CN115292727A - TrustZone-based root file system encryption method, device, equipment and storage medium - Google Patents


Info

Publication number
CN115292727A
Authority
CN
China
Prior art keywords
file system
key
root file
equipment
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210825118.2A
Other languages
Chinese (zh)
Inventor
向宏卫
黄挺进
陈小川
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenzhen Qixin Information Technology Co ltd
Original Assignee
Shenzhen Qixin Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenzhen Qixin Information Technology Co ltd filed Critical Shenzhen Qixin Information Technology Co ltd
Priority to CN202210825118.2A priority Critical patent/CN115292727A/en
Publication of CN115292727A publication Critical patent/CN115292727A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Abstract

The invention provides a TrustZone-based root file system encryption method, device, equipment and storage medium. The method comprises: encrypting a root file system to form an encrypted root file system; generating an image file of the encrypted root file system; programming the image file into the device; encrypting the key of the encrypted root file system and storing it in a secure storage area of the device; and, during device startup, reading the key stored on the device, decrypting the encrypted root file system with the decrypted key, and mounting the decrypted root file system. The invention makes full use of the high security and low cost of ARM TrustZone technology and strengthens the security of key management, thereby achieving high-strength encryption of the root file system.

Description

TrustZone-based root file system encryption method, device, equipment and storage medium
Technical Field
The invention relates to the technical field of secure storage, in particular to a root file system encryption method, a root file system encryption device, root file system encryption equipment and a storage medium based on TrustZone.
Background
File system encryption is an effective means of protecting sensitive user data and preventing information leakage. In deployments of Linux-based SHA256 servers, the firmware is usually published externally and the end user's key data is stored in the root file system; a hacker only needs to decompress and tamper with the firmware's root file system and then burn the tampered firmware again to take control of the server.
To address this, the root file system can be encrypted so that important data cannot be leaked or tampered with. Traditional encrypted file systems, however, have defects such as incomplete data protection and excessive system load, and cannot meet user requirements well.
Although LUKS (Linux Unified Key Setup) provides a standard for Linux hard disk partition encryption, the key is recorded in a file in plaintext, so conventional LUKS encryption offers low security: a hacker can mount the hard disk, read the configuration file at its fixed path to obtain the key file path, and then read the plaintext key directly. This is a serious security risk and cannot meet customers' actual requirements.
Disclosure of Invention
The invention provides a root file system encryption method, a root file system encryption device, equipment and a storage medium based on TrustZone, which are used for solving various problems that the encryption security of the existing LUKS encryption root file system is low, the user requirements cannot be well met and the like.
In a first aspect, the present invention provides a root file system encryption method based on TrustZone, including:
encrypting the root file system to form an encrypted root file system;
generating a mirror image file of the encrypted root file system;
programming the mirror image file into equipment;
encrypting the key of the encryption root file system and storing the key into a safe storage area of the equipment;
and in the process of starting the equipment, reading the key stored on the equipment, decrypting the encrypted root file system by using the decrypted key, and mounting the decrypted root file system.
According to the encryption method for the root file system based on TrustZone provided by the invention, the encryption processing for the root file system comprises the following steps:
creating a blank virtual root file system;
creating a mapping partition of a virtual root file system;
formatting the mapping partition;
mounting a mapping partition;
copying the original root file system content to the mounted mapping partition;
and closing the mapping to finish the manufacture of the encryption root file system.
According to the root file system encryption method based on TrustZone provided by the invention, the encryption of the key of the root file system encryption and the storage of the key in the safe storage area of the equipment comprises the following steps:
issuing the key to the device from the host side over a serial connection;
when the equipment is in a UBOOT stage, transmitting the key to a safety system of the equipment, and encrypting the key in the safety system;
the encrypted key is transmitted back to the REE file system;
the encrypted key is saved to a secure storage area in the REE file system.
According to the TrustZone-based root file system encryption method provided by the invention, during device startup, the key stored in the secure storage area is read;
sending the read key to the security system, and calling a TA interface to decrypt it;
storing the decrypted key in the security system, and calling a TA interface to read the key through a command when needed;
decrypting the root file system by using the decrypted key;
mounting the decrypted root file system.
According to the root file system encryption method based on TrustZone provided by the invention, the encryption of the key of the root file system and the storage of the encrypted key in the secure storage area of the equipment comprises the following steps:
when the TA calls the write function provided by the GP standard API library to write the key into a persistent object, the corresponding system call implemented in the TEE secure storage SVC is invoked. The TEE secure storage SVC performs a series of TEE file operations to store the key data and passes the key data to the TEE file system through the TEE file system interface. The TEE file system then encrypts the key and sends the REE file operation commands and the encrypted data to the REE file system through a series of RPC messages; the REE file system stores the encrypted data in the Linux file system, which saves the encrypted key to the secure storage area on the FLASH.
According to the encryption method of the root file system based on TrustZone, when equipment is in an UBOOT stage, after a secret key is transmitted to a safety system of the equipment, the secret key transmitted through a serial port is decrypted, and the original secret key is encrypted once again by using an encryption interface of the safety system; the encrypted key is passed back to the REE file system.
According to the root file system encryption method based on TrustZone provided by the invention, the mounting of the decrypted root file system comprises the following steps:
the Linux kernel provides Device Mapper, a mapping mechanism from logical devices to physical devices, comprising a mapped device, a mapping table and a target device. The mapped device is a logical abstraction that is mapped to the target device through the mapping relation described by the mapping table. The root file system is mapped to the /dev/dm-0 device through Device Mapper, and /dev/dm-0 is formatted with a file system and then mounted to the root directory of the Linux file system.
In a second aspect, the present invention further provides a TrustZone-based root file system encryption apparatus, including:
the TrustZone processor is used for executing the security application program isolated from the common application program and accessing the memory space reserved for the security program;
the BootLoader program on the TrustZone processor is used for initializing the system;
permanent memory or one-time programmable memory on the TrustZone processor, used as storage device or storage management key;
and RAM on the TrustZone processor for storing and running the security code.
A peripheral device to provide a secure application access channel.
Therefore, the invention has the following beneficial effects:
1. High security: a root file system encrypted with the traditional scheme is almost equivalent to an unencrypted one and is very easy to crack. A root file system encrypted with this method no longer stores the key file in plaintext; instead, the key file is stored in encrypted form in TrustZone. Obtaining the plaintext key in the REE is restricted: it can only be obtained through the TA when the device starts and cannot be obtained in any other way, which significantly raises the difficulty of cracking and protects the data on the root file system more safely. The method can mainly be used to protect SHA256 server products, preventing important data on the server from being stolen or tampered with by others and greatly improving the security of root file system data.
2. The speed is high: the TEE realizes a common cryptographic algorithm framework of encryption, decryption, signature verification and digest calculation, so the method of the invention has the advantages of short time consumption and capability of quickly decrypting and mounting the encrypted root file system on the premise of not influencing the starting speed of the system.
3. The method is easy to realize: the client interface programming implementation based on GP (Global Platform, GP) definition is simple and clear.
In a third aspect, the present invention also provides an electronic device, including:
a memory storing computer-executable instructions;
a processor configured to execute the computer-executable instructions,
wherein the computer executable instructions, when executed by the processor, implement the steps of any of the above-described TrustZone-based root File System encryption methods.
In a fourth aspect, the present invention further provides a computer-readable storage medium, wherein the computer-readable storage medium stores computer-executable instructions, which when executed by a processor, implement the steps of any one of the above-mentioned TrustZone-based root file system encryption methods.
Thus, the present invention provides an electronic device and a storage medium for TrustZone-based root file system encryption, which includes: one or more memories, one or more processors. The memory is used for storing the program codes and intermediate data generated in the program running process, storing the model output result and storing the model and the model parameters; the processor is used for processor resources occupied by code running and a plurality of processor resources occupied when the model is trained.
The present invention will be described in further detail with reference to the accompanying drawings and specific embodiments.
Drawings
Fig. 1 is a flowchart of an embodiment of a root file system encryption method based on TrustZone in the present invention.
Fig. 2 is a flowchart of the root file system encryption method based on TrustZone according to the embodiment of the present invention, about making an encrypted root file system.
Fig. 3 is a schematic diagram of TEE storage according to an embodiment of the root file system encryption method based on TrustZone of the present invention.
Fig. 4 is a schematic diagram of burning a key according to an embodiment of the root file system encryption method based on TrustZone of the present invention.
Fig. 5 is a schematic diagram of a root file system encryption method based on TrustZone according to an embodiment of the present invention, with respect to a read key.
Fig. 6 is a schematic diagram of a root file system encrypted method based on TrustZone according to an embodiment of the present invention, regarding mounting the decrypted root file system.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be obtained by a person skilled in the art without inventive step based on the embodiments of the present invention, are within the scope of protection of the present invention.
Referring to fig. 1, a TrustZone-based root file system encryption method includes the following steps:
step S1, encrypting the root file system to form an encrypted root file system.
And S2, generating an image file of the encryption root file system, namely packaging the encryption root file system to the image file.
And S3, starting the equipment, and programming the mirror image file into the equipment.
And S4, encrypting the key of the encryption root file system and storing the key into a safe storage area of the equipment, namely, programming the key to the equipment.
And S5, reading the secret key stored in the equipment in the starting process of the equipment, decrypting the encrypted root file system by using the decrypted secret key, and mounting the decrypted root file system.
Therefore, the invention provides a method for encrypting the root file system based on the ARM TrustZone technology, and in the method, the safety of key management is increased by fully utilizing the high safety and low cost of the ARM TrustZone technology, so that the aim of encrypting the root file system with high strength is fulfilled. The method improves the security of key storage on one hand, and can increase the security of the system on the other hand.
Therefore, the invention provides a method for realizing the encryption of the file system by fully utilizing the ARM TrustZone technology and completing the storage of the encryption key aiming at the problems of the LUKS encryption root file system at present, which has simple principle and convenient operation, thereby overcoming the problem that the encryption file system is cracked when the encryption key is leaked in the encryption of the file system in the prior method. In addition, the invention is applicable to any root file system encryption situation.
In this embodiment, mapping, formatting, opening and mounting of the root file system partition are performed with the cryptsetup and openssl tools. In step S1, encrypting the root file system includes:
creating a blank virtual root file system;
creating a mapping partition of a blank virtual root file system;
formatting the mapping partition;
mounting a mapping partition;
copying the original root file system content to the mounted mapping partition;
and closing the mapping, namely unloading and then closing to finish the manufacture of the encryption root file system.
Through the steps, the encryption of the root file system is completed, and then the encrypted root file system is packaged into the mirror image file, namely the manufactured encrypted root file system is packaged into the mirror image file.
In step S4, starting the device and programming the key to the device, that is, saving the key of the encrypted root file system to the secure storage area on the FLASH, includes:
sending the key to the device from a host-side tool over a serial connection;
communicating with the TEE of the device, transmitting the key to the security system of the device when the device is in the UBOOT stage, and encrypting the key in the security system;
the encrypted key is transmitted back to the REE file system;
the encrypted key is stored, in the REE file system, in a specific area on the FLASH, namely the secure storage area on the FLASH; this area is not mapped to logical sectors, cannot be accessed by conventional data operations, and is not erased during normal mass production.
All the steps in the step S4 need only be executed once in the device production stage, and the stored key is directly read in each subsequent device start-up process.
In the step S5, in the process of starting the device, the key stored in the secure storage area is read, that is, the encrypted key stored in the FLASH is read in the self-starting script;
sending the read key to a security system, and calling a TA interface to decrypt;
storing the decrypted key in a security system, and calling a TA interface to read the key through a command when needed;
decrypting the root file system by using the decrypted key;
and mounting the decrypted root file system.
In step S4, encrypting and saving the key of the encrypted root file system to the secure storage area of the device includes:
when the TA calls the write function provided by the GP standard API library to write the key into a persistent object, the corresponding system call implemented in the TEE secure storage SVC is invoked. The TEE secure storage SVC performs a series of TEE file operations to store the key data and passes the key data to the TEE file system through the TEE file system interface. The TEE file system then encrypts the key and sends the REE file operation commands and the encrypted data to the REE file system through a series of RPC messages; the REE file system stores the encrypted data in the Linux file system, which saves the encrypted key to the secure storage area on the FLASH.
When the equipment is in the UBOOT stage, after the secret key is transmitted to the safety system of the equipment, the secret key transmitted through the serial port is decrypted, and the original secret key is encrypted again by using an encryption interface of the safety system; the encrypted key is passed back to the REE file system.
Specifically, first, an encrypted root file system (assume it is named rootfs_inc.ext4) is produced from the original root file system (assume it is named rootfs_ori.ext4) by the module that creates the encrypted root file system. Then, when the SDK (Software Development Kit, SDK) packages the firmware, rootfs_inc.ext4 is used in place of rootfs_ori.ext4 to produce an image file with an encrypted root file system, and the image is burned into the SHA256 server. The first time the SHA256 server boots, the key of the encrypted root file system needs to be saved to the device. Finally, the stored key is read to decrypt the root file system, completing the mounting and startup of the root file system.
As shown in FIG. 2, FIG. 2 is an exemplary process of making an encrypted root file system of the present invention. In a particular embodiment, encryption of the root file system is accomplished with LUKS and the cryptsetup tool:
step S11, using the dd command: dd if=/dev/zero of=root.ext4 bs=1M count=64, create a virtual root file system;
step S12, using the luksFormat command: format the created virtual root file system as a LUKS root file system; the encryption key must be entered in this command, which completes the encryption of the root file system;
step S13, using the luksOpen command: cryptsetup luksOpen rootfs.ext4 luks, map the root file system to the LUKS partition /dev/mapper/luks; the encrypted root file system can be opened only through this mapping;
step S14, using the mkfs.ext4 command: mkfs.ext4 /dev/mapper/luks, format the mapped partition;
step S15, using the mount command: mount /dev/mapper/luks /rootfs_enc/, mount the mapped partition;
step S16, using the cp command: cp -arf rootfs_ori/ rootfs_enc/, copy the content of the original root file system into the mapped partition;
step S17, using the umount and luksClose commands: umount /rootfs_enc/ followed by cryptsetup luksClose, unmount and then close the mapping to finish making the encrypted root file system.
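Steps S11 to S17 above, collected into one shell script as an added example (not code from the patent). The image, directory and key-file names, the --key-file and --batch-mode options, the cp -a form and the DRY_RUN switch are assumptions; one image name is used throughout, and the key is read from a file on tmpfs instead of being typed at the prompt.

```shell
#!/bin/sh
# Added example: steps S11-S17 as one script. File names, the key-file path
# and the DRY_RUN switch are assumptions, not values from the patent.
# Usage:  sh make_enc_rootfs.sh build            (prints the commands)
#         DRY_RUN=0 sh make_enc_rootfs.sh build  (as root: executes them)
set -eu

IMG="${IMG:-rootfs_enc.ext4}"              # encrypted image to produce
SRC="${SRC:-rootfs_ori}"                   # directory with the original rootfs
MNT="${MNT:-rootfs_enc}"                   # temporary mount point
MAP="${MAP:-luks}"                         # mapping name -> /dev/mapper/luks
SIZE_MB="${SIZE_MB:-64}"                   # image size used in step S11
KEYFILE="${KEYFILE:-/dev/shm/rootfs.key}"  # key kept on tmpfs, never in the image
DRY_RUN="${DRY_RUN:-1}"                    # 1 = print the commands, 0 = execute

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# If a step fails half-way, do not leave the plaintext mapping open.
cleanup() {
    if mountpoint -q "$MNT" 2>/dev/null; then umount "$MNT" || true; fi
    if [ -e "/dev/mapper/$MAP" ]; then cryptsetup luksClose "$MAP" || true; fi
}

build_encrypted_rootfs() {
    # S11: blank container file
    run dd if=/dev/zero of="$IMG" bs=1M count="$SIZE_MB"
    # S12: write the LUKS header; --batch-mode skips the confirmation prompt
    run cryptsetup --batch-mode luksFormat --key-file "$KEYFILE" "$IMG"
    # S13: open the container as /dev/mapper/$MAP
    run cryptsetup luksOpen --key-file "$KEYFILE" "$IMG" "$MAP"
    # S14: file system inside the mapping
    run mkfs.ext4 "/dev/mapper/$MAP"
    # S15: mount the mapping
    run mkdir -p "$MNT"
    run mount "/dev/mapper/$MAP" "$MNT"
    # S16: copy the original content, preserving owners, modes and links
    run cp -a "$SRC/." "$MNT/"
    # S17: unmount first, then close the mapping
    run umount "$MNT"
    run cryptsetup luksClose "$MAP"
}

# The finished image must carry a LUKS header and have no open mapping.
verify_image() {
    cryptsetup isLuks "$IMG" && [ ! -e "/dev/mapper/$MAP" ]
}

if [ "${1:-}" = "build" ]; then
    if [ "$DRY_RUN" != 1 ]; then trap cleanup EXIT; fi
    build_encrypted_rootfs
    if [ "$DRY_RUN" != 1 ]; then
        verify_image || { echo "verification failed: $IMG" >&2; exit 1; }
        echo "image OK: $IMG"
    fi
fi
```

The key file only exists on the build host; on the device the same key is what step S4 wraps inside the security system.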
Because storage of the key of the encrypted root file system is particularly important, the key is encrypted by the security system and then stored on the FLASH, making full use of the technical characteristics of ARM TrustZone. Since the whole encryption and decryption process is performed inside the security system, the security of key storage is guaranteed. As shown in fig. 3, fig. 3 is a schematic diagram of TEE storage according to the present invention, which includes: the Linux kernel provides Device Mapper, a mapping mechanism from logical devices to physical devices, comprising a mapped device, a mapping table and a target device. The mapped device is a logical abstraction that is mapped to the target device through the mapping relation described by the mapping table. The root file system is mapped to the /dev/dm-0 device through Device Mapper, and /dev/dm-0 is formatted with a file system and then mounted to the root directory of the Linux file system.
As shown in FIG. 4, FIG. 4 is an exemplary process of burning a key according to the present invention. First, a host-side tool sends the key to the device over a serial connection, and the key is encrypted in transit to prevent leakage. Then, at the UBOOT stage of the device, the key is passed to the security system, where it is decrypted and then encrypted; the decryption and the encryption here do not use the same key: the decryption recovers the key transmitted over the serial port, and the encryption re-encrypts the original key using the encryption interface of the security system. The encrypted key is then passed back to the REE. Finally, in the REE, the encrypted key is stored in the secure storage area on the FLASH.
As shown in fig. 5, fig. 5 is an exemplary process of reading a key according to the present invention. Firstly, reading the encrypted key stored on the FLASH in the self-starting script, then sending the encrypted key to the security system, calling the TA to decrypt, storing the decrypted key in the security system, and calling the TA to read when necessary.
Finally, the root file system is decrypted with the decrypted key and the decrypted root file system is mounted, ensuring that the system starts smoothly. As shown in fig. 6, Device Mapper is registered in the kernel as a block device driver and includes three parts: the mapped device, the mapping table and the target device. The mapped device is a logical abstraction that is mapped to the target device through the mapping relation described by the mapping table; here the mapping relation is encryption. In FIG. 6, /dev/nand0p1 is mapped to the /dev/dm-0 device through Device Mapper, and /dev/dm-0 is mounted to the /root directory after being formatted with a file system.
In order to better implement the present invention, the present invention also has additional steps in terms of system security, such as encrypting the memory file system (RAMFS), closing telnet, and adding network security.
The invention also provides a root file system encryption device based on TrustZone, which comprises:
the TrustZone processor is used for executing the security application program isolated from the common application program and accessing the memory space reserved for the security program;
the BootLoader program on the TrustZone processor is used for initializing the system;
permanent memory or one-time programmable memory on the TrustZone processor, used as storage device or storage management key;
and RAM on the TrustZone processor for storing and running the security code.
Other resources, such as peripherals that are configured to be accessed only by secure applications, are used to provide secure application access channels.
Specifically, the TrustZone in this embodiment is ARM TrustZone, which separates two parallel execution environments: a non-secure "normal" execution environment and a secure, trusted "secure" environment. The secure monitor (Monitor) controls transitions between the "secure" and "normal" environments. TrustZone introduces the concept of a secure area, adding an S flag bit to the architecture to indicate whether the system is currently in the secure state. The flag bit affects not only the CPU core and the memory subsystem but also the operation of on-chip and off-chip components. The S bit can only be changed in Monitor mode, and the system defines only a limited number of entry points into Monitor mode; controlling access to Monitor mode makes system-wide security practical and feasible.
TrustZone runs security instructions in a parallel secure environment; by adding a layer of security at each transaction stage and creating a trusted code area in the CPU core, complete system security is achieved. At initialization, the system starts from the on-chip secure boot area in secure privileged mode, completes the setup of the system's security state, and then boots the system. At each stage of system startup, only modules that pass verification are allowed to load, and the integrity of the system boot code is ensured by checking the signatures stored in the secure area, which prevents the terminal device from being illegally reprogrammed through hardware.
In a real environment, a user's sensitive data may be saved in the TEE (Trusted Execution Environment, TEE) and processed by a Trusted Application (TA) using important algorithms and processing logic. When the user's sensitive data is needed for identity authentication, a specific request number (ID) is defined on the REE (Rich Execution Environment, REE) side, and the authentication result is obtained from the TEE side. The user's sensitive data stays in the TEE throughout the verification process, and the REE side cannot view any data in the TEE. To the REE, the TA in the TEE is a black box that accepts only a limited set of well-defined legal calls; what those calls do, what data they use and what operations they perform are not known on the REE side. If the call request sent by the REE side is illegal, the TA in the TEE either does not respond or returns only an error code, and does not expose any data to the REE side.
The TrustZone architecture extension set builds the security performance in the processor, so that the security is directly stripped from the operating system, and the defect that the operating system is easy to attack due to openness is overcome.
Therefore, the invention has the following beneficial effects:
1. High security: a root file system encrypted with the traditional scheme is almost equivalent to an unencrypted one and is very easy to crack. A root file system encrypted with this method no longer stores the key file in plaintext; instead, the key file is stored in encrypted form in TrustZone. Obtaining the plaintext key in the REE is restricted: it can only be obtained through the TA when the device starts and cannot be obtained in any other way, which significantly raises the difficulty of cracking and protects the data on the root file system more safely. The method can mainly be used to protect SHA256 server products, preventing important data on the server from being stolen or tampered with by others and greatly improving the security of root file system data.
2. The speed is high: the TEE realizes a common cryptographic algorithm framework of encryption, decryption, signature verification and digest calculation, so the method of the invention has the advantages of short time consumption and capability of quickly decrypting and mounting the encrypted root file system on the premise of not influencing the starting speed of the system.
3. The method is easy to realize: the client interface programming implementation based on GP (Global Platform, GP) definition is concise and clear.
In one embodiment, an electronic device is provided, which may be a server. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the electronic device is configured to provide computing and control capabilities. The memory of the electronic equipment comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The database of the electronic device is used for storing data. The network interface of the electronic device is used for connecting and communicating with an external terminal through a network. The computer program is executed by a processor to implement a TrustZone based root file system encryption method.
It can be understood by those skilled in the art that the electronic device structure shown in the present embodiment is only a partial structure related to the present application, and does not constitute a limitation to the electronic device to which the present application is applied, and a specific electronic device may include more or less components than those shown in the present embodiment, or combine some components, or have different component arrangements.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include at least one of non-volatile and volatile memory. Non-volatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical storage, or the like. Volatile Memory can include Random Access Memory (RAM) or external cache Memory. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others.
In addition, the logic instructions in the memory may be implemented in the form of software functional units and stored in a computer readable storage medium when the logic instructions are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk, and various media capable of storing program codes.
Therefore, the invention provides an electronic device and a storage medium based on TrustZone root file system encryption, which comprises: one or more memories, one or more processors. The memory is used for storing the program codes and intermediate data generated in the program running process, storing the model output result and storing the model and the model parameters; the processor is used for processor resources occupied by code running and a plurality of processor resources occupied when the model is trained.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above embodiments are only preferred embodiments of the present invention, and the protection scope of the present invention is not limited thereby, and any insubstantial changes and substitutions made by those skilled in the art based on the present invention are within the protection scope of the present invention.

Claims (10)

1. A TrustZone-based root file system encryption method, characterized by comprising the following steps:
encrypting the root file system to form an encrypted root file system;
generating an image file of the encrypted root file system;
programming the image file into the device;
encrypting the key of the encrypted root file system and storing it in a secure storage area of the device;
and, during device startup, reading the key stored on the device, decrypting the encrypted root file system by using the decrypted key, and mounting the decrypted root file system.
2. The method of claim 1, wherein encrypting the root file system comprises:
creating a blank virtual root file system;
creating a mapping partition of a virtual root file system;
formatting the mapping partition;
mounting a mapping partition;
copying the original root file system content to the mounted mapping partition;
and closing the mapping to complete the creation of the encrypted root file system.
3. The method according to claim 1, wherein encrypting and saving the key of the encrypted root file system to a secure storage area of the device comprises:
issuing the key to the device from the host side over a serial port connection;
when the device is in the UBOOT stage, transmitting the key to the security system of the device, and encrypting the key in the security system;
the encrypted key is transmitted back to the REE file system;
the encrypted key is saved to a secure storage area in the REE file system.
4. The method of claim 1, wherein:
reading a secret key stored in a secure storage area in the starting process of the equipment;
sending the read key to a security system, and calling a TA interface for decryption;
storing the decrypted key in a security system, and calling a TA interface to read the key through a command when needed;
decrypting the root file system by using the decrypted key;
and mounting the decrypted root file system.
5. The method of claim 1, wherein encrypting and saving the key of the encrypted root file system to a secure storage area of the device comprises:
when the TA calls a write-in function provided by a GP standard API library interface to write the key into the persistent object, calling a corresponding system call realized in the TEE secure storage SVC, calling a series of TEE files through the TEE secure storage SVC to operate and store key data, and transmitting the key data to the TEE file system through a TEE file system interface; then, the TEE file system encrypts the key, sends the REE file operation command and the encrypted data to the REE file system through a series of RPC messages, stores the encrypted data to the Linux file system through the REE file system, and stores the encrypted key to a safe storage area on the FLASH through the Linux file system.
6. The method of claim 3, wherein:
when the device is in the UBOOT stage, after the key is transmitted to the security system of the device, the key transmitted through the serial port is decrypted, and the original key is encrypted for one round by using an encryption interface of the security system; the encrypted key is passed back to the REE file system.
7. The method according to any of claims 1 to 6, wherein said mounting the decrypted root file system comprises:
the Linux file system kernel provides Device mapper, a mapping from a logical device to a physical device, which comprises a mapped device, a mapping table and a target device, wherein the mapped device is a logical abstraction and the mapping is established through the mapping relation described by the mapping table and the target device; the root file system is mapped to the /dev/dm-0 device through Device mapper, and the /dev/dm-0 device is formatted with a file system and then mounted to the root directory of the Linux file system.
8. A TrustZone-based root file system encryption device is characterized by comprising:
the TrustZone processor is used for executing the security application program isolated from the common application program and accessing the memory space reserved for the security program;
the BootLoader program on the TrustZone processor is used for initializing the system;
permanent memory or one-time programmable memory on the TrustZone processor, used as storage device or storage management key;
RAM on the TrustZone processor, used to store and run security code;
and peripheral equipment, used to provide a secure application access channel.
9. An electronic device, comprising:
a memory storing computer executable instructions;
a processor configured to execute the computer-executable instructions,
wherein the computer executable instructions, when executed by the processor, implement the steps of the TrustZone-based root File System encryption method according to any one of claims 1 to 7.
10. A computer readable storage medium having stored thereon computer executable instructions which, when executed by a processor, carry out the steps of the TrustZone based root file system encryption method according to any one of claims 1 to 7.
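The boot-time steps of claims 4 and 7 (fetch the key through the TA, map the encrypted partition with Device mapper, mount it), sketched as an added example that is not part of the patent. It assumes the mapping is a dm-crypt target with `aes-xts-plain64`; the helper `ta_get_key`, the mapping name `cryptroot` and the key description `rootfs:key` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the patent. Assumptions: the mapping is a dm-crypt
# target using aes-xts-plain64, and `ta_get_key` is a hypothetical REE helper
# that asks the TA for the decrypted key and writes the raw bytes to stdout.
CIPHER="aes-xts-plain64"

# keyring_spec BYTES DESC -> ":BYTES:logon:DESC", dm-crypt's reference to a
# key held in the kernel keyring (keeps the key out of argv and table dumps).
keyring_spec() {
    case "$1" in
        32|64) ;;   # XTS takes a 256- or 512-bit key
        *) echo "bad key size: $1" >&2; return 1 ;;
    esac
    case "$2" in
        ?*:?*) ;;   # logon keys need a "prefix:name" description
        *) echo "bad key description: $2" >&2; return 1 ;;
    esac
    printf ':%s:logon:%s' "$1" "$2"
}

# crypt_table SECTORS DEVICE KEYSPEC -> one device-mapper table line:
# <start> <length> crypt <cipher> <key> <iv_offset> <device> <offset>
crypt_table() {
    case "$1" in
        ''|0|*[!0-9]*) echo "bad sector count: $1" >&2; return 1 ;;
    esac
    printf '0 %s crypt %s %s 0 %s 0\n' "$1" "$CIPHER" "$3" "$2"
}

# open_rootfs DEVICE MOUNTPOINT: boot-time sequence (needs root and a TEE).
open_rootfs() {
    dev=$1; mnt=$2; desc="rootfs:key"   # constructed key description
    sectors=$(blockdev --getsz "$dev") || return 1
    id=$(ta_get_key | keyctl padd logon "$desc" @u) || return 1
    spec=$(keyring_spec 64 "$desc") || return 1
    # The table goes in on stdin; the first mapping created appears as /dev/dm-0.
    crypt_table "$sectors" "$dev" "$spec" | dmsetup create cryptroot
    rc=$?
    keyctl unlink "$id" @u >/dev/null   # dm-crypt copied the key at table load
    [ "$rc" -eq 0 ] && mount /dev/mapper/cryptroot "$mnt"
}
```

Only `open_rootfs` touches the system; the two table-building functions are pure and can be checked on any host.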

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210825118.2A CN115292727A (en) 2022-07-14 2022-07-14 TrustZone-based root file system encryption method, device, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN115292727A true CN115292727A (en) 2022-11-04

Family

ID=83821945

Country Status (1)

Country Link
CN (1) CN115292727A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination