CN108073351A - Data storage method for a non-volatile storage space in a chip, and trusted chip - Google Patents
- Publication number: CN108073351A (application CN201610998449.0A)
- Authority: CN (China)
- Prior art keywords: data, owner, space, storage address, chip
- Legal status: Granted (Google's note: the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F3/06: Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers (under G06F3/00, input/output arrangements; G06F, electric digital data processing; G06, computing; G, physics)
- G06F3/061: Interfaces specially adapted for storage systems, adapted to achieve a particular effect, improving I/O performance
- G06F3/0638: Interfaces specially adapted for storage systems making use of a particular technique, organizing or formatting or addressing of data
- G06F3/0679: In-line storage system, single storage device, non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]
- G06F21/79: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting specific internal or peripheral components to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
- H04L9/08: Cryptographic mechanisms or arrangements for secret or secure communications; key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
Abstract
The invention discloses a data storage method for a non-volatile storage space in a chip, and a trusted chip. The method includes creating a non-volatile storage space in the chip, where the attributes of the non-volatile storage space include at least a parameter characterizing that owner data is stored in the space and the storage address range of the owner data; the storage address range of the owner data characterizes the maximum data length that may be requested from the chip. The invention addresses the problem in the prior art that raw data read from the non-volatile space of a trusted security chip is inaccurate, because a read may be allowed to run past the stored data into the space's default fill.
Description
Technical field
The present invention relates to the field of data storage, and in particular to a data storage method for a non-volatile storage space in a chip, and to a trusted chip.
Background technology
A user can create a non-volatile space in a trusted security chip and assign it the attributes shown in Table 1:
Table 1
Fig. 1 shows the interaction by which a user obtains non-volatile space data according to the prior art. As shown in Fig. 1, the steps are:
(1) owner C sends a request to trusted chip T to access the non-volatile space;
(2) trusted chip T responds to owner C's request by asking for the password, the non-volatile space number and the data length;
(3) owner C returns the password, the non-volatile space number and the length of the non-volatile data to be accessed to trusted chip T;
(4) trusted chip T verifies that the password and the non-volatile space index number are correct and that the data length L satisfies:
L ≤ |Last_adress − First_adress| (1)
where First_adress is the starting physical address of the non-volatile space and Last_adress is the physical address of its last position.
If the password and the non-volatile space number are correct and the requested data length L satisfies formula (1), the trusted chip returns the data owner C asked for and the flow ends. Otherwise the flow is terminated immediately.
Note that formula (1) bounds the request by the size of the allocated space, not by the amount of data the owner actually wrote, which is the root of the problem described next.
The existing international TCG specification for security chips grants access to a fixed-size non-volatile space in the trusted security chip, and in that specification the status identification data defaults to 0, which is easily confused with an owner-data value of 0. When the user retrieves data, part of what is returned may therefore be the status identification value 0 rather than a 0 the user actually stored. For example, owner C has applied for a 6-byte non-volatile space and stored 4 bytes of data, as shown in Table 2: the owner space number is 1, the owner name is C, the space size for owner space number 1 is 6 bytes (so the data length can be at most 6 bytes), the corresponding physical addresses are FFFFF0~FFFFF6, 4 bytes are stored at these addresses, the data written by the owner is "1101", and the two bytes not written are 00 by TCG default, so the owner data reads as 110100 (in the original, bold italic digits denote status data and plain digits denote owner data; the owner data is as shown in Table 1).
Table 2
Nv_index | User_name | Password | Nv_Size | Nv_F&L_adress | Data |
1 | C | **** | 6 | FFFFF0~FFFFF6 | 110100 |
When the stored data is long and changes often, owner C may not remember exactly how much data has been stored or what it is. Suppose owner C requests a data length of 5 and, in response to the trusted chip's request, supplies the correct password **** and Nv_index number 1. After receiving this information, the trusted chip verifies the password and the Nv index number, and also verifies that the length 5 < 6 is within the permitted range, so it returns 5 bytes of owner C's data, 11010. Owner C's original data 1101 has thus become 11010, that is, the data is wrong.
Thus, when raw data is read from the non-volatile space of a trusted security chip according to the prior art described above, the accuracy of the data read is poor, and no effective solution to this problem has yet been proposed.
Summary of the invention
Embodiments of the present invention provide a data storage method for a non-volatile storage space in a chip, and a trusted chip, to at least solve the prior-art problem that raw data read from the non-volatile space of a trusted security chip is inaccurate.
According to one aspect of the embodiments, a data storage method for a non-volatile storage space in a chip is provided, including: creating a non-volatile storage space in the chip, where the attributes of the space include at least a parameter characterizing that owner data is stored in the space, and the storage address range of the owner data; the storage address range of the owner data characterizes the maximum data length that may be requested from the chip.
According to another aspect, a method for obtaining data stored in a chip is provided, including: receiving an access request for the non-volatile storage space of the chip; responding to the access request by obtaining verification information and the requested data length; if the verification information is valid, judging whether the requested data length lies within the storage address range of the owner data preset in the non-volatile storage space; and if it does, allowing the content of the owner data to be returned. The storage address range of the owner data characterizes the maximum data length that may be requested from the chip.
According to another aspect, a trusted chip is provided, including a memory with a non-volatile storage space whose attributes include at least a parameter characterizing that owner data is stored in the space and the storage address range of the owner data, the latter characterizing the maximum data length that may be requested from the chip.
According to another aspect, a system for obtaining data stored in a chip is provided, including: an access device, which sends an access request for the non-volatile storage space of the chip; and a trusted chip communicating with the access device, which responds to the access request, obtains the verification information returned by the access device and the requested data length, and, if the verification information is valid and the requested data length lies within the storage address range of the owner data, allows the content of the owner data to be returned. The storage address range of the owner data characterizes the maximum data length that may be requested from the chip.
According to another aspect, a device for obtaining data stored in a chip is provided, including: a receiving module, which receives an access request for the non-volatile storage space of the chip; a response module, which responds to the access request by obtaining verification information and the requested data length; a judgment module, which, if the verification information is valid, judges whether the requested data length lies within the storage address range of the owner data preset in the non-volatile storage space; and a control module, which allows the content of the owner data to be returned if the requested data length lies within that range. The storage address range of the owner data characterizes the maximum data length that may be requested from the chip.
In the embodiments, the storage address range of the owner data is used to bound reads: after a non-volatile storage space is created in the chip, owner data is written to it and the storage address range of the owner data is determined from the size of the owner data; the data returned to the owner is then limited by the size of the owner data and its storage address range rather than by the size of the allocated space. This achieves accurate retrieval of owner data, ensures that the owner obtains the original data correctly, and so solves the prior-art problem that raw data read from the non-volatile space of a trusted security chip is inaccurate.
Description of the drawings
The drawings described here provide a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a schematic of the interaction by which a user obtains non-volatile space data according to the prior art;
Fig. 2 is a hardware block diagram of an optional computer terminal according to an embodiment of the invention;
Fig. 3 is a flow chart of a data storage method for a non-volatile storage space in a chip according to an embodiment of the invention;
Fig. 4 is a flow chart of an optional data storage method for a non-volatile storage space in a chip according to an embodiment of the invention;
Fig. 5 is a flow chart of an optional method for accessing owner data in a non-volatile storage space according to an embodiment of the invention;
Fig. 6 is a structural diagram of an optional TCG trust chain according to an embodiment of the invention;
Fig. 7 is a flow chart of a method for obtaining data stored in a chip according to an embodiment of the invention;
Fig. 8 is a structural diagram of a trusted chip according to an embodiment of the invention;
Fig. 9 is a structural diagram of a system for obtaining data stored in a chip according to an embodiment of the invention;
Fig. 10 is a structural diagram of a device for obtaining data stored in a chip according to an embodiment of the invention; and
Fig. 11 is a structural diagram of an optional computer terminal according to an embodiment of the invention.
Detailed description
To make the solution of the present invention better understood by those skilled in the art, the technical solution in the embodiments is described clearly and completely below with reference to the drawings. The embodiments described are only some of the embodiments of the invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
It should be noted that the terms "first", "second" and so on in the description, claims and drawings are used to distinguish similar objects and not to describe a particular order or sequence. Data so used may be interchanged where appropriate, so that the embodiments described here can be implemented in an order other than that illustrated or described. In addition, the terms "comprising" and "having" and any variants of them are intended to cover non-exclusive inclusion: a process, method, system, product or device that contains a series of steps or units is not necessarily limited to the steps or units expressly listed, but may include other steps or units that are not expressly listed or that are inherent to the process, method, product or device.
First, some of the terms used in describing the embodiments of this application are explained as follows:
Non-volatile memory (Nv) is a memory technology that guarantees that the data stored in a device is not lost when the device loses power; it is commonly used to protect the user's most sensitive data.
Owner data is the data a user stores in a storage device; the owner is the entity that operates on the data.
Trusted means that an entity always behaves in the expected manner for a specific purpose.
Trusted computing refers to a trusted computing platform, widely used in computing and communication systems, that is built on a hardware security module; using such a platform can improve the overall security of a system. Its core mechanism is to construct a trusted computing environment through a chain of trust.
A trusted security chip is a chip with the capability to generate encryption and decryption keys; it can also encrypt and decrypt data at high speed and act as a coprocessor that protects the basic input/output system and the operating system from being modified.
Embodiment 1
According to an embodiment of the present invention, a method embodiment of the data storage method for a non-volatile storage space in a chip is also provided.
The method embodiment provided in Embodiment 1 of this application may be executed in a mobile terminal, a computer terminal or a similar computing device. Fig. 2 shows the hardware block diagram of a computer terminal (or mobile device) used to implement the data storage method for a non-volatile storage space in a chip. As shown in Fig. 2, computer terminal 10 (or mobile device 10) may include one or more processors 102 (shown in the figure as 102a, 102b, ..., 102n; processor 102 may include, but is not limited to, a processing unit such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module for communication. It may also include a display, an input/output interface (I/O interface), a universal serial bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power supply and/or a camera. Those skilled in the art will understand that the structure shown in Fig. 2 is only illustrative and does not limit the structure of the electronic device; for example, computer terminal 10 may include more or fewer components than shown in Fig. 2, or a different configuration.
It should be noted that the one or more processors 102 and/or other data processing circuits may be referred to collectively here as a "data processing circuit". The data processing circuit may be embodied in whole or in part as software, hardware, firmware or any combination of them. It may be a single independent processing module, or may be integrated in whole or in part into any of the other elements in computer terminal 10 (or the mobile device). As involved in the embodiments of this application, the data processing circuit acts as a kind of processor control (for example selecting the variable-resistance terminal path connected to the interface).
Memory 104 may be used to store the software programs and modules of application software, such as the program instructions/data storage device corresponding to the data storage method for a non-volatile storage space in a chip in the embodiments of the invention; by running the software programs and modules stored in memory 104, processor 102 executes various functional applications and data processing, that is, implements the method described above. Memory 104 may include high-speed random access memory and may also include non-volatile memory such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, memory 104 may further include memory located remotely from processor 102, which may be connected to computer terminal 10 over a network. Examples of such a network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations of them.
It should be noted here that in some optional embodiments the computer device (or mobile device) shown in Fig. 2 may include hardware elements (including circuits), software elements (including computer code stored on a computer-readable medium) or a combination of hardware and software elements. Fig. 2 is only one example of a particular embodiment and is intended to show the types of components that may be present in the computer device (or mobile device) described above.
In the running environment described above, this application provides the data storage method for a non-volatile storage space in a chip shown in Fig. 3. Fig. 3 is a flow chart of the data storage method for a non-volatile storage space in a chip according to Embodiment 1, and includes the following steps:
Step S302: create a non-volatile storage space in the chip, where the attributes of the non-volatile storage space include at least a parameter characterizing that owner data is stored in the space, and the storage address range of the owner data; the storage address range of the owner data characterizes the maximum data length that may be requested from the chip.
In the solution defined by step S302, the non-volatile storage space may use either big-endian or little-endian storage. In big-endian mode the high byte of the data is stored at the low memory address and the low byte at the high address; in little-endian mode the high byte is stored at the high address and the low byte at the low address. Little-endian mode thus aligns address order with the significance of the data: the data at the high address has the high weight and the data at the low address has the low weight.
It should be noted that one attribute of the non-volatile storage space, the owner data, is the data the user has stored in the non-volatile storage space; for example, if the user stores the data "1101", that is the owner data stored in the space. Another attribute, the storage address range of the owner data, is the maximum length of non-volatile memory the user is allowed to read; for example, if the storage address range of the owner data is FFFFF0~FFFFF6, the maximum data length the user may request from the chip is 7 (the range is counted inclusively here, while Tables 2 and 4 describe the same physical range as a 6-byte space). In addition, creating a non-volatile storage space in the chip guarantees that the data stored in the chip is not lost when the device loses power, so it can be used to store comparatively important data.
From the solution disclosed in step S302 above, a non-volatile storage space is created in the chip, which guarantees that the data the user stores in the chip is not lost on power loss and thus improves the security of data storage.
Optionally, the attributes of the non-volatile storage space further include at least one of: the space number, the name of the space owner, the space authorization password, the space size and the physical address range of the space.
In an optional embodiment, Table 3 is the attribute table of a non-volatile storage space to which owner data has been written, as shown in Table 3.
Table 3
Nv_index | User_name | Password | Nv_Size | Nv_F&L_adress | Storage address scope | Data |
1 | C | **** | 6 | FFFFF0~FFFFF6 | FFFFF1~FFFFF4 | 1101 |
In Table 3, the owner's space number is 1, the space owner's name is C, the size of owner space number 1 is 6 bytes (so the data length can be at most 6 bytes), the corresponding physical address range of the space is FFFFF0~FFFFF6, 4 bytes are stored at these addresses, the storage address range of the owner data is FFFFF1~FFFFF4, and the owner data written is "1101".
Optionally, Fig. 4 shows the flow of the data storage method for a non-volatile storage space in a chip after the non-volatile storage space has been created in the chip. As shown in Fig. 4, the method further includes:
Step S304: write owner data to the non-volatile storage space and determine the storage address range of the owner data from the size of the owner data, where the storage address range is determined by the starting storage address and the end storage address of the owner data's data block.
In an optional embodiment in which the owner data is stored in little-endian mode, suppose the size of the owner data is L, the starting storage address of the owner data's data block (the memory address of the low byte of the owner data) is Min_adress, and the end storage address of the data block (the memory address of the high byte of the owner data) is Max_adress. Then L, Min_adress and Max_adress satisfy:
L ≤ |Max_adress − Min_adress| (2)
The end address Max_adress of the owner data can therefore be determined from the size L of the owner data and its starting storage address Min_adress, and from these the storage address range of the owner data. For example, if the owner data written to the non-volatile storage space is "1101", its size is 4 bytes, so the length of the owner data's storage address range is also 4 bytes; if the starting storage address of the owner data is FFFFF1, its end address is FFFFF4 and the storage address range of the owner data's data block is FFFFF1~FFFFF4. (With these values the difference Max_adress − Min_adress is 3 while the range holds 4 bytes: the worked examples count the address range inclusively, so in practice the bound in formula (2) is the number of addresses from Min_adress to Max_adress.)
Optionally, Fig. 5 shows the flow of the method for accessing owner data in the non-volatile storage space after owner data has been written to the space and its storage address range determined from its size. As shown in Fig. 5, the method includes:
Step S502: receive an access request for the non-volatile storage space;
Step S504: respond to the access request by obtaining verification information and the requested data length;
Step S506: if the verification information is valid, judge whether the requested data length lies within the storage address range of the owner data;
Step S508: if the requested data length lies within the storage address range of the owner data, allow the content of the owner data to be returned.
As an optional embodiment, the access device sends a request to the trusted chip to access the non-volatile space; after receiving the request, the trusted chip responds by asking the access device to return verification information and the length of the owner data; the access device sends the verification information and the length of the owner data to the trusted chip, for example a length of 4 bytes; the trusted chip checks whether the verification information returned by the access device meets the requirements and, if it does, judges whether the requested data length lies within the storage address range of the owner data. For example, if the requested data length is 4 bytes, the storage address range of the owner data is FFFFF1~FFFFF4 and the maximum storage length of the owner data is 4 bytes, the requested length satisfies formula (2); the trusted chip therefore allows access to the owner data and returns the owner data in the storage address range FFFFF1~FFFFF4.
It should be noted that the verification information serves to verify whether the access device has access permission and to determine the position of the data the access device is accessing, which further improves the accuracy of data access.
Optionally, if the requested data length lies outside the storage address range of the owner data, the flow of obtaining the owner data is stopped and/or a prompt indicating that the request failed is output.
As an optional embodiment, once the trusted chip has verified that the verification information returned by the access device meets the requirements, it judges whether the requested data length lies within the storage address range of the owner data. If it lies outside that range, for example if the requested data length is 4 bytes while the storage address range of the owner data is FFFFF1~FFFFF3 and the maximum storage length of the owner data is 3 bytes, the requested length does not satisfy formula (2); the trusted chip therefore refuses access to the owner data, terminates the flow immediately and outputs a prompt that the request failed.
Optionally, the verification information includes at least one of: the number of the space to be accessed, and the password.
As an optional embodiment, verifying the number of the space to be accessed confirms whether that space number exists in the trusted chip, and verifying the password confirms whether the current user has access rights, which further improves the accuracy of data access.
Optionally, if the verification information fails verification, a prompt that the owner data cannot be obtained is returned.
In an optional embodiment, the user requests space number 2 but no owner data with space number 2 exists in the trusted chip; in this case the flow of obtaining the owner data is stopped and a prompt is sent to the access device stating that no owner data with space number 2 exists. In another optional embodiment, the user requests space number 2, owner data with space number 2 exists in the trusted chip, but the password is found to be wrong; in this case the flow of obtaining the owner data is likewise stopped and a prompt is sent to the access device stating that the password is incorrect and asking the user to try again.
In a preferred embodiment, owner C has applied for a non-volatile space of 6 bytes and stored 4 bytes of data in it, as shown in Table 4: the owner space number Nv_index is 1, the space owner name User_name is C, the space size Nv_Size corresponding to owner space number 1 is 6 bytes, i.e. the maximum data length is 6 bytes; the corresponding physical address range is FFFFF0~FFFFF6, 4 bytes are stored in that physical address range, the data written by the owner are "1101", and by TCG default the owner's data Data that have not been written are 00, so that the Data item reads 110100 (the digits in bold italics represent status data and the digits not in bold represent the owner's data, the owner's data being as shown in Table 4).
Table 4
When the stored data are long and change frequently, the owner may forget how long the data stored in the memory space are. For example, the owner requests the trusted chip to obtain data of length 5, and the trusted chip responds with negative feedback, as follows: after the owner enters the correct password **** and space number Nv_index 1, the trusted chip receives this verification information, verifies that the password and space number are correct, and verifies that the requested data length 5 exceeds the length 4 of the owner's data; since the requested data length is not within the range the chip allows to be accessed, the trusted chip prompts that the requested data exceed the pre-stored range and terminates the flow of obtaining the owner's data.
Trusted computing performs security protection while computation takes place, so that the result of the computation is always consistent with what is expected and the whole computing process is measurable, controllable and undisturbed.
The key elements of trusted computing are the chain of trust and the root of trust; trusted computing constructs a trusted computing environment through the trust chain mechanism. When the root of trust is a trusted chip that includes non-volatile storage space, there is another optional embodiment, specifically as follows:
At present, trusted computing has two technical routes: the domestic Trusted Platform Control Module (TPCM) and the Trusted Platform Module (TPM) of the international TCG standards organization.
The key elements of trusted computing are the chain of trust and the root of trust. In the TCG specifications, the Trusted Platform Module (TPM) is the hardware root of trust of the trusted computing platform; the TPM is a security chip that provides protected secure storage and cryptographic computing capability. The TPM is physically connected to the computing platform and attached to the CPU through an external bus; on a PC platform, for example, it is fixed directly on the mainboard and connected through the LPC bus.
The TCG specifications give the definition of "trusted": an entity always operates in an expected manner for a specific purpose. The core mechanism of trusted computing is to construct a trusted computing environment through the trust chain mechanism; whether an entity currently running is trusted is judged on the basis of whether the preceding process of establishing the system was trusted. Based on this trust relationship, if the system starts from an initial root of trust, and at each transition of the platform computing environment this trust is maintained by being passed on, then a chain of trust in which each level verifies the next and each level trusts the next is established in the computing platform; the computing environment is then always trusted and can be trusted by local users or remote entities. Fig. 6 shows the structure diagram of the TCG chain of trust; in Fig. 6, solid arrows represent trusted measurement connections, dotted arrows represent trusted reporting connections, bold solid arrows represent trusted storage connections, and bold dotted arrows represent trusted network connections.
The key technologies of trusted computing include several parts such as trusted measurement, trusted reporting, trusted storage and trusted network connection.
The Trusted Platform Control Module (TPCM) realizes the basic functions of a trusted platform module; its functional composition is basically the same as that of the TPM. However, since the core root of trust for measurement (CRTM) of the TPM resides in the basic input/output system (BIOS), outside the protection of the TPM, the TPCM proposes a new design of the root of trust for measurement, solving the problem of the starting measurement point of the root of trust for measurement, and changes the order of startup and measurement. On this basis it establishes a trust chain and measurement flow with the chip as the root of trust, so that the chip controls the startup of the whole system, I/O interface control and system configuration, embodying the chip's control over the trustworthiness of the system.
In the process of transferring operational control on the computing platform, the root of trust TPCM judges whether the authenticity and integrity of the code to be executed at the next level have been tampered with; if not, the system transfers operational control to the trusted execution code of the next level, and the trusted scope of the system is thereby extended to the next-level function code. By continuously transferring system control in this way, the establishment and transfer process of the chain of trust is realized, finally achieving trust across the whole system. A complete transitive-trust process of the system starts from the root of trust: the trusted platform control module transfers system control in order to a trusted BIOS, then to a trusted operating system loader, from the trusted operating system loader to a trusted operating system, and from the trusted operating system to trusted applications.
A trusted security chip has the function of generating encryption and decryption keys, can also perform high-speed data encryption and decryption, and serves as a secondary processor that protects the BIOS and the operating system from modification.
TPM security chips have very wide uses; together with dedicated software they can achieve the following purposes:
(1) Storing and managing BIOS startup passwords and hard disk passwords. These matters used to be handled by the BIOS, and enthusiasts may know that whenever a password was forgotten, removing the CMOS battery and discharging the CMOS cleared the password. Nowadays these keys are actually stored in a storage unit solidified in the chip, and their information is not lost even on power-down. Compared with passwords managed by the BIOS, the security of a TPM security chip is greatly improved.
(2) TPM security chips can perform encryption over a wider range. Besides the traditional startup encryption and hard disk encryption, a TPM security chip can also encrypt system logins and application software logins. For example, the login information and passwords of MSN, QQ, online games and online banking are transmitted only after being encrypted by the TPM, so there is no need to worry about the information and passwords being stolen.
(3) Encrypting any partition of the hard disk. Any hard disk partition on a notebook can be encrypted, and sensitive files can be placed in that partition to keep them safe. For example, the one-key recovery function used by some notebook manufacturers is one concentrated embodiment of this purpose (it places the system image in a partition encrypted by the TPM). Some large commercial software companies (such as Microsoft) also make use of it as a means of encrypting partitions (for example, the well-known BitLocker).
It should be noted that, for the sake of brevity, each of the foregoing method embodiments is expressed as a series of combinations of actions; those skilled in the art should know, however, that the present invention is not limited by the described sequence of actions, because according to the present invention some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in this specification are preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better embodiment. Based on such an understanding, the technical solution of the present invention, or essentially the part that contributes to the prior art, can be embodied in the form of a software product; the software product is stored in a storage medium (such as ROM/RAM, magnetic disk or optical disc) and includes instructions that cause a terminal device (which may be a mobile phone, computer, server or network device) to perform the method of each embodiment of the present invention.
Embodiment 2
According to an embodiment of the present invention, a method embodiment for obtaining data stored in a chip is also provided.
The present application provides the method of obtaining data stored in a chip shown in Fig. 7. Fig. 7 is a flowchart of the method of obtaining data stored in a chip according to Embodiment 2 of the present invention; it includes the following steps:
Step S702, receiving an access request for accessing the non-volatile storage space of the chip;
Step S704, responding to the access request, and obtaining the verification information and the requested data length;
Step S706, if the verification information is verified, judging whether the requested data length is within the storage address range of the owner's data preset in the non-volatile storage space;
Step S708, if the requested data length is within the storage address range of the owner's data, allowing the content of the owner's data to be returned; wherein the storage address range of the owner's data characterizes the maximum data length allowed when requesting data from the chip.
In the solution defined by steps S702 to S708 above, the chip being accessed may be a trusted chip, and the non-volatile storage space is included in the trusted chip. The storage mode of the non-volatile storage space may be big-endian mode or little-endian mode. For the storage mode of the owner's data in little-endian mode, assume the size of the owner's data is L, the starting storage address of the owner's data block, i.e. the memory address holding the low byte of the owner's data, is Min_adress, and the end storage address of the owner's data block, i.e. the memory address holding the high byte of the owner's data, is Max_adress; then L, Min_adress and Max_adress satisfy the following formula:
L≤|Max_adress-Min_adress|
The access device initiates a request to access the non-volatile space to the trusted chip. After receiving the non-volatile space request sent by the access device, the trusted chip responds to the request and requires the access device to feed back verification information and the length information of the owner's data. The access device sends the verification information and the length information of the owner's data to the trusted chip, for example that the length of the owner's data to be accessed is 4 bytes. The trusted chip verifies whether the verification information returned by the access device meets the requirements and, if it does, judges whether the requested data length is within the storage address range of the owner's data. For example, the requested data length is 4 bytes, the storage address range of the owner's data is FFFFF1~FFFFF4, the maximum storage length of the owner's data is 4 bytes, and the requested data length satisfies the formula:
L≤|Max_adress-Min_adress|
Therefore the trusted chip allows access to the owner's data and returns the owner's data in the storage address range FFFFF1~FFFFF4.
It should be noted that the above verification information can be used to verify whether the access device has access permission and to determine the location at which the access device accesses the data, further improving the accuracy of data access. The storage mode of the above non-volatile storage space may be big-endian mode or little-endian mode. Big-endian mode means that the high byte of the data is stored at the low address in memory and the low byte of the data is stored at the high address in memory; little-endian mode means that the high byte of the data is stored at the high address in memory and the low byte of the data is stored at the low address in memory. This mode effectively combines the high and low addresses with the positional weight of the data: the data in the high address part have high weight and the data in the low address part have low weight.
Based on the solution disclosed in steps S702 to S708 of the above embodiment, it can be seen that after non-volatile storage space is created in the chip, the owner's data are written to the non-volatile storage space, the storage address range of the owner's data is determined according to the size of the owner's data, and the data the owner needs to obtain are returned according to the size of the owner's data and the storage address range of the owner's data. This achieves the purpose of accurately obtaining the owner's data, thereby realizing the technical effect of ensuring the correctness of the original data obtained by the owner, and solving the technical problem of the prior art that the original data read from the non-volatile space of a trusted security chip are of poor accuracy.
Optionally, the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authority password, space size and space physical address range.
In an optional embodiment, Table 5 is the attribute table of a non-volatile storage space into which the owner's data have been written, as shown in Table 5.
Table 5
In Table 5, the space number of the owner is 1, the space owner name is C, the owner space size of owner space number 1 is 6 bytes, i.e. the maximum data length is 6 bytes, the corresponding space physical address range is FFFFF0~FFFFF6, 4 bytes are stored in that physical address range, the storage address range is FFFFF1~FFFFF4, and the owner's data written are "1101".
Optionally, before receiving the access request for accessing the non-volatile storage space of the chip, the method further includes: writing the owner's data to the non-volatile storage space, and determining the storage address range of the owner's data according to the size of the owner's data, wherein the storage address range is determined by the starting storage address and the end storage address of the owner's data block.
In an optional embodiment in which the storage mode of the owner's data is little-endian mode, assume the size of the owner's data is L, the starting storage address of the owner's data block, i.e. the memory address holding the low byte of the owner's data, is Min_adress, and the end storage address of the owner's data block, i.e. the memory address holding the high byte of the owner's data, is Max_adress; then L, Min_adress and Max_adress satisfy the following formula:
L≤|Max_adress-Min_adress|
Therefore, the end address Max_adress of the owner's data can be determined from the size L of the owner's data and the starting storage address Min_adress of the owner's data, and the storage address range of the owner's data can then be determined. For example, if the owner's data written to the non-volatile storage space are "1101", the size of the owner's data is 4 bytes, so the length of the storage address range of the owner's data is also 4 bytes; if the starting storage address of the owner's data is FFFFF1, the end address of the owner's data is FFFFF4, and the storage address range of the owner's data block is FFFFF1~FFFFF4.
Optionally, if the requested data length falls outside the storage address range of the owner's data, the flow of obtaining the owner's data is stopped and/or a prompt message characterizing the failure of the request is output.
As an optional embodiment, once the trusted chip has verified that the verification information returned by the access device meets the requirements, it further determines whether the requested data length lies within the storage address range of the owner's data. If the requested data length falls outside that range, for example when the requested data length is 4 bytes but the storage address range of the owner's data is FFFFF1~FFFFF3, so that the maximum storage length of the owner's data is 3 bytes, the requested data length does not satisfy the formula L≤|Max_adress-Min_adress|; therefore the trusted chip does not allow access to the owner's data, terminates the flow directly, and outputs a prompt message that this request has failed.
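A Python model of the access check in steps S702 to S708 (restated for the system of Embodiment 4 and the device of Embodiment 5) and of the Table 4/Table 5 scenario, added here as an example; it is not the patent's own code. It assumes the storage address range includes both end addresses, which is the reading under which the page's numbers come out (4 bytes in FFFFF1~FFFFF4 accepted, a 4-byte request against FFFFF1~FFFFF3 refused), it uses a constant-time password comparison that the page does not specify, and the password "****", the owner names and the space numbers are constructed sample input.

```python
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TCG_DEFAULT_FILL = 0x00  # the page: bytes never written read back as 00


@dataclass
class NvSpace:
    """One non-volatile space with the attributes listed in Table 4/Table 5."""
    nv_index: int                      # space number (Nv_index)
    user_name: str                     # space owner name (User_name)
    nv_size: int                       # space size in bytes (Nv_Size), the maximum data length
    phys_base: int                     # first physical address of the space, e.g. 0xFFFFF0
    password: str                      # space authority password (assumed to be a plain string)
    little_endian: bool = True         # storage mode of the owner's data
    min_adress: Optional[int] = None   # address holding the low byte of the owner's data
    max_adress: Optional[int] = None   # address holding the high byte of the owner's data
    cells: bytearray = field(init=False, default_factory=bytearray)

    def __post_init__(self) -> None:
        # an unwritten space reads as 00, which the page gives as the TCG default
        self.cells = bytearray([TCG_DEFAULT_FILL] * self.nv_size)


def write_owner_data(space: NvSpace, data: bytes, start_addr: int) -> Tuple[int, int]:
    """Write owner's data of size L at start_addr and fix its storage address range.

    Min_adress = start_addr and Max_adress = start_addr + L - 1, so the page's
    relation between L and the two addresses holds with the range read as
    inclusive (assumption). Returns (Min_adress, Max_adress).
    """
    length = len(data)
    offset = start_addr - space.phys_base
    if length == 0 or offset < 0 or offset + length > space.nv_size:
        raise ValueError("owner's data does not fit in the space")
    # data is given most significant byte first, as written ("1101").
    # Little-endian mode: the low byte goes to the low address, so the image is reversed.
    # Big-endian mode: the high byte goes to the low address, so the image is as given.
    image = data[::-1] if space.little_endian else data
    space.cells[offset:offset + length] = image
    space.min_adress = start_addr
    space.max_adress = start_addr + length - 1
    return space.min_adress, space.max_adress


def read_owner_data(chip: Dict[int, NvSpace], nv_index: int, password: str,
                    req_len: int) -> Tuple[bool, bytes, str]:
    """Steps S702 to S708: verify the space number and password, then refuse any
    request longer than the owner's data storage address range.

    Returns (allowed, data, prompt). When allowed is False the flow stops and
    the prompt is the failure message the chip sends to the access device.
    """
    space = chip.get(nv_index)
    if space is None:
        return False, b"", "no owner's data with space number %d" % nv_index
    # constant-time comparison is our choice; the page only says the password is checked
    if not hmac.compare_digest(space.password.encode(), password.encode()):
        return False, b"", "password incorrect, please operate again"
    if space.min_adress is None or space.max_adress is None:
        return False, b"", "no owner's data written to this space"
    stored_len = space.max_adress - space.min_adress + 1
    if req_len < 1 or req_len > stored_len:
        return False, b"", "requested data of length %d exceed the pre-stored range %06X~%06X" % (
            req_len, space.min_adress, space.max_adress)
    offset = space.min_adress - space.phys_base
    image = bytes(space.cells[offset:offset + stored_len])
    # undo the endian placement so the caller receives the data as written;
    # a shorter request returns the leading bytes of the data (assumption)
    data = image[::-1] if space.little_endian else image
    return True, data[:req_len], "ok"


def build_table4_chip() -> Dict[int, NvSpace]:
    """Constructed sample chip: owner C, space 1 of 6 bytes at FFFFF0, data "1101" at FFFFF1."""
    chip: Dict[int, NvSpace] = {}
    space_c = NvSpace(nv_index=1, user_name="C", nv_size=6, phys_base=0xFFFFF0, password="****")
    write_owner_data(space_c, b"1101", 0xFFFFF1)   # storage address range becomes FFFFF1~FFFFF4
    chip[1] = space_c
    return chip


if __name__ == "__main__":
    chip = build_table4_chip()
    # the page's four cases: correct 4-byte read, forgotten length 5, unknown space 2, wrong password
    for idx, pw, n in [(1, "****", 4), (1, "****", 5), (2, "****", 4), (1, "bad", 4)]:
        print(idx, pw, n, read_owner_data(chip, idx, pw, n))
```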
Embodiment 3
According to an embodiment of the present invention, an embodiment of a trusted chip is also provided.
The present application provides the structure diagram of the trusted chip shown in Fig. 8. Fig. 8 is the structure diagram of the trusted chip according to Embodiment 3 of the present invention; the trusted chip includes: a memory 801. Wherein,
the memory 801 includes non-volatile storage space, wherein the attributes of the non-volatile storage space include at least: a parameter characterizing the owner's data stored in the non-volatile storage space, and the storage address range of the owner's data; wherein the storage address range of the owner's data characterizes the maximum data length allowed when requesting data from the chip.
In the technical solution defined by the memory 801 above, the storage mode of the non-volatile storage space may be big-endian mode or little-endian mode. Big-endian mode means that the high byte of the data is stored at the low address in memory and the low byte of the data is stored at the high address in memory; little-endian mode means that the high byte of the data is stored at the high address in memory and the low byte of the data is stored at the low address in memory. This mode effectively combines the high and low addresses with the positional weight of the data: the data in the high address part have high weight and the data in the low address part have low weight.
It should be noted that one attribute of the non-volatile storage space, the owner's data, is the data the user stores in the non-volatile storage space; for example, if the data stored by the user are "1101", those data are the owner's data stored in the non-volatile storage space. Another attribute of the non-volatile storage space, the length of the storage address range of the owner's data, is the maximum data length the user is allowed to read from the non-volatile memory; for example, if the storage address range of the owner's data is FFFFF0~FFFFF6, the maximum data length allowed when the user requests data from the chip is 7. In addition, creating non-volatile storage space in the chip ensures that the data stored in the chip are not lost when the device loses power, so it can be used to store relatively important data.
It can be seen from the above that creating non-volatile storage space in the chip ensures that the data the user stores in the chip are not lost when the device loses power, thereby improving the security of data storage.
Embodiment 4
According to an embodiment of the present invention, a system embodiment for obtaining data stored in a chip is also provided.
The present application provides the system for obtaining data stored in a chip shown in Fig. 9. Fig. 9 is the structure diagram of the system for obtaining data stored in a chip according to Embodiment 4 of the present invention; the system includes: an access device 901 and a trusted chip 903. Wherein,
the access device 901 is configured to send an access request for accessing the non-volatile storage space of the chip;
the trusted chip 903 communicates with the access device and is configured to respond to the access request, obtain the verification information returned by the access device and the requested data length, and, if the verification information is verified and the requested data length is within the storage address range of the owner's data, allow the content of the owner's data to be returned; wherein the storage address range of the owner's data characterizes the maximum data length allowed when requesting data from the trusted chip.
In an optional embodiment, the non-volatile storage space is included in the above trusted chip. The storage mode of the non-volatile storage space may be big-endian mode or little-endian mode. When the storage mode of the owner's data is little-endian mode, assume the size of the owner's data is L, the starting storage address of the owner's data block, i.e. the memory address holding the low byte of the owner's data, is Min_adress, and the end storage address of the owner's data block, i.e. the memory address holding the high byte of the owner's data, is Max_adress; then L, Min_adress and Max_adress satisfy the following formula:
L≤|Max_adress-Min_adress|
The access device initiates a request to access the non-volatile space to the trusted chip. After receiving the non-volatile space request sent by the access device, the trusted chip responds to the request and requires the access device to feed back verification information and the length information of the owner's data. The access device sends the verification information and the length information of the owner's data to the trusted chip, for example that the length of the owner's data to be accessed is 4 bytes. The trusted chip verifies whether the verification information returned by the access device meets the requirements and, if it does, judges whether the requested data length is within the storage address range of the owner's data. For example, the requested data length is 4 bytes, the storage address range of the owner's data is FFFFF1~FFFFF4, the maximum storage length of the owner's data is 4 bytes, and the requested data length satisfies the formula:
L≤|Max_adress-Min_adress|
Therefore the trusted chip allows access to the owner's data and returns the owner's data in the storage address range FFFFF1~FFFFF4.
It should be noted that the above verification information can be used to verify whether the access device has access permission and to determine the location at which the access device accesses the data, further improving the accuracy of data access. The storage mode of the above non-volatile storage space may be big-endian mode or little-endian mode. Big-endian mode means that the high byte of the data is stored at the low address in memory and the low byte of the data is stored at the high address in memory; little-endian mode means that the high byte of the data is stored at the high address in memory and the low byte of the data is stored at the low address in memory. This mode effectively combines the high and low addresses with the positional weight of the data: the data in the high address part have high weight and the data in the low address part have low weight.
It can be seen from the above that after non-volatile storage space is created in the chip, the owner's data are written to the non-volatile storage space, the storage address range of the owner's data is determined according to the size of the owner's data, and the data the owner needs to obtain are returned according to the size of the owner's data and the storage address range of the owner's data. This achieves the purpose of accurately obtaining the owner's data, thereby realizing the technical effect of ensuring the correctness of the original data obtained by the owner, and solving the technical problem of the prior art that the original data read from the non-volatile space of a trusted security chip are of poor accuracy.
Optionally, the trusted chip 903 is further configured to write the owner's data to the non-volatile storage space and to determine the storage address range of the owner's data according to the size of the owner's data, wherein the storage address range is determined by the starting storage address and the end storage address of the owner's data block.
Embodiment 5
According to an embodiment of the present invention, a device for obtaining data stored in a chip, used to implement Embodiment 2 above, is also provided. As shown in Fig. 10, the device includes: a receiving module 1001, a response module 1003, a judgment module 1005 and a control module 1007. Wherein,
the receiving module 1001 is configured to receive an access request for accessing the non-volatile storage space of the chip;
the response module 1003 is configured to respond to the access request and obtain the verification information and the requested data length;
the judgment module 1005 is configured to judge, if the verification information is verified, whether the requested data length is within the storage address range of the owner's data preset in the non-volatile storage space;
the control module 1007 is configured to allow the content of the owner's data to be returned if the requested data length is within the storage address range of the owner's data; wherein the storage address range of the owner's data characterizes the maximum data length allowed when requesting data from the chip.
The chip being accessed may be a trusted chip, and the non-volatile storage space is included in the trusted chip. The storage mode of the non-volatile storage space may be big-endian mode or little-endian mode. When the storage mode of the owner's data is little-endian mode, assume the size of the owner's data is L, the starting storage address of the owner's data block, i.e. the memory address holding the low byte of the owner's data, is Min_adress, and the end storage address of the owner's data block, i.e. the memory address holding the high byte of the owner's data, is Max_adress; then L, Min_adress and Max_adress satisfy the following formula:
L≤|Max_adress-Min_adress|
The access device initiates a request to access the non-volatile space to the trusted chip. After receiving the non-volatile space request sent by the access device, the trusted chip responds to the request and requires the access device to feed back verification information and the length information of the owner's data. The access device sends the verification information and the length information of the owner's data to the trusted chip, for example that the length of the owner's data to be accessed is 4 bytes. The trusted chip verifies whether the verification information returned by the access device meets the requirements and, if it does, judges whether the requested data length is within the storage address range of the owner's data. For example, the requested data length is 4 bytes, the storage address range of the owner's data is FFFFF1~FFFFF4, the maximum storage length of the owner's data is 4 bytes, and the requested data length satisfies the formula:
L≤|Max_adress-Min_adress|
Therefore the trusted chip allows access to the owner's data and returns the owner's data in the storage address range FFFFF1~FFFFF4.
It should be noted that the above verification information can be used to verify whether the access device has access permission and to determine the location at which the access device accesses the data, further improving the accuracy of data access. The storage mode of the above non-volatile storage space may be big-endian mode or little-endian mode. Big-endian mode means that the high byte of the data is stored at the low address in memory and the low byte of the data is stored at the high address in memory; little-endian mode means that the high byte of the data is stored at the high address in memory and the low byte of the data is stored at the low address in memory. This mode effectively combines the high and low addresses with the positional weight of the data: the data in the high address part have high weight and the data in the low address part have low weight.
It can be seen from the above that after non-volatile storage space is created in the chip, the owner's data are written to the non-volatile storage space, the storage address range of the owner's data is determined according to the size of the owner's data, and the data the owner needs to obtain are returned according to the size of the owner's data and the storage address range of the owner's data. This achieves the purpose of accurately obtaining the owner's data, thereby realizing the technical effect of ensuring the correctness of the original data obtained by the owner, and solving the technical problem of the prior art that the original data read from the non-volatile space of a trusted security chip are of poor accuracy.
It should be noted here that the receiving module 1001, response module 1003, judgment module 1005 and control module 1007 above correspond to steps S702 to S708 in Embodiment 2; the examples and application scenarios realized by the four modules and the corresponding steps are the same, but are not limited to the content disclosed in Embodiment 2 above. It should be noted that the above modules, as part of the device, may run in the terminal 10 provided in Embodiment 1.
Optionally, the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authority password, space size and space physical address range.
In an optional embodiment, Table 6 is the attribute table of a non-volatile storage space into which the owner's data have been written, as shown in Table 6.
Table 6
In Table 6, the space number of the owner is 1, the space owner name is C, the owner space size of owner space number 1 is 6 bytes, i.e. the maximum data length is 6 bytes, the corresponding space physical address range is FFFFF0~FFFFF6, 4 bytes are stored in that physical address range, the storage address range is FFFFF1~FFFFF4, and the owner's data written are "1101".
Optionally, as shown in Fig. 10, the device for obtaining data stored in a chip further includes: a writing module 1009, configured to write the owner's data to the non-volatile storage space and to determine the storage address range of the owner's data according to the size of the owner's data, wherein the storage address range is determined by the starting storage address and the end storage address of the owner's data block.
In an optional embodiment, where the storage mode of the owner data is little-endian, assume that the size of the owner data is L, that the initial storage address of the data block of the owner data (that is, the memory address of the low byte of the owner data) is Min_adress, and that the end storage address of the data block of the owner data (that is, the memory address of the high byte of the owner data) is Max_adress. Then L, Min_adress and Max_adress satisfy the following formula:
L≤|Max_adress-Min_adress|
Therefore, the end address Max_adress of the owner data can be determined from the size L of the owner data and the initial storage address Min_adress of the owner data, and the storage address range of the owner data can then be determined. For example, if the owner data written to the non-volatile storage space is "1101", the size of the owner data is 4 bytes, so the length of the storage address range of the owner data is also 4 bytes; if the initial storage address of the owner data is FFFFF1, the end address of the owner data is FFFFF4, and the storage address range of the data block of the owner data is FFFFF1~FFFFF4.
Optionally, if the requested data length is outside the storage address range of the owner data, the process of obtaining the owner data is terminated and/or prompt information characterising request failure is output.
As an optional embodiment, when the verification information returned by the access device end passes the trusted chip's verification, the trusted chip determines whether the requested data length is within the storage address range of the owner data. If the requested data length is outside the storage address range of the owner data, for example, the requested data length is 4 bytes while the storage address range of the owner data is FFFFF1~FFFFF3, then the maximum storage length of the owner data is 3 bytes and the requested data length does not satisfy the formula L≤|Max_adress-Min_adress|; therefore the trusted chip does not allow access to the owner data, terminates the process directly, and outputs prompt information that this request has failed.
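As an added example that is not code from the patent, the following C model puts the write step and the access-request check described above together: an attribute record shaped like Table 6, a write that derives the storage address range from the data size, and a request handler that verifies the space number and permission password and then enforces the storage address range as the maximum requestable length. It assumes inclusive address ranges (so that FFFFF1~FFFFF4 holds 4 bytes, as the description states), a constructed permission password, and a small byte array standing in for the NV cells.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NV_MAX_CELLS 16   /* constructed: size of the stand-in NV cell array */

/* One non-volatile storage space with the attributes the description lists. */
typedef struct {
    unsigned    space_number;
    const char *owner_name;
    const char *permission_password;   /* constructed value, not from the patent */
    size_t      space_size;            /* maximum owner data length in bytes */
    uint32_t    phys_start, phys_end;  /* space physical address range */
    bool        has_owner_data;        /* parameter: owner data is stored */
    uint32_t    data_start, data_end;  /* storage address range of owner data */
    uint8_t     cells[NV_MAX_CELLS];   /* stand-in for the NV cells */
} nv_space_t;

typedef enum {
    NV_OK = 0,
    NV_ERR_AUTH,     /* verification information rejected */
    NV_ERR_NO_DATA,  /* no owner data has been written yet */
    NV_ERR_LENGTH,   /* requested length outside the storage address range */
    NV_ERR_BOUNDS    /* write does not fit the space, or output buffer too small */
} nv_status_t;

/* Compare passwords without returning early on the first mismatch, so the
 * check does not leak how many leading characters matched. */
static bool ct_str_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned diff = (unsigned)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned)(a[i] ^ b[i]);
    return diff == 0;
}

/* Write owner data at `start`. With inclusive ends (assumed here) the data
 * block runs from start to start + len - 1, which becomes the storage
 * address range; it must lie inside the space's physical address range. */
nv_status_t nv_write_owner_data(nv_space_t *sp, uint32_t start,
                                const uint8_t *data, size_t len)
{
    if (len == 0 || len > sp->space_size)
        return NV_ERR_BOUNDS;
    uint32_t end = start + (uint32_t)len - 1;
    if (start < sp->phys_start || end > sp->phys_end ||
        (start - sp->phys_start) + len > NV_MAX_CELLS)
        return NV_ERR_BOUNDS;
    memcpy(&sp->cells[start - sp->phys_start], data, len);
    sp->data_start = start;
    sp->data_end = end;
    sp->has_owner_data = true;
    return NV_OK;
}

typedef struct {
    unsigned    space_number;   /* verification information: space number */
    const char *password;       /* verification information: permission password */
    size_t      req_len;        /* data length the requester asks for */
} access_request_t;

/* Verify the request, then treat the storage address range as the maximum
 * data length that may be requested; anything larger terminates the request. */
nv_status_t nv_handle_request(const nv_space_t *sp, const access_request_t *rq,
                              uint8_t *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (rq->space_number != sp->space_number ||
        !ct_str_equal(rq->password, sp->permission_password))
        return NV_ERR_AUTH;          /* "owner data cannot be obtained" */
    if (!sp->has_owner_data)
        return NV_ERR_NO_DATA;
    size_t capacity = (size_t)(sp->data_end - sp->data_start) + 1;
    if (rq->req_len == 0 || rq->req_len > capacity)
        return NV_ERR_LENGTH;        /* stop and report request failure */
    if (rq->req_len > out_cap)
        return NV_ERR_BOUNDS;
    memcpy(out, &sp->cells[sp->data_start - sp->phys_start], rq->req_len);
    *out_len = rq->req_len;
    return NV_OK;
}

/* Build the Table 6 space (number 1, owner C, 6 bytes, FFFFF0~FFFFF6) and
 * write the first `data_len` bytes of the owner data "1101" at FFFFF1. */
static nv_status_t nv_setup_table6(nv_space_t *sp, size_t data_len)
{
    static const uint8_t owner_data[] = "1101";
    memset(sp, 0, sizeof *sp);
    sp->space_number = 1;
    sp->owner_name = "C";
    sp->permission_password = "pw-example";   /* constructed value */
    sp->space_size = 6;
    sp->phys_start = 0xFFFFF0;
    sp->phys_end = 0xFFFFF6;
    if (data_len > sizeof owner_data - 1)
        return NV_ERR_BOUNDS;
    return nv_write_owner_data(sp, 0xFFFFF1, owner_data, data_len);
}

/* End of the storage address range after writing `data_len` bytes (0 on error). */
uint32_t nv_scenario_data_end(size_t data_len)
{
    nv_space_t sp;
    return nv_setup_table6(&sp, data_len) == NV_OK ? sp.data_end : 0;
}

/* Full scenario: write `data_len` bytes, then request `req_len` bytes. */
nv_status_t nv_scenario(size_t data_len, const char *password,
                        size_t req_len, uint8_t *out, size_t *out_len)
{
    nv_space_t sp;
    nv_status_t st = nv_setup_table6(&sp, data_len);
    if (st != NV_OK) return st;
    access_request_t rq = { 1, password, req_len };
    return nv_handle_request(&sp, &rq, out, 8, out_len);
}
```

With the 4-byte owner data "1101" at FFFFF1 the range ends at FFFFF4 and a 4-byte request succeeds, while a 5-byte request, or a 4-byte request against the 3-byte range FFFFF1~FFFFF3 from the text, is refused with NV_ERR_LENGTH.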
Embodiment 6
An embodiment of the present invention may provide a terminal, which may be any computer terminal in a group of computer terminals. Optionally, in this embodiment, the above computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the above computer terminal may be located in at least one of a plurality of network devices of a computer network.
Optionally, Figure 11 is a structural block diagram of a terminal according to an embodiment of the present invention. As shown in Figure 11, terminal A may include one or more processors 1103 (only one is shown in the figure) and a memory 1101.
The memory may be used to store software programs and modules, such as the program instructions/modules corresponding to the security vulnerability detection method and apparatus in the embodiment of the present invention; the processor runs the software programs and modules stored in the memory so as to perform various functional applications and data processing, that is, to implement the above detection method for system vulnerability attacks. The memory may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory or other non-volatile solid-state memory. In some examples, the memory may further include memory located remotely from the processor; such remote memory may be connected to terminal A through a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network and combinations thereof.
The processor may call, via a transmission device, the information and application programs stored in the memory to perform the following steps: creating a non-volatile storage space in the chip, wherein the attributes of the non-volatile storage space at least include a parameter characterising that owner data is stored in the non-volatile memory and the storage address range of the owner data; wherein the storage address range of the owner data characterises the maximum data length permitted when requesting data from the chip.
Optionally, the above processor may also execute program code for the following steps: writing owner data to the non-volatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
Optionally, the above processor may also execute program code for the following steps: receiving an access request for accessing the non-volatile storage space; responding to the access request to obtain verification information and a requested data length; when the verification information passes verification, judging whether the requested data length is within the storage address range of the owner data; and, if the requested data length is within the storage address range of the owner data, allowing the content of the owner data to be returned.
Optionally, the above processor may also execute program code for the following steps: if the requested data length is outside the storage address range of the owner data, terminating the process of obtaining the owner data and/or outputting prompt information characterising request failure.
With the embodiment of the present invention, a scheme for a method of obtaining data stored in a chip is provided: after a non-volatile storage space is created in the chip, owner data is written to the non-volatile storage space and the storage address range of the owner data is determined according to the size of the owner data; the data the owner needs is then returned according to the size of the owner data and the storage address range of the owner data. This achieves the purpose of accurately obtaining the owner data, thereby realising the technical effect of ensuring that the original data obtained by the owner is correct, and thus solves the prior-art technical problem that original data read from the non-volatile space of a trusted secure chip has poor accuracy.
Those skilled in the art will appreciate that the structure shown in Figure 11 is merely illustrative; the terminal may also be a terminal device such as a smartphone (such as an Android phone or an iOS phone), a tablet computer, a palmtop computer, a mobile Internet device (MID) or a PAD. Figure 11 does not limit the structure of the above electronic device. For example, terminal 11 may also include more or fewer components than shown in Figure 11 (such as a network interface or a display device), or have a configuration different from that shown in Figure 11.
One of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be completed by a program instructing the hardware associated with a terminal device; the program may be stored in a computer-readable storage medium, and the storage medium may include a flash disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disc, etc.
Embodiment 7
An embodiment of the present invention further provides a storage medium. Optionally, in this embodiment, the above storage medium may be used to store the program code executed by the method for obtaining data stored in a chip provided in embodiment 2 above.
Optionally, in this embodiment, the above storage medium may be located in any computer terminal in a computer terminal group in a computer network, or in any mobile terminal in a mobile terminal group.
Optionally, in this embodiment, the storage medium is arranged to store program code for performing the following steps: receiving an access request for accessing a non-volatile storage space of the chip; responding to the access request to obtain verification information and a requested data length; when the verification information passes verification, judging whether the requested data length is within the storage address range of owner data preset in the non-volatile storage space; and, if the requested data length is within the storage address range of the owner data, allowing the content of the owner data to be returned; wherein the storage address range of the owner data characterises the maximum data length permitted when requesting data from the chip.
Optionally, in this embodiment, the storage medium is arranged to store program code that additionally performs the following steps: writing owner data to the non-volatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
Optionally, in this embodiment, the storage medium is arranged to store program code that additionally performs the following steps: if the requested data length is outside the storage address range of the owner data, terminating the process of obtaining the owner data and/or outputting prompt information characterising request failure.
The above embodiments of the present invention are for illustration only and do not represent the relative merits of the embodiments.
In the above embodiments of the present invention, the description of each embodiment has its own emphasis; for parts not described in detail in one embodiment, reference may be made to the related description of other embodiments.
In the several embodiments provided in this application, it should be understood that the disclosed technical content may be realised in other ways. The apparatus embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation. For instance, multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Furthermore, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The above integrated unit may be realised in the form of hardware or in the form of a software functional unit.
If the integrated unit is realised in the form of a software functional unit and sold or used as an independent product, it may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a storage medium, which includes instructions for causing a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the method of each embodiment of the present invention. The aforementioned storage medium includes media capable of storing program code, such as a USB flash disk, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk or an optical disc.
The above are only preferred embodiments of the present invention. It should be noted that those skilled in the art may make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (14)
1. A trusted chip, characterised in that it comprises:
a memory including a non-volatile storage space, wherein the attributes of the non-volatile storage space at least include: a parameter characterising that owner data is stored in the non-volatile storage space, and a storage address range of the owner data;
wherein the storage address range of the owner data is used to characterise the maximum data length permitted when requesting data from the chip.
2. A system for obtaining data stored in a chip, characterised in that it comprises:
an access device end, for sending an access request for accessing a non-volatile storage space of the chip;
a trusted chip communicating with the access device end, for responding to the access request, obtaining the verification information and the requested data length returned by the access device end, and, when the verification information passes verification, allowing the content of the owner data to be returned if the requested data length is within the storage address range of the owner data;
wherein the storage address range of the owner data is used to characterise the maximum data length permitted when requesting data from the trusted chip.
3. A data storage method for a non-volatile storage space in a chip, characterised in that it comprises:
creating a non-volatile storage space in the chip, wherein the attributes of the non-volatile storage space at least include: a parameter characterising that owner data is stored in the non-volatile storage space, and a storage address range of the owner data;
wherein the storage address range of the owner data is used to characterise the maximum data length permitted when requesting data from the chip.
4. The method according to claim 3, characterised in that the attributes of the non-volatile storage space further include at least one of the following: a space number, a space owner name, a space permission password, a space size and a space physical address range.
5. The method according to claim 3 or 4, characterised in that, after creating the non-volatile storage space in the chip, the method further comprises: writing the owner data to the non-volatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
6. The method according to claim 5, characterised in that, after writing the owner data to the non-volatile storage space and determining the storage address range of the owner data according to the size of the owner data, the method further comprises:
receiving an access request for accessing the non-volatile storage space;
responding to the access request to obtain verification information and a requested data length;
when the verification information passes verification, judging whether the requested data length is within the storage address range of the owner data;
if the requested data length is within the storage address range of the owner data, allowing the content of the owner data to be returned.
7. The method according to claim 6, characterised in that, if the requested data length is outside the storage address range of the owner data, the process of obtaining the owner data is terminated and/or prompt information characterising request failure is output.
8. The method according to claim 6, characterised in that the verification information includes at least one of the following: the number of the space to be accessed, and a password.
9. The method according to claim 6, characterised in that, when verification of the verification information fails, prompt information indicating that the owner data cannot be obtained is returned.
10. A method for obtaining data stored in a chip, characterised in that it comprises:
receiving an access request for accessing a non-volatile storage space of the chip;
responding to the access request to obtain verification information and a requested data length;
when the verification information passes verification, judging whether the requested data length is within the storage address range of owner data preset in the non-volatile storage space;
if the requested data length is within the storage address range of the owner data, allowing the content of the owner data to be returned;
wherein the storage address range of the owner data is used to characterise the maximum data length permitted when requesting data from the chip.
11. The method according to claim 10, characterised in that the attributes of the non-volatile storage space further include at least one of the following: a space number, a space owner name, a space permission password, a space size and a space physical address range.
12. The method according to claim 10 or 11, characterised in that, before receiving the access request for accessing the non-volatile storage space of the chip, the method further comprises: writing the owner data to the non-volatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
13. The method according to claim 10, characterised in that, if the requested data length is outside the storage address range of the owner data, the process of obtaining the owner data is terminated and/or prompt information characterising request failure is output.
14. An apparatus for obtaining data stored in a chip, characterised in that it comprises:
a receiving module, for receiving an access request for accessing a non-volatile storage space of the chip;
a response module, for responding to the access request to obtain verification information and a requested data length;
a judgment module, for judging, when the verification information passes verification, whether the requested data length is within the storage address range of owner data preset in the non-volatile storage space;
a control module, for allowing the content of the owner data to be returned if the requested data length is within the storage address range of the owner data;
wherein the storage address range of the owner data is used to characterise the maximum data length permitted when requesting data from the chip.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610998449.0A CN108073351B (en) | 2016-11-11 | 2016-11-11 | Data storage method of nonvolatile storage space in chip and credible chip |
TW106127335A TW201818258A (en) | 2016-11-11 | 2017-08-11 | Data storage method utilized in non-volatile storage space in integrated circuit, and trusted integrated circuit |
PCT/CN2017/108254 WO2018086469A1 (en) | 2016-11-11 | 2017-10-30 | Data storage method utilized in non-volatile storage space in integrated circuit, and trusted integrated circuit |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108073351A true CN108073351A (en) | 2018-05-25 |
CN108073351B CN108073351B (en) | 2021-06-15 |
Family
ID=62109463
Country Status (3)
Country | Link |
---|---|
CN (1) | CN108073351B (en) |
TW (1) | TW201818258A (en) |
WO (1) | WO2018086469A1 (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||