CN102521166A - Information safety coprocessor and method for managing internal storage space in information safety coprocessor - Google Patents

Publication number
CN102521166A
Authority
CN
China
Prior art keywords
space
safe space
safe
information security
coprocessor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011103981778A
Other languages
Chinese (zh)
Other versions
CN102521166B (en)
Inventor
妙维
袁宏骏
余红斌
李张丰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Solomon Systech Shenzhen Ltd
Original Assignee
SUZHOU XITU SHIDING MICROELECTRONICS CO Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by SUZHOU XITU SHIDING MICROELECTRONICS CO Ltd
Priority to CN201110398177.8A
Publication of CN102521166A
Application granted
Publication of CN102521166B
Legal status: Active
Anticipated expiration

Abstract

The invention provides a method for managing the internal storage space of an information security coprocessor. The method comprises the following steps: dividing a local address space into a secure space and a non-secure space, wherein the secure space is used for storing confidential information; initializing the sizes of the secure space and the non-secure space; using the local address space, storing the confidential information in the secure space, and configuring the sizes of the secure space and the non-secure space as required; and processing data in the information security coprocessor, wherein, when at least one input datum is located in the secure space and the input can be calculated from the output, the corresponding output data may not be written to the non-secure space or to an external storage space. With this method, important data are protected and the information security coprocessor remains convenient to use. The size of the secure space can also be changed as required, which meets different application requirements and eases system development.

Description

Information security coprocessor and method for managing its internal storage space
Technical field
The present invention relates to the field of information security processing, and in particular to an information security coprocessor that uses cryptographic algorithms and to a method for managing its internal storage space.
Background
With the rapid development of network technology, information security technology has become particularly important. As network traffic keeps growing, encrypting or decrypting data streams purely in software can no longer meet demand, so building dedicated cryptographic chips implemented in hardware has become a new trend. Current information security chips include single-function chips (such as DES, 3DES, AES, RSA, etc.), multi-function chips, high-end chips, SOCs, ASICs and so on. In embedded system applications, chips that provide information security solutions are widely adopted. In an SOC system, the information security processor appears in the form of a coprocessor.
However, a coprocessor that provides information security protection may simply execute some cryptographic algorithms and provide no other protection, or it may be a complex subsystem that provides a complete scheme and a secure execution environment. The first type of coprocessor is easier to embed in different systems, but system-level security protection is then difficult and complex. The second type provides a good security protection scheme, but limits the design flexibility of the system that uses it.
Unlike these two types, there is a real need for a new coprocessor with security protection measures that reduces the burden of system-level information protection while keeping system design flexible.
Summary of the invention
To solve the above technical problem, an object of the present invention is to provide an information security coprocessor that stores information in an externally visible local storage space comprising a secure region and a non-secure region of configurable size, where information stored in the secure region cannot be obtained from outside the processor. While keeping information confidential, this information security processor accommodates different application requirements and eases system development.
Correspondingly, another object of the present invention is to provide a method for managing the internal storage space of the above information security coprocessor.
To achieve one of the above objects, an information security coprocessor of the present invention comprises the following units:
Local address space unit: comprises a secure space and a non-secure space, both configurable; data stored in the secure space cannot be read directly out of the processor;
Control unit: performs flow control through certain control logic;
Mathematical operation unit: implements mathematical operations;
Cryptographic algorithm engine: executes cryptographic algorithms to implement encryption or decryption.
As a further improvement of the present invention, the information security coprocessor also comprises a DMA engine responsible for data transfer between the AHB bus and the local address space unit.
As a further improvement of the present invention, the information security coprocessor also comprises a register file.
As a further improvement of the present invention, the register file comprises control registers and status registers.
As a further improvement of the present invention, the mathematical operations comprise copy or XOR, or a combination of the two.
To achieve the other object of the present invention, a method for managing the internal storage space of an information security coprocessor is provided, the information security coprocessor having an externally visible local address space, and the method comprising the following steps:
S1: dividing the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor;
S2: initializing the sizes of the secure space and the non-secure space;
S3: using the local address space, storing confidential information in the secure space, and configuring the sizes of the secure space and the non-secure space as required;
S4: performing data processing in the information security coprocessor, wherein, when at least one input datum is located in the secure space and the input can be calculated from the output, none of the corresponding output data may be written to the non-secure space or to external storage space.
As a further improvement of the present invention, the data processing comprises mathematical operations, wherein the mathematical operations comprise copy or XOR, or a combination of the two.
As a further improvement of the present invention, the step of "configuring the sizes of the secure space and the non-secure space as required" in step S3 is specifically:
The division between the secure space and the non-secure space can be changed, but the secure space can only grow, and a region that previously belonged to the secure space cannot be changed into non-secure space.
As a further improvement of the present invention, the method also comprises transferring data between the AHB bus and the local address space through the DMA engine.
Compared with the prior art, the present invention stores confidential information by providing a configurable, externally visible secure space, which protects important data while keeping the coprocessor convenient to use. At the same time, the size of the secure space can be changed as required, which accommodates different application requirements and eases system development.
Description of drawings
Fig. 1 is a diagram of the working principle of the information security coprocessor in an embodiment of the present invention;
Fig. 2 is a flow diagram of the use of the secure space of the information security processor in an embodiment of the present invention;
Fig. 3 shows four configurations of the secure space and non-secure space of the information security processor in an embodiment of the present invention;
Fig. 4 is a flow chart of the method for managing the internal storage space of the information security coprocessor in an embodiment of the present invention.
Embodiment
The present invention is described below with reference to the embodiments shown in the drawings. These embodiments do not limit the invention; changes in structure, method or function made by those of ordinary skill in the art on the basis of these embodiments all fall within the scope of protection of the present invention.
Referring to Fig. 1, in an embodiment of the invention, an information security coprocessor comprises the following units: a local address space unit 10, a control unit 20, a mathematical operation unit 30, a cryptographic algorithm engine 40, a DMA (Direct Memory Access) engine 50 and a register file 60. A coprocessor usually needs some internal storage space, and the important security-related data stored there needs strict protection. On the other hand, the coprocessor's storage space also needs a degree of external visibility to be convenient to use. The present invention proposes a management scheme for the coprocessor's internal storage space that protects important data while keeping the coprocessor convenient to use.
In this embodiment, the DMA engine 50 is responsible for data transfer between the AHB bus and the local address space unit; in other embodiments the DMA engine may be replaced by other components that implement a similar function. The present invention uses two buses for data transfer: the AHB (Advanced High performance Bus) system bus and the APB (Advanced Peripheral Bus) peripheral bus. AHB is mainly used to connect high-performance modules (such as CPU, DMA and DSP); APB is mainly used to connect low-bandwidth peripherals, for example UART, 1284, etc.
The register file 60 includes control registers, which control and determine the operating mode of the processor and the characteristics of the currently executing task, status registers, which hold the various status information reflecting the result of the current instruction, and so on. The register file 60 can exchange data over the APB bus.
The local address space unit 10 comprises a secure space and a non-secure space, both configurable; data stored in the secure space cannot be read directly out of the processor. The coprocessor's local address space is externally visible and is divided into a secure part and a non-secure part. To prevent information stored in the secure region from leaking, the following rule applies to two paths: (1) from the local address space through the DMA engine to the AHB bus, and (2) from the local address space, through a "=" (copy) or "xor" (XOR) operation in the mathematical operation unit, back to the local address space. When the input data is located in the secure address space, the output data may not be written to the non-secure address space or to external storage space. The storage rules for data passing through the cryptographic algorithm engine are fixed in hardware.
External visibility and the external unavailability of data in the secure region do not contradict each other. The whole local memory is externally visible, but data in the secure region cannot be read. When a given address is assigned to the secure region, the address is visible but cannot be read. When it is assigned to the non-secure region, the address is visible and can also be read.
The control unit 20 performs flow control through certain control logic.
The mathematical operation unit 30 implements mathematical operations; in this embodiment, the mathematical operations may comprise copy or XOR, or a combination of the two.
The cryptographic algorithm engine 40 executes cryptographic algorithms to implement encryption or decryption. A cryptographic algorithm is a mathematical function used for encryption and decryption, and cryptographic algorithms are the basis of cryptographic protocols.
In the present invention, the externally visible (directly or indirectly) address space of the coprocessor is divided into a secure part and a non-secure part. Suppose data processing inside the coprocessor is expressed as $(y_1, \ldots, y_M) = f(x_1, \ldots, x_N)$, $M > 0$, $N > 0$. When the input parameters of the function can be derived back from the results, if at least one of the input parameters $x_i$, $i = 1, \ldots, N$, comes wholly or partly from the secure address space, then none of the function results may reside, wholly or partly, in the non-secure address space or the external address space.
Referring to Fig. 2, after a system hard reset the secure boot process begins. During secure boot the size of the secure space is initialized. After secure boot finishes, the ratio of secure space to non-secure space can be adjusted (the secure space can only grow), and use of the coprocessor begins. During use, the proportion of secure space can be increased again as required. After a hard reset, the division between the coprocessor's secure address space and non-secure address space can be changed, but the secure address space can only grow, and a region that previously belonged to the secure address space cannot be changed into non-secure address space.
Referring to Fig. 3, in this embodiment the local address space is a 4KB storage space. For this 4KB local address space, the secure and non-secure regions allow the four configurations shown in the figure, corresponding to four configuration numbers: 0, 1, 2, 3. After a hard reset, configuration 0 is used. The register file contains a flag; when it is set to 1, the configuration changes to the one corresponding to the number following the current number, and the flag is cleared to 0.
As shown in Fig. 4, in an embodiment of the present invention, a method for managing the internal storage space of an information security coprocessor is implemented using the information security coprocessor described above, which has an externally visible local address space. The method comprises the following steps:
S1: dividing the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor. The secure space and the non-secure space are externally visible, which makes them more convenient to use, and both are configurable, so they can be changed to suit requirements.
External visibility and the external unavailability of data in the secure region do not contradict each other. The whole local memory is externally visible, but data in the secure region cannot be read. When a given address is assigned to the secure region, the address is visible but cannot be read. When it is assigned to the non-secure region, the address is visible and can also be read.
S2: initializing the sizes of the secure space and the non-secure space. Preferably, initialization is performed by a hard reset; after initialization the secure space is [0KB, 0KB) and the non-secure space is [0KB, 4KB), corresponding to configuration number 0.
S3: using the local address space, storing confidential information in the secure space after it has been encrypted by a cryptographic algorithm, and configuring the sizes of the secure space and the non-secure space as required. Here this means that the secure space can be enlarged as appropriate to meet requirements.
S4: performing data processing in the information security coprocessor, wherein, when at least one input datum is located in the secure space and the input can be calculated from the output, none of the corresponding output data may be written to the non-secure space or to external storage space. The externally visible (directly or indirectly) address space of the coprocessor is divided into a secure part and a non-secure part. Suppose data processing inside the coprocessor is expressed as $(y_1, \ldots, y_M) = f(x_1, \ldots, x_N)$, $M > 0$, $N > 0$. When the input parameters of the function can be derived back from the results, if at least one of the input parameters $x_i$, $i = 1, \ldots, N$, comes wholly or partly from the secure address space, then none of the function results may reside, wholly or partly, in the non-secure address space or the external address space.
Preferably, the data processing comprises mathematical operations, wherein the mathematical operations comprise copy or XOR, or a combination of the two.
Preferably, the step of "configuring the sizes of the secure space and the non-secure space as required" in step S3 is specifically:
The division between the secure space and the non-secure space can be changed, but the secure space can only grow, and a region that previously belonged to the secure space cannot be changed into non-secure space.
Preferably, the method also comprises transferring data between the AHB bus and the local address space through the DMA engine.
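The rules of steps S1 to S4, together with the Fig. 2 and Fig. 3 behaviour described earlier, can be modelled in a few dozen lines of C. This is an added illustration, not code from the patent: the secure-space bounds for configurations 1 to 3, staying at configuration 3 once it is reached, and every name (`coproc`, `cp_write_next_flag`, `cp_dma_to_ahb`, `cp_math`) are assumptions; only the 4KB size and configuration 0 come from the text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCAL_SIZE 4096u   /* 4KB local address space, as in the embodiment */

/* ASSUMPTION: end of the secure space for configuration numbers 0..3. The text
 * gives only configuration 0 (secure space empty); the other bounds are
 * illustrative. The secure space is modelled as the range [0, bound). */
static const uint32_t SECURE_END[4] = { 0u, 1024u, 2048u, 4096u };

enum { CP_OK = 0, CP_ERR_RANGE = -1, CP_ERR_SECURE = -2 };
typedef enum { OP_COPY, OP_XOR } cp_op;

typedef struct {
    uint8_t  mem[LOCAL_SIZE];
    unsigned cfg;   /* current configuration number; no interface lowers it */
} coproc;

/* Hard reset selects configuration 0: the whole space is non-secure. */
void cp_hard_reset(coproc *c) { memset(c, 0, sizeof *c); }

/* Write to the register-file flag. Writing 1 moves to the next configuration
 * and the flag clears itself; writing 0 does nothing. Staying at the last
 * configuration once it is reached is an assumption of this model. */
unsigned cp_write_next_flag(coproc *c, unsigned value) {
    if ((value & 1u) && c->cfg < 3u) c->cfg++;
    return c->cfg;
}

static int in_range(uint32_t addr, uint32_t len) {
    return len <= LOCAL_SIZE && addr <= LOCAL_SIZE - len;
}

/* True when any byte of [addr, addr+len) lies in the secure space. */
static int touches_secure(const coproc *c, uint32_t addr, uint32_t len) {
    return len > 0u && addr < SECURE_END[c->cfg];
}

/* True when every byte of [addr, addr+len) lies in the secure space. */
static int inside_secure(const coproc *c, uint32_t addr, uint32_t len) {
    return addr + len <= SECURE_END[c->cfg];
}

/* Path 1: local address space -> DMA engine -> AHB bus (external buffer).
 * A range that even partly overlaps the secure space is refused. */
int cp_dma_to_ahb(const coproc *c, uint32_t src, uint32_t len, uint8_t *ext) {
    if (!in_range(src, len)) return CP_ERR_RANGE;
    if (touches_secure(c, src, len)) return CP_ERR_SECURE;
    memcpy(ext, c->mem + src, len);
    return CP_OK;
}

/* Path 2: dst = a (copy) or dst = a xor b. Both are invertible (a = dst, or
 * a = dst xor b), so a secure input may only produce a wholly secure output. */
int cp_math(coproc *c, cp_op op, uint32_t dst, uint32_t a, uint32_t b, uint32_t len) {
    uint8_t tmp[LOCAL_SIZE];   /* staging buffer so overlapping ranges are safe */
    int xor2 = (op == OP_XOR);
    if (!in_range(dst, len) || !in_range(a, len) || (xor2 && !in_range(b, len)))
        return CP_ERR_RANGE;
    if ((touches_secure(c, a, len) || (xor2 && touches_secure(c, b, len)))
        && !inside_secure(c, dst, len))
        return CP_ERR_SECURE;
    for (uint32_t i = 0; i < len; i++)
        tmp[i] = xor2 ? (uint8_t)(c->mem[a + i] ^ c->mem[b + i]) : c->mem[a + i];
    memcpy(c->mem + dst, tmp, len);
    return CP_OK;
}

int main(void) {
    static coproc c;
    uint8_t ext[16];
    cp_hard_reset(&c);
    cp_write_next_flag(&c, 1);                      /* configuration 1 */
    memcpy(c.mem + 0x100, "constructed-key!", 16);  /* constructed sample secret */
    printf("dma from secure      : %d\n", cp_dma_to_ahb(&c, 0x100, 16, ext));
    printf("copy to non-secure   : %d\n", cp_math(&c, OP_COPY, 2048, 0x100, 0, 16));
    printf("xor kept in secure   : %d\n", cp_math(&c, OP_XOR, 0x200, 0x100, 2048, 16));
    return 0;
}
```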
Compared with the prior art, the present invention stores confidential information by providing a configurable, externally visible secure space, which protects important data while keeping the coprocessor convenient to use. At the same time, the size of the secure space can be changed as required, which accommodates different application requirements and eases system development.
The device embodiments described above are only illustrative. Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
For convenience of description, the device above is described with its functions divided into separate units. Of course, when implementing the present application, the functions of the units may be implemented in one or more pieces of software and/or hardware.
The present application may be described in the general context of computer-executable instructions executed by a computer, such as program modules. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. The application may also be practised in distributed computing environments, in which tasks are performed by remote processing devices connected through a communication network. In a distributed computing environment, program modules may be located in both local and remote computer storage media, including storage devices.
It should be understood that although this specification is described in terms of embodiments, not every embodiment contains only one independent technical solution. The specification is written this way only for clarity; those skilled in the art should treat the specification as a whole, and the technical solutions in the embodiments may be suitably combined to form other embodiments that those skilled in the art can understand.
The detailed descriptions listed above are only specific descriptions of feasible embodiments of the present invention and are not intended to limit its scope of protection. All equivalent embodiments or changes that do not depart from the spirit of the invention shall be included within the scope of protection of the present invention.

Claims (9)

1. An information security coprocessor, characterized in that it comprises the following units:
Local address space unit: comprises a secure space and a non-secure space, both configurable; data stored in the secure space cannot be read directly out of the processor;
Control unit: performs flow control through certain control logic;
Mathematical operation unit: implements mathematical operations;
Cryptographic algorithm engine: executes cryptographic algorithms to implement encryption or decryption.
2. The information security coprocessor according to claim 1, characterized in that the information security coprocessor also comprises a DMA engine responsible for data transfer between the AHB bus and the local address space unit.
3. The information security coprocessor according to claim 1, characterized in that the information security coprocessor also comprises a register file.
4. The information security coprocessor according to claim 3, characterized in that the register file comprises control registers and status registers.
5. The information security coprocessor according to claim 1, characterized in that the mathematical operations comprise copy or XOR, or a combination of the two.
6. A method for managing the internal storage space of an information security coprocessor, characterized in that the information security coprocessor has an externally visible local address space, and the method comprises the following steps:
S1: dividing the local address space into a secure space and a non-secure space, wherein data stored in the secure space cannot be read directly out of the processor;
S2: initializing the sizes of the secure space and the non-secure space;
S3: using the local address space, storing confidential information in the secure space, and configuring the sizes of the secure space and the non-secure space as required;
S4: performing data processing in the information security coprocessor, wherein, when at least one input datum is located in the secure space and the input can be calculated from the output, none of the corresponding output data may be written to the non-secure space or to external storage space.
7. The method according to claim 6, characterized in that the data processing comprises mathematical operations, wherein the mathematical operations comprise copy or XOR, or a combination of the two.
8. The method according to claim 6, characterized in that the step of "configuring the sizes of the secure space and the non-secure space as required" in step S3 is specifically:
The division between the secure space and the non-secure space can be changed, but the secure space can only grow, and a region that previously belonged to the secure space cannot be changed into non-secure space.
9. The method according to claim 6, characterized in that the method also comprises transferring data between the AHB bus and the local address space through the DMA engine.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110398177.8A CN102521166B (en) 2011-12-05 2011-12-05 Information safety coprocessor and method for managing internal storage space in information safety coprocessor

Publications (2)

Publication Number    Publication Date
CN102521166A (en)     2012-06-27
CN102521166B (en)     2015-02-11

Family ID: 46292095

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
ASS Succession or assignment of patent right
    Owner name: SOLOMON-SYSTECH (SHENZHEN) CO., LTD.
    Free format text: FORMER OWNER: SUZHOU XITU SHIDING MICROELECTRONICS CO., LTD.
    Effective date: 20130829
C41 Transfer of patent application or patent right or utility model
COR Change of bibliographic data
    Free format text: CORRECT: ADDRESS; FROM: 215021 SUZHOU, JIANGSU PROVINCE TO: 518057 SHENZHEN, GUANGDONG PROVINCE
TA01 Transfer of patent application right
    Effective date of registration: 20130829
    Address after: 518057, No. six building, No. two Shenzhen Software Park, central science and technology zone, Nanshan District hi tech Zone, Shenzhen, Guangdong, two
    Applicant after: Solomon Systech (Shenzhen) Limited
    Address before: Xinghu Street Industrial Park of Suzhou city in Jiangsu province 215021 No. 328 Creative Industry Park 2-B702 unit
    Applicant before: Suzhou Xitu Shiding Microelectronics Co.,Ltd.
C14 Grant of patent or utility model
GR01 Patent grant