
CN107194284A - A kind of method and system based on the user-isolated data of TrustZone - Google Patents


Info

Publication number: CN107194284A
Authority: CN (China)
Prior art keywords: memory area, trustzone, security, coprocessor, operating system
Legal status: Pending
Application number: CN201710481894.4A
Other languages: Chinese (zh)
Inventors: 黄闯营, 戴鸿君, 于治楼
Current assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Original assignee: Jinan Inspur Hi Tech Investment and Development Co Ltd
Events: application filed by Jinan Inspur Hi Tech Investment and Development Co Ltd; priority to CN201710481894.4A; publication of CN107194284A; legal status pending

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
        • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information
        • G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
        • G06F21/60 Protecting data
        • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F2221/2105 Dual mode as a secondary aspect

Abstract

The invention provides a method and a system for isolating user data based on Trustzone. The method includes: providing a Trustzone coprocessor in an intelligent terminal and setting a common memory area, a shared memory area and a secure memory area on the memory of the intelligent terminal; the common domain operating system running in the common memory area stores the user data to be isolated in the shared memory area and sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor, so that the Trustzone coprocessor enters monitor mode; the Trustzone coprocessor in monitor mode then makes the security domain operating system run in the secure memory area; and the security domain operating system running in the secure memory area reads the user data to be isolated from the shared memory area and loads it into the secure memory area. With this technical scheme, the security of user data can be improved.

Description

TrustZone-based method and system for isolating user data
Technical Field
The invention relates to the technical field of intelligent terminals, in particular to a method and a system for isolating user data based on TrustZone.
Background
With the continuous development of mobile networks, mobile intelligent terminals such as mobile phones and notebook computers have become widely used. User data with high security requirements on a mobile terminal usually has to be isolated securely.
At present, different data are mainly stored separately by means of virtualization technologies such as virtual machines, so that different user data are isolated from one another and the security of the corresponding user data is improved.
However, virtualization cannot restrict an application program's right to access memory: once isolated user data is loaded into the memory of the intelligent terminal, it can easily be stolen by the corresponding application program, so the security of the user data is low.
Disclosure of Invention
The embodiment of the invention provides a TrustZone-based method and a TrustZone-based system for isolating user data, which can improve the security of the user data.
In a first aspect, the present invention provides a method for isolating user data based on Trustzone, including:
providing a Trustzone coprocessor in an intelligent terminal in advance, and setting a common memory area, a shared memory area and a secure memory area on the memory of the intelligent terminal;
the common domain operating system running in the common memory area stores the user data to be isolated to the shared memory area;
a common domain operating system running in the common memory area sends a quick interrupt signal to an interrupt controller of the Trustzone coprocessor to enable the Trustzone coprocessor to enter a monitoring mode;
controlling a security domain operating system to run in the security memory area by using the Trustzone coprocessor entering a monitoring mode;
and the security domain operating system running in the security memory area reads the user data to be isolated from the shared memory area and loads the read user data to be isolated to the security memory area.
Preferably,
the controlling, by the Trustzone coprocessor entering the monitor mode, the security domain operating system to run in the security memory area includes:
and modifying the NS bit of a security configuration register of the Trustzone coprocessor entering the monitoring mode to be 0 so that the Trustzone coprocessor controls the security domain operating system to run in the security memory area.
Preferably,
the user data to be isolated comprises: at least one application program;
then, the loading the read user data to be isolated to the secure memory area includes: and controlling each application program to run on the secure memory area.
Preferably,
the user data to be isolated comprises: at least one piece of data to be stored;
then, the loading the read user data to be isolated to the secure memory area includes: writing the read data to be stored into the secure memory area.
Preferably,
the writing each piece of read data to be stored into the secure memory area includes: encrypting each piece of read data to be stored with an encryption key preset in the Trustzone coprocessor to form a ciphertext, and writing the formed ciphertext into the secure memory area.
In a second aspect, an embodiment of the present invention provides a system for isolating user data based on Trustzone, including:
the system comprises a Trustzone coprocessor, a setting module, a control module, a common domain operating system and a security domain operating system; wherein,
the setting module is used for setting the Trustzone coprocessor in the intelligent terminal, and setting a common memory area, a shared memory area and a safe memory area on a memory of the intelligent terminal;
the common domain operating system is used for operating in the common memory area and storing user data to be isolated to the shared memory area; sending a quick interrupt signal to an interrupt controller of the Trustzone coprocessor to enable the Trustzone coprocessor to enter a monitoring mode;
the control module is used for controlling a security domain operating system to run in the security memory area by using the Trustzone coprocessor entering a monitoring mode;
and the security domain operating system is used for operating in the security memory area under the control of the Trustzone coprocessor, reading the user data to be isolated from the shared memory area, and loading the read user data to be isolated to the security memory area.
Preferably,
the control module is used for modifying the NS bit of a security configuration register of the Trustzone coprocessor entering the monitoring mode to 0 so that the Trustzone coprocessor controls the security domain operating system to operate in the security memory area.
Preferably,
and when the user data to be isolated comprises at least one application program, the security domain operating system is used for controlling each application program to run on the security memory area.
Preferably,
and when the user data to be isolated comprises at least one piece of data to be stored, the security domain operating system is used for writing the read data to be stored into the security memory area.
Preferably,
and the security domain operating system is used for encrypting each read data to be stored according to an encryption key preset in the Trustzone coprocessor to form a ciphertext and writing the formed ciphertext into the security memory area.
The embodiment of the invention provides a method and a system for isolating user data based on Trustzone. A common memory area, a shared memory area and a secure memory area are set on the memory of an intelligent terminal, and a Trustzone coprocessor is provided in the terminal. The common domain operating system can only run in the common memory area. When data provided by an application program running in the common memory area needs to be isolated, the common domain operating system writes the data to be isolated into the shared memory area and then sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor, so that the Trustzone coprocessor enters monitor mode. The Trustzone coprocessor in monitor mode then makes the security domain operating system run in the secure memory area, which switches execution from the common domain operating system to the security domain operating system; the security domain operating system reads the corresponding data to be isolated from the shared memory area and loads it into the secure memory area. In summary, the memory of the intelligent terminal is divided into several memory areas under hardware protection, and once the data to be isolated has been loaded into the secure memory area, no application program running in the common memory area can access that area directly, so none of them can steal the user data loaded there, and the security of the user data is improved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
Fig. 1 is a flowchart of a method for isolating user data based on TrustZone according to an embodiment of the present invention;
fig. 2 is a flowchart of another method for isolating user data based on TrustZone according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a system for isolating user data based on TrustZone according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer and more complete, the technical solutions in the embodiments of the present invention will be described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention, and based on the embodiments of the present invention, all other embodiments obtained by a person of ordinary skill in the art without creative efforts belong to the scope of the present invention.
As shown in fig. 1, an embodiment of the present invention provides a method for isolating user data based on Trustzone, including:
step 101, setting a Trustzone coprocessor in an intelligent terminal in advance, and setting a common memory area, a shared memory area and a safe memory area on a memory of the intelligent terminal;
step 102, a common domain operating system running in the common memory area stores user data to be isolated to the shared memory area;
step 103, the common domain operating system running in the common memory area sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor to enable the Trustzone coprocessor to enter a monitoring mode;
step 104, controlling a security domain operating system to run in the security memory area by using the Trustzone coprocessor entering a monitoring mode;
step 105, the security domain operating system running in the security memory area reads the user data to be isolated from the shared memory area, and loads the read user data to be isolated to the security memory area.
In the above embodiment of the present invention, a common memory area, a shared memory area and a secure memory area are set on the memory of an intelligent terminal, and a Trustzone coprocessor is provided in the terminal. The common domain operating system can only run in the common memory area. When data provided by an application program running in the common memory area needs to be isolated, the common domain operating system writes the data to be isolated into the shared memory area and then sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor, so that the Trustzone coprocessor enters monitor mode. The Trustzone coprocessor in monitor mode then makes the security domain operating system run in the secure memory area, which switches execution from the common domain operating system to the security domain operating system; the security domain operating system reads the corresponding data to be isolated from the shared memory area and loads it into the secure memory area. In summary, the memory of the intelligent terminal is divided into several memory areas under hardware protection, and once the data to be isolated has been loaded into the secure memory area, no application program running in the common memory area can access that area directly, so none of them can steal the user data loaded there, and the security of the user data is improved.
In an embodiment of the present invention, the controlling, by the Trustzone coprocessor entering the monitoring mode, the security domain operating system to run in the security memory area includes: setting the NS bit of the security configuration register of the Trustzone coprocessor in monitor mode to 0, so that the Trustzone coprocessor makes the security domain operating system run in the secure memory area.
In the above embodiment of the present invention, the ARM (Advanced RISC Machines) processor of the intelligent terminal is extended with a coprocessor that carries Trustzone (for example the CP15 coprocessor). This coprocessor contains a security configuration register whose NS bit indicates the current state of the intelligent terminal: when the NS bit is 0 the terminal is in the secure state and the security domain operating system can run in the secure memory area; when the NS bit is 1 the terminal is in the non-secure state and the common domain operating system can run in the common memory area. The NS bit of the security configuration register can be changed only while the Trustzone coprocessor is in monitor mode, so when the operating system environment of the intelligent terminal is switched, the switch between the common domain operating system and the security domain operating system is carried out by changing the NS bit of the security configuration register on the premise that the Trustzone coprocessor is in monitor mode.
If an application program in the secure memory area could set the NS bit of the security configuration register to 1 directly, outside monitor mode, the intelligent terminal would drop straight into the non-secure state, and an application program running in the common memory area could then access the instructions being received by the processor and the data in its registers, so user data would be stolen. Therefore, whether switching from the common domain operating system to the security domain operating system or from the security domain operating system back to the common domain operating system, the NS bit of the security configuration register may be modified only while the Trustzone coprocessor is in monitor mode.
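The world switch of steps 101 to 105 and the monitor-mode gate on the NS bit, as a small C model added here for illustration (it is not code from the patent; the region layout, the 64-byte backing stores and every name in it are constructed):

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not code from the patent: a behavioural model of the
 * three memory areas and of the SCR.NS bit that only monitor mode may change.
 * The 64-byte backing stores and every name below are constructed. */

enum region { REGION_NORMAL, REGION_SHARED, REGION_SECURE, REGION_COUNT };
enum mode   { MODE_NORMAL_OS, MODE_MONITOR, MODE_SECURE_OS };

#define REGION_BYTES 64
/* Secure Configuration Register (CP15 c1, c1, 0 on ARMv7): bit 0 is NS,
 * 1 = non-secure state, 0 = secure state. */
#define SCR_NS (1u << 0)

struct trustzone_cp {
    uint32_t  scr;   /* model of the security configuration register */
    enum mode mode;  /* normal-world OS, monitor mode, or secure-world OS */
    uint8_t   mem[REGION_COUNT][REGION_BYTES];
};

/* Step 101: one coprocessor, three areas; boot into the normal-world OS. */
void tz_init(struct trustzone_cp *cp) {
    memset(cp, 0, sizeof *cp);
    cp->scr  = SCR_NS;           /* NS = 1: common domain OS is running */
    cp->mode = MODE_NORMAL_OS;
}

/* The hardware rule the patent leans on: SCR.NS is writable only from
 * monitor mode. Any other caller is refused instead of switching worlds. */
int tz_set_ns(struct trustzone_cp *cp, int ns) {
    if (cp->mode != MODE_MONITOR)
        return -1;               /* refused: would bypass the monitor */
    cp->scr = ns ? (cp->scr | SCR_NS) : (cp->scr & ~SCR_NS);
    return 0;
}

/* Step 103/207: the fast interrupt reaches the coprocessor's interrupt
 * controller and pulls execution into monitor mode, whichever world ran. */
void tz_fiq(struct trustzone_cp *cp) {
    cp->mode = MODE_MONITOR;
}

/* Step 104/208 (and the reverse switch): the monitor flips NS and hands
 * control to the OS of the selected world. Returns -1 outside monitor mode. */
int tz_monitor_switch(struct trustzone_cp *cp, int to_secure) {
    if (tz_set_ns(cp, !to_secure) != 0)
        return -1;
    cp->mode = to_secure ? MODE_SECURE_OS : MODE_NORMAL_OS;
    return 0;
}

/* Access rule: in the non-secure state only the common and shared areas are
 * reachable; in the secure state all three are. */
static int tz_allowed(const struct trustzone_cp *cp, enum region r) {
    int nonsecure = (cp->scr & SCR_NS) != 0;
    return !(nonsecure && r == REGION_SECURE);
}

int tz_write(struct trustzone_cp *cp, enum region r, const void *src, size_t n) {
    if (n > REGION_BYTES || !tz_allowed(cp, r))
        return -1;               /* refused access or oversized transfer */
    memcpy(cp->mem[r], src, n);
    return 0;
}

int tz_read(const struct trustzone_cp *cp, enum region r, void *dst, size_t n) {
    if (n > REGION_BYTES || !tz_allowed(cp, r))
        return -1;
    memcpy(dst, cp->mem[r], n);
    return 0;
}

/* Steps 102 to 105 end to end; returns 0 on success, -1 if any step is refused. */
int tz_isolate(struct trustzone_cp *cp, const uint8_t *data, size_t n) {
    uint8_t tmp[REGION_BYTES];
    if (tz_write(cp, REGION_SHARED, data, n) != 0)   /* 102: common OS -> shared */
        return -1;
    tz_fiq(cp);                                     /* 103: FIQ -> monitor mode */
    if (tz_monitor_switch(cp, 1) != 0)              /* 104: NS = 0, secure OS */
        return -1;
    if (tz_read(cp, REGION_SHARED, tmp, n) != 0 ||  /* 105: shared -> secure */
        tz_write(cp, REGION_SECURE, tmp, n) != 0)
        return -1;
    /* Not in the patent, but a deployment wants it: the shared area stays
     * readable from the normal world, so scrub the copy left there. */
    memset(cp->mem[REGION_SHARED], 0, n);
    tz_fiq(cp);                                     /* return path, modelled like entry */
    return tz_monitor_switch(cp, 0);                /* NS = 1, common OS resumes */
}
```

After `tz_isolate` returns, a read of the secure area from the normal world is refused and a write to NS from either OS outside monitor mode is refused, which is the property the text above argues for.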
In an embodiment of the present invention, the type of the user data to be isolated may specifically include an application program or data to be stored.
Specifically, when the user data to be isolated includes at least one application program, loading the read user data into the secure memory area consists of making each application program run in the secure memory area. An application program running in the common memory area cannot directly access an application program running in the secure memory area, so the security of each application program running in the secure memory area is improved.
Correspondingly, when the user data to be isolated includes at least one piece of data to be stored, loading the read user data into the secure memory area consists of writing each piece of read data to be stored into the secure memory area. An application program running in the common memory area cannot directly access the data stored in the secure memory area, so the security of each piece of data stored in the secure memory area is improved.
In order to further improve the security of each piece of data to be stored, in an embodiment of the present invention, writing each piece of read data to be stored into the secure memory area includes: encrypting each piece of read data to be stored with an encryption key preset in the Trustzone coprocessor to form a ciphertext, and writing the formed ciphertext into the secure memory area.
Specifically, a corresponding encryption algorithm and decryption algorithm, such as the Advanced Encryption Standard (AES) encryption and decryption algorithms, may be preset in the Trustzone coprocessor, and a read-write snoop function monitors the data read and write requests in the secure memory area. When it detects that data to be stored needs to be written into the secure memory area, the data is encrypted with the AES encryption algorithm to form a ciphertext, and the ciphertext is written into the secure memory area; when it detects that a ciphertext written into the secure memory area needs to be read, the ciphertext read is decrypted with the AES decryption algorithm to recover the corresponding data to be stored.
In order to more clearly illustrate the technical solution and advantages of the present invention, an embodiment of the present invention provides another method for isolating user data based on Trustzone, for example, the user data received by a smart phone is isolated according to user requirements, and as shown in fig. 2, the method specifically includes the following steps:
Step 201, setting a Trustzone coprocessor in the smart phone.
Step 202, setting a common memory area, a shared memory area and a secure memory area on the memory of the smart phone.
Step 203, providing mutually corresponding AES encryption and AES decryption modules in the Trustzone coprocessor.
Step 204, the user operates the smart phone through the common domain operating system running in the common memory area.
Step 205, the running common domain operating system directs the corresponding client program on the smart phone to receive user data, and stores the received user data in the shared memory area.
Step 206, the running common domain operating system sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor.
Step 207, when the interrupt controller receives the fast interrupt signal, the Trustzone coprocessor is made to enter monitor mode.
Step 208, the NS bit of the security configuration register of the Trustzone coprocessor in monitor mode is set to 0, so that the Trustzone coprocessor makes the security domain operating system run in the secure memory area.
Step 209, the running security domain operating system reads the user data to be isolated from the shared memory area.
Step 210, the read-write snoop function of the security domain operating system monitors the data read and write requests in the secure memory area; when it detects that the security domain operating system needs to write the read user data into the secure memory area, the data to be stored is encrypted by the AES encryption module preset in the Trustzone coprocessor to form a ciphertext, and the formed ciphertext is written into the secure memory area.
Step 211, the read-write snoop function of the security domain operating system monitors the data read and write requests in the secure memory area; when it detects that the security domain operating system reads a ciphertext written in the secure memory area, the ciphertext read is decrypted by the AES decryption module preset in the Trustzone coprocessor to obtain the corresponding user data.
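The encrypt-on-write and decrypt-on-read snoop of steps 210 and 211 (and of the AES description above), as an added C model that is not the patent's code: XTEA in CTR mode stands in for the AES modules, and the key, the nonce counter and the single-record layout of the secure area are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added illustration, not the patent's code: the read-write snoop hook that
 * encrypts data on its way into the secure memory area and decrypts it on
 * the way out, with the key living only inside the coprocessor model.
 * XTEA in CTR mode stands in for the AES modules; key, nonce handling and
 * the record layout below are constructed. */

#define MAX_RECORD 48

struct secure_record {            /* what actually lands in the secure area */
    uint32_t nonce;               /* per-write CTR nonce, never reused */
    uint32_t len;                 /* plaintext length in bytes */
    uint8_t  ct[MAX_RECORD];      /* ciphertext bytes */
};

struct tz_crypto_cp {
    uint32_t key[4];              /* preset key (step 203); never leaves the cp */
    uint32_t next_nonce;          /* monotonic counter feeding the CTR nonce */
    struct secure_record secure_area;   /* model of the secure memory area */
};

/* XTEA block encryption (64-bit block, 128-bit key), standard 32 cycles. */
static void xtea_encrypt(const uint32_t key[4], uint32_t v[2]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    const uint32_t delta = 0x9E3779B9u;
    for (unsigned i = 0; i < 32; i++) {
        v0 += (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        sum += delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

/* CTR keystream XOR: one routine both encrypts and decrypts, handles any
 * length without padding (the last block may be partial). */
static void ctr_xor(const uint32_t key[4], uint32_t nonce,
                    const uint8_t *in, uint8_t *out, size_t n) {
    for (size_t off = 0; off < n; off += 8) {
        uint32_t block[2] = { nonce, (uint32_t)(off / 8) };  /* nonce || counter */
        uint8_t ks[8];
        xtea_encrypt(key, block);
        memcpy(ks, block, 8);
        size_t chunk = n - off < 8 ? n - off : 8;
        for (size_t i = 0; i < chunk; i++)
            out[off + i] = in[off + i] ^ ks[i];
    }
}

/* Step 210: the snoop sees a write request for the secure area and encrypts
 * the data before it is stored. Returns -1 if the record would not fit. */
int secure_area_write(struct tz_crypto_cp *cp, const uint8_t *data, size_t n) {
    if (n > MAX_RECORD)
        return -1;
    cp->secure_area.nonce = cp->next_nonce++;   /* fresh nonce per write */
    cp->secure_area.len   = (uint32_t)n;
    ctr_xor(cp->key, cp->secure_area.nonce, data, cp->secure_area.ct, n);
    return 0;
}

/* Step 211: the snoop sees a read of the stored ciphertext and decrypts it.
 * Returns the plaintext length, or -1 if the caller's buffer is too small. */
int secure_area_read(const struct tz_crypto_cp *cp, uint8_t *out, size_t cap) {
    size_t n = cp->secure_area.len;
    if (n > cap)
        return -1;
    ctr_xor(cp->key, cp->secure_area.nonce, cp->secure_area.ct, out, n);
    return (int)n;
}

/* Check for the reader: does the raw secure-area content still equal the
 * plaintext? It must not, otherwise the step 210 hook did nothing. */
int secure_area_holds_plaintext(const struct tz_crypto_cp *cp,
                                const uint8_t *data, size_t n) {
    return memcmp(cp->secure_area.ct, data, n) == 0;
}
```

CTR without authentication is kept here only for brevity; a deployment of step 210 would pair the cipher with an integrity tag so that tampering with the ciphertext in the secure area is detected on the step 211 read.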
In this embodiment of the invention, a user can have the corresponding application programs run in the common memory area of the smart phone through the common domain operating system, and can have each application program with higher security requirements run in the secure memory area through the security domain operating system by switching from the common domain operating system to the security domain operating system; during the switch, the user can also isolate data to be stored from the common domain operating system into the secure memory area according to the actual service needs, which improves the security of both the corresponding application programs and the data to be stored.
As shown in fig. 3, an embodiment of the present invention provides a system for isolating user data based on Trustzone, including:
Trustzone coprocessor 301, setting module 302, control module 303, normal domain operating system 304 and security domain operating system 305; wherein,
the setting module 302 is configured to set the Trustzone coprocessor 301 in the intelligent terminal, and set a general memory area, a shared memory area, and a secure memory area in the memory of the intelligent terminal;
the common domain operating system 304 is configured to run in the common memory region, and store user data to be isolated to the shared memory region; sending a fast interrupt signal to an interrupt controller of the Trustzone coprocessor 301 to enable the Trustzone coprocessor 301 to enter a monitoring mode;
the control module 303 is configured to control, by using the Trustzone coprocessor 301 entering the monitoring mode, the security domain operating system 305 to run in the security memory area;
the security domain operating system 305 is configured to run in the secure memory area under the control of the Trustzone co-processor 301, read the user data to be isolated from the shared memory area, and load the read user data to be isolated to the secure memory area.
In a preferred embodiment of the present invention, the control module 303 is configured to modify the NS bit of the security configuration register of the Trustzone co-processor 301 entering the monitoring mode to be 0, so that the Trustzone co-processor 301 controls the security domain operating system 305 to operate in the secure memory area.
In a preferred embodiment of the present invention, when the user data to be isolated includes at least one application program, the secure domain operating system 305 is configured to control each application program to run on the secure memory area.
In a preferred embodiment of the present invention, when the user data to be isolated includes at least one piece of data to be stored, the secure domain operating system 305 is configured to write each piece of read data to be stored into the secure memory area.
In a preferred embodiment of the present invention, the security domain operating system 305 is configured to encrypt each read data to be stored according to an encryption key preset in the Trustzone coprocessor 301 to form a ciphertext, and write the formed ciphertext into the secure memory area.
Because the information interaction, execution process, and other contents between the units in the device are based on the same concept as the method embodiment of the present invention, specific contents may refer to the description in the method embodiment of the present invention, and are not described herein again.
In summary, the embodiments of the present invention have at least the following advantages:
1. In one embodiment of the invention, a common memory area, a shared memory area and a secure memory area are set on the memory of an intelligent terminal, and a Trustzone coprocessor is provided in the terminal. The common domain operating system can only run in the common memory area. When data provided by an application program running in the common memory area needs to be isolated, the common domain operating system writes the data to be isolated into the shared memory area and then sends a fast interrupt signal to the interrupt controller of the Trustzone coprocessor, so that the Trustzone coprocessor enters monitor mode. The Trustzone coprocessor in monitor mode then makes the security domain operating system run in the secure memory area, which switches execution from the common domain operating system to the security domain operating system; the security domain operating system reads the corresponding data to be isolated from the shared memory area and loads it into the secure memory area. In summary, the memory of the intelligent terminal is divided into several memory areas under hardware protection, and once the data to be isolated has been loaded into the secure memory area, no application program running in the common memory area can access that area directly, so none of them can steal the user data loaded there, and the security of the user data is improved.
2. In an embodiment of the present invention, whether switching from the common domain operating system to the security domain operating system or from the security domain operating system back to the common domain operating system, the NS bit of the security configuration register can be modified only while the Trustzone coprocessor is in monitor mode. This prevents an application program in the secure memory area from dropping the terminal directly into the non-secure state outside monitor mode, keeps application programs running in the common memory area from accessing the instructions being received by the processor and the data in its registers, and so prevents user data from being stolen.
3. In an embodiment of the present invention, the user data that needs to be isolated in the secure memory area is encrypted and stored through a corresponding encryption algorithm, so that the security of the user data is further improved.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
Finally, it is to be noted that: the above description is only a preferred embodiment of the present invention, and is only used to illustrate the technical solutions of the present invention, and not to limit the protection scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (10)

1. A method for isolating user data based on TrustZone, characterized in that it comprises the following steps:
a TrustZone coprocessor is provided in an intelligent terminal in advance, and a common memory area, a shared memory area and a secure memory area are set up in the memory of the intelligent terminal;
the common-domain operating system running in the common memory area stores the user data to be isolated into the shared memory area;
the common-domain operating system running in the common memory area sends a fast interrupt signal to the interrupt controller of the TrustZone coprocessor, so that the TrustZone coprocessor enters monitor mode;
the TrustZone coprocessor, having entered monitor mode, is used to control a security-domain operating system to run in the secure memory area; and
the security-domain operating system running in the secure memory area reads the user data to be isolated from the shared memory area and loads the read user data into the secure memory area.
2. The method of claim 1, wherein controlling, by the TrustZone coprocessor that has entered monitor mode, the security-domain operating system to run in the secure memory area comprises:
modifying the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the security-domain operating system to run in the secure memory area.
3. The method of claim 1, wherein the user data to be isolated comprises at least one application program, and
loading the read user data to be isolated into the secure memory area comprises: controlling each application program to run in the secure memory area.
4. The method of claim 1, wherein the user data to be isolated comprises at least one piece of data to be stored, and
loading the read user data to be isolated into the secure memory area comprises: writing each read piece of data to be stored into the secure memory area.
5. The method of claim 4, wherein writing each read piece of data to be stored into the secure memory area comprises:
encrypting each read piece of data to be stored with an encryption key preset in the TrustZone coprocessor to form a ciphertext, and writing the formed ciphertext into the secure memory area.
6. A system for isolating user data based on TrustZone, comprising:
a TrustZone coprocessor, a setting module, a control module, a common-domain operating system and a security-domain operating system; wherein
the setting module is used to provide the TrustZone coprocessor in an intelligent terminal and to set up a common memory area, a shared memory area and a secure memory area in the memory of the intelligent terminal;
the common-domain operating system is used to run in the common memory area, to store the user data to be isolated into the shared memory area, and to send a fast interrupt signal to the interrupt controller of the TrustZone coprocessor so that the TrustZone coprocessor enters monitor mode;
the control module is used to control the security-domain operating system to run in the secure memory area by means of the TrustZone coprocessor that has entered monitor mode; and
the security-domain operating system is used to run in the secure memory area under the control of the TrustZone coprocessor, to read the user data to be isolated from the shared memory area, and to load the read user data into the secure memory area.
7. The system of claim 6, wherein the control module is used to modify the NS bit of the secure configuration register of the TrustZone coprocessor that has entered monitor mode to 0, so that the TrustZone coprocessor controls the security-domain operating system to run in the secure memory area.
8. The system of claim 6, wherein, when the user data to be isolated comprises at least one application program, the security-domain operating system is used to control each application program to run in the secure memory area.
9. The system of claim 6, wherein, when the user data to be isolated comprises at least one piece of data to be stored, the security-domain operating system is used to write each read piece of data to be stored into the secure memory area.
10. The system of claim 9, wherein the security-domain operating system is used to encrypt each read piece of data to be stored with an encryption key preset in the TrustZone coprocessor to form a ciphertext, and to write the formed ciphertext into the secure memory area.
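The world switch and data hand-off of claims 1 to 5 (and advantage 2 in the description above), as an added example that is not part of the patent or its applicant's code: a small C model of a SoC in which the NS bit of the secure configuration register can only be written from monitor mode, a fast interrupt from the normal world hands control to the monitor, the secure-domain side reads the staged data from the shared area and stores it encrypted in the secure area, and a normal-world read of the secure area is refused. All names (`scr_write_ns`, `fiq_to_monitor`, `isolate_user_data`, the region sizes) and the XOR toy cipher standing in for the unspecified "corresponding encryption algorithm" are assumptions of this example; on real hardware the NS bit lives in the CP15 Secure Configuration Register and is changed by the monitor, not by C code like this.

```c
/* Added example (not from the patent): software model of the TrustZone
 * isolation flow in claims 1-5. Hypothetical names; toy cipher, not for real use. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define REGION_SIZE 64
enum mode { MODE_NORMAL, MODE_MONITOR, MODE_SECURE };

struct soc {
    enum mode mode;                 /* current processor mode */
    int scr_ns;                     /* NS bit of the secure configuration register */
    uint8_t shared_mem[REGION_SIZE]; /* area both worlds can touch (claim 1) */
    uint8_t secure_mem[REGION_SIZE]; /* readable only while NS == 0 */
    uint8_t key[16];                 /* key preset on the secure side (claim 5) */
    size_t secure_len;
};

/* Claim 2 / advantage 2: NS may only change while in monitor mode. */
static bool scr_write_ns(struct soc *s, int ns) {
    if (s->mode != MODE_MONITOR) return false;
    s->scr_ns = ns ? 1 : 0;
    return true;
}

/* Claim 1, step 3: fast interrupt from the normal world lands in the monitor. */
static void fiq_to_monitor(struct soc *s) { s->mode = MODE_MONITOR; }

/* Memory filter: the secure area is readable only in the secure world. */
static bool read_secure(const struct soc *s, uint8_t *out, size_t len) {
    if (s->scr_ns != 0 || len > s->secure_len) return false;
    memcpy(out, s->secure_mem, len);
    return true;
}

/* Toy XOR stream standing in for the patent's unspecified algorithm. */
static void toy_crypt(const uint8_t *key, const uint8_t *in, uint8_t *out, size_t len) {
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key[i % 16];
}

/* Claim 1 steps 4-5 plus claim 5: enter secure world, load shared data encrypted. */
static bool secure_world_load(struct soc *s, size_t len) {
    if (!scr_write_ns(s, 0)) return false;   /* NS = 0 selects the secure world */
    s->mode = MODE_SECURE;
    toy_crypt(s->key, s->shared_mem, s->secure_mem, len);
    s->secure_len = len;
    memset(s->shared_mem, 0, len);           /* scrub the staging area afterwards */
    return true;
}

/* Return to the normal world; NS is again flipped only via the monitor. */
static bool return_to_normal(struct soc *s) {
    s->mode = MODE_MONITOR;
    if (!scr_write_ns(s, 1)) return false;
    s->mode = MODE_NORMAL;
    return true;
}

/* Whole flow of claim 1 as driven by the common-domain OS. */
static bool isolate_user_data(struct soc *s, const uint8_t *data, size_t len) {
    if (len > REGION_SIZE || s->mode != MODE_NORMAL) return false;
    memcpy(s->shared_mem, data, len);        /* step 2: stage in shared area */
    fiq_to_monitor(s);                       /* step 3 */
    if (!secure_world_load(s, len)) return false;
    return return_to_normal(s);
}

static void soc_init(struct soc *s) {
    memset(s, 0, sizeof *s);
    s->mode = MODE_NORMAL;
    s->scr_ns = 1;                           /* boots into the normal world here */
    for (int i = 0; i < 16; i++) s->key[i] = (uint8_t)(0xA0 + i); /* constructed key */
}

static const uint8_t SECRET[] = "user pin 1234";  /* constructed sample data */

/* Property 1: a normal-world write of NS is rejected and NS stays 1. */
static bool normal_world_cannot_flip_ns(void) {
    struct soc s; soc_init(&s);
    return !scr_write_ns(&s, 0) && s.scr_ns == 1;
}

/* Property 2: after isolation the normal world cannot read the secure area,
 * the shared area no longer holds the plaintext, and the secure area holds ciphertext. */
static bool normal_world_cannot_read_secure(void) {
    struct soc s; soc_init(&s);
    uint8_t buf[REGION_SIZE];
    if (!isolate_user_data(&s, SECRET, sizeof SECRET) || s.mode != MODE_NORMAL) return false;
    return !read_secure(&s, buf, sizeof SECRET)
        && memcmp(s.shared_mem, SECRET, sizeof SECRET) != 0
        && memcmp(s.secure_mem, SECRET, sizeof SECRET) != 0;
}

/* Property 3: the secure world, re-entered through the monitor, recovers the data. */
static bool secure_world_roundtrip(void) {
    struct soc s; soc_init(&s);
    uint8_t ct[REGION_SIZE], pt[REGION_SIZE];
    if (!isolate_user_data(&s, SECRET, sizeof SECRET)) return false;
    fiq_to_monitor(&s);
    if (!scr_write_ns(&s, 0)) return false;
    s.mode = MODE_SECURE;
    if (!read_secure(&s, ct, sizeof SECRET)) return false;
    toy_crypt(s.key, ct, pt, sizeof SECRET);
    return memcmp(pt, SECRET, sizeof SECRET) == 0;
}
```

The three property functions are the checks worth keeping when the model is adapted: the NS write outside monitor mode must fail, the normal-world read of the secure area must fail after the hand-off, and the secure world must still be able to recover the data. The scrub of the shared area after loading is this example's addition; the claims only say the data is stored there and read back, and a practitioner would want the staging copy cleared so the plaintext does not linger in memory both worlds can reach.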
Application CN201710481894.4A, priority date 2017-06-22, filing date 2017-06-22: A method and system for isolating user data based on TrustZone (CN107194284A, pending).
Publications (1)

Publication Number Publication Date
CN107194284A true CN107194284A (en) 2017-09-22

Family

ID=59879716
Cited By (20)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107835185A * 2017-11-21 2018-03-23 广州大学 Mobile terminal security service method and device based on ARM TrustZone
CN108052415A * 2017-11-17 2018-05-18 中国科学院信息工程研究所 Rapid recovery method and system for a malware detection platform
CN108154032A * 2017-11-16 2018-06-12 中国科学院软件研究所 Root-of-trust construction method for a computer system with memory integrity guarantee, based on a trusted execution environment
CN108155986A * 2017-12-14 2018-06-12 晶晨半导体(上海)股份有限公司 Key programming system and method based on a trusted execution environment
CN108647513A * 2018-03-22 2018-10-12 华中科技大学 TrustZone-based shared library security isolation method and system
CN109684126A * 2018-12-25 2019-04-26 贵州华芯通半导体技术有限公司 Memory verification method for ARM devices and ARM device executing the memory verification
CN109783207A * 2017-11-13 2019-05-21 厦门雅迅网络股份有限公司 Method and system for protecting dual-system shared memory data security
CN109992992A * 2019-01-25 2019-07-09 中国科学院数据与通信保护研究教育中心 Trusted sensitive data protection method and system
CN111414859A * 2020-03-20 2020-07-14 山东大学 Retina recognition method based on TrustZone
CN111431993A * 2020-03-20 2020-07-17 山东大学 Method for implementing IoT device heartbeat communication based on TrustZone technology
CN111913806A * 2020-08-03 2020-11-10 Oppo广东移动通信有限公司 Memory area management method, electronic device and storage medium
EP3761208A4 * 2018-04-02 2021-04-21 Huawei Technologies Co., Ltd. Trust zone operating system and method
CN113220225A * 2021-04-06 2021-08-06 浙江大学 Memory data read-write method and device for a RISC-V processor, processor and storage medium
CN113254969A * 2021-06-08 2021-08-13 挂号网(杭州)科技有限公司 Service data processing method and device, electronic device and storage medium
CN113268447A * 2021-06-10 2021-08-17 海光信息技术股份有限公司 Computer architecture and access control, data interaction and secure boot method in the computer architecture
WO2021174512A1 * 2020-03-06 2021-09-10 华为技术有限公司 Electronic device and security protection method
CN113835933A * 2021-11-26 2021-12-24 北京指掌易科技有限公司 Data management method, device, medium and electronic device
CN114048502A * 2021-10-15 2022-02-15 中国科学院信息工程研究所 Lightweight trusted channel and communication control method thereof
CN114297696A * 2021-12-31 2022-04-08 湖南国科微电子股份有限公司 Data transmission method and device, electronic device and computer-readable storage medium
CN116243862A * 2023-02-17 2023-06-09 山东云海国创云计算装备产业创新中心有限公司 Space allocation method, device, equipment and storage medium for secure storage

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104091135A * 2014-02-24 2014-10-08 电子科技大学 Intelligent terminal security system and secure storage method
CN104318182A * 2014-10-29 2015-01-28 中国科学院信息工程研究所 Intelligent terminal isolation system and isolation method based on processor security extensions
CN104581214A * 2015-01-28 2015-04-29 三星电子(中国)研发中心 Multimedia content protection method and device based on the ARM TrustZone system
CN104992122A * 2015-07-20 2015-10-21 武汉大学 Mobile phone private information safe box based on ARM TrustZone
US9483638B2 * 2005-12-23 2016-11-01 Texas Instruments Incorporated Method and system for preventing unauthorized processor mode switches
Legal Events

Code Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170922