CN102521166B - Information safety coprocessor and method for managing internal storage space in information safety coprocessor - Google Patents

Info

Publication number
CN102521166B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN201110398177.8A
Other languages
Chinese (zh)
Other versions
CN102521166A (en)
Inventor
妙维
袁宏骏
余红斌
李张丰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Solomon Systech Shenzhen Ltd
Original Assignee
Solomon Systech Shenzhen Ltd
Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a method for managing the internal storage space of an information security coprocessor, comprising the following steps: dividing the local address space into a secure space and a non-secure space, wherein the secure space is used to store confidential information; initializing the sizes of the secure space and the non-secure space; using the local address space, storing confidential information in the secure space, and configuring the sizes of the secure space and the non-secure space as required; and performing data processing inside the information security coprocessor, wherein, when at least one input datum resides in the secure space and the input can be derived from the output, none of the corresponding output data may be written to the non-secure space or to external storage space. The invention protects important data while keeping the coprocessor convenient to use. In addition, the size of the secure space can be changed as required, which accommodates different application requirements and system development.

Description

Information Security Coprocessor and Method for Managing Its Internal Storage Space

Technical field

The invention relates to the field of information security processing, and in particular to an information security coprocessor that uses cryptographic algorithms and to a method for managing its internal storage space.

Background

With the rapid development of network technology, information security technology has become particularly important. For ever-increasing network traffic, encrypting or decrypting data streams purely in software can no longer meet demand, so building dedicated cryptographic chips implemented in hardware has become a new trend. Current information security chips include single-function types (such as DES, 3DES, AES, RSA), multi-function types, high-end chips, SOC, ASIC, and so on. In embedded system applications, chips that provide information security solutions are widely used. In an SOC system, the information security processor appears in the form of a coprocessor.

However, a coprocessor that provides information security functions may simply execute some cryptographic algorithms without offering any other protection, or it may be a complex subsystem that provides a complete solution and a secure execution environment. The first type of coprocessor is relatively easy to embed in different systems, but security protection at the system level is then difficult and complex. The second type provides a good security solution, but limits the design flexibility of the system that uses it.

In contrast to these two types, there is a clear need for a new coprocessor with security protection measures that reduces the burden of information protection at the system level while preserving the flexibility of system design.

Summary of the invention

To solve the above technical problem, an object of the invention is to provide an information security coprocessor that stores information in an externally visible local storage space containing a secure area and a non-secure area of configurable size, where information stored in the secure area cannot be obtained from outside the processor. While keeping information confidential, the information security processor accommodates different application requirements and system development.

Correspondingly, another object of the invention is to provide a method for managing the internal storage space of the above information security coprocessor.

To achieve the first of these objects, an information security coprocessor of the invention includes the following units:

Local address space unit: includes a secure space and a non-secure space, both configurable; data stored in the secure space cannot be read directly out of the processor;

Control unit: performs flow control through control logic;

Mathematical operation unit: implements mathematical operations;

Cryptographic algorithm engine: executes cryptographic algorithms to implement encryption or decryption.

As a further improvement of the invention, the information security coprocessor also includes a DMA engine responsible for data transfer between the AHB bus and the local address space unit.

As a further improvement of the invention, the information security coprocessor also includes a register file.

As a further improvement of the invention, the register file includes control registers and status registers.

As a further improvement of the invention, the mathematical operations include copy, or XOR, or a combination of the two.

To achieve the other object of the invention, a method is provided for managing the internal storage space of an information security coprocessor that has an externally visible local address space. The method includes the following steps:

S1. Divide the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor;

S2. Initialize the sizes of the secure space and the non-secure space;

S3. Using the local address space, store confidential information in the secure space, and configure the sizes of the secure space and the non-secure space as required;

S4. Perform data processing inside the information security coprocessor, wherein, when at least one input datum resides in the secure space and the input can be derived from the output, none of the corresponding output data may be written to the non-secure space or to external storage space.

As a further improvement of the invention, the data processing includes mathematical operations, wherein the mathematical operations include copy, or XOR, or a combination of the two.

As a further improvement of the invention, the step of "configuring the sizes of the secure space and the non-secure space as required" in step S3 is specifically:

The division between the secure space and the non-secure space can be changed, wherein the size of the secure space can only increase, and a region that already belongs to the secure space cannot be changed into non-secure space.

As a further improvement of the invention, the method also includes transferring data between the AHB bus and the local address space through a DMA engine.

Compared with the prior art, the invention stores confidential information in a configurable, externally visible secure space, which protects important data while keeping the coprocessor convenient to use. In addition, the size of the secure space can be changed as required, which accommodates different application requirements and system development.

Description of drawings

Fig. 1 is a diagram of the working principle of the information security coprocessor in an embodiment of the invention;

Fig. 2 is a schematic flow diagram of the use of the secure space of the information security processor in an embodiment of the invention;

Fig. 3 shows the four configurations of the secure space and the non-secure space of the information security processor in an embodiment of the invention;

Fig. 4 is a flowchart of the method for managing the internal storage space of the information security coprocessor in an embodiment of the invention.

Detailed description

The invention is described in detail below with reference to the specific embodiments shown in the drawings. These embodiments do not limit the invention; structural, methodological, or functional changes made by those of ordinary skill in the art on the basis of these embodiments all fall within the protection scope of the invention.

Referring to Fig. 1, in a specific embodiment of the invention, an information security coprocessor includes the following units: a local address space unit 10, a control unit 20, a mathematical operation unit 30, a cryptographic algorithm engine 40, a DMA (Direct Memory Access) engine 50, and a register file 60. A coprocessor usually needs a certain amount of internal storage space, and the important security-related data stored there needs strict protection. On the other hand, the coprocessor's storage space also needs a certain degree of external visibility to be convenient to use. The invention proposes a scheme for managing the internal storage space of the coprocessor that protects important data while keeping the coprocessor convenient to use.

In this embodiment, the DMA (Direct Memory Access) engine 50 is responsible for data transfer between the AHB bus and the local address space unit; in other embodiments, the DMA engine can be replaced by other components that provide a similar function. The invention uses two buses for data transfer: the AHB (Advanced High performance Bus) system bus and the APB (Advanced Peripheral Bus) peripheral bus. AHB is mainly used to connect high-performance modules (such as CPU, DMA and DSP); APB is mainly used to connect low-bandwidth peripherals, such as UART and 1284.

The register file 60 includes control registers, which control and determine the operating mode of the processor and the characteristics of the currently executing task, status registers, which hold the various status information reflecting the result of the current instruction, and so on. The register file 60 exchanges data over the APB bus.

The local address space unit 10 includes a secure space and a non-secure space, both configurable; data stored in the secure space cannot be read directly out of the processor. The coprocessor's local address space is externally visible and is divided into a secure part and a non-secure part. To prevent information stored in the secure area from leaking, the following rule applies to two paths: (1) from the local address space through the DMA engine to the AHB bus, and (2) from the local address space, through the "=" (copy) or "xor" (exclusive OR) operation of the mathematical operation unit, back to the local address space. On these paths, when any input data resides in the secure address space, the output data may not be written to the non-secure address space or to external storage space. The storage rules for data passing through the cryptographic algorithm engine are fixed in hardware.

External visibility and the external unavailability of data in the secure area do not contradict each other. The entire local memory is externally visible, but data in the secure area may not be read out. When a given address is assigned to the secure area, it is visible but cannot be read. When it is assigned to the non-secure area, it is visible and can be read.

The control unit 20 performs flow control through control logic.

The mathematical operation unit 30 implements mathematical operations; in this embodiment, the mathematical operations may include copy, or XOR, or a combination of the two.

The cryptographic algorithm engine 40 executes cryptographic algorithms to implement encryption or decryption. A cryptographic algorithm is a mathematical function used for encryption and decryption, and cryptographic algorithms are the basis of cryptographic protocols.

In the invention, the externally visible (directly or indirectly) address space of the coprocessor is divided into secure and non-secure parts. Let the data processing inside the coprocessor be written as (y1, …, yM) = f(x1, …, xN), with M > 0 and N > 0. When the input parameters of the function can be derived back from its results, then as long as at least one of the input parameters xi, i = 1, …, N, comes wholly or partly from the secure address space, none of the function results may reside, wholly or partly, in the non-secure address space or in the external address space.

Referring to Fig. 2, after a hard reset of the system the secure boot process begins, and the size of the secure space is initialized during secure boot. After secure boot finishes, the ratio of secure space to non-secure space can be adjusted (the secure space can only grow), and use of the coprocessor begins. During use, the proportion of secure space can be increased again as needed. After a hard reset, the division of the coprocessor's address space into secure and non-secure parts can be changed, but the size of the secure address space can only increase, and a region that already belongs to the secure address space cannot be changed into non-secure address space.

Referring to Fig. 3, in this embodiment the local address space is a 4 KB storage space. For this 4 KB local address space, the secure and non-secure areas allow the four configurations shown in the figure, numbered 0, 1, 2 and 3. After a hard reset, configuration 0 is adopted. The register file contains a flag; when the flag is set to 1, the configuration changes to the one corresponding to the next number after the current one, and the flag is cleared to 0.

As shown in Fig. 4, in a specific embodiment of the invention, a method for managing the internal storage space of an information security coprocessor is implemented using the information security coprocessor described above, which has an externally visible local address space. The method includes the following steps:

S1. Divide the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor. Both the secure space and the non-secure space are externally visible, which makes them convenient to use, and both are configurable, which makes it easy to change them as requirements dictate.

External visibility and the external unavailability of data in the secure area do not contradict each other. The entire local memory is externally visible, but data in the secure area may not be read out. When a given address is assigned to the secure area, it is visible but cannot be read. When it is assigned to the non-secure area, it is visible and can be read.

S2. Initialize the sizes of the secure space and the non-secure space. Preferably, initialization is performed by a hard reset; after initialization the secure space is [0KB, 0KB) and the non-secure space is [0KB, 4KB), corresponding to configuration number 0.

S3. Using the local address space, encrypt the confidential information with a cryptographic algorithm and store it in the secure space, and configure the sizes of the secure space and the non-secure space as required. This means that the secure space can be enlarged as appropriate to meet demand.

S4. Perform data processing inside the information security coprocessor, wherein, when at least one input datum resides in the secure space and the input can be derived from the output, none of the corresponding output data may be written to the non-secure space or to external storage space. The externally visible (directly or indirectly) address space of the coprocessor is divided into secure and non-secure parts. Let the data processing inside the coprocessor be written as (y1, …, yM) = f(x1, …, xN), with M > 0 and N > 0. When the input parameters of the function can be derived back from its results, then as long as at least one of the input parameters xi, i = 1, …, N, comes wholly or partly from the secure address space, none of the function results may reside, wholly or partly, in the non-secure address space or in the external address space.

Preferably, the data processing includes mathematical operations, wherein the mathematical operations include copy, or XOR, or a combination of the two.

Preferably, the step of "configuring the sizes of the secure space and the non-secure space as required" in step S3 is specifically:

The division between the secure space and the non-secure space can be changed, wherein the size of the secure space can only increase, and a region that already belongs to the secure space cannot be changed into non-secure space.

Preferably, the method also includes transferring data between the AHB bus and the local address space through a DMA engine.
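The partition and data-flow rules from the device description and from steps S1 to S4 (one-way growth of the secure space, the DMA-out path, and the copy/XOR path) can be modelled in software as follows. This is an added example, not code from the patent; the function names, the region bounds for configurations 1 to 3 (Fig. 3 is not reproduced here), saturation at configuration 3, and clearing memory on reset are all assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_SIZE 4096u   /* 4 KB local address space (from the text) */
enum { CP_OK = 0, CP_DENIED = -1, CP_RANGE = -2 };

/* Secure space is modelled as [0, secure_end[cfg]). Configuration 0 (no secure
 * space) is from the text; the bounds for configurations 1..3 are ASSUMED. */
static const uint32_t secure_end[4] = { 0u, 1024u, 2048u, 4096u };

typedef struct {
    uint8_t  mem[LOCAL_SIZE];
    unsigned cfg;          /* current configuration number, 0..3 */
} coproc_t;

/* Hard reset selects configuration 0. Clearing memory is an assumption of this
 * model; the text does not say what happens to old contents. */
void cp_hard_reset(coproc_t *cp) { memset(cp, 0, sizeof *cp); }

/* Models writing 1 to the register-file flag: step to the next configuration
 * number. There is no operation that steps back. Staying at 3 is assumed. */
unsigned cp_advance_cfg(coproc_t *cp) {
    if (cp->cfg < 3) cp->cfg++;
    return cp->cfg;
}

static bool in_range(uint32_t off, uint32_t len) {
    return len <= LOCAL_SIZE && off <= LOCAL_SIZE - len;
}
/* Is any byte of [off, off+len) inside the secure space? */
static bool touches_secure(const coproc_t *cp, uint32_t off, uint32_t len) {
    return len > 0 && off < secure_end[cp->cfg];
}
/* Is every byte of [off, off+len) inside the secure space? */
static bool wholly_secure(const coproc_t *cp, uint32_t off, uint32_t len) {
    return off + len <= secure_end[cp->cfg];
}

/* AHB -> local space: external data has no secure input, so it may land anywhere. */
int cp_dma_in(coproc_t *cp, uint32_t dst, const uint8_t *src, uint32_t len) {
    if (!in_range(dst, len)) return CP_RANGE;
    memcpy(&cp->mem[dst], src, len);
    return CP_OK;
}
/* Path 1, local space -> AHB: refused if the source is even partly secure. */
int cp_dma_out(const coproc_t *cp, uint8_t *dst, uint32_t src, uint32_t len) {
    if (!in_range(src, len)) return CP_RANGE;
    if (touches_secure(cp, src, len)) return CP_DENIED;
    memcpy(dst, &cp->mem[src], len);
    return CP_OK;
}
/* Path 2, math unit XOR: an input can be recovered from the result and the
 * other operand, so a result with any secure input must stay wholly secure. */
int cp_xor(coproc_t *cp, uint32_t dst, uint32_t a, uint32_t b, uint32_t len) {
    if (!in_range(dst, len) || !in_range(a, len) || !in_range(b, len)) return CP_RANGE;
    if ((touches_secure(cp, a, len) || touches_secure(cp, b, len)) &&
        !wholly_secure(cp, dst, len)) return CP_DENIED;
    for (uint32_t i = 0; i < len; i++)
        cp->mem[dst + i] = cp->mem[a + i] ^ cp->mem[b + i];
    return CP_OK;
}
/* Path 2, math unit "=" (copy): same rule. */
int cp_copy(coproc_t *cp, uint32_t dst, uint32_t a, uint32_t len) {
    if (!in_range(dst, len) || !in_range(a, len)) return CP_RANGE;
    if (touches_secure(cp, a, len) && !wholly_secure(cp, dst, len)) return CP_DENIED;
    memmove(&cp->mem[dst], &cp->mem[a], len);
    return CP_OK;
}

/* Constructed scenario. Returns a bitmask of checks that did NOT behave as the
 * rules require, so 0 means every check passed. */
int cp_scenario(void) {
    static const uint8_t key[16] = "constructed-key";  /* constructed sample secret */
    coproc_t cp;
    uint8_t out[16];
    int bad = 0;
    cp_hard_reset(&cp);
    cp_advance_cfg(&cp);                                /* cfg 1: secure = [0, 1024) */
    cp_dma_in(&cp, 0, key, sizeof key);                 /* secret goes into secure space */
    if (cp_dma_out(&cp, out, 0, 16) != CP_DENIED)    bad |= 1;  /* direct read-out */
    if (cp_xor(&cp, 2048, 0, 3072, 16) != CP_DENIED) bad |= 2;  /* key ^ zeros to non-secure */
    if (cp_copy(&cp, 1016, 0, 16) != CP_DENIED)      bad |= 4;  /* result straddles the bound */
    if (cp_xor(&cp, 512, 0, 3072, 16) != CP_OK)      bad |= 8;  /* result stays secure */
    if (cp_dma_out(&cp, out, 2048, 16) != CP_OK)     bad |= 16; /* non-secure stays readable */
    cp_advance_cfg(&cp);                                /* cfg 2: secure grows to [0, 2048) */
    if (cp_dma_out(&cp, out, 1024, 16) != CP_DENIED) bad |= 32; /* newly secure, now hidden */
    cp_hard_reset(&cp);
    if (cp.cfg != 0)                                 bad |= 64; /* reset returns to cfg 0 */
    return bad;
}

int main(void) {
    printf("failed checks: 0x%x\n", (unsigned)cp_scenario());
    return 0;
}
```

The XOR check is the one worth noting: XORing a secure key with a known non-secure buffer and writing the result to non-secure space would reveal the key, which is why the rule constrains the destination rather than only the direct read-out path.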

Compared with the prior art, the invention stores confidential information in a configurable, externally visible secure space, which protects important data while keeping the coprocessor convenient to use. In addition, the size of the secure space can be changed as required, which accommodates different application requirements and system development.

The device embodiments described above are only illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement it without creative effort.

For convenience of description, the above device is described in terms of functional units. Of course, when implementing this application, the functions of the units can be implemented in one or more pieces of software and/or hardware.

This application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures, and so on that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices connected through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.

It should be understood that although this specification is organized by embodiment, not every embodiment contains only one independent technical solution. The specification is written this way only for clarity; those skilled in the art should treat the specification as a whole, and the technical solutions in the embodiments may be combined as appropriate to form other embodiments that those skilled in the art can understand.

The detailed descriptions above are only specific descriptions of feasible embodiments of the invention and are not intended to limit its protection scope. Equivalent embodiments or changes that do not depart from the technical spirit of the invention all fall within the protection scope of the invention.

Claims (3)

1. A method for managing internal storage space in an information security coprocessor, characterized in that the information security coprocessor has an externally visible local address space, the method comprising the following steps:

S1. Dividing the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor;

S2. Initializing the sizes of the secure space and the non-secure space;

S3. Using the local address space, storing confidential information in the secure space, and configuring the sizes of the secure space and the non-secure space as required; the division between the secure space and the non-secure space can be changed, the size of the secure space can only increase, and a region that already belongs to the secure space cannot be changed into non-secure space;

S4. Performing data processing inside the information security coprocessor, wherein, when at least one input datum resides in the secure space and the input can be derived from the output, none of the corresponding output data may be written to the non-secure space or to external storage space.

2. The method according to claim 1, characterized in that the data processing includes mathematical operations, wherein the mathematical operations include copy, or XOR, or a combination of copy and XOR.

3. The method according to claim 1, characterized in that the method further comprises transferring data between the AHB bus and the local address space through a DMA engine.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CN201110398177.8A (CN102521166B) | 2011-12-05 | 2011-12-05 | Information safety coprocessor and method for managing internal storage space in information safety coprocessor

Publications (2)

Publication Number | Publication Date
CN102521166A | 2012-06-27
CN102521166B | 2015-02-11

Family ID: 46292095

Country Status (1): CN, CN102521166B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112181879B (en) * 2020-08-28 2022-04-08 珠海欧比特宇航科技股份有限公司 APB interface module for DMA controller, DMA controller and chip
CN112148791B (en) * 2020-09-15 2024-05-24 张立旭 Distributed data dynamic adjustment storage method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1451117A (en) * 2000-06-30 2003-10-22 英特尔公司 Method and apparatus for secure execution using a secure memory partition
CN1711525A (en) * 2002-11-18 2005-12-21 Arm有限公司 Virtual-to-physical memory address mapping within a data processing system having secure and non-secure domains
CN102064942A (en) * 2010-11-30 2011-05-18 南京理工大学 Credible integrated security processing platform

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8775824B2 (en) * 2008-01-02 2014-07-08 Arm Limited Protecting the security of secure data sent from a central processor for processing by a further processing device

Also Published As

Publication number Publication date
CN102521166A (en) 2012-06-27

Similar Documents

Publication Publication Date Title
US12174754B2 (en) Technologies for secure I/O with memory encryption engines
CN107851151B (en) Protecting state information of virtual machines
US10073977B2 (en) Technologies for integrity, anti-replay, and authenticity assurance for I/O data
EP3317999B1 (en) Loading and virtualizing cryptographic keys
CN114692131A (en) Cryptographic computing with decomposed memory
KR101052400B1 (en) Methods for Delegating Access, Machine-readable Storage Media, Devices, and Processing Systems
JP6682752B2 (en) Techniques for strengthening data encryption using secure enclaves
EP1768033A1 (en) Operating a cell processor over a network
US20210303443A1 (en) Method and apparatus for protecting trace data of a remote debug session
KR20190142910A (en) Heterogeneous isolated execution for commodity gpus
CN116260606A (en) Secret computation with legacy peripheral
AU2013226133A1 (en) Using storage controller bus interfaces to secure data transfer between storage devices and hosts
CN105320895A (en) High-performance autonomous hardware engine for in-line cryptographic processing
WO2014084908A1 (en) Virtualizing a hardware monotonic counter
WO2014098998A1 (en) Securing data transmissions between processor packages
EP3913513A1 (en) Secure debug of fpga design
EP2973154A1 (en) Method, apparatus, system, and computer readable medium to provide secure operation
CN115309673A (en) Dynamic memory protection device, system and method
Dhanuskodi et al. Creating the first confidential gpus
US20240073013A1 (en) High performance secure io
CN113051192A (en) TDX island with self-contained range enabling TDX KEYID scaling
CN102521166B (en) Information safety coprocessor and method for managing internal storage space in information safety coprocessor
CN110443078A (en) A kind of safe storage system based on privilege classification
Maene et al. Atlas: Application confidentiality in compromised embedded systems
CN117708832A (en) High-performance heterogeneous trusted execution environment implementation method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right

Owner name: SOLOMON-SYSTECH (SHENZHEN) CO., LTD.

Free format text: FORMER OWNER: SUZHOU XITU SHIDING MICROELECTRONICS CO., LTD.

Effective date: 20130829

C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data

Free format text: CORRECT: ADDRESS; FROM: 215021 SUZHOU, JIANGSU PROVINCE TO: 518057 SHENZHEN, GUANGDONG PROVINCE

TA01 Transfer of patent application right

Effective date of registration: 20130829

Address after: 518057, No. six building, No. two Shenzhen Software Park, central science and technology zone, Nanshan District hi tech Zone, Shenzhen, Guangdong, two

Applicant after: Solomon Systech (Shenzhen) Ltd.

Address before: Xinghu Street Industrial Park of Suzhou city in Jiangsu province 215021 No. 328 Creative Industry Park 2-B702 unit

Applicant before: Suzhou C2 Microsystems Co.,Ltd.

C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20150211
