CN114091027A - Information configuration method, data access method, related device and equipment - Google Patents

Info

Publication number: CN114091027A
Application number: CN202111454122.4A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114091027B (en)
Inventors: 姜新, 应志伟
Assignee: Haiguang Information Technology Co Ltd
Legal status: Granted; active

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/561 Virus type analysis
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Abstract

In the information configuration method, the trusted hardware generates check information corresponding to an application program when the identity of the application program is verified as legal, and configures the check information in the storage device that the application program needs to access, so that the access authority of the application program is determined based on the check information and the data security of the storage device is guaranteed.

Description

Information configuration method, data access method, related device and equipment
Technical Field
The embodiment of the invention relates to the technical field of computers, in particular to an information configuration method, a data access method, a related device and equipment.
Background
A physical host typically requires a storage device (e.g., a hard disk) to hold a substantial portion of its data, and programs in the physical host typically run on the data in these storage devices.
Generally, the data in the storage devices can be accessed without limitation by the programs of the physical host (including privileged-level programs), so if the physical host is infected by a virus, the storage devices can be accessed maliciously by programs and the data security of the storage devices is threatened. For example, ransomware may traverse all files on the computer's hard disk and then tamper with the file format and encrypt the files, so that the data stored on the hard disk is damaged and the corresponding files cannot be read.
Therefore, how to guarantee the data security of the storage device is a problem that urgently needs to be solved in the field.
Disclosure of Invention
In view of this, embodiments of the present invention provide an information configuration method, a data access method, and related apparatuses and devices, so as to ensure data security of a storage device.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
In a first aspect, an embodiment of the present invention provides an information configuration method applied to trusted hardware, the method including:
acquiring a configuration request of an application program, where the configuration request at least includes identity information of the application program;
verifying the validity of the identity of the application program according to the identity information;
if the identity of the application program is legal, generating verification information corresponding to the application program;
sending configuration information to the storage device that the application program needs to access, where the configuration information includes the verification information, so that the storage device determines the access authority of the application program based on the verification information.
Optionally, the information configuration method further includes:
sending a feedback message to a processor, so that the processor executes the access of the application program to the storage device based on the feedback message.
Optionally, the generating verification information corresponding to the application program includes:
generating encryption information for data encryption, where the encryption information is used as the verification information.
Optionally, the generating verification information corresponding to the application program includes:
generating encryption information for data encryption;
generating variable information, where the variable information varies based on a preset rule;
combining the encryption information and the variable information to form the verification information corresponding to the application program.
Optionally, the variable information is a round value, and the generating the variable information includes: randomly generating an initial value of the round value.
Optionally, the identity information is certificate information of a public key certificate of the application program, and the public key certificate is verified based on a chip private key of the trusted hardware.
Optionally, the sending the feedback message to the processor includes:
encrypting the verification information based on a public key in the public key certificate;
generating the feedback message based on the encrypted ciphertext;
sending the generated feedback message to the processor.
Optionally, the generating verification information corresponding to the application program includes: using the identity information of the application program as the verification information.
Optionally, the configuration request includes feature information of the application program, and the generating verification information corresponding to the application program includes: using the feature information of the application program as the verification information; or using the feature information of the application program together with the identity information of the application program as the verification information.
Optionally, the configuration information further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
In a second aspect, an embodiment of the present invention provides an information configuration method, which is applied to a storage device, and the method includes:
acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program, and the verification information is generated by trusted hardware when the identity of the application program is verified to be legal;
configuring the verification information to determine access rights of the application based on the verification information.
Optionally, the configuration information further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
In a third aspect, an embodiment of the present invention provides an information configuration method, which is applied to a processor, and the method includes:
sending a configuration request to trusted hardware, where the configuration request at least includes identity information of the application program, so that the trusted hardware verifies the validity of the identity of the application program based on the identity information and, when the identity of the application program is legal, generates verification information corresponding to the application program, so that the storage device the application program needs to access configures the verification information and confirms the access authority of the application program based on the verification information;
acquiring a feedback message sent by the trusted hardware, so as to execute the access of the application program to the storage device based on the feedback message.
Optionally, before sending the configuration request to the trusted hardware, the method further includes:
generating a public and private key pair belonging to the application program according to the information of the application program;
sending the public key of the key pair to the trusted hardware, so that the trusted hardware signs the public key with the chip private key of the chip where the trusted hardware is located and generates a public key certificate belonging to the application program;
acquiring the public key certificate.
Optionally, after the feedback message sent by the trusted hardware is obtained, the method further includes:
decrypting the feedback message based on the private key of the application program to obtain the verification information.
Optionally, the configuration request further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
In a fourth aspect, an embodiment of the present invention provides a data access method, which is applied to a storage device, and includes:
acquiring data to be processed of an application program, where the data to be processed includes data to be written and data to be verified;
verifying the data to be verified based on pre-configured verification information to determine the access authority of the application program, where the access authority at least includes a write permission;
if the data to be verified passes the verification, writing the data to be written into the storage device.
Optionally, the verifying the data to be verified based on the pre-configured verification information includes:
acquiring the data to be written from the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and using the encrypted data as verification data;
comparing the data to be verified with the verification data; if the two match, the data to be verified passes the verification.
Optionally, the verification information is identity information of the application program, and/or feature information of the application program.
Optionally, the storage device is configured with write protection enabling information, and when the write protection enabling information indicates that the write protection function is enabled, the step of verifying the data to be verified based on the pre-configured verification information is executed.
In a fifth aspect, an embodiment of the present invention provides a data access method, applied to a processor, including:
generating data to be processed of an application program, where the data to be processed includes data to be written and data to be verified;
sending the data to be processed to a storage device, so that the storage device verifies the data to be verified according to verification information and then writes the data to be written according to the authority of the application program.
Optionally, in the step of generating the data to be processed of the application program, the data to be verified is placed at the head of the data to be processed and the data to be written is placed at the tail of the data to be processed.
Optionally, the generating the data to be processed of the application program includes:
acquiring the data to be written of the application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and using the encrypted data as the data to be verified;
merging the data to be verified and the data to be written into the data to be processed.
Optionally, in the step of generating the data to be processed of the application program, the identity information of the application program and/or the feature information of the application program is used as the data to be verified.
In a sixth aspect, an embodiment of the present invention provides an information configuring apparatus, including:
a request acquisition module, configured to acquire a configuration request of an application program, where the configuration request at least includes identity information of the application program;
an identity authentication module, configured to verify the validity of the identity of the application program according to the identity information;
an information generating module, configured to generate verification information corresponding to the application program when the identity of the application program is legal;
an information sending module, configured to send configuration information to the storage device that the application program needs to access, where the configuration information includes the verification information, so that the storage device determines the access authority of the application program based on the verification information.
In a seventh aspect, an embodiment of the present invention provides an information configuring apparatus, including:
an information acquisition module, configured to acquire configuration information, where the configuration information includes verification information corresponding to an application program, and the verification information is generated by trusted hardware when the identity of the application program is verified as legal;
an information configuration module, configured to configure the verification information so as to determine the access authority of the application program based on the verification information.
In an eighth aspect, an embodiment of the present invention provides an information configuring apparatus, including:
a request sending module, configured to send a configuration request to trusted hardware, where the configuration request at least includes identity information of an application program, so that the trusted hardware verifies the validity of the identity of the application program based on the identity information and, when the identity of the application program is valid, generates verification information corresponding to the application program, so that the storage device the application program needs to access configures the verification information and confirms the access permission of the application program based on the verification information;
a feedback message acquisition module, configured to acquire a feedback message sent by the trusted hardware so as to execute the access of the application program to the storage device based on the feedback message.
In a ninth aspect, an embodiment of the present invention provides a data access apparatus, including:
a data acquisition module, configured to acquire data to be processed of an application program, where the data to be processed includes data to be written and data to be verified;
a data verification module, configured to verify the data to be verified based on pre-configured verification information so as to determine the access authority of the application program, where the access authority at least includes a write permission;
a data writing module, configured to write the data to be written into the storage device if the data to be verified passes the verification.
In a tenth aspect, an embodiment of the present invention provides a data access apparatus, including:
a data generating module, configured to generate data to be processed of an application program, where the data to be processed includes data to be written and data to be verified;
a data sending module, configured to send the data to be processed to a storage device, so that the storage device verifies the data to be verified according to the verification information and then writes the data to be written according to the authority of the application program.
In an eleventh aspect, an embodiment of the present invention provides trusted hardware configured to perform an information configuration method applied to the trusted hardware.
In a twelfth aspect, an embodiment of the present invention provides a storage device, where the storage device includes a controller configured to execute an information configuration method applied to the storage device, and execute a data access method applied to the storage device.
Optionally, the controller includes a verification module, the verification module includes a calculation engine and a verification parameter register, the calculation engine is configured to perform encryption calculation, and the verification parameter register is configured to store the verification information.
In a thirteenth aspect, an embodiment of the present invention provides a processor, where the processor is configured to execute an information configuration method applied to the processor, and a data access method applied to the processor.
In a fourteenth aspect, an embodiment of the present invention provides a data processing system, including:
the trusted hardware, the storage device, and the processor.
In a fifteenth aspect, an embodiment of the present invention provides a storage medium, where the storage medium stores one or more computer-executable instructions for executing an information configuration method applied to trusted hardware, or an information configuration method applied to a processor, or an information configuration method applied to a storage device, or a data access method applied to a processor, or a data access method applied to a storage device.
In the information configuration method, the trusted hardware generates check information corresponding to the application program when the identity of the application program is verified as legal, and configures the check information in the storage device to be accessed by the application program, so that the storage device determines the access authority of the application program based on the check information.
It can be seen that, in the scheme provided by the embodiment of the present invention, the storage device is configured with the verification information corresponding to the application program, so the storage device itself can authenticate the identity of the application program based on that verification information and thereby resist attacks by viruses on the data in the storage device. Moreover, because the identity of the application program is verified by the storage device, data protection is realized at the hardware level: even a privileged program cannot access the hard disk data unless it passes the verification, and the data security of the storage device is guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
FIG. 1 is a block diagram of a data processing system;
FIG. 2 is a diagram illustrating an example method for accessing data in a hard disk;
FIG. 3 is a block diagram of a data processing system according to an embodiment of the present invention;
FIG. 4 is an optional flowchart of an information configuration method according to an embodiment of the present invention;
FIG. 5 is an optional flowchart of step S12 according to an embodiment of the present invention;
FIG. 6 is an optional flowchart of step S15 according to an embodiment of the present invention;
FIG. 7 is an optional flowchart of a data access method according to an embodiment of the present invention;
FIG. 8 is a diagram illustrating the structure of the data to be processed according to an embodiment of the present invention;
FIG. 9 is an optional flowchart of step S21 according to an embodiment of the present invention;
FIG. 10 is an optional flowchart of step S23 according to an embodiment of the present invention;
FIG. 11 is a schematic diagram illustrating a data access flow according to an embodiment of the present invention;
FIG. 12 is an optional block diagram of an information configuration apparatus from the perspective of the trusted hardware according to an embodiment of the present invention;
FIG. 13 is an optional block diagram of an information configuration apparatus from the perspective of the storage device according to an embodiment of the present invention;
FIG. 14 is an optional block diagram of an information configuration apparatus from the perspective of the processor according to an embodiment of the present invention;
FIG. 15 is an optional block diagram of a data access apparatus from the perspective of the storage device according to an embodiment of the present invention;
FIG. 16 is an optional block diagram of a data access apparatus from the perspective of the processor according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 shows a schematic architecture diagram of a data processing system, and referring to fig. 1, the system architecture may include a hardware layer 11, a kernel layer 12, and an application layer 13. The hardware layer 11 is configured to provide corresponding hardware support for system operation, the kernel layer 12 is configured to provide an operating space for an operating system kernel, and the application layer 13 is configured to provide an operating space for the application program 10.
The hardware layer 11 may include hardware devices for implementing system operation, and for convenience of description, only a processor (CPU) 14, a controller 15, and a hard disk 16 are shown in this example. The processor 14 is a core of system operation and control, and is an execution unit for information processing and application program operation; the controller 15 and the hard disk 16 may be understood as storage devices of the system, wherein the controller 15 is adapted to provide an interface for the hard disk 16 to enable communication between the processor 14 and the hard disk 16.
The kernel layer 12 may include a hard disk driver 17, a file system 18, and a Virtual File System (VFS) 19. The hard disk driver 17 controls hard disk addressing and data access; the file system 18 is the operating-system component that manages the read-write method, data organization and storage form of files on the hard disk; and the virtual file system 19 provides a unified operating interface and application programming interface over the various file systems.
When the application 10 in the application layer 13 needs to access data in the hard disk, the kernel layer 12 determines the file access information from the file system 18 through the interface provided by the virtual file system 19 and accesses the hard disk data through the hard disk driver 17. In the hardware layer 11, the processor 14 accesses the data in the hard disk 16 through the controller 15.
In an alternative implementation, the system may perform access control on the hard disk data based on user rights, thereby providing protection for the hard disk data. The virtual file system or file system of the kernel layer grants different authorities to different users, and whether an access may be executed is decided by the identity of the user and the authority that identity holds to operate on (e.g. read, write, execute) files and directories.
For example, referring to the example hard disk data access method shown in FIG. 2, when an application accesses data in the hard disk, the VFS or file system in the kernel layer may look up the authority of the user running the application in the authority information stored on the hard disk; for example, the authority information may include the read/write/execute authorities of the file owner, the group, and other users respectively, and the kernel performs the corresponding access control and reads or writes the file data on the hard disk.
However, with continued reference to FIG. 2, under this type of access control a virus (e.g. ransomware) can access the hard disk as soon as it obtains the corresponding user right, or it can attack the hard disk by exploiting a kernel vulnerability to gain the privilege-level rights of the system.
Based on this, in the information configuration method, trusted hardware may generate check information corresponding to the application program when verifying the validity of the identity of the application program, and configure the check information in a storage device that the application program needs to access, so as to determine the access right of the application program based on the check information.
It can be seen that, in the scheme provided by the embodiment of the present invention, the storage device is configured with the corresponding verification information, so the storage device itself can authenticate the identity of the application program based on that verification information and thereby resist attacks by viruses on the data in the storage device. Moreover, because the identity of the application program is verified by the storage device, data protection is realized at the hardware level: even a privileged program cannot access the hard disk data unless it passes the verification, and the data security of the storage device is guaranteed.
Furthermore, the corresponding verification information is generated by the trusted hardware, so a privilege-level program cannot obtain it; the confidentiality of the verification information is guaranteed, and the hard disk data cannot be accessed at will by privilege-level programs.
The following describes the information configuration scheme provided by the embodiment of the present invention in detail.
In an alternative implementation, fig. 3 shows an architecture diagram of a data processing system, and in combination with fig. 1, compared with the system architecture shown in fig. 1, the system architecture shown in fig. 3 further includes a memory 20 and trusted hardware 21 in the hardware layer 11, where the memory 20 is used to provide a data basis for data processing by the processor 14, and the trusted hardware 21 is a device that can provide a trusted environment for data processing.
The Trusted hardware 21 may be, for example, TPM (Trusted Platform Module) hardware, which is a hardware chip conforming to a Trusted computing standard specification issued by a Trusted computing organization and is composed of a measurable core trust source CRTM (core of Trusted for measurement) and a TPM chip; alternatively, the trusted hardware 21 may also be a security Processor (PSP), where the security Processor is a security Processor that is specially configured to be responsible for data security, and the security Processor may have a data processing function, so as to process more security related services and ensure data security of the system.
In terms of the arrangement of the trusted hardware, the trusted hardware may be arranged outside the processor or integrated with the processor in the same chip. In this example, the trusted hardware (e.g. the secure processor) may be built inside a CPU SOC (CPU chip on chip), and a firmware program of the trusted hardware may be issued by a CPU manufacturer, and services such as certificate management, cryptographic operation, and security function management are integrated inside the trusted hardware.
In the system architecture, the storage device 22 may be an external storage device (i.e., a storage device located outside an on-chip), the storage device 22 communicates with the processor 14 through a bus, the storage device 22 includes a controller 15 and a storage device, in this example, the storage device may be a hard disk 16, wherein the controller 15 further includes a check module 24 in addition to a control logic 23 for logic control, and the check module 24 may determine an access authority of the application 10, so that the controller 15 may perform access control on data in the storage device (e.g., the hard disk 16) based on the access authority of the application 10. In other examples, the storage device 22 may also be other external storage devices, such as a magnetic disk, an optical disk, and the like, or may also be a removable external storage device, such as a removable hard disk and the like.
In some alternative implementations, the check module 24 may authenticate the identity of the application by cryptographic verification in order to determine its corresponding access rights. To this end, the check module may include a calculation engine 25 (for example a MAC calculation engine, where MAC stands for Message Authentication Code), and the corresponding check algorithm may be a digest algorithm such as SM3 or SHA3 (SM3 is the hash algorithm of the Chinese commercial cryptography standards, SHA3 is the third-generation Secure Hash Algorithm). The check module 24 may further include a check parameter register 26 for storing the corresponding key information, check parameters and the like.
In this way, data isolation protection of the hard disk is realized by building cryptographic isolation and authentication management of the data into the storage device, and by introducing trusted hardware to act as the verification configuration manager of the controller.
Based on the optional architecture shown in fig. 3, in an optional implementation, fig. 4 shows an optional flow of the information configuration method provided by the embodiment of the present invention, and as shown in fig. 4, the flow may include:
step S10, the processor sends a configuration request of the application program to the trusted hardware, where the configuration request at least includes identity information of the application program.
In the process of executing the application program by the processor, if the application program has a requirement for data access to the storage device, the processor can send a configuration request of the application program to the trusted hardware to trigger a subsequent information configuration flow and perform corresponding verification information configuration.
It will be appreciated that the application program is executed by the processor, and that the application program's access to the storage device is likewise carried out by the processor; correspondingly, the steps of the application program's configuration flow are also performed by the processor.
The identity information of the application program is used for indicating whether the application program is legal or not, whether the application program has corresponding access authority or not, and the like. The identity information may be identity data representing the application, may also be identity data representing a user of the application, or may simultaneously represent the application and the user of the application.
The identity information may be certificate information of a public key certificate of the application program, the public key certificate may be a public key certificate signed by a chip private key of trusted hardware, and correspondingly, the certificate information may be certificate information of the public key certificate signed by the trusted hardware and used for authenticating the application program by the trusted hardware.
In an optional example, the public key certificate verification process may include: the processor generates a public and private key pair (namely a matched public key and a private key) belonging to the application program according to the information of the application program, and trusted hardware (such as a security processor) performs private key signature on the public key based on a chip private key of a chip where the trusted hardware is located to generate a public key certificate belonging to the application program, so that the application program obtains the public key certificate.
Specifically, after a public and private key pair belonging to the application program is generated, the trusted hardware manufacturer can confirm the identity of the application program, and after the identity is confirmed, the application program public key certificate is formed by using a chip private key signature of the trusted hardware.
In an alternative implementation, the configuration request may further include characteristic information of the application program, for example, an identification code of the application program, configuration information, or operation information, and the characteristic information may be at least part of basic data for generating the verification information.
Or, in some optional examples, the configuration request may further include authority configuration information of the application program, for example, read/write authority, and the access authority of the application program at least includes write authority.
Correspondingly, after the processor sends the configuration request, the trusted hardware can obtain the configuration request.
Step S11, the trusted hardware verifies the validity of the identity of the application program according to the identity information.
After the trusted hardware acquires the configuration request, the trusted hardware can verify the validity of the identity according to the identity information in the configuration request. When the identity information is the certificate information of the public key certificate of the application program, the trusted hardware can verify the public key certificate of the application program according to the certificate information, determine the validity of the public key certificate and further determine the validity of the identity of the application program.
When verifying the public key certificate of the application program according to the certificate information, the certificate can be verified by using the chip public key based on the certificate information, and the validity of the public key certificate is determined. If the identity of the application program is legal, executing step S12, and if the identity of the application program is illegal, returning an exception message to the processor, and exiting the information configuration flow.
Step S12, the trusted hardware generates the verification information corresponding to the application program.
When the identity of the application program is legal, the trusted hardware can generate verification information corresponding to the application program, so that the storage device configures the verification information.
The verification information is information for performing application authentication, and the verification information may be information for performing verification directly. Correspondingly, the identity information of the application program can be used as the verification information, and further when the application program accesses data, the identity information of the application program can be sent as the data to be verified, so that the verification of the application program can be realized.
Similarly, in other optional examples, the characteristic information of the application program may also be used as the verification information, or the characteristic information and the identity information of the application program may also be used as the verification information, and accordingly, when the application program accesses data, the data to be verified may also be obtained based on the corresponding information, so as to implement the verification of the application program.
Step S13, the trusted hardware sends configuration information to the storage device which the application program needs to access;
after the verification information is generated, the verification information may be sent to a storage device as configuration information, so as to configure the verification information in the storage device, and enable the storage device to determine the access right of the application program based on the verification information.
In an optional example, the configuration information may further include permission configuration information of the application program, so that the storage device determines a permission corresponding to the application program based on the permission configuration information. For example, an application program may be configured to have a write permission (i.e., to control application program write enable), so that when performing a write operation of the application program, if the identity of the application program is verified to be legitimate, it is determined that the application program has the write permission, and then the write operation of the application program is performed.
It should be noted that the storage device is a device having an access right configuration function, so that the configuration of the access right can be realized based on that function. In an optional example, the access right configuration function may also be turned on or off by an instruction from the trusted hardware. For example, the access right may be a write right, the instruction controlling it may be a write protection enabling instruction which configures write protection enabling information, and when that information indicates that the write protection function is enabled, the step of verifying the data to be verified based on the pre-configured verification information is performed. Concretely, the check module may test the write_protect bit in its check parameter register: write_protect = 1 means write protection is enabled and write_protect = 0 means it is disabled. The trusted hardware may be directed to issue the write protection enabling instruction either at system start-up or while the system is running, in both cases based on the user's selection.
Correspondingly, after the trusted hardware sends configuration information to the storage device to be accessed by the application program, the storage device may obtain the configuration information, so as to obtain the verification information in the configuration information.
Step S14, the storage device configures the verification information to determine the access authority of the application program based on the verification information;
after the verification information corresponding to the application program is acquired, the storage device can configure the verification information, so that the verification of the access authority of the application program is realized in the subsequent access process of the application program. The access right may include read, write, and executable rights, so that the storage device performs operations such as reading and writing to the storage device based on the authentication of the application program. In an optional example, the access right at least comprises a writing right, so that the writing operation of the application program is controlled, and when the verification passes, the corresponding application program has the writing right.
In performing the configuration information, the configuration process may be executed by a controller of the storage device, and the verification information may be stored in a verification parameter register of the storage device.
Step S15, the trusted hardware sends a feedback message to the processor;
it is to be understood that after the trusted hardware sends the configuration information, a processor is notified by a feedback message to cause the processor to execute the access of the application program to the storage device based on the feedback message.
When the application program accesses data, the data to be verified can be generated in a mode matched with the verification information, for example, the data to be verified is generated based on the characteristic data and the identity data of the application program, so that the storage device can verify the data to be verified, and the access right of the application program can be confirmed.
It can be understood that, in accessing the storage device, having the write right allows an application program to change the data stored there, which is crucial to data security: in typical threats such as ransomware, the data is encrypted and written back to the storage device, so that the user can only decrypt and recover the data in the storage device by obtaining the corresponding key.
According to the scheme provided by the embodiment of the invention, the corresponding verification information is configured for the storage equipment, so that the storage equipment can verify the identity of the application program based on the verification information, and the attack of viruses on the data in the storage equipment is resisted.
Moreover, because the identity of the application program is verified by the storage device itself, data protection is realized at the hardware level, so that even a privileged program cannot access hard disk data without passing verification, and the data security of the storage device is guaranteed. Further, since the verification information is generated by the trusted hardware, a privileged program cannot obtain it, the verification information itself is kept secure, and the hard disk data cannot be accessed at will by a privileged program.
In another optional example, the verification information may include encryption information used for encryption, so that the data is encrypted based on the encryption information, thereby increasing the complexity of the later data verification and ensuring the security of the data. During verification, the storage device may generate verification data for verification based on the encryption information, and the application program may acquire the verification information and generate data to be verified for verification based on the encryption information in the verification information, so as to implement verification of the data.
Accordingly, referring to the alternative flowchart of step S12 shown in fig. 5, the step S12 of generating the verification information corresponding to the application program may include:
step S121: generating encryption information for data encryption;
the encryption information is used for data encryption, and specifically, the encryption information may include a key used for encryption, or may further include encryption algorithm information used for data encryption. In an alternative example, the encryption may be performed by calculating a data digest, such as a MAC algorithm, and accordingly, the key may be a MAC-key.
The encryption information is used as the verification information, so that the data can be encrypted, the complexity of data verification is improved, and the safety of the data is guaranteed.
In some optional examples, the verification information may further include variable information as an encrypted data basis, and the variable information may be changed based on a preset rule, so that the variable information is represented as different values at different times, thereby further improving complexity of data encryption and ensuring security of data. Accordingly, the step S12 of generating the verification information corresponding to the application program may further include:
step S122: generating variable information;
the variable information may include an initial value and a corresponding algorithm (for embodying a change rule of the variable information), so that when the change rule and the initial value of the variable information are determined, a current value of the variable information may be calculated.
For example, the variable information may be a round value, which is incremented by 1 after each operation, so that once the initial value is determined the round value corresponding to each operation is determined.
When the verification information has both the encryption information and the variable information, the step S12 further includes:
step S123: and combining the encrypted information and the variable information to form verification information corresponding to the application program.
The encrypted information and the variable information may be merged based on different identifiers or different positions, so as to obtain the verification information through merging, and then the verification information is sent to a storage device.
Accordingly, when the storage device performs configuration of the verification information in step S14, the verification information may be stored in a verification parameter register of the storage device, where when the verification information includes variable information at the same time, a value in the verification parameter register changes based on a preset rule.
When the application program accesses data, the storage device may generate verification data based on the configured verification information, and the application program may also generate data to be verified based on the verification information, and compare and verify the generated data to be verified and the verification data generated by the storage device, thereby determining the access right of the application program. Therefore, in the embodiment of the present invention, the check information is further sent to the processor through a feedback message. Specifically, the feedback message includes the check information.
And sending the verification information to a processor, so that data to be verified corresponding to the application program can be generated based on the verification information, and then the application program is executed to access the storage device based on the verification information.
In an alternative example, the trusted hardware may encrypt the check information based on a public key of a corresponding application program in a public key certificate, and send an encrypted ciphertext to the processor. Accordingly, the processor may decrypt the ciphertext based on a private key corresponding to the public key of the application, thereby obtaining the verification information.
Accordingly, referring to the alternative flowchart of step S15 shown in fig. 6, the step S15 may include:
step S151, encrypting the verification information based on the public key in the public key certificate;
when the identity information of the application program is the certificate information of the public key certificate of the application program, the verification information may be encrypted based on the public key in the public key certificate. Accordingly, the processor may decrypt the verification information in the feedback message based on the private key of the application.
Step S152, generating a feedback message based on the encrypted ciphertext;
after the verification information is encrypted, the generated ciphertext may be sent to the application as at least a portion of the feedback message.
And step S153, sending the generated feedback message to the processor.
Based on the feedback message including the encrypted verification information, the processor may obtain the corresponding ciphertext based on the feedback message, and further obtain the corresponding verification message. Specifically, the processor may decrypt and obtain the check information in the feedback message based on the private key of the application program.
It should be noted that, when the verification information includes variable information, the application-side copy of the variable information has the same change rule and initial value as the copy in the storage device and changes in step with it, so that the values of the variable information on the application side and on the storage device side remain consistent.
The data is verified in an encryption mode, so that the complexity of later data verification can be improved, and the safety of the data is further guaranteed.
In the following, taking the writing of the data by the execution application as an example, a data access flow after the configuration of the check information is described, referring to an optional flow chart of the data access method shown in fig. 7, where the data access flow includes:
step S21, the processor generates data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be verified;
when the storage device to be accessed by the application program needs to be subjected to security verification, data to be processed including the data to be written and the data to be verified at the same time needs to be generated when the data is written.
It is understood that the data to be verified matches the verification information configured in the storage device. Specifically, when the verification information configured in the storage device is the identity information of the application program, the data to be verified may be the identity information of the application program; similarly, when the characteristic information of the application program is verification information, or the characteristic information and the identity information of the application program are simultaneously used as verification information, correspondingly, the data to be verified of the application program corresponds to the characteristic information of the application program, or the characteristic information of the application program and the identity information of the application program are used for realizing the verification of the application program based on the corresponding data to be verified.
The data to be processed can be set into data with a fixed format so as to realize normal use of a verification function in the controller. For example, taking 256-bit data as the data to be checked as an example, the data to be checked may be set at the head of the data to be processed, and the data to be written may be set at the tail of the data to be processed. Referring to the schematic structural diagram of the data to be processed shown in fig. 8, when an application needs to write data into a storage device, 256-bit data needs to be generated as the data to be checked each time the data is written, and the data to be checked is set at the head of the data to be written.
It should be noted that the format of the data to be processed may be completely transparent to the file system management in the kernel of the operating system.
Returning to fig. 7, referring to step S22, the processor sends the data to be processed to the storage device;
after the to-be-processed data is generated, the to-be-processed data can be sent to a storage device, so that the storage device writes the to-be-written data according to the authority of the application program after verifying the to-be-verified data according to verification information.
Step S23, the storage device checks the data to be checked based on the pre-configured checking information;
verifying the data to be verified to determine the access authority of the application program; when data writing is carried out, the access authority at least comprises a writing authority;
By judging whether the application program has the write authority, the data in the storage device can be protected from being tampered with by an application program lacking that authority; for example, the data in the storage device can be prevented from being encrypted by ransomware, so that the safety of the data is guaranteed.
If the data to be verified passes the verification, step S24 is executed; if it does not pass, the writer is regarded as illegal or as having suffered a virus attack, and the access process exits abnormally.
In other optional examples, the storage device further confirms whether the write protection function is enabled before checking, and if it is not enabled, directly performs step S24. In a specific example, it may be determined whether write_protect is equal to 1; if not, the write protection function is not enabled and step S24 is executed.
Step S24, the storage device writes the data to be written into the storage device;
it can be understood that, if the data to be verified passes the verification, the application program has a corresponding access right. When the access right at least comprises a writing right, the data to be verified passes verification, and then the data to be written can be written into the storage device.
It should be understood that the writing manner of the application program may be, for example, a DMA (Direct Memory Access) manner.
In another optional example, the verification information includes encryption information for encryption, and accordingly, when data access is performed, data to be verified for verification may be generated by encrypting the data based on the encryption information.
Accordingly, referring to the alternative flowchart of step S21 shown in fig. 9, the step of generating the data to be processed of step S21 may include:
step S211: acquiring data to be written of an application program;
when the verification information includes encryption information used for encryption, data to be written may be encrypted based on the encryption information, so that data verification is implemented based on encrypted data obtained by encryption as data to be verified.
Correspondingly, after the data to be written of the application program is generated, the data to be written can be obtained and used as a data basis for generating the data to be verified.
Step S212: encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
after the data to be written is obtained, the encryption of the data to be written may be performed based on the encryption information in the verification information.
Specifically, when the verification information only includes the encryption information, taking the encryption information as a key for encryption as an example, the encryption of the data to be written is performed based on the key. In an optional example, the key may be a MAC-key, and correspondingly, a MAC algorithm may be adopted, and the encryption of the data to be written is performed based on the MAC-key, and the encrypted data of the data to be written is used as the data to be verified.
In a further optional example, when the verification information further includes variable information, the step S212 may specifically be: and encrypting the data to be written based on the encryption information and the variable information to obtain the encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified.
The variable information may participate in the computation as a digest parameter. For example, with the encryption information being the key MAC-key, the variable information being the round value and the digest algorithm being SM3, the encrypted data is MAC = SM3(data to be written || MAC-key || round value), where || denotes concatenation.
It should be noted that, after the encryption calculation is performed, the variable information is changed based on a preset change rule. For example, if the variable information is a round value, the corresponding round value is incremented by 1 after each encryption operation is performed.
Step S213: merging the data to be verified and the data to be written into the data to be processed;
based on the fixed format set by the data to be processed, the data to be checked and the data to be written can be merged into the data to be processed. For example, taking 256-bit MAC value as the data to be checked as an example, the MAC value may be set at the head of the data, and the data to be written may be set at the rear of the MAC value.
Correspondingly, referring to the alternative flowchart of step S23 shown in fig. 10, in step S23, the corresponding verification process may include:
step S231, acquiring data to be written in the data to be processed;
after the data to be processed is received, the data to be written in the data to be processed can be determined based on the format of the data to be processed.
Step S232, based on the verification information, encrypting the data to be written to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
after the data to be written is acquired, the data may be encrypted based on the configured verification information.
Specifically, when the verification information only includes the encryption information, taking the encryption information as a key for encryption as an example, the encryption of the data to be written is performed based on the key. In an optional example, the key may be a MAC-key, and correspondingly, a MAC algorithm may be adopted, and the encryption of the data to be written is performed based on the MAC-key, and the encrypted data of the data to be written is used as the check data. Specifically, the verification module in the controller may be used to generate the verification data, and specifically, the calculation engine may be used to perform the cryptographic calculation.
In a further optional example, when the verification information further includes variable information, step S232 may specifically be: encrypting the data to be written based on the encryption information and the variable information to obtain the encrypted data of the data to be written, and taking that encrypted data as the verification data. For example, with the encryption information being the key MAC-key, the variable information being the round value and the digest algorithm being SM3, the check data is MAC = SM3(data to be written || MAC-key || round value).
It should be noted that, after the encryption calculation is performed, the variable information is changed based on a preset change rule. For example, if the variable information is a round value, the corresponding round value is incremented by 1 after each encryption operation is performed.
Step S233, comparing the data to be verified and the verification data;
if the data to be verified is matched with the verification data, the data to be verified passes the verification; and if the data to be verified is not matched with the verification data, the data to be verified is not verified.
And when the data to be verified does not pass the verification, the access process is abnormally exited.
Therefore, the data is verified in an encryption mode, the complexity of later data verification can be improved, and the safety of the data is further guaranteed.
It should be noted that the application itself may utilize a plurality of security technologies, such as encryption virtualization, TEE (Trusted Execution Environment), and the like, to ensure the security of the application, and to resist the attack of the virus on the application itself, which is not limited in the embodiment of the present invention.
In a specific example, referring to the schematic diagram of the data access flow shown in fig. 11, the data access flow includes:
When an application program needs to write data, it computes the corresponding MAC value (hereinafter the original MAC) over the data to be written and uses it as the data to be verified:
original MAC = SM3(data to be written || MAC-key || round value)
It then generates the data to be processed in the format shown in fig. 8 through the step of generating formatted data, and adds 1 to its round value.
Correspondingly, the controller in the storage device first determines whether the write protection function is enabled. If it is not, the DMA copy is executed directly and the data to be written is copied to the storage device. If it is, the controller uses the SM3 calculation engine to compute a check MAC value, as check data, from the MAC-key and round value it holds:
check MAC = SM3(data to be written || MAC-key || round value)
It then adds 1 to its round value and determines whether the computed check data equals the data to be verified, that is, whether the check MAC equals the original MAC. If they are equal, the DMA copy is executed and the data to be written is copied to the hard disk; if not, the flow exits with an error. In this ordering the round value is advanced before the comparison, so a write that fails the check still consumes a round on the storage device side, and the application program's round value will then be out of step with the storage device's.
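The fig. 11 flow written out in Go as an added example; it is not code from the patent or from Haiguang. It models both sides: the application computes the original MAC, places it at the head of the data to be processed with the payload at the tail, and advances its round value; the controller checks the write protection flag, recomputes the check MAC, advances its own round value and compares. SHA-256 stands in for SM3 (Go's standard library has no SM3), the round value is serialised as 8 big-endian bytes, the MAC occupies the first 32 bytes of the request, and the type and function names and the sample key are my own assumptions. The example keeps the page's SM3(data || key || round) shape; the standardised keyed construction HMAC would be the conventional choice for a keyed hash in a new design.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// VerifyInfo is the check information both sides hold after configuration:
// the MAC key and the round value (random initial value, +1 per computation).
type VerifyInfo struct {
	MACKey []byte
	Round  uint64
}

// checkMAC follows the page's construction MAC = SM3(data || MAC-key || round).
// Assumption: SHA-256 stands in for SM3, which Go's standard library lacks;
// the round value is serialised as 8 big-endian bytes.
func checkMAC(data, key []byte, round uint64) []byte {
	h := sha256.New()
	h.Write(data)
	h.Write(key)
	var r [8]byte
	binary.BigEndian.PutUint64(r[:], round)
	h.Write(r[:])
	return h.Sum(nil)
}

// BuildRequest is the processor side: the original MAC goes at the head of the
// data to be processed and the payload at the tail (assumed fig. 8 layout),
// then the application's round value is advanced.
func BuildRequest(app *VerifyInfo, payload []byte) []byte {
	mac := checkMAC(payload, app.MACKey, app.Round)
	app.Round++
	return append(mac, payload...)
}

// Controller models the storage-device controller: the write protection enable
// flag, the check parameter register, and the "hard disk" the DMA copy lands on.
type Controller struct {
	WriteProtect bool
	Param        VerifyInfo
	Disk         [][]byte
}

var ErrCheckFailed = errors.New("check MAC != original MAC: access exited with error")

// Write is the controller side of fig. 11: with write protection off, copy
// directly; otherwise recompute the MAC, advance the round value, then compare.
func (c *Controller) Write(req []byte) error {
	if len(req) < sha256.Size {
		return errors.New("malformed data to be processed")
	}
	original, payload := req[:sha256.Size], req[sha256.Size:]
	if c.WriteProtect {
		check := checkMAC(payload, c.Param.MACKey, c.Param.Round)
		c.Param.Round++ // the page advances the round value before comparing
		if subtle.ConstantTimeCompare(check, original) != 1 {
			return ErrCheckFailed
		}
	}
	c.Disk = append(c.Disk, append([]byte(nil), payload...)) // DMA copy
	return nil
}

func main() {
	key := []byte("constructed 32-byte MAC key 0000") // constructed sample key
	app := &VerifyInfo{MACKey: key, Round: 1000}
	ctl := &Controller{WriteProtect: true, Param: VerifyInfo{MACKey: key, Round: 1000}}

	req := BuildRequest(app, []byte("sector data written by the legitimate app"))
	fmt.Println("legitimate write:", ctl.Write(req)) // <nil>
	fmt.Println("replayed write:  ", ctl.Write(req)) // round value moved on: error
	forged := append(make([]byte, sha256.Size), []byte("malware payload")...)
	fmt.Println("forged write:    ", ctl.Write(forged)) // no key: error
	fmt.Println("sectors on disk: ", len(ctl.Disk))     // 1
}
```

The three calls in main are the three cases the text distinguishes: a legitimate write lands on the disk, a replay of the same request fails because the controller's round value has moved on, and a forged request fails because the attacker cannot compute the MAC without the key. With WriteProtect set to false the controller copies whatever it is given, exactly as the flow describes.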
In the following, the solution provided by the embodiments of the present invention is introduced from the perspective of the apparatus. Each apparatus described below may be regarded as the set of functional modules that a device needs to be configured with in order to implement the methods provided above; the contents of the apparatuses described below may be referred to in correspondence with the methods described above.
In an alternative implementation, fig. 12 shows an alternative block diagram of an information configuration apparatus provided by an embodiment of the present invention, where the information configuration apparatus is applicable to trusted hardware, and as shown in fig. 12, the information configuration apparatus may include:
a request obtaining module 100, configured to obtain a configuration request of an application, where the configuration request at least includes identity information of the application;
the identity authentication module 110 is configured to authenticate the validity of the identity of the application according to the identity information;
an information generating module 120, configured to generate, when the identity of the application is legal, verification information corresponding to the application;
an information sending module 130, configured to send configuration information to a storage device that the application needs to access, where the configuration information includes the verification information, so that the storage device determines an access right of the application based on the verification information.
Optionally, the information configuring apparatus further includes:
a feedback message sending module 140, configured to send a feedback message to a processor, so that the processor executes the access of the application program to the storage device based on the feedback message.
Optionally, the information generating module 120 is configured to generate verification information corresponding to the application program, and includes:
and generating encryption information for data encryption, wherein the encryption information is used as the verification information.
Optionally, the information generating module 120 is configured to generate verification information corresponding to the application program, and includes:
generating encryption information for data encryption;
generating variable information, wherein the variable information varies based on a preset rule;
and combining the encryption information and the variable information to form the verification information corresponding to the application program.
Optionally, the variable information is a round value, and the information generating module 120 is configured to generate the variable information, and includes: an initial value of the round value is randomly generated.
Optionally, the identity information is certificate information of a public key certificate of the application program, the public key certificate being signed with the chip private key of the trusted hardware, so that the trusted hardware verifies it against the corresponding chip public key.
Optionally, the feedback message sending module 140 is configured to send a feedback message to the processor, and includes:
encrypting the verification information based on a public key in the public key certificate;
generating a feedback message based on the encrypted ciphertext;
sending the generated feedback message to the processor.
Optionally, the information generating module 120 is configured to generate the verification information corresponding to the application program, and includes: and taking the identity information of the application program as verification information.
Optionally, the configuration request includes feature information of the application program, and the information generating module 120 is configured to generate verification information corresponding to the application program, and includes: taking the characteristic information of the application program as verification information; or, the characteristic information of the application program and the identity information of the application program are used as verification information.
Optionally, the configuration information further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
In an alternative implementation, fig. 13 shows an alternative block diagram of an information configuration apparatus provided in an embodiment of the present invention, where the information configuration apparatus is applicable to a storage device, and as shown in fig. 13, the information configuration apparatus may include:
an information obtaining module 200, configured to obtain configuration information, where the configuration information includes verification information corresponding to an application program, and the verification information is generated by trusted hardware when the identity of the application program is verified to be legitimate;
an information configuration module 210, configured to configure the verification information to determine the access right of the application program based on the verification information.
Optionally, the configuration information further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
In an alternative implementation, fig. 14 shows an alternative block diagram of an information configuring apparatus provided in an embodiment of the present invention, where the information configuring apparatus is applicable to a device for executing an application program, and specifically may be a processor, as shown in fig. 14, the information configuring apparatus may include:
a request sending module 300, configured to send a configuration request to the trusted hardware, the configuration request including at least the identity information of the application program, so that the trusted hardware verifies the validity of the application program's identity from the identity information and, when the identity is valid, generates the verification information corresponding to the application program, which the storage device the application program needs to access then configures in order to determine the application program's access permission from that verification information;
a feedback message obtaining module 310, configured to obtain a feedback message sent by trusted hardware, so as to execute access of an application program to the storage device based on the feedback message.
Optionally, the information configuring apparatus further includes:
a key generation module 320, configured to generate a public-private key pair belonging to the application according to the information of the application;
a key sending module 330, configured to send the public key of the public-private key pair to the trusted hardware, so that the trusted hardware signs that public key with the chip private key of the chip on which it resides, producing a public key certificate belonging to the application program;
the certificate obtaining module 340 is configured to obtain the public key certificate.
Optionally, the information configuring apparatus further includes:
and a decryption module 350, configured to decrypt, based on the private key of the application program, to obtain the verification information in the feedback message.
Optionally, the configuration information further includes permission configuration information of the application program, and the access permission of the application program at least includes a write permission.
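The configuration flow shared by the three apparatuses above (key generation and the certificate request on the processor, identity verification and generation of the verification information in the trusted hardware, configuration of the storage device's register, and the feedback message encrypted to the application's public key) as an added Go example; it is not code from the patent or from Haiguang. The page names no asymmetric algorithms, so ECDSA P-256 is assumed for the chip signature and RSA-OAEP for the feedback message; the certificate is simplified to the raw public key bytes plus the chip signature over them, the verification information is serialised as 32 key bytes followed by an 8-byte round value, and the type and function names are my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/binary"
	"errors"
	"fmt"
)

// VerifyInfo: the encryption information (MAC key) and variable information
// (round value with a random initial value) the trusted hardware generates.
type VerifyInfo struct {
	MACKey [32]byte
	Round  uint64
}

// PubKeyCert: the application's public key plus the chip private key's
// signature over it (a simplified public key certificate).
type PubKeyCert struct{ PubKeyDER, ChipSig []byte }

// TrustedHardware owns the chip key pair (assumption: ECDSA P-256; the page
// names no algorithm). StorageDevice holds the verification parameter register.
type TrustedHardware struct{ chipKey *ecdsa.PrivateKey }
type StorageDevice struct{ Register VerifyInfo }

func NewTrustedHardware() (*TrustedHardware, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &TrustedHardware{chipKey: k}, nil
}

// GenerateAppKey is the processor's key generation module (assumption: RSA-2048);
// it returns the key pair and the public key bytes sent to the trusted hardware.
func GenerateAppKey() (*rsa.PrivateKey, []byte, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	return k, x509.MarshalPKCS1PublicKey(&k.PublicKey), nil
}

// IssueCert signs the application's public key with the chip private key.
func (th *TrustedHardware) IssueCert(pubDER []byte) (PubKeyCert, error) {
	d := sha256.Sum256(pubDER)
	sig, err := ecdsa.SignASN1(rand.Reader, th.chipKey, d[:])
	if err != nil {
		return PubKeyCert{}, err
	}
	return PubKeyCert{PubKeyDER: pubDER, ChipSig: sig}, nil
}

// decodeInfo splits 40 bytes into the MAC key (32) and big-endian round value (8).
func decodeInfo(b []byte) (info VerifyInfo) {
	copy(info.MACKey[:], b[:32])
	info.Round = binary.BigEndian.Uint64(b[32:40])
	return info
}

// Configure handles the configuration request: verify the chip signature on the
// certificate, generate the verification information, configure it into the
// storage device, and return the feedback message encrypted to the app's key.
func (th *TrustedHardware) Configure(cert PubKeyCert, dev *StorageDevice) ([]byte, error) {
	d := sha256.Sum256(cert.PubKeyDER)
	if !ecdsa.VerifyASN1(&th.chipKey.PublicKey, d[:], cert.ChipSig) {
		return nil, errors.New("identity illegal: certificate not signed by this chip")
	}
	appPub, err := x509.ParsePKCS1PublicKey(cert.PubKeyDER)
	if err != nil {
		return nil, err
	}
	var buf [40]byte // random MAC key followed by a random initial round value
	if _, err := rand.Read(buf[:]); err != nil {
		return nil, err
	}
	dev.Register = decodeInfo(buf[:]) // configuration information to the storage device
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, appPub, buf[:], []byte("feedback"))
}

// DecryptFeedback is the processor's decryption module (application private key).
func DecryptFeedback(appKey *rsa.PrivateKey, feedback []byte) (VerifyInfo, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, appKey, feedback, []byte("feedback"))
	if err != nil || len(plain) != 40 {
		return VerifyInfo{}, errors.New("feedback message could not be decrypted")
	}
	return decodeInfo(plain), nil
}

func main() {
	th, _ := NewTrustedHardware()
	appKey, pubDER, _ := GenerateAppKey()
	cert, _ := th.IssueCert(pubDER)
	dev := &StorageDevice{}
	fb, _ := th.Configure(cert, dev)
	info, err := DecryptFeedback(appKey, fb)
	fmt.Println("same verification information on both sides:", err == nil && info == dev.Register)
}
```

Configure refuses a certificate signed by any key other than this chip's, so an application that has not been through the key sending step cannot obtain verification information, and only the holder of the application's private key can read the feedback message. The storage device's register and the application's decrypted copy end up identical, which is the precondition for the per-write check in the data access flow.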
In an alternative implementation, fig. 15 shows an alternative block diagram of a data access apparatus provided in an embodiment of the present invention, where the data access apparatus is applicable to a storage device, and as shown in fig. 15, the data access apparatus may include:
the data acquiring module 400 is configured to acquire to-be-processed data of an application program, where the to-be-processed data includes to-be-written data and to-be-verified data;
the data checking module 410 is configured to check the data to be checked based on pre-configured checking information to determine an access right of the application program; wherein the access rights comprise at least write rights;
a data writing module 420, configured to write the data to be written into the storage device when the data to be verified passes verification.
Optionally, the data checking module 410 is configured to check the data to be checked based on preconfigured checking information, and includes:
acquiring data to be written in the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
and comparing the data to be verified with the verification data, and if the data to be verified and the verification data are matched, the data to be verified passes the verification.
Optionally, the verification information is identity information of the application program, and/or feature information of the application program.
Optionally, the storage device is configured with write protection enabling information, and when the write protection enabling information indicates that a write protection function is enabled, the data verification module 410 executes the step of verifying the data to be verified based on the pre-configured verification information.
In an alternative implementation, fig. 16 shows an alternative block diagram of a data access apparatus, which may be applied to a device for executing an application program, specifically a processor. As shown in fig. 16, the data access apparatus may include:
the data generating module 500 is configured to generate to-be-processed data of an application program, where the to-be-processed data includes to-be-written data and to-be-verified data;
a data sending module 510, configured to send the data to be processed to a storage device, so that after the storage device verifies the data to be verified according to verification information, the data to be written is written according to the authority of the application program.
Optionally, the data generating module 500 is configured to set the data to be verified at a head of the data to be processed and set the data to be written at a tail of the data to be processed in a process of generating the data to be processed of the application program.
Optionally, the data generating module 500 is configured to generate to-be-processed data of an application program, and includes:
acquiring data to be written of an application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
and merging the data to be verified and the data to be written into the data to be processed.
Optionally, the data generating module 500 is configured to, in the process of generating to-be-processed data of an application program, use the identity information of the application program and/or the feature information of the application program as to-be-verified data.
Embodiments of the present invention further provide trusted hardware, which may be configured to execute the information configuration method from the trusted hardware perspective provided in the embodiments of the present invention; for specifics, refer to the description of the corresponding parts above, which is not repeated here.
Embodiments of the present invention further provide a storage device, which may be configured to execute the information configuration method and the data access method from the storage device perspective provided in the embodiments of the present invention; for specifics, refer to the description of the corresponding parts above, which is not repeated here.
An embodiment of the present invention also provides a storage device comprising a controller, where the controller may be configured to execute the information configuration method and the data access method from the storage device perspective provided in the embodiments of the present invention.
Optionally, the controller includes a verification module comprising a calculation engine and a verification parameter register; the calculation engine performs the cryptographic computation and the verification parameter register stores the verification information.
The method executed by the storage device is described in the corresponding parts above and is not repeated here.
Embodiments of the present invention further provide a processor configured to execute the information configuration method and the data access method from the processor perspective provided in the embodiments of the present invention; for specifics, refer to the description of the corresponding parts above.
An embodiment of the present invention further provides a data processing system, whose structure may be as shown in fig. 3; the data processing system may include the trusted hardware, the storage device and the processor provided by the embodiments of the present invention.
An embodiment of the present invention further provides a storage medium storing one or more computer-executable instructions, the instructions being for the information configuration method from the trusted hardware perspective, the information configuration method from the storage device perspective, the information configuration method from the processor perspective, the data access method from the storage device perspective, or the data access method from the processor perspective provided in the embodiments of the present invention.
While various embodiments of the present invention have been described above, various alternatives described in the various embodiments can be combined and cross-referenced without conflict to extend the variety of possible embodiments that can be considered disclosed and disclosed in connection with the embodiments of the present invention.
Although the embodiments of the present invention have been disclosed, the present invention is not limited thereto. Various changes and modifications may be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (35)

1. An information configuration method applied to trusted hardware includes:
acquiring a configuration request of an application program, wherein the configuration request at least comprises identity information of the application program;
verifying the validity of the identity of the application program according to the identity information;
if the identity of the application program is legal, generating verification information corresponding to the application program;
and sending configuration information to the storage equipment which needs to be accessed by the application program, wherein the configuration information comprises the verification information, so that the storage equipment determines the access authority of the application program based on the verification information.
2. The information configuration method according to claim 1, further comprising:
sending a feedback message to a processor to cause the processor to execute the access of the application program to the storage device based on the feedback message.
3. The information configuration method according to claim 2, wherein the generating of the verification information corresponding to the application program includes:
and generating encryption information for data encryption, wherein the encryption information is used as the verification information.
4. The information configuration method according to claim 2, wherein the generating of the verification information corresponding to the application program includes:
generating encryption information for data encryption;
generating variable information, wherein the variable information varies based on a preset rule;
and combining the encrypted information and the variable information to form verification information corresponding to the application program.
5. The information configuring method according to claim 4, wherein the variable information is a round value; the generating variable information includes: an initial value of the round value is randomly generated.
6. The information configuration method according to claim 3 or 4, wherein the identity information is certificate information of a public key certificate of the application program, the public key certificate being signed with a chip private key of the trusted hardware.
7. The information configuration method of claim 6, wherein the sending the feedback message to the processor comprises:
encrypting the verification information based on a public key in the public key certificate;
generating a feedback message based on the encrypted ciphertext;
sending the generated feedback message to the processor.
8. The information configuration method according to claim 1, wherein the step of generating the verification information corresponding to the application program includes: and taking the identity information of the application program as verification information.
9. The information configuration method according to claim 1, wherein the configuration request includes feature information of the application program, and the step of generating the verification information corresponding to the application program includes: taking the characteristic information of the application program as verification information; or, the characteristic information of the application program and the identity information of the application program are used as verification information.
10. The information configuration method according to claim 1, wherein the configuration information further includes authority configuration information of the application program, and the access authority of the application program includes at least write authority.
11. An information configuration method, applied to a storage device, includes:
acquiring configuration information, wherein the configuration information comprises verification information corresponding to an application program, and the verification information is generated by trusted hardware when the identity of the application program is verified to be legal;
configuring the verification information to determine access rights of the application based on the verification information.
12. The information configuration method according to claim 11, wherein the configuration information further includes authority configuration information of the application program, and the access authority of the application program includes at least write authority.
13. An information configuration method applied to a processor includes:
sending a configuration request to trusted hardware, wherein the configuration request at least comprises identity information of an application program, so that the trusted hardware verifies the validity of the identity of the application program based on the identity information, and generates check information corresponding to the application program when the identity of the application program is legal, so that a storage device to be accessed by the application program configures the check information to confirm the access authority of the application program based on the check information;
and acquiring a feedback message sent by the trusted hardware so as to execute the access of the application program to the storage device based on the feedback message.
14. The information configuration method according to claim 13, wherein before sending the configuration request to the trusted hardware, the method further comprises:
generating a public and private key pair belonging to the application program according to the information of the application program;
sending a public key in the public and private key pair to the trusted hardware, so that the trusted hardware carries out private key signature on the public key based on a chip private key of a chip where the trusted hardware is located, and a public key certificate belonging to the application program is generated;
and acquiring the public key certificate.
15. The information configuration method according to claim 13, wherein after obtaining the feedback message sent by the trusted hardware, the method further comprises:
and based on the private key of the application program, decrypting to obtain the verification information in the feedback message.
16. The information configuration method according to claim 13, wherein the configuration request further includes permission configuration information of the application program, and the access permission of the application program includes at least write permission.
17. A data access method is applied to a storage device and comprises the following steps:
acquiring data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be verified;
verifying the data to be verified based on pre-configured verification information to determine the access authority of the application program; wherein the access rights comprise at least write rights;
and if the data to be verified passes the verification, writing the data to be written into the storage equipment.
18. The data access method of claim 17, wherein the verifying the data to be verified based on the pre-configured verification information comprises:
acquiring data to be written in the data to be processed;
encrypting the data to be written based on the verification information to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as verification data;
and comparing the data to be verified with the verification data, and if the data to be verified and the verification data are matched, the data to be verified passes the verification.
19. The data access method of claim 17, wherein the verification information is identity information of the application program and/or characteristic information of the application program.
20. The data access method according to claim 17, wherein the storage device is configured with write protection enabling information, and when the write protection enabling information indicates that a write protection function is enabled, the step of verifying the data to be verified based on the pre-configured verification information is performed.
21. A data access method, applied to a processor, comprising:
generating data to be processed of an application program, wherein the data to be processed comprises data to be written and data to be verified;
and sending the data to be processed to a storage device, so that the storage device writes the data to be written in according to the authority of the application program after verifying the data to be verified according to verification information.
22. The data access method according to claim 21, wherein in the step of generating the to-be-processed data of the application program, the to-be-verified data is set at a head of the to-be-processed data, and the to-be-written data is set at a tail of the to-be-processed data.
23. The data access method according to claim 21 or 22, wherein the generating the to-be-processed data of the application program comprises:
acquiring data to be written of the application program;
encrypting the data to be written based on the verification information of the application program to obtain encrypted data of the data to be written, and taking the encrypted data of the data to be written as the data to be verified;
and merging the data to be verified and the data to be written into the data to be processed.
24. The data access method according to claim 21 or 22, wherein in the step of generating the data to be processed of the application program, the identity information of the application program and/or the characteristic information of the application program are/is the data to be verified.
25. An information configuring apparatus, comprising:
the device comprises a request acquisition module, a configuration module and a configuration module, wherein the request acquisition module is used for acquiring a configuration request of an application program, and the configuration request at least comprises identity information of the application program;
the identity authentication module is used for authenticating the validity of the identity of the application program according to the identity information;
the information generating module is used for generating verification information corresponding to the application program when the identity of the application program is legal;
and the information sending module is used for sending configuration information to the storage device which needs to be accessed by the application program, wherein the configuration information comprises the verification information, so that the storage device determines the access authority of the application program based on the verification information.
26. An information configuring apparatus, comprising:
the information acquisition module is used for acquiring configuration information, wherein the configuration information comprises check information corresponding to an application program, and the check information is generated by trusted hardware;
and the information configuration module is used for configuring the verification information so as to determine the access authority of the application program based on the verification information.
27. An information configuring apparatus, comprising:
a request sending module, configured to send a configuration request to trusted hardware, where the configuration request at least includes identity information of an application program, so that the trusted hardware verifies validity of the identity of the application program based on the identity information, and when the identity of the application program is valid, generates verification information corresponding to the application program, so that a storage device to be accessed by the application program configures the verification information, and confirms access permission of the application program based on the verification information;
and the feedback message acquisition module is used for acquiring the feedback message sent by the trusted hardware so as to execute the access of the application program to the storage device based on the feedback message.
28. A data access device, comprising:
the data acquisition module is used for acquiring data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be verified;
the data verification module is used for verifying the data to be verified based on pre-configured verification information so as to determine the access authority of the application program; wherein the access rights comprise at least write rights;
and the data writing module is used for writing the data to be written into the storage equipment when the data to be verified passes verification.
29. A data access device, comprising:
the data generating module is used for generating data to be processed of the application program, wherein the data to be processed comprises data to be written and data to be verified;
and the data sending module is used for sending the data to be processed to a storage device so that the storage device writes the data to be written in according to the authority of the application program after checking the data to be checked according to the checking information.
30. Trusted hardware, characterized in that it is configured to perform the information configuration method according to any of claims 1-10.
31. A storage device, characterized in that the storage device comprises a controller configured to execute the information configuration method according to any one of claims 11 to 12 and the data access method according to any one of claims 17 to 20.
32. The storage device of claim 31, wherein the controller comprises a verification module, the verification module comprising a calculation engine and a verification parameter register, the calculation engine configured to perform cryptographic calculations, the verification parameter register configured to store verification information.
33. A processor, characterized in that the processor is configured to execute the information configuration method of any one of claims 13 to 16 and the data access method of any one of claims 21 to 24.
34. A data processing system, comprising:
the trusted hardware of claim 30, the storage device of any one of claims 31-32, and the processor of claim 33.
35. A storage medium storing one or more computer-executable instructions for performing the information configuration method of any one of claims 1-10, or the information configuration method of any one of claims 11-12, or the information configuration method of any one of claims 13-16, or the data access method of any one of claims 17-20, or the data access method of any one of claims 21-24.
CN202111454122.4A 2021-12-01 2021-12-01 Information configuration method, data access method, related device and equipment Active CN114091027B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111454122.4A CN114091027B (en) 2021-12-01 2021-12-01 Information configuration method, data access method, related device and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111454122.4A CN114091027B (en) 2021-12-01 2021-12-01 Information configuration method, data access method, related device and equipment

Publications (2)

Publication Number Publication Date
CN114091027A true CN114091027A (en) 2022-02-25
CN114091027B CN114091027B (en) 2023-08-29

Family

ID=80306097

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111454122.4A Active CN114091027B (en) 2021-12-01 2021-12-01 Information configuration method, data access method, related device and equipment

Country Status (1)

Country Link
CN (1) CN114091027B (en)

Citations (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070226505A1 (en) * 2006-03-27 2007-09-27 Brickell Ernie F Method of using signatures for measurement in a trusted computing environment
CN201549223U (en) * 2009-05-04 2010-08-11 同方股份有限公司 Trusted secure portable storage device
CN102393836A (en) * 2011-10-31 2012-03-28 北京天地融科技有限公司 Mobile memory and access control method and system for mobile memory
US20140317690A1 (en) * 2011-05-06 2014-10-23 Tele-Id.Nl B.V. Method and System for Allowing Access to a Protected Part of a Web Application
CN104318176A (en) * 2014-10-28 2015-01-28 东莞宇龙通信科技有限公司 Terminal and data management method and device thereof
CN105282117A (en) * 2014-07-21 2016-01-27 中兴通讯股份有限公司 Access control method and device
US20160085763A1 (en) * 2014-09-24 2016-03-24 Intel Corporation Contextual application management
CN106161028A (en) * 2015-04-17 2016-11-23 国民技术股份有限公司 Safety chip, communication terminal and the method improving communication security
CN106528690A (en) * 2016-10-31 2017-03-22 维沃移动通信有限公司 Method for accessing storage medium by application and mobile terminal
CN106657052A (en) * 2016-12-16 2017-05-10 湖南国科微电子股份有限公司 Access management method and system for storage data
CN106899963A (en) * 2017-02-07 2017-06-27 上海斐讯数据通信技术有限公司 Mobile hard disk and application method with sharing functionality
CN107330305A (en) * 2017-06-28 2017-11-07 北京小米移动软件有限公司 To the access right control method and device of data in the external storage of mobile terminal
CN108390892A (en) * 2018-03-31 2018-08-10 北京联想核芯科技有限公司 A kind of control method and device of remote storage system secure access
CN109257391A (en) * 2018-11-30 2019-01-22 北京锐安科技有限公司 A kind of access authority opening method, device, server and storage medium
CN109522060A (en) * 2018-10-16 2019-03-26 深圳壹账通智能科技有限公司 The restoring method and terminal device of business scenario
CN110457925A (en) * 2019-08-12 2019-11-15 深圳市网心科技有限公司 Data isolation method, device, terminal and storage medium are applied in the storage of inside and outside
CN111159762A (en) * 2019-12-23 2020-05-15 北京工业大学 Method and system for verifying credibility of main body under mandatory access control
CN111431707A (en) * 2020-03-19 2020-07-17 腾讯科技(深圳)有限公司 Service data information processing method, device, equipment and readable storage medium
CN111756698A (en) * 2020-05-27 2020-10-09 浪潮电子信息产业股份有限公司 Message transmission method, device, equipment and computer readable storage medium
CN111885196A (en) * 2020-07-31 2020-11-03 支付宝(杭州)信息技术有限公司 Method, device and system for accessing equipment data of Internet of things cloud platform
CN112433817A (en) * 2020-11-27 2021-03-02 海光信息技术股份有限公司 Information configuration method, direct storage access method and related device
CN112540831A (en) * 2020-12-23 2021-03-23 海光信息技术股份有限公司 Virtual trusted environment loading and running method, data processing device and safety processing device
CN112784262A (en) * 2021-01-06 2021-05-11 北京小米移动软件有限公司 Data access method, device, terminal and storage medium
CN113010911A (en) * 2021-02-07 2021-06-22 腾讯科技(深圳)有限公司 Data access control method and device and computer readable storage medium
CN113282951A (en) * 2021-03-12 2021-08-20 北京字节跳动网络技术有限公司 Security verification method, device and equipment for application program
CN113468618A (en) * 2021-05-28 2021-10-01 邓丰赣 Mobile hard disk multi-security-level interaction method and system

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
JIANXIONG SHAO et al.: "Formal Analysis of Enhanced Authorization in the TPM 2.0", pages 1 - 12, Retrieved from the Internet <URL:published online: https://dl.acm.org/doi/abs/10.1145/2714576.2714610> *
SHARAYU N. BONDE: "Data Retrieval with secure CP-ABE in Splittened Storage", pages 1 - 6, XP033081628, Retrieved from the Internet <URL:published online: https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=7889837> DOI: 10.1109/CESYS.2016.7889837 *
杨中皇 et al.: "Remote management of mobile devices based on SEAndroid", Journal of Xi'an University of Posts and Telecommunications, vol. 23, no. 3, pages 13 - 20 *
谢清钟 et al.: "Research and design of a secure access control *** for financial self-service devices", Science and Technology Innovation, pages 64 - 66 *

Also Published As

Publication number Publication date
CN114091027B (en) 2023-08-29

Similar Documents

Publication Publication Date Title
US11630904B2 (en) System, apparatus and method for configurable trusted input/output access from authorized software
CN109313690B (en) Self-contained encrypted boot policy verification
US10547604B2 (en) Information recording apparatus with shadow boot program for authentication with a server
US9135417B2 (en) Apparatus for generating secure key using device and user authentication information
KR100737628B1 (en) Attestation using both fixed token and portable token
US10771264B2 (en) Securing firmware
US7986786B2 (en) Methods and systems for utilizing cryptographic functions of a cryptographic co-processor
US8898477B2 (en) System and method for secure firmware update of a secure token having a flash memory controller and a smart card
US9507964B2 (en) Regulating access using information regarding a host machine of a portable storage drive
KR20190063264A (en) Method and Apparatus for Device Security Verification Utilizing a Virtual Trusted Computing Base
WO2020192406A1 (en) Method and apparatus for data storage and verification
US10897359B2 (en) Controlled storage device access
US10282549B2 (en) Modifying service operating system of baseboard management controller
KR20090078551A (en) Method and apparatus for authorizing host in portable storage device and providing information for authorizing host, and computer readable medium thereof
US11838282B2 (en) Information recording apparatus with server-based user authentication for accessing a locked operating system storage
WO2022052665A1 (en) Wireless terminal and interface access authentication method for wireless terminal in uboot mode
CN116566613A (en) Securing communications with a secure processor using platform keys
CN114091027B (en) Information configuration method, data access method, related device and equipment
CN117786667B (en) Process authority management method, system and storage medium for controllable computation
JP5355351B2 (en) Computer
WO2023200487A1 (en) Firmware controlled secrets
JP5126530B2 (en) External storage device with function to measure computer environment
CN114840863A (en) Secure storage method and system based on trusted embedded device and FTP
CN115756515A (en) Method, device and equipment for verifying container software deployment permission and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant