CN107391232A - A kind of system level chip SOC and SOC systems - Google Patents

A kind of system level chip SOC and SOC systems Download PDF

Info

Publication number
CN107391232A
CN107391232A CN201710657396.0A CN201710657396A CN107391232A CN 107391232 A CN107391232 A CN 107391232A CN 201710657396 A CN201710657396 A CN 201710657396A CN 107391232 A CN107391232 A CN 107391232A
Authority
CN
China
Prior art keywords
soc
data
key
internal
memory
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710657396.0A
Other languages
Chinese (zh)
Inventor
刘子行
杜朝晖
应志伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Haiguang Information Technology Co Ltd
Original Assignee
Analog Microelectronics (shanghai) Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Analog Microelectronics (shanghai) Co Ltd filed Critical Analog Microelectronics (shanghai) Co Ltd
Priority to CN201710657396.0A priority Critical patent/CN107391232A/en
Publication of CN107391232A publication Critical patent/CN107391232A/en
Pending legal-status Critical Current

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/565Static detection by checking file integrity
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/602Providing cryptographic facilities or services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0869Generation of secret information including derivation or calculation of cryptographic keys or passwords involving random numbers or seeds
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/30Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Computing Systems (AREA)
  • Mathematical Optimization (AREA)
  • Mathematical Analysis (AREA)
  • Pure & Applied Mathematics (AREA)
  • Virology (AREA)
  • Algebra (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a kind of system level chip SOC and SOC systems, belongs to data encryption processing technology field.The SOC includes:One or more cores;Internal security internal memory, it is located inside SOC, and the internal security internal memory is initialized by internal security memory interface, and data are stored in inside the internal security internal memory from processor.The SOC systems include:Carried out data transmission between multiple SOC, the multiple SOC by bus;Wherein, identity is mutually authenticated by digital signature in advance between the multiple SOC and cipher key agreement algorithm negotiates key, and encryption and decryption is carried out to the data of transmission by the key.By using system level chip SOC provided by the invention and SOC systems, can solve the technical problem that data can be eavesdropped by bus transfer by rogue program between SOC in SEV technologies.

Description

A kind of system level chip SOC and SOC systems
Technical field
The present invention relates to data encryption processing technology field, and in particular to a kind of system level chip SOC and SOC systems.
Background technology
SEV (security encryption virtualization) technology of Advanced Micro Devices to virtual machine by being made Physical memory is encrypted, and different virtual machines uses different keys, even if can so ensure operationally Hypervisor (virtual machine management program) can not see the internal memory of virtual machine.
But this scheme has the hidden danger of following secure context:
SEV is to do encipherment protection to the virutal machine memory page, but does not ensure that the integrality of data.
The internal memory that virtual machine uses is provided by host, thus while memory content is encrypted, but on host Rogue program number, can be protected at data the methods of ciphertext collision attack after modification encryption due to lacking by Replay Attack According to the mechanism of integrality, virtual machine can not know, such hacker can just reach the purpose of malicious intrusions virtual-machine data.
In computer systems, data are stored in internal memory, although and internal memory is private resource to User space program, It is public resource for operating system to be, when operating system is broken, the security of internal memory can not just ensure that.Therefore such as How the safety for the data for ensureing to be stored in internal memory is a problem.
The content of the invention
The invention provides a kind of system level chip SOC and SOC systems, solve in SEV technologies that data pass through between SOC The technical problem that bus transfer may be eavesdropped by rogue program.
The present invention provides a kind of system level chip SOC, and the SOC includes:
One or more cores;
Internal security internal memory, it is located inside SOC, and the internal security internal memory is carried out just by internal security memory interface Beginningization, and data are stored in inside the internal security internal memory from processor.
In addition, the present invention also provides a kind of SOC systems, the SOC systems include:
Carried out data transmission between multiple SOC as described above, the multiple SOC by bus;
Wherein, identity is mutually authenticated by digital signature in advance between the multiple SOC and cipher key agreement algorithm is consulted Go out key, and encryption and decryption is carried out to the data of transmission by the key.
The cipher key agreement algorithm includes the close SM2 algorithms of Diffie-Hellman algorithms or state.
Be additionally provided with crypto-engine unit inside the multiple SOC, the crypto-engine unit be used for the SOC it Between identity is mutually authenticated by digital signature in advance and cipher key agreement algorithm negotiates key.
In the data trailer of the transmission, the HMAC to data text is also added, the SOC verifies to HMAC.
Random number generation unit is provided with inside the SOC, the random number generation unit is used to produce random number, and The random number is mixed into key, generates new key, the SOC carries out carrying out encryption and decryption to data using the key.
A kind of system level chip SOC of the present invention and SOC systems, so as to solve in SEV technologies data between SOC pass through it is total The technical problem that line is transmitted and eavesdropped by rogue program.
Brief description of the drawings
Fig. 1 is system level chip SOC structural representations;
The schematic diagram of Fig. 2 Security Data Transmissions between multiple SOC.
Embodiment
Below by drawings and examples, technical scheme is described in further detail.
As shown in figure 1, the embodiment of the present invention provides a kind of system level chip SOC, the SOC includes:
One or more cores 21 or 22;
Internal security internal memory 23 is located inside SOC.
Use to internal secure memory (internal safe memory) provides following interface, and we are referred to as safety Memory interface:
1st, secure memory-safe_memory_init is initialized
2nd, the space-safe_memory_allocate for specifying size is distributed
Internal security internal memory 23 is initialized by internal security memory interface, and data are stored in from core 21 or 22 Inside the internal security internal memory 23.
In initialization procedure, caller can by code or data duplication into the internal security internal memory 23 being assigned to, Then ensure that the code that copies in internal security internal memory or data are safe by digital signature.
After internal security internal memory 23 initializes, instruction or data in internal security internal memory remain stored in SOC Inside, for caller use, SOC do not provide interface modification secure memory in content.
Due to internal security internal memory 23 in use, the code only in secure memory can change secure memory In data, it can be considered that secure memory is safe and trusty.
In more SOC environment, because application program often switches between multiple SOC, moved when on application program SOC1 After moving on on SOC2, because data are still stored in SOC1, it must be accessed by the bus between SOC to realize.
This just brings a potential safety hazard, if data are transmitted in bus with clear-text way, it is possible to by malice journey Sequence intercepts from bus.
As shown in Fig. 2 also providing a kind of SOC systems in a preferred embodiment, the SOC systems include:
Multiple SOC1 as described above or SOC2, SOC1 include internal security internal memory 33a, core 31a and 32a, SOC2 bag Internal security internal memory 33b, core 31b and 32b are included, is carried out data transmission between the multiple SOC by bus;
Wherein, identity is mutually authenticated by digital signature in advance between the multiple SOC and cipher key agreement algorithm is consulted Go out key, and encryption and decryption is carried out to the data of transmission by the key.
The cipher key agreement algorithm includes the close SM2 algorithms of Diffie-Hellman algorithms or state.
Crypto-engine unit 35a and 35b, crypto-engine unit 35a are respectively arranged with inside SOC1 and SOC2 And 35b be used for SOC1 and SOC2 identity is mutually authenticated by digital signature in advance and cipher key agreement algorithm negotiate it is close Key.
Crypto-engine unit 35a inside SOC1 the data encryption to be transmitted, is sent to bus by shared key, SOC2 receives data from bus, with identical secret key decryption, so as to protect the safety of data.
Meanwhile in the data trailer of transmission, it also added HMAC (the Hash-based Message to data text Authentication Code), SOC1 and SOC2 are verified to HMAC by the verification to HMAC, protect data Integrality.
Require emphasis, may be by bus if the encrypted more data of the shared key between SOC1 and SOC2 Upper listener-in analyzes encryption mode, so as to forge ciphertext, it is therefore desirable to increases a counting unit on SOC.SOC1 and Be respectively arranged with random number generation unit 34a and 34b inside SOC2, random number generation unit 34a and 34b be used to producing with Machine number, and the random number is mixed into key, generate new key, SOC1 and SOC2 and using the key enter data Row encryption and decryption.
Random number generation unit 34a and 34b on SOC1 and SOC2 start to be 0, and all can after communicating every time It is synchronous to add 1.By the way that counter is mixed into key (the KDF algorithms generated using key), so as to which key is protected.
Compared with single SOC, under more SOC environment, the data in secure memory are in random number generation unit 34a and 34b meeting Transmission, but be encrypted in transmitting procedure, therefore can ensure safe and trusty.
In the above-described embodiments, the description to each embodiment all emphasizes particularly on different fields, and does not have the portion being described in detail in some embodiment Point, it may refer to the associated description of other embodiment.
Professional should further appreciate that, each example described with reference to the embodiments described herein Unit and algorithm steps, it can be realized with electronic hardware, computer software or the combination of the two, it is hard in order to clearly demonstrate The interchangeability of part and software, the composition and step of each example are generally described according to function in the above description. These functions are performed with hardware or software mode actually, application-specific and design constraint depending on technical scheme. Professional and technical personnel can realize described function using distinct methods to each specific application, but this realization It is it is not considered that beyond the scope of this invention.
The method that is described with reference to the embodiments described herein can use hardware, computing device the step of algorithm Software module, or the two combination are implemented.Software module can be placed in random access memory (RAM), internal memory, read-only storage (ROM), electrically programmable ROM, electrically erasable ROM, register, hard disk, moveable magnetic disc, CD-ROM or technical field In any other form of storage medium well known to interior.
The embodiment being somebody's turn to do above, the purpose of the present invention, technical scheme and beneficial effect are carried out further in detail Describe in detail it is bright, should be understood that more than should be only the present invention embodiment, the guarantor being not intended to limit the present invention Scope is protected, within the spirit and principles of the invention, any modification, equivalent substitution and improvements done etc., should be included in this Within the protection domain of invention.

Claims (6)

1. a kind of system level chip SOC, it is characterised in that the SOC includes:
One or more cores;
Internal security internal memory, it is located inside SOC, and the internal security internal memory is carried out initial by internal security memory interface Change, and data are stored in inside the internal security internal memory from processor.
2. a kind of SOC systems, it is characterised in that the SOC systems include:
Carried out data transmission between multiple SOC as claimed in claim 1, the multiple SOC by bus;
Wherein, identity is mutually authenticated by digital signature in advance between the multiple SOC and cipher key agreement algorithm negotiate it is close Key, and encryption and decryption is carried out to the data of transmission by the key.
3. SOC systems according to claim 2, it is characterised in that the cipher key agreement algorithm includes Diffie- The close SM2 algorithms of Hellman algorithms or state.
4. SOC systems according to claim 2, it is characterised in that be additionally provided with crypto-engine inside the multiple SOC Unit, the crypto-engine unit is used between the SOC identity be mutually authenticated by digital signature in advance and key is assisted Business's negotiating algorithm goes out key.
5. SOC systems according to claim 2, it is characterised in that in the data trailer of the transmission, also add to data The HMAC of text, the SOC verify to HMAC.
6. SOC systems according to claim 2, it is characterised in that generating random number list is provided with inside the SOC Member, the random number generation unit is used to produce random number, and the random number is mixed into key, generates new key, institute SOC is stated to carry out carrying out encryption and decryption to data using the key.
CN201710657396.0A 2017-08-03 2017-08-03 A kind of system level chip SOC and SOC systems Pending CN107391232A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710657396.0A CN107391232A (en) 2017-08-03 2017-08-03 A kind of system level chip SOC and SOC systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710657396.0A CN107391232A (en) 2017-08-03 2017-08-03 A kind of system level chip SOC and SOC systems

Publications (1)

Publication Number Publication Date
CN107391232A true CN107391232A (en) 2017-11-24

Family

ID=60343218

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710657396.0A Pending CN107391232A (en) 2017-08-03 2017-08-03 A kind of system level chip SOC and SOC systems

Country Status (1)

Country Link
CN (1) CN107391232A (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417538A (en) * 2019-07-30 2019-11-05 广州小鹏汽车科技有限公司 Vehicle and its method and system of internal security communication
CN110727931A (en) * 2019-10-16 2020-01-24 青岛海信电子设备股份有限公司 Data storage device and method
TWI748570B (en) * 2020-07-22 2021-12-01 瑞昱半導體股份有限公司 Data processing device
CN114064556A (en) * 2020-07-29 2022-02-18 瑞昱半导体股份有限公司 Data processing apparatus
CN114201747A (en) * 2021-11-29 2022-03-18 海光信息技术股份有限公司 Dynamic measurement root implementation method, device, system and storage medium
US11809337B2 (en) 2020-07-22 2023-11-07 Realtek Semiconductor Corporation Graphics processing device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462011A (en) * 2013-09-24 2015-03-25 株式会社东芝 Information processing device and semiconductor device
CN105678191A (en) * 2016-03-02 2016-06-15 上海瓶钵信息科技有限公司 Method for improving system safety by utilizing SoC Internal memory, terminal and system
CN105981398A (en) * 2013-12-03 2016-09-28 三星电子株式会社 Contents security method and electronic apparatus for providing contents security function

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104462011A (en) * 2013-09-24 2015-03-25 株式会社东芝 Information processing device and semiconductor device
CN105981398A (en) * 2013-12-03 2016-09-28 三星电子株式会社 Contents security method and electronic apparatus for providing contents security function
CN105678191A (en) * 2016-03-02 2016-06-15 上海瓶钵信息科技有限公司 Method for improving system safety by utilizing SoC Internal memory, terminal and system

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110417538A (en) * 2019-07-30 2019-11-05 广州小鹏汽车科技有限公司 Vehicle and its method and system of internal security communication
CN110417538B (en) * 2019-07-30 2022-10-14 广州小鹏汽车科技有限公司 Vehicle and method and system for internal safety communication of vehicle
CN110727931A (en) * 2019-10-16 2020-01-24 青岛海信电子设备股份有限公司 Data storage device and method
CN110727931B (en) * 2019-10-16 2023-08-08 青岛海信电子设备股份有限公司 Data storage device and method
TWI748570B (en) * 2020-07-22 2021-12-01 瑞昱半導體股份有限公司 Data processing device
US11809337B2 (en) 2020-07-22 2023-11-07 Realtek Semiconductor Corporation Graphics processing device
CN114064556A (en) * 2020-07-29 2022-02-18 瑞昱半导体股份有限公司 Data processing apparatus
CN114201747A (en) * 2021-11-29 2022-03-18 海光信息技术股份有限公司 Dynamic measurement root implementation method, device, system and storage medium

Similar Documents

Publication Publication Date Title
EP3574622B1 (en) Addressing a trusted execution environment
CN107391232A (en) A kind of system level chip SOC and SOC systems
EP3403185B1 (en) Memory operation encryption
CN104639516B (en) Identity identifying method, equipment and system
TWI601405B (en) Method and apparatus for cloud-assisted cryptography
CN107743133A (en) Mobile terminal and its access control method and system based on trustable security environment
US9798677B2 (en) Hybrid cryptographic key derivation
CN103107994B (en) Vitualization environment data security partition method and system
CA3048894A1 (en) Addressing a trusted execution environment using encryption key
CN109858265A (en) A kind of encryption method, device and relevant device
GB2531885A (en) Address-dependent key generator by XOR tree
CN103955654A (en) USB (Universal Serial Bus) flash disk secure storage method based on virtual file system
CN104335548A (en) Secure data processing
CN108768963A (en) The communication means and system of trusted application and safety element
CN103378971A (en) Data encryption system and method
CN105678173A (en) vTPM safety protection method based on hardware transactional memory
CN106992978A (en) Network safety managing method and server
Hu Study of file encryption and decryption system using security key
CN109344632A (en) A kind of OPENSTACK volumes of encryption method based on hardware encryption card
Magdum et al. A secure data transfer algorithm for USB mass storage devices to protect documents
CN107609405B (en) External secure memory device and system-on-chip SOC
CN108985079B (en) Data verification method and verification system
CN108154037A (en) Inter-process data transmission method and device
CN112583580A (en) Quantum key processing method and related equipment
CN116881945B (en) Solid state disk encryption and decryption method and system based on TPCM and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20180110

Address after: 300143 Tianjin Haitai Huayuan Industrial Zone No. 18 West North 2-204 industrial incubation -3-8

Applicant after: Hai Guang Information Technology Co., Ltd.

Address before: 201203 3F, No. 1388, 02-01, Zhang Dong Road, Pudong New Area, Shanghai

Applicant before: Analog Microelectronics (Shanghai) Co., Ltd.

TA01 Transfer of patent application right
RJ01 Rejection of invention patent application after publication

Application publication date: 20171124

RJ01 Rejection of invention patent application after publication