WO2024066533A1 - Chip assembly and information processing method thereof, and computer readable medium - Google Patents

Info

Publication number: WO2024066533A1
Authority: WO, WIPO (PCT)
Application number: PCT/CN2023/102614
Prior art keywords: information; chip; ciphertext; confidential; confidential information
Inventors: 杜嘉宇, 孙福山, 潘跃
Original Assignee: 深圳市中兴微电子技术有限公司
Application filed by 深圳市中兴微电子技术有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00 Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06 Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C17/00 Read-only memories programmable only once; Semi-permanent stores, e.g. manually-replaceable information cards
    • G11C17/14 Read-only memories programmable only once; Semi-permanent stores, e.g. manually-replaceable information cards in which contents are determined by selectively establishing, breaking or modifying connecting links by permanently altering the state of coupling elements, e.g. PROM
    • G11C17/16 Read-only memories programmable only once; Semi-permanent stores, e.g. manually-replaceable information cards in which contents are determined by selectively establishing, breaking or modifying connecting links by permanently altering the state of coupling elements, e.g. PROM using electrically-fusible links
    • G PHYSICS
    • G11 INFORMATION STORAGE
    • G11C STATIC STORES
    • G11C17/00 Read-only memories programmable only once; Semi-permanent stores, e.g. manually-replaceable information cards
    • G11C17/14 Read-only memories programmable only once; Semi-permanent stores, e.g. manually-replaceable information cards in which contents are determined by selectively establishing, breaking or modifying connecting links by permanently altering the state of coupling elements, e.g. PROM
    • G11C17/18 Auxiliary circuits, e.g. for writing into memory

Definitions

  • the present disclosure relates to the field of chip technology, and in particular to a chip component and an information processing method thereof, and a computer-readable medium.
  • Security information used by a chip can be stored in a one-time programmable memory eFUSE to ensure that it cannot be modified.
  • the present disclosure provides a chip component and an information processing method thereof, and a computer-readable medium.
  • an embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE.
  • the method includes: encrypting plaintext of confidential information according to an information encryption algorithm to obtain ciphertext of the confidential information; writing the ciphertext of the confidential information into the information storage device, and writing configuration information into the eFUSE, wherein the configuration information represents the storage status of the ciphertext of the confidential information in the information storage device.
  • the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE; the information storage device stores ciphertext of confidential information, and the ciphertext of the confidential information is encrypted according to an information encryption algorithm.
  • the eFUSE stores configuration information, and the configuration information represents the storage status of the ciphertext of the confidential information in the information storage device.
  • the method includes: reading the configuration information stored in the eFUSE; reading the ciphertext of the confidential information from the information storage device according to the configuration information; and decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information.
  • an embodiment of the present disclosure provides a chip component, including a chip, an information storage device, and an eFUSE, wherein the chip can implement an information processing method of any chip component of the embodiment of the present disclosure.
  • the information storage includes a flash memory FLASH.
  • an embodiment of the present disclosure provides a non-transitory computer-readable medium having a computer program stored thereon which, when executed by a processor, enables a chip to implement the information processing method of any chip component of the embodiments of the present disclosure.
  • confidential information is actually stored in an information storage device (such as FLASH), and eFUSE only stores its configuration information. Therefore, no matter how large the confidential information is, the space required for eFUSE is very small, thereby being able to store a larger amount of information at a low cost of eFUSE to meet customer needs.
  • the confidential information is encrypted, and its configuration information is stored in eFUSE and cannot be modified. Therefore, although the confidential information is actually located in the information storage device, its security is still very high and cannot be cracked or tampered with.
  • FIG. 1 is a block diagram of a chip assembly according to an embodiment of the present disclosure.
  • FIG. 2 is a flow chart of a method for information processing of a chip assembly provided by an embodiment of the present disclosure.
  • FIG. 3 is a flow chart of a method for information processing of a chip assembly provided by another embodiment of the present disclosure.
  • FIG. 4 is a flow chart of a method for information processing of a chip component provided by another embodiment of the present disclosure.
  • FIG. 5 is a flow chart of a method for information processing of a chip assembly provided by another embodiment of the present disclosure.
  • FIG. 6 is a logic process diagram of a method for information processing of a chip component provided in an embodiment of the present disclosure.
  • FIG. 7 is a block diagram of the composition of a computer-readable medium provided in an embodiment of the present disclosure.
  • the present disclosure may be described with reference to plan views and/or cross-sectional views by means of ideal schematic views of the present disclosure. Therefore, the exemplary illustrations may be modified according to manufacturing techniques and/or tolerances.
  • the present disclosure is not limited to the embodiments shown in the drawings, but includes modifications of the configurations formed based on the manufacturing process. Therefore, the regions illustrated in the drawings have schematic properties, and the shapes of the regions shown in the drawings illustrate the specific shapes of the regions of the elements, but are not intended to be limiting.
  • security information used by a chip may be stored in a one-time programmable memory (eFUSE).
  • eFUSE: one-time programmable (OTP, One Time Programmable) memory.
  • some of the information used by the chip requires high security and cannot be changed. This type of information is called "security information". Because of these requirements, it can be stored in eFUSE to ensure that it cannot be tampered with.
  • the eFUSE used in chips is often expensive, so the storage space is limited and is often fixed when the chip is designed.
  • the amount of security information data may vary depending on the needs (such as different services). For example, customers may require that their serial (SN) code, market code, access code, etc. be stored in the eFUSE as security information.
  • An embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE.
  • the information processing method of the embodiment of the present disclosure is executed by a chip component, that is, it is a method for the chip component to process information.
  • the chip assembly of the embodiment of the present disclosure includes a chip (processor) that actually performs data operations, and an information memory and eFUSE for storing information (or data).
  • the above chips, information storage, and eFUSE can communicate with each other, that is, the chip can write information to the information storage and eFUSE, and can also read information from the information storage and eFUSE.
  • the chip component also has an external interface for receiving external instructions (such as from software) to perform corresponding operations and feedback the results of the operations to the outside.
  • eFUSE can be integrated with the chip (i.e., on-chip storage), while the information storage is a rewritable memory that can be located outside the chip (i.e., off-chip storage).
  • the information storage includes a flash memory FLASH.
  • FLASH (such as off-chip FLASH) may be used as an information storage device in a chip component.
  • the method for information processing of a chip assembly includes steps S101 and S102 .
  • step S101 the plain text of the confidential information is encrypted according to the information encryption algorithm to obtain the cipher text of the confidential information.
  • the chip uses a preset encryption algorithm (called an information encryption algorithm) to encrypt the plain text of the information that needs to be kept confidential (i.e., the confidential information, that is, the information to be stored in the eFUSE) to obtain the ciphertext of the confidential information.
  • the specific form of the information encryption algorithm is diverse, for example, it can be a symmetric encryption algorithm such as AES_CBC256.
  • step S102 the ciphertext of the confidential information is written into the information storage device, and the configuration information is written into the eFUSE.
  • the configuration information represents the storage status of the ciphertext of the confidential information in the information storage device.
  • the chip writes the ciphertext of the confidential information obtained above into the information storage device (such as FLASH), and writes the storage status (such as address) of the ciphertext of the confidential information in the information storage device into the eFUSE as configuration information, so that the written configuration information cannot be modified.
  • when confidential information is needed, the configuration information must first be obtained from the eFUSE; the location of the confidential information (specifically, the ciphertext of the confidential information) in the information storage is determined according to the configuration information, and the confidential information is then read from the information storage. Therefore, even if a hacker tampers with the confidential information in the information storage (such as writing "fake" confidential information in other locations of the information storage), the storage of the tampered information does not match the configuration information in the eFUSE (the configuration information cannot be modified), so the chip component still will not obtain the tampered information.
  • the confidential information is actually stored in the information storage device (such as FLASH), and eFUSE only stores its configuration information. Therefore, no matter how large the confidential information is, the space required by eFUSE is very small, so that more information can be stored at a low cost of eFUSE to meet customer needs.
  • the confidential information is encrypted, and its configuration information is stored in eFUSE and cannot be modified. Therefore, although the confidential information is actually located in the information storage device, its security is still very high and cannot be cracked or tampered with.
  • the configuration information includes at least one of the following: the address of the ciphertext of the confidential information in the information storage device, the size of the ciphertext of the confidential information, and the configuration of whether the confidential information is readable by the software.
  • the configuration information may include the storage address of the confidential information, the size of the information, etc., and may also include a configuration indicating whether the confidential information is readable by the software, etc., so that the confidential information can be read from the information storage in a corresponding manner based on this information.
  • the chip includes an encryption interface, and the information key is embedded in the chip.
  • encrypting the plain text of confidential information according to the information encryption algorithm to obtain the cipher text of the confidential information includes steps S1011 and S1012 .
  • step S1011 through the encryption interface, the chip uses the information key according to the information encryption algorithm to encrypt the plain text of the confidential information to obtain the cipher text of the confidential information.
  • step S1012 the encryption interface is closed.
  • confidential information can be encrypted through an encryption interface using an information key solidified in the chip, and then the encryption interface is permanently closed (such as by solidifying another eFUSE built into the chip), thereby ensuring that hackers cannot obtain the information key to crack the confidential information, and cannot use the chip to re-encrypt to obtain "fake" confidential information, thereby further improving the security of the confidential information.
  • an information key can be randomly generated on the hardware.
  • the information key is fixed in the chip, so it cannot be modified or obtained again (because it is randomly generated).
  • the information key is invisible and inaccessible to the outside world (such as software).
  • the software can only implement encryption operations through the encryption interface of the chip hardware (such as the encryption and decryption module controlled by a specific register). After the encryption of the confidential information is completed, the encryption interface can be closed by hardware, so that it cannot be reused.
  • the method of the embodiment of the present disclosure further includes steps S1031 and S1032 .
  • step S1031 verification information is generated according to the ciphertext of the confidential information and/or the plaintext of the confidential information.
  • step S1032 the verification information is written into the information storage.
  • verification information (such as a "certificate") derived from the confidential information (plain text, cipher text) may also be stored in the information storage device, so that when the confidential information is read, it may be verified based on the verification information to determine whether it is correct.
  • the verification information can be attached to the header of the ciphertext of the confidential information, thereby serving as its "header certificate".
  • the verification information can be a check value (such as a hash value) calculated based on the confidential information (ciphertext, plaintext), so that when reading the confidential information, its check value can be calculated again, and the correctness of the confidential information can be judged based on whether the calculated check value is the same as the check value in the verification information.
  • the verification information itself can also be encrypted by a preset encryption algorithm (such as a verification encryption algorithm).
  • the verification encryption algorithm can be an asymmetric encryption algorithm such as RSA2048: the verification information is encrypted with the private key, and is decrypted with the public key when the confidential information is read.
  • the process of writing the verification information into the information storage device can be performed before or after the process of writing the confidential information into the information storage device, or it can be performed simultaneously (such as writing as a header certificate of confidential information).
  • An embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE.
  • the information processing method of the embodiment of the present disclosure is executed by a chip component, that is, it is a method for the chip component to process information.
  • the chip assembly of the embodiment of the present disclosure includes a chip (processor) that actually performs data operations, and an information memory and eFUSE for storing information (or data).
  • the above chips, information storage, and eFUSE can communicate with each other, that is, the chip can write information to the information storage and eFUSE, and can also read information from the information storage and eFUSE; at the same time, the chip component also has an external interface for receiving external instructions (such as from software) to perform corresponding operations and feed the results of the operations back to the outside.
  • the eFUSE may be integrated with the chip (ie, on-chip storage), while the information memory is a rewritable memory that may be located outside the chip (ie, off-chip storage).
  • the information storage includes FLASH.
  • FLASH (such as off-chip FLASH) may be used as an information storage device in a chip component.
  • the information storage device stores ciphertext of confidential information, which is obtained by encrypting plaintext of the confidential information according to an information encryption algorithm.
  • the eFUSE stores configuration information, which represents the storage status of the ciphertext of the confidential information in the information storage device.
  • the information in the chip component of the embodiment of the present disclosure is written by the above chip component information processing method, so the ciphertext of confidential information is stored in its information storage, and the corresponding configuration information is stored in the eFUSE.
  • the information processing method of the chip assembly according to the embodiment of the present disclosure includes steps S201 to S203 .
  • step S201 the configuration information stored in the eFUSE is read.
  • when confidential information is needed, the chip first reads its configuration information from eFUSE.
  • step S202 the ciphertext of the confidential information is read from the information storage according to the configuration information.
  • the chip can actually read the ciphertext of the corresponding confidential information from the information storage (such as FLASH) according to the above configuration information.
  • the configuration information includes at least one of the following: the address of the ciphertext of the confidential information in the information storage device, the size of the ciphertext of the confidential information, and the configuration of whether the confidential information is readable by the software.
  • the corresponding information may be read from the information storage device according to the address and size of the ciphertext of the confidential information, and whether the confidential information is readable by the software may be determined according to the configuration.
  • step S203 the ciphertext of the confidential information is decrypted according to the information encryption algorithm to obtain the plaintext of the confidential information.
  • after obtaining the ciphertext of the confidential information, the chip can perform corresponding decryption according to the information encryption algorithm to obtain the plaintext of the confidential information for subsequent use.
  • the prerequisite for executing the above steps is that the configuration information is stored in the eFUSE, that is, the eFUSE has been solidified. If there is no configuration information in the eFUSE (not solidified), the above steps do not need to be performed.
  • confidential information is actually stored in an information storage device (such as FLASH), and eFUSE only stores its configuration information. Therefore, no matter how large the confidential information is, the space required for eFUSE is very small, thereby being able to store a larger amount of information at a low cost of eFUSE to meet customer needs.
  • the confidential information is encrypted, and its configuration information is stored in eFUSE and cannot be modified. Therefore, although the confidential information is actually located in the information storage device, its security is still very high and cannot be cracked or tampered with.
  • reading the configuration information stored in the eFUSE includes step S2011 .
  • step S2011 in response to the chip remotely starting the bootrom, the configuration information stored in the eFUSE is read.
  • the above process of reading confidential information can be performed when the chip is in bootrom, and can only be performed when the chip is in bootrom, so that the confidential information can be used after the chip is started, and it can be ensured that the above steps are not performed in other processes, thereby further improving the security of the confidential information.
  • step S205 is further included.
  • step S205 the plain text of the confidential information is written into the random access memory RAM.
  • the plain text of the confidential information obtained by the above decryption can be stored in the RAM of the chip, so that the confidential information (plain text) can be obtained from the RAM at any time and used after the chip is started.
  • the confidential information in the RAM can also have different forms as needed. For example, whether the confidential information is readable by the software can be set when writing to the RAM based on the configuration of whether the confidential information is readable by the software.
  • the chip includes a decryption interface, and the information key is embedded in the chip.
  • decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information includes step S2031 .
  • step S2031 through the decryption interface, the chip uses the information key according to the information encryption algorithm to decrypt the ciphertext of the confidential information to obtain the plaintext of the confidential information.
  • when the ciphertext of the confidential information is encrypted using the fixed information key through the above writing interface, the chip may also have a hardware decryption interface.
  • the software calls the decryption interface to make the chip decrypt with the information key solidified in it, so that the outside world can only obtain the plaintext as the decryption result, but still cannot access the information key, further improving security.
  • the information storage device further stores verification information, where the verification information is generated based on the ciphertext of the confidential information and/or the plaintext of the confidential information.
  • the method of the embodiment of the present disclosure further includes steps S2041 and S2042 .
  • step S2041 the verification information stored in the information storage is read.
  • step S2042 the ciphertext of the confidential information and/or the plaintext of the confidential information is verified according to the verification information.
  • when the above verification information is also stored in the information storage device, it can also be used to verify the correctness of the confidential information during the process of reading the confidential information.
  • the verification information may be attached to the header of the ciphertext of the confidential information, so that the verification information may be read at the same time as the confidential information is read.
  • the verification information can be a check value (such as a HASH value) calculated based on the confidential information (ciphertext, plaintext), so that when reading the confidential information, its check value can be calculated again, and the correctness of the confidential information can be judged based on whether the calculated check value is the same as the check value in the verification information.
  • the verification information itself can also be encrypted by a preset encryption algorithm (such as a verification encryption algorithm).
  • the verification encryption algorithm can be an asymmetric encryption algorithm such as RSA2048: the verification information is encrypted with the private key, and is decrypted with the public key when the confidential information is read.
  • confidential information ciphertext, plaintext
  • it can be verified based on the verification information, so the numbering and description order of the above steps does not necessarily represent their execution order.
  • a method for information processing of a chip component may specifically include steps A101 to A109 , some of which are shown in FIG. 6 .
  • step A101 when the chip is designed and produced, the information encryption algorithm, information key, and verification encryption algorithm are solidified in it, and a hardware encryption interface and decryption interface controlled by software are set in the chip.
  • the information encryption algorithm may be a symmetric encryption algorithm (AES_CBC256), and the information key used by the algorithm is a random number of a fixed size (eg, 256 bits) generated by hardware when the chip is produced.
  • the verification encryption algorithm is used to encrypt the verification information, which may be an asymmetric encryption algorithm (such as RSA2048), and its key is a randomly generated key pair, in which the private key is used for encryption and the public key is used for decryption.
  • the encryption interface can take the plaintext address, the plaintext size, and the address in DDR (double data rate synchronous dynamic random access memory) where the ciphertext is to be stored, and another built-in eFUSE is used to indicate whether the encryption has been completed.
  • step A102 during the production (or development and debugging) of the security version, the hardware encryption interface is called, and the plain text of the confidential information (which in the related technology would be written into the eFUSE) is encrypted using the information encryption algorithm to obtain the ciphertext of the security information.
  • the ciphertext may be obtained by encrypting the plaintext using a symmetric encryption algorithm (such as AES_CBC256).
  • step A103 the ciphertext of the security information is stored in a specific storage area of the off-chip FLASH (information storage), verification information about the plaintext and ciphertext is generated, and the verification information is written as a header certificate in the header of the ciphertext of the security information.
  • HASH256 operation can be performed on the ciphertext and plaintext of the confidential information respectively to obtain a 256-bit HASH value (check value) respectively, and the two HASH values are encrypted through an asymmetric encryption algorithm (such as the private key of RSA2048) to generate a 2048-bit signature, and the 1KB header certificate and the ciphertext image of the confidential information are used as encrypted images and returned to the specific DDR space through configuration.
  • step A104 the address and size of the security information ciphertext in the FLASH, and whether it is readable by software, are used as configuration information and written into the eFUSE; the eFUSE is solidified to become read-only; the hardware encryption interface is permanently closed, so that the encryption function becomes invalid and the hardware ensures that the relevant registers become read-only; finally, the plaintext and ciphertext stored in DDR are erased.
  • step A105 when the chip boots into rom, it attempts to read the fixation mark of eFUSE. If it has been fixed (configuration information has been written), the following steps are executed. If it has not been fixed, it boots into rom in a conventional manner.
  • step A106 configuration information is obtained, information of corresponding size is read from the corresponding FLASH address as ciphertext of security information, and the header certificate etc. is read at the same time.
  • step A107 the header certificate is used to perform signature verification and decryption to obtain the corresponding plaintext. If the signature verification and decryption fails, an error is reported and the process stops. If successful, the corresponding plaintext is obtained and the subsequent steps are continued.
  • a symmetric encryption algorithm (such as AES_CBC256) can be used to decrypt with a fixed information key to obtain plaintext; and an asymmetric encryption algorithm can be used to decrypt the header certificate (such as the public key of RSA2048) to obtain two 256-bit HASH values corresponding to the ciphertext and plaintext stored therein; then the ciphertext stored in the FLASH and the decrypted plaintext are respectively subjected to HASH256 operations to calculate two 256-bit HASH values corresponding to the ciphertext and plaintext respectively; finally, the stored HASH value is compared with the calculated HASH value to see if they are the same.
  • If the stored and calculated HASH values are the same, the signature verification and decryption are successful, and the decrypted plaintext is used as the correct plaintext. If they are different, the signature verification and decryption fail (if the HASH values of the ciphertext are different, the ciphertext has been tampered with; if the HASH values of the plaintext are different, the decryption failed or the plaintext has been tampered with).
  • Step A108: the plaintext is written to a specific address of the RAM, and whether it is readable by software is set according to the configuration, so that subsequent code can either only read the contents of that specific RAM address or cannot read it at all (that is, only hardware access is allowed).
  • Step A109: after the chip has started, the security information can be read from the corresponding area of the RAM and used when needed.
  • An embodiment of the present disclosure provides a chip component, including a chip, an information storage device, and an eFUSE, wherein the chip can implement an information processing method of any chip component of the embodiment of the present disclosure.
  • The chip component of the disclosed embodiment can execute the above chip component information processing method (including both the above method of writing confidential information and the above method of reading confidential information), thereby meeting various needs of customers and ensuring the security of confidential information at a low eFUSE cost.
  • The information storage includes FLASH.
  • FLASH (such as off-chip FLASH) may be used as an information storage device in a chip component.
  • An embodiment of the present disclosure provides a computer-readable medium having a computer program stored thereon, and when the computer program is executed by a processor, a chip can implement a method for information processing of any chip component of the embodiment of the present disclosure.
  • A processor is a device with data processing capabilities, including but not limited to a central processing unit (CPU); a memory is a device with data storage capabilities, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH); an I/O interface (read-write interface) is connected between the processor and the memory, and can realize information exchange between the memory and the processor, including but not limited to a data bus (Bus), etc.
  • The division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation.
  • Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit (CPU), a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit.
  • Such software may be distributed on a computer-readable medium, which may include a computer storage medium (or non-transitory medium) and a communication medium (or transient medium).
  • The term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data).
  • Computer storage media include, but are not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory (FLASH) or other disk storage; CD-ROM, DVD or other optical disk storage; cassettes, tapes, disk storage or other magnetic storage; any other medium that can be used to store the desired information and can be accessed by a computer.
  • Communication media generally contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.


Abstract

The present invention provides an information processing method of a chip assembly. The chip assembly comprises a chip, an information memory, and a one-time programmable memory eFUSE. The method comprises: encrypting a plaintext of confidential information according to an information encryption algorithm to obtain a ciphertext of the confidential information; and writing the ciphertext of the confidential information into the information memory, and writing configuration information into the eFUSE, wherein the configuration information represents the storage situation of the ciphertext of the confidential information in the information memory. The present invention further provides a chip assembly and a computer readable medium.

Description

Chip assembly and information processing method thereof, and computer readable medium
CROSS-REFERENCE TO RELATED APPLICATIONS
This patent application claims priority to Chinese patent application 202211230338.7 filed with the State Intellectual Property Office of China on September 30, 2022, and the disclosure of this Chinese patent application is incorporated herein by reference in its entirety.
Technical Field
The present disclosure relates to the field of chip technology, and in particular to a chip component and an information processing method thereof, and a computer-readable medium.
Background
Security information used by a chip (such as a security chip) can be stored in a one-time programmable memory eFUSE to ensure that it cannot be modified.
However, in the related art, the storage space of the eFUSE used in the chip is insufficient and it is difficult to meet the requirements of customers.
Summary of the Invention
The present disclosure provides a chip component and an information processing method thereof, and a computer-readable medium.
In a first aspect, an embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE. The method includes: encrypting plaintext of confidential information according to an information encryption algorithm to obtain ciphertext of the confidential information; writing the ciphertext of the confidential information into the information storage device, and writing configuration information into the eFUSE, wherein the configuration information represents the storage status of the ciphertext of the confidential information in the information storage device.
In a second aspect, an embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE; the information storage device stores ciphertext of confidential information, the ciphertext of the confidential information is obtained by encrypting the plaintext of the confidential information according to an information encryption algorithm, the eFUSE stores configuration information, and the configuration information represents the storage status of the ciphertext of the confidential information in the information storage device. The method includes: reading the configuration information stored in the eFUSE; reading the ciphertext of the confidential information from the information storage device according to the configuration information; and decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information.
In a third aspect, an embodiment of the present disclosure provides a chip component, including a chip, an information storage device, and an eFUSE, wherein the chip can implement an information processing method of any chip component of the embodiment of the present disclosure.
In some embodiments, the information storage includes a flash memory FLASH.
In a fourth aspect, an embodiment of the present disclosure provides a non-transitory computer-readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, enables the chip to implement the information processing method of any chip component of the embodiment of the present disclosure.
In the disclosed embodiments, confidential information is actually stored in an information storage device (such as FLASH), and the eFUSE only stores its configuration information. Therefore, no matter how large the confidential information is, the space required in the eFUSE is very small, so that a larger amount of information can be stored at a low eFUSE cost to meet customer needs. At the same time, the confidential information is encrypted, and its configuration information is stored in the eFUSE and cannot be modified. Therefore, although the confidential information is actually located in the information storage device, its security is still very high and it cannot be cracked or tampered with.
BRIEF DESCRIPTION OF THE DRAWINGS
In the accompanying drawings of the embodiments of the present disclosure:
FIG. 1 is a block diagram of a chip assembly according to an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method for information processing of a chip assembly provided by an embodiment of the present disclosure;
FIG. 3 is a flow chart of a method for information processing of a chip assembly provided by another embodiment of the present disclosure;
FIG. 4 is a flow chart of a method for information processing of a chip assembly provided by another embodiment of the present disclosure;
FIG. 5 is a flow chart of a method for information processing of a chip assembly provided by another embodiment of the present disclosure;
FIG. 6 is a schematic diagram of the logical process of a method for information processing of a chip assembly provided by an embodiment of the present disclosure;
FIG. 7 is a block diagram of the composition of a computer-readable medium provided in an embodiment of the present disclosure.
Detailed Description
In order to enable those skilled in the art to better understand the technical solution of the present disclosure, the chip assembly and its information processing method and computer-readable medium provided by the embodiments of the present disclosure are described in detail below with reference to the accompanying drawings.
The present disclosure will be described more fully below with reference to the accompanying drawings, but the embodiments shown may be embodied in different forms, and the present disclosure should not be construed as being limited to the embodiments set forth below. On the contrary, the purpose of providing these embodiments is to make the present disclosure thorough and complete, and to enable those skilled in the art to fully understand the scope of the present disclosure.
The accompanying drawings of the embodiments of the present disclosure are used to provide a further understanding of the embodiments of the present disclosure, and constitute a part of the specification. Together with the detailed embodiments they are used to explain the present disclosure, and do not constitute a limitation of the present disclosure. By describing the detailed embodiments with reference to the accompanying drawings, the above and other features and advantages will become more apparent to those skilled in the art.
The present disclosure may be described with reference to plan views and/or cross-sectional views by means of ideal schematic views of the present disclosure. Therefore, the exemplary illustrations may be modified according to manufacturing techniques and/or tolerances.
In the absence of conflict, the various embodiments of the present disclosure and the various features therein may be combined with each other.
The terms used in the present disclosure are only used to describe specific embodiments and are not intended to limit the present disclosure. The term "and/or" as used in the present disclosure includes any and all combinations of one or more related enumerated items. The singular forms "one" and "the" as used in the present disclosure are also intended to include plural forms, unless the context clearly indicates otherwise. The terms "including", "made of..." as used in the present disclosure specify the presence of the features, wholes, steps, operations, elements and/or components, but do not exclude the presence or addition of one or more other features, wholes, steps, operations, elements, components and/or groups thereof.
Unless otherwise defined, all terms (including technical and scientific terms) used in this disclosure have the same meanings as commonly understood by those of ordinary skill in the art. It will also be understood that terms such as those defined in commonly used dictionaries should be interpreted as having a meaning consistent with their meaning in the context of the relevant art and this disclosure, and will not be interpreted in an idealized or overly formal sense unless the present disclosure expressly so defines them.
The present disclosure is not limited to the embodiments shown in the drawings, but includes modifications of the configurations formed based on the manufacturing process. Therefore, the regions illustrated in the drawings have schematic properties, and the shapes of the regions shown in the drawings illustrate the specific shapes of the regions of the elements, but are not intended to be limiting.
In some related technologies, security information used by a chip (e.g., a security chip) may be stored in a one-time programmable memory (eFUSE).
One-time programmable memory is called eFUSE or OTP (One Time Programable). It is a special memory whose physical properties ensure that it can only be written once (for example, writing burns out a fuse structure). Therefore, once information is written into it, the information cannot be modified again (for example, because the fuse has been blown).
Some of the information used by the chip requires high security and must not be changed. This type of information is called "security information". To meet this requirement, it can be stored in the eFUSE to ensure that it cannot be tampered with.
However, the eFUSE used in chips is often expensive, so its storage space is limited and is often fixed when the chip is designed. In contrast, the amount of security information data may differ depending on the needs (such as different services). For example, customers may require that their serial number (SN) code, market code, access code, etc. all be stored in the eFUSE as security information.
As a result, in some cases the storage space of the eFUSE used by the chip is insufficient to meet customer needs.
An embodiment of the present disclosure provides a method for information processing of a chip component, wherein the chip component includes a chip, an information storage device, and an eFUSE.
The information processing method of the embodiment of the present disclosure is executed by a chip component, that is, it is a method for the chip component to process information.
Referring to FIG. 1, the chip assembly of the embodiment of the present disclosure includes a chip (processor) that actually performs data operations, and an information memory and an eFUSE for storing information (or data).
It should be understood that the above chip, information storage, and eFUSE can communicate with each other, that is, the chip can write information to the information storage and the eFUSE, and can also read information from the information storage and the eFUSE. The chip component also has an external interface for receiving external instructions (such as from software) to perform corresponding operations and to feed the results of the operations back to the outside.
The eFUSE may be integrated with the chip (i.e., on-chip storage), while the information memory is a rewritable memory that may be located outside the chip (i.e., off-chip storage).
In some embodiments, the information storage includes a flash memory FLASH.
As one embodiment of the present disclosure, FLASH (such as off-chip FLASH) may be used as an information storage device in a chip component.
It should be understood that the specific form of the information storage device in the embodiments of the present disclosure is not limited thereto, and it may also be other forms of storage device.
Referring to FIG. 2, the method for information processing of a chip assembly according to an embodiment of the present disclosure includes steps S101 and S102.
In step S101, the plaintext of the confidential information is encrypted according to the information encryption algorithm to obtain the ciphertext of the confidential information.
The chip uses a preset encryption algorithm (called an information encryption algorithm) to encrypt the plaintext of the information that needs to be kept confidential (i.e., the confidential information, that is, the information to be stored in the eFUSE) to obtain the ciphertext of the confidential information.
The information encryption algorithm can take various specific forms; for example, it can be a symmetric encryption algorithm such as AES_CBC256.
In step S102, the ciphertext of the confidential information is written into the information storage device, and the configuration information is written into the eFUSE.
The configuration information represents the storage status of the ciphertext of the confidential information in the information storage device.
The chip writes the ciphertext of the confidential information obtained above into the information storage device (such as FLASH), and writes the storage status (such as the address) of the ciphertext of the confidential information in the information storage device into the eFUSE as configuration information, so that the written configuration information cannot be modified.
Therefore, when the confidential information needs to be used, its configuration information must first be obtained from the eFUSE, and the configuration information determines how the confidential information (specifically, the ciphertext of the confidential information) is stored in the information storage device, so that the confidential information can then be obtained from the information storage device. As a result, even if a hacker tampers with the confidential information in the information storage device (such as by writing "fake" confidential information in other locations of the information storage device), the storage status of the tampered information does not match the configuration information in the eFUSE (which cannot be modified), so the chip component still will not obtain the tampered information.
In the disclosed embodiments, confidential information is actually stored in an information storage device (such as FLASH), and the eFUSE only stores its configuration information. Therefore, no matter how large the confidential information is, the space required in the eFUSE is very small, so that a larger amount of information can be stored at a low eFUSE cost to meet customer needs. At the same time, the confidential information is encrypted, and its configuration information is stored in the eFUSE and cannot be modified. Therefore, although the confidential information is actually located in the information storage device, its security is still very high and it cannot be cracked or tampered with.
In some embodiments, the configuration information includes at least one of the following: the address of the ciphertext of the confidential information in the information storage device, the size of the ciphertext of the confidential information, and the configuration of whether the confidential information is readable by software.
As one mode of an embodiment of the present disclosure, the configuration information may include the storage address of the confidential information, the size of the information, etc., and may also include a configuration indicating whether the confidential information is readable by software, etc., so that the confidential information can be read from the information storage device in a corresponding manner based on this information.
In some embodiments, the chip includes an encryption interface, and an information key is solidified in the chip.
Referring to FIG. 3, encrypting the plaintext of the confidential information according to the information encryption algorithm to obtain the ciphertext of the confidential information (S101) includes steps S1011 and S1012.
In step S1011, through the encryption interface, the chip uses the information key to encrypt the plaintext of the confidential information according to the information encryption algorithm to obtain the ciphertext of the confidential information.
In step S1012, the encryption interface is closed.
As one mode of an embodiment of the present disclosure, the confidential information can be encrypted through the encryption interface using the information key solidified in the chip, and the encryption interface is then permanently closed (such as by solidifying another eFUSE built into the chip). This ensures that hackers cannot obtain the information key to crack the confidential information, and cannot use the chip to re-encrypt data to obtain "fake" confidential information, which further improves the security of the confidential information.
For example, during the production of the chip, an information key can be randomly generated in hardware. The information key is solidified in the chip, so it cannot be modified and cannot be obtained again (because it is randomly generated). In addition, the information key is invisible and inaccessible to the outside world (such as software). Software can only perform encryption operations through the encryption interface of the chip hardware (such as an encryption and decryption module controlled by specific registers). After the encryption of the confidential information is completed, the encryption interface can be closed in hardware so that it cannot be used again.
In some embodiments, referring to FIG. 3, the method of the embodiment of the present disclosure further includes steps S1031 and S1032.
In step S1031, verification information is generated according to the ciphertext of the confidential information and/or the plaintext of the confidential information.
In step S1032, the verification information is written into the information storage device.
As one mode of an embodiment of the present disclosure, verification information (such as a "certificate") derived from the confidential information (plaintext, ciphertext) may also be stored in the information storage device, so that when the confidential information is read, it can be verified against the verification information to determine whether it is correct.
The verification information can take various specific forms.
For example, the verification information can be attached to the head of the ciphertext of the confidential information, thereby serving as its "header certificate".
For another example, the verification information can be a check value (such as a HASH value) calculated from the confidential information (ciphertext, plaintext), so that when the confidential information is read, its check value can be calculated again, and the correctness of the confidential information can be judged by whether the calculated check value is the same as the check value in the verification information.
For another example, the verification information itself can also be encrypted by a preset encryption algorithm (a verification encryption algorithm). For example, the verification encryption algorithm can be an asymmetric encryption algorithm such as RSA2048, in which encryption is performed with the private key, and the verification information is decrypted with the public key when the confidential information is read.
For another example, as soon as the confidential information (ciphertext, plaintext) has been generated, the corresponding verification information can be calculated from it and written into the information storage device. Therefore, the numbering and description order of the above steps do not necessarily represent their execution order. For example, the verification information can be written into the information storage device before or after the confidential information is written into the information storage device, or at the same time (such as when it is written as the header certificate of the confidential information).
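The write path and the boot-time read path (steps A104 to A108 listed earlier, together with the header-certificate verification described above) can be modelled as follows. This is an added example, not code from the patent: the FLASH layout (header certificate immediately followed by the ciphertext), the toy RSA key built from two Mersenne primes, the SHA-256 keystream standing in for AES_CBC256, and all function and class names are assumptions.

```python
import hashlib
import hmac
import struct

# Constructed toy RSA key from two publicly known Mersenne primes. It stands in
# for the RSA2048 key pair, uses no padding, and is insecure by construction.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
CERT_LEN = (N.bit_length() + 7) // 8   # size of the header certificate in FLASH


class BootError(Exception):
    """Raised when signature verification and decryption fail (step A107)."""


class EFuse:
    """One-time programmable store: the configuration can be written once only."""
    def __init__(self):
        self.config = None              # None means "not solidified"

    def program(self, address, size, sw_readable):
        if self.config is not None:
            raise PermissionError("eFUSE is solidified and read-only")
        self.config = (address, size, sw_readable)


def keystream_xor(key, data):
    """Stand-in for AES_CBC256 (no AES in the standard library): XOR with a
    SHA-256 counter keystream, so encryption and decryption are the same call."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def make_header_cert(ciphertext, plaintext):
    """Private-key operation over HASH256(ciphertext) || HASH256(plaintext)."""
    digests = hashlib.sha256(ciphertext).digest() + hashlib.sha256(plaintext).digest()
    return pow(int.from_bytes(digests, "big"), D, N).to_bytes(CERT_LEN, "big")


def open_header_cert(cert):
    """Public-key operation that recovers the two stored 256-bit hash values."""
    m = pow(int.from_bytes(cert, "big"), E, N)
    if m.bit_length() > 512:
        raise BootError("header certificate is malformed")
    raw = m.to_bytes(64, "big")
    return raw[:32], raw[32:]


def provision(flash, efuse, key, secret, address, sw_readable):
    """Write path (up to step A104). Assumed layout: certificate, then ciphertext."""
    ciphertext = keystream_xor(key, secret)
    blob = make_header_cert(ciphertext, secret) + ciphertext
    flash[address:address + len(blob)] = blob
    efuse.program(address, len(ciphertext), sw_readable)


def boot_read(flash, efuse, key):
    """Read path (steps A105 to A108). Returns (plaintext, sw_readable) or None."""
    if efuse.config is None:
        return None                                    # A105: conventional boot
    address, size, sw_readable = efuse.config          # A106: pinned location
    cert = bytes(flash[address:address + CERT_LEN])
    body = address + CERT_LEN
    ciphertext = bytes(flash[body:body + size])
    want_ct, want_pt = open_header_cert(cert)          # A107: stored hashes
    if not hmac.compare_digest(hashlib.sha256(ciphertext).digest(), want_ct):
        raise BootError("ciphertext hash mismatch: ciphertext tampered")
    plaintext = keystream_xor(key, ciphertext)
    if not hmac.compare_digest(hashlib.sha256(plaintext).digest(), want_pt):
        raise BootError("plaintext hash mismatch: decryption failed or plaintext tampered")
    return plaintext, sw_readable                      # A108: caller places it in RAM


def demo():
    key = hashlib.sha256(b"constructed information key").digest()
    secret = b"SN=CONSTRUCTED-0001;market=00;access=00"   # constructed sample
    flash, efuse = bytearray(4096), EFuse()
    provision(flash, efuse, key, secret, 0x400, False)
    results = {"clean": boot_read(flash, efuse, key)}
    flash[0x800:0x800 + 16] = b"fake secret blob"      # written elsewhere in FLASH
    results["fake_elsewhere"] = boot_read(flash, efuse, key)
    flash[0x400 + CERT_LEN] ^= 0x01                    # in-place change to ciphertext
    try:
        results["in_place"] = boot_read(flash, efuse, key)
    except BootError as err:
        results["in_place"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

Data written elsewhere in FLASH is never read because the eFUSE pins the address and size, while a change made in place at the pinned address is caught only by the hash values carried in the header certificate.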
An embodiment of the present disclosure provides an information processing method for a chip assembly, wherein the chip assembly includes a chip, an information memory, and an eFUSE.
The information processing method of this embodiment is executed by the chip assembly; that is, it is the method by which the chip assembly processes information.
Referring to FIG. 1, the chip assembly of this embodiment includes a chip (processor) that actually performs data operations, and an information memory and an eFUSE for storing information (also called data).
It should be understood that the chip, the information memory, and the eFUSE can communicate with one another: the chip can write information to, and read information from, both the information memory and the eFUSE. The chip assembly also has an external interface through which it receives instructions from outside (for example, from software), performs the corresponding operations, and returns the results.
The eFUSE may be integrated with the chip (on-chip storage), while the information memory is a rewritable memory that may be located outside the chip (off-chip storage).
In some embodiments, the information memory includes FLASH.
As one implementation of this embodiment, FLASH (such as off-chip FLASH) may be used as the information memory in the chip assembly.
It should be understood that the specific form of the information memory in the embodiments of the present disclosure is not limited to this; it may also be another form of memory.
The information memory stores the ciphertext of the confidential information, which is obtained by encrypting the plaintext of the confidential information according to an information encryption algorithm. The eFUSE stores configuration information, which describes how the ciphertext of the confidential information is stored in the information memory.
The information in the chip assembly of this embodiment is written by the information processing method described above, so the information memory holds the ciphertext of the confidential information and the eFUSE holds the corresponding configuration information.
Referring to FIG. 4, the information processing method of the chip assembly of this embodiment includes steps S201 to S203.
In step S201, the configuration information stored in the eFUSE is read.
When the confidential information is needed, the chip first reads its configuration information from the eFUSE.
In step S202, the ciphertext of the confidential information is read from the information memory according to the configuration information.
Using this configuration information, the chip can then read the corresponding ciphertext of the confidential information from the information memory (such as FLASH).
In some embodiments, the configuration information includes at least one of the following: the address of the ciphertext of the confidential information in the information memory, the size of the ciphertext of the confidential information, and a configuration indicating whether the confidential information is readable by software.
For example, the corresponding information may be read from the information memory according to the address and size of the ciphertext of the confidential information, and whether the confidential information is readable by software may be determined according to the configuration.
In step S203, the ciphertext of the confidential information is decrypted according to the information encryption algorithm to obtain the plaintext of the confidential information.
After obtaining the ciphertext of the confidential information, the chip performs the corresponding decryption according to the information encryption algorithm to obtain the plaintext of the confidential information for subsequent use.
It should be understood that the above steps presuppose that configuration information is stored in the eFUSE, that is, that the eFUSE has been programmed (burned). If the eFUSE holds no configuration information (has not been programmed), the above steps need not be performed.
In the embodiments of the present disclosure, the confidential information is actually stored in the information memory (such as FLASH), and the eFUSE stores only its configuration information. However large the confidential information is, the eFUSE space required is therefore very small, so a larger amount of information can be stored at low eFUSE cost to meet customer needs. At the same time, the confidential information is encrypted, and its configuration information is stored in the eFUSE where it cannot be modified. Although the confidential information physically resides in the information memory, its security therefore remains high, and it cannot be cracked or tampered with.
In some embodiments, referring to FIG. 5, reading the configuration information stored in the eFUSE includes step S2011.
In step S2011, in response to the chip performing a remote boot (bootrom), the configuration information stored in the eFUSE is read.
As one implementation of this embodiment, the above process of reading the confidential information may be performed during the chip's bootrom stage, and may be restricted to that stage only. The confidential information is then available once the chip has started, and the above steps are guaranteed not to run at any other time, which further improves the security of the confidential information.
In some embodiments, referring to FIG. 5, after the ciphertext of the confidential information is decrypted according to the information encryption algorithm to obtain the plaintext of the confidential information (S203), the method further includes step S205.
In step S205, the plaintext of the confidential information is written into random access memory (RAM).
As one implementation of this embodiment, the plaintext of the confidential information obtained by the above decryption may be stored in the chip's RAM, so that after the chip starts, the confidential information (plaintext) can be obtained from RAM and used at any time.
The confidential information in RAM may also take different forms as needed. For example, according to the configuration indicating whether the confidential information is readable by software, its readability by software may be set when it is written into RAM.
In some embodiments, the chip includes a decryption interface, and an information key is fixed in the chip.
Referring to FIG. 5, decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information (S203) includes step S2031.
In step S2031, through the decryption interface, the chip is made to use the information key to decrypt the ciphertext of the confidential information according to the information encryption algorithm, obtaining the plaintext of the confidential information.
As one implementation of this embodiment, when the ciphertext of the confidential information was produced by encrypting with the fixed information key through the above write interface, the chip may also have a hardware decryption interface.
Thus, after the confidential information has been encrypted through the write interface and the write interface has been permanently closed, software calls the decryption interface during subsequent reads (for example, during the chip's bootrom stage) so that the chip decrypts with the information key fixed inside it. The outside world can obtain only the plaintext produced by the decryption and still cannot access the information key, which further improves security.
In some embodiments, the information memory further stores verification information, which is generated from the ciphertext of the confidential information and/or the plaintext of the confidential information.
Referring to FIG. 5, the method of this embodiment further includes steps S2041 and S2042.
In step S2041, the verification information stored in the information memory is read.
In step S2042, the ciphertext of the confidential information and/or the plaintext of the confidential information is verified according to the verification information.
As one implementation of this embodiment, when the information memory also stores the above verification information, that verification information can be used, while the confidential information is being read, to verify the correctness of the verification information.
It should be understood that there are many specific ways of verifying with the verification information, and that they correspond to the form the verification information takes.
For example, the verification information may be attached to the head of the ciphertext of the confidential information, so that it is read together with the confidential information.
As another example, the verification information may be a check value (such as a HASH value) computed from the confidential information (ciphertext, plaintext). When the confidential information is read, its check value can be computed again, and the correctness of the confidential information is judged by whether the computed check value equals the check value in the verification information.
As another example, the verification information itself may be encrypted with a preset encryption algorithm (a verification encryption algorithm). The verification encryption algorithm may be an asymmetric encryption algorithm such as RSA2048, in which encryption is performed with the private key and the verification information is decrypted with the public key when the confidential information is read.
As another example, the confidential information (ciphertext, plaintext) can be verified against the verification information as soon as it exists, so the numbering and order of description of the above steps do not dictate their order of execution.
As another example, when verification fails (for example, the check values differ), several different responses are possible, such as automatically terminating the processing of the confidential information or raising an alarm.
By way of example, an information processing method for a chip assembly according to an embodiment of the present disclosure may include steps A101 to A109, some of which are shown in FIG. 6.
In step A101, when the chip is designed and produced, the information encryption algorithm, the information key, and the verification encryption algorithm are fixed in it, and a software-controlled hardware encryption interface and decryption interface are provided in the chip.
The information encryption algorithm may be a symmetric encryption algorithm (AES_CBC256), and the information key it uses is a random number of fixed size (e.g., 256 bits) generated by hardware when the chip is produced.
The verification encryption algorithm is used to encrypt the verification information. It may be an asymmetric encryption algorithm (such as RSA2048) whose key is a randomly generated key pair, in which the private key is used for encryption and the public key for decryption.
The encryption interface (a register interface) may take the address of the plaintext in DDR memory (double data rate synchronous dynamic random access memory), the size of the plaintext, and the DDR address where the ciphertext is to be stored; a separate built-in eFUSE marks whether encryption has been completed.
In step A102, during production (or development and debugging) of the secure version, the hardware encryption interface is called, and the information encryption algorithm is used to encrypt the plaintext of the confidential information that, in the related art, would be written into the eFUSE, producing the ciphertext of the security information.
For example, the ciphertext may be obtained by encrypting the plaintext with a symmetric encryption algorithm (such as AES_CBC256).
In step A103, the ciphertext of the security information is stored in a specific storage area of the off-chip FLASH (the information memory), verification information covering the plaintext and the ciphertext is generated, and the verification information is written as a header certificate at the head of the ciphertext of the security information.
For example, HASH256 may be computed separately over the ciphertext and the plaintext of the confidential information, each yielding a 256-bit HASH value (check value). The two HASH values are then encrypted with an asymmetric encryption algorithm (e.g., with the RSA2048 private key) to generate a 2048-bit signature. The 1 KB header certificate and the ciphertext image of the confidential information together form the encrypted image, which is returned to a specific DDR space as configured.
In step A104, the address and size of the security information ciphertext in the FLASH, and whether it is readable by software, are taken as the configuration information and written into the eFUSE. The eFUSE is then programmed so that it becomes read-only, and the hardware encryption interface is permanently closed. From this point the encryption function is disabled and the hardware guarantees that the relevant registers are all read-only. Finally, the plaintext and ciphertext held in DDR are erased.
In step A105, during the chip's bootrom stage, an attempt is made to read the eFUSE's programmed flag. If the eFUSE has been programmed (configuration information has been written), the following steps are executed; if not, the bootrom proceeds in the conventional manner.
In step A106, the configuration information is obtained, information of the corresponding size is read from the corresponding FLASH address as the ciphertext of the security information, and the header certificate and related data are read at the same time.
In step A107, the header certificate is used for signature verification and decryption to obtain the corresponding plaintext. If signature verification and decryption fail, an error is reported and the process stops; if they succeed, the corresponding plaintext is obtained and the subsequent steps continue.
The decryption interface may be used to decrypt with the fixed information key under the symmetric encryption algorithm (e.g., AES_CBC256), yielding the plaintext. The header certificate is decrypted with the asymmetric encryption algorithm (e.g., with the RSA2048 public key) to obtain the two stored 256-bit HASH values corresponding to the ciphertext and the plaintext. HASH256 is then computed over the ciphertext stored in the FLASH and over the decrypted plaintext, giving two computed 256-bit HASH values. Finally, the stored HASH values are compared with the computed ones: if both match, signature verification and decryption succeed and the decrypted plaintext is taken as the correct plaintext; if either differs, signature verification and decryption fail (a differing ciphertext HASH value indicates that the ciphertext has been tampered with; a differing plaintext HASH value indicates that decryption was incorrect or the plaintext has been tampered with).
In step A108, the plaintext is written to a specific address in RAM, and whether it is readable by software is set according to the configuration, so that subsequent code can either only read the contents at that specific RAM address or cannot read them at all (i.e., only hardware access is allowed).
In step A109, after the chip has started, the security information can be read from the corresponding RAM area and used whenever it is needed.
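A Python model of the boot-time read path in steps A105 to A107, with the matching write side from steps A102 to A104, added here as an illustration and not taken from the patent. The eFUSE record layout, the 256-byte header, the XOR keystream standing in for AES_CBC256, and the unpadded toy RSA key standing in for RSA2048 are all assumptions; a real design would use a padded signature scheme.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins (assumptions, not real cryptography):
# a toy unpadded RSA key built from two Mersenne primes replaces RSA2048.
_P, _Q = 2**521 - 1, 2**607 - 1
RSA_N, RSA_E = _P * _Q, 65537
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))   # provisioning side only

EFUSE_FMT = "<IIB"    # hypothetical layout: flash address, size, sw_readable
HEADER_LEN = 256      # hypothetical header size (the page uses a 1 KB header)


class BootError(Exception):
    """Verification failed: report the error and stop (step A107)."""


class Chip:
    """Holds the fixed information key; callers only ever see results."""

    def __init__(self, key: bytes):
        self.__key = key

    def crypt(self, data: bytes) -> bytes:
        # Toy XOR keystream standing in for the AES_CBC256 hardware interface.
        stream = b""
        for ctr in range((len(data) + 31) // 32):
            stream += hashlib.sha256(self.__key + ctr.to_bytes(4, "big")).digest()
        return bytes(a ^ b for a, b in zip(data, stream))


def provision(chip, plaintext: bytes, flash: bytearray, addr: int,
              sw_readable: bool = True) -> bytes:
    """Write side (A102-A104): returns the config record to burn into eFUSE."""
    ct = chip.crypt(plaintext)
    hashes = hashlib.sha256(ct).digest() + hashlib.sha256(plaintext).digest()
    sig = pow(int.from_bytes(hashes, "big"), _RSA_D, RSA_N)
    image = sig.to_bytes(HEADER_LEN, "big") + ct
    if addr + len(image) > len(flash):
        raise ValueError("image does not fit in flash")
    flash[addr:addr + len(image)] = image
    return struct.pack(EFUSE_FMT, addr, len(ct), int(sw_readable))


def boot_read(chip, efuse: bytes, flash: bytes):
    """Read side (A105-A107): returns (plaintext, sw_readable) or None."""
    if not any(efuse):
        return None                      # eFUSE not programmed: normal boot
    addr, size, sw_readable = struct.unpack(EFUSE_FMT, efuse)
    end = addr + HEADER_LEN + size
    if size == 0 or end > len(flash):
        raise BootError("eFUSE config points outside flash")
    header, ct = flash[addr:addr + HEADER_LEN], flash[addr + HEADER_LEN:end]

    # Recover the two signed hashes from the header with the public key.
    sig = int.from_bytes(header, "big")
    if sig >= RSA_N:
        raise BootError("malformed header")
    rec = pow(sig, RSA_E, RSA_N).to_bytes(HEADER_LEN, "big")
    if any(rec[:-64]):
        raise BootError("header signature invalid")
    h_ct, h_pt = rec[-64:-32], rec[-32:]

    # Check the ciphertext before decrypting, then the decrypted plaintext.
    if not hmac.compare_digest(hashlib.sha256(ct).digest(), h_ct):
        raise BootError("ciphertext hash mismatch: ciphertext tampered")
    pt = chip.crypt(ct)
    if not hmac.compare_digest(hashlib.sha256(pt).digest(), h_pt):
        raise BootError("plaintext hash mismatch: wrong decryption")
    return pt, bool(sw_readable)
```

The model checks the ciphertext hash before decrypting, which the text permits since the step order is not fixed; the bounds check on the eFUSE record is an extra defensive step that the page does not describe.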
Referring again to FIG. 1, an embodiment of the present disclosure provides a chip assembly including a chip, an information memory, and an eFUSE, wherein the chip can implement any of the information processing methods for a chip assembly of the embodiments of the present disclosure.
The chip assembly of this embodiment can execute the information processing methods described above (both the method of writing confidential information and the method of reading confidential information), so that various customer needs can be met at low eFUSE cost while the security of the confidential information is ensured.
In some embodiments, the information memory includes FLASH.
As one implementation of this embodiment, FLASH (such as off-chip FLASH) may be used as the information memory in the chip assembly.
It should be understood that the specific form of the information memory in the embodiments of the present disclosure is not limited to this; it may also be another form of memory.
Referring to FIG. 7, an embodiment of the present disclosure provides a computer-readable medium on which a computer program is stored; when executed by a processor, the computer program implements any of the information processing methods for a chip assembly of the embodiments of the present disclosure.
The processor is a device with data processing capability, including but not limited to a central processing unit (CPU). The memory is a device with data storage capability, including but not limited to random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), and flash memory (FLASH). The I/O interface (read/write interface) is connected between the processor and the memory and enables information exchange between them; it includes but is not limited to a data bus (Bus).
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and functional modules/units of the apparatus disclosed above may be implemented as software, firmware, hardware, or a suitable combination thereof.
In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation.
Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit (CPU), a digital signal processor, or a microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on a computer-readable medium, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules, or other data). Computer storage media include, but are not limited to, random access memory (RAM, more specifically SDRAM, DDR, etc.), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory (FLASH) or other disk storage; compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage; magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage; and any other medium that can be used to store the desired information and can be accessed by a computer. In addition, as is well known to those of ordinary skill in the art, communication media typically contain computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The present disclosure has disclosed example embodiments, and although specific terms are employed, they are used and should be interpreted only in a general, illustrative sense and not for purposes of limitation. In some instances, as will be apparent to those skilled in the art, features, characteristics, and/or elements described in connection with a particular embodiment may be used alone or in combination with features, characteristics, and/or elements described in connection with other embodiments, unless expressly stated otherwise. Those skilled in the art will therefore understand that various changes in form and detail may be made without departing from the scope of the present disclosure as set forth in the appended claims.

Claims (13)

  1. An information processing method for a chip assembly, the chip assembly comprising a chip, an information memory, and a one-time programmable memory eFUSE, the method comprising:
    encrypting the plaintext of confidential information according to an information encryption algorithm to obtain the ciphertext of the confidential information;
    writing the ciphertext of the confidential information into the information memory, and writing configuration information into the eFUSE,
    wherein the configuration information describes how the ciphertext of the confidential information is stored in the information memory.
  2. The method according to claim 1, wherein the chip comprises an encryption interface, an information key is fixed in the chip, and
    wherein encrypting the plaintext of the confidential information according to the information encryption algorithm to obtain the ciphertext of the confidential information comprises:
    through the encryption interface, causing the chip to use the information key to encrypt the plaintext of the confidential information according to the information encryption algorithm to obtain the ciphertext of the confidential information;
    closing the encryption interface.
  3. The method according to claim 1, further comprising:
    generating verification information according to the ciphertext of the confidential information and/or the plaintext of the confidential information;
    writing the verification information into the information memory.
  4. The method according to claim 1, wherein the configuration information comprises at least one of the following:
    the address of the ciphertext of the confidential information in the information memory, the size of the ciphertext of the confidential information, and a configuration indicating whether the confidential information is readable by software.
  5. An information processing method for a chip assembly, wherein the chip assembly comprises a chip, an information memory, and an eFUSE; the information memory stores the ciphertext of confidential information, the ciphertext of the confidential information being obtained by encrypting the plaintext of the confidential information according to an information encryption algorithm; the eFUSE stores configuration information, the configuration information describing how the ciphertext of the confidential information is stored in the information memory; the method comprising:
    reading the configuration information stored in the eFUSE;
    reading the ciphertext of the confidential information from the information memory according to the configuration information;
    decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information.
  6. The method according to claim 5, wherein the chip comprises a decryption interface, an information key is fixed in the chip, and
    wherein decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information comprises:
    through the decryption interface, causing the chip to use the information key to decrypt the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information.
  7. The method according to claim 5, wherein the information memory further stores verification information, the verification information being generated according to the ciphertext of the confidential information and/or the plaintext of the confidential information, and
    wherein the method further comprises:
    reading the verification information stored in the information memory;
    verifying the ciphertext of the confidential information and/or the plaintext of the confidential information according to the verification information.
  8. The method according to claim 5, wherein the configuration information comprises at least one of the following:
    the address of the ciphertext of the confidential information in the information memory, the size of the ciphertext of the confidential information, and a configuration indicating whether the confidential information is readable by software.
  9. The method according to claim 5, wherein reading the configuration information stored in the eFUSE comprises:
    in response to the chip performing a remote boot (bootrom), reading the configuration information stored in the eFUSE.
  10. The method according to claim 5, further comprising, after decrypting the ciphertext of the confidential information according to the information encryption algorithm to obtain the plaintext of the confidential information:
    writing the plaintext of the confidential information into random access memory (RAM).
  11. A chip assembly comprising a chip, an information memory, and an eFUSE, wherein
    the chip can implement the information processing method for a chip assembly according to any one of claims 1 to 4, and/or the information processing method for a chip assembly according to any one of claims 5 to 9.
  12. The chip assembly according to claim 11, wherein
    the information memory comprises a flash memory FLASH.
  13. A non-transitory computer-readable medium having a computer program stored thereon, wherein the computer program, when executed by a processor, implements the information processing method for a chip assembly according to any one of claims 1 to 4, and/or the information processing method for a chip assembly according to any one of claims 5 to 9.
PCT/CN2023/102614 2022-09-30 2023-06-27 Chip assembly and information processing method thereof, and computer readable medium WO2024066533A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202211230338.7A CN117854566A (en) 2022-09-30 2022-09-30 Chip assembly, information processing method thereof and computer readable medium
CN202211230338.7 2022-09-30

Publications (1)

Publication Number Publication Date
WO2024066533A1 (en) 2024-04-04

Family

ID=90475931

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2023/102614 WO2024066533A1 (en) 2022-09-30 2023-06-27 Chip assembly and information processing method thereof, and computer readable medium

Country Status (2)

Country Link
CN (1) CN117854566A (en)
WO (1) WO2024066533A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111475815A (en) * 2020-04-08 2020-07-31 上海汉枫电子科技有限公司 Code protection method for chip
CN112363956A (en) * 2020-11-11 2021-02-12 上海磐启微电子有限公司 Method and device for encrypting and decrypting FLASH memory
CN113076563A (en) * 2021-04-08 2021-07-06 上海磐启微电子有限公司 Flash content protection method and device
CN113297546A (en) * 2021-06-21 2021-08-24 尧云科技(西安)有限公司 Code protection method and device for composite encryption


Also Published As

Publication number Publication date
CN117854566A (en) 2024-04-09

Similar Documents

Publication Publication Date Title
US10361851B2 (en) Authenticator, authenticatee and authentication method
US8543839B2 (en) Electronic device and method of software or firmware updating of an electronic device
KR101393307B1 (en) Secure boot method and semiconductor memory system for using the method
JP5214782B2 (en) Memory device, storage medium, host device, and system
JP5793709B2 (en) Key implementation system
EP2583213B1 (en) Non-volatile memory for anti-cloning and authentication method for the same
EP1855281A2 (en) Apparatus for writing data to a medium
TWI379571B (en) Method and system for command authentication to achieve a secure interface
US8850207B2 (en) Data recording device, and method of processing data recording device
US9830479B2 (en) Key storage and revocation in a secure memory system
FR2979443A1 (en) Method for storing data in memory interfacing with secure microcontroller, involves processing input data according to one of data processing methods to achieve data processed in different data formats
CN109445705A (en) Firmware authentication method and solid state hard disk
US10387653B2 (en) Secure provisioning of semiconductor chips in untrusted manufacturing factories
EP1640844A1 (en) Secure OTP using external memory
US20140281570A1 (en) Method of performing an authentication process between data recording device and host device
WO2024066533A1 (en) Chip assembly and information processing method thereof, and computer readable medium
JP2007193800A (en) Device and method for improving security level of card authentication system
JP5591964B2 (en) Authentication method, device to be authenticated, and authentication device
US10318766B2 (en) Method for the secured recording of data, corresponding device and program
CN109598154B (en) Credible full-disk encryption and decryption method
EP4254855A1 (en) A device and a method for controlling use of a cryptographic key
CN115185879A (en) Control device, data processing method, storage system, and SOC
CN116167040A (en) Debug permission control method based on security certificate and security chip

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 23869781; Country of ref document: EP; Kind code of ref document: A1