WO2024027356A1 - Electronic apparatus, and method for securely accessing software - Google Patents


Info

Publication number
WO2024027356A1
Authority
WO
WIPO (PCT)
Prior art keywords
physical address
software
world
level
processor
Application number
PCT/CN2023/101009
Other languages
French (fr)
Chinese (zh)
Inventor
谌峰
薛杉
李硕
Original Assignee
Huawei Technologies Co., Ltd. (华为技术有限公司)


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • Embodiments of the present application relate to the field of computer security, and in particular to an electronic device and a method for securely accessing software.
  • Electronic devices hold important data, including but not limited to the kernel page table, the cred structure of a Linux process, the SELinux policy database, biometric data (fingerprint data, facial image data), and key or certificate data. The requirements on the security of the operating environment of electronic devices are therefore growing.
  • In the prior art, the software operating environment of an electronic device is divided into multiple worlds (for example a normal world and a secure world), and the physical address space that each world may access is limited. Access here means reading the instructions or data stored in that physical address space, or rewriting them. If an attacker compromises the software running in a world, the attacker can use that software to rewrite the instructions or data stored in the physical address space of the corresponding world, so that important data is leaked or rewritten. How to improve the security of running software therefore remains a problem to be solved.
  • The electronic device and the method for securely accessing software provided by this application can improve the security of the software being run.
  • To this end, this application adopts the following technical solutions.
  • Embodiments of the present application provide an electronic device.
  • The electronic device includes a processor and a controller. The processor is configured to run the current software and to send the controller the logical address that the current software is to access together with the target access permission, that is, the way in which the current software intends to access that logical address.
  • The controller is configured to receive the logical address and the target access permission from the processor, convert the logical address into a physical address in the memory, and allow the processor to access the logical address when both of the following hold: the physical address lies within the preset physical address space corresponding to the current world of the current software, and the target access permission is consistent with the preset access permission of the current world for that preset physical address space.
  • The software running environment of the electronic device has multiple worlds. Each world corresponds to at least two physical address spaces, and those physical address spaces correspond to different access rights; the current world is one of the multiple worlds. An access right is one of the following: reading or rewriting the software stored in the physical address space (read/write); only reading the software stored in the physical address space (read-only); only executing the software stored in the physical address space (execute-only).
  • "Consistent" means that the target access permission is the same as the preset access permission of the current world for the preset physical address space, or that the target access permission falls within the range of the preset access permission.
  • For example, if the preset access permission allows the current world both to read and to rewrite the software in the preset physical address space, then a target access permission that only reads, only rewrites, or both reads and rewrites the software at the logical address is consistent with the preset access permission of the current world for that physical address space.
  • The embodiments of this application thus define, for each world, a physical address space that software running in that world can both read and rewrite, a physical address space that it can only read (and cannot rewrite), and a physical address space that it can only execute (and can neither read nor rewrite).
  • Important data can then be stored in the memory within the physical address space that software running in each world can only read, and important instructions within the physical address space that it can only execute. On each access the controller determines, from the world in which the software currently running on the processor is located and from the way the logical address is accessed, whether the physical address lies in the preset physical address space corresponding to the current world and whether the current world's target access permission to that physical address space is the preset access permission; only when both conditions are met is the physical address provided to the processor. An attacker who compromises the software running in a world therefore cannot use it to rewrite the read-only or execute-only instructions and data of that world, nor to read execute-only instructions, so important instruction programs and data are protected from leakage or rewriting and the operational security of the electronic device is improved.
  • In some implementations the physical address provided by the controller to the processor is an effective address, from which the processor fetches instructions or data in the memory; in other implementations the physical address provided by the controller to the processor may be a null address, in which case the processor proceeds with other processing steps without obtaining instructions or data from the memory.
  • The controller is further configured to send a signal indicating an error to the processor when at least one of the following holds: the physical address is outside the preset physical address space corresponding to the current world of the current software, or the target access permission differs from the preset access permission of the current world.
  • The processor is further configured to perform a security protection operation based on the signal indicating an error. The security protection operation includes at least one of: resetting the processor; refusing the currently running software's access to the logical address; instructing the processor to stop running; disabling at least part of the functionality of the processor; and preventing the processor from accessing the memory.
  • The electronic device further includes the memory, which is configured to store the mapping relationship between the at least two physical address spaces of each world and the different access rights to those physical address spaces. The controller is further configured to determine the preset physical address space and the preset access permission corresponding to the current world according to this mapping relationship.
  • To convert the logical address into a physical address, the controller queries a preset first page table at least once and a preset second page table at least once based on the logical address. According to the first page table it converts the logical address into at least one level of intermediate address; according to the first and second page tables, when every level of intermediate address is allowed to be accessed, it converts the last level of intermediate address into the physical address. The at least one level of intermediate address is recorded in the first page table, and the access rights of each world to the at least one level of intermediate address are recorded in the second page table.
  • In the traditional scheme, converting a logical address into a physical address requires two levels of address translation and checking: after obtaining the logical address, the controller first queries a first-level page table at exception level EL1 to translate and check the logical address, converting it into an intermediate logical address; it then queries a second-level page table at exception level EL2 to translate and check the intermediate logical address, converting it into the physical address.
  • In the embodiments of this application, by contrast, the controller translates and checks the logical address by querying the first page table and converts it into an intermediate address that already is a physical address; querying the second page table only performs a permission check on that intermediate address. Compared with the prior-art conversion, the step of converting the logical address into an intermediate logical address is omitted, which simplifies the conversion from logical address to physical address, and the space originally used to store the intermediate logical address is saved as well.
  • The controller is further configured to send a signal indicating an error to the processor when any level of intermediate address is not allowed to be accessed.
  • The electronic device has multiple exception levels, each corresponding to a section of physical address space in the memory, and software running at a lower exception level is prohibited from accessing the physical address space corresponding to a higher exception level. The mapping relationship is stored in the physical address space corresponding to the highest of the exception levels.
  • The first page table is stored in the physical address space corresponding to a first exception level that is lower than the highest exception level; the second page table is stored in the physical address space corresponding to the highest exception level.
  • In other words, the second-level page table that the traditional scheme places at exception level EL2, to convert the intermediate logical address into the next-level address and check it, is replaced with a second page table placed at exception level EL3 and used only to check the intermediate address. Since exception level EL3 is far more privileged than exception level EL2, and software at lower exception levels cannot access its physical address space, this strengthens the protection of the electronic device.
  • The electronic device further includes a direct memory access (DMA) controller. Allowing the processor to access the logical address then specifically means providing the physical address to the direct memory access controller, which provides the instructions or data at that physical address to the processor.
  • In a second aspect, embodiments of the present application provide a method for securely accessing software.
  • The method includes: converting the logical address to be accessed by the current software into a physical address in the memory; and allowing the current software to access the logical address when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission of the current software to the logical address is the same as the preset access permission of the current world to the preset physical address space.
  • The software running environment of the electronic device has multiple worlds, each corresponding to at least two physical address spaces with different access rights, and the current world is one of them. The access rights include one of the following: reading or rewriting software stored in the physical address space, only reading software stored in the physical address space, or only executing software stored in the physical address space.
  • The method further includes performing a security protection operation when the physical address is outside the preset physical address space corresponding to the current world of the current software, or when the target access permission differs from the preset access permission.
  • The method further includes determining the preset physical address space and the preset access permission corresponding to the current world according to a prestored mapping relationship, which indicates the at least two physical address spaces of each world and the different access rights to them; the mapping relationship is stored in the memory.
  • Converting the logical address into a physical address in the memory specifically includes: querying the first page table and the second page table at least once each based on the logical address; converting the logical address into at least one level of intermediate address according to the first page table; and, when every level of intermediate address is allowed to be accessed, converting the last level of intermediate address into the physical address. The at least one level of intermediate address is recorded in the first page table, and the access rights of each world to the at least one level of intermediate address are recorded in the second page table.
  • The method further includes performing a security protection operation when any level of intermediate address is not allowed to be accessed.
  • The security protection operation includes at least one of: resetting the processor; denying the currently running software's access to the logical address; instructing the processor to stop running; disabling at least part of the functionality of the processor; and preventing the processor from accessing the memory.
  • Embodiments of the present application further provide a device, which includes: a conversion module, configured to convert the logical address to be accessed by the current software into a physical address in the memory; and an access permission module, configured to allow the current software to access the logical address when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission is consistent with the preset access permission of the current world for that preset physical address space.
  • The software running environment of the electronic device has multiple worlds, each corresponding to at least two physical address spaces with different access rights, and the current world is one of them. The access rights include one of the following: reading or rewriting software stored in the physical address space, only reading software stored in the physical address space, or only executing software stored in the physical address space.
  • The device further includes a first security protection module, configured to perform a security protection operation when the physical address is outside the preset physical address space corresponding to the current world of the current software, or when the target access permission differs from the preset access permission.
  • The device further includes a determining module, configured to determine the preset physical address space and the preset access permission corresponding to the current world according to a prestored mapping relationship, which indicates the at least two physical address spaces of each world and the different access rights to them; the mapping relationship is stored in the memory.
  • The conversion module is specifically configured to: query a preset first page table at least once and a preset second page table at least once based on the logical address; convert the logical address into at least one level of intermediate address according to the first page table; and, according to the first and second page tables, when every level of intermediate address is allowed to be accessed, convert the last level of intermediate address into the physical address. The at least one level of intermediate address is recorded in the first page table, and the access rights of each world to the at least one level of intermediate address are recorded in the second page table.
  • The device further includes a second security protection module, configured to perform a security protection operation when any level of intermediate address is not allowed to be accessed.
  • The security protection operation includes at least one of: resetting the processor; denying the currently running software's access to the logical address; instructing the processor to stop running; disabling at least part of the functionality of the processor; and preventing the processor from accessing the memory.
  • Embodiments of the present application further provide a system-level chip (system on a chip).
  • The chip includes a controller and an interface circuit. The interface circuit is used to couple a memory in which an instruction program is stored, and the controller is configured to execute the method described in the second aspect after calling all or part of the computer program stored in the memory.
  • Embodiments of the present application further provide a computer-readable storage medium storing a computer program which, when executed by a controller, implements the method described in the second aspect.
  • Embodiments of the present application further provide a computer program product which, when executed by a controller, implements the method described in the second aspect.
  • Figure 1 is a schematic diagram of the hardware structure of an electronic device provided by an embodiment of the present application.
  • Figure 2 is a schematic diagram of the software architecture of the electronic device provided by an embodiment of the present application.
  • Figure 3 is a schematic diagram of the mapping relationship between physical address ranges in the memory and the access permissions of each world provided by an embodiment of the present application.
  • Figure 4 is a schematic diagram of the mapping relationship between the access rights of each world, the corresponding bits, and physical address ranges in the memory provided by an embodiment of the present application.
  • Figure 5 is a flow chart of a detection method applied to a controller provided by an embodiment of the present application.
  • Figures 6A to 6C are schematic diagrams of application scenarios based on the detection method shown in Figure 5.
  • Figure 7 is a schematic diagram of the process by which the controller converts a logical address into a physical address provided by an embodiment of the present application.
  • Figure 8 is another flow chart of the detection method applied to the controller provided by an embodiment of the present application.
  • Figure 9 is a flow chart of a method for securely accessing software provided by an embodiment of the present application.
  • Figure 10 is a schematic structural diagram of a device provided by an embodiment of the present application.
  • FIG. 1 shows a schematic hardware architecture of an electronic device 100 provided by an embodiment of the present application.
  • The electronic device 100 may be located in a terminal. The terminal may be a user equipment (UE) such as a mobile phone, a tablet, a wearable device (for example a smart watch), or another kind of portable terminal device.
  • FIG. 1 is only an example of the electronic device 100. The electronic device 100 may also be any other type of equipment, such as a chip or chipset, or a circuit board equipped with a chip or chipset; this embodiment is not limited in this respect. Such a chip, chipset or circuit board operates under a suitable software driver.
  • The electronic device 100 includes a processor 101 and a controller 102. The processor 101 and the controller 102 may be integrated into one or more chips, and the one or more chips may be regarded as a chipset; such a chip is also called a system on a chip (SoC), as shown in Figure 1.
  • The processor 101 may include components such as logical computing units and registers (including but not limited to data registers and instruction registers) for loading programs and executing instructions. The controller 102 may also be located outside the processor 101; this embodiment is not limited in this respect.
  • The processor 101 includes, for example but not limited to, a central processing unit (CPU) or a special-purpose processor such as an artificial intelligence processor, a neural network processor, a digital signal processor or an image processor.
  • The controller 102 may include, but is not limited to, a memory management unit (MMU). As long as the controller 102 can convert the logical address into the physical address and implement the subsequent judgement process, its implementation form is not limited in this embodiment.
  • The electronic device 100 may also include one or more other components, such as a memory 103.
  • The memory 103 may, for example, include volatile memory such as dynamic random access memory (DRAM) and other components for storing instructions and data. The memory 103 may be integrated into the above SoC or provided outside it; Figure 1 schematically shows the case where the memory 103 is provided outside the SoC.
  • The memory 103 may store various operating system programs (such as general operating system programs and trusted operating system programs), application programs, instruction code and the data required for operation. The processor 101 and the controller 102 perform the functional applications and data processing of the electronic device 100 by loading programs and instructions and acquiring data.
  • The memory 103 may also include a cache, which may be integrated into the system on a chip.
  • The software running architecture of the electronic device 100 may be the Arm Confidential Compute Architecture (CCA) proposed by Arm.
  • The software running environment of the electronic device 100 can include a normal world, a secure world, a realm world and a root world, as shown in Figure 2. The normal world, secure world, realm world and root world correspond to different physical address spaces in the memory 103.
  • Software running in the normal world can only access the physical address space corresponding to the normal world in the memory 103; software running in the secure world can only access the physical address space corresponding to the secure world; software running in the realm world can only access the physical address space corresponding to the realm world; and software running in the root world can only access the physical address space corresponding to the root world.
  • The normal world has the lowest security and the root world the highest.
  • Software running in the normal world may include, for example, common application (AP) software, general operating system software and hypervisor software; software running in the secure world may include, for example but not limited to, trusted application software, trusted operating system software and secure partition manager (SPM) software; software running in the realm world may include, for example, realm management monitor (RMM) software and application software; software running in the root world may include, for example, monitor software.
  • The software described in the embodiments of the present application may include instructions and data. Switching between the normal world, the secure world and the realm world is monitored and carried out by the monitor.
  • Figure 2 also schematically shows the four exception levels EL0 to EL3. The above common applications, which are usually third-party applications such as video or shopping applications, and trusted applications can run at exception level EL0; general operating systems (such as Windows, Android, Red Hat Linux or the Hongmeng (HarmonyOS) operating system) and trusted operating systems can run at exception level EL1; hypervisors, secure partition managers and realm management monitors can run at exception level EL2; and monitors can run at exception level EL3. Exception level EL0 is the lowest and exception level EL3 the highest.
  • The realm world has hardware that is independent of the other worlds and is completely isolated from the hardware of all other non-root worlds. The realm world can run firmware and virtual machines specific to it.
  • The realm world can be initialized by the hypervisor software, and the virtual machines running in the realm world can be created and controlled by the hypervisor software in the normal world, but their execution takes place in the realm world. That is, once the realm world has been initialized, the software running in it, the important code or data it holds, and its state cannot be monitored or modified by any other software running on the electronic device 100, in particular by any software in the normal world.
  • For example, important data such as the kernel page table, the cred structure of a Linux process and the SELinux database are stored in the physical address space corresponding to the realm world in the memory 103, to ensure that they are neither monitored nor modified by software running in the normal world. This raises the operational security of the electronic device 100.
  • The electronic device 100 provided by the embodiment of the present application is provided with a mapping relationship between the physical address space and the access permissions of the above worlds. The following uses specific examples to explain this mapping relationship in detail.
  • FIG. 3 schematically shows the access rights of the above worlds to the physical address space in the memory 103, that is, the mapping relationship.
  • the physical address space 0x2000 ⁇ 0x2999 corresponds to secure world read/write only, that is, the software stored in this physical address space is limited to software other than those running in the secure world.
  • the software reads and rewrites, and other worlds cannot access it;
  • the physical address space 0x3000 ⁇ 0x3999 corresponds to normal world read/write only, that is, the software stored in this physical address space is limited to running It is read and rewritten by software in the normal world, and is inaccessible to other worlds;
  • the physical address space 0x4000 ⁇ 0x4999 corresponds to root world read/write only (root world read/write only), that is, the data stored in this physical address space
  • Software is limited to reading and rewriting by software running in the root world, and is inaccessible to other worlds;
  • the physical address space 0x5000~0x5999 corresponds to realm world read/write only, that is, the software stored in this physical address space can only be read and rewritten by software running in the realm world, and is inaccessible to other worlds.
  • the mapping relationship shown above limits the physical address space that software running in each world may both read and rewrite.
  • a physical address space in the memory 103 that software running in each world may only read, and may not rewrite, can also be defined.
  • the physical address space 0x7000~0x7999 corresponds to secure world read only, that is, the software stored in this physical address space can only be read by software running in the secure world; software running in the secure world cannot write to it, and other worlds cannot access this space;
  • the physical address space 0x8000~0x8999 corresponds to normal world read only, that is, the software stored in this physical address space can only be read by software running in the normal world, which cannot write to it, and other worlds cannot access this space;
  • the physical address space 0x9000~0x9999 corresponds to root world read only, that is, the software stored in this physical address space can only be read by software running in the root world, which cannot write to it, and other worlds cannot access this space;
  • the physical address space 0x10000~0x10999 corresponds to realm world read only, that is, the software stored in this physical address space can only be read by software running in the realm world; software running in the realm world cannot write to it, and other worlds cannot access this space.
  • the mapping relationship can also define physical address spaces in the memory 103 whose contents software running in each world may only execute, and may neither read nor rewrite.
  • the physical address space 0x11000~0x11999 corresponds to secure world execute only memory, that is, the software programs stored in this physical address space can only be executed by software running in the secure world and cannot be read or written; the physical address space 0x12000~0x12999 corresponds to normal world execute only memory, that is, the software programs stored in this physical address space can only be executed by software running in the normal world;
  • the physical address space 0x13000~0x13999 corresponds to root world execute only memory, that is, the software programs stored in this physical address space can only be executed by software running in the root world; the physical address space 0x14000~0x14999 corresponds to realm world execute only memory, that is, the software programs stored in this physical address space can only be executed by software running in the realm world.
  • the mapping relationship between the physical address space and the access permissions of the above-mentioned worlds may be stored in the memory 103.
  • for example, the memory 103 may store a page table dedicated to recording the mapping relationship between the physical address space and the access rights of each world.
  • the mapping relationship is recorded in that page table in the form of a mapping table.
  • the above mapping relationship can be stored in the physical address space corresponding to the root world (that is, exception level EL3) shown in Figure 2.
  • the physical address space used to store the above mapping relationship may be, for example, the physical address space 0x9000~0x9999 mentioned above, or another physical address space.
  • the physical address space used to store the above mapping relationship can be one that software running in the root world may only read and cannot rewrite. In this way an attacker who compromises the software running in the root world is still prevented from rewriting the mapping relationship, which improves the operating security of the electronic device 100.
  • the mapping relationship shown in Figure 3 is only schematic. In actual applications, the physical address space can be divided according to the memory capacity, and the mapping relationship between each divided physical address space and the access permissions of each world established accordingly. In addition, in the mapping relationship shown in Figure 3, the physical address space corresponding to each access permission is schematically shown as a single contiguous region.
  • each of the multiple access permissions shown in Figure 3 can correspond to multiple physical address spaces, and those physical address spaces can be continuous or discontinuous. For example, assume that in addition to the physical address spaces shown in Figure 3, the memory 103 is also provided with a physical address space 0x15000~0x15999 that is read only by the root world. In this example, the root world read only physical address space then comprises two discontinuous physical address spaces: 0x9000~0x9999 and 0x15000~0x15999.
  • a software architecture that only limits the physical address space that software running in each world may read and rewrite leaves an opening: an attacker who compromises the software running in a certain world can read or rewrite any instructions or data stored in the physical address space corresponding to that world, so that important instructions or data are leaked or rewritten, which creates security issues for the electronic device 100.
  • the embodiment of the present application therefore further limits a physical address space that software running in each world may only read (and cannot rewrite), and a physical address space that software running in each world may only execute (and cannot read or rewrite). Important instructions or data of the electronic device 100 can then be stored in the physical address space of the memory 103 that software running in each world may only read, and important instructions can be stored in the physical address space that software running in each world may only execute, which reduces the risk of important instructions or data being stolen or tampered with and improves the operating security of the electronic device 100.
  • this embodiment of the present application may use multiple bits to indicate the above access rights. That is to say, the mapping relationship between the physical address space and the access permissions of the above-mentioned worlds is recorded as a mapping between the physical address space and the bits used to indicate each access permission. For example, twelve access rights are shown above, and these twelve access rights can be represented by 4 bits. The correspondence between access rights and bits is shown in Figure 4, which also shows the mapping relationship between the bits and the physical address space.
  • in that correspondence, read/write limited to software running in the secure world is represented by the bits "1000", normal world "1001", root world "1010", and realm world "1011"; read only limited to software running in the secure world is represented by "0010", normal world "0100", root world "0101", and realm world "1010" (as printed, this duplicates the root world read/write code; the encoding in Figure 4 is authoritative); execute only limited to software running in the secure world is represented by "1100", normal world "1101", root world "1110", and realm world "0110".
  • the above describes the physical address space in the memory 103 that is exclusively for one world to access.
  • the memory 103 can also be provided with a physical address space for all worlds to read and write.
  • the memory 103 may also be provided with a physical address space that is prohibited from being accessed by any world.
  • the physical address space that can be read and written by all worlds, and the physical address space that no world may access, are both distinct from the physical address spaces described above.
  • for example, the physical address space 0x6000~0x6999 corresponds to any world read/write, that is, the software stored in this physical address space can be read and rewritten by software running in any of the above worlds.
  • the memory 103 may also include a physical address space, not shown in the figure, for storing information such as block descriptors (area description information) and table descriptors (page table description information). A block descriptor can be represented by the bits "0001" and a table descriptor by the bits "0011".
  • the restriction of the access of software running in each world to the physical address space is realized by the controller 102 executing a detection process, based on the physical address that the software currently running on the processor 101 wants to access, the current world of that software, the target access right of that software to the physical address, and the mapping relationship between the physical address space and the access rights of each world.
  • the workflow of the processor 101 usually includes multiple stages such as fetching instructions from the memory 103, decoding the instructions, and executing the instruction content. The processor 101 needs to obtain instructions from the memory 103 during the instruction fetch stage, and needs to read data from the memory 103 and write results back to the memory 103 during the execution stage. The restriction by the controller 102 of the access of software running in the current world to the physical address space can therefore be applied both to the instruction fetch stage and to the execution stage of the processor 101.
  • in either stage, the processor 101 provides the controller 102 with the logical address VA1 in the memory 103 that the currently running software wants to access, together with the target access right for the logical address VA1. The target access right is one of: reading an instruction or data, writing data, or executing an instruction program. The processor 101 may send the target access permission to the controller 102 at the same time as it provides the logical address VA1.
  • FIG. 5 shows a detection process 500 executed by the controller 102.
  • the detection process 500 includes the following processes.
  • Step 501 The controller 102 receives the logical address VA1 from the processor 101 and the target access permission to the logical address VA1.
  • the target access rights here include one of the following: reading instructions or data in the logical address, writing data to the logical address, or executing the software program stored in the logical address.
  • Step 502 The controller 102 converts the logical address VA1 into the physical address PA1.
  • Step 503 The controller 102 detects whether the physical address PA1 is within the preset physical address space corresponding to the current world of the current software. When it is, step 504 is executed; when the physical address PA1 is outside that preset physical address space, step 506 is executed.
  • Step 504 The controller 102 detects whether the target access permission is the same as the preset access permission of the current world to the preset physical address space. When it is, step 505 is executed; when it is different, step 506 is executed.
  • Access rights here include one of the following: reading or rewriting software stored in the physical address space, being limited to reading software stored in the physical address space, or being limited to executing software stored in the physical address space.
  • "the same as" here may also mean that the target access permission lies within the range of the preset access permission. For example, if the preset access permission allows the current world both to read and to rewrite the software in the preset physical address space, and the target access permission is to read, or to rewrite, then the target access right is regarded as the same as the preset access right of the current world to the preset physical address space.
  • Step 505 Allow the processor 101 to access the logical address VA1.
  • allowing the processor 101 to access the logical address VA1 may be implemented in a variety of ways.
  • for example, the controller 102 can directly provide the physical address PA1 obtained by converting the logical address VA1 to the processor 101, so that the processor 101 accesses the physical address PA1 in the memory 103: it reads instructions or data from PA1, writes data to PA1, or executes the program stored at PA1.
  • the electronic device 100 may also include a direct memory access (DMA) controller. In that case the controller 102 may provide the physical address PA1 to the DMA controller, so that the DMA controller moves the instructions or data stored at the physical address PA1 in the memory 103 to the storage area designated by the processor 101 or by another processor 101, or moves the data to be stored from the processor 101 or that storage area to the physical address PA1. Alternatively, the controller 102 can provide the physical address PA1 to the processor 101, and the processor 101 forwards it to the DMA controller, which then performs the same transfer.
  • Step 506 Send a signal indicating an error to the processor 101, so that the processor 101 performs a security protection operation. The security protection operation may include, but is not limited to, at least one of the following: resetting the processor 101, rejecting the access of the currently running software to the logical address, stopping the processor 101 from running, disabling at least some functions of the processor 101, and preventing the processor 101 from accessing the memory 103.
  • the security of software operation can thus be improved. The embodiment of the present application limits the physical address space that software running in each world may read and rewrite, the physical address space that it may only read (and cannot rewrite), and the physical address space that it may only execute (and cannot read or rewrite). Important instructions or data of the electronic device 100 can be stored in the memory 103 in the physical address space that software running in each world may only read, or important instructions can be stored in the physical address space that it may only execute.
  • in addition, the controller 102 determines, based on the world in which the processor 101 currently is, whether the physical address PA1 lies in the preset physical address space corresponding to the current world of the current software, and provides PA1 to the processor 101 only when the target access right is the same as the preset access right of the current world to that preset physical address space. This prevents an attacker who has compromised the software running in a world from reading or rewriting the instructions or data stored in the physical address space of that world, so that important instruction programs or data are neither leaked nor rewritten, which improves the operating security of the electronic device 100.
  • the controller 102 and the processor 101 can be connected through an electronic circuit. After the electronic device 100 is powered on, and whenever the world in which the processor 101 is currently located changes, the processor 101 can provide the controller 102, through this electronic circuit, with an indication signal indicating the world in which it is currently located.
  • the indication signal can be 2 bits: "00" indicates the normal world, "01" the secure world, "10" the root world, and "11" the realm world.
  • for example, when the processor 101 is running in the root world, it provides the indication signal "10" to the controller 102.
  • the controller 102 can determine the world in which the software running in the processor 101 is currently located based on the indication signal provided by the processor 101 .
  • FIGS. 6A to 6C are schematic diagrams of application scenarios of the detection process of the controller 102 .
  • in the first scenario (FIG. 6A), the controller 102 has obtained in advance, through the electronic circuit, an indication signal stating that the software currently running on the processor 101 is in the realm world. After receiving from the processor 101 the logical address VA2 and an access permission indicating that data is to be written to VA2, the controller 102 first converts the logical address VA2 into the physical address PA2 and then determines whether PA2 lies within the physical address space corresponding to the current world of the current software. As can be seen from Figure 3, the physical address space corresponding to the realm world includes the physical address spaces 0x5000~0x5999, 0x11000~0x11999 and 0x15000~0x15999.
  • assume that the physical address PA2 is 0x11500, that is, PA2 lies in the physical address space 0x11000~0x11999 shown in Figure 3, and so within the physical address space corresponding to the current world of the current software. From the mapping relationship shown in Figure 3, the physical address space 0x11000~0x11999 corresponds to realm world read only: the software at PA2 may only be read by software running in the realm world, software running in the realm world cannot write to it, and software running in other worlds cannot access PA2 at all.
  • the software currently running on the processor 101 wants to write data to the physical address PA2, but PA2 may only be read by realm world software and may not be rewritten; that is, the access right to the logical address VA2 sent by the processor 101 differs from the queried access right of the realm world to the physical address space 0x11000~0x11999. The controller 102 therefore transmits a signal indicating the error to the processor 101, so that the processor 101 performs security protection processing on the electronic device 100.
  • in the second scenario (FIG. 6B), the controller 102 has obtained in advance, through the electronic circuit, an indication signal stating that the software currently running on the processor 101 is in the normal world. As can be seen from Figure 3, the physical address space corresponding to the normal world includes the physical address spaces 0x3000~0x3999, 0x8000~0x8999 and 0x13000~0x13999.
  • assume that the physical address PA3 is 0x11501, that is, PA3 lies in the physical address space 0x11000~0x11999 shown in Figure 3, which corresponds to realm world read only. That is to say, the software at PA3 may only be read by software running in the realm world, and software running in other worlds cannot access PA3. The physical address PA3 is therefore outside the preset physical address space corresponding to the current world of the current software, and the controller 102 transmits a signal indicating the error to the processor 101, so that the processor 101 performs security protection processing on the electronic device 100.
  • in the third scenario (FIG. 6C), the controller 102 has obtained in advance, through the electronic circuit, an indication signal stating that the software currently running on the processor 101 is in the realm world. After receiving from the processor 101 the logical address VA4 and an access permission indicating that data is to be read from VA4, the controller 102 first converts the logical address VA4 into the physical address PA4. The physical address space corresponding to the realm world includes the physical address spaces 0x5000~0x5999, 0x11000~0x11999 and 0x15000~0x15999. Assume that PA4 is 0x11502, that is, PA4 lies in the physical address space 0x11000~0x11999 shown in Figure 3, and so within the physical address space corresponding to the current world of the current software.
  • from the mapping relationship shown in Figure 3, the physical address space 0x11000~0x11999 corresponds to realm world read only: the software at PA4 may only be read by software running in the realm world, software running in the realm world cannot write to it, and software running in other worlds cannot access PA4. The software currently running on the processor 101 wants to read data from the logical address VA4, and PA4 is likewise limited to reading by realm world software, so the access permission to VA4 sent by the processor 101 is the same as the queried access permission of the realm world to the physical address space 0x11000~0x11999. The controller 102 therefore provides the physical address PA4 to the processor 101, so that the software currently running on the processor 101 reads data from PA4.
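The per-world mapping relationship of Figure 3, the 4-bit permission codes of Figure 4 and steps 503 to 505 of detection process 500 reduce to a table lookup followed by two comparisons. The C program below is an added example written for this page, not code from the patent or from the applicant: it encodes the physical address ranges listed in the text, decodes each range's 4-bit code into a (world, allowed-access) pair, and applies the two checks of process 500 (is the address in a range owned by the current world; is the target access within that range's preset permission, so that a read/write range admits a plain read but a read-only range rejects a write). Three codes are assumptions because the text does not give usable values: the page's code for realm world read only ("1010") collides with root world read/write, so 0111 is used instead, and the any-world read/write and no-access regions are given 1111 and 0000. The demo replays scenarios 6A to 6C; the scenario text places them in 0x11000~0x11999, but the listing earlier on this page gives that range as secure world execute only and puts realm world read only at 0x10000~0x10999, so the example uses the latter.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Worlds, numbered as the 2-bit indication signal the processor drives to the
 * controller: 00 normal, 01 secure, 10 root, 11 realm. */
enum world { WORLD_NORMAL = 0, WORLD_SECURE = 1, WORLD_ROOT = 2, WORLD_REALM = 3 };
#define WORLD_ANY (-1)   /* marker for regions every world may access */

/* Target access the processor requests for one memory operation. */
enum access { ACC_READ = 1u << 0, ACC_WRITE = 1u << 1, ACC_EXEC = 1u << 2 };

/* One entry of the mapping table: a physical address range and its 4-bit code. */
struct region { uint64_t start, end; uint8_t code; };

/* 4-bit code -> (world, allowed access mask). The twelve per-world codes follow
 * the page's text for Figure 4, except realm read-only: the page prints 1010,
 * which collides with root read/write, so 0111 is ASSUMED here. The codes for
 * any-world read/write (1111) and no-access (0000) are also ASSUMED; the page
 * defines those regions but gives them no code. 0001 (block descriptor) and
 * 0011 (table descriptor) are deliberately absent: they describe page-table
 * structure, not a permission, and must never be accepted for a data region. */
static const struct { uint8_t code; int world; unsigned allowed; } code_map[] = {
    { 0x8, WORLD_SECURE, ACC_READ | ACC_WRITE }, { 0x9, WORLD_NORMAL, ACC_READ | ACC_WRITE },
    { 0xA, WORLD_ROOT,   ACC_READ | ACC_WRITE }, { 0xB, WORLD_REALM,  ACC_READ | ACC_WRITE },
    { 0x2, WORLD_SECURE, ACC_READ }, { 0x4, WORLD_NORMAL, ACC_READ },
    { 0x5, WORLD_ROOT,   ACC_READ }, { 0x7, WORLD_REALM,  ACC_READ },   /* 0x7 ASSUMED */
    { 0xC, WORLD_SECURE, ACC_EXEC }, { 0xD, WORLD_NORMAL, ACC_EXEC },
    { 0xE, WORLD_ROOT,   ACC_EXEC }, { 0x6, WORLD_REALM,  ACC_EXEC },
    { 0xF, WORLD_ANY, ACC_READ | ACC_WRITE },                            /* ASSUMED */
    { 0x0, WORLD_ANY, 0 },                                               /* ASSUMED */
};

/* The mapping relationship of Figure 3 as listed in the text, plus the
 * discontinuous second root-read-only range 0x15000~0x15999. */
static const struct region mapping[] = {
    { 0x2000,  0x2999,  0x8 }, { 0x3000,  0x3999,  0x9 }, { 0x4000,  0x4999,  0xA },
    { 0x5000,  0x5999,  0xB }, { 0x6000,  0x6999,  0xF },
    { 0x7000,  0x7999,  0x2 }, { 0x8000,  0x8999,  0x4 }, { 0x9000,  0x9999,  0x5 },
    { 0x10000, 0x10999, 0x7 }, { 0x11000, 0x11999, 0xC }, { 0x12000, 0x12999, 0xD },
    { 0x13000, 0x13999, 0xE }, { 0x14000, 0x14999, 0x6 }, { 0x15000, 0x15999, 0x5 },
};

enum verdict { ALLOW = 0, DENY_OUTSIDE_WORLD, DENY_PERMISSION, DENY_UNMAPPED };

/* Steps 503 and 504 of detection process 500, applied to an already-translated
 * physical address. "Same as the preset permission" is implemented as
 * "within": every requested access bit must be present in the region's mask. */
enum verdict check_access(enum world cur, uint64_t pa, unsigned target)
{
    for (size_t i = 0; i < sizeof mapping / sizeof mapping[0]; i++) {
        if (pa < mapping[i].start || pa > mapping[i].end)
            continue;
        for (size_t j = 0; j < sizeof code_map / sizeof code_map[0]; j++) {
            if (code_map[j].code != mapping[i].code)
                continue;
            if (code_map[j].world != WORLD_ANY && code_map[j].world != (int)cur)
                return DENY_OUTSIDE_WORLD;          /* step 503 fails */
            if (target == 0 || (target & ~code_map[j].allowed) != 0)
                return DENY_PERMISSION;             /* step 504 fails */
            return ALLOW;                           /* step 505 */
        }
        return DENY_UNMAPPED;                       /* descriptor code in a data region */
    }
    return DENY_UNMAPPED;                           /* address belongs to no world */
}

int main(void)
{
    static const char *names[] = { "allow", "deny: other world's space",
                                   "deny: permission mismatch", "deny: unmapped" };
    /* Scenarios 6A-6C of the text, replayed in the realm read-only range. */
    printf("6A realm write 0x10500: %s\n", names[check_access(WORLD_REALM,  0x10500, ACC_WRITE)]);
    printf("6B normal read 0x10501: %s\n", names[check_access(WORLD_NORMAL, 0x10501, ACC_READ)]);
    printf("6C realm read  0x10502: %s\n", names[check_access(WORLD_REALM,  0x10502, ACC_READ)]);
    printf("   normal exec 0x12010: %s\n", names[check_access(WORLD_NORMAL, 0x12010, ACC_EXEC)]);
    printf("   normal read 0x12010: %s\n", names[check_access(WORLD_NORMAL, 0x12010, ACC_READ)]);
    return 0;
}
```

Build with `cc -std=c11 -Wall world_check.c && ./a.out`. Two design points carry over to a real controller: the descriptor codes 0001 and 0011 are never decodable into a permission, so a corrupted or mis-typed table entry fails closed, and an address that matches no region is refused rather than defaulting to any-world access.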
  • the controller 102 can convert the logical address provided by the processor 101 into a physical address through multi-level translation and detection.
  • for example, the controller 102 can convert the logical address into a physical address through two-level translation. Specifically, the controller 102 queries the first page table at least once, converting the logical address into at least one level of intermediate address and detecting whether each level of intermediate address is allowed to be accessed; in addition, the controller 102 queries the second page table at least once to detect whether each such intermediate address is allowed to be accessed.
  • in other words, the controller 102 translates and detects the logical address by querying the first page table, converting it into the above-mentioned intermediate addresses, which are all physical addresses, and performs a permission check on each level of intermediate address; it then performs a further permission check on each level of intermediate address by querying the second page table.
  • the various levels of conversion set in the controller 102 may be set in the controller 102 through firmware in advance and cannot be changed after the controller 102 is powered on or during operation.
  • the above-mentioned first page table can be stored in the physical address space corresponding to the exception level EL1 shown in Figure 2 and can also be called the stage 1 table; the above-mentioned second page table is stored in the physical address space corresponding to the exception level EL3 shown in Figure 2 and can also be called the stage 3 table.
  • alternatively, the logical address can be converted into a physical address through three-level translation: the controller 102 translates and detects the logical address by querying the first page table, converting it into a first intermediate address, and performs permission detection on the first intermediate address, which is usually still a logical address; then the controller 102 converts the first intermediate address into a second intermediate address by querying the second page table and performs permission detection on the second intermediate address, which is usually a physical address; finally, the controller 102 performs a multi-level permission check on the converted second intermediate address by querying the third page table.
  • the following takes the conversion of the logical address provided by the processor 101 into a physical address through two-level translation and detection as an example, and describes the conversion performed by the controller 102 in more detail by way of the example shown in Figure 7.
  • the processor 101 provides the logical address VA1 to the controller 102; assume that the software currently running on the processor 101 is at the exception level EL0 shown in FIG. 2.
  • the controller 102 queries the first page table multiple times for translation and detection, queries the second page table multiple times for detection, and finally outputs the physical address PA1. In Figure 7, the horizontal direction shows the translation and detection performed by querying the first page table, and the vertical direction shows the detection performed by querying the second page table.
  • first stage, query of the first page table: based on the logical address VA1, the controller 102 queries the LV0 page table and finds the physical address PAlv1 of the LV1 page table stored in the LV0 page table; at the same time it detects this physical address to determine whether the access requested by the processor 101 is allowed. When the access is not allowed, the controller 102 may transmit a signal indicating an error to the processor 101; when the access is allowed, the controller 102 performs the following query of the second page table.
  • first stage, query of the second page table: based on the physical address PAlv1, the controller 102 queries the LV0 entry of the second page table and the detection content recorded there to detect whether access to PAlv1 is allowed. When it is not, the controller 102 may transmit a signal indicating an error to the processor 101; when it is, the controller 102 continues with the detection content recorded in LV1 of the second page table, again sending an error signal if access is refused and otherwise performing the first query of the second stage.
  • second stage, query of the first page table: through the physical address PAlv1, the controller 102 finds the physical address PAlv2 of the LV2 page table recorded in the LV1 page table and at the same time detects this physical address to determine whether the access requested by the processor 101 is allowed. When it is not, the controller 102 may transmit a signal indicating an error to the processor 101; when it is, the controller 102 performs the following query of the second page table.
  • second stage, query of the second page table: based on the physical address PAlv2, the controller 102 queries the detection content in LV0 and then in LV1 of the second page table to detect whether access to PAlv2 is allowed, transmitting a signal indicating an error to the processor 101 if either refuses it. When the access is allowed, the controller 102 looks up the physical address PAlv3 of the LV3 page table stored in the LV2 page table through PAlv2 and at the same time detects that physical address.
  • in this way the controller 102 alternates horizontal queries of the first page table (translation and detection) with vertical queries of the second page table (detection), level by level. When the translation and detection through the first page table and the detection through the second page table are complete and every detection indicates that access is allowed, the controller 102 outputs the physical address PA1 corresponding to the logical address VA1, completing the conversion from logical address to physical address.
  • the above describes, with reference to FIG. 7, the process by which the controller 102 converts the logical address VA1 into the physical address PA1 through two-level translation and detection with the first page table and the second page table. On the basis of the detection process 500 shown in FIG. 5, the detection process applied to the controller 102 can therefore refine the above steps 501 and 502 into the detection process 800 shown in FIG. 8.
  • the detection process 800 shown in Figure 8 includes the following steps:
  • Step 801 Based on the logical address VA1 obtained from the processor 101 and the requested access to VA1, convert the logical address VA1 into at least one level of intermediate address by querying, at least once, the first page table stored in the physical address space of exception level EL1.
  • Step 802 Based on the first page table, detect whether each level of intermediate address is allowed to be accessed; when every level is allowed, execute step 803; when any level of intermediate address is not allowed to be accessed, execute step 809.
  • Step 803 Query the second page table stored in the physical address space of exception level EL3 to detect whether each level of intermediate address is allowed to be accessed; when every level is allowed, execute step 804; when any intermediate address is not allowed to be accessed, execute step 809.
  • Step 804 Convert the last level of intermediate address into the physical address PA1 and detect whether PA1 is allowed to be accessed; when it is, execute step 805; when access to PA1 is not allowed, execute step 809.
  • Step 805 Query the second page table to detect whether the physical address PA1 is allowed to be accessed; when it is, execute step 806; when access to PA1 is not allowed, execute step 809.
  • Step 806 Detect whether the physical address PA1 is within the preset physical address space corresponding to the current world of the current software; when the controller 102 detects that the physical address PA1 is located within the preset physical address space corresponding to the current world of the current software, step 807 is executed; when the controller 102 detects that the physical address PA1 is located outside the preset physical address space corresponding to the current world of the current software, step 809 is executed.
  • Step 807 When it is detected that the target access permission is the same as the preset access permission of the current world to the preset physical address space, step 808 is executed; when the controller 102 detects that the target access permission is different from the preset access permission of the current world to the preset physical address space, step 809 is executed.
  • Step 808 Allow the processor 101 to access the logical address VA1.
  • Step 809 Send a signal indicating an error to the processor 101.
  • steps 806 to 809 are the same as steps 502 to 506 in the detection process 500 shown in FIG. 5 and will not be described again.
  • steps 801 to 805 refer to the relevant description of FIG. 7 and will not be described again.
  • in the conventional technology, the controller 102 converts a logical address into a physical address, which usually requires two-level address translation and detection. That is, after obtaining the logical address, the controller 102 first translates and detects the logical address by querying the first-level page table set in the exception level EL1, converting the logical address into an intermediate logical address; then, the controller 102 translates and detects the intermediate logical address by querying the second-level page table set in the exception level EL2, converting the intermediate logical address into a physical address.
  • in the embodiment of this application, the controller 102 translates and detects the logical address by querying the first page table and converts the logical address into an intermediate address, where the intermediate address is already a physical address; by querying the second page table, it checks the permissions on the converted intermediate address. That is, compared with the conversion of a logical address to a physical address shown in the prior art, the step of converting the logical address into an intermediate logical address is omitted: the second-level page table set at the exception level EL2 in the conventional technology for physical address detection is replaced by the second page table set at the exception level EL3 for permission detection of the intermediate-level physical address. This simplifies the steps of converting logical addresses into physical addresses and effectively protects the electronic device 100.
  • the electronic device 100 may further include a communication unit (not shown in the figure).
  • the communication unit includes, but is not limited to, a short-range communication unit or a cellular communication unit.
  • the short-range communication unit performs information interaction with other devices located outside the mobile terminal for accessing the Internet by running a short-range wireless communication protocol.
  • the short-range wireless communication protocol may include but is not limited to: various protocols supported by radio frequency identification technology, Bluetooth communication technology protocols, or infrared communication protocols, etc.
  • the cellular communication unit runs a cellular wireless communication protocol to connect to the wireless access network, realizing information interaction between the mobile communication unit and the servers in the Internet that support various applications.
  • the communication unit can be integrated in the same SOC with the processor 101 and controller 102 described in the embodiment of this application, or can be set up separately.
  • the electronic device 100 may optionally include a bus or an interface circuit, and the interface circuit may be, for example, an input/output port I/O, or the like.
  • the bus and interface circuit can be integrated with the above-mentioned processor 101 and controller 102 in the same SOC.
  • Interface circuitry is used to couple the controller 102 with the memory 103 . It should be understood that in actual applications, the electronic device 100 may include more or fewer components than shown in FIG. 1 , which is not limited by the embodiments of this application.
  • embodiments of the present application also provide a method for securely accessing software.
  • the method for securely accessing software is applied to the electronic device 100 as shown in FIG. 1 .
  • FIG. 9 shows a process 900 of a method for securely accessing software provided by an embodiment of the present application.
  • the process 900 of the method for securely accessing software can be executed by the controller 102 and includes the following steps: Step 901, based on the logical address to be accessed by the current software, convert the logical address into a physical address in the memory; Step 902, when the physical address is within the preset physical address space corresponding to the current world of the current software, and the target access permission of the current software to the logical address is the same as the preset access permission of the current world to the preset physical address space, allow the current software to access the logical address. The software running environment of the electronic device has multiple worlds, each world in the multiple worlds corresponds to at least two physical address spaces, the at least two physical address spaces correspond to different access rights respectively, and the current world is one of the multiple worlds; the access rights include one of the following: reading or rewriting software stored in the physical address space, only reading software stored in the physical address space, and only executing software stored in the physical address space.
  • the method 900 further includes: performing a security protection operation when at least one of the following holds: the physical address is outside the preset physical address space corresponding to the current world of the current software, or the target access permission is different from the preset access permission.
  • the method 900 further includes: determining the preset physical address space and the preset access permission corresponding to the current world according to a pre-stored mapping relationship; wherein the mapping relationship is used to indicate the at least two physical address spaces of each world in the plurality of worlds and the different access rights to the at least two physical address spaces; the mapping relationship is stored in the memory.
  • converting the logical address into a physical address in the memory includes: querying the first page table at least once and the second page table at least once based on the logical address; the first page table is used to convert the logical address into at least one level of intermediate address; when each level of the at least one level of intermediate address is allowed to be accessed, the last level of the at least one level of intermediate address is converted into the physical address; wherein the first page table records the at least one level of intermediate address and the access rights of each world in the plurality of worlds to the at least one level of intermediate address, and the second page table records the access rights of each world in the plurality of worlds to the at least one level of intermediate address.
  • the method 900 further includes: performing a security protection operation when at least one level of intermediate address is not allowed to be accessed.
  • the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functionality of the processor, and preventing the processor from accessing the memory.
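A software model of the detection process 800 (steps 801 to 809) above and of the method 900 (steps 901 and 902), added here as an illustrative example; it is not code from the patent, and the two worlds, the contents of the EL1 and EL3 page tables and the address ranges it uses are constructed assumptions. Step 807 is implemented as a subset check, following the first aspect's remark that a target access within the range of the preset access permission counts as the same, and the constructed EL1 table deliberately grants write on a page whose world mapping is read-only, so the run shows the preset-rights check refusing what the page table alone would have allowed.

```python
"""Software model of the controller's detection process 800 / method 900. Added,
constructed example: worlds, page tables and address ranges are assumptions."""
from enum import Enum

class Access(Enum):
    """How the current software wants to touch the logical address (target access)."""
    READ, WRITE, EXEC = "read", "write", "execute"

class Right(Enum):
    """Preset access right of a world to one of its physical address spaces."""
    READ_WRITE = frozenset({Access.READ, Access.WRITE})  # read or rewrite software
    READ_ONLY = frozenset({Access.READ})                 # limited to reading software
    EXEC_ONLY = frozenset({Access.EXEC})                 # limited to executing software

class AccessError(Exception):
    """Models the error signal of step 809; `step` records which check failed."""
    def __init__(self, step, reason):
        super().__init__(f"step {step}: {reason}")
        self.step = step

# Constructed address layout: two 8-bit table indices above a 16-bit page offset.
LEVEL_SHIFTS = (24, 16)
OFFSET_MASK = 0xFFFF
ROOT_TABLE = 0x0010_0000
R, W, X = Access.READ, Access.WRITE, Access.EXEC

# First page table (exception level EL1): table base -> {index: (next intermediate
# address, which is already a physical address, {world: set of Access granted})}.
FIRST_PT = {
    ROOT_TABLE: {
        0x00: (0x0020_0000, {"normal": {R, W, X}, "secure": {R, W, X}}),
        0x01: (0x0030_0000, {"secure": {R, W, X}}),
    },
    0x0020_0000: {
        0x00: (0x4000_0000, {"normal": {R, W}, "secure": {R, W}}),
        # The EL1 table (editable by a compromised OS) claims this page is
        # writable for the normal world; the world mapping below says read-only.
        0x01: (0x5000_0000, {"normal": {R, W}, "secure": {R}}),
        0x02: (0x6000_0000, {"normal": {R, X}, "secure": {X}}),
        0x03: (0x7000_0000, {"normal": {R}}),
    },
    0x0030_0000: {0x00: (0x8000_0000, {"secure": {R, W}})},
}

# Second page table (exception level EL3): intermediate address -> world -> allowed?
SECOND_PT = {
    0x0020_0000: {"normal": True, "secure": True},
    0x0030_0000: {"normal": False, "secure": True},
    0x4000_0000: {"normal": True, "secure": True},
    0x5000_0000: {"normal": True, "secure": True},
    0x6000_0000: {"normal": True, "secure": True},
    0x7000_0000: {"normal": False, "secure": False},
    0x8000_0000: {"normal": False, "secure": True},
}

# Pre-stored mapping relationship: world -> [(start, end, preset right)].
MAPPING = {
    "normal": [(0x4000_0000, 0x4001_0000, Right.READ_WRITE),
               (0x5000_0000, 0x5001_0000, Right.READ_ONLY),
               (0x6000_0000, 0x6001_0000, Right.EXEC_ONLY)],
    "secure": [(0x4000_0000, 0x4001_0000, Right.READ_WRITE),
               (0x8000_0000, 0x8001_0000, Right.READ_WRITE)],
}

def translate(va, world, target, first_pt=FIRST_PT, second_pt=SECOND_PT, mapping=MAPPING):
    """Steps 801-808: return PA1 for VA1, or raise AccessError (step 809)."""
    table, addr = ROOT_TABLE, None
    for shift in LEVEL_SHIFTS:
        last = shift == LEVEL_SHIFTS[-1]
        entry = first_pt.get(table, {}).get((va >> shift) & 0xFF)
        if entry is None:
            raise AccessError(801, f"no first page table entry for VA {va:#010x}")
        addr, rights = entry
        # Steps 802 / 804: detection against the first page table (EL1).
        if target not in rights.get(world, set()):
            raise AccessError(804 if last else 802, f"EL1 table denies {target.value}")
        # Steps 803 / 805: detection against the second page table (EL3).
        if not second_pt.get(addr, {}).get(world, False):
            raise AccessError(805 if last else 803, f"EL3 table denies world {world}")
        table = addr
    pa = addr | (va & OFFSET_MASK)  # last-level intermediate address -> PA1
    # Step 806: PA1 must lie in a preset physical address space of the current world.
    for start, end, preset in mapping.get(world, ()):
        if start <= pa < end:
            # Step 807: target access must fall within that space's preset right.
            if target not in preset.value:
                raise AccessError(807, f"{preset.name} space refuses {target.value}")
            return pa  # Step 808: access allowed
    raise AccessError(806, f"PA {pa:#010x} outside the preset spaces of {world}")

def check(va, world, target):
    """Returns ('allow', PA1) or ('error', number of the check that failed)."""
    try:
        return ("allow", translate(va, world, target))
    except AccessError as err:
        return ("error", err.step)
```

The normal-world write to VA 0x00010010 passes both page tables and is refused only at step 807, which is the backstop the world mapping provides against a page table the operating system controls.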
  • the controller 102 includes hardware and/or software modules corresponding to each function.
  • the present application can be implemented in the form of hardware or a combination of hardware and computer software. Whether a function is performed by hardware or computer software driving the hardware depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions in conjunction with the embodiments for each specific application, but such implementations should not be considered to be beyond the scope of this application.
  • the controller 102 can be divided into functional modules according to the above method examples.
  • different functional modules can be divided corresponding to each function, or two or more functions can be integrated into one processing module.
  • the above integrated modules can be implemented in the form of hardware. It should be noted that the division of modules in this embodiment is schematic and is only a logical function division. In actual implementation, there may be other division methods.
  • Figure 10 shows a possible schematic diagram of the device 1000 involved in the above embodiment.
  • the previously mentioned device can be further expanded.
  • the device 1000 corresponding to Figure 10 may be a software device running on the controller 102, or may be a combination of software and hardware embedded in the controller 102.
  • the device 1000 may include: a conversion module 1001, configured to convert the logical address to be accessed by the current software into a physical address in the memory based on that logical address; and an access allowing module 1002, configured to allow the current software to access the logical address when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission of the current software to the logical address is the same as the preset access permission of the current world to the preset physical address space; wherein the software running environment of the electronic device has multiple worlds, each world in the multiple worlds corresponds to at least two physical address spaces, the at least two physical address spaces correspond to different access rights respectively, and the current world is one of the multiple worlds.
  • the access rights include one of the following: reading or rewriting software stored in the physical address space, limited to reading software stored in the physical address space, limited to executing software stored in the physical address space.
  • the device 1000 further includes: a first security protection module (not shown in the figure), configured to perform a security protection operation when at least one of the following holds: the physical address is outside the preset physical address space corresponding to the current world of the current software, or the target access permission is different from the preset access permission.
  • the device further includes: a determining module (not shown in the figure), configured to determine, according to a pre-stored mapping relationship, the preset physical address space and the preset access rights corresponding to the current world; wherein the mapping relationship is used to indicate the at least two physical address spaces of each world in the plurality of worlds and the different access rights to the at least two physical address spaces; the mapping relationship is stored in the memory.
  • the conversion module 1001 is specifically configured to: based on the logical address, query at least one preset first page table and at least one preset second page table respectively; according to the first page table, convert the logical address into at least one level of intermediate address; according to the first page table and the second page table, when each level of the at least one level of intermediate address is allowed to be accessed, convert the last level of the at least one level of intermediate address into the physical address; wherein the first page table records the at least one level of intermediate address and the access rights of each world in the plurality of worlds to the at least one level of intermediate address, and the second page table records the access rights of each world in the plurality of worlds to the at least one level of intermediate address.
  • the device 1000 further includes: a second security protection module (not shown in the figure), configured to perform a security protection operation when there is at least one level of intermediate address that is not allowed to be accessed.
  • the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functionality of the processor, and preventing the processor from accessing the memory.
  • each module corresponding to the above figure 10 may include software, hardware, or a combination of both.
  • each module can be implemented in the form of software and used to drive the controller 102 to work.
  • each module may include a corresponding processor and corresponding driver software, that is, implemented in combination with software or hardware.
  • the above controller 102 may also include at least one processor and memory.
  • at least one processor can call all or part of the computer program stored in the memory to control and manage the actions of the controller 102.
  • the memory can be used to support the controller 102 to execute and store program codes and data, and the memory includes but is not limited to at least a part of the storage space, cache (Cache) or registers of the memory 103 mentioned above.
  • the at least one processor may implement or execute the various exemplary logic modules described in conjunction with the present disclosure, and may be a combination of one or more microprocessors that implement computing functions.
  • at least one processor may also include other programmable logic devices, transistor logic devices, or discrete hardware components.
  • This embodiment also provides a computer-readable storage medium.
  • computer instructions are stored in the computer-readable storage medium; when the computer instructions are run on a computer, they cause the computer to execute the above related method steps to implement the method for securely accessing software in the above embodiments.
  • This embodiment also provides a computer program product.
  • when the computer program product is run on a computer, it causes the computer to perform the above related steps to implement the method for securely accessing software in the above embodiment.
  • the computer-readable storage medium or computer program product provided by this embodiment is used to execute the corresponding method provided above. Therefore, the beneficial effects it can achieve can be referred to the corresponding method provided above. The beneficial effects will not be repeated here.
  • each functional unit in each embodiment of the present application can be integrated into one product, or each unit can exist physically separately, or two or more units can be integrated into one product.
  • the above modules are implemented in the form of software functional units and sold or used as independent products, they can be stored in a readable storage medium.
  • the technical solutions of the embodiments of the present application, in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product; the software product is stored in a storage medium and includes several instructions to cause a device (which may be a microcontroller, a chip, etc.) or a processor to execute all or part of the steps of the methods of the various embodiments of the present application.
  • the aforementioned readable storage media include: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Abstract

Provided in the present application are an electronic apparatus, and a method for securely accessing software. The electronic apparatus provided in the present application comprises a processor and a controller. The processor is used for running the current software, and sending to the controller a logical address to be accessed by the current software and a target access permission of the software for the logical address; and the controller is used for converting the logical address into a physical address in the processor, and allowing, when the physical address is in a preset physical address space corresponding to the current world of the current software and the target access permission is the same as a preset access permission of the current world for the preset physical address space, the processor to access the logical address, wherein a software running environment of the electronic apparatus has a plurality of worlds, each of the plurality of worlds corresponds to at least two physical address spaces, the at least two physical address spaces respectively correspond to different access permissions, and the current world is one of the plurality of worlds. By means of the electronic apparatus provided in the present application, the security of the run software can be improved.

Description

Electronic device and method for securely accessing software
This application claims priority to the Chinese patent application filed with the China Patent Office on July 30, 2022, with application number 202210911423.3 and titled "Electronic device and method for securely accessing software", the entire content of which is incorporated into this application by reference.
Technical field
Embodiments of the present application relate to the field of computer security, and in particular to an electronic device and a method for securely accessing software.
Background
With the rapid development of Internet technology and computer technology, electronic devices such as terminals and servers have more and more functions, and to support the operation of these electronic devices, they store more and more important data. This important data includes, for example, but is not limited to, kernel page tables, the cred structure of Linux processes, the SELinux database, biometric data (fingerprint data, facial image data), key data or certificate data. Therefore, the requirements for the security of the operating environment of electronic devices are getting higher and higher.
To ensure the security of the operating environment of an electronic device, the prior art sets the software operating environment of the electronic device into multiple worlds (for example, a normal world and a secure world) and limits the physical address space that each world can access. Access here means reading instructions or data stored in the physical address space, or writing data into the physical address space. This leaves the possibility that a hacker attacks the software running in a world and, through that software, rewrites the instructions or data stored in the physical address space of the corresponding world, so that important data is leaked or rewritten. How to improve the security of running software therefore remains a problem to be solved.
Summary of the invention
The electronic device and the method for securely accessing software provided by this application can improve the security of the software being run. To achieve the above objective, this application adopts the following technical solutions.
In a first aspect, embodiments of the present application provide an electronic device. The electronic device includes a processor and a controller. The processor is configured to run current software and to send to the controller the logical address to be accessed by the current software and the target access permission of the current software to the logical address. The controller is configured to: receive the logical address and the target access permission from the processor; convert the logical address into a physical address in a memory; and, when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission is the same as the preset access permission of the current world to the preset physical address space, allow the processor to access the logical address. The software running environment of the electronic device has multiple worlds, each of the multiple worlds corresponds to at least two physical address spaces, the at least two physical address spaces correspond to different access permissions respectively, and the current world is one of the multiple worlds. The access permission is one of the following: reading or rewriting software stored in the physical address space, only reading software stored in the physical address space, and only executing software stored in the physical address space.
In the embodiments of the present application, the target access permission being the same as the preset access permission of the current world to the preset physical address space may also mean that the target access permission falls within the range of the preset access permission. For example, when the preset access permission allows the current world both to read and to rewrite the software in the preset physical address space, and the target access permission is read only, rewrite only, or both read and rewrite of the software at the logical address, the target access permission is in each case understood to be the same as the preset access permission of the current world to the preset physical address space.
In conventional technology, only the physical address space that the software running in each world can read and rewrite is defined. As a result, a hacker who attacks the software running in a certain world can read or rewrite the instructions or data stored in the physical address space corresponding to that world, so that important instructions or data stored in the physical address space are leaked or rewritten, leading to security problems for the electronic device. The embodiments of the present application define, for each world, the physical address space that the software running in that world can read and rewrite, the physical address space that it can only read (not rewrite), and the physical address space that it can only execute (neither read nor rewrite). Important instructions or data in the electronic device can thus be stored in the memory within a physical address space that the software running in each world can only read, or important instructions can be stored within a physical address space that the software running in each world can only execute. In addition, based on the world in which the software currently running on the processor is located and the access method to the logical address, the controller determines whether the physical address is within the preset physical address space corresponding to the current world of the current software and whether the current world's target access permission to the physical address space is the preset access permission; only when both conditions are satisfied is the physical address provided to the processor. This prevents a hacker from rewriting the instructions or data stored in a world's physical address space by attacking the software running in that world, so that important instruction programs or data are not leaked or rewritten, which improves the security of operation of the electronic device.
In one possible implementation, the physical address provided by the controller to the processor may be a valid address, so that the processor can access instructions or data at the corresponding physical address in the memory based on this valid address. In other possible implementations, the physical address provided by the controller to the processor may be a null address, in which case the processor can execute other process steps without obtaining instructions or data from the memory.
In one possible implementation, the controller is further configured to send a signal indicating an error to the processor when at least one of the following holds: the physical address is outside the preset physical address space corresponding to the current world of the current software, or the target access permission is different from the preset access permission.
In one possible implementation, the processor is further configured to perform a security protection operation based on the signal indicating an error, the security protection operation including at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functionality of the processor, and preventing the processor from accessing the memory.
In one possible implementation, the electronic device further includes the memory, and the memory is further configured to store a mapping relationship between the at least two physical address spaces of each of the multiple worlds and the different access permissions to the at least two physical address spaces; the controller is further configured to determine, according to the mapping relationship, the preset physical address space and the preset access permission corresponding to the current world.
In one possible implementation, when converting the logical address into the physical address, the controller is specifically configured to: query a preset first page table at least once and a preset second page table at least once based on the logical address; convert the logical address into at least one level of intermediate address according to the first page table; and, according to the first page table and the second page table, when every level of the at least one level of intermediate address is allowed to be accessed, convert the last level of the at least one level of intermediate address into the physical address. The first page table records the at least one level of intermediate address and the access permission of each of the multiple worlds to the at least one level of intermediate address; the second page table records the access permission of each of the multiple worlds to the at least one level of intermediate address.
In conventional technology, converting a logical address into a physical address by the controller usually requires two stages of address translation and checking. That is, after obtaining the logical address, the controller first translates and checks the logical address by querying a first-stage page table located at exception level EL1, converting the logical address into an intermediate logical address; the controller then translates and checks the intermediate logical address by querying a second-stage page table located at exception level EL2, converting the intermediate logical address into a physical address.
In the embodiments of this application, the controller translates and checks the logical address by querying the first page table, converting the logical address into an intermediate address, and this intermediate address is a physical address; by querying the second page table, the controller performs a permission check on the intermediate address. Compared with the logical-to-physical address conversion of the prior art, the step of converting the logical address into an intermediate logical address is omitted, which simplifies the conversion from logical address to physical address and also dispenses with the space originally used to store the intermediate logical address, saving storage space.
In a possible implementation, the controller is further configured to transmit a signal indicating an error to the processor when at least one level of intermediate address is not allowed to be accessed.
In a possible implementation, the electronic apparatus includes a plurality of exception levels, each exception level corresponds to a section of physical address space in the memory, and software running at a lower exception level is prohibited from accessing the physical address space corresponding to a higher exception level; the mapping relationship is stored in the physical address space corresponding to the highest exception level among the plurality of exception levels.
In a possible implementation, the first page table is stored in the physical address space corresponding to a first exception level among the plurality of exception levels, the first exception level being an exception level lower than the highest exception level; the second page table is stored in the physical address space corresponding to the highest exception level.
In the embodiments of this application, the second-stage page table that conventional technology places at exception level EL2 to convert the intermediate logical address into an intermediate-level address and to check the intermediate-level address is replaced by a second page table placed at exception level EL3 that checks the intermediate-level address. Since the security of exception level EL3 is far higher than that of exception level EL2, the electronic apparatus can be protected effectively.
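The translation path described above, as an added model that is not code from the patent: a first page table (held at EL1) maps a logical page through one or more levels of intermediate address and records which worlds may access each level, while a second page table (held at EL3) independently records each world's permission for every intermediate address; the last intermediate address already is the physical address. The page size, world names and all table contents are constructed for illustration.

```python
# Added example, not code from the patent: model of the two-page-table translation.
# The first page table (EL1) yields one or more levels of intermediate address and
# the worlds allowed at each level; the second page table (EL3) records, for each
# intermediate address, the worlds allowed by the highest exception level. Access is
# granted only when BOTH tables allow the current world at EVERY level.

NORMAL, SECURE, REALM, ROOT = "normal", "secure", "realm", "root"

PAGE_MASK = 0xF000            # constructed: 4 KiB pages
OFFSET_MASK = ~PAGE_MASK

# First page table (constructed): logical page -> [(intermediate address, worlds allowed), ...]
FIRST_PAGE_TABLE = {
    0x1000: [(0x8000, {NORMAL, SECURE}), (0x3000, {NORMAL, SECURE})],
    0x2000: [(0x9000, {REALM}),          (0x5000, {REALM})],
}

# Second page table (constructed), stored at the highest exception level:
# intermediate address -> worlds allowed. EL3 can withdraw what EL1 granted.
SECOND_PAGE_TABLE = {
    0x8000: {NORMAL, SECURE},
    0x3000: {NORMAL},          # secure world granted by EL1 but denied by EL3
    0x9000: {REALM},
    0x5000: {ROOT},            # realm world granted by EL1 but denied by EL3
}


def translate(logical_addr, current_world):
    """Return (physical_address, None) when every level is allowed, otherwise
    (None, reason); the reason stands in for the error signal sent to the processor."""
    page, offset = logical_addr & PAGE_MASK, logical_addr & OFFSET_MASK
    levels = FIRST_PAGE_TABLE.get(page)
    if levels is None:
        return None, f"no first page table entry for logical page {page:#x}"
    for level, (intermediate, allowed_by_first) in enumerate(levels, start=1):
        if current_world not in allowed_by_first:
            return None, f"level {level}: first page table denies the {current_world} world"
        if current_world not in SECOND_PAGE_TABLE.get(intermediate, set()):
            return None, f"level {level}: second page table denies the {current_world} world"
    # The last intermediate address is the physical page; no intermediate logical
    # address is produced or stored, which is the saving the patent describes.
    last_intermediate = levels[-1][0]
    return last_intermediate | offset, None


if __name__ == "__main__":
    for world in (NORMAL, SECURE, REALM, ROOT):
        for logical in (0x1234, 0x2ABC):
            print(f"{world:>6} {logical:#07x} -> {translate(logical, world)}")
```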
In a possible implementation, the electronic apparatus further includes a direct memory access controller; allowing the processor to access the logical address specifically includes providing the physical address to the direct memory access controller, and the direct memory access controller is configured to provide the instructions or data at the physical address to the processor.
In a second aspect, embodiments of this application provide a method for securely accessing software. The method includes: based on the logical address to be accessed by the current software, converting the logical address into a physical address in the memory; and, when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission of the current software for the logical address is the same as the preset access permission of the current world for the preset physical address space, allowing the current software to access the logical address; where the software running environment of the electronic apparatus has a plurality of worlds, each world in the plurality of worlds corresponds to at least two physical address spaces and to different access permissions for the at least two physical address spaces, and the current world is one of the plurality of worlds; the access permission includes one of the following: reading or rewriting the software stored in the physical address space, only reading the software stored in the physical address space, and only executing the software stored in the physical address space.
In a possible implementation, the method further includes performing a security protection operation when at least one of the following is satisfied: the physical address is outside the preset physical address space corresponding to the current world of the current software, and the target access permission differs from the preset access permission.
In a possible implementation, the method further includes determining, according to a prestored mapping relationship, the preset physical address space and the preset access permission corresponding to the current world; where the mapping relationship is used to indicate the at least two physical address spaces of each world in the plurality of worlds and the different access permissions for the at least two physical address spaces, and the mapping relationship is stored in the memory.
In a possible implementation, converting the logical address into a physical address in the memory specifically includes: based on the logical address, querying a first page table at least once and a second page table at least once; according to the first page table, converting the logical address into at least one level of intermediate address; and, when every level of the at least one level of intermediate address is allowed to be accessed, converting the last level of the at least one level of intermediate address into the physical address; where the first page table records the at least one level of intermediate address and the access permission of each world in the plurality of worlds to the at least one level of intermediate address, and the second page table records the access permission to the at least one level of intermediate address.
In a possible implementation, the method further includes performing a security protection operation when a level of intermediate address is not allowed to be accessed.
In a possible implementation, the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functions of the processor, and preventing the processor from accessing the memory.
In a third aspect, embodiments of this application provide an apparatus. The apparatus includes: a conversion module, configured to convert, based on the logical address to be accessed by the current software, the logical address into a physical address in the memory; and an access permitting module, configured to allow the current software to access the logical address when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access permission of the current software for the logical address is the same as the preset access permission of the current world for the preset physical address space; where the software running environment of the electronic apparatus has a plurality of worlds, each world in the plurality of worlds corresponds to at least two physical address spaces and to different access permissions for the at least two physical address spaces, and the current world is one of the plurality of worlds; the access permission includes one of the following: reading or rewriting the software stored in the physical address space, only reading the software stored in the physical address space, and only executing the software stored in the physical address space.
In a possible implementation, the apparatus further includes a first security protection module, configured to perform a security protection operation when at least one of the following is satisfied: the physical address is outside the preset physical address space corresponding to the current world of the current software, and the target access permission differs from the preset access permission.
In a possible implementation, the apparatus further includes a determining module, configured to determine, according to a prestored mapping relationship, the preset physical address space and the preset access permission corresponding to the current world; where the mapping relationship is used to indicate the at least two physical address spaces of each world in the plurality of worlds and the different access permissions for the at least two physical address spaces, and the mapping relationship is stored in the memory.
In a possible implementation, the conversion module is specifically configured to: based on the logical address, query a preset first page table at least once and a preset second page table at least once; according to the first page table, convert the logical address into at least one level of intermediate address; and, according to the first page table and the second page table, when every level of the at least one level of intermediate address is allowed to be accessed, convert the last level of the at least one level of intermediate address into the physical address; where the first page table records the at least one level of intermediate address and the access permission of each world in the plurality of worlds to the at least one level of intermediate address, and the second page table records the access permission of each world in the plurality of worlds to the at least one level of intermediate address.
In a possible implementation, the apparatus further includes a second security protection module, configured to perform a security protection operation when at least one level of intermediate address is not allowed to be accessed.
In a possible implementation, the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functions of the processor, and preventing the processor from accessing the memory.
In a fourth aspect, embodiments of this application provide a system-on-chip. The apparatus includes a controller and an interface circuit, the interface circuit is configured to be coupled to a memory, and the memory stores an instruction program; the controller is configured to call all or part of the computer program stored in the memory and perform the method described in the second aspect.
In a fifth aspect, embodiments of this application provide a computer-readable storage medium. The computer-readable storage medium stores a computer program, and when the computer program is executed by a controller it implements the method described in the second aspect.
In a sixth aspect, embodiments of this application provide a computer program product, which, when executed by a controller, implements the method described in the second aspect.
It should be understood that the second to sixth aspects of this application are consistent with the technical solution of the first aspect, and the beneficial effects achieved by each aspect and its corresponding feasible implementations are similar and are not described again.
Description of the drawings
To describe the technical solutions in the embodiments of this application more clearly, the following briefly introduces the drawings needed for describing the embodiments. Obviously, the drawings in the following description show only some embodiments of this application, and a person of ordinary skill in the art may derive other drawings from these drawings without creative effort.
Figure 1 is a schematic diagram of a hardware structure of an electronic apparatus provided by an embodiment of this application;
Figure 2 is a schematic diagram of a software architecture of the electronic apparatus provided by an embodiment of this application;
Figure 3 is a schematic diagram of the mapping relationship between physical address ranges in the memory and the access permissions of each world, provided by an embodiment of this application;
Figure 4 is a schematic diagram of the mapping relationship among the access permissions of each world, the corresponding bits, and the physical address ranges in the memory, provided by an embodiment of this application;
Figure 5 is a flowchart of a checking method applied to a controller, provided by an embodiment of this application;
Figures 6A to 6C are schematic diagrams of application scenarios based on the checking method shown in Figure 5, provided by embodiments of this application;
Figure 7 is a schematic diagram of the conversion flow in which the controller converts a logical address into a physical address, provided by an embodiment of this application;
Figure 8 is another flowchart of a checking method applied to a controller, provided by an embodiment of this application;
Figure 9 is a flowchart of a method for securely accessing software, provided by an embodiment of this application;
Figure 10 is a schematic structural diagram of an apparatus provided by an embodiment of this application.
Detailed description of the embodiments
The technical solutions in the embodiments of this application are described clearly and completely below with reference to the drawings in the embodiments. Obviously, the described embodiments are some rather than all of the embodiments of this application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of this application without creative effort fall within the protection scope of this application.
The terms "first", "second" and similar words used herein do not denote any order, quantity or importance, but are only used to distinguish different components. Likewise, words such as "a" or "an" do not denote a quantity limitation but indicate the presence of at least one.
In the embodiments of this application, words such as "exemplary" or "for example" are used to indicate an example, an illustration or a description. Any embodiment or design described as "exemplary" or "for example" in the embodiments of this application should not be construed as being preferred or more advantageous than other embodiments or designs. Rather, the use of words such as "exemplary" or "for example" is intended to present the related concept in a concrete manner. In the description of the embodiments of this application, unless otherwise stated, "a plurality of" means two or more.
Refer to Figure 1, which shows a schematic hardware architecture diagram of an electronic apparatus 100 provided by an embodiment of this application. The electronic apparatus 100 may be located in a terminal. The terminal may be a user equipment (UE), such as a mobile phone, a tablet computer, a wearable device (such as a smart watch) or another type of portable terminal device. Figure 1 is only one example of the electronic apparatus 100; alternatively, the electronic apparatus 100 may be any type of device, such as a chip, a chipset, or a circuit board carrying a chip or chipset, which this embodiment does not limit. The chip, the chipset, or the circuit board carrying the chip or chipset can operate under suitable software drivers. The electronic apparatus 100 includes a processor 101 and a controller 102. Optionally, the processor 101 and the controller 102 may be integrated into one or more chips, and the one or more chips may be regarded as a chipset; when one or more processors are integrated into the same chip, that chip is also called a system on a chip (SOC), as shown in Figure 1. The processor 101 may include components used for loading programs and executing instruction content, such as a logical computing unit and registers (including but not limited to data registers and instruction registers); the controller 102 may also be located outside the processor 101, which this embodiment does not limit. The processor 101 includes, for example but not limited to, a central processing unit (CPU) or a special-purpose processor; for example, the special-purpose processor includes an artificial intelligence processor, a neural network processor, a digital signal processor, or an image processing processor. The controller 102 may include, but is not limited to, a memory management unit (MMU). As long as the controller 102 can perform the logical-to-physical address conversion and carry out the subsequent determination process, its implementation form is not limited in this embodiment. The electronic apparatus 100 may further include one or more other components, such as a memory 103. The memory 103 may, by way of example, include volatile memory, such as dynamic random access memory (DRAM), and other components for storing instructions and data. The memory 103 may optionally be integrated into the above SOC or arranged outside it. Figure 1 schematically shows the case in which the memory 103 is arranged outside the SOC. The memory 103 may store various operating system programs (for example, general-purpose operating system programs and trusted operating system programs), application programs, and the instruction code and data required for operation. The processor 101 and the controller 102 execute the various functional applications and data processing of the electronic apparatus 100 by loading programs and instructions and obtaining data. Optionally, the memory 103 may further include a cache, and the cache may be integrated into the system on a chip.
In the embodiments of this application, the software running architecture of the electronic apparatus 100 may be the Arm Confidential Compute Architecture (CCA) proposed by Arm. Under the Arm CCA architecture, the software running environment of the electronic apparatus 100 may include a normal world, a secure world, a realm world and a root world, as shown in Figure 2. The normal world, secure world, realm world and root world correspond to different physical address spaces in the memory 103. Software running in the normal world can only access the physical address space corresponding to the normal world; software running in the secure world can only access the physical address space in the memory 103 corresponding to the secure world; software running in the realm world can only access the physical address space in the memory 103 corresponding to the realm world; and software running in the root world can only access the physical address space in the memory 103 corresponding to the root world. The normal world has the lowest security and the root world the highest. Software running in the normal world may include, for example, ordinary application (AP) software, general-purpose operating system software and hypervisor software; software running in the secure world may include, for example but not limited to, trusted application software, trusted operating system software and secure partition management (SPM) software; software running in the realm world may include, for example, realm management monitor (RMM) software and application software; and software running in the root world may include, for example, monitor software. The software described in the embodiments of this application may include instructions and data. In addition, switching among the normal world, secure world and realm world is monitored and performed by the monitor.
Further, on the basis of the Arm CCA architecture, the software running environment can also be divided into a plurality of exception levels (EL). Figure 2 schematically shows four exception levels, EL0 to EL3. The above ordinary applications (usually third-party applications, such as video applications and shopping applications) and trusted applications may run at exception level EL0; general-purpose operating systems (such as Windows, Android, Red Hat Linux or the Hongmeng operating system) and trusted operating systems may run at exception level EL1; the hypervisor, secure partition management and the realm management monitor may run at exception level EL2; and the monitor may run at exception level EL3. Exception level EL0 is the lowest level and exception level EL3 the highest.
It should be noted that in the embodiments of this application, the realm world includes hardware independent of the other worlds, and the hardware of the realm world is completely isolated from the hardware of all other non-root worlds. The realm world can run firmware and virtual machines dedicated to the realm world. In addition, in the embodiments of this application, the realm world may be initialized by the hypervisor software, and the virtual machines running in the realm world may be created and controlled by the hypervisor software in the normal world, while the hardware execution takes place in the realm world. That is, once the realm world has been initialized, the software running in it, the important code or data it holds, and the state of the realm world cannot be monitored or modified by other software running on the electronic apparatus 100, that is, by any software in the normal world. Usually, important data such as the kernel page table, the cred structure of a Linux process and the SELinux database are stored in the physical address space of the memory 103 corresponding to the realm world, so that this important data cannot be monitored or modified by software running in the normal world. This improves the operating security of the electronic apparatus 100.
Based on the hardware architecture of the electronic apparatus 100 shown in Figure 1 and the software architecture shown in Figure 2, and in order to further improve the security of the electronic apparatus 100, the electronic apparatus 100 provided by the embodiments of this application is provided with a mapping relationship between physical address spaces and the access permissions of the above worlds. This mapping relationship is described in detail below using a specific example. Figure 3 schematically shows the access permissions of the above worlds for the physical address spaces in the memory 103, that is, it shows the mapping relationship. As shown in Figure 3, the physical address space 0x2000~0x2999 corresponds to secure world read/write only, that is, the software stored in this physical address space may only be read and rewritten by software running in the secure world, and the other worlds cannot access it; the physical address space 0x3000~0x3999 corresponds to normal world read/write only, that is, the software stored in this physical address space may only be read and rewritten by software running in the normal world, and the other worlds cannot access it; the physical address space 0x4000~0x4999 corresponds to root world read/write only, that is, the software stored in this physical address space may only be read and rewritten by software running in the root world, and the other worlds cannot access it; the physical address space 0x5000~0x5999 corresponds to realm world read/write only, that is, the software stored in this physical address space may only be read and rewritten by software running in the realm world, and the other worlds cannot access it.
The mapping relationship shown above defines the physical address spaces that software running in each world can both read and rewrite. The mapping relationship may further define physical address spaces in the memory 103 that software running in a given world may only read and cannot rewrite. As shown in Figure 3, the physical address space 0x7000~0x7999 corresponds to secure world read only: the software stored in this space may be read only by software running in the secure world, software running in the secure world cannot write to it, and no other world can access the space. The physical address space 0x8000~0x8999 corresponds to normal world read only: the software stored in this space may be read only by software running in the normal world, software running in the normal world cannot write to it, and no other world can access the space. The physical address space 0x9000~0x9999 corresponds to root world read only: the software stored in this space may be read only by software running in the root world, software running in the root world cannot write to it, and no other world can access the space. The physical address space 0x10000~0x10999 corresponds to realm world read only: the software stored in this space may be read only by software running in the realm world, software running in the realm world cannot write to it, and no other world can access the space.
Further, the mapping relationship also defines physical address spaces in the memory 103 whose stored software programs may only be executed by software running in a given world and cannot be read or rewritten. As shown in Figure 3, the physical address space 0x11000~0x11999 corresponds to secure world execution only memory: the software programs stored in this space may only be executed by software running in the secure world and cannot be read or written. The physical address space 0x12000~0x12999 corresponds to normal world execution only memory: the software programs stored in this space may only be executed by software running in the normal world. The physical address space 0x13000~0x13999 corresponds to root world execution only memory: the software programs stored in this space may only be executed by software running in the root world. The physical address space 0x14000~0x14999 corresponds to realm world execution only memory: the software programs stored in this space may only be executed by software running in the realm world.
In this embodiment of the present application, the mapping relationship between the physical address spaces and the access rights of the worlds may be stored in the memory 103. In a specific implementation, the memory 103 may hold a page table dedicated to recording this mapping relationship, which is recorded in the page table in the form of a mapping table. In this implementation, to prevent an attacker from rewriting the mapping relationship recorded in the page table, the mapping relationship may be stored in the physical address space corresponding to the root world (that is, exception level EL3) shown in Figure 2. The physical address space used to store the mapping relationship may be, for example, the physical address space 0x9000~0x9999 described above, or another physical address space. Preferably, the physical address space used to store the mapping relationship is one that software running in the root world may only read and cannot rewrite. In this way, an attacker who compromises software running in the root world still cannot rewrite the mapping relationship, which improves the security of the electronic device 100.
It should be noted that the mapping relationship shown in Figure 3 is only schematic. In practice, the physical address space may be partitioned according to the memory capacity, and the mapping relationship between the partitioned physical address spaces and the access rights of the worlds established accordingly. In addition, Figure 3 schematically shows the physical address space corresponding to each access right of each world as a single region; in other possible implementations, each of the access rights shown in Figure 3 may correspond to multiple physical address spaces, which may be contiguous or non-contiguous. For example, suppose that in addition to the physical address spaces shown in Figure 3, the memory 103 is also provided with a physical address space 0x15000~0x15999 that may only be read by the root world. In this example, the physical address space readable only by the root world consists of two non-contiguous physical address spaces: 0x9000~0x9999 and 0x15000~0x15999.
In conventional technology based on the software architecture shown in Figure 2, the architecture only defines the physical address spaces that software running in each world may read and rewrite. Consequently, an attacker who compromises software running in a given world can read or rewrite the instructions or data stored in the physical address space corresponding to that world, so that important instructions or data stored there are leaked or altered, creating a security problem for the electronic device 100. The embodiment of the present application, beyond defining the physical address spaces that software running in each world may read and rewrite, further defines physical address spaces that software running in each world may only read (and cannot rewrite) and physical address spaces that it may only execute (and cannot read or rewrite). Important instructions or data of the electronic device 100 can therefore be stored in the memory 103 within the physical address space that software running in each world may only read, and important instructions can be stored within the physical address space that such software may only execute. This reduces the risk that important instructions or data are stolen or tampered with and improves the security of the electronic device 100.
Further, the embodiment of the present application may use several bits to indicate the access rights described above. That is, the mapping relationship between the physical address spaces and the access rights of the worlds is a mapping between the physical address spaces and the bits that indicate each access right. For example, twelve access rights are shown above, and these twelve access rights can be represented by 4 bits. The correspondence between access rights and bits is shown in Figure 4, which also shows the mapping between the bits and the physical address spaces. Read/write access limited to software running in the secure world may be represented by the bits "1000"; read/write access limited to software running in the normal world by the bits "1001"; read/write access limited to software running in the root world by the bits "1010"; read/write access limited to software running in the realm world by the bits "1011"; read access limited to software running in the secure world by the bits "0010"; read access limited to software running in the normal world by the bits "0100"; read access limited to software running in the root world by the bits "0101"; read access limited to software running in the realm world by the bits "1010"; execute access limited to software running in the secure world by the bits "1100"; execute access limited to software running in the normal world by the bits "1101"; execute access limited to software running in the root world by the bits "1110"; and execute access limited to software running in the realm world by the bits "0110".
The above describes the physical address spaces in the memory 103 that may be accessed by only one world. The memory 103 may also be provided with a physical address space that all worlds may read and write, and with a physical address space that no world may access; both differ from every physical address space described above. For example, in Figure 3 the physical address space 0x6000~0x6999 corresponds to any read/write access: the software stored in this space may be read and rewritten by software running in any of the worlds above. The physical address space 0x16000~0x16999 may not be accessed by any world. Read/write access for all worlds may be represented by the bits "1111", and access prohibited for every world by the bits "0000".
In this embodiment, in addition to the physical address spaces accessed by the worlds, the memory 103 may also include a physical address space (not shown in the figures) for storing information such as block descriptors and table descriptors. A block descriptor may be represented by the bits "0001", and a table descriptor by the bits "0011".
In this embodiment, the controller 102 restricts the access of software running in each world to the physical address space by executing a detection flow based on the physical address that the software currently running on the processor 101 wants to access, the current world in which that software runs, the target access right the software requests for that physical address, and the mapping relationship between the physical address spaces and the access rights of the worlds. The workflow of the processor 101 generally includes several stages, such as fetching an instruction from the memory 103, decoding the instruction, and executing it. In the instruction fetch stage the processor 101 obtains the instruction from the memory 103; in the execute stage it reads data from the memory 103 and writes the results back to the memory 103. The controller 102 can therefore restrict the access of software running in the current world to the physical address space in both the instruction fetch stage and the execute stage of the processor 101. Specifically, before the software currently running on the processor 101 accesses an instruction or data in the memory 103, the processor 101 provides the controller 102 with the logical address VA1 in the memory 103 that the software wants to access, together with the target access right for the logical address VA1. The target access right may be one of reading an instruction or data, writing data, or executing an instruction program. The processor 101 may send the target access right to the controller 102 together with the logical address VA1, or it may provide the target access right in a separate indication independent of the logical address VA1; this embodiment does not limit this. A more detailed description follows using the detection flow 500 shown in Figure 5. Referring to Figure 5, the detection flow 500 is applied to the controller 102 and includes the following steps.
Step 501: The controller 102 receives the logical address VA1 and the target access right for the logical address VA1 from the processor 101. The target access right is one of the following: reading the instruction or data at the logical address, writing data to the logical address, or executing the software program stored at the logical address.
Step 502: The controller 102 translates the logical address VA1 into the physical address PA1.
Step 503: The controller 102 checks whether the physical address PA1 lies within the preset physical address space corresponding to the current world of the current software. If the controller 102 finds that PA1 lies within that preset physical address space, step 504 is executed; if PA1 lies outside it, step 506 is executed.
Step 504: The controller 102 checks whether the target access right is the same as the preset access right of the current world for the preset physical address space. If the controller 102 finds that they are the same, step 505 is executed; if they differ, step 506 is executed. The access right here is one of the following: reading or rewriting the software stored in the physical address space, only reading the software stored in the physical address space, or only executing the software stored in the physical address space.
In this embodiment, the target access right being the same as the preset access right of the current world for the preset physical address space may also mean that the target access right falls within the range of the preset access right. For example, when the preset access right allows the current world both to read and to rewrite the software in the preset physical address space, and the target access right is to read, or to rewrite, the software at the logical address, the target access right is likewise regarded as the same as the preset access right of the current world for the preset physical address space.
Step 505: The processor 101 is allowed to access the logical address VA1.
In this embodiment, allowing the processor 101 to access the logical address VA1 may be implemented in several ways. In a first possible implementation, the controller 102 provides the physical address PA1 obtained by translating the logical address VA1 directly to the processor 101, so that the processor 101 accesses the physical address PA1 in the memory 103 to read an instruction, read data, write data, or execute the program stored at PA1. In a second possible implementation, the electronic device 100 also includes a direct memory access (DMA) controller; the controller 102 provides the physical address PA1 to the DMA controller, which moves the instructions or data stored at PA1 in the memory 103 to the processor 101 or to another storage area designated by the processor 101, or moves the data to be stored from the processor 101 or from that storage area to the physical address PA1. In a third possible implementation, the controller 102 provides the physical address PA1 to the processor 101, which forwards it to the DMA controller; the DMA controller then moves the instructions or data stored at PA1 in the memory 103 to the processor 101 or to another storage area designated by the processor 101, or moves the data to be stored from the processor 101 or from that storage area to the physical address PA1.
Step 506: A signal indicating an error is sent to the processor 101. In this implementation, after the processor 101 receives the signal indicating an error, it may perform a security protection operation, which may include, but is not limited to, at least one of the following: resetting the processor 101, denying the software currently running on the processor 101 access to the logical address, halting the processor 101, disabling at least part of the functions of the processor 101, and blocking the processor 101 from accessing the memory 103. The security of software execution is thereby improved.
As can be seen from the detection flow 500 shown in Figure 5, by defining the physical address spaces that software running in each world may read and rewrite, the physical address spaces that such software may only read (and cannot rewrite), and the physical address spaces that such software may only execute (and cannot read or rewrite), the embodiment of the present application allows important instructions or data of the electronic device 100 to be stored in the memory 103 within the physical address space that software running in each world may only read, and important instructions to be stored within the physical address space that such software may only execute. In addition, the controller 102 provides the physical address PA1 to the processor 101 only after determining, based on the world in which the processor 101 currently runs, that PA1 lies within the preset physical address space corresponding to the current world of the current software and that the target access right is the same as the preset access right of the current world for that preset physical address space. An attacker who compromises software running in one world therefore cannot rewrite the instructions or data stored in the physical address space of that world, important instruction programs or data are protected from leakage or alteration, and the security of the electronic device 100 is improved.
It should be noted that in this embodiment the controller 102 and the processor 101 may be connected by electronic circuitry. After the electronic device 100 is powered on, and whenever the world in which the processor 101 currently runs changes, the processor 101 may send the controller 102 an indication signal over this circuitry that identifies its current world. For example, the indication signal may be 2 bits: "00" indicates the normal world, "01" the secure world, "10" the root world, and "11" the realm world. For instance, if the software run by the processor 101 jumps from the secure world to the root world, the execution environment of that software has changed, and the processor 101 provides the indication signal "10" to the controller 102. The controller 102 can thus determine from the indication signal the world in which the software running on the processor 101 is currently located.
Based on the detection flow of the controller 102 shown in Figure 5, and in combination with the mapping relationship between the physical address spaces and the access rights of the worlds shown in Figure 3, the operation of the controller 102 is described in more detail below through the specific application scenarios shown in Figures 6A to 6C, which are schematic diagrams of application scenarios of the detection flow of the controller 102.
Application scenario one: The controller 102 has previously obtained, over the electronic circuitry, an indication signal that the software currently running on the processor 101 is in the realm world. After receiving from the processor 101 the logical address VA2 and an access right indicating a write of data to VA2, the controller 102 first translates the logical address VA2 into the physical address PA2. It then determines whether PA2 lies within the physical address space corresponding to the current world of the current software. As shown in Figure 3, the physical address space corresponding to the realm world includes 0x5000~0x5999, 0x11000~0x11999 and 0x15000~0x15999. Suppose the physical address PA2 is 0x11500; PA2 then lies within the physical address space 0x11000~0x11999 of Figure 3, that is, within the physical address space corresponding to the current world of the current software. From the mapping relationship of Figure 3, the physical address space 0x11000~0x11999 corresponds to realm world read only: the software at PA2 may be read only by software running in the realm world, software running in the realm world cannot write to that physical address, and software running in other worlds cannot access PA2. The software currently running on the processor 101 wants to write data at PA2, but PA2 may only be read by software in the realm world and may not be rewritten; that is, the access right sent by the processor 101 for the logical address VA2 differs from the access right of the realm world for the physical address space 0x11000~0x11999 found in the mapping. Finally, the controller 102 transmits a signal indicating an error to the processor 101, so that the processor 101 can apply security protection to the electronic device 100.
Application scenario two: The controller 102 has previously obtained, over the electronic circuitry, an indication signal that the software currently running on the processor 101 is in the normal world. As shown in Figure 3, the physical address space corresponding to the normal world includes 0x3000~0x3999, 0x8000~0x8999 and 0x13000~0x13999. Suppose the physical address PA3 is 0x11501; PA3 then lies within the physical address space 0x11000~0x11999 of Figure 3. From the mapping relationship of Figure 3, the physical address space 0x11000~0x11999 corresponds to realm world read only: the software at PA3 may be read only by software running in the realm world, and software running in other worlds cannot access PA3. PA3 therefore lies outside the preset physical address space corresponding to the current world of the current software. Finally, the controller 102 transmits a signal indicating an error to the processor 101, so that the processor 101 can apply security protection to the electronic device 100.
Application scenario three: the controller 102 can obtain in advance, via electronic circuitry, an indication signal indicating that the software currently running on the processor 101 is in the realm world. After receiving from the processor 101 the logical address VA4 and an access right indicating that data is to be read from the logical address VA4, the controller 102 first converts the logical address VA4 into the physical address PA4. The physical address spaces corresponding to the realm world include the physical address space 0x5000~0x5999, the physical address space 0x11000~0x11999 and the physical address space 0x15000~0x15999. Assume that the physical address PA4 is 0x11502, that is, the physical address PA4 lies within the physical address space 0x11000~0x11999 shown in Figure 3; in other words, the physical address PA4 lies within the physical address space corresponding to the current world of the current software. It can be seen from the mapping relationship between the physical address spaces and the access rights of each world shown in Figure 3 that the physical address space 0x11000~0x11999 corresponds to realm world read only. That is, the software at the physical address PA4 can only be read by software running in the realm world; software running in the realm world cannot write to that physical address, and software running in other worlds cannot access the physical address PA4. The software currently running on the processor 101 needs to read data from the logical address VA4, and the physical address PA4 is likewise limited to being read by software in the realm world; that is, the access right to the logical address VA4 sent by the processor 101 is the same as the queried access right of the realm world to the physical address space 0x11000~0x11999. Finally, the controller 102 provides the physical address PA4 to the processor 101, so that the software currently running on the processor 101 reads data from the physical address PA4.
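The following C program is an added illustration and is not part of the patent text: it models the controller's check of steps 806 and 807 (is the physical address inside a space preset for the current world, and does the preset right cover the requested access) against the Figure 3 mapping, and runs the three application scenarios above through it. The address ranges of the normal and realm worlds and the read-only right of 0x11000~0x11999 come from the page; the rights assigned to the other ranges, the numeric value 0x11500 used for PA2, and the interpretation that a read-or-rewrite right also covers a plain read request are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Worlds of the software running environment named in the scenarios above. */
enum world { W_NORMAL = 0, W_REALM = 1 };

/* The three kinds of access right the page lists for a physical address space. */
enum perm {
    PERM_READ_WRITE = 0,  /* read or rewrite the software stored there */
    PERM_READ_ONLY  = 1,  /* only read the software stored there */
    PERM_EXEC_ONLY  = 2   /* only execute the software stored there */
};

/* What the currently running software asks for when it presents a logical address. */
enum request { REQ_READ = 0, REQ_WRITE = 1, REQ_EXEC = 2 };

/* One row of the pre-stored mapping relationship: world -> physical address space -> preset right. */
struct mapping {
    enum world world;
    uint32_t start, end;  /* inclusive, as in the page's "0x11000~0x11999" notation */
    enum perm perm;
};

/* Figure 3 mapping. The ranges and the read-only right of 0x11000~0x11999 are from the page;
 * the rights of the other ranges are NOT stated on the page and are constructed here. */
static const struct mapping FIG3_MAPPING[] = {
    { W_NORMAL, 0x3000,  0x3999,  PERM_READ_WRITE }, /* assumed right */
    { W_NORMAL, 0x8000,  0x8999,  PERM_EXEC_ONLY  }, /* assumed right */
    { W_NORMAL, 0x13000, 0x13999, PERM_READ_WRITE }, /* assumed right */
    { W_REALM,  0x5000,  0x5999,  PERM_READ_WRITE }, /* assumed right */
    { W_REALM,  0x11000, 0x11999, PERM_READ_ONLY  }, /* stated on the page: realm world read only */
    { W_REALM,  0x15000, 0x15999, PERM_EXEC_ONLY  }, /* assumed right */
};
#define FIG3_ROWS (sizeof FIG3_MAPPING / sizeof FIG3_MAPPING[0])

/* Outcome of the controller's check: ALLOW is step 808, the errors lead to step 809. */
enum verdict {
    ALLOW = 0,
    ERR_OUTSIDE_WORLD_SPACE = 1,  /* PA is in no space preset for the current world (step 806 fails) */
    ERR_PERMISSION_MISMATCH = 2   /* PA is in the world's space, but the right differs (step 807 fails) */
};

/* Assumption of this example: the page requires the target right to be "the same" as the preset right;
 * here a read-or-rewrite right covers both read and write, the other two cover exactly one operation. */
static bool perm_covers(enum perm preset, enum request req)
{
    switch (preset) {
    case PERM_READ_WRITE: return req == REQ_READ || req == REQ_WRITE;
    case PERM_READ_ONLY:  return req == REQ_READ;
    case PERM_EXEC_ONLY:  return req == REQ_EXEC;
    }
    return false;
}

/* Step 806: is `pa` inside a physical address space preset for `cur_world`?
 * Step 807: does that space's preset right cover the requested access? */
enum verdict check_access(enum world cur_world, uint32_t pa, enum request req)
{
    for (size_t i = 0; i < FIG3_ROWS; i++) {
        const struct mapping *m = &FIG3_MAPPING[i];
        if (m->world != cur_world || pa < m->start || pa > m->end)
            continue;
        return perm_covers(m->perm, req) ? ALLOW : ERR_PERMISSION_MISMATCH;
    }
    return ERR_OUTSIDE_WORLD_SPACE;
}

int main(void)
{
    /* Scenario one: realm world writes to PA2 inside 0x11000~0x11999 (PA2 = 0x11500 is constructed). */
    printf("scenario 1 verdict: %d\n", (int)check_access(W_REALM, 0x11500, REQ_WRITE));
    /* Scenario two: normal world, PA3 = 0x11501, which is outside every normal-world space. */
    printf("scenario 2 verdict: %d\n", (int)check_access(W_NORMAL, 0x11501, REQ_READ));
    /* Scenario three: realm world reads PA4 = 0x11502 in a read-only realm space. */
    printf("scenario 3 verdict: %d\n", (int)check_access(W_REALM, 0x11502, REQ_READ));
    return 0;
}
```

Scenario one ends in ERR_PERMISSION_MISMATCH (step 807 fails), scenario two in ERR_OUTSIDE_WORLD_SPACE (step 806 fails), and scenario three in ALLOW; the mapping table is `const`, matching the page's point that the world/space/right relationship is pre-stored rather than supplied by the running software.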
Based on the detection process of the controller 102 shown in Figure 5, the controller 102 can convert the logical address provided by the processor 101 into a physical address through multi-level translation and detection. In one possible implementation, the controller 102 converts the logical address provided by the processor 101 into a physical address through two-level conversion. Specifically, the controller 102 queries the first page table at least once in order to convert the logical address into at least one level of intermediate address and to check whether each level of the at least one level of intermediate address is allowed to be accessed; in addition, the controller 102 queries the second page table at least once to check whether the at least one level of intermediate address is allowed to be accessed. When it is detected that every level of the at least one level of intermediate address is allowed to be accessed, the last level of the at least one level of intermediate address is converted into the physical address. The first page table records the at least one level of intermediate address and the access right of each of the multiple worlds to the at least one level of intermediate address; the second page table records the access right of each of the multiple worlds to the at least one level of intermediate address. That is to say, by querying the first page table the controller 102 translates and checks the logical address, converting it into the above intermediate addresses (it should be noted that these intermediate addresses are all physical addresses) and performing a permission check on the converted at least one level of intermediate address; by querying the second page table it performs a permission check on the at least one level of intermediate address. It should be noted that the levels of conversion configured in the controller 102 may be set in the controller 102 in advance through firmware, and cannot be changed after the controller 102 is powered on or during operation. The above first page table may be stored in the exception level EL1 shown in Figure 2 and may also be called the stage1 table; the above second page table is stored in the physical address space corresponding to the exception level EL3 shown in Figure 2 and may also be called the stage3 table.
It should be noted that in some other possible implementations the logical address may be converted into a physical address through three-level conversion. For example, the controller 102 may translate and check the logical address by querying the first page table, converting the logical address into a first intermediate address and performing a permission check on the first intermediate address, where the first intermediate address is usually a logical address; then the controller 102 may convert the first intermediate address into a second intermediate address by querying the second page table and perform a permission check on the second intermediate address, where the second intermediate address is usually a physical address; finally, the controller 102 may perform a multi-level permission check on the converted second intermediate address by querying the third page table.
The embodiment of this application takes the case in which the controller 102 converts the logical address provided by the processor 101 into a physical address through two-level translation and detection as an example, and describes the way the controller 102 converts a logical address into a physical address in more detail through the example shown in Figure 7. As shown in Figure 7, the processor 101 provides the logical address VA1 to the controller 102, assuming that the software currently running on the processor 101 is at the level EL0 shown in Figure 2. The controller 102 queries the first page table several times for translation and detection, and queries the second page table several times for detection, in order to output the physical address PA1. In Figure 7, the horizontal direction is translation and detection by querying the first page table, and the vertical direction is detection by querying the second page table. Specifically, the controller 102 performs the first-level page table query of the first stage based on the logical address VA1.
First stage, first page table query: based on the logical address VA, the first-level page table is queried to find the physical address PAlv1 of LV1 stored in the LV0 page table, and at the same time this physical address is checked to determine whether the physical address access requested by the processor 101 is allowed. When the access is not allowed, the controller 102 may transmit a message indicating an error to the processor 101; when the access is allowed, the controller 102 performs the following second page table query of the first stage.
First stage, second page table query: based on the physical address PAlv1 of LV1, the controller 102 queries the LV0 page table entry to find the check content recorded at LV0, in order to check whether access to the physical address PAlv1 is allowed. When the access is not allowed, the controller 102 may transmit a signal indicating an error to the processor 101; when the access is allowed, the controller 102 continues to query the check content recorded at LV1 to check whether access to the physical address PAlv1 is allowed. When that access is not allowed, the controller 102 may transmit a signal indicating an error to the processor 101; when that access is allowed, the controller 102 performs the following first page table query of the second stage.
Second stage, first page table query: the controller 102 uses the physical address PAlv1 to find the physical address PAlv2 of LV2 recorded in the LV1 page table, and at the same time checks this physical address to determine whether the physical address access requested by the processor 101 is allowed. When the access is not allowed, the controller 102 may transmit a signal indicating an error to the processor 101; when the access is allowed, the controller 102 performs the following second page table query of the second stage.
Second stage, second page table query: based on the physical address PAlv2 obtained from LV1, the controller 102 queries the check content at LV0 to check whether access to the physical address PAlv2 is allowed. When the access is not allowed, the controller 102 may transmit a message indicating an error to the processor 101; when the access is allowed, the controller 102 continues to query the check content recorded at LV1 to check whether access to the physical address PAlv2 is allowed. When that access is not allowed, the controller 102 may transmit a message indicating an error to the processor 101; when that access is allowed, the controller 102 uses the physical address PAlv2 to find the physical address PAlv3 of LV3 stored in the LV2 page table, and at the same time checks this physical address.
It should be noted that, using the same checking approach of first page table queries and second page table queries as described above, the controller 102 completes the horizontal translation and detection through the first page table and the vertical detection through the second page table by performing the first page table query and the second page table query several times. When the translation and detection through the first page table and the vertical detection through the second page table have been completed, and the check at every stage indicates that access is allowed, the controller 102 generates the physical address PA1 corresponding to the logical address VA1, that is, it completes the conversion from the logical address to the physical address.
The above has described, with reference to Figure 7, the process by which the controller 102 converts the logical address VA1 into the physical address PA1 through two-level translation and detection using the first page table and the second page table. Accordingly, on the basis of the detection process 500 shown in Figure 5, the detection process applied to the controller 102 further refines the above step 501, giving the detection process 800 shown in Figure 8. The detection process 800 shown in Figure 8 includes the following steps:
Step 801: based on the logical address VA1 obtained from the processor 101 and the access mode for the logical address VA1, convert the logical address VA1 into at least one level of intermediate address by querying at least once the first page table stored in the exception level EL1.
Step 802: based on the first page table, check whether the at least one level of intermediate address is allowed to be accessed; when it is detected that the at least one level of intermediate address is allowed to be accessed, perform step 803; when it is detected that there is a level of intermediate address that is not allowed to be accessed, perform step 809.
Step 803: query the second page table stored in the exception level EL3 to check whether the at least one level of intermediate address is allowed to be accessed; when it is detected that the at least one level of intermediate address is allowed to be accessed, perform step 804; when it is detected that the at least one level of intermediate address is not allowed to be accessed, perform step 809.
Step 804: convert the last level of the at least one level of intermediate address into the physical address PA1, and check whether the physical address PA1 is allowed to be accessed; when it is detected that the physical address PA1 is allowed to be accessed, perform step 805; when it is detected that the physical address PA1 is not allowed to be accessed, perform step 809.
Step 805: query the second page table to check whether the physical address PA1 is allowed to be accessed; when it is detected that the physical address PA1 is allowed to be accessed, perform step 806; when it is detected that the physical address PA1 is not allowed to be accessed, perform step 809.
Step 806: check whether the physical address PA1 is within the preset physical address space corresponding to the current world of the current software. When the controller 102 detects that the physical address PA1 is within the preset physical address space corresponding to the current world of the current software, perform step 807; when the controller 102 detects that the physical address PA1 is outside the preset physical address space corresponding to the current world of the current software, perform step 809.
Step 807: when it is detected that the target access right is the same as the preset access right of the current world to the preset physical address space, perform step 808; when the controller 102 detects that the target access right differs from the preset access right of the current world to the preset physical address space, perform step 809.
Step 808: allow the processor 101 to access the logical address VA1.
Step 809: send a signal indicating an error to the processor 101.
It should be noted that the above steps 806 to 809 are the same as steps 502 to 506 of the detection process 500 shown in Figure 5 and are not described again. In addition, for the specific checking method of the above steps 801 to 805, refer to the related description of Figure 7, which is not repeated here.
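The following C program is an added illustration and is not part of the patent text: it simulates steps 801 to 805 of the detection process 800, that is, the Figure 7 walk in which the first page table is queried horizontally level by level (LV0 to LV3) and each intermediate physical address PAlv1, PAlv2, PAlv3 and finally the data page is checked first against the world's right recorded in the first page table and then vertically against the LV0 and LV1 check content of the second page table, with the walk stopping at the first level that fails. The page size, index widths, the set of four worlds (the page names only the normal and realm worlds), the memory layout and every table value are constructed assumptions of this example; only the order of the queries follows the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Worlds (the normal and realm worlds are on the page; secure and root are assumed here). */
enum world { W_NORMAL = 0, W_SECURE = 1, W_REALM = 2, W_ROOT = 3, W_COUNT = 4 };
#define ACC_R 1u   /* read */
#define ACC_W 2u   /* write */
#define ACC_X 4u   /* execute */

/* Constructed toy memory: 16 pages of 256 bytes (PA 0x000..0xFFF). A VA is 16 bits:
 * [15:14] LV0 index, [13:12] LV1 index, [11:10] LV2 index, [9:8] LV3 index, [7:0] page offset. */
#define PAGE_BITS 8
#define NPAGES    16
#define LEVELS    4
#define IDX_BITS  2
#define ENTRIES   (1u << IDX_BITS)

/* First page table (stage1 table, EL1): next-level address plus each world's right on it. */
struct s1_entry { bool valid; uint32_t next; uint8_t world_acc[W_COUNT]; };
struct s1_table { struct s1_entry e[ENTRIES]; };
static struct s1_table s1_mem[NPAGES];          /* the table stored in page p is s1_mem[p] */

/* Second page table (stage3 table, EL3): per-world check content at LV0 (4 pages each) and LV1 (1 page). */
static uint8_t s3_lv0[NPAGES / 4][W_COUNT];
static uint8_t s3_lv1[NPAGES][W_COUNT];

enum walk_result { WALK_OK = 0, WALK_ERR_INVALID = 1, WALK_ERR_STAGE1 = 2, WALK_ERR_STAGE3 = 3 };

/* Vertical check: the LV0 entry, then the LV1 entry, of the second page table must both grant `acc`. */
static bool s3_allows(uint32_t pa, enum world w, uint8_t acc)
{
    uint32_t page = pa >> PAGE_BITS;
    if (page >= NPAGES) return false;
    if ((s3_lv0[page / 4][w] & acc) != acc) return false;
    return (s3_lv1[page][w] & acc) == acc;
}

/* Horizontal walk with both checks at every level (steps 801-805). On success *pa_out is PA1;
 * on failure *fail_level is the LV at which the walk stopped and an error signal would be sent. */
enum walk_result translate(uint32_t root_pa, uint32_t va, enum world w, uint8_t acc,
                           uint32_t *pa_out, int *fail_level)
{
    uint32_t cur = root_pa;                     /* PA of the LV0 table */
    if ((cur >> PAGE_BITS) >= NPAGES) { *fail_level = 0; return WALK_ERR_INVALID; }
    for (int lv = 0; lv < LEVELS; lv++) {
        *fail_level = lv;
        uint32_t idx = (va >> (PAGE_BITS + IDX_BITS * (LEVELS - 1 - lv))) & (ENTRIES - 1);
        const struct s1_entry *ent = &s1_mem[cur >> PAGE_BITS].e[idx];
        if (!ent->valid) return WALK_ERR_INVALID;
        if ((ent->world_acc[w] & acc) != acc) return WALK_ERR_STAGE1;  /* first page table check on PAlv(n+1) */
        if (!s3_allows(ent->next, w, acc))  return WALK_ERR_STAGE3;    /* second page table check on PAlv(n+1) */
        cur = ent->next;                                               /* PAlv1, PAlv2, PAlv3, then the page */
    }
    *fail_level = -1;
    *pa_out = cur | (va & ((1u << PAGE_BITS) - 1));                    /* last intermediate address + offset */
    return WALK_OK;
}

/* Constructed layout for the demonstration: every world gets read on a table entry, the realm world gets `realm_acc`. */
static void set_entry(uint32_t table_pa, unsigned idx, uint32_t next, uint8_t realm_acc)
{
    struct s1_entry *ent = &s1_mem[table_pa >> PAGE_BITS].e[idx];
    ent->valid = true; ent->next = next;
    for (int w = 0; w < W_COUNT; w++) ent->world_acc[w] = ACC_R;
    ent->world_acc[W_REALM] = realm_acc;
}
static bool layout_ready;
static void ensure_layout(void)
{
    if (layout_ready) return;
    memset(s1_mem, 0, sizeof s1_mem);
    for (int i = 0; i < NPAGES / 4; i++) for (int w = 0; w < W_COUNT; w++) s3_lv0[i][w] = ACC_R | ACC_W | ACC_X;
    for (int p = 0; p < NPAGES; p++)     for (int w = 0; w < W_COUNT; w++) s3_lv1[p][w] = ACC_R | ACC_W | ACC_X;
    s3_lv1[5][W_REALM] = 0;                  /* EL3 check content denies the realm world page 5 at LV1 */
    set_entry(0x000, 0, 0x100, ACC_R);       /* LV0 table (page 0) -> PAlv1 = 0x100 */
    set_entry(0x100, 0, 0x200, ACC_R);       /* LV1 table -> PAlv2 = 0x200 */
    set_entry(0x200, 0, 0x300, ACC_R);       /* LV2 table -> PAlv3 = 0x300 */
    set_entry(0x300, 0, 0x400, ACC_R);       /* LV3 table -> data page 0x400 */
    set_entry(0x000, 1, 0x500, ACC_R);       /* first page table allows, second page table denies page 5 */
    set_entry(0x100, 1, 0x600, 0);           /* first page table itself gives the realm world no right */
    layout_ready = true;
}

/* Convenience wrappers over the walk from the constructed LV0 table at PA 0x000. */
enum walk_result walk_status(uint32_t va, enum world w, uint8_t acc)
{ uint32_t pa; int lv; ensure_layout(); return translate(0x000, va, w, acc, &pa, &lv); }
uint32_t walk_pa(uint32_t va, enum world w, uint8_t acc)
{ uint32_t pa = 0; int lv; ensure_layout(); return translate(0x000, va, w, acc, &pa, &lv) == WALK_OK ? pa : 0xFFFFFFFFu; }

int main(void)
{
    printf("VA 0x0042 realm read -> status %d, PA1 0x%03x\n", (int)walk_status(0x0042, W_REALM, ACC_R), (unsigned)walk_pa(0x0042, W_REALM, ACC_R));
    printf("VA 0x4000 realm read -> status %d (stopped by the second page table at LV0)\n", (int)walk_status(0x4000, W_REALM, ACC_R));
    printf("VA 0x1000 realm read -> status %d (stopped by the first page table at LV1)\n", (int)walk_status(0x1000, W_REALM, ACC_R));
    printf("VA 0x8000 realm read -> status %d (invalid LV0 entry)\n", (int)walk_status(0x8000, W_REALM, ACC_R));
    return 0;
}
```

The walk for VA 0x0042 passes all four levels and yields PA1 = 0x442; the other three addresses show the three ways a walk stops before a physical address is produced, which in the page's terms is the point at which the controller 102 signals an error (step 809) instead of continuing to the world check of steps 806 and 807.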
In conventional technology, converting a logical address into a physical address in the controller 102 usually requires two levels of address translation and detection. That is to say, after obtaining the logical address, the controller 102 first translates and checks the logical address by querying the first-level page table set in the exception level EL1, converting the logical address into an intermediate logical address; then the controller 102 translates and checks the intermediate logical address by querying the second-level page table set in the exception level EL2, converting the intermediate logical address into a physical address. As can be seen from the examples shown in Figures 7 and 8 above, in the embodiment of this application the controller 102 translates and checks the logical address by querying the first page table, converting the logical address into an intermediate address, where this intermediate-level address is a physical address; it then performs a permission check on the converted intermediate-level address by querying the second page table. That is, compared with the way a logical address is converted into a physical address in the prior art, the step of converting the logical address into an intermediate logical address is omitted, and the second-level page table that conventional technology sets in the exception level EL2 for checking physical addresses is replaced by a second page table set in the exception level EL3 for checking the intermediate-level physical addresses. The steps of converting a logical address into a physical address are thus simplified while the electronic device 100 is still effectively protected.
In this embodiment, the electronic device 100 may further include a communication unit (not shown in the figure). The communication unit includes, but is not limited to, a short-range communication unit or a cellular communication unit. The short-range communication unit exchanges information with other devices located outside the mobile terminal and used to access the Internet by running a short-range wireless communication protocol. The short-range wireless communication protocol may include, but is not limited to, the various protocols supported by radio frequency identification technology, Bluetooth communication technology protocols, or infrared communication protocols. The cellular communication unit accesses a radio access network by running a cellular wireless communication protocol, so that the mobile communication unit can exchange information with servers on the Internet that support various applications. The communication unit may be integrated in the same SOC as the processor 101 and the controller 102 described in the embodiments of this application, or may be provided separately. In addition, the electronic device 100 may optionally include a bus or an interface circuit; the interface circuit may be, for example, an input/output port (I/O). The bus and the interface circuit may likewise be integrated in the same SOC as the processor 101 and the controller 102. The interface circuit is used to couple the controller 102 to the memory 103. It should be understood that in actual applications the electronic device 100 may include more or fewer components than shown in Figure 1, which the embodiments of this application do not limit.
Based on the same inventive concept, the embodiments of this application further provide a method for securely accessing software, which is applied to the electronic device 100 shown in Figure 1. Referring further to Figure 9, which shows a flow 900 of the method for securely accessing software provided by an embodiment of this application, the flow 900 of the method may be executed by the controller 102 and includes the following steps: Step 901, based on the logical address that the current software is to access, convert the logical address into a physical address in the memory; Step 902, when the physical address is within the preset physical address space corresponding to the current world of the current software, and the target access right of the current software to the logical address is the same as the preset access right of the current world to the preset physical address space, allow the current software to access the logical address. The software running environment of the electronic device has multiple worlds; each of the multiple worlds corresponds to at least two physical address spaces and to different access rights for the at least two physical address spaces respectively, and the current world is one of the multiple worlds. The access right is one of the following: reading or rewriting the software stored in the physical address space, only reading the software stored in the physical address space, or only executing the software stored in the physical address space.
In a possible implementation, the method 900 further includes: performing a security protection operation when at least one of the following is satisfied: the physical address is outside the preset physical address space corresponding to the current world of the current software, and the target access right differs from the preset access right.
In a possible implementation, the method 900 further includes: determining, according to a pre-stored mapping relationship, the preset physical address space and the preset access right corresponding to the current world; the mapping relationship indicates the at least two physical address spaces of each of the multiple worlds and the different access rights for the at least two physical address spaces, and the mapping relationship is stored in the memory.
In a possible implementation, converting the logical address into a physical address in the memory includes: based on the logical address, querying the first page table at least once and the second page table at least once; converting the logical address into at least one level of intermediate address according to the first page table; and, when every level of the at least one level of intermediate address is allowed to be accessed, converting the last level of the at least one level of intermediate address into the physical address. The first page table records the at least one level of intermediate address and the access right of each of the multiple worlds to the at least one level of intermediate address; the second page table records the access right of the at least one level of intermediate address.
In a possible implementation, the method 900 further includes: performing a security protection operation when there is a level of intermediate address that is not allowed to be accessed.
In a possible implementation, the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the functions of the processor, and preventing the processor from accessing the memory.
It can be understood that, in order to implement the above functions, the controller 102 includes hardware and/or software modules corresponding to each function. In combination with the steps of the examples described in the embodiments disclosed herein, this application can be implemented in the form of hardware or of a combination of hardware and computer software. Whether a given function is performed by hardware or by computer software driving hardware depends on the specific application and the design constraints of the technical solution. Those skilled in the art may use different methods to implement the described functions for each specific application in combination with the embodiments, but such implementations should not be considered beyond the scope of this application.
In this embodiment, the controller 102 may be divided into functional modules according to the above method examples; for example, a separate functional module may be provided for each function, or two or more functions may be integrated in one processing module. The above integrated module may be implemented in the form of hardware. It should be noted that the division of modules in this embodiment is schematic and is merely a division by logical function; in actual implementation there may be other ways of division.
In the case where a separate functional module is provided for each function, Figure 10 shows a possible schematic diagram of the apparatus 1000 involved in the above embodiment, which may further extend the apparatus mentioned above; for example, the apparatus 1000 corresponding to Figure 10 may be a software apparatus running on the controller 102, or the apparatus 1000 may be an apparatus combining software and hardware that is embedded in the controller 102. As shown in Figure 10, the apparatus 1000 may include: a conversion module 1001, configured to convert the logical address that the current software is to access into a physical address in the memory, based on that logical address; and an access-allowing module 1002, configured to allow the current software to access the logical address when the physical address is within the preset physical address space corresponding to the current world of the current software and the target access right of the current software to the logical address is the same as the preset access right of the current world to the preset physical address space. The software running environment of the electronic device has multiple worlds; each of the multiple worlds corresponds to at least two physical address spaces and to different access rights for the at least two physical address spaces respectively, and the current world is one of the multiple worlds. The access right is one of the following: reading or rewriting the software stored in the physical address space, only reading the software stored in the physical address space, or only executing the software stored in the physical address space.
In a possible implementation, the apparatus 1000 further includes: a first security protection module (not shown in the figure), configured to perform a security protection operation when at least one of the following is satisfied: the physical address is outside the preset physical address space corresponding to the current world of the current software, and the target access right differs from the preset access right.
In a possible implementation, the apparatus further includes: a determining module (not shown in the figure), configured to determine, according to a pre-stored mapping relationship, the preset physical address space and the preset access right corresponding to the current world; the mapping relationship indicates the at least two physical address spaces of each of the multiple worlds and the different access rights for the at least two physical address spaces, and the mapping relationship is stored in the memory.
In one possible implementation, the conversion module 1001 is specifically configured to: based on the logical address, query a preset first page table at least once and a preset second page table at least once; according to the first page table, convert the logical address into at least one level of intermediate address; and, according to the first page table and the second page table, when every level of the at least one level of intermediate address is allowed to be accessed, convert the last level of the at least one level of intermediate address into the physical address. The first page table records the at least one level of intermediate address and the access permission of each of the multiple worlds for that at least one level of intermediate address; the second page table records the access permission of each of the multiple worlds for the at least one level of intermediate address.
In one possible implementation, the device 1000 further includes a second security protection module (not shown in the figure), configured to perform a security protection operation when at least one level of intermediate address is not allowed to be accessed.
In one possible implementation, the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the processor's functions, and blocking the processor from accessing the memory.
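The following C model is an added example and is not code from the patent or its applicant. It sketches the conversion module and the allow-access module described above as plain functions: a two-stage page-table walk in which every intermediate level carries a per-world allow mask, followed by the check that the resulting physical address lies inside one of the current world's preset spaces and that the requested permission equals that space's preset permission. Every verdict other than ACCESS_ALLOWED is the point at which the description's security protection operation would fire. All addresses, world labels, table entries and the names translate, check_access and physical_of are constructed assumptions, not values from the patent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Access permissions, as enumerated in the description. */
typedef enum { PERM_RW = 1, PERM_RO = 2, PERM_XO = 3 } perm_t;

/* Outcome of a check; anything but ACCESS_ALLOWED would trigger the security protection operation. */
typedef enum {
    ACCESS_ALLOWED = 0,
    DENY_BAD_WORLD,       /* world label outside the configured set */
    DENY_STAGE1,          /* first page table refuses this world at an intermediate level */
    DENY_STAGE2,          /* second page table refuses this world at an intermediate level */
    DENY_OUTSIDE_SPACE,   /* physical address outside the world's preset spaces */
    DENY_PERM_MISMATCH    /* target permission differs from the preset permission */
} verdict_t;

#define NUM_WORLDS 2
#define REGIONS_PER_WORLD 2
#define PAGE_SIZE 0x1000u
#define PAGE_MASK ((uint64_t)PAGE_SIZE - 1)
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

typedef struct { uint64_t base, size; perm_t perm; } region_t;

/* Pre-stored mapping relationship (constructed): each world owns two spaces with different permissions. */
static const region_t mapping[NUM_WORLDS][REGIONS_PER_WORLD] = {
    { { 0x10000000, 0x10000, PERM_XO }, { 0x20000000, 0x10000, PERM_RW } },  /* world 0 */
    { { 0x30000000, 0x10000, PERM_XO }, { 0x40000000, 0x10000, PERM_RO } },  /* world 1 */
};

/* Page-table entry: input page, output page, bitmask of worlds allowed to traverse it (bit i = world i). */
typedef struct { uint64_t in_page, out_page; uint8_t world_allow; } pte_t;

/* First page table, logical page -> intermediate page (constructed). */
static const pte_t first_table[] = {
    { 0x1000, 0x101000, 0x01 },  /* world 0 only */
    { 0x2000, 0x102000, 0x01 },
    { 0x3000, 0x103000, 0x02 },  /* world 1 only */
    { 0x4000, 0x104000, 0x03 },  /* both worlds */
    { 0x5000, 0x105000, 0x03 },
};
/* Second page table, intermediate page -> physical page (constructed). */
static const pte_t second_table[] = {
    { 0x101000, 0x10000000, 0x01 },
    { 0x102000, 0x20000000, 0x01 },
    { 0x103000, 0x40000000, 0x02 },
    { 0x104000, 0x30000000, 0x02 },  /* world 0 passes stage 1 but is refused here */
    { 0x105000, 0x50000000, 0x03 },  /* translates, but lands outside every preset space */
};

static const pte_t *lookup(const pte_t *t, size_t n, uint64_t page) {
    for (size_t i = 0; i < n; i++)
        if (t[i].in_page == page) return &t[i];
    return NULL;
}

/* Conversion module: two-stage walk; each intermediate level must be allowed for the world. */
verdict_t translate(unsigned world, uint64_t logical, uint64_t *physical) {
    if (world >= NUM_WORLDS) return DENY_BAD_WORLD;
    uint8_t bit = (uint8_t)(1u << world);
    const pte_t *e1 = lookup(first_table, COUNT(first_table), logical & ~PAGE_MASK);
    if (!e1 || !(e1->world_allow & bit)) return DENY_STAGE1;
    uint64_t intermediate = e1->out_page | (logical & PAGE_MASK);
    const pte_t *e2 = lookup(second_table, COUNT(second_table), intermediate & ~PAGE_MASK);
    if (!e2 || !(e2->world_allow & bit)) return DENY_STAGE2;
    *physical = e2->out_page | (intermediate & PAGE_MASK);
    return ACCESS_ALLOWED;
}

/* Allow-access module: physical address inside one of the world's preset spaces AND the
 * requested permission equal to that space's preset permission (the text says "the same",
 * so this model uses equality, not subset semantics). */
verdict_t check_access(unsigned world, uint64_t logical, perm_t target) {
    uint64_t pa;
    verdict_t v = translate(world, logical, &pa);
    if (v != ACCESS_ALLOWED) return v;
    for (int i = 0; i < REGIONS_PER_WORLD; i++) {
        const region_t *r = &mapping[world][i];
        if (pa >= r->base && pa < r->base + r->size)
            return target == r->perm ? ACCESS_ALLOWED : DENY_PERM_MISMATCH;
    }
    return DENY_OUTSIDE_SPACE;
}

/* Physical address for a (world, logical) pair, or UINT64_MAX if the walk is refused. */
uint64_t physical_of(unsigned world, uint64_t logical) {
    uint64_t pa;
    return translate(world, logical, &pa) == ACCESS_ALLOWED ? pa : UINT64_MAX;
}

int main(void) {
    static const char *names[] = { "allowed", "bad world", "stage-1 refused",
                                   "stage-2 refused", "outside preset space", "permission mismatch" };
    printf("world 0 exec  0x1010: %s\n", names[check_access(0, 0x1010, PERM_XO)]);
    printf("world 0 write 0x1010: %s\n", names[check_access(0, 0x1010, PERM_RW)]);
    printf("world 0 exec  0x4000: %s\n", names[check_access(0, 0x4000, PERM_XO)]);
    printf("world 0 read  0x5000: %s\n", names[check_access(0, 0x5000, PERM_RO)]);
    return 0;
}
```

The last two table entries show the two failure modes the description keeps separate: an intermediate address that one stage refuses (second security protection module), and a walk that succeeds yet yields a physical address outside the world's preset spaces (first security protection module). A real controller would apply the policy in the mapping relationship in hardware; this model only makes the decision logic visible.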
The device 1000 provided in this embodiment is used to perform the method for securely accessing software that the controller 102 performs, and can achieve the same effect as the implementation method or device described above. Specifically, each of the modules corresponding to Figure 10 above may be implemented in software, in hardware, or in a combination of the two. For example, each module may be implemented in software that drives the controller 102. Alternatively, each module may include a corresponding processor and corresponding driver software, that is, be implemented as a combination of software and hardware.
By way of example, the controller 102 above may further include at least one processor and a memory. The at least one processor may invoke all or part of the computer program stored in the memory to control and manage the actions of the controller 102, for example to support the controller 102 in performing the steps performed by each of the modules above. The memory may support the controller 102 in storing program code and data, and includes but is not limited to at least part of the storage space of the memory 103 described above, a cache, or registers. The at least one processor may implement or execute the various exemplary logic modules described in conjunction with the disclosure of this application, and may be a combination of one or more microprocessors that implement computing functions. In addition, the at least one processor may also include other programmable logic devices, transistor logic devices, or discrete hardware components.
This embodiment also provides a computer-readable storage medium in which computer instructions are stored; when the computer instructions run on a computer, they cause the computer to perform the related method steps above, implementing the method for securely accessing software of the above embodiments.
This embodiment also provides a computer program product; when the computer program product runs on a computer, it causes the computer to perform the related steps above, implementing the method for securely accessing software of the above embodiments.
The computer-readable storage medium and the computer program product provided in this embodiment are both used to perform the corresponding method provided above; the beneficial effects they can achieve are therefore those of the corresponding method described above and are not repeated here.
From the description of the above embodiments, those skilled in the art will understand that, for convenience and brevity of description, the division into the functional modules above is only an example. In practical applications, the functions above may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
In addition, the functional units in the embodiments of this application may be integrated into one product, each unit may exist physically on its own, or two or more units may be integrated into one product. With reference to Figure 9, if the modules above are implemented in the form of software functional units and sold or used as independent products, they may be stored in a readable storage medium. On this understanding, the technical solutions of the embodiments of this application, in essence, the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium and including a number of instructions that cause a device (which may be a microcontroller, a chip, or the like) or a processor to perform all or part of the steps of the methods of the embodiments of this application. The aforementioned readable storage medium includes any medium that can store program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solutions of this application, not to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art should understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be replaced by equivalents, and such modifications or replacements do not take the essence of the corresponding technical solutions outside the scope of the technical solutions of the embodiments of this application.

Claims (18)

  1. An electronic device, characterized by including a processor and a controller;
    the processor is configured to run current software and to send to the controller the logical address that the current software wants to access and the target access permission of the current software for the logical address;
    the controller is configured to:
    receive the logical address and the target access permission from the processor;
    convert the logical address into a physical address in a memory;
    when the physical address is within the preset physical address space corresponding to the current world of the current software, and the target access permission is the same as the preset access permission of the current world for the preset physical address space, allow the processor to access the logical address;
    wherein the software running environment of the electronic device has multiple worlds, each of the multiple worlds corresponds to at least two physical address spaces, the at least two physical address spaces correspond to different access permissions, and the current world is one of the multiple worlds;
    the access permission is one of the following: reading or rewriting software stored in a physical address space, reading only software stored in a physical address space, or executing only software stored in a physical address space.
  2. The electronic device according to claim 1, characterized in that the controller is further configured to:
    send a signal indicating an error to the processor when at least one of the following holds: the physical address is outside the preset physical address space, or the target access permission differs from the preset access permission.
  3. The electronic device according to claim 2, characterized in that the processor is further configured to:
    perform a security protection operation based on the signal indicating an error, the security protection operation including at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the processor's functions, and blocking the processor from accessing the memory.
  4. The electronic device according to any one of claims 1-3, characterized in that the electronic device further includes the memory;
    the memory is further configured to store a mapping relationship between the at least two physical address spaces of each of the multiple worlds and the different access permissions for the at least two physical address spaces;
    the controller is further configured to determine, according to the mapping relationship, the preset physical address space and the preset access permission corresponding to the current world.
  5. The electronic device according to claim 4, characterized in that, in converting the logical address into a physical address in the memory, the controller is specifically configured to:
    based on the logical address, query a preset first page table at least once and a preset second page table at least once;
    convert the logical address into at least one level of intermediate address according to the first page table;
    according to the first page table and the second page table, when every level of the at least one level of intermediate address is allowed to be accessed, convert the last level of the at least one level of intermediate address into the physical address;
    wherein the first page table records the at least one level of intermediate address and the access permission of each of the multiple worlds for the at least one level of intermediate address; the second page table records the access permission of each of the multiple worlds for the at least one level of intermediate address.
  6. The electronic device according to claim 5, characterized in that the controller is further configured to:
    transmit a signal indicating an error to the processor when at least one level of intermediate address is not allowed to be accessed.
  7. The electronic device according to claim 5 or 6, characterized in that
    the electronic device includes multiple exception levels, each exception level corresponds to a segment of physical address space in the memory, and software running at a lower exception level is prohibited from accessing the physical address space corresponding to a higher exception level, wherein the mapping relationship is stored in the physical address space corresponding to the highest of the multiple exception levels.
  8. The electronic device according to claim 7, characterized in that the first page table is stored in the physical address space corresponding to a first exception level among the multiple exception levels, the first exception level being an exception level lower than the highest exception level;
    the second page table is stored in the physical address space corresponding to the highest exception level.
  9. The electronic device according to claim 1, characterized in that the electronic device further includes a direct memory access controller; allowing the processor to access the logical address specifically includes: providing the physical address to the direct memory access controller;
    the direct memory access controller is configured to provide the instructions or data at the physical address to the processor.
  10. A method for securely accessing software, characterized by including:
    based on the logical address that current software wants to access, converting the logical address into a physical address in a memory;
    when the physical address is within the preset physical address space corresponding to the current world of the current software, and the target access permission of the current software for the logical address is the same as the preset access permission of the current world for the preset physical address space, allowing the current software to access the logical address;
    wherein the software running environment of the electronic device has multiple worlds, each of the multiple worlds corresponds to at least two physical address spaces, the at least two physical address spaces correspond to different access permissions, and the current world is one of the multiple worlds;
    the access permission is one of the following: reading or rewriting software stored in a physical address space, reading only software stored in a physical address space, or executing only software stored in a physical address space.
  11. The method according to claim 10, characterized in that the method further includes:
    performing a security protection operation when at least one of the following holds: the physical address is outside the preset physical address space, or the target access permission differs from the preset access permission.
  12. The method according to claim 10 or 11, characterized in that the method further includes:
    determining, according to a pre-stored mapping relationship, the preset physical address space and the preset access permission corresponding to the current world;
    wherein the mapping relationship indicates the at least two physical address spaces of each of the multiple worlds and the different access permissions for the at least two physical address spaces;
    the mapping relationship is stored in the memory.
  13. The method according to any one of claims 10-12, characterized in that converting the logical address into a physical address in the memory specifically includes:
    based on the logical address, querying a preset first page table at least once and a preset second page table at least once;
    converting the logical address into at least one level of intermediate address according to the first page table;
    according to the first page table and the second page table, when every level of the at least one level of intermediate address is allowed to be accessed, converting the last level of the at least one level of intermediate address into the physical address;
    wherein the first page table records the at least one level of intermediate address and the access permission of each of the multiple worlds for the at least one level of intermediate address; the second page table records the access permission of each of the multiple worlds for the at least one level of intermediate address.
  14. The method according to claim 13, characterized in that the method further includes:
    performing a security protection operation when at least one level of intermediate address is not allowed to be accessed.
  15. The method according to any one of claims 10-14, characterized in that the security protection operation includes at least one of the following: resetting the processor, denying the software currently running on the processor access to the logical address, instructing the processor to stop running, disabling at least part of the processor's functions, and blocking the processor from accessing the memory.
  16. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a controller, implements the method according to any one of claims 10-15.
  17. A computer program product, characterized in that, when executed by a controller, the computer program product implements the method according to any one of claims 10-15.
  18. A system-on-chip, characterized by including:
    a controller and an interface circuit;
    the interface circuit is configured to couple to a memory in which a program of instructions is stored;
    the controller is configured to execute the program instructions in the memory to implement the method according to any one of claims 10-15.
PCT/CN2023/101009 2022-07-30 2023-06-19 Electronic apparatus, and method for securely accessing software WO2024027356A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202210911423.3 2022-07-30
CN202210911423.3A CN117521054A (en) 2022-07-30 2022-07-30 Electronic device and method for safely accessing software

Publications (1)

Publication Number Publication Date
WO2024027356A1 true WO2024027356A1 (en) 2024-02-08

Family

ID=89750044

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/101009 WO2024027356A1 (en) 2022-07-30 2023-06-19 Electronic apparatus, and method for securely accessing software

Country Status (2)

Country Link
CN (1) CN117521054A (en)
WO (1) WO2024027356A1 (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160371496A1 (en) * 2015-06-16 2016-12-22 Microsoft Technology Licensing, Llc Protected regions
CN109446835A (en) * 2018-09-30 2019-03-08 龙芯中科技术有限公司 Data access control method, device and equipment
CN110383256A (en) * 2018-02-02 2019-10-25 华为技术有限公司 A kind of Novel approach for protecting and device
CN113434453A (en) * 2020-03-06 2021-09-24 三星电子株式会社 System on chip and operation method thereof
CN113486410A (en) * 2021-06-30 2021-10-08 海光信息技术股份有限公司 Method for protecting data security, CPU core, CPU chip and electronic equipment

Also Published As

Publication number Publication date
CN117521054A (en) 2024-02-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23849066

Country of ref document: EP

Kind code of ref document: A1