating authentication evidence according to one embodiment of the present disclosure
  • FIG. 7A is a flowchart illustrating a method for authenticating a system on chip according to another embodiment of the present disclosure
  • FIG. 7B is a flow chart illustrating a method for authenticating a system-on-chip according to an authentication evidence according to another embodiment of the present disclosure
  • FIG. 8 is a schematic diagram illustrating an authentication interaction process between devices in an authentication system according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic diagram illustrating an authentication interaction process between devices in an authentication system according to another embodiment of the present disclosure.
  • the term “if” may be interpreted as “when” or “once” or “in response to determining” or “in response to detecting” depending on the context.
  • the phrase “if determined” or “if [the described condition or event] is detected” may be construed, depending on the context, to mean “once determined” or “in response to the determination” or “once [the described condition or event] is detected” or “in response to detection of [the described condition or event]”.
  • FIG. 1 shows a schematic structural diagram of a board 10 according to an embodiment of the present disclosure.
  • the board 10 includes a chip 101, which is a system-on-chip (SoC) integrated with one or more combination processing devices; the combination processing device is an artificial intelligence computing unit that supports various deep learning and machine learning algorithms, to meet the intelligent processing requirements of complex scenarios in the fields of computer vision, speech, natural language processing and data mining.
  • deep learning technology is widely used in the field of cloud intelligence.
  • a notable feature of cloud intelligence applications is the large amount of input data, which has high requirements for the storage capacity and computing power of the platform.
  • the board 10 of this embodiment is suitable for cloud intelligence applications, having large off-chip storage, large on-chip storage and substantial computing power.
  • the chip 101 is connected to an external device 103 through an external interface device 102 .
  • the external device 103 is, for example, a server, a computer, a camera, a display, a mouse, a keyboard, a network card or a wifi interface, and the like.
  • the data to be processed can be transmitted to the chip 101 by the external device 103 through the external interface device 102 .
  • the calculation result of the chip 101 can be sent back to the external device 103 via the external interface device 102 .
  • the external interface device 102 may have different interface forms, such as a PCIe interface and the like.
  • the board 10 also includes a storage device 104 for storing data, which includes one or more storage units 105 .
  • the storage device 104 is connected to the control device 106 and the chip 101 through a bus and exchanges data with them.
  • the control device 106 in the board 10 is configured to regulate the state of the chip 101 .
  • the control device 106 may include a microcontroller (Micro Controller Unit, MCU).
  • FIG. 2 is a block diagram showing the combination processing device in the chip 101 of this embodiment.
  • the combination processing device 20 includes a computing device 201, an interface device 202, a processing device 203 and a DRAM 204.
  • the computing device 201 is configured to perform operations specified by the user, and is mainly implemented as a single-core intelligent processor or a multi-core intelligent processor for performing deep learning or machine learning calculations; it can interact with the processing device 203 through the interface device 202 to jointly complete the user-specified operations.
  • the interface device 202 is used to transmit data and control instructions between the computing device 201 and the processing device 203 .
  • the computing device 201 may obtain input data from the processing device 203 via the interface device 202 and write it into a storage device on the computing device 201 .
  • the computing device 201 may obtain control instructions from the processing device 203 via the interface device 202 and write them into the control cache on the chip of the computing device 201 .
  • the interface device 202 may also read data in the storage device of the computing device 201 and transmit it to the processing device 203 .
  • the processing device 203 performs basic control including but not limited to data transfer, starting and/or stopping the computing device 201 .
  • the processing device 203 may be one or more types of a central processing unit (central processing unit, CPU), a graphics processing unit (graphics processing unit, GPU) or other general-purpose and/or special-purpose processors.
  • the general-purpose and/or special-purpose processors include, but are not limited to, digital signal processors (DSPs), application specific integrated circuits (ASICs), field-programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc., and their number can be determined according to actual needs.
  • the computing device 201 of the present disclosure can be regarded as having a single-core structure or a homogeneous multi-core structure. However, when considering the integration of the computing device 201 and the processing device 203 together, they are considered to form a heterogeneous multi-core structure.
  • the DRAM 204 is used to store data to be processed, and is a DDR memory, usually 16G or larger in size, for storing data of the computing device 201 and/or the processing device 203.
  • FIG. 3 shows a schematic diagram of the internal structure of the computing device 201 .
  • the computing device 201 is used for processing input data such as computer vision, speech, natural language, and data mining.
  • the computing device 201 in the figure adopts a multi-core hierarchical structure design, and the computing device 201 is a system-on-chip, which includes multiple clusters, and each cluster includes multiple processor cores. In other words, the computing device 201 is structured at the level of SoC-cluster-processor core.
  • the computing device 201 includes an external storage controller 301 , a peripheral communication module 302 , an on-chip interconnection module 303 , a synchronization module 304 and multiple clusters 305 .
  • the peripheral communication module 302 is used for receiving a control signal from the processing device 203 through the interface device 202 to start the computing device 201 to execute tasks.
  • the on-chip interconnection module 303 connects the external memory controller 301 , the peripheral communication module 302 and multiple clusters 305 to transmit data and control signals among the various modules.
  • the synchronization module 304 is a global synchronization barrier controller (global barrier controller, GBC), which is used to coordinate the work progress of each cluster and ensure the synchronization of information.
  • GBC global barrier controller
  • a plurality of clusters 305 are the computing cores of the computing device 201 , exemplarily four are shown in the figure. With the development of hardware, the computing device 201 of the present disclosure may also include 8, 16, 64, or even more clusters 305 . Cluster 305 is used to efficiently execute deep learning algorithms.
  • each cluster 305 includes a plurality of processor cores (IPU core) 306 and a storage core (MEM core) 307.
  • processor cores IPU core
  • MEM core storage core
  • processor cores 306 are exemplarily shown in the figure, and the present disclosure does not limit the number of processor cores 306. The internal architecture of a processor core 306 is shown in FIG. 4: each processor core 306 includes three modules, a control module 41, an operation module 42 and a storage module 43.
  • the control module 41 is used to coordinate and control the work of the operation module 42 and the storage module 43 to complete the task of deep learning, which includes an instruction fetch unit (instruction fetch unit, IFU) 411 and an instruction decoding unit (instruction decode unit, IDU) 412.
  • the instruction fetch unit 411 is used to obtain instructions from the processing device 203, and the instruction decode unit 412 decodes the obtained instructions and sends the decoding results to the operation module 42 and the storage module 43 as control information.
  • the operation module 42 includes a vector operation unit 421 and a matrix operation unit 422 .
  • the vector operation unit 421 is used to perform vector operations, and can support complex operations such as vector multiplication, addition, and nonlinear transformation;
  • the matrix operation unit 422 is responsible for the core calculation of the deep learning algorithm, namely matrix multiplication and convolution.
  • the storage module 43 is used to store or carry relevant data, and includes a neuron storage unit (neuron RAM, NRAM) 431, a weight storage unit (weight RAM, WRAM) 432, an input/output direct memory access module (IODMA) 433 and a move direct memory access module (MVDMA) 434.
  • NRAM 431 is used to store the input and output data and intermediate results calculated by processor core 306;
  • WRAM 432 is used to store the weights of the deep learning network;
  • IODMA 433 controls the access of NRAM 431/WRAM 432 and DRAM 204 through broadcast bus 309
  • MVDMA 434 is used to control the memory access of NRAM 431/WRAM 432 and SRAM 308.
  • the storage core 307 is mainly used for storage and communication, that is, storing shared data or intermediate results between the processor cores 306, and performing communication between the cluster 305 and the DRAM 204, communication between the clusters 305, communication between the processor cores 306, and the like.
  • the storage core 307 has a scalar operation capability, and is used for performing scalar operations.
  • the storage core 307 includes a shared memory unit (SRAM) 308, a broadcast bus 309, a cluster direct memory access module (cluster direct memory access, CDMA) 310 and a global direct memory access module (global direct memory access, GDMA) 311.
  • SRAM shared memory unit
  • CDMA cluster direct memory access
  • GDMA global direct memory access module
  • the SRAM 308 assumes the role of a high-performance data transfer station.
  • the data multiplexed between different processor cores 306 in the same cluster 305 does not need to be obtained from the DRAM 204 by each processor core 306 separately, but is relayed between the processor cores 306 through the SRAM 308.
  • the storage core 307 only needs to quickly distribute the multiplexed data from the SRAM 308 to multiple processor cores 306, so as to improve the communication efficiency between cores and greatly reduce on-chip and off-chip input/output access.
  • the broadcast bus 309, the CDMA 310 and the GDMA 311 are respectively used to perform communication between the processor cores 306, communication between the clusters 305, and data transmission between the clusters 305 and the DRAM 204. They will be described separately below.
  • the broadcast bus 309 is used to complete high-speed communication among the processor cores 306 in the cluster 305.
  • the broadcast bus 309 of this embodiment supports inter-core communication methods including unicast, multicast and broadcast.
  • unicast refers to point-to-point (that is, single processor core to single processor core) data transmission; multicast is a communication method that transmits a piece of data from the SRAM 308 to specific processor cores 306; and broadcast is a communication method that transmits a piece of data from the SRAM 308 to all processor cores 306, which is a special case of multicast.
  • the CDMA 310 is used to control the memory access of the SRAM 308 between different clusters 305 in the same computing device 201.
  • FIG. 5 shows a schematic diagram when one processor core intends to write data to another cluster of processor cores to illustrate the working principle of CDMA 310.
  • the same computing device includes multiple clusters.
  • cluster 0 and cluster 1 are shown in the figure, and cluster 0 and cluster 1 include multiple processor cores respectively.
  • cluster 0 in the figure only shows processor core 0, and cluster 1 only shows processor core 1.
  • Processor core 0 intends to write data to processor core 1.
  • processor core 0 sends a unicast write request to write data into local SRAM 0; CDMA 0 acts as the master end and CDMA 1 acts as the slave end.
  • the master pushes the write request to the slave, that is, the master sends the write address AW and write data W, and transfers the data to SRAM 1 of cluster 1.
  • the slave sends a write response B as a response, and finally processor core 1 of cluster 1 sends a unicast read request to read data from SRAM 1.
  • the GDMA 311 cooperates with the external storage controller 301 to control the memory access from the SRAM 308 of the cluster 305 to the DRAM 204, or to read data from the DRAM 204 to the SRAM 308.
  • the communication between the DRAM 204 and the NRAM 431 or WRAM 432 can be realized through two channels.
  • the first channel directly connects DRAM 204 and NRAM 431 or WRAM 432 through IODMA 433;
  • the second channel first transfers data between DRAM 204 and SRAM 308 through GDMA 311, and then transfers data between SRAM 308 and NRAM 431 or WRAM 432 through MVDMA 434.
  • the bandwidth of the second channel is much greater than that of the first channel. Therefore, communication between DRAM 204 and NRAM 431 or WRAM 432 may be more efficient through the second channel.
  • the embodiment of the present disclosure can select a data transmission channel according to its own hardware conditions.
  • the functionality of the GDMA 311 and the functionality of the IODMA 433 may be integrated into the same component.
  • this disclosure considers GDMA 311 and IODMA 433 as different components.
  • the function of GDMA 311, the function of IODMA 433, the function of CDMA 310 and the function of MVDMA 434 can also be realized by the same component, without departing from the protection scope of this disclosure.
  • this disclosure proposes to use the authentication device to interact with the SoC to obtain authentication evidence from the SoC, so that the authenticity of the system on chip can be authenticated using the authentication evidence.
  • the generation of authentication evidence at the system-on-chip side of the present disclosure involves the application of a device identity combination engine (DICE).
  • DICE device identity combination engine
  • TCG Trusted Computing Group
  • DICE can divide the entire boot process into multiple layers, and use a unique device secret (UDS, Unique Device Secret) known only to DICE to create confidential information unique to each software layer in secure boot.
  • UDS Unique Device Secret
  • schemes of the present disclosure use DICE to form authentication evidence for authentication.
  • FIG. 6A is a flowchart illustrating a method 600 for authenticating a system-on-chip according to one embodiment of the present disclosure. It can be understood that the system-on-chip here may be the system-on-chip described above in conjunction with FIG. 1 to FIG. 5 , so the above description about the system-on-chip is also applicable to the following description.
  • an authentication request for authenticating a system on chip is received from an authentication device, wherein the authentication request includes first authentication information.
  • the aforementioned first authentication information may be dynamically generated by the authentication device, and may be used to indicate the validity of the authentication evidence in the context of the present disclosure.
  • the first authentication information may include a random number, such as a Nonce value. It can be understood that, here, the random number is used as an example to describe the first authentication information for the purpose of illustration only.
  • the present disclosure does not place any limitation on the specific content of the first authentication information, and therefore other information that can be used to indicate the timeliness of the authentication evidence is also applicable to the solution of the present disclosure.
  • authentication evidence is determined according to the first authentication information and the second authentication information.
  • the second authentication information can be obtained from the system on chip.
  • the second authentication information may include sensitive information of the SoC and a key dynamically generated based on the device identity combination engine DICE.
  • the aforementioned sensitive information may include encrypted system configuration parameters (SysCfg) and system memory fill values (MemFill).
  • the encryption here may include, but is not limited to, encryption based on one-way operations (such as HASH, HMAC and MD5).
  • the present disclosure proposes to obtain the unique identification information (SoCID) of the system on chip, and to let the device identity combination engine DICE perform the following steps: use the unique identification information to generate the unique device secret UDS, and generate an asymmetric encryption key based on the unique device secret.
  • a random number is dynamically generated based on the device identity combination engine, and a one-way operation (including but not limited to HASH, HMAC and other algorithms) is performed on the random number and the unique identification information to obtain the unique device secret UDS.
  • unique identification information SoCID may be generated each time the system on chip is started. Through such a generation method, the authentication scheme of the present disclosure does not need to securely store the unique identification information SoCID, thereby simplifying the authentication operation.
  • the following operations can be performed by the device identity combination engine DICE: measure the integrity of image loading to obtain a measurement value for each software layer; then perform a one-way operation (including but not limited to HASH, HMAC and other algorithms) on the measurement values of all software layers together with the unique device secret to obtain the initial value of the key; finally, perform a key derivation operation (such as a KDF key derivation function) on the initial value of the key to obtain the key.
  • a key derivation operation such as a KDF key derivation function
  • the solution of the present disclosure only needs to deploy the one-way operation in DICE in the process of obtaining the initial value of the key, instead of deploying the one-way operation hierarchically in each software layer as in the prior art. Therefore, the disclosed solution effectively simplifies the entire deployment process and improves the key generation efficiency.
  • the above-mentioned specific generation process of the UDS and the key is only a possible implementation, and the solution of the present disclosure is not limited thereto. According to the teaching of the present disclosure, those skilled in the art can also take other suitable steps or ways to realize the generation of UDS and key.
  • the keys mentioned above in this disclosure may include public keys and private keys.
  • the process of generating the authentication evidence in the aforementioned step S602 can be realized through the steps S602-1 and S602-2 shown in FIG. 6B.
  • DICE may encrypt and sign sensitive information (such as the aforementioned SysCfg and MemFill) and first authentication information (such as the aforementioned Nonce value) according to the aforementioned private key.
  • DICE may generate an authentication evidence according to the public key, the encrypted and signed sensitive information, and the first authentication information.
  • at step S603, the authentication evidence is sent to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the SoC in the running phase is trustworthy.
  • the authentication process on the SoC side of the present disclosure is exemplarily described above with reference to FIG. 6A and FIG. 6B.
  • the authentication process of the SoC initiated from the authentication device side will be described below in conjunction with FIG. 7A and FIG. 7B.
  • FIG. 7A is a flowchart illustrating a method 700 for authenticating a system on chip according to another embodiment of the present disclosure.
  • the system-on-chip here may be the system-on-chip described above in conjunction with FIG. 1 to FIG. 5 , so the above description about the system-on-chip is also applicable to the following description.
  • an authentication request for initiating authentication of the SoC is generated, wherein the authentication request includes first authentication information.
  • the aforementioned first authentication information can be dynamically generated by the authentication device every time an authentication request is generated, and can be used to indicate the timeliness of the authentication evidence in the context of the present disclosure, so that the authentication evidence generated this time is only valid during this authentication process.
  • the foregoing first authentication information may include a random number, such as a Nonce value. It can be understood that, here, the random number is used as an example to describe the first authentication information for the purpose of illustration only.
  • at step S702, the authentication request is sent to the SOC, so that when the SOC receives the authentication request, the authentication evidence is determined based on the second authentication information and the first authentication information.
  • the second authentication information and authentication evidence here may be the authentication evidence described above in conjunction with FIG. 6 , so the foregoing descriptions about the second authentication information and authentication evidence are also applicable to the description below.
  • at step S703, the authentication evidence is received from the system on chip, and at step S704, whether the system on chip in the running stage is trustworthy is authenticated according to the authentication evidence.
  • when the authentication device determines whether the SoC is trustworthy according to the authentication evidence, this may be implemented through the steps shown in FIG. 7B .
  • reference evidence related to authenticating the SoC is obtained.
  • the foregoing reference evidence includes a reference public key and reference sensitive information.
  • in one embodiment, the reference public key can be obtained by performing an encryption operation on the public key among the aforementioned keys.
  • the aforementioned reference public key may be stored in a memory (such as a database) on the side of the authentication device.
  • the above reference sensitive information may also be stored in a memory on the side of the authentication device.
  • the reference sensitive information here may also include the sensitive information mentioned above on the system-on-chip side, that is, the encrypted system configuration parameters and system memory fill values.
  • encryption here may include, but is not limited to, encryption operations performed based on one-way operations (such as HASH, HMAC, MD5, etc.).
  • the system configuration parameters and system memory fill value on the system-on-chip side and in the reference sensitive information should be configured to the same values, to facilitate authentication during the later runtime stage.
  • the aforementioned judging operation can be performed based on whether the public key and sensitive information match or not.
  • the public key in the authentication evidence can be verified according to the aforementioned reference public key.
  • the public key in the aforementioned authentication evidence may be processed with the same encryption operation (such as HASH, HMAC, etc.) that was used to obtain the aforementioned reference public key, and the result compared with the reference public key.
  • the sensitive information in the aforementioned authentication evidence can be decrypted according to the public key.
  • the aforementioned determination operation is only a possible implementation manner, and the solution of the present disclosure is not limited thereto. According to the teaching of the present disclosure, those skilled in the art may also take other appropriate steps or methods to determine whether the aforementioned reference evidence matches the authentication evidence.
  • at step S704-3, the system-on-chip in the running stage is determined to be trustworthy.
  • at step S704-4, the system-on-chip in the running stage is determined to be untrusted.
  • the authentication device, as the authentication initiator, can infer that the system-on-chip is already in an untrusted state at this time, and can take further measures to eliminate potential risks, such as forcibly shutting down the entire system-on-chip or taking it for overhaul or maintenance.
  • FIG. 8 is a schematic diagram illustrating an authentication interaction process 800 between devices in an authentication system according to an embodiment of the present disclosure.
  • the authentication system of the present disclosure may include an authentication device and at least one SoC.
  • the system on chip here may be the system on chip described above in conjunction with FIGS. 1 to 7 .
  • the authentication device here may be the authentication device described above in connection with FIGS. 6 and 7 . Therefore, the foregoing descriptions about the system on chip and the authentication device are also applicable to the following descriptions. The interaction between the authentication device and the SoC will be described in detail below.
  • an authentication request for authenticating the SoC is initiated, wherein the authentication request includes first authentication information.
  • the first authentication information here is the first authentication information described above in conjunction with FIG. 6 to FIG. 7 , and can be used to indicate the timeliness of the authentication evidence.
  • the first authentication information may include a dynamically randomly generated Nonce value. It can be understood that, here, the random number is used as an example to describe the first authentication information for the purpose of illustration only.
  • the aforementioned authentication request is sent to the system on chip, so as to wait for the system on chip to return the authentication proof.
  • at step S803, the authentication request from the authentication device is received, and at step S804, authentication evidence is determined according to the first authentication information and the second authentication information.
  • the second authentication information and authentication evidence here may be the second authentication information and authentication evidence described above in conjunction with FIG. 6 and FIG. 7 .
  • the above-mentioned second authentication information may include the sensitive information of the system on chip and the public key and private key dynamically generated based on the device identity combination engine DICE, and the above-mentioned authentication evidence may include the above-mentioned public key together with the sensitive information and the first authentication information encrypted and signed by the aforementioned private key.
  • at step S805, the aforementioned authentication evidence is sent to the authentication device, so that the authentication device performs the subsequent authentication process based on the authentication evidence.
  • at step S806, the authentication evidence from the SoC side is received.
  • at step S807, whether the system-on-chip in the running stage is trustworthy is authenticated according to the authentication evidence.
  • in one embodiment, the authentication of whether the system on chip is trustworthy can be implemented with reference to the authentication process described in step S704-1, step S704-2, step S704-3 and step S704-4 in FIG. 7 .
  • the authentication device and the system-on-chip in FIG. 8 may be arranged at different distances. Therefore, the two can communicate and connect in different ways to achieve authentication. When the two are relatively close to each other, they can be connected through short-distance communication technology (such as Bluetooth communication technology, Wi-Fi communication technology, etc.) to complete the authentication. Conversely, when the two are far apart, they can be connected through long-distance communication technology (such as 4G/5G communication technology) to complete the authentication.
  • the system-on-a-chip of the present disclosure may be arranged at a vehicle (for example, at an autonomous driving vehicle).
  • the system on a chip can be arranged in a vehicle terminal.
  • the aforementioned vehicle-mounted terminal may include a vehicle-mounted information collection device (such as a sensor, a camera, etc.) and a vehicle-mounted central control device (such as a processor), so that the convenience and safety of device authentication in the field of autonomous driving can be improved.
  • the security level and performance of the device in the self-driving vehicle can be greatly improved, so that the system-on-chip of the present disclosure can better serve the self-driving vehicle.
  • FIG. 9 is a schematic diagram illustrating an authentication interaction process 900 between devices in an authentication system according to another embodiment of the present disclosure.
  • the authentication system includes an authentication device and at least one SoC.
  • the system-on-chip here may be the system-on-chip described above in conjunction with FIG. 1 to FIG. 8 , so the foregoing description about the system-on-chip is also applicable to the following description.
  • an authentication system including an authentication device and a system-on-chip is taken as an example for illustration:
  • in the startup phase, after the system-on-chip is powered on (BootUp), it first executes a fixed boot program, which can be stored in the BootRom (Boot Read-Only Memory, a memory used to store the boot program, which can be viewed as a small block of mask ROM or write-protected flash) in the system-on-chip.
  • the system-on-chip can run the above-mentioned startup program to generate the chip's unique SoCID (that is, the aforementioned unique identification information).
  • the system on chip generates a unique SoCID of the chip every time it is started.
  • the BootRom here may be a diskless boot ROM interface.
  • the solution disclosed in the present disclosure can construct a diskless workstation by remotely starting the service, so that the unique SoCID of the chip can be obtained efficiently.
  • in FIG. 9, DICE denotes the device identity combination engine, K pub denotes the public key and K priv denotes the private key.
  • the system-on-a-chip of the present disclosure completes the startup deployment and waits for authentication.
  • the public key and system sensitive information may be stored in a database at the authentication device after the startup deployment is completed, so as to be used for later authentication operations of the authentication device.
  • the authentication device sends an authentication request carrying a Nonce ("N" as shown in the figure) to the SoC during the running phase of the SoC, so that after the SoC receives the Nonce it can be passed down layer by layer to DICE.
  • the authentication device dynamically generates the aforementioned Nonce value each time it generates an authentication request.
  • after the authentication device receives the aforementioned authentication evidence, it uses the reference public key H(K pub ) stored in its database to verify the authenticity of K pub : specifically, the encryption operation used to obtain H(K pub ) is applied to K pub , and it is judged whether the result is consistent with H(K pub ). If K pub is authentic, K pub is used to decrypt the encrypted information in the aforementioned authentication evidence. Next, the reference sensitive information stored in the database of the authentication device is matched (for example, checked for equality) against the system configuration parameters (SysCfg) and key memory values (MemFill) in the aforementioned evidence.
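The full exchange described for FIG. 9 (key derivation in DICE, evidence generation for a Nonce, and the verification steps S704-1 to S704-4), as an added example that is not part of the patent: the SoC side derives its key pair from the UDS and the boot measurements, answers a Nonce with signed evidence, and the authentication device checks K pub against the stored H(K pub), verifies the signature and the Nonce, and matches SysCfg and MemFill against its reference. Assumptions: SHA-256 as the one-way operation, HMAC-SHA256 as the KDF, Ed25519 signing in place of the patent's "encrypt and sign", and all sample values (UDS, images, SysCfg, MemFill) are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SoC holds the DICE inputs: the UDS, the software layers measured at boot, and the sensitive information.
type SoC struct {
	UDS     []byte   // unique device secret (constructed sample value)
	Layers  [][]byte // firmware images measured during startup
	SysCfg  []byte   // system configuration parameters
	MemFill []byte   // system memory fill value
}

// oneWay is the one-way operation (assumed SHA-256; the patent also allows HMAC etc.).
func oneWay(parts ...[]byte) []byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	return h.Sum(nil)
}

// DeriveKey follows the patent's three steps, so the key is bound to the device (UDS) and the booted code.
func (s *SoC) DeriveKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	in := make([][]byte, 0, len(s.Layers)+1)
	for _, img := range s.Layers {
		in = append(in, oneWay(img)) // measurement value of each software layer
	}
	initial := oneWay(append(in, s.UDS)...) // one-way op over all measurements and the UDS
	kdf := hmac.New(sha256.New, initial)    // KDF, assumed here to be HMAC-SHA256
	kdf.Write([]byte("soc-attestation-key"))
	priv := ed25519.NewKeyFromSeed(kdf.Sum(nil)) // 32-byte seed -> K_priv, K_pub
	return priv.Public().(ed25519.PublicKey), priv
}

// Evidence: K_pub, the one-way "encrypted" sensitive information, the Nonce, and a K_priv signature over them.
type Evidence struct {
	PubKey                              ed25519.PublicKey
	SysCfgH, MemFillH, Nonce, Signature []byte
}

func (e *Evidence) payload() []byte {
	return append(append(append([]byte{}, e.SysCfgH...), e.MemFillH...), e.Nonce...)
}

// HandleRequest is steps S803-S805: combine the Nonce (first information) with the on-chip secrets (second).
func (s *SoC) HandleRequest(nonce []byte) Evidence {
	pub, priv := s.DeriveKey()
	ev := Evidence{PubKey: pub, SysCfgH: oneWay(s.SysCfg), MemFillH: oneWay(s.MemFill), Nonce: nonce}
	ev.Signature = ed25519.Sign(priv, ev.payload())
	return ev
}

// Verifier is the authentication device's database after startup deployment: H(K_pub) and reference sensitive info.
type Verifier struct{ RefPubKeyHash, RefSysCfgH, RefMemFillH []byte }

func Enroll(s *SoC) Verifier {
	pub, _ := s.DeriveKey()
	return Verifier{oneWay(pub), oneWay(s.SysCfg), oneWay(s.MemFill)}
}

// NewNonce is step S801: fresh first authentication information for every request.
func NewNonce() []byte {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		panic(err)
	}
	return n
}

// Verify is steps S704-1 to S704-4: check K_pub against H(K_pub), check the signature and the Nonce,
// then match the sensitive information with the reference. Any mismatch means the running SoC is untrusted.
func (v *Verifier) Verify(ev Evidence, issued []byte) error {
	switch {
	case !hmac.Equal(oneWay(ev.PubKey), v.RefPubKeyHash):
		return errors.New("K_pub does not match reference H(K_pub)")
	case !ed25519.Verify(ev.PubKey, ev.payload(), ev.Signature):
		return errors.New("signature invalid")
	case !hmac.Equal(ev.Nonce, issued):
		return errors.New("nonce mismatch: evidence is stale or replayed")
	case !hmac.Equal(ev.SysCfgH, v.RefSysCfgH) || !hmac.Equal(ev.MemFillH, v.RefMemFillH):
		return errors.New("sensitive information does not match reference")
	}
	return nil
}

func main() {
	soc := &SoC{UDS: []byte("sample-uds"), Layers: [][]byte{[]byte("bl1"), []byte("os")},
		SysCfg: []byte("cfg-v1"), MemFill: []byte("fill-v1")} // constructed values
	v, n := Enroll(soc), NewNonce()
	fmt.Println("genuine SoC:", v.Verify(soc.HandleRequest(n), n))
	soc.MemFill = []byte("changed") // runtime memory no longer matches the reference
	fmt.Println("modified SoC:", v.Verify(soc.HandleRequest(n), n))
}
```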
  • the devices or apparatuses disclosed in this disclosure may include servers, cloud servers, server clusters, data processing devices, robots, computers, printers, scanners, tablet computers, smart terminals, PC equipment, Internet of Things terminals, mobile terminals, mobile phones, driving recorders, navigators, sensors, cameras, video cameras, projectors, watches, earphones, mobile storage, wearable devices, visual terminals, autonomous driving terminals, means of transportation, household appliances, and/or medical equipment.
  • said means of transportation include airplanes, ships and/or road vehicles; said household appliances include televisions, air conditioners, microwave ovens, refrigerators, rice cookers, humidifiers, washing machines, electric lights, gas stoves and range hoods; said medical equipment includes nuclear magnetic resonance instruments, ultrasound instruments and/or electrocardiographs.
  • the devices or devices disclosed in the present disclosure can also be applied to fields such as the Internet, the Internet of Things, data centers, energy, transportation, public management, manufacturing, education, power grids, telecommunications, finance, retail, construction sites, and medical care.
  • the device or device disclosed herein can also be used in application scenarios related to artificial intelligence, big data, and/or cloud computing, such as cloud, edge, and terminal.
  • the device or apparatus with high computing power according to the present disclosure can be applied to cloud devices (such as cloud servers), and the device or apparatus with low power consumption can be applied to terminal devices and/or edge devices (such as smartphones or cameras).
  • the hardware information of the cloud device and the hardware information of the terminal device and/or the edge device are compatible with each other, so that, according to the hardware information of the terminal device and/or the edge device, appropriate hardware resources can be matched from the hardware resources of the cloud device to simulate the hardware resources of the terminal device and/or edge device, thereby completing the unified management, scheduling and collaborative work of device-cloud integration or cloud-edge-end integration.
  • the present disclosure expresses some methods and their embodiments as a series of actions and combinations thereof, but those skilled in the art can understand that the solution of the present disclosure is not limited by the order of the described actions. Therefore, according to the disclosure or teaching of the present disclosure, those skilled in the art may understand that certain steps may be performed in other orders or simultaneously. Further, those skilled in the art can understand that the embodiments described in the present disclosure can be regarded as optional embodiments, that is, the actions or modules involved therein are not necessarily required for the realization of one or some solutions of the present disclosure. In addition, according to different schemes, the description of some embodiments in this disclosure also has different emphases. In view of this, for the part that is not described in detail in a certain embodiment of the present disclosure, those skilled in the art may refer to the related descriptions of other embodiments.
  • a unit described as a separate component may or may not be physically separated, and a component shown as a unit may or may not be a physical unit.
  • the aforementioned components or units may be located at the same location or distributed over multiple network units.
  • some or all of the units may be selected to achieve the purpose of the solutions described in the embodiments of the present disclosure.
  • multiple units in the embodiments of the present disclosure may be integrated into one unit, or each unit exists physically independently.
  • the above integrated units may be implemented in the form of software program modules. If implemented in the form of a software program module and sold or used as a stand-alone product, the integrated unit may be stored in a computer readable memory. Based on this, when the solution of the present disclosure is embodied in the form of a software product (such as a computer-readable storage medium), the software product can be stored in a memory, and it can include several instructions to make a computer device (such as a personal computer, a server, or a network device, etc.) execute some or all of the steps of the methods described in the embodiments of the present disclosure.
  • the aforementioned memory may include, but is not limited to, a USB flash drive, flash disk, read-only memory ("Read Only Memory", abbreviated as ROM), random access memory ("Random Access Memory", abbreviated as RAM), removable hard disk, magnetic disk, or various media such as CDs that can store program code.
  • the above-mentioned integrated units may also be implemented in the form of hardware, that is, specific hardware circuits, which may include digital circuits and/or analog circuits.
  • the physical realization of the hardware structure of the circuit may include but not limited to physical devices, and the physical devices may include but not limited to devices such as transistors or memristors.
  • various devices such as computing devices or other processing devices described herein may be implemented by appropriate hardware processors, such as CPU, GPU, FPGA, DSP, and ASIC.
  • the aforementioned storage unit or storage device can be any suitable storage medium (including a magnetic storage medium or magneto-optical storage medium, etc.), which can be, for example, a variable resistance memory ("Resistive Random Access Memory", abbreviated as RRAM), dynamic random access memory ("Dynamic Random Access Memory", abbreviated as DRAM), static random access memory ("Static Random Access Memory", abbreviated as SRAM), enhanced dynamic random access memory ("Enhanced Dynamic Random Access Memory", abbreviated as EDRAM), high bandwidth memory ("High Bandwidth Memory", abbreviated as HBM), hybrid memory cube ("Hybrid Memory Cube", abbreviated as HMC), ROM and RAM, etc.
  • a method for authenticating a system on chip comprising:
  • the authentication evidence is sent to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the system-on-chip in the running phase is authentic.
  • Clause A2 The method according to Clause A1, wherein the first authentication information is dynamically generated by the authentication device, and the second authentication information includes sensitive information of the system-on-chip and a key dynamically generated based on a device identity combination engine, the method further comprising:
  • the second authentication information is acquired at the system on chip.
  • Clause A3 The method of clause A2, wherein the key is dynamically generated based on a device identity combination engine, the method further comprising:
  • the key for asymmetric encryption is generated based on the unique device secret.
  • Clause A4 The method of Clause A3, wherein in using the unique identification information to generate a unique device secret, the device identity combination engine performs:
  • a one-way operation is performed on the random number and the unique identification information to obtain the unique device secret.
  • Clause A5 The method of Clause A3, wherein in generating the key for asymmetric encryption based on the unique device secret, the device identity combination engine performs:
  • Clause A6 The method of any one of clauses A2-A5, wherein said key comprises a public key and a private key, and wherein determining authentication evidence based on said first authentication information and said second authentication information comprises, during the running phase of said system-on-chip, performing the following operations:
  • the authentication evidence is generated according to the public key, the encrypted and signed sensitive information and the first authentication information.
  • Clause A7 The method of Clause A6, wherein the sensitive information includes encrypted system configuration parameters and system memory fill values.
  • a method for authenticating a system on chip comprising:
  • the authentication request includes first authentication information
  • Clause A9 The method of Clause A8, wherein the first authentication information comprises a random number, the method comprising:
  • the random number is dynamically generated.
  • Clause A10 The method of Clause A8, wherein authenticating based on the authentication evidence whether the system-on-a-chip in the runtime phase is authentic comprises:
  • Clause A12 The method of Clause A10 or Clause A11, wherein the baseline sensitive information includes encrypted system configuration parameters and system memory fill values.
  • a method for authenticating a system on a chip comprising:
  • a system on a chip comprising:
  • a memory storing a program which, when executed by the processor, causes the system-on-chip to perform the method according to any one of clauses A1-A7.
  • An authentication device for authenticating a system on a chip comprising:
  • a memory storing a program which, when executed by the processor, causes the authentication device to perform the method according to any one of clauses A8-A12.
  • Clause A16 A computer program product comprising a computer program for authenticating a system-on-chip, which computer program, when executed by a processor, implements the method of any one of clauses A1-A7 or clauses A8-A12.
  • An authentication system for authenticating a system on a chip comprising:
  • At least one system-on-chip according to clause A14, configured to perform the method according to any one of clauses A1-A7 in order to generate said authentication evidence; and
  • An authentication device configured to perform the method according to any one of clauses A8-A12, in order to authenticate whether said system-on-chip in a run phase is authentic based on said authentication evidence.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Mathematical Physics (AREA)
  • Computing Systems (AREA)
  • Microelectronics & Electronic Packaging (AREA)
  • Storage Device Security (AREA)

Abstract

A method for authenticating a system on chip, and a related product, which relate to the technical field of authentication. The related product comprises a system on chip, an authentication device, a computer program product and an authentication system. The product may be comprised in a computing processing apparatus of a combined processing apparatus, wherein the computing processing apparatus may comprise one or more data processing apparatuses; the combined processing apparatus may further comprise an interface apparatus and other processing apparatuses; the computing processing apparatus interacts with the other processing apparatuses, so as to jointly complete a computing operation specified by a user; and the combined processing apparatus may further comprise a storage apparatus, which is respectively connected to a device and the other processing apparatuses, and is used for storing the data of the device and the other processing apparatuses. By means of the method and the related product, it is possible to authenticate whether a system on chip in a running stage can be trusted.

Description

用于对片上系统进行认证的方法及相关产品Method for authenticating system on chip and related products
相关申请的交叉引用Cross References to Related Applications
本公开要求于2021年6月30日申请的、申请号为2021107347893、发明名称为“用于对片上系统进行认证的方法及相关产品”的中国专利申请的优先权。This disclosure claims the priority of the Chinese patent application with the application number 2021107347893 and the title of the invention "Method for Authenticating System-on-Chip and Related Products" filed on June 30, 2021.
技术领域technical field
本公开一般地涉及认证技术领域。更具体地,本公开涉及一种用于对片上系统进行认证的方法、用于执行前述方法的片上系统、认证设备和计算机程序产品以及包括前述片上系统和认证设备的认证系统。The present disclosure relates generally to the field of authentication technologies. More specifically, the present disclosure relates to a method for authenticating a system on chip, a system on chip for performing the aforementioned method, an authentication device and a computer program product, and an authentication system including the aforementioned system on chip and the authentication device.
背景技术Background technique
随着片上系统技术的不断提升,其被广泛应用于多个技术领域。通常所说的片上系统(System on Chip,简写“SoC”)是指在单个芯片上集成微电子应用产品所需全部功能的系统。目前对于片上系统的研究多偏向于片上系统的算力方面,而涉及对片上系统(特别是运行阶段的片上系统)的安全性的研究还并不充分。特别地,在现有相关技术中,即便存在对片上系统的安全性进行认证的操作,该操作也需要搭建额外的专用硬件(例如可信任平台模块TPM(Trusted Platform Module))来实现。鉴于此,可以看出当前对片上系统的认证过程不仅繁琐和低效,并且还增加了认证的成本。With the continuous improvement of SoC technology, it is widely used in many technical fields. The so-called System on Chip (System on Chip, abbreviated as "SoC") refers to a system that integrates all the functions required by microelectronics application products on a single chip. At present, the research on SoCs is mostly biased towards the computing power of SoCs, but the research on the security of SoCs (especially the SoCs in the running stage) is not enough. In particular, in the existing related technologies, even if there is an operation to authenticate the security of the system-on-chip, this operation needs to be implemented by building additional dedicated hardware (such as a trusted platform module TPM (Trusted Platform Module)). In view of this, it can be seen that the current system-on-chip certification process is not only cumbersome and inefficient, but also increases the cost of certification.
发明内容Contents of the invention
鉴于上述背景技术部分所提及的技术问题,本公开提出一种用于对片上系统进行认证的方案。利用本公开的方案,无需增加额外的专用硬件即可实现对片上系统的认证。特别地,对于运行阶段的片上系统,本公开的认证方案不仅降低对片上系统的认证成本,同时还确保了片上系统的安全性,并进而提升了片上系统的安全认证等级。为此,本公开在如下的多个方面中提供用于对片上系统进行认证的方案。In view of the technical problems mentioned in the background technology section above, this disclosure proposes a scheme for authenticating a system on chip. With the solution disclosed in the present disclosure, the system-on-chip authentication can be realized without adding additional dedicated hardware. Especially, for the SoC in the running stage, the authentication scheme disclosed in the present disclosure not only reduces the cost of certification for the SoC, but also ensures the security of the SoC, and further improves the safety certification level of the SoC. To this end, the present disclosure provides a scheme for authenticating a system on chip in the following aspects.
在第一方面中,本公开提供了一种用于对片上系统进行认证的方法,包括:从认证设备接收对片上系统进行认证的认证请求,其中所述认证请求包括第一认证信息;根据所述第一认证信息和第二认证信息确定认证证据;以及向所述认证设备发送所述认证证据,以便所述认证设备利用所述认证证据对运行阶段的所述片上系统是否可信进行认证。In a first aspect, the present disclosure provides a method for authenticating a system-on-chip, including: receiving an authentication request for authenticating the system-on-chip from an authentication device, wherein the authentication request includes first authentication information; according to the The first authentication information and the second authentication information determine an authentication evidence; and send the authentication evidence to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the system-on-chip in the running phase is credible.
在第二方面中,本公开提供了一种用于对片上系统进行认证的方法,包括:生成用于发起对所述片上系统进行认证的认证请求,其中所述认证请求包括第一认证信息;向所述片上系统处发送所述认证请求,以便在所述片上系统处接收到所述认证请求时,基于第二认证信息和所述第一认证信息确定认证证据;从所述片上系统处接收所述认证证据;以及根据所述认证证据对运行阶段的所述片上系统是否可信进行认证。In a second aspect, the present disclosure provides a method for authenticating a system-on-chip, comprising: generating an authentication request for initiating authentication of the system-on-chip, wherein the authentication request includes first authentication information; sending the authentication request to the system-on-chip, so that when the authentication request is received in the system-on-chip, determining authentication evidence based on the second authentication information and the first authentication information; receiving from the system-on-chip the authentication evidence; and authenticating whether the system-on-chip in the running phase is authentic according to the authentication evidence.
在第三方面中,本公开提供了一种用于对片上系统进行认证的方法,包括:在认证设备处执行:用于发起对所述片上系统进行认证的认证请求,其中所述认证请求包括第一认证信息;向所述片上系统处发送所述认证请求;在处于运行阶段的片上系统处执行:接收来自于所述认证设备的所述认证请求;根据所述第一认证信息和第二认 证信息确定认证证据;以及向所述认证设备发送所述认证证据;在所述认证设备处执行:接收所述认证证据;以及根据所述认证证据对处于运行阶段的所述片上系统是否可信进行认证。In a third aspect, the present disclosure provides a method for authenticating a system-on-chip, including: executing at an authentication device: initiating an authentication request for authenticating the system-on-chip, wherein the authentication request includes first authentication information; sending the authentication request to the system-on-chip; executing at the system-on-chip in the running phase: receiving the authentication request from the authentication device; according to the first authentication information and the second The authentication information determines authentication evidence; and sends the authentication evidence to the authentication device; performs at the authentication device: receiving the authentication evidence; and whether the system-on-a-chip in the running phase is trusted according to the authentication evidence Authenticate.
在第四方面中,本公开提供了一种片上系统,包括:处理器;以及存储器,其存储有程序,当所述程序由处理器执行时,使得所述片上系统执行本公开的第一方面提供的方法以及在下文多个实施例中的方法。In a fourth aspect, the present disclosure provides a system-on-chip, including: a processor; and a memory storing a program that, when executed by the processor, causes the system-on-chip to perform the first aspect of the present disclosure Methods are provided as well as in the various examples below.
在第五方面中,本公开提供了一种用于对片上系统进行认证的认证设备,包括:处理器;以及存储器,其存储有程序,当所述程序由处理器执行时,使得所述认证设备执行本公开的第二方面提供的方法以及在下文多个实施例中的方法。In a fifth aspect, the present disclosure provides an authentication device for authenticating a system on chip, including: a processor; and a memory storing a program that, when executed by the processor, causes the authentication The device executes the method provided by the second aspect of the present disclosure and the methods in the following multiple embodiments.
在第六方面中,本公开提供了一种计算机程序产品,包括用于对片上系统进行认证的计算机程序,所述计算机程序在被处理器执行时,实现本公开的第一方面提供的方法及其将在下文描述的多个实施例的方法,或者实现本公开的第二方面提供的方法及其将在下文描述的多个实施例中的方法。In a sixth aspect, the present disclosure provides a computer program product, including a computer program for authenticating a system-on-chip, when the computer program is executed by a processor, the method and the method provided in the first aspect of the present disclosure are implemented. It will hereinafter describe the methods of multiple embodiments, or realize the method provided by the second aspect of the present disclosure and its methods in hereinafter described multiple embodiments.
在第七方面中,本公开提供了一种用于对片上系统进行认证的认证系统,包括:至少一个如前述的片上系统,其配置成执行本公开的第一方面提供的方法及其将在下文描述的多个实施例中的方法,以便生成所述认证证据;以及如前述的认证设备,其配置成执行本公开的第二方面提供的方法及其将在下文描述的多个实施例中的方法,以便根据所述认证证据来认证运行阶段的所述片上系统是否可信。In a seventh aspect, the present disclosure provides an authentication system for authenticating a system-on-chip, including: at least one system-on-chip as described above, which is configured to execute the method provided in the first aspect of the present disclosure and will be described in The method in the multiple embodiments described below, so as to generate the authentication evidence; and the aforementioned authentication device, which is configured to execute the method provided by the second aspect of the present disclosure and its multiple embodiments described below A method for authenticating whether the system-on-chip in the running phase is authentic according to the authentication evidence.
Through the solutions provided in the above aspects, the present disclosure achieves effective security authentication of a system on chip, in particular effective authentication of the system on chip during its running phase. Specifically, the solution determines the authentication evidence from first authentication information on the authentication device side and second authentication information on the system-on-chip side, so that the authentication device can use the evidence to decide whether the system on chip is trustworthy while it is running. The authentication process requires no additional dedicated hardware, which reduces the cost of authentication and allows the system on chip to be used in low-cost fields such as the low-cost Internet of Things, broadening its application market. Further, in some implementations the authentication evidence may include sensitive information about the system on chip, for example system configuration parameters and system memory fill values that have been encrypted by a one-way operation. By authenticating this sensitive information, the solution can confirm not only whether the system on chip was trustworthy during the boot phase but also, in a timely manner, whether it is trustworthy during the running phase.
The solution thereby protects the security of the system on chip and raises its security authentication level.
Description of the Drawings
The above and other objects, features and advantages of exemplary embodiments of the present disclosure will become readily understood by reading the following detailed description with reference to the accompanying drawings. In the drawings, several embodiments of the present disclosure are shown by way of illustration and not limitation, and the same or corresponding reference numerals denote the same or corresponding parts, wherein:
FIG. 1 is a structural diagram of a board according to an embodiment of the present disclosure;
FIG. 2 is a structural diagram of a combined processing device according to an embodiment of the present disclosure;
FIG. 3 is a schematic diagram of the internal structure of a computing device according to an embodiment of the present disclosure;
FIG. 4 is a schematic diagram of the internal structure of a processor core according to an embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a data write between processor cores of different clusters according to an embodiment of the present disclosure;
FIG. 6A is a flowchart of a method for authenticating a system on chip according to one embodiment of the present disclosure;
FIG. 6B is a flowchart of a method for generating authentication evidence according to one embodiment of the present disclosure;
FIG. 7A is a flowchart of a method for authenticating a system on chip according to another embodiment of the present disclosure;
FIG. 7B is a flowchart of a method for authenticating a system on chip based on authentication evidence according to another embodiment of the present disclosure;
FIG. 8 is a schematic diagram of the authentication interaction between devices in an authentication system according to one embodiment of the present disclosure; and
FIG. 9 is a schematic diagram of the authentication interaction between devices in an authentication system according to another embodiment of the present disclosure.
Detailed Description
The technical solutions in the embodiments of the present disclosure will now be described clearly and completely with reference to the accompanying drawings. The described embodiments are evidently only some of the embodiments of the present disclosure, not all of them. All other embodiments obtained by those skilled in the art from the embodiments of the present disclosure without creative effort fall within the scope of protection of the present disclosure.
It should be understood that the terms "first", "second", "third" and "fourth" in the claims, specification and drawings of the present disclosure are used to distinguish different objects, not to describe a particular order. The terms "comprising" and "including" used in the specification and claims indicate the presence of the described features, integers, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof.
It should also be understood that the terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the present disclosure. As used in the specification and claims, the singular forms "a", "an" and "the" are intended to include the plural forms unless the context clearly indicates otherwise. It should further be understood that the term "and/or" used in the specification and claims refers to any and all possible combinations of one or more of the associated listed items, and includes those combinations.
As used in this specification and the claims, the term "if" may be interpreted, depending on the context, as "when", "once", "in response to determining" or "in response to detecting". Similarly, the phrase "if it is determined" or "if [the described condition or event] is detected" may be interpreted, depending on the context, as "once it is determined", "in response to determining", "once [the described condition or event] is detected" or "in response to detecting [the described condition or event]".
Specific embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
FIG. 1 is a schematic structural diagram of a board 10 according to an embodiment of the present disclosure. As shown in FIG. 1, the board 10 includes a chip 101, which is a system on chip (SoC) integrating one or more combined processing devices. A combined processing device is an artificial-intelligence computing unit that supports various deep learning and machine learning algorithms and meets the intelligent-processing needs of complex scenarios in fields such as computer vision, speech, natural language processing and data mining. Deep learning in particular is widely used in cloud intelligence, where applications are characterised by large volumes of input data and therefore place high demands on the storage capacity and computing power of the platform. The board 10 of this embodiment is suited to cloud intelligence applications and has large off-chip storage, large on-chip storage and substantial computing power.
The chip 101 is connected to an external device 103 through an external interface device 102. The external device 103 is, for example, a server, a computer, a camera, a display, a mouse, a keyboard, a network card or a Wi-Fi interface. Data to be processed can be passed from the external device 103 to the chip 101 through the external interface device 102, and the computation results of the chip 101 can be returned to the external device 103 through the external interface device 102. Depending on the application scenario, the external interface device 102 may take different interface forms, for example a PCIe interface.
The board 10 also includes a storage device 104 for storing data, which includes one or more storage units 105. The storage device 104 is connected to, and exchanges data with, the control device 106 and the chip 101 over a bus. The control device 106 on the board 10 is configured to regulate the state of the chip 101; to that end, in one application scenario, the control device 106 may include a microcontroller unit (MCU).
FIG. 2 is a structural diagram of the combined processing device in the chip 101 of this embodiment. As shown in FIG. 2, the combined processing device 20 includes a computing device 201, an interface device 202, a processing device 203 and a DRAM 204.
The computing device 201 is configured to perform user-specified operations and is mainly implemented as a single-core or multi-core intelligent processor for deep learning or machine learning computation. It can interact with the processing device 203 through the interface device 202 so that the two jointly complete the user-specified operations.
The interface device 202 transfers data and control instructions between the computing device 201 and the processing device 203. For example, the computing device 201 may obtain input data from the processing device 203 via the interface device 202 and write it into the on-chip storage of the computing device 201. Further, the computing device 201 may obtain control instructions from the processing device 203 via the interface device 202 and write them into the on-chip control cache of the computing device 201. Alternatively or additionally, the interface device 202 may read data from the storage of the computing device 201 and transfer it to the processing device 203.
The processing device 203, as a general-purpose processing device, performs basic control including but not limited to data transfer and starting and/or stopping the computing device 201. Depending on the implementation, the processing device 203 may be one or more of a central processing unit (CPU), a graphics processing unit (GPU) or other general-purpose and/or special-purpose processors, including but not limited to a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic devices, discrete gate or transistor logic, discrete hardware components and the like, in whatever number is actually required. As noted above, the computing device 201 of the present disclosure on its own can be regarded as having a single-core or homogeneous multi-core structure; when the computing device 201 and the processing device 203 are considered together, however, they form a heterogeneous multi-core structure.
The DRAM 204 stores data to be processed. It is DDR memory, typically 16 GB or larger, and holds data for the computing device 201 and/or the processing device 203.
FIG. 3 is a schematic diagram of the internal structure of the computing device 201. The computing device 201 processes input data for computer vision, speech, natural language, data mining and similar workloads. The computing device 201 in the figure has a multi-core hierarchical design: as a system on chip it includes multiple clusters, and each cluster in turn includes multiple processor cores. In other words, the computing device 201 is organised in a system-on-chip / cluster / processor-core hierarchy.
At the system-on-chip level, as shown in FIG. 3, the computing device 201 includes external storage controllers 301, a peripheral communication module 302, an on-chip interconnect module 303, a synchronisation module 304 and multiple clusters 305.
There may be several external storage controllers 301 (two are shown in the figure by way of example). They serve access requests issued by the processor cores to external storage, for example the DRAM 204 in FIG. 2, reading data from off-chip or writing data off-chip. The peripheral communication module 302 receives control signals from the processing device 203 through the interface device 202 and starts the computing device 201 executing tasks. The on-chip interconnect module 303 connects the external storage controllers 301, the peripheral communication module 302 and the clusters 305 and carries data and control signals between them. The synchronisation module 304 is a global barrier controller (GBC) that coordinates the progress of the clusters and keeps their information synchronised. The clusters 305 are the computing cores of the computing device 201; four are shown by way of example, and as hardware develops the computing device 201 of the present disclosure may also include 8, 16, 64 or even more clusters 305. The clusters 305 efficiently execute deep learning algorithms.
At the cluster level, as shown in FIG. 3, each cluster 305 includes multiple processor cores (IPU cores) 306 and one storage core (MEM core) 307.
Four processor cores 306 are shown in the figure by way of example; the present disclosure does not limit their number. Their internal architecture is shown in FIG. 4. Each processor core 306 includes three main modules: a control module 41, an operation module 42 and a storage module 43.
The control module 41 coordinates and controls the operation module 42 and the storage module 43 to complete deep learning tasks. It includes an instruction fetch unit (IFU) 411 and an instruction decode unit (IDU) 412. The instruction fetch unit 411 fetches instructions from the processing device 203; the instruction decode unit 412 decodes the fetched instructions and sends the decoded results to the operation module 42 and the storage module 43 as control information.
The operation module 42 includes a vector operation unit 421 and a matrix operation unit 422. The vector operation unit 421 performs vector operations and supports complex operations such as vector multiplication, addition and nonlinear transforms; the matrix operation unit 422 is responsible for the core computations of deep learning algorithms, namely matrix multiplication and convolution.
The storage module 43 stores or moves the associated data and includes a neuron RAM (NRAM) 431, a weight RAM (WRAM) 432, an input/output direct memory access module (IODMA) 433 and a move direct memory access module (MVDMA) 434. The NRAM 431 stores the input and output data and intermediate results of the computations of the processor core 306; the WRAM 432 stores the weights of the deep learning network; the IODMA 433 controls accesses between the NRAM 431/WRAM 432 and the DRAM 204 over the broadcast bus 309; and the MVDMA 434 controls accesses between the NRAM 431/WRAM 432 and the SRAM 308.
Returning to FIG. 3, the storage core 307 is mainly used for storage and communication: it stores data shared between the processor cores 306 and intermediate results, and it carries out communication between the cluster 305 and the DRAM 204, between clusters 305, and between processor cores 306. In other embodiments the storage core 307 also has scalar computation capability and performs scalar operations.
The storage core 307 includes a shared memory unit (SRAM) 308, a broadcast bus 309, a cluster direct memory access module (CDMA) 310 and a global direct memory access module (GDMA) 311. The SRAM 308 acts as a high-performance data staging area: data reused by different processor cores 306 within the same cluster 305 does not have to be fetched from the DRAM 204 by each processor core 306 separately, but is relayed between the processor cores 306 through the SRAM 308. The storage core 307 need only distribute the reused data quickly from the SRAM 308 to the processor cores 306, which improves inter-core communication efficiency and greatly reduces on-chip/off-chip input/output accesses.
The broadcast bus 309, the CDMA 310 and the GDMA 311 respectively handle communication between the processor cores 306, communication between the clusters 305, and data transfer between the clusters 305 and the DRAM 204. Each is described below.
The broadcast bus 309 provides high-speed communication between the processor cores 306 within a cluster 305. In this embodiment the broadcast bus 309 supports unicast, multicast and broadcast as inter-core communication modes. Unicast is point-to-point data transfer (from a single processor core to a single processor core); multicast transfers one copy of data from the SRAM 308 to a specific set of processor cores 306; and broadcast transfers one copy of data from the SRAM 308 to all processor cores 306, which is a special case of multicast.
The CDMA 310 controls accesses to the SRAM 308 across different clusters 305 within the same computing device 201. FIG. 5 illustrates the operation of the CDMA 310 when a processor core wishes to write data to a processor core in another cluster. In this scenario the computing device includes multiple clusters; for ease of illustration only cluster 0 and cluster 1 are shown, each including multiple processor cores, and likewise only processor core 0 of cluster 0 and processor core 1 of cluster 1 are shown. Processor core 0 wishes to write data to processor core 1.
First, processor core 0 sends a unicast write request to write the data into its local SRAM 0. CDMA 0 acts as the master and CDMA 1 as the slave. The master pushes the write request to the slave, i.e. the master sends the write address AW and the write data W, transferring the data into SRAM 1 of cluster 1. The slave then returns a write response B. Finally, processor core 1 of cluster 1 sends a unicast read request to read the data out of SRAM 1.
Returning to FIG. 3, the GDMA 311 works with the external storage controller 301 to control accesses from the SRAM 308 of a cluster 305 to the DRAM 204, or to read data from the DRAM 204 into the SRAM 308. It follows from the above that communication between the DRAM 204 and the NRAM 431 or WRAM 432 can take two paths. The first path links the DRAM 204 directly with the NRAM 431 or WRAM 432 through the IODMA 433; the second path first moves data between the DRAM 204 and the SRAM 308 through the GDMA 311 and then between the SRAM 308 and the NRAM 431 or WRAM 432 through the MVDMA 434. Although the second path appears to involve more components and a longer data flow, in some embodiments its bandwidth is far greater than that of the first path, so communication between the DRAM 204 and the NRAM 431 or WRAM 432 may be more efficient over the second path. Embodiments of the present disclosure may select the data transfer path according to their own hardware conditions.
In other embodiments the functions of the GDMA 311 and the IODMA 433 may be integrated into the same component. For convenience of description the present disclosure treats the GDMA 311 and the IODMA 433 as separate components; for those skilled in the art, any implementation whose functions and technical effects are similar to those of the present disclosure falls within its scope of protection. Further, the functions of the GDMA 311, the IODMA 433, the CDMA 310 and the MVDMA 434 may likewise be implemented by a single component, and again any such implementation with similar functions and technical effects falls within the scope of protection of the present disclosure.
The hardware architecture of the present disclosure and its internal structure have been described in detail above with reference to FIGS. 1 to 5. It should be understood that this description is illustrative only and not restrictive. Depending on the application scenario and hardware specification, those skilled in the art may modify the board of the present disclosure and its internal structure, and such modifications still fall within the scope of protection of the present disclosure.
As described above, in order to authenticate a system on chip and so ensure that it has a trustworthy hardware and software environment during its running phase, the present disclosure proposes that an authentication device interact with the system on chip to obtain authentication evidence from it, and then use that evidence to decide whether the system on chip is trustworthy. In one implementation, the generation of the authentication evidence on the system-on-chip side uses the Device Identifier Composition Engine (DICE). As those skilled in the art know, DICE, published by the Trusted Computing Group (TCG), is intended to give resource-constrained embedded devices stronger security together with unique device identity and attestation capabilities. In operation, DICE divides the boot process into multiple layers and uses a Unique Device Secret (UDS), known only to DICE, to create secret material unique to each software layer of the secure boot chain. In some implementations, the solution of the present disclosure uses DICE to form the authentication evidence used for authentication.
The solution of the present disclosure for authenticating a system on chip is described in detail below.
FIG. 6A is a flowchart of a method 600 for authenticating a system on chip according to one embodiment of the present disclosure. The system on chip here may be the system on chip described above with reference to FIGS. 1 to 5, so the description given there applies equally to what follows.
As shown in FIG. 6A, at step S601 an authentication request for authenticating the system on chip is received from the authentication device, the authentication request including first authentication information. In one embodiment, the first authentication information is generated dynamically by the authentication device and indicates the freshness of the authentication evidence in the sense used in the present disclosure. In some implementations the first authentication information includes a random number, for example a nonce. For the nonce to serve this purpose it must be fresh for every request and unpredictable to the system on chip, so that evidence captured from an earlier exchange cannot be replayed. The random number is used here only as an illustrative example of the first authentication information; the present disclosure does not restrict its specific content, and other information that can indicate the freshness of the authentication evidence is equally applicable.
Next, at step S602, authentication evidence is determined from the first authentication information and second authentication information. In one embodiment the second authentication information is obtained from the system on chip itself. In that case the second authentication information includes sensitive information of the system on chip and a key generated dynamically by the Device Identifier Composition Engine (DICE). In some embodiments the sensitive information includes the encrypted system configuration parameters (SysCfg) and system memory fill values (MemFill). The encryption here may include, but is not limited to, encryption performed with a one-way operation (for example a hash, HMAC or MD5). Of the listed options, MD5 is no longer collision resistant, so a new design should prefer a current hash function such as SHA-256 for this step.
As to how the key is generated, in one embodiment the present disclosure proposes obtaining the unique identification information of the system on chip (SoCID) and having the DICE perform the following steps: use the unique identification information to generate the unique device secret (UDS), and generate an asymmetric key pair from the UDS. For generating the UDS, in one embodiment the DICE dynamically generates a random number and applies a one-way operation (including but not limited to a hash or HMAC) to the random number and the unique identification information to obtain the UDS. In addition, in one implementation the SoCID may be generated each time the system on chip boots, so that the authentication scheme of the present disclosure need not store the SoCID securely, which simplifies the authentication operation.
For the aforementioned generation of the asymmetric key based on the unique device secret, in one embodiment, this may be implemented by having the DICE perform the following operations: based on the unique device secret, measure the integrity of the image loaded by each software layer in the system on chip to obtain a measurement value for each software layer; then perform a one-way operation (including but not limited to algorithms such as HASH and HMAC) on the measurement values of all software layers together with the unique device secret to obtain a key initial value; and finally perform a key derivation operation (for example a key derivation function, KDF) on the key initial value to obtain the key.
It can be seen from the above description that the solution of the present disclosure only needs to deploy the one-way operation within the DICE in order to obtain the key initial value, rather than deploying the one-way operation in a layered manner in each software layer as in the prior art; the solution of the present disclosure therefore effectively simplifies the entire deployment process and improves the efficiency of key generation. In addition, it can be understood that the specific generation process of the UDS and the key described above is only one possible implementation, and the solution of the present disclosure is not limited thereto. Based on the teaching of the present disclosure, those skilled in the art may also adopt other suitable steps or approaches to generate the UDS and the key.
In some application scenarios, the key of the present disclosure described above may include a public key and a private key. On this basis, the process of generating the authentication evidence in the aforementioned step S602 may be implemented through steps S602-1 and S602-2 shown in FIG. 6B. Specifically, at step S602-1, the DICE may encrypt and sign the sensitive information (for example the aforementioned SysCfg and MemFill) and the first authentication information (for example the aforementioned Nonce value) using the aforementioned private key. Next, at step S602-2, the DICE may generate the authentication evidence from the public key, the encrypted and signed sensitive information, and the first authentication information.
After the authentication evidence has been determined, at step S603 the authentication evidence is sent to the authentication device, so that the authentication device can use the authentication evidence to authenticate whether the system on chip in the running phase is trustworthy.
The authentication process on the system-on-chip side of the present disclosure has been described above by way of example with reference to FIG. 6A and FIG. 6B. The authentication process of the system on chip initiated from the authentication device side will be described below with reference to FIG. 7A and FIG. 7B.
FIG. 7A is a flowchart illustrating a method 700 for authenticating a system on chip according to another embodiment of the present disclosure. It can be understood that the system on chip here may be the system on chip described above with reference to FIG. 1 to FIG. 5, so the foregoing description of the system on chip also applies to the description below.
As shown in FIG. 7A, at step S701, an authentication request for initiating authentication of the system on chip is generated, where the authentication request includes first authentication information. In one embodiment, the aforementioned first authentication information may be dynamically generated by the authentication device each time an authentication request is generated, and may be used to indicate the validity period of the authentication evidence in the context of the present disclosure, so that the authentication evidence generated this time is valid only during this authentication process. In some implementation scenarios, the aforementioned first authentication information may include a random number, for example a Nonce value. It can be understood that the random number is used here as an example of the first authentication information for the purpose of illustration only. The present disclosure places no limitation on the specific content of the first authentication information, and therefore other information that can indicate the validity period of the authentication evidence is equally applicable to the solution of the present disclosure. Next, at step S702, the authentication request is sent to the system on chip, so that when the system on chip receives the authentication request, it determines the authentication evidence based on the second authentication information and the first authentication information. It can be understood that the second authentication information and the authentication evidence here may be those described above with reference to FIG. 6, so the foregoing description of the second authentication information and the authentication evidence also applies to the description below.
Next, at step S703, the authentication evidence is received from the system on chip, and at step S704, whether the system on chip in the running phase is trustworthy is authenticated according to the authentication evidence. In one embodiment, the authentication device's determination of whether the system on chip is trustworthy according to the authentication evidence may be implemented through the steps shown in FIG. 7B. Specifically, at step S704-1, reference evidence related to authenticating the system on chip is obtained. In some implementation scenarios, the aforementioned reference evidence includes a reference public key and reference sensitive information. In one embodiment, the reference public key may be obtained by performing an encryption operation on the public key of the aforementioned key pair. The reference public key may then be stored in a memory (for example a database) on the authentication device side.
In some implementation scenarios, the above reference sensitive information may also be stored in the memory on the authentication device side. Likewise, the reference sensitive information here may also include the sensitive information mentioned above on the system-on-chip side, namely the encrypted system configuration parameters and system memory fill values. Similarly, the encryption here may also include, but is not limited to, encryption operations performed based on one-way operations (for example HASH, HMAC, MD5, and the like). In addition, to ensure the security and reliability of the authentication, during the deployment phase of the authentication scheme of the present disclosure, that is, before the system on chip and the authentication device are formally delivered and put into use, the system configuration parameters and system memory fill values on the system-on-chip side and on the authentication device side should be configured to have the same values, so as to facilitate authentication during the later running phase.
Next, at step S704-2, it is determined whether the reference evidence matches the authentication evidence. In one embodiment, the aforementioned determination may be performed by checking whether the public keys and the sensitive information match. Specifically, the public key in the authentication evidence may be verified against the aforementioned reference public key. In one scenario, the public key in the authentication evidence may be encrypted using the same encryption operation (for example an algorithm such as HASH or HMAC) that was used to produce the reference public key. It is then determined whether the encrypted public key is consistent with the reference public key (for example, whether they are identical); when the encrypted public key is consistent with the reference public key, the public key in the authentication evidence is determined to have passed verification, and otherwise the verification is determined to have failed. Thereafter, given that the public key in the authentication evidence has passed verification, the sensitive information in the authentication evidence may be decrypted using the public key. It may then be determined whether the reference sensitive information matches the decrypted sensitive information, so that whether the reference evidence matches the authentication evidence is determined according to the matching result. It can be understood that the aforementioned determination operation is only one possible implementation, and the solution of the present disclosure is not limited thereto. Based on the teaching of the present disclosure, those skilled in the art may also adopt other suitable steps or approaches to determine whether the aforementioned reference evidence matches the authentication evidence.
When it is determined that the reference evidence matches the authentication evidence, for example when the system configuration parameters and system memory fill values at the authentication device and on the system-on-chip side are the same, the flow proceeds to step S704-3, that is, the system on chip in the running phase is determined to be trustworthy. Conversely, when it is determined that the reference evidence does not match the authentication evidence, for example when the system configuration parameters and/or system memory fill values at the authentication device and on the system-on-chip side differ, the flow proceeds to step S704-4, that is, the system on chip in the running phase is determined to be untrustworthy. In the implementation scenario of the present disclosure, when the reference evidence and the authentication evidence do not match during the running phase (for example, the system configuration parameters and/or system memory fill values have changed), it can be determined that the software and hardware operating environment of the system on chip has undergone an unexpected change. In view of such an unexpected change, the authentication device, as the initiator of the authentication, can infer that the system on chip is now in an untrustworthy state and can take further measures to eliminate potential risks, such as forcibly shutting down the entire system on chip, inspecting it, or performing maintenance.
FIG. 8 is a schematic diagram illustrating an authentication interaction process 800 between devices in an authentication system according to an embodiment of the present disclosure.
As shown in FIG. 8, the authentication system of the present disclosure may include an authentication device and at least one system on chip. It can be understood that the system on chip here may be the system on chip described above with reference to FIG. 1 to FIG. 7, and the authentication device here may be the authentication device described above with reference to FIG. 6 and FIG. 7. The foregoing descriptions of the system on chip and the authentication device therefore also apply to the description below. The interaction between the authentication device and the system on chip is described in detail below.
At the authentication device:
At step S801, an authentication request for authenticating the system on chip is initiated, where the authentication request includes first authentication information. It can be understood that the first authentication information here is the first authentication information described above with reference to FIG. 6 to FIG. 7; for example, it may be dynamically generated by the authentication device each time an authentication request is generated and is used to reflect the validity period of the authentication evidence. In one implementation scenario, as described above, the first authentication information may include a dynamically and randomly generated Nonce value. It can be understood that the random number is used here as an example of the first authentication information for the purpose of illustration only. Next, at step S802, the aforementioned authentication request is sent to the system on chip, and the authentication device waits for the system on chip to return the authentication evidence.
At the system on chip in the running phase:
At step S803, the authentication request from the authentication device is received, and at step S804, the authentication evidence is determined according to the first authentication information and the second authentication information. It can be understood that the second authentication information and the authentication evidence here may be those described above with reference to FIG. 6 and FIG. 7. As one implementation scenario, as described above, the second authentication information may include the sensitive information of the system on chip and the public key and private key dynamically generated based on the DICE, and the authentication evidence may include the public key, the sensitive information encrypted and signed with the private key, and the first authentication information.
Next, at step S805, the aforementioned authentication evidence is sent to the authentication device, so that the authentication device performs the subsequent authentication process based on the authentication evidence.
Executed at the authentication device:
At step S806, the authentication evidence from the system-on-chip side is received. Next, at step S807, whether the system on chip in the running phase is trustworthy is authenticated according to the authentication evidence. In one embodiment, the authentication of whether the system on chip is trustworthy may be carried out with reference to the authentication process described in steps S704-1, S704-2, S704-3 and S704-4 of FIG. 7.
Depending on the implementation scenario, the authentication device and the system on chip in FIG. 8 may be located at different distances from each other, and the two may accordingly be connected for communication in different ways to carry out the authentication. When the two are close together, the connection may be established through a short-range communication technology (for example Bluetooth or Wi-Fi) to complete the authentication. Conversely, when the two are far apart, the connection may be established through a long-range communication technology (for example 4G/5G) to complete the authentication.
In one implementation scenario, the system on chip of the present disclosure may be deployed in a vehicle (for example an autonomous vehicle). When the system on chip is applied in the field of autonomous driving, in some implementation scenarios the system on chip may be deployed in an in-vehicle terminal. To implement the authentication operation of the present disclosure, the aforementioned in-vehicle terminal may include in-vehicle information collection devices (for example sensors and cameras) and an in-vehicle central control device (for example a processor), which can improve the convenience and security of device authentication in the field of autonomous driving. In addition, processing the various kinds of information in the device on a trustworthy system on chip can greatly improve the security level and performance of the devices in an autonomous vehicle, so that the system on chip of the present disclosure can better serve autonomous vehicles.
FIG. 9 is a schematic diagram illustrating an authentication interaction process 900 between devices in an authentication system according to another embodiment of the present disclosure.
As shown in FIG. 9, the authentication system includes an authentication device and at least one system on chip. It can be understood that the system on chip here may be the system on chip described above with reference to FIG. 1 to FIG. 8, so the foregoing description of the system on chip also applies to the description below. This embodiment is described taking an authentication system including an authentication device and one system on chip as an example:
The following exemplary operations are performed at the system on chip to complete the deployment of the system on chip and wait for the authentication process initiated by the authentication device:
In the boot phase, after the system on chip is powered on (BootUp), it first executes a fixed boot program, which may be stored in the BootRom of the system on chip (Boot Read-Only Memory, a memory for storing the boot program, which can be regarded as a small block of mask ROM or write-protected flash). During the boot process, the system on chip may run the above boot program to generate the chip-unique SoCID (that is, the aforementioned unique identification information). In the embodiment of the present disclosure, as described above, the system on chip generates a chip-unique SoCID each time it boots. In one implementation scenario, the BootRom here may be a diskless boot ROM interface. In this scenario, the solution of the present disclosure can build a diskless workstation through a remote boot service, so that the chip-unique SoCID can be obtained efficiently.
Next, the Device Identifier Composition Engine (DICE) is used to perform the following operations to generate the public key and the private key. First, the DICE generates a random number (random num) and performs a one-way algorithm (including but not limited to algorithms such as HASH and HMAC) on the random number and the SoCID to generate the UDS (that is, the aforementioned unique device secret), for example UDS = HMAC(SoCID || random num). Then, the DICE uses a HASH algorithm to measure the integrity of the image loaded by each software layer in the system on chip, obtaining the measurement values H(L0), H(L1) ... H(Ln) of the respective software layers. Next, a one-way algorithm is performed on the aforementioned measurement values and the UDS to obtain the key initial value K_0, for example K_0 = HMAC(UDS, H(L0), H(L1) ... H(Ln)). Finally, K_0 is used as the input to a key derivation algorithm (for example a KDF) to generate the asymmetric key pair K_pub (the public key) and K_priv (the private key), for example {K_pub, K_priv} = KDF{K_0}.
Through the above operations, the system on chip of the present disclosure completes its boot deployment and waits for authentication. In some application scenarios, after the boot deployment is complete, the public key and the system sensitive information may be stored in the database at the authentication device for use in the authentication device's later authentication operations.
To achieve effective authentication, during the running phase of the system on chip the authentication device sends the system on chip an authentication request carrying a Nonce (shown as "N" in the figure), so that after the system on chip receives the Nonce it passes the Nonce value down level by level to the DICE. The DICE can then use the aforementioned private key K_priv to encrypt and sign the Nonce, the system configuration parameters SysCfg and the key memory values MemFill, and send the aforementioned public key together with the encrypted and signed Nonce, SysCfg and MemFill to the authentication device as the authentication evidence Evidence (shown as "E" in the figure, expressed for example as E = {N, H(SysCfg), H(MemFill)} K_priv). In one embodiment, the authentication device dynamically generates the aforementioned Nonce value each time it generates an authentication request.
After receiving the aforementioned authentication evidence, the authentication device uses the reference public key H(K_pub) stored in its database to verify the authenticity of K_pub (specifically, K_pub is encrypted with the same encryption operation that was used to produce H(K_pub), and the result is compared with H(K_pub) for consistency). If K_pub is found to be authentic, K_pub is used to decrypt the encrypted information in the authentication evidence. Next, the reference sensitive information stored in the authentication device's database is matched against the system configuration parameters (SysCfg) and key memory values (MemFill) from the evidence (for example, checking whether they are identical). When the reference sensitive information matches the SysCfg and MemFill in the authentication evidence, the system on chip in the running phase can be determined to be trustworthy; otherwise, the system on chip in the running phase is determined to be untrustworthy.
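The key derivation described for steps S602 and S704 above and the FIG. 9 walk-through (UDS from SoCID and a boot-time random number, K_0 from the layer measurements, the key pair from a KDF, evidence signed under K_priv and checked against H(K_pub) and the reference sensitive information) can be exercised end to end in the following Go program. It is an added example written for this page, not code from the patent or its assignee, and it makes several assumptions the patent leaves open: HASH is SHA-256, the HMAC key is the SoCID for the UDS and the UDS for K_0, the KDF is a single HMAC expansion step producing a 32-byte seed, Ed25519 stands in for the unspecified asymmetric scheme (its key pair is a deterministic function of the seed), and "encrypting with K_priv and decrypting with K_pub" is modelled as signing and signature verification. The SoCID, layer images, SysCfg and MemFill values are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// sha is the one-way operation H(.) used throughout; SHA-256 is an assumption.
func sha(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

// DeriveUDS implements UDS = HMAC(SoCID || random num). Assumption: the SoCID
// is the HMAC key and the boot-time random number is the message.
func DeriveUDS(socID, random []byte) []byte {
	m := hmac.New(sha256.New, socID)
	m.Write(random)
	return m.Sum(nil)
}

// DeriveKeyPair implements K_0 = HMAC(UDS, H(L0), H(L1) ... H(Ln)) and
// {K_pub, K_priv} = KDF{K_0}. Assumptions: each H(Li) is the SHA-256 digest
// of that layer's image, fed in boot order; the KDF is one HMAC expansion
// step yielding a 32-byte seed; Ed25519 stands in for the unspecified
// asymmetric scheme, its key pair being a deterministic function of the seed.
func DeriveKeyPair(uds []byte, layerImages [][]byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	m := hmac.New(sha256.New, uds)
	for _, img := range layerImages {
		m.Write(sha(img)) // H(Li): integrity measurement of software layer i
	}
	k0 := m.Sum(nil)
	kdf := hmac.New(sha256.New, k0)
	kdf.Write([]byte("DICE asymmetric key")) // constructed KDF label
	priv := ed25519.NewKeyFromSeed(kdf.Sum(nil))
	return priv.Public().(ed25519.PublicKey), priv
}

// Evidence is E = {N, H(SysCfg), H(MemFill)} signed with K_priv and carried with K_pub.
type Evidence struct {
	PubKey                   ed25519.PublicKey
	Nonce, HSysCfg, HMemFill []byte
	Signature                []byte
}

// Baseline is the reference evidence in the authentication device's database:
// H(K_pub) plus the hashed sensitive information, provisioned at deployment.
type Baseline struct{ HPubKey, HSysCfg, HMemFill []byte }

// payload length-prefixes each field so the signed message cannot be re-split.
func payload(nonce, hSysCfg, hMemFill []byte) []byte {
	var b bytes.Buffer
	for _, f := range [][]byte{nonce, hSysCfg, hMemFill} {
		binary.Write(&b, binary.BigEndian, uint32(len(f)))
		b.Write(f)
	}
	return b.Bytes()
}

// MakeEvidence is the SoC side (S804): hash the sensitive information, sign it
// together with the nonce under K_priv, and attach K_pub.
func MakeEvidence(pub ed25519.PublicKey, priv ed25519.PrivateKey, nonce, sysCfg, memFill []byte) Evidence {
	h1, h2 := sha(sysCfg), sha(memFill)
	return Evidence{pub, nonce, h1, h2, ed25519.Sign(priv, payload(nonce, h1, h2))}
}

// Verify is the authentication device's check (S704-1 to S704-4). The page's
// "decrypt with K_pub" is modelled as signature verification under K_pub.
func Verify(base Baseline, nonce []byte, ev Evidence) bool {
	pubOK := hmac.Equal(sha(ev.PubKey), base.HPubKey) // H(K_pub) equals the stored reference
	fresh := hmac.Equal(ev.Nonce, nonce)              // evidence answers this request, not an old one
	sigOK := ed25519.Verify(ev.PubKey, payload(ev.Nonce, ev.HSysCfg, ev.HMemFill), ev.Signature)
	return pubOK && fresh && sigOK &&
		hmac.Equal(ev.HSysCfg, base.HSysCfg) && hmac.Equal(ev.HMemFill, base.HMemFill)
}

// Demo runs the whole flow on constructed inputs and reports an honest attestation,
// one whose MemFill changed at runtime, and a replay of old evidence under a new nonce.
func Demo() (honest, tampered, replayed bool) {
	random, nonce, stale := make([]byte, 32), make([]byte, 16), make([]byte, 16)
	rand.Read(random)
	rand.Read(nonce)
	rand.Read(stale)
	uds := DeriveUDS([]byte("constructed-SoCID-0001"), random)
	pub, priv := DeriveKeyPair(uds, [][]byte{[]byte("L0 boot image"), []byte("L1 kernel image"), []byte("L2 app image")})
	sysCfg, memFill := []byte("SysCfg: secure_boot=1 cores=4"), []byte("MemFill: 0xA5A5A5A5") // constructed
	base := Baseline{sha(pub), sha(sysCfg), sha(memFill)} // stored at deployment (S704-1)
	ev := MakeEvidence(pub, priv, nonce, sysCfg, memFill)
	honest = Verify(base, nonce, ev)
	tampered = Verify(base, nonce, MakeEvidence(pub, priv, nonce, sysCfg, []byte("MemFill: 0xDEADBEEF")))
	replayed = Verify(base, stale, ev)
	return
}

func main() {
	h, t, r := Demo()
	fmt.Printf("honest=%v tampered=%v replayed=%v\n", h, t, r)
}
```

Because K_0 is computed over every layer measurement, a changed boot or kernel image yields a different K_pub, so the H(K_pub) comparison at S704-2 fails before the sensitive information is even examined; a runtime change to SysCfg or MemFill instead passes the key check and fails the reference-match step, which is the S704-4 outcome. The nonce comparison is what gives the evidence its per-request validity period: the same evidence presented against a later request is rejected.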
The solution of the present disclosure has been described in detail above with reference to the accompanying drawings. Depending on the application scenario, the device or apparatus of the present disclosure may include a server, cloud server, server cluster, data processing apparatus, robot, computer, printer, scanner, tablet computer, smart terminal, PC device, Internet of Things terminal, mobile terminal, mobile phone, dashcam, navigation device, sensor, camera, still camera, video camera, projector, watch, earphones, mobile storage, wearable device, vision terminal, autonomous driving terminal, vehicle, household appliance and/or medical device. The vehicles include aircraft, ships and/or road vehicles; the household appliances include televisions, air conditioners, microwave ovens, refrigerators, rice cookers, humidifiers, washing machines, electric lights, gas stoves and range hoods; the medical devices include magnetic resonance imaging instruments, ultrasound instruments and/or electrocardiographs. The device or apparatus of the present disclosure may also be applied in fields such as the Internet, the Internet of Things, data centers, energy, transportation, public administration, manufacturing, education, power grids, telecommunications, finance, retail, construction sites and healthcare.
Further, the device or apparatus of the present disclosure may also be used in application scenarios related to artificial intelligence, big data and/or cloud computing, such as the cloud, the edge and terminals. In one or more embodiments, a device or apparatus with high computing power according to the solution of the present disclosure may be applied to a cloud device (for example a cloud server), while a device or apparatus with low power consumption may be applied to a terminal device and/or an edge device (for example a smartphone or a camera). In one or more embodiments, the hardware information of the cloud device and the hardware information of the terminal device and/or edge device are mutually compatible, so that suitable hardware resources can be matched from the hardware resources of the cloud device according to the hardware information of the terminal device and/or edge device in order to simulate the hardware resources of the terminal device and/or edge device, thereby achieving unified management, scheduling and collaborative operation of integrated terminal-cloud or cloud-edge-terminal systems.
It should be noted that, for the sake of brevity, the present disclosure describes some methods and their embodiments as a series of actions and combinations thereof, but those skilled in the art will understand that the solution of the present disclosure is not limited by the order of the described actions. Therefore, based on the disclosure or teaching of the present disclosure, those skilled in the art will understand that certain steps may be performed in another order or simultaneously. Further, those skilled in the art will understand that the embodiments described in the present disclosure may be regarded as optional embodiments, that is, the actions or modules involved therein are not necessarily required for implementing one or more solutions of the present disclosure. In addition, the description of some embodiments in the present disclosure has different emphases depending on the solution. In view of this, those skilled in the art will understand that parts not described in detail in one embodiment of the present disclosure may be found in the related descriptions of other embodiments.
In terms of specific implementation, based on the disclosure and teaching of the present disclosure, those skilled in the art will understand that the embodiments disclosed herein may also be implemented in other ways not disclosed herein. For example, the units in the device or apparatus embodiments described above are divided herein on the basis of logical function, but other divisions are possible in actual implementation. As another example, multiple units or components may be combined or integrated into another system, or some features or functions of a unit or component may be selectively disabled. As regards the connections between different units or components, the connections discussed above with reference to the drawings may be direct or indirect couplings between the units or components. In some scenarios, the aforementioned direct or indirect coupling involves a communication connection using an interface, where the communication interface may support electrical, optical, acoustic, magnetic or other forms of signal transmission.
In the present disclosure, units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units. The aforementioned components or units may be located in the same place or distributed across multiple network units. In addition, some or all of the units may be selected according to actual needs to achieve the purpose of the solutions described in the embodiments of the present disclosure. In addition, in some scenarios, multiple units in the embodiments of the present disclosure may be integrated into one unit, or each unit may exist physically on its own.
在一些实现场景中,上述集成的单元可以采用软件程序模块的形式来实现。如果以软件程序模块的形式实现并作为独立的产品销售或使用时,所述集成的单元可以存储在计算机可读取存储器中。基于此,当本披露的方案以软件产品(例如计算机可读存储介质)的形式体现时,该软件产品可以存储在存储器中,其可以包括若干指令用以使得计算机设备(例如个人计算机、服务器或者网络设备等)执行本披露实施例所述方法的部分或全部步骤。前述的存储器可以包括但不限于U盘、闪存盘、只读存储器(“Read Only Memory”,简写为ROM)、随机存取存储器(“Random Access Memory”,简写为RAM)、移动硬盘、磁碟或者光盘等各种可以存储程序代码的介质。In some implementation scenarios, the above integrated units may be implemented in the form of software program modules. If implemented in the form of a software program module and sold or used as a stand-alone product, the integrated unit may be stored in a computer readable memory. Based on this, when the solution of the present disclosure is embodied in the form of a software product (such as a computer-readable storage medium), the software product can be stored in a memory, and it can include several instructions to make a computer device (such as a personal computer, a server, or Network devices, etc.) execute some or all of the steps of the methods described in the embodiments of the present disclosure. The aforementioned memory may include but not limited to U disk, flash disk, read-only memory ("Read Only Memory", abbreviated as ROM), random access memory ("Random Access Memory", abbreviated as RAM), mobile hard disk, magnetic disk Or various media such as CDs that can store program codes.
在另外一些实现场景中,上述集成的单元也可以采用硬件的形式实现,即为具体的硬件电路,其可以包括数字电路和/或模拟电路等。电路的硬件结构的物理实现可以包括但不限于物理器件,而物理器件可以包括但不限于晶体管或忆阻器等器件。鉴于此,本文所述的各类装置(例如计算装置或其他处理装置)可以通过适当的硬件处理器来实现,例如CPU、GPU、FPGA、DSP和ASIC等。进一步,前述的所述存储单元或存储装置可以是任意适当的存储介质(包括磁存储介质或磁光存储介质等),其例如可以是可变电阻式存储器(“Resistive Random Access Memory”,简写为RRAM)、 动态随机存取存储器(“Dynamic Random Access Memory”,简写为DRAM)、静态随机存取存储器(“Static Random Access Memory”,简写为SRAM)、增强动态随机存取存储器(“Enhanced Dynamic Random Access Memory”,简写为“EDRAM”)、高带宽存储器(“High Bandwidth Memory”,简写为“HBM”)、混合存储器立方体(“Hybrid Memory Cube”,简写为“HMC”)、ROM和RAM等。In other implementation scenarios, the above-mentioned integrated units may also be implemented in the form of hardware, that is, specific hardware circuits, which may include digital circuits and/or analog circuits. The physical realization of the hardware structure of the circuit may include but not limited to physical devices, and the physical devices may include but not limited to devices such as transistors or memristors. In view of this, various devices (such as computing devices or other processing devices) described herein may be implemented by appropriate hardware processors, such as CPU, GPU, FPGA, DSP, and ASIC. Further, the aforementioned storage unit or storage device can be any suitable storage medium (including magnetic storage medium or magneto-optical storage medium, etc.), which can be, for example, a variable resistance memory ("Resistive Random Access Memory", abbreviated as RRAM), dynamic random access memory ("Dynamic Random Access Memory", abbreviated as DRAM), static random access memory ("Static Random Access Memory", abbreviated as SRAM), enhanced dynamic random access memory ("Enhanced Dynamic Random Access Memory", abbreviated as "EDRAM"), high bandwidth memory ("High Bandwidth Memory", abbreviated as "HBM"), hybrid memory cube ("Hybrid Memory Cube", abbreviated as "HMC"), ROM and RAM, etc.
The foregoing may be better understood in light of the following clauses:
Clause A1. A method for authenticating a system on chip, comprising:
receiving, from an authentication device, an authentication request for authenticating the system on chip, wherein the authentication request includes first authentication information;
determining authentication evidence according to the first authentication information and second authentication information; and
sending the authentication evidence to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the system on chip in its running phase is trusted.
Clause A2. The method of clause A1, wherein the first authentication information is dynamically generated by the authentication device, and the second authentication information includes sensitive information of the system on chip and a key dynamically generated based on a device identifier composition engine, the method further comprising:
acquiring the second authentication information at the system on chip.
Clause A3. The method of clause A2, wherein the key is dynamically generated based on the device identifier composition engine, the method further comprising:
acquiring unique identification information of the system on chip;
causing the device identifier composition engine to perform the following operations:
generating a unique device secret using the unique identification information; and
generating the key, for asymmetric encryption, based on the unique device secret.
Clause A4. The method of clause A3, wherein, in generating the unique device secret using the unique identification information, the device identifier composition engine performs:
dynamically generating a random number; and
performing a one-way operation on the random number and the unique identification information to obtain the unique device secret.
Clause A5. The method of clause A3, wherein, in generating the key for asymmetric encryption based on the unique device secret, the device identifier composition engine performs:
measuring, based on the unique device secret, the integrity of the image loading of each software layer in the system on chip, to obtain a measurement value for each software layer;
performing a one-way operation on the measurement values of all the software layers and the unique device secret to obtain an initial key value; and
performing a key derivation operation on the initial key value to obtain the key.
Clause A6. The method of any one of clauses A2 to A5, wherein the key comprises a public key and a private key, and wherein determining the authentication evidence according to the first authentication information and the second authentication information comprises performing, in the running phase of the system on chip, the following operations:
cryptographically signing the sensitive information and the first authentication information with the private key; and
generating the authentication evidence from the public key, the cryptographically signed sensitive information and the first authentication information.
Clause A7. The method of clause A6, wherein the sensitive information includes encrypted system configuration parameters and a system memory fill value.
Clause A8. A method for authenticating a system on chip, comprising:
generating an authentication request for initiating authentication of the system on chip, wherein the authentication request includes first authentication information;
sending the authentication request to the system on chip, so that, upon receiving the authentication request, the system on chip determines authentication evidence based on second authentication information and the first authentication information;
receiving the authentication evidence from the system on chip; and
authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted.
Clause A9. The method of clause A8, wherein the first authentication information includes a random number, the method comprising:
dynamically generating the random number each time the authentication request is generated.
Clause A10. The method of clause A8, wherein authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted comprises:
acquiring reference evidence associated with authenticating the system on chip;
determining whether the reference evidence matches the authentication evidence;
in response to the reference evidence matching the authentication evidence, determining that the system on chip in its running phase is trusted; or
in response to the reference evidence not matching the authentication evidence, determining that the system on chip in its running phase is not trusted.
Clause A11. The method of clause A10, wherein the authentication evidence includes a public key and sensitive information cryptographically signed with a private key, the public key and the private key being a key pair dynamically generated based on a device identifier composition engine, and the reference data includes reference sensitive information and a reference public key, wherein determining whether the reference evidence matches the authentication evidence comprises:
verifying the public key in the authentication evidence against the reference public key;
in response to the public key in the authentication evidence passing the verification, decrypting the sensitive information in the authentication evidence with the public key;
determining whether the reference sensitive information matches the decrypted sensitive information; and
determining, according to the result of that matching, whether the reference evidence matches the authentication evidence.
Clause A12. The method of clause A10 or clause A11, wherein the reference sensitive information includes encrypted system configuration parameters and a system memory fill value.
Clause A13. A method for authenticating a system on chip, comprising:
performing, at an authentication device:
an authentication request for initiating authentication of the system on chip, wherein the authentication request includes first authentication information;
sending the authentication request to the system on chip;
performing, at the system on chip in its running phase:
receiving the authentication request from the authentication device;
determining authentication evidence according to the first authentication information and second authentication information; and
sending the authentication evidence to the authentication device;
performing, at the authentication device:
receiving the authentication evidence; and
authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted.
Clause A14. A system on chip, comprising:
a processor; and
a memory storing a program which, when executed by the processor, causes the system on chip to perform the method of any one of clauses A1 to A7.
Clause A15. An authentication device for authenticating a system on chip, comprising:
a processor; and
a memory storing a program which, when executed by the processor, causes the authentication device to perform the method of any one of clauses A8 to A12.
Clause A16. A computer program product comprising a computer program for authenticating a system on chip, which, when executed by a processor, implements the method of any one of clauses A1 to A7 or clauses A8 to A12.
Clause A17. An authentication system for authenticating a system on chip, comprising:
at least one system on chip of clause A14, configured to perform the method of any one of clauses A1 to A7 so as to generate the authentication evidence; and
the authentication device of clause A15, configured to perform the method of any one of clauses A8 to A12 so as to authenticate, according to the authentication evidence, whether the system on chip in its running phase is trusted.
Although this specification has shown and described multiple embodiments of the present disclosure, it will be obvious to those skilled in the art that such embodiments are provided by way of example only. Many modifications, changes and substitutions will occur to those skilled in the art without departing from the idea and spirit of the present disclosure. It should be understood that various alternatives to the embodiments of the disclosure described herein may be employed in practising the disclosure. The appended claims are intended to define the scope of protection of the present disclosure and therefore to cover the module compositions, equivalents or alternatives within the scope of these claims.

Claims (17)

  1. A method for authenticating a system on chip, comprising:
    receiving, from an authentication device, an authentication request for authenticating the system on chip, wherein the authentication request includes first authentication information;
    determining authentication evidence according to the first authentication information and second authentication information; and
    sending the authentication evidence to the authentication device, so that the authentication device uses the authentication evidence to authenticate whether the system on chip in its running phase is trusted.
  2. The method of claim 1, wherein the first authentication information is dynamically generated by the authentication device, and the second authentication information includes sensitive information of the system on chip and a key dynamically generated based on a device identifier composition engine, the method further comprising:
    acquiring the second authentication information at the system on chip.
  3. The method of claim 2, wherein the key is dynamically generated based on the device identifier composition engine, the method further comprising:
    acquiring unique identification information of the system on chip;
    causing the device identifier composition engine to perform the following operations:
    generating a unique device secret using the unique identification information; and
    generating the key, for asymmetric encryption, based on the unique device secret.
  4. The method of claim 3, wherein, in generating the unique device secret using the unique identification information, the device identifier composition engine performs:
    dynamically generating a random number; and
    performing a one-way operation on the random number and the unique identification information to obtain the unique device secret.
  5. The method of claim 3, wherein, in generating the key for asymmetric encryption based on the unique device secret, the device identifier composition engine performs:
    measuring, based on the unique device secret, the integrity of the image loading of each software layer in the system on chip, to obtain a measurement value for each software layer;
    performing a one-way operation on the measurement values of all the software layers and the unique device secret to obtain an initial key value; and
    performing a key derivation operation on the initial key value to obtain the key.
  6. The method of any one of claims 2 to 5, wherein the key comprises a public key and a private key, and wherein determining the authentication evidence according to the first authentication information and the second authentication information comprises performing, in the running phase of the system on chip, the following operations:
    cryptographically signing the sensitive information and the first authentication information with the private key; and
    generating the authentication evidence from the public key, the cryptographically signed sensitive information and the first authentication information.
  7. The method of claim 6, wherein the sensitive information includes encrypted system configuration parameters and a system memory fill value.
  8. A method for authenticating a system on chip, comprising:
    generating an authentication request for initiating authentication of the system on chip, wherein the authentication request includes first authentication information;
    sending the authentication request to the system on chip, so that, upon receiving the authentication request, the system on chip determines authentication evidence based on second authentication information and the first authentication information;
    receiving the authentication evidence from the system on chip; and
    authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted.
  9. The method of claim 8, wherein the first authentication information includes a random number, the method comprising:
    dynamically generating the random number each time the authentication request is generated.
  10. The method of claim 8, wherein authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted comprises:
    acquiring reference evidence associated with authenticating the system on chip;
    determining whether the reference evidence matches the authentication evidence;
    in response to the reference evidence matching the authentication evidence, determining that the system on chip in its running phase is trusted; or
    in response to the reference evidence not matching the authentication evidence, determining that the system on chip in its running phase is not trusted.
  11. The method of claim 10, wherein the authentication evidence includes a public key and sensitive information cryptographically signed with a private key, the public key and the private key being a key pair dynamically generated based on a device identifier composition engine, and the reference data includes reference sensitive information and a reference public key, wherein determining whether the reference evidence matches the authentication evidence comprises:
    verifying the public key in the authentication evidence against the reference public key;
    in response to the public key in the authentication evidence passing the verification, decrypting the sensitive information in the authentication evidence with the public key;
    determining whether the reference sensitive information matches the decrypted sensitive information; and
    determining, according to the result of that matching, whether the reference evidence matches the authentication evidence.
  12. The method of claim 10 or 11, wherein the reference sensitive information includes encrypted system configuration parameters and a system memory fill value.
  13. A method for authenticating a system on chip, comprising:
    performing, at an authentication device:
    an authentication request for initiating authentication of the system on chip, wherein the authentication request includes first authentication information;
    sending the authentication request to the system on chip;
    performing, at the system on chip in its running phase:
    receiving the authentication request from the authentication device;
    determining authentication evidence according to the first authentication information and second authentication information; and
    sending the authentication evidence to the authentication device;
    performing, at the authentication device:
    receiving the authentication evidence; and
    authenticating, according to the authentication evidence, whether the system on chip in its running phase is trusted.
  14. A system on chip, comprising:
    a processor; and
    a memory storing a program which, when executed by the processor, causes the system on chip to perform the method of any one of claims 1 to 7.
  15. An authentication device for authenticating a system on chip, comprising:
    a processor; and
    a memory storing a program which, when executed by the processor, causes the authentication device to perform the method of any one of claims 8 to 12.
  16. A computer program product comprising a computer program for authenticating a system on chip, which, when executed by a processor, implements the method of any one of claims 1 to 7 or claims 8 to 12.
  17. An authentication system for authenticating a system on chip, comprising:
    at least one system on chip of claim 14, configured to perform the method of any one of claims 1 to 7 so as to generate the authentication evidence; and
    the authentication device of claim 15, configured to perform the method of any one of claims 8 to 12 so as to authenticate, according to the authentication evidence, whether the system on chip in its running phase is trusted.
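As an added worked example (not code from the patent or its applicant), the following Go program walks through clauses A3 to A11 (claims 3 to 11) end to end: the DICE-style derivation of the unique device secret and the attestation key pair from the layer measurements, the SoC signing the sensitive information together with the verifier's nonce, and the verifier comparing the public key and sensitive information against its reference values. The hash, HMAC and Ed25519 choices, the domain labels, the device identifier, random value, layer images and sensitive information are all assumptions constructed for the example; the random value is assumed to be fixed at provisioning rather than regenerated per boot, because the verifier can only hold a reference public key if the SoC derives its key pair from the same inputs.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Layer is one software layer whose image the boot chain loads (constructed sample data).
type Layer struct {
	Name  string
	Image []byte
}

// Evidence (clause A6): public key, the verifier's nonce, sensitive info and the signature over both.
type Evidence struct {
	PublicKey                       ed25519.PublicKey
	Nonce, SensitiveInfo, Signature []byte
}

// deriveUDS (clause A4): one-way operation over the random value and the unique identification.
func deriveUDS(uniqueID, random []byte) []byte {
	sum := sha256.Sum256(append(append([]byte("UDS|"), uniqueID...), random...))
	return sum[:]
}

// measureLayers (clause A5, first step): each layer image is measured under a key derived from the UDS.
func measureLayers(uds []byte, layers []Layer) [][]byte {
	out := make([][]byte, 0, len(layers))
	for _, l := range layers {
		m := hmac.New(sha256.New, uds)
		m.Write([]byte(l.Name))
		m.Write(l.Image)
		out = append(out, m.Sum(nil))
	}
	return out
}

// deriveKeyPair (clause A5, remaining steps): hash UDS and all measurements into the initial key value, then an assumed HMAC-based KDF yields an Ed25519 seed.
func deriveKeyPair(uds []byte, measurements [][]byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	h := sha256.New()
	h.Write(uds)
	for _, m := range measurements {
		h.Write(m)
	}
	kdf := hmac.New(sha256.New, h.Sum(nil))
	kdf.Write([]byte("soc-attestation-key"))
	priv := ed25519.NewKeyFromSeed(kdf.Sum(nil)) // HMAC-SHA256 output is exactly the 32-byte seed
	return priv.Public().(ed25519.PublicKey), priv
}

// buildEvidence (clause A6, SoC side): sign sensitive information || nonce with the private key.
func buildEvidence(pub ed25519.PublicKey, priv ed25519.PrivateKey, sensitive, nonce []byte) Evidence {
	sig := ed25519.Sign(priv, append(append([]byte{}, sensitive...), nonce...))
	return Evidence{PublicKey: pub, Nonce: nonce, SensitiveInfo: sensitive, Signature: sig}
}

// verifyEvidence (clauses A10/A11, verifier side): the clause's "decrypt with the public key" step is realised as signature verification against the verifier's own nonce, which also rejects replayed evidence.
func verifyEvidence(ev Evidence, refPub ed25519.PublicKey, refSensitive, expectedNonce []byte) error {
	if !bytes.Equal(ev.PublicKey, refPub) {
		return errors.New("public key differs from reference: boot chain or device is not the expected one")
	}
	msg := append(append([]byte{}, ev.SensitiveInfo...), expectedNonce...)
	if !ed25519.Verify(ev.PublicKey, msg, ev.Signature) {
		return errors.New("signature invalid or evidence not bound to this request's nonce")
	}
	if !bytes.Equal(ev.SensitiveInfo, refSensitive) {
		return errors.New("sensitive information differs from baseline")
	}
	return nil
}

// Constructed device inputs. The random value is assumed fixed at provisioning, since the
// verifier's reference public key must be derivable from the same inputs as the SoC's.
var deviceID = []byte("soc-serial-0001")
var deviceRandom = []byte("provisioned-random-value")
var sensitiveInfo = []byte("cfg=0x1f;memfill=0xaa")
var genuineLayers = []Layer{{"bootloader", []byte("BL-v1")}, {"kernel", []byte("K-v1")}, {"app", []byte("APP-v1")}}

// attest runs one exchange for the layers actually loaded and returns the verifier's verdict.
func attest(layers []Layer, nonce []byte) error {
	uds := deriveUDS(deviceID, deviceRandom)
	refPub, _ := deriveKeyPair(uds, measureLayers(uds, genuineLayers)) // verifier baseline, computed offline
	pub, priv := deriveKeyPair(uds, measureLayers(uds, layers))          // SoC side, from what really booted
	return verifyEvidence(buildEvidence(pub, priv, sensitiveInfo, nonce), refPub, sensitiveInfo, nonce)
}
func main() {
	fmt.Println("genuine boot:", attest(genuineLayers, []byte("nonce-1")))
	tampered := []Layer{genuineLayers[0], {"kernel", []byte("K-v1-patched")}, genuineLayers[2]}
	fmt.Println("tampered kernel:", attest(tampered, []byte("nonce-1")))
}
```

A changed layer image changes every downstream measurement and therefore the derived public key, so the verifier rejects it at the public-key comparison before any signature check; evidence carried over from an earlier request fails because the signature is checked against the verifier's current nonce.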
PCT/CN2022/099768 2021-06-30 2022-06-20 Method for authenticating system on chip, and related product WO2023273933A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110734789.3A CN115544484A (en) 2021-06-30 2021-06-30 Method for authenticating a system on chip and related product
CN202110734789.3 2021-06-30

Publications (1)

Publication Number Publication Date
WO2023273933A1 true WO2023273933A1 (en) 2023-01-05

Family

ID=84691205


Country Status (2)

Country Link
CN (1) CN115544484A (en)
WO (1) WO2023273933A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009089764A1 (en) * 2008-01-10 2009-07-23 Shaohua Ren A system and method of secure network authentication
CN102656592A (en) * 2010-02-16 2012-09-05 松下电器产业株式会社 Information processing device, information processing system, software routine execution method, and remote attestation method
CN109547213A (en) * 2018-12-14 2019-03-29 西安电子科技大学 Suitable for networking Verification System and method between the star of low-track satellite network
CN110417776A (en) * 2019-07-29 2019-11-05 大唐高鸿信安(浙江)信息科技有限公司 A kind of identity identifying method and device


Also Published As

Publication number Publication date
CN115544484A (en) 2022-12-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22831751

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE