WO2020132962A1 - Secure element, data processing device, and data processing method - Google Patents

Secure element, data processing device, and data processing method Download PDF

Info

Publication number
WO2020132962A1
WO2020132962A1 PCT/CN2018/123970 CN2018123970W WO2020132962A1 WO 2020132962 A1 WO2020132962 A1 WO 2020132962A1 CN 2018123970 W CN2018123970 W CN 2018123970W WO 2020132962 A1 WO2020132962 A1 WO 2020132962A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
processor system
dram
storage space
pcie interface
Prior art date
Application number
PCT/CN2018/123970
Other languages
French (fr)
Chinese (zh)
Inventor
潘时林
Original Assignee
华为技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为技术有限公司 filed Critical 华为技术有限公司
Priority to CN201880088541.0A priority Critical patent/CN111699467B/en
Priority to PCT/CN2018/123970 priority patent/WO2020132962A1/en
Publication of WO2020132962A1 publication Critical patent/WO2020132962A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers

Definitions

  • the embodiments of the present application provide a secure element, a data processing device, and a data processing method, which are used to expand the available storage space of the secure element, with low cost and high security.
  • the SE needs to perform unsecure processing on the data obtained from the outside and perform secure processing on the data before storing the data in the external storage space to ensure the security of the data.
  • solution security processing and security processing are corresponding.
  • the data after the security processing needs to be decoded to obtain the required data and ensure that the obtained data is complete.
  • the SE obtains the data of the reference storage space in the DRAM through the PCIE interface, and performs security processing on the obtained data to obtain the required data; it can effectively expand the storage space available to the SE and ensure the safety of the data.
  • the PCIE interface is further used to receive storage completion information from the host processor system through the PCIE bus, and the storage completion information is used to indicate that the second data has been stored To the target storage space; wherein, the original data stored in the target storage space is replaced with the second data; the security processing system is also used to generate the second data or the first data for verification 4.
  • Target MAC for data integrity; after receiving the storage completion information from the PCIE interface, replace the original MAC with the target MAC; the original MAC is used to verify the integrity of the original data.
  • the SE replaces the original MAC with the target MAC; it can avoid power failure during data writing so that the data cannot be recovered problem.
  • the secure processor system includes: a stream cipher unit, a key generator, and a random access memory RAM, and the stream cipher unit is respectively associated with the key generator and the RAM Coupling; the stream cipher unit for obtaining at least one key from the key generator and at least one MAC from the RAM; using the at least one key to decrypt the first data or encrypt the first Four data; use the at least one MAC to perform a MAC check on the first data, wherein the at least one key and the at least one MAC correspond to the first data or the second data in the The address in the target storage space.
  • encryption and decryption are hardware specifically used to encrypt and decrypt data, and the encryption and decryption efficiency is high.
  • an encryption and decryption engine is used to perform encryption and decryption operations on the data and a MAC verification controller is used to perform MAC verification, which can improve the efficiency of data processing.
  • the embodiment of the present application provides a data processing method, which is applied to a secure element SE.
  • the SE includes: a PCIE interface and a secure processor system.
  • the PCIE interface is connected to a PCIE interface in a host processor system through a PCIE bus. Coupling, the PCIE interface in the main processor system is coupled to DRAM through a dynamic random access memory DRAM interface in the main processor system; wherein the main processor system includes a main processor for running an operating system Or at least one of application programs; the PCIE interface reads the first data in the DRAM through the PCIE bus; the secure processor system receives the first data from the PCIE interface and processes the The first data to get the third data;
  • the method further includes: the PCIE interface receives from the host processor system through the PCIE bus Storing completion information used to indicate that the second data has been stored in the target storage space, wherein the original data stored in the target storage space is replaced with the second data; the security process The system generates a target MAC for verifying the integrity of the second data or the fourth data; after receiving the storage completion information from the PCIE interface, the original MAC is replaced with the target MAC; the The original MAC is used to verify the integrity of the original data
  • the secure processor system receives the first data from the PCIE interface and desecures the first data to obtain the third data.
  • the encryption and decryption engine decrypts the first data using the key A data to obtain the third data;
  • the MAC verification controller performs MAC verification on the first data using the at least one MAC.
  • an embodiment of the present application provides a data processing apparatus, including the security processor system and the main processor system described in the above first aspect and any optional implementation manner.
  • the data processing apparatus further includes the DRAM described in the first aspect above and any optional implementation manner.
  • the data processing apparatus further includes the NVM described in the first aspect above and any optional implementation manner.
  • an embodiment of the present application provides a device, including a memory and a processor; the memory is used to store program instructions, and the processor is used to execute the program instructions to perform the second aspect and any optional implementation manner method.
  • the processor is located inside the SE.
  • FIG. 1 shows a schematic structural diagram of a data processing device 10 according to an embodiment of the present application.
  • the data processing device 10 may include: SOC100 and SE120.
  • SOC100 corresponds to the main processor system in this application; the part of SE120 other than PCIE interface 112 corresponds to the secure processor system in this application.
  • SOC100 and SE120 are coupled via PCIE bus.
  • the PCIE interface 112 inside the SE120 and the PCIE interface 104 inside the SOC are connected through the PCIE bus; the PCIE interface 104 inside the SOC is coupled to the DRAM 107 through the DRAM interface 103. It can be understood that both SE120 and SOC100 access the DRAM 107 through the DRAM interface 103.
  • the SE120 can directly access the data in the DRAM 107 through the PCIE bus without the participation of the CPU 101. In other words, the SE120 can directly read the data in the DRAM 107 through the PCIE bus, and can also directly write data to the DRAM 107 through the PCIE bus.
  • SE120 is a chip inside the data processing device 10.
  • the SE120 has an encryption/decryption logic circuit inside, which can prevent external malicious parsing attacks and protect data security.
  • SOC is called a chip-level system, also known as a system-on-chip, meaning that it is a product, such as an integrated circuit with a dedicated target, which contains the complete system and has the entire content of embedded software.
  • the stream cipher unit 111 may be a piece of hardware inside the SE 120 that is specifically used to implement encryption and decryption and integrity verification.
  • the software executed by the processor 108 implements the control function of the stream cipher unit 111.
  • Cache memory 109, RAM 113, ROM 114, flash memory 115, and OTP memory 116 are used to store different types of data or instructions, which will not be described in detail here.
  • MMU 110 is responsible for the mapping of virtual addresses to physical addresses, and provides memory access permission checks for hardware mechanisms.
  • the encryption unit 117 is used to implement various security services provided by the SE 120, such as security authentication and data encryption.
  • the IO interface 118 is used to communicate with other components. It should be understood that the above is only a specific implementation form of SE, which is not limited in this application.
  • the data processing device 10 is only an example provided by the embodiments of the present application, and the data processing device 10 may have more or fewer components than those shown, and two or more components may be combined, or It can be realized with different configurations of components.
  • an embodiment of the present application provides a flowchart of a data processing method. As shown in FIG. 2, the method may include: 201.
  • the SE 120 sends a read request to the SOC 100.
  • the process of SE120 sending a read request is as follows: the processor 108 sends a read request to the PCIE interface 112; the PCIE interface 112 sends the read request to the PCIE interface 104 in the SOC through the PCIE bus; the PCIE interface 104 sends the read request to the CPU 101 Fetch request.
  • the above read request is used to read the first data stored in the second address (target storage space) in the NVM 105, or used to read the first data stored in the reference storage space in the DRAM 107.
  • the reference storage space is a storage space in the DRAM 107 for storing data from the SE 120.
  • the above read request may include a first start address and first length information, where the first start address is the start address where the first data is stored in the NVM 105, and the first length information is the size of the storage space occupied by the first data.
  • the first start address and the first length information can be combined to determine the second address in the NVM 105, that is, the address where the first data is stored.
  • DRAM107 serves as a relay station for data transmission between SE120 and SOC100, so that SE120 can accurately and quickly read the encrypted data in NVM105, which can well solve the shortage of non-volatile storage resources inside SE120 The problem.
  • FIG. 2 describes the flow of SE120 reading encrypted data (first data) in NVM105.
  • the flow of SE120 storing encrypted data in NVM105 is described below.
  • FIG. 3 is a flowchart of another data processing method provided by an embodiment of the present application. As shown in FIG. 3, the method may include: 301.
  • the stream cipher unit 111 encrypts the fourth data to obtain second data.
  • the above fourth data may be data to be stored in the NVM 105 by the SE 120.
  • the stream cipher unit 111 acquires the above fourth data from the cache memory 109 or RAM 113, and encrypts the fourth data.
  • the above second data may be the first data in FIG. 2, and the above fourth data may be the third data in FIG. 2.
  • the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the fourth data, and any one of the N MACs is used to check one of the N sets of data included in the fourth data Data integrity.
  • the N MACs correspond to the N sets of data included in the fourth data.
  • the stream cipher unit 111 may use any verification algorithm such as SHA-256 algorithm or AES-CMAC algorithm to generate a MAC, which is not limited in this application.
  • FIG. 4 is a schematic diagram of another data processing method provided by the present application. As shown in FIG. 4, the method may include: 401.
  • the stream cipher unit 111 obtains fourth data from the cache memory 109.
  • the stream cipher unit 111 may also obtain the above fourth data from the RAM 113 or other memory. It can be understood that the cache memory 109 may be replaced with other memories.
  • the above fourth data is data to be stored by the SE120 to the NVM105. In practical applications, when the storage space of the RAM 113 or other memory in the SE120 is insufficient, the data can also be stored to the NVM outside the SE120.
  • the stream cipher unit 111 divides the fourth data occupying 15KB of storage space by using 4KB of storage space as a standard to obtain 4 sets of data. Among them, 3 sets of data occupy 4KB storage space, 1 set of data occupy 3KB storage space, 4 sets of data encrypted by these 4 sets of data occupy 4 different pages in NVM105. It can be understood that the stream cipher unit 111 uses different keys for encrypting any two sets of data included in the fourth data. Optionally, the stream cipher unit 111 writes the above-mentioned second data to the reference storage space of the DRAM 107.
  • the stream cipher unit 111 generates at least one MAC corresponding to the fourth data or the second data, and writes to the RAM 113.
  • the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the second data. That is, the stream cipher unit 111 generates a MAC based on each set of data included in the second data. Any one of the N MACs is used to check the integrity of a group of data in the N groups of data included in the second data.
  • the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the fourth data, and any one of the N MACs is used to check one of the N sets of data included in the fourth data Data integrity. That is, the stream cipher unit 111 generates a MAC based on each set of data included in the fourth data.
  • the stream cipher unit 111 acquiring at least one key corresponding to the third address from the key generator 119 may be the stream cipher unit 111 acquiring the key generator 119 according to the target address acquired from the MMU 110 and the root key acquired from the OTP memory 116,
  • the specific implementation manners of the generated N keys are the same as those in the embodiment corresponding to FIG. 4 and will not be described in detail here. It can be understood that the at least one key is generated by the key generator 119 using the root key and the third address.
  • the key generator 119 Before performing 701, the key generator 119 generates at least one key described above. In practical applications, before the SE 120 reads data from the NVM 105, the key generator 119 needs to use the storage address of the data to be read in the NVM 105 to generate a corresponding key in order to decrypt the read data.
  • the stream cipher unit 111 reads the second data from the DRAM 107 through the PCIE bus, and uses the at least one MAC and the at least one key to decrypt and verify the second data. Before executing 703, the following operations can be performed: SE120 sends a read request to SOC100, which is used to read the second data stored at the third address in NVM105; SOC100 stores the second data stored at the third address in NVM105 The data is moved to DRAM 107; SOC100 sends SE120 the fifth address in DRAM 107 that stores the second data.
  • the stream cipher unit 111 reading the second data from the DRAM 107 through the PCIE bus may be the stream cipher unit 111 reading the data stored in the fifth address in the DRAM 107 through the PCIE bus.
  • SE120 reads data from DRAM 107 in units of pages.
  • each page stores 4KB of data
  • the 16 bytes (one MAC) stored in the RAM 113 can verify the 4 KB data stored in the NVM 105, and the storage space of the RAM 113 can be expanded by 256 times.
  • the storage space of the RAM 113 is 128 KB
  • a 16-byte MAC stored in the RAM 113 is used to check 4 KB of data
  • the RAM 113 can support the expansion of the storage space to 32 MB.
  • the stream cipher unit 111 includes a MAC verification controller 1111 and an encryption and decryption engine 1112.
  • the encryption and decryption engine 1112 is used to decrypt the second data read from the DRAM 107 through the PCIE bus to obtain fourth data; generate at least one MAC (first MAC) according to the second data or the fourth data, and send to the MAC school ⁇ Controller1111.
  • the RF circuit 910 can be used to receive and send signals during receiving and sending information or during a call. In particular, after receiving the downlink information of the base station, it is processed by the SOC 100; in addition, the uplink data is sent to the base station.
  • the RF circuit 910 includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like.
  • the RF circuit 910 can also communicate with other devices in the network through wireless communication.
  • the RAM 922 may be used to store software programs and modules.
  • the SOC 100 executes various functional applications and data processing of the data processing device by running the software programs and modules stored in the RAM 922.
  • the random access memory 922 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, application programs required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may store Data created according to the use of the data processing device (such as audio data, phone book, etc.), etc.
  • the data processing device may further include at least one sensor 950, such as a light sensor, a motion sensor, and other sensors.
  • the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 941 according to the brightness of the ambient light, and the proximity sensor may close the display panel 941 when the data processing device moves to the ear And/or backlight.
  • the accelerometer sensor can detect the magnitude of acceleration in various directions (generally three axes), and can detect the magnitude and direction of gravity when at rest, and can be used to identify the posture of data processing devices (such as horizontal and vertical screen switching) , Related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer, tap), etc.
  • other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc. can also be configured, I will not repeat them here.
  • the data processing device may further include a camera, a Bluetooth module, etc., and will not be repeated here.
  • the term “coupling” mentioned in this application is used to express the communication or interaction between different components, and may include direct connection or indirect connection through other components.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

A secure element (SE) (120), a data processing device (10), and a data processing method. The SE (120) comprises: a PCIE interface (112) coupled with a dynamic random access memory (DRAM) interface (103) in a main processor system by means of a PCIE bus, wherein the DRAM interface (103) is coupled with a DRAM (107), and the PCIE interface (112) is used for reading first data in the DRAM (107) or writing second data into the DRAM (107) by means of the PCIE bus; and a secure processor system used for receiving the first data from the PCIE interface (112) and processing the first data to obtain third data, or processing fourth data to obtain the second data and sending the processed second data to the PCIE interface (112). The data processing device (10) can effectively expand the available storage space of the SE (120) while ensuring data security, and thus has low costs and high security.

Description

安全元件、数据处理装置及数据处理方法Security element, data processing device and data processing method 技术领域Technical field
本申请涉及电子技术领域,尤其涉及一种安全元件、数据处理装置及数据处理方法。The present application relates to the field of electronic technology, and in particular, to a security element, data processing device, and data processing method.
背景技术Background technique
如今,手机、平板电脑、可穿戴设备等逐渐成为人们日常生活中不可或缺的工具。在实际生活中,手机上的移动支付、移动金融、汽车钥匙等对安全性要求较高的安全应用得到了广泛的应用。手机下一步的发展方向是集成所有的银行卡、公交卡、钥匙、身份证等功能。实现这些功能不仅需要开发相应的软件应用,更关键的是需要为手机芯片提供硬件级的安全解决方案,以便保证用户的财产和数据安全。Today, mobile phones, tablet computers, wearable devices, etc. have gradually become indispensable tools in people's daily lives. In actual life, mobile applications such as mobile payment, mobile finance, and car keys that require high security have been widely used. The next development direction of mobile phones is to integrate all functions such as bank cards, bus cards, keys, and ID cards. Realizing these functions not only requires the development of corresponding software applications, but more importantly, it is necessary to provide hardware-level security solutions for mobile phone chips in order to ensure the safety of users' property and data.
当前,通常利用安全芯片来保证手机上的数据安全。安全芯片(安全元件)就是可信任平台模块,是一个可独立进行密钥生成、加解密的装置,内部拥有独立的处理器和存储单元,可存储密钥和特征数据,为手机提供加密和安全认证服务。利用安全芯片对数据进行加密时,密钥被存储在安全芯片的硬件中,被窃的数据无法解密,从而保护商业隐私和数据安全。当前采用的一种方案是在手机上的SOC芯片之外设置一个安全芯片,即该安全芯片不与该SOC芯片集成在一起,该SOC芯片与该安全芯片通过串行外设接口(Serial Peripheral Interface,SPI)传递消息。然而,当前主流的安全芯片一般只有有限的存储空间,只能支持少量应用。如果手机未来要支持更多的安全应用,安全芯片需要更多的存储空间,这样成本会非常高。因此,需要研究低成本的方案。Currently, security chips are often used to ensure data security on mobile phones. The security chip (security element) is a trusted platform module. It is a device that can independently generate keys and encrypt and decrypt. It has an independent processor and storage unit inside, which can store keys and feature data to provide encryption and security for mobile phones. Certification Services. When encrypting data with a security chip, the key is stored in the hardware of the security chip, and the stolen data cannot be decrypted, thereby protecting commercial privacy and data security. One currently adopted scheme is to set a security chip outside the SOC chip on the mobile phone, that is, the security chip is not integrated with the SOC chip, and the SOC chip and the security chip pass the serial peripheral interface (Serial Peripheral Interface) , SPI) transfer messages. However, current mainstream security chips generally have limited storage space and can only support a small number of applications. If the mobile phone needs to support more security applications in the future, the security chip needs more storage space, and the cost will be very high. Therefore, it is necessary to study low-cost solutions.
发明内容Summary of the invention
本申请实施例提供了一种安全元件、数据处理装置及数据处理方法,用于扩展安全元件可用的存储空间,成本低、安全性高。The embodiments of the present application provide a secure element, a data processing device, and a data processing method, which are used to expand the available storage space of the secure element, with low cost and high security.
第一方面本申请实施例提供了一种安全元件SE,包括:PCIE接口,通过PCIE总线与主处理器***中的PCIE接口耦合,所述主处理器***中的PCIE接口通过所述主处理器***中的动态随机存取存储器DRAM接口耦合至DRAM;所述PCIE接口,用于通过所述PCIE总线读取所述DRAM中的第一数据,或者向所述DRAM写入第二数据;其中,所述主处理器***包括主处理器,用于运行操作***或应用程序中的至少一项;安全处理器***,用于从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据,或者处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据。According to a first aspect, an embodiment of the present application provides a secure element SE, including: a PCIE interface, which is coupled to a PCIE interface in a host processor system through a PCIE bus, and a PCIE interface in the host processor system passes through the host processor The dynamic random access memory DRAM interface in the system is coupled to the DRAM; the PCIE interface is used to read the first data in the DRAM through the PCIE bus or write the second data to the DRAM; wherein, The main processor system includes a main processor for running at least one of an operating system or an application program; a secure processor system for receiving the first data from the PCIE interface and processing the first data To obtain third data, or process fourth data to obtain the second data and send the processed second data to the PCIE interface.
所述安全元件可以应用到手机、平板电脑、笔记本电脑、可穿戴设备等有一定安全性要求的数据处理装置中。所述主处理器***可以位于片上***(System On Chip,SOC)中,例如手机中的SOC。所述安全元件(Secure Element,SE)通过PCIE(Peripheral Component Interconnect Express)接口与所述主处理器***中的PCIE接口耦合。SE中的PCIE接口依次经主处理器***中的PCIE接口、DRAM接口来访问DRAM。PCIE接口的特点使得SE 可以直接访问所述动态随机存取存储器(Dynamic Random Access Memory,DRAM)。可以理解,所述SE可以直接访问所述DRAM,无需通过主处理器***中的处理器,访问时延和性能可以得到保证。也就是说,所述SE可以通过PCIE接口直接读写DRAM中的数据;也可以对PCIE接口通过PCIE总线从DRAM获取的数据做处理得到所需的数据;还可以将处理后的数据通过PCIE接口写入DRAM。可以理解,所述DRAM可以作为所述SE的扩展存储空间,实现简单。本申请实施例中,SE通过PCIE总线直接访问该SE外部的DRAM,可以有效扩展该SE可用的存储资源,成本低、访问时延低。The security element can be applied to data processing devices with certain security requirements, such as mobile phones, tablet computers, notebook computers, and wearable devices. The main processor system may be located in a system on chip (System On Chip, SOC), such as an SOC in a mobile phone. The Secure Element (SE) is coupled to the PCIE interface in the host processor system through a PCIE (Peripheral Component Interconnect Express) interface. The PCIE interface in the SE accesses the DRAM through the PCIE interface and the DRAM interface in the main processor system in turn. The characteristics of the PCIE interface enable the SE to directly access the dynamic random access memory (Dynamic Random Access Memory, DRAM). It can be understood that the SE can directly access the DRAM without going through the processor in the main processor system, and the access delay and performance can be guaranteed. In other words, the SE can directly read and write data in the DRAM through the PCIE interface; it can also process the data obtained from the DRAM through the PCIE bus through the PCIE bus to obtain the required data; and can also process the processed data through the PCIE interface Write to DRAM. It can be understood that the DRAM can be used as an extended storage space of the SE, and the implementation is simple. In the embodiment of the present application, the SE directly accesses the DRAM outside the SE through the PCIE bus, which can effectively expand the storage resources available to the SE, with low cost and low access delay.
在一个可选的实现方式中,所述PCIE接口,还用于通过所述PCIE总线获取所述DRAM的参考存储空间中的所述第一数据,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间;所述安全处理器***,具体用于从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据,所述解安全处理包括解密或消息认证码MAC校验中的至少一项。所述SE可以认为限定了一个安全认证边界,可以防各种错误攻击(anti-tampering),例如侧信道攻击。也就是说,SE内部的数据被认为是安全的,SE外部的数据被认为是不安全的。因此,所述SE需要对从其外部获取的数据做解安全处理以及在将数据存储至其外部的存储空间之前对数据做安全处理,以保证数据的安全。其中,解安全处理和安全处理是相对应的。安全处理后的数据需要做解安全处理来得到所需的数据并保证得到的数据是完整的。在该实现方式中,SE通过PCIE接口获取DRAM中参考存储空间的数据,并对获取的数据做解安全处理以得到所需的数据;可以有效地扩展SE可用的存储空间并保证数据的安全。In an optional implementation manner, the PCIE interface is also used to acquire the first data in the reference storage space of the DRAM through the PCIE bus, and the reference storage space is used in the DRAM A storage space for storing data from the secure processor system; the secure processor system is specifically used to receive the first data from the PCIE interface and desecure the first data to obtain the first Three data, the desecuring process includes at least one of decryption or MAC verification of the message authentication code. The SE can be considered to define a security authentication boundary, which can prevent various anti-tampering, such as side channel attacks. In other words, the data inside the SE is considered safe, and the data outside the SE is considered insecure. Therefore, the SE needs to perform unsecure processing on the data obtained from the outside and perform secure processing on the data before storing the data in the external storage space to ensure the security of the data. Among them, solution security processing and security processing are corresponding. The data after the security processing needs to be decoded to obtain the required data and ensure that the obtained data is complete. In this implementation, the SE obtains the data of the reference storage space in the DRAM through the PCIE interface, and performs security processing on the obtained data to obtain the required data; it can effectively expand the storage space available to the SE and ensure the safety of the data.
在一个可选的实现方式中,所述安全处理器***,还用于向所述PCIE接口发送读取请求,所述读取请求用于读取所述参考存储空间中的所述第一数据;其中,所述第一数据被所述主处理器***从非易失存储器NVM中的目标存储空间搬移至所述参考存储空间;所述PCIE接口,还用于通过所述PCIE总线向所述主处理器***发送所述读取请求。非易失存储器(Non-Volatile Memory,NVM)可以是eMMC(Embedded Multi Media Card)、通用闪存(Universal Flash Storage,UFS)或者其他类型的非易失存储器。在该实现方式中,SE以DRAM作为中转站来读取其外部的NVM中的数据,可以有效解决其内部的存储空间不足的问题,实现简单。In an optional implementation manner, the secure processor system is further configured to send a read request to the PCIE interface, where the read request is used to read the first data in the reference storage space ; Wherein, the first data is moved from the target storage space in the non-volatile memory NVM to the reference storage space by the host processor system; the PCIE interface is also used to send the data to the PCIE bus The main processor system sends the read request. Non-volatile memory (Non-Volatile Memory, NVM) may be eMMC (Embedded Multi Media), universal flash memory (Universal Flash Storage, UFS) or other types of non-volatile memory. In this implementation, the SE uses DRAM as a relay station to read the data in its external NVM, which can effectively solve the problem of insufficient internal storage space and achieve simple implementation.
在一个可选的实现方式中,所述安全处理器***,具体用于对所述第四数据进行安全处理以得到所述第二数据并向所述PCIE接口发送所述第二数据,所述安全处理包括加密或消息认证码MAC处理中的至少一项;所述PCIE接口,具体用于通过所述PCIE总线将所述第二数据写入所述DRAM的参考存储空间,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间。所述安全处理器***可以包括随机存取存储器(Random Access Memory,RAM)。所述安全处理器***对所述第四数据做MAC处理可以是所述安全处理器***生成用于校验所述第四数据的完整性的至少一个MAC并存储至其内部的RAM。在该实现方式中,SE通过PCIE总线将安全处理后的数据存储至其外部的DRAM,既可以解决其内部的存储资源不足的问题,又可以保证数据的安全。In an optional implementation manner, the secure processor system is specifically configured to perform secure processing on the fourth data to obtain the second data and send the second data to the PCIE interface. The security processing includes at least one of encryption or MAC processing of the message authentication code; the PCIE interface is specifically used to write the second data to the reference storage space of the DRAM through the PCIE bus, and the reference storage space It is a storage space in the DRAM for storing data from the secure processor system. The secure processor system may include random access memory (Random Access Memory, RAM). The MAC processing of the fourth data by the security processor system may be that the security processor system generates at least one MAC for checking the integrity of the fourth data and stores it in its internal RAM. In this implementation, the SE stores the securely processed data to its external DRAM through the PCIE bus, which can not only solve the problem of insufficient internal storage resources, but also ensure the security of the data.
在一个可选的实现方式中,所述安全处理器***,还用于向所述PCIE接口发送地址指示信息,所述地址指示信息用于指示所述主处理器***将所述参考存储空间中的所述第二 数据搬移至所述NVM中的目标存储空间;所述PCIE接口,还用于通过所述PCIE总线将所述地址指示信息向所述主处理器***发送。在该实现方式中,SE通过PCIE总线向主处理器***发送地址指示信息以指示该主处理器***将DRAM的参考存储空间的数据搬移至NVM中的目标存储空间,以便于后续可以准确地读取这些数据,实现简单。In an optional implementation manner, the secure processor system is further configured to send address indication information to the PCIE interface, and the address indication information is used to instruct the host processor system to store the reference storage space The second data is moved to a target storage space in the NVM; the PCIE interface is also used to send the address indication information to the host processor system through the PCIE bus. In this implementation, the SE sends address indication information to the host processor system through the PCIE bus to instruct the host processor system to move the data of the DRAM's reference storage space to the target storage space in the NVM so that it can be accurately read later Taking these data, the implementation is simple.
在一个可选的实现方式中,所述PCIE接口,还用于通过所述PCIE总线接收来自所述主处理器***的存储完成信息,所述存储完成信息用于指示所述第二数据已存储至所述目标存储空间;其中,所述目标存储空间存储的原始数据被替换为所述第二数据;所述安全处理***,还用于生成用于校验所述第二数据或所述第四数据的完整性的目标MAC;在从所述PCIE接口接收所述存储完成信息后,将原始MAC替换为所述目标MAC;所述原始MAC用于校验所述原始数据的完整性。在该实现方式中,在确定NVM中的目标存储空间存储的原始数据被替换为第二数据之后,SE将原始MAC替换为目标MAC;可以避免数据写入过程中发生掉电以致数据无法恢复的问题。In an optional implementation manner, the PCIE interface is further used to receive storage completion information from the host processor system through the PCIE bus, and the storage completion information is used to indicate that the second data has been stored To the target storage space; wherein, the original data stored in the target storage space is replaced with the second data; the security processing system is also used to generate the second data or the first data for verification 4. Target MAC for data integrity; after receiving the storage completion information from the PCIE interface, replace the original MAC with the target MAC; the original MAC is used to verify the integrity of the original data. In this implementation, after it is determined that the original data stored in the target storage space in the NVM is replaced with the second data, the SE replaces the original MAC with the target MAC; it can avoid power failure during data writing so that the data cannot be recovered problem.
在一个可选的实现方式中,所述安全处理器***包括:流密码单元、密钥生成器以及随机存取存储器RAM,所述流密码单元分别与所述密钥生成器和所述RAM相耦合;所述流密码单元,用于从所述密钥生成器获至少一个密钥以及从所述RAM获取至少一个MAC;利用所述至少一个密钥解密所述第一数据或加密所述第四数据;利用所述至少一个MAC对所述第一数据做MAC校验,其中,所述至少一个密钥和所述至少一个MAC对应于所述第一数据或所述第二数据在所述目标存储空间中的地址。可选的,加解密为专门用于对数据做加解密的硬件,加解密效率高。在该实现方式中,采用加解密引擎对数据做加解密操作以及利用MAC校验控制器做MAC校验,可以提高数据处理的效率。In an optional implementation manner, the secure processor system includes: a stream cipher unit, a key generator, and a random access memory RAM, and the stream cipher unit is respectively associated with the key generator and the RAM Coupling; the stream cipher unit for obtaining at least one key from the key generator and at least one MAC from the RAM; using the at least one key to decrypt the first data or encrypt the first Four data; use the at least one MAC to perform a MAC check on the first data, wherein the at least one key and the at least one MAC correspond to the first data or the second data in the The address in the target storage space. Optionally, encryption and decryption are hardware specifically used to encrypt and decrypt data, and the encryption and decryption efficiency is high. In this implementation, an encryption and decryption engine is used to perform encryption and decryption operations on the data and a MAC verification controller is used to perform MAC verification, which can improve the efficiency of data processing.
第二方面本申请实施例提供了一种数据处理方法,应用于安全元件SE,所述SE包括:PCIE接口和安全处理器***,所述PCIE接口通过PCIE总线与主处理器***中的PCIE接口耦合,所述主处理器***中的PCIE接口通过所述主处理器***中的动态随机存取存储器DRAM接口耦合至DRAM;其中,所述主处理器***包括主处理器,用于运行操作***或应用程序中的至少一项;所述PCIE接口通过所述PCIE总线读取所述DRAM中的第一数据;所述安全处理器***从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据;In the second aspect, the embodiment of the present application provides a data processing method, which is applied to a secure element SE. The SE includes: a PCIE interface and a secure processor system. The PCIE interface is connected to a PCIE interface in a host processor system through a PCIE bus. Coupling, the PCIE interface in the main processor system is coupled to DRAM through a dynamic random access memory DRAM interface in the main processor system; wherein the main processor system includes a main processor for running an operating system Or at least one of application programs; the PCIE interface reads the first data in the DRAM through the PCIE bus; the secure processor system receives the first data from the PCIE interface and processes the The first data to get the third data;
或者,所述安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据;所述PCIE接口通过所述PCIE总线向所述DRAM写入所述第二数据。本申请实施例中,SE通过PCIE总线直接访问该SE外部的DRAM,可以有效扩展该SE可用的存储资源,成本低、访问时延低。Alternatively, the security processor system processes the fourth data to obtain the second data and sends the processed second data to the PCIE interface; the PCIE interface writes to the DRAM through the PCIE bus The second data. In the embodiment of the present application, the SE directly accesses the DRAM outside the SE through the PCIE bus, which can effectively expand the storage resources available to the SE, with low cost and low access delay.
在一个可选的实现方式中,所述PCIE接口通过所述PCIE总线读取所述DRAM中的第一数据包括:所述PCIE接口通过所述PCIE总线获取所述DRAM的参考存储空间中的所述第一数据,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间;In an optional implementation manner, the PCIE interface reading the first data in the DRAM through the PCIE bus includes: the PCIE interface acquiring all the data in the reference storage space of the DRAM through the PCIE bus The first data, the reference storage space is a storage space in the DRAM for storing data from the secure processor system;
所述安全处理器***从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据包括:所述安全处理器***从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据,所述解安全处理包括解密或解消息认证码MAC校验中 的至少一项。The security processor system receiving the first data from the PCIE interface and processing the first data to obtain third data includes the security processor system receiving the first data from the PCIE interface and The first data is de-secured to obtain the third data, and the de-secure processing includes at least one of decryption or decryption of the message authentication code MAC check.
在一个可选的实现方式中,所述安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据包括:所述安全处理器***对所述第四数据进行安全处理以得到所述第二数据并向所述PCIE接口发送所述第二数据,所述安全处理包括加密或消息认证码MAC处理中的至少一项;In an optional implementation manner, processing the fourth data by the secure processor system to obtain the second data and sending the processed second data to the PCIE interface includes: the secure processor system pair Performing security processing on the fourth data to obtain the second data and sending the second data to the PCIE interface, where the security processing includes at least one of encryption or MAC processing of a message authentication code;
所述PCIE接口通过所述PCIE总线向所述DRAM写入所述第二数据包括:The PCIE interface writing the second data to the DRAM through the PCIE bus includes:
所述PCIE接口通过所述PCIE总线将所述第二数据写入所述DRAM的参考存储空间,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间。The PCIE interface writes the second data to a reference storage space of the DRAM through the PCIE bus, and the reference storage space is a storage space in the DRAM for storing data from the secure processor system .
在一个可选的实现方式中,所述安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据包括:所述安全处理器***对所述第四数据进行安全处理以得到所述第二数据并向所述PCIE接口发送所述第二数据,所述安全处理包括加密或消息认证码MAC处理中的至少一项;In an optional implementation manner, processing the fourth data by the secure processor system to obtain the second data and sending the processed second data to the PCIE interface includes: the secure processor system pair Performing security processing on the fourth data to obtain the second data and sending the second data to the PCIE interface, where the security processing includes at least one of encryption or MAC processing of a message authentication code;
所述PCIE接口通过所述PCIE总线向所述DRAM写入所述第二数据包括:所述PCIE接口通过所述PCIE总线将所述第二数据写入所述DRAM的参考存储空间,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间。The PCIE interface writing the second data to the DRAM through the PCIE bus includes: the PCIE interface writing the second data to the reference storage space of the DRAM through the PCIE bus, the reference The storage space is a storage space in the DRAM for storing data from the secure processor system.
在一个可选的实现方式中,所述方法还包括:所述安全处理器***向所述PCIE接口发送地址指示信息,所述地址指示信息用于指示所述主处理器***将所述参考存储空间中的所述第二数据搬移至所述NVM中的目标存储空间;所述PCIE接口通过所述PCIE总线将所述地址指示信息向所述主处理器***发送。In an optional implementation manner, the method further includes the security processor system sending address indication information to the PCIE interface, where the address indication information is used to instruct the host processor system to store the reference The second data in the space is moved to a target storage space in the NVM; the PCIE interface sends the address indication information to the host processor system through the PCIE bus.
在一个可选的实现方式中,所述安全处理器***向所述PCIE接口发送地址指示信息之后,所述方法还包括:所述PCIE接口通过所述PCIE总线接收来自所述主处理器***的存储完成信息,所述存储完成信息用于指示所述第二数据已存储至所述目标存储空间,其中,所述目标存储空间存储的原始数据被替换为所述第二数据;所述安全处理***生成用于校验所述第二数据或所述第四数据的完整性的目标MAC;在从所述PCIE接口接收所述存储完成信息后,将原始MAC替换为所述目标MAC;所述原始MAC用于校验所述原始数据的完整性In an optional implementation manner, after the security processor system sends the address indication information to the PCIE interface, the method further includes: the PCIE interface receives from the host processor system through the PCIE bus Storing completion information used to indicate that the second data has been stored in the target storage space, wherein the original data stored in the target storage space is replaced with the second data; the security process The system generates a target MAC for verifying the integrity of the second data or the fourth data; after receiving the storage completion information from the PCIE interface, the original MAC is replaced with the target MAC; the The original MAC is used to verify the integrity of the original data
在一个可选的实现方式中,所述安全处理器***包括:流密码单元、密钥生成器以及随机存取存储器RAM,所述流密码单元分别与所述密钥生成器和所述RAM相耦合;所述安全处理器***从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据包括:所述流密码单元从所述PCIE接口接收所述第一数据;所述流密码单元从所述密钥生成器获至少一个密钥以及从所述RAM获取至少一个MAC;利用所述至少一个密钥解密所述第一数据;利用所述至少一个MAC对所述第一数据做MAC校验,其中,所述至少一个密钥和所述至少一个MAC对应于所述第一数据或所述第二数据在所述目标存储空间中的地址。在该实现方式中,SE利用其内部存储的密钥对从外部获取的数据进行解密以及利用其内部存储的至少一个MAC来校验从外部获取的数据的完整性,可以避免密钥和MAC被其他设备获取,提高安全性。In an optional implementation manner, the secure processor system includes: a stream cipher unit, a key generator, and a random access memory RAM, and the stream cipher unit is respectively associated with the key generator and the RAM Coupling; the secure processor system receiving the first data from the PCIE interface and desecuring the first data to obtain the third data includes: the stream cipher unit receiving the data from the PCIE interface The first data; the stream cipher unit obtains at least one key from the key generator and at least one MAC from the RAM; decrypts the first data using the at least one key; uses the at least one One MAC performs a MAC check on the first data, wherein the at least one key and the at least one MAC correspond to addresses of the first data or the second data in the target storage space. In this implementation, the SE uses its internally stored key to decrypt the data obtained from the outside and uses at least one MAC of its internally stored to verify the integrity of the data obtained from the outside, so that the key and MAC can be avoided Access to other equipment to improve safety.
在一个可选的实现方式中,所述安全处理器***包括:流密码单元、密钥生成器以及随机存取存储器RAM,所述流密码单元分别与所述密钥生成器和所述RAM相耦合;所述 安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据包括:所述流密码单元从所述密钥生成器获取至少一个密钥,并利用所述至少一个密钥对所述第四数据进行加密以得到所述第二数据;生成用于校验所述第四数据或所述第二数据的完整性的至少一个MAC并存储至所述RAN;向所述PCIE接口发送处理后的所述第二数据。在该实现方式中,SE在通过PCIE总线将数据写入DRAM之前,对该数据进行加密并将用于校验该数据的完整性的MAC存储至其内部的RAM,以便于保证数据的安全。In an optional implementation manner, the secure processor system includes: a stream cipher unit, a key generator, and a random access memory RAM, and the stream cipher unit is respectively associated with the key generator and the RAM Coupling; processing the fourth data by the secure processor system to obtain the second data and sending the processed second data to the PCIE interface includes: the stream cipher unit obtaining at least at least one from the key generator A key, and use the at least one key to encrypt the fourth data to obtain the second data; generating at least one for verifying the integrity of the fourth data or the second data MAC and store to the RAN; send the processed second data to the PCIE interface. In this implementation, the SE encrypts the data and writes the MAC used to verify the integrity of the data to its internal RAM before writing the data to the DRAM via the PCIE bus, so as to ensure the security of the data.
在一个可选的实现方式中,所述安全处理器***还包括:参考存储器和内存管理单元MMU,所述参考存储器和所述MMU均与所述密钥生成器耦合;所述流密码单元包括MAC校验控制器和加解密引擎;所述安全处理器***从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据之前,所述方法还包括:所述MMU将所述第一数据在所述目标存储空间中的地址映射为目标地址;所述密钥生成器根据所述目标地址和从所述参考存储器获取的根密钥,生成所述至少一个密钥;In an optional implementation manner, the secure processor system further includes: a reference memory and a memory management unit MMU, both the reference memory and the MMU are coupled with the key generator; the stream cipher unit includes The MAC verification controller and the encryption and decryption engine; before the secure processor system receives the first data from the PCIE interface and desecures the first data to obtain the third data, the method further The method includes: the MMU maps the address of the first data in the target storage space to a target address; the key generator generates the data according to the target address and the root key obtained from the reference memory Describe at least one key;
所述安全处理器***从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据包括:所述加解密引擎利用所述密钥解密所述第一数据以得到所述第三数据;所述MAC校验控制器利用所述至少一个MAC对所述第一数据做MAC校验。The secure processor system receives the first data from the PCIE interface and desecures the first data to obtain the third data. The encryption and decryption engine decrypts the first data using the key A data to obtain the third data; the MAC verification controller performs MAC verification on the first data using the at least one MAC.
第三方面,本申请实施例提供了一种数据处理装置,包括上述第一方面以及任一种可选实现方式中所述的安全处理器***和主处理器***。In a third aspect, an embodiment of the present application provides a data processing apparatus, including the security processor system and the main processor system described in the above first aspect and any optional implementation manner.
在一个可选的实现方式中,所述数据处理装置还包括上述第一方面以及任一种可选实现方式中所述的DRAM。In an optional implementation manner, the data processing apparatus further includes the DRAM described in the first aspect above and any optional implementation manner.
在一个可选的实现方式中,所述数据处理装置还包括上述第一方面以及任一种可选实现方式中所述的NVM。In an optional implementation manner, the data processing apparatus further includes the NVM described in the first aspect above and any optional implementation manner.
第四方面,本申请实施例提供了一种计算机可读存储介质,所述计算机存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行上述第二方面以及任一种可选实现方式的方法。可选地,所述处理器位于SE内部。According to a fourth aspect, an embodiment of the present application provides a computer-readable storage medium that stores a computer program, where the computer program includes program instructions, which when executed by a processor causes the processing The device executes the above second aspect and any optional implementation method. Optionally, the processor is located inside the SE.
第五方面,本申请实施例提供了一种计算机程序产品,所述计算机程序产品包括程序指令,所述程序指令当被处理器执行时使所述处理器执行上述第二方面以及任一种可选实现方式的方法。可选地,所述处理器位于SE内部。According to a fifth aspect, an embodiment of the present application provides a computer program product, where the computer program product includes program instructions, which when executed by a processor causes the processor to perform the second aspect described above and any Choose the method of implementation. Optionally, the processor is located inside the SE.
第六方面,本申请实施例提供了一种设备,包括存储器和处理器;存储器用于保存程序指令,处理器用于执行所述程序指令以执行上述第二方面以及任一种可选实现方式的方法。可选地,所述处理器位于SE内部。According to a sixth aspect, an embodiment of the present application provides a device, including a memory and a processor; the memory is used to store program instructions, and the processor is used to execute the program instructions to perform the second aspect and any optional implementation manner method. Optionally, the processor is located inside the SE.
附图说明BRIEF DESCRIPTION
图1为本申请实施例提供的一种数据处理装置10的结构示意图;FIG. 1 is a schematic structural diagram of a data processing device 10 according to an embodiment of the present application;
图2为本申请实施例提供的一种数据处理方法流程图;2 is a flowchart of a data processing method provided by an embodiment of the present application;
图3为本申请实施例提供的另一种数据处理方法流程图;3 is a flowchart of another data processing method provided by an embodiment of the present application;
图4为本申请实施例提供的又一种数据处理方法的示意图;4 is a schematic diagram of another data processing method provided by an embodiment of the present application;
图5为本申请实施例提供的一种密钥生成器生成密钥的方法流程图;5 is a flowchart of a method for generating a key by a key generator provided by an embodiment of this application;
图6示出了NVM存储的第二数据与RAM存储的MAC的示意图;6 shows a schematic diagram of second data stored by NVM and MAC stored by RAM;
图7为本申请提供的另一种数据处理方法流程图;7 is a flowchart of another data processing method provided by this application;
图8为本申请实施例提供的一种数据处理装置的结构示意图;8 is a schematic structural diagram of a data processing device according to an embodiment of the present application;
图9为本申请实施例提供的另一种数据处理装置结构的框图。9 is a block diagram of another data processing device structure provided by an embodiment of the present application.
具体实施方式detailed description
为了使本技术领域的人员更好地理解本申请实施例方案,下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行清楚地描述,显然,所描述的实施例仅仅是本申请一部分的实施例,而不是全部的实施例。In order to enable those skilled in the art to better understand the solutions in the embodiments of the present application, the technical solutions in the embodiments of the present application will be described clearly in conjunction with the drawings in the embodiments of the present application. Obviously, the described embodiments are only It is a part of the embodiments of this application, but not all the embodiments.
本申请的说明书实施例和权利要求书及上述附图中的术语“第一”、“第二”、和“第三”等是用于区别类似的对象,而不必用于描述特定的顺序或先后次序。此外,术语“包括”和“具有”以及他们的任何变形,意图在于覆盖不排他的包含,例如,包含了一系列步骤或单元。方法、***、产品或设备不必限于清楚地列出的那些步骤或单元,而是可包括没有清楚地列出的或对于这些过程、方法、产品或设备固有的其它步骤或单元。“和/或”用于表示在其所连接的两个对象之间选择一个或全部。例如“A和/或B”表示A、B或A+B。The terms "first", "second", and "third" in the description examples and claims of the present application and the above drawings are used to distinguish similar objects, and are not required to describe a specific order or The order. In addition, the terms "including" and "having" and any variations thereof are intended to cover non-exclusive inclusions, for example, including a series of steps or units. A method, system, product, or device need not be limited to those steps or units that are clearly listed, but may include other steps or units that are not clearly listed or inherent to these processes, methods, products, or equipment. "And/or" is used to select one or all of the two objects connected to it. For example, "A and/or B" means A, B, or A+B.
目前,集成到SOC主芯片的SE(inSE)的内部不包括非易失存储器(NVM),原因是目前SOC主芯片工艺非常先进(主流已经到7nm),而在这种工艺下NVM的介质flash无法集成到SOC主芯片。另外,由于SOC工艺一直演进攀升,集成到SOC的SE的安全认证功能受SOC主芯片工艺的影响而带来很多认证的工作量。鉴于上述原因,本申请实施例提供的一种方案是SOC和SE未集成在一起,即SOC和eSE是两个独立的部件,但是不限定于此。本申请提供的数据处理装置可以是台式电脑、笔记本电脑、手机、平板电脑、个人数字助理、可穿戴设备等包含SE的装置;也可以是以上电子设备中的一部分模组,如电路板、芯片、芯片组或其上运行的必要软件的组合。本申请提供的安全元件可以应用到手机、平板电脑、个人数字助理、笔记本电脑等有一定安全性需求数据处理装置。At present, the SE (inSE) integrated into the SOC main chip does not include non-volatile memory (NVM), because the current SOC main chip process is very advanced (mainstream has reached 7nm), and in this process, NVM media flash Unable to integrate into SOC main chip. In addition, because the SOC process has been evolving and climbing, the security authentication function of the SE integrated into the SOC is affected by the SOC main chip process and brings a lot of authentication workload. In view of the above reasons, a solution provided by the embodiments of the present application is that SOC and SE are not integrated, that is, SOC and eSE are two independent components, but it is not limited thereto. The data processing device provided in this application may be a desktop computer, a notebook computer, a mobile phone, a tablet computer, a personal digital assistant, a wearable device and other devices containing SE; it may also be a part of the modules in the above electronic equipment, such as circuit boards, chips , A chipset or a combination of necessary software running on it. The security element provided in this application can be applied to mobile phones, tablet computers, personal digital assistants, notebook computers and other data processing devices with certain security requirements.
图1示出了本申请一个实施例的数据处理装置10的结构示意图。如图1所示,数据处理装置10可包括:SOC100和SE120。SOC100对应于本申请中的主处理器***;SE120中除PCIE接口112之外的部分对应于本申请中的安全处理器***。SOC100和SE120通过PCIE总线耦合。从图1可以看出,SE120内部的PCIE接口112与SOC内部的PCIE接口104通过PCIE总线连接;SOC内部的PCIE接口104通过DRAM接口103耦合至DRAM107。可以理解,SE120和SOC100均通过DRAM接口103访问DRAM107。SE120通过PCIE总线可直接访问DRAM107中的数据,而不需要CPU101的参与。也就是说,SE120可以通过PCIE总线直接读取DRAM107中的数据,也可以通过PCIE总线直接向DRAM107写入数据。可选的,SE120为数据处理装置10内部的一个芯片,SE120的内部具有加密/解密逻辑电路,可以防止外部恶意解析攻击,保护数据安全。SOC称为芯片级***,也称为片上***,意指它是一个产品,例如是一个有专用目标的集成电路,其中包含完整***并有嵌入软件的全部内容。FIG. 1 shows a schematic structural diagram of a data processing device 10 according to an embodiment of the present application. As shown in FIG. 1, the data processing device 10 may include: SOC100 and SE120. SOC100 corresponds to the main processor system in this application; the part of SE120 other than PCIE interface 112 corresponds to the secure processor system in this application. SOC100 and SE120 are coupled via PCIE bus. As can be seen from FIG. 1, the PCIE interface 112 inside the SE120 and the PCIE interface 104 inside the SOC are connected through the PCIE bus; the PCIE interface 104 inside the SOC is coupled to the DRAM 107 through the DRAM interface 103. It can be understood that both SE120 and SOC100 access the DRAM 107 through the DRAM interface 103. The SE120 can directly access the data in the DRAM 107 through the PCIE bus without the participation of the CPU 101. In other words, the SE120 can directly read the data in the DRAM 107 through the PCIE bus, and can also directly write data to the DRAM 107 through the PCIE bus. Optionally, SE120 is a chip inside the data processing device 10. The SE120 has an encryption/decryption logic circuit inside, which can prevent external malicious parsing attacks and protect data security. SOC is called a chip-level system, also known as a system-on-chip, meaning that it is a product, such as an integrated circuit with a dedicated target, which contains the complete system and has the entire content of embedded software.
SOC100可包括:中央处理器(Central Processing Unit,CPU)101、NVM接口102、DRAM接口103以及PCIE接口104。CPU101通过NVM接口102可以读写NVM105中的 数据;通过DRAM接口103可以读写DRAM107中的数据。CPU101可用于读取和执行计算机可读指令。具体的,CPU101可用于调用存储于DRAM107中的程序,并执行该程序包含的指令,以控制SOC100中的各部件来实现本申请实施例中SOC100(主处理器***)的相应功能。NVM105可以是eMMC(Embedded Multi Media Card)、通用闪存(Universal Flash Storage,UFS)或者其他类型的非易失存储器。重放保护内存块(Replay Protected Memory Block,RPMB)106,即图1中的黑色区域,是NVM105中的一个具有安全特性的分区。NVM105在写入数据到RPMB106时,会校验数据的合法性,只有指定的主机(Host)才能够写入,同时在读数据时,也提供了签名机制,保证主机读取到的数据是RPMB内部数据,而不是攻击者伪造的数据。指定的主机可以是CPU101。The SOC 100 may include: a central processing unit (Central Processing Unit, CPU) 101, an NVM interface 102, a DRAM interface 103, and a PCIE interface 104. The CPU 101 can read and write data in the NVM 105 through the NVM interface 102; and can read and write data in the DRAM 107 through the DRAM interface 103. The CPU 101 can be used to read and execute computer-readable instructions. Specifically, the CPU 101 can be used to call a program stored in the DRAM 107 and execute instructions contained in the program to control each component in the SOC 100 to realize the corresponding function of the SOC 100 (main processor system) in the embodiments of the present application. NVM105 can be eMMC (Embedded Multi Media), universal flash memory (Universal Flash Storage, UFS) or other types of non-volatile memory. Replay protected memory block (Replay Protected Memory Block, RPMB) 106, which is the black area in FIG. 1, is a partition with security features in NVM105. When writing data to RPMB106, NVM105 will verify the legality of the data, and only the designated host (Host) can write. At the same time, when reading data, it also provides a signature mechanism to ensure that the data read by the host is internal to RPMB Data, not forged by attackers. The designated host may be CPU101.
SE120可包括:处理器108、高速缓冲(Cache)存储器109、内存管理单元(Memory Management Unit,MMU)110、流密码单元111、PCIE接口112、随机存取存储器(Random Access Memory,RAM)113、只读存储器(Read-Only Memory,ROM)114、闪存(flash)115、一次性可编程(One Time Programmable,OTP)存储器116、加密单元(crypto)117以及IO接口118。处理器108用于控制执行SE120(安全处理器***和PCIE接口)的各种操作,例如,数据访问、数据处理、安全认证、完整性校验等操作,以实现本申请实施例中SE120的相应功能。流密码单元111用于通过PCIE总线读取DRAM107中的第一数据,对读取的第一数据进行解密以得到第三数据,对该第一数据或该第三数据做MAC校验,将通过校验的数据传输至RAM113或Cache存储器109;还用于获取RAM113或Cache存储器109中的第四数据,对该第四数据进行加密处理以及生成该第四数据或该第四数据加密得到的第二数据的消息认证码(Message authentication code,MAC),通过PCIE总线将该第二数据写入DRAM107,将生成的MAC存储至RAM113。流密码单元111可以是SE120内部一个专门用于实现加解密以及完整性校验的硬件。可选的,由处理器108运行的软件实现对流密码单元111的控制功能。Cache存储器109、RAM113、ROM114、闪存115以及OTP存储器116,用于存储不同类型的数据或指令等,这里不再详述。MMU 110负责虚拟地址到物理地址的映射,并提供硬件机制的内存访问权限检查。加密单元117用于实现SE120提供的各种安全服务,例如安全认证、数据加密等。IO接口118用于与其他部件之间进行通信。应理解,以上只是SE的一种具体实现形式,本申请对此并不限定。The SE 120 may include: a processor 108, a cache memory 109, a memory management unit (Memory Management Unit, MMU) 110, a stream cipher unit 111, a PCIE interface 112, a random access memory (Random Access Memory, RAM) 113, A read-only memory (Read-Only Memory, ROM) 114, a flash memory (flash) 115, a one-time programmable (OTP) memory 116, an encryption unit (crypto) 117, and an IO interface 118. The processor 108 is used to control and execute various operations of the SE120 (secure processor system and PCIE interface), for example, data access, data processing, security authentication, integrity verification, and other operations, to implement the corresponding SE120 in the embodiments of the present application Features. The stream cipher unit 111 is used to read the first data in the DRAM 107 through the PCIE bus, decrypt the read first data to obtain third data, and perform a MAC check on the first data or the third data, which will pass The verified data is transferred to the RAM 113 or the Cache memory 109; it is also used to obtain the fourth data in the RAM 113 or the Cache memory 109, perform encryption processing on the fourth data, and generate the fourth data or the encrypted fourth data In the message authentication code (MAC) of the second data, the second data is written into the DRAM 107 through the PCIE bus, and the generated MAC is stored in the RAM 113. The stream cipher unit 111 may be a piece of hardware inside the SE 120 that is specifically used to implement encryption and decryption and integrity verification. Optionally, the software executed by the processor 108 implements the control function of the stream cipher unit 111. Cache memory 109, RAM 113, ROM 114, flash memory 115, and OTP memory 116 are used to store different types of data or instructions, which will not be described in detail here. MMU 110 is responsible for the mapping of virtual addresses to physical addresses, and provides memory access permission checks for hardware mechanisms. The encryption unit 117 is used to implement various security services provided by the SE 120, such as security authentication and data encryption. The IO interface 118 is used to communicate with other components. It should be understood that the above is only a specific implementation form of SE, which is not limited in this application.
应当理解,数据处理装置10仅为本申请实施例提供的一个例子,并且,数据处理装置10可具有比示出的部件更多或更少的部件,可以组合两个或更多个部件,或者可具有部件的不同配置实现。基于图1中的数据处理装置10,本申请实施例提供了一种数据处理方法流程图,如图2所示,该方法可包括:201、SE120向SOC100发送读取请求。SE120发送读取请求的过程如下:处理器108向PCIE接口112发送读取请求;PCIE接口112通过PCIE总线将该读取请求发送至SOC中的PCIE接口104;PCIE接口104向CPU101发送给该读取请求。上述读取请求用于读取NVM105中的第二地址(目标存储空间)存储的第一数据,或者,用于读取DRAM107中的参考存储空间存储的第一数据。其中,所述参考存储空间为DRAM107中用于存储来自SE120的数据的存储空间。上述读取请求可以包括第一起始地址和第一长度信息,该第一起始地址为NVM105中存储该第一数据的起始地址,第一长 度信息为该第一数据占用的存储空间的大小。该第一起始地址和该第一长度信息结合起来可以确定NVM105中的第二地址,即存储该第一数据的地址。It should be understood that the data processing device 10 is only an example provided by the embodiments of the present application, and the data processing device 10 may have more or fewer components than those shown, and two or more components may be combined, or It can be realized with different configurations of components. Based on the data processing device 10 in FIG. 1, an embodiment of the present application provides a flowchart of a data processing method. As shown in FIG. 2, the method may include: 201. The SE 120 sends a read request to the SOC 100. The process of SE120 sending a read request is as follows: the processor 108 sends a read request to the PCIE interface 112; the PCIE interface 112 sends the read request to the PCIE interface 104 in the SOC through the PCIE bus; the PCIE interface 104 sends the read request to the CPU 101 Fetch request. The above read request is used to read the first data stored in the second address (target storage space) in the NVM 105, or used to read the first data stored in the reference storage space in the DRAM 107. Wherein, the reference storage space is a storage space in the DRAM 107 for storing data from the SE 120. The above read request may include a first start address and first length information, where the first start address is the start address where the first data is stored in the NVM 105, and the first length information is the size of the storage space occupied by the first data. The first start address and the first length information can be combined to determine the second address in the NVM 105, that is, the address where the first data is stored.
202、处理器101将NVM105中的目标存储空间存储的第一数据搬移至DRAM107的参考存储空间。NVM105中的第二地址对应的存储空间为目标存储空间。也就是说,处理器101将NVM105中的第二地址存储的第一数据搬移至DRAM107的参考存储空间。可选的,NVM105为eMMC,eMMC中的RPMB106的全部或者一部分分配给SE100使用,即RPMB106的全部或者一部分作为SE120的扩展NVM。可选的,处理器101在执行203之前,确定DRAM107中存储第一数据的参考存储空间对应的第一地址。202. The processor 101 moves the first data stored in the target storage space in the NVM 105 to the reference storage space of the DRAM 107. The storage space corresponding to the second address in the NVM 105 is the target storage space. That is, the processor 101 moves the first data stored in the second address in the NVM 105 to the reference storage space of the DRAM 107. Optionally, the NVM 105 is an eMMC, and all or a part of the RPMB 106 in the eMMC is allocated for use by the SE 100, that is, all or a part of the RPMB 106 is used as the extended NVM of the SE 120. Optionally, before executing 203, the processor 101 determines the first address corresponding to the reference storage space where the first data is stored in the DRAM 107.
203、SOC100向SE120发送第一地址。SOC100发送第一地址过程如下:处理器101向PCIE接口104发送该第一地址;PCIE接口104通过PCIE总线将该第一地址发送至SE120内部的PCIE接口112;PCIE接口1112向CPU108发送给该第一地址。上述第一地址为上述DRAM107中存储上述第一数据的地址,即参考存储空间的地址。204、SE120通过PCIE总线读取DRAM107中的上述第一地址(参考存储空间)存储的上述第一数据。具体的读取过程如下:PCIE接口112通过PCIE总线获取DRAM107中的参考存储空间中的第一数据;流密码单元111从PCIE接口112接口该第一数据。205、流密码单元111对上述第一数据进行解密,得到第三数据。206、流密码单元111校验上述第一数据或者上述第三数据的完整性。可选地,步骤206和205之间的顺序可以调换,本实施例对此不做限定。207、流密码单元111在第一数据或者上述第三数据的完整性校验成功后,存储上述第三数据。可选的,流密码单元111将第三数据存储至RAM113或高速缓冲存储器109。203. SOC100 sends the first address to SE120. The process of SOC100 sending the first address is as follows: the processor 101 sends the first address to the PCIE interface 104; the PCIE interface 104 sends the first address to the PCIE interface 112 inside the SE120 through the PCIE bus; the PCIE interface 1112 sends the first address to the CPU 108 to the first One address. The first address is an address in the DRAM 107 that stores the first data, that is, an address in a reference storage space. 204. The SE 120 reads the first data stored in the first address (reference storage space) in the DRAM 107 through the PCIE bus. The specific reading process is as follows: The PCIE interface 112 obtains the first data in the reference storage space in the DRAM 107 through the PCIE bus; the stream cipher unit 111 interfaces the first data from the PCIE interface 112. 205. The stream cipher unit 111 decrypts the above first data to obtain third data. 206. The stream cipher unit 111 verifies the integrity of the first data or the third data. Optionally, the order between steps 206 and 205 can be reversed, which is not limited in this embodiment. 207. The stream cipher unit 111 stores the third data after the integrity verification of the first data or the third data is successful. Optionally, the stream cipher unit 111 stores the third data to the RAM 113 or the cache memory 109.
本申请实施例中,DRAM107作为SE120和SOC100之间进行数据传输的中转站,使得SE120可以准确地、快速地读取NVM105中的加密数据,可以很好地解决SE120内部的非易失存储资源不足的问题。In the embodiment of the present application, DRAM107 serves as a relay station for data transmission between SE120 and SOC100, so that SE120 can accurately and quickly read the encrypted data in NVM105, which can well solve the shortage of non-volatile storage resources inside SE120 The problem.
图2中描述了SE120读取NVM105中的加密数据(第一数据)的流程,下面介绍SE120将加密后的数据存储至NVM105的流程。图3为本申请实施例提供的另一种数据处理方法流程图,如图3所示,该方法可包括:301、流密码单元111加密第四数据以得到第二数据。上述第四数据可以是SE120待存储至NVM105的数据。可选的,流密码单元111从高速缓冲存储器109或RAM113获取上述第四数据,并对该第四数据进行加密。上述第二数据可以是图2中的第一数据,上述第四数据可以是图2中的第三数据。FIG. 2 describes the flow of SE120 reading encrypted data (first data) in NVM105. The flow of SE120 storing encrypted data in NVM105 is described below. FIG. 3 is a flowchart of another data processing method provided by an embodiment of the present application. As shown in FIG. 3, the method may include: 301. The stream cipher unit 111 encrypts the fourth data to obtain second data. The above fourth data may be data to be stored in the NVM 105 by the SE 120. Optionally, the stream cipher unit 111 acquires the above fourth data from the cache memory 109 or RAM 113, and encrypts the fourth data. The above second data may be the first data in FIG. 2, and the above fourth data may be the third data in FIG. 2.
302、流密码单元111生成上述第四数据或上述第二数据对应的至少一个MAC(目标MAC),并存储至RAM113。流密码单元111可以利用上述至少一个MAC校验从外部存储器,例如DRAM107,读取的上述第四数据或者上述第二数据的完整性。可选的,流密码单元111生成上述第二数据包括的N组数据对应的N个MAC,上述N个MAC中的任一个MAC用于校验上述第二数据包括的N组数据中的一组数据的完整性。也就是说,上述N个MAC与上述第二数据包括的N组数据一一对应。N为大于0的整数。可选的,流密码单元111生成上述第四数据包括的N组数据对应的N个MAC,上述N个MAC中的任一个MAC用于校验上述第四数据包括的N组数据中的一组数据的完整性。也就是说,上述N个MAC与上述第四数据包括的N组数据一一对应。在实际应用中,流密码单元111可采用SHA-256算法、AES-CMAC算法等任意校验算法生成MAC,本申请不做限定。302. The stream cipher unit 111 generates at least one MAC (target MAC) corresponding to the fourth data or the second data, and stores it in the RAM 113. The stream cipher unit 111 may use the at least one MAC to verify the integrity of the fourth data or the second data read from an external memory, such as the DRAM 107. Optionally, the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the second data, and any one of the N MACs is used to check one of the N sets of data included in the second data Data integrity. In other words, the N MACs correspond to the N sets of data included in the second data. N is an integer greater than 0. Optionally, the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the fourth data, and any one of the N MACs is used to check one of the N sets of data included in the fourth data Data integrity. In other words, the N MACs correspond to the N sets of data included in the fourth data. In practical applications, the stream cipher unit 111 may use any verification algorithm such as SHA-256 algorithm or AES-CMAC algorithm to generate a MAC, which is not limited in this application.
303、流密码单元111将上述第二数据写入DRAM107的参考存储空间。上述参考存储空间为DRAM107中用于存储来自上述SE120的数据的存储空间。流密码单元111将上述第二数据写入DRAM107的参考存储空间可以是流密码单元111向PCIE接口112发送所述第二数据;PCIE接口112通过PCIE总线将所述第二数据写入DRAM107的参考存储空间。在实际应用中,DRAM107的特定存储空间,即参考存储空间,分配给SE120来使用。304、SE120向SOC100发送地址指示信息。SE120向SOC100发送地址指示信息的过程如下:处理器108向PCIE接口112发送地址指示信息;PCIE接口112通过PCIE总线将该地址指示信息发送给PCIE接口104;PCIE接口104将该地址指示信息发送给CPU101。上述地址指示信息用于指示SOC100将参考存储空间中的第二数据搬移至NVM中的目标存储空间。可选的,上述地址指示信息包含NVM105中的第三地址,该第三地址对应NVM105中的目标存储空间,该第三地址可以是图2中的第二地址。303. The stream cipher unit 111 writes the above second data into the reference storage space of the DRAM 107. The above reference storage space is a storage space in the DRAM 107 for storing data from the above SE120. The reference storage space in which the stream cipher unit 111 writes the above-mentioned second data to the DRAM 107 may be a reference that the stream cipher unit 111 sends the second data to the PCIE interface 112; the PCIE interface 112 writes the second data to the DRAM 107 through the PCIE bus. storage. In practical applications, the specific storage space of the DRAM 107, that is, the reference storage space, is allocated to the SE120 for use. 304. SE120 sends address indication information to SOC100. The process of SE120 sending address indication information to SOC100 is as follows: processor 108 sends address indication information to PCIE interface 112; PCIE interface 112 sends the address indication information to PCIE interface 104 through the PCIE bus; PCIE interface 104 sends the address indication information to CPU101. The above address indication information is used to instruct the SOC 100 to move the second data in the reference storage space to the target storage space in the NVM. Optionally, the above address indication information includes a third address in NVM105, the third address corresponds to the target storage space in NVM105, and the third address may be the second address in FIG. 2.
305、CPU101将DRAM107的上述参考存储空间存储的上述第二数据搬移至NVM105中的目标存储空间。上述目标存储空间在上述NVM中的存储地址为上述第三地址。306、SOC100向SE100发送存储完成信息。SOC100向SE100发送存储完成信息的过程如下:CPU101向PCIE接口104发送存储完成信息;PCIE接口104通过PCIE总线向PCIE接口112发送该存储完成信息;PCIE接口112向处理器108发送该存储完成信息。上述存储完成信息用于指示上述第二数据已存储至上述目标存储空间。所述目标存储空间存储的原始数据被替换为所述第二数据。307、处理器108在接收到上述存储完成信息后,将原始MAC替换为目标MAC。所述原始MAC用于校验所述原始数据的完整性。上述目标存储空间对应N页,上述第二数据包括的N组数据分别存储于上述N页中的不同页,N为大于0的整数。上述原始MAC用于校验上述N页写入上述第二数据之前存储的原始数据的完整性,或者,校验上述N页写入上述第二数据之前存储的原始数据解密得到的数据的完整性。305. The CPU 101 moves the second data stored in the reference storage space of the DRAM 107 to a target storage space in the NVM 105. The storage address of the target storage space in the NVM is the third address. 306. SOC100 sends the storage completion information to SE100. The process of SOC100 sending storage completion information to SE100 is as follows: CPU101 sends storage completion information to PCIE interface 104; PCIE interface 104 sends the storage completion information to PCIE interface 112 through the PCIE bus; PCIE interface 112 sends the storage completion information to processor 108. The storage completion information is used to indicate that the second data has been stored in the target storage space. The original data stored in the target storage space is replaced with the second data. 307. After receiving the storage completion information, the processor 108 replaces the original MAC with the target MAC. The original MAC is used to check the integrity of the original data. The target storage space corresponds to N pages, and the N sets of data included in the second data are respectively stored in different pages of the N pages, and N is an integer greater than 0. The original MAC is used to verify the integrity of the original data stored before the N pages are written to the second data, or to verify the integrity of the data obtained by decrypting the original data stored before the N pages are written to the second data .
本申请实施例中,SE100将加密后的数据通过DRAM107存储至NVM105,既可以保证数据的安全,又可以有效地扩展SE100内部的非易失存储空间。In the embodiment of the present application, the SE100 stores the encrypted data to the NVM 105 through the DRAM 107, which can not only ensure the security of the data, but also effectively expand the non-volatile storage space inside the SE100.
前述实施例未详细介绍SE的加解密过程,下面介绍SE实现加解密的方式。图4为本申请提供的另一种数据处理方法的示意图,如图4所示,该方法可包括:401、流密码单元111从高速缓冲存储器109获取第四数据。可选的,流密码单元111也可从RAM113或者其他存储器获取上述第四数据。可以理解,高速缓冲存储器109可以替换为其他存储器。上述第四数据为SE120待存储至NVM105的数据。在实际应用中,当SE120中的RAM113或者其他存储器的存储空间不足时,也可以将数据存储至SE120外部的NVM。The foregoing embodiments do not describe the encryption and decryption process of the SE in detail, and the following describes how the SE implements the encryption and decryption. FIG. 4 is a schematic diagram of another data processing method provided by the present application. As shown in FIG. 4, the method may include: 401. The stream cipher unit 111 obtains fourth data from the cache memory 109. Optionally, the stream cipher unit 111 may also obtain the above fourth data from the RAM 113 or other memory. It can be understood that the cache memory 109 may be replaced with other memories. The above fourth data is data to be stored by the SE120 to the NVM105. In practical applications, when the storage space of the RAM 113 or other memory in the SE120 is insufficient, the data can also be stored to the NVM outside the SE120.
402、流密码单元111从密钥生成器119获取至少一个密钥。密钥生成器119可以根据从MMU110获取的目标地址以及从参考存储器获取的根密钥,生成上述至少一个密钥。参考存储器可以是OTP存储器116。MMU110用于将第三地址映射为上述目标地址。上述目标地址可以是上述第三地址映射的物理地址,也可以是其他形式的地址,相对应的,第三地址可以是逻辑地址。SE120待将上述第四数据加密得到的第二数据存储至NVM105中的第三地址对应的目标存储空间。上述目标存储空间包括N页(page),即N个存储块,每一页存储上述第二数据包括的N组数据中的一组。可选的,一页存储4KB的数据。可选的,MMU110将上述第三地址映射为包括N个参考地址的目标地址。密钥生成器119可以通过 合理的密钥生成函数(Key derivation function,KDF)根据上述根密钥和上述N个参考地址,生成N个密钥,上述N个密钥与上述N页一一对应且与上述第三地址对应。也就是说,SE120利用上述第三地址和根密钥可以生成与上述N页一一对应的N个密钥。上述N个密钥分别用于对上述第四数据包括的N组数据进行加密,得到上述第二数据包括的N组数据。上述第四数据包括的每一组数据加密得到的数据存储至上述N页中的一页。可以理解,上述N页中的每一页存储的数据对应的密钥不同。密钥生成器119可以采用任一种加密算法来根据上述目标地址和上述根密钥生成上述至少一个密钥,本申请对此不做限定。图5为本申请实施例提供的一种密钥生成器生成密钥的方法流程图。如图5所示,密钥生成器119利用根密钥和目标地址生成N个密钥,并将生成的N个密钥传输至流密码单元111。402. The stream cipher unit 111 acquires at least one key from the key generator 119. The key generator 119 may generate the at least one key according to the target address obtained from the MMU 110 and the root key obtained from the reference memory. The reference memory may be the OTP memory 116. The MMU 110 is used to map the third address to the above target address. The target address may be a physical address mapped by the third address, or an address in another form. Correspondingly, the third address may be a logical address. The SE 120 is to store the second data obtained by encrypting the fourth data in the target storage space corresponding to the third address in the NVM 105. The target storage space includes N pages, that is, N storage blocks, and each page stores one of the N sets of data included in the second data. Optionally, one page stores 4KB of data. Optionally, the MMU 110 maps the third address to a target address including N reference addresses. The key generator 119 can generate N keys according to the root key and the N reference addresses through a reasonable key generation function (KDF), and the N keys correspond to the N pages in one-to-one correspondence And corresponds to the third address mentioned above. In other words, the SE 120 can generate N keys corresponding to the N pages one-to-one using the third address and the root key. The N keys are used to encrypt the N sets of data included in the fourth data to obtain the N sets of data included in the second data. The data obtained by encrypting each group of data included in the fourth data is stored in one of the N pages. It can be understood that the key corresponding to the data stored in each page of the foregoing N pages is different. The key generator 119 may use any encryption algorithm to generate the at least one key according to the target address and the root key, which is not limited in this application. 5 is a flowchart of a method for generating a key by a key generator provided by an embodiment of this application. As shown in FIG. 5, the key generator 119 generates N keys using the root key and the target address, and transmits the generated N keys to the stream cipher unit 111.
403、流密码单元111利用上述至少一个密钥对上述第四数据进行加密,通过PCIE总线将上述第四数据加密得到的第二数据写入DRAM107。流密码单元111利用上述至少一个密钥对上述第四数据进行加密可以是流密码单元111利用上述N个密钥分别对上述第四数据包括的N组数据进行加密,得到上述第二数据包括的N组数据。流密码单元111以占用存储空间MKB为标准对上述第四数据进行划分,得到N组数据,每组数据加密后的数据占用NVM105中的一页。M可以是4、8、16等。举例来说,流密码单元111以占用4KB存储空间为标准对占用15KB存储空间的第四数据进行划分,得到4组数据。其中,3组数据占用4KB存储空间,1组数据占用3KB存储空间,这4组数据加密得到的4组数据占用NVM105中的4个不同页。可以理解,流密码单元111对上述第四数据包括的任意两组数据进行加密采用的密钥不同。可选的,流密码单元111将上述第二数据写入DRAM107的参考存储空间。403. The stream cipher unit 111 encrypts the fourth data using the at least one key, and writes the encrypted second data to the DRAM 107 through the PCIE bus. The stream cipher unit 111 uses the at least one key to encrypt the fourth data may be the stream cipher unit 111 uses the N keys to encrypt the N sets of data included in the fourth data to obtain the second data N sets of data. The stream cipher unit 111 divides the above fourth data based on the occupied storage space MKB as a standard to obtain N sets of data, and the encrypted data of each set of data occupies one page in the NVM 105. M can be 4, 8, 16, etc. For example, the stream cipher unit 111 divides the fourth data occupying 15KB of storage space by using 4KB of storage space as a standard to obtain 4 sets of data. Among them, 3 sets of data occupy 4KB storage space, 1 set of data occupy 3KB storage space, 4 sets of data encrypted by these 4 sets of data occupy 4 different pages in NVM105. It can be understood that the stream cipher unit 111 uses different keys for encrypting any two sets of data included in the fourth data. Optionally, the stream cipher unit 111 writes the above-mentioned second data to the reference storage space of the DRAM 107.
404、流密码单元111生成上述第四数据或上述第二数据对应的至少一个MAC,并写入RAM113。可选的,流密码单元111生成上述第二数据包括的N组数据对应的N个MAC。也就是说,流密码单元111根据第二数据包括的每组数据生成一个MAC。上述N个MAC中的任一个MAC用于校验上述第二数据包括的N组数据中的一组数据的完整性。可选的,流密码单元111生成上述第四数据包括的N组数据对应的N个MAC,上述N个MAC中的任一个MAC用于校验上述第四数据包括的N组数据中的一组数据的完整性。也就是说,流密码单元111根据第四数据包括的每组数据生成一个MAC。404. The stream cipher unit 111 generates at least one MAC corresponding to the fourth data or the second data, and writes to the RAM 113. Optionally, the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the second data. That is, the stream cipher unit 111 generates a MAC based on each set of data included in the second data. Any one of the N MACs is used to check the integrity of a group of data in the N groups of data included in the second data. Optionally, the stream cipher unit 111 generates N MACs corresponding to the N sets of data included in the fourth data, and any one of the N MACs is used to check one of the N sets of data included in the fourth data Data integrity. That is, the stream cipher unit 111 generates a MAC based on each set of data included in the fourth data.
405、CPU101将上述第二数据从DRAM107搬移至NVM105中的目标存储空间。在执行404之前,SE120向SOC100中的CPU101发送地址指示信息,SOC100根据上述地址指示信息来搬移上述第二数据。地址指示信息用于指示SOC100将参考存储空间中的第二数据搬移至NVM中的目标存储空间。可选的,上述地址指示信息包含NVM105中的第三地址,该第三地址对应NVM105中的目标存储空间。可选的,SOC100将上述第二数据包括的N组数据分别存储于上述目标存储空间包括的N页中的不同页,N为大于0的整数。在实际应用中,SOC100可以占用NVM105中的多页来存储上述第二数据,每一页占用的存储空间大小相同。RAM113存储的上述N个MAC与上述N页一一对应。图6示出了NVM存储的第二数据与RAM存储的MAC的示意图。如图6所示,目标存储空间包括页1至页N,页1至页N中的每一页存储第二数据包括的一组数据,每一页可以存储4KB的数据;RAM113存储有用于校验页1至页N中的每一页存储的数据的MAC。举例来说,RAM113 中的页1对应的MAC可以用来校验目标存储空间中的页1存储的一组数据的完整性。405. The CPU 101 moves the second data from the DRAM 107 to the target storage space in the NVM 105. Before performing 404, the SE 120 sends address instruction information to the CPU 101 in the SOC 100, and the SOC 100 moves the second data according to the address instruction information. The address indication information is used to instruct the SOC 100 to move the second data in the reference storage space to the target storage space in the NVM. Optionally, the address indication information includes a third address in the NVM105, and the third address corresponds to the target storage space in the NVM105. Optionally, the SOC 100 stores the N sets of data included in the second data in different pages among the N pages included in the target storage space, where N is an integer greater than 0. In practical applications, SOC100 can occupy multiple pages in NVM105 to store the above second data, and each page occupies the same storage space. The N MACs stored in the RAM 113 correspond one-to-one to the N pages. 6 shows a schematic diagram of second data stored by NVM and MAC stored by RAM. As shown in FIG. 6, the target storage space includes pages 1 to N, and each page of pages 1 to N stores a set of data included in the second data, and each page can store 4KB of data; RAM 113 stores Check the MAC of the data stored in each of Page 1 to Page N. For example, the MAC corresponding to page 1 in RAM 113 can be used to verify the integrity of a set of data stored in page 1 in the target storage space.
本申请实施例中,SE120对待存储至NVM105的每一页数据采用一个不同的密钥进行加密,并生成每一页数据对应的MAC,以便于在读取这些数据时对每一页数据进行解密和完整性校验,提高数据的安全性。In the embodiment of the present application, SE120 uses a different key to encrypt each page of data to be stored in NVM105, and generates a MAC corresponding to each page of data, so as to decrypt each page of data when reading these data And integrity verification, improve data security.
图4介绍了SE对第四数据进行加密以及将加密后的数据存储至外部的NVM的过程,下面介绍SE从外部的NVM读取加密后的数据以及解密和校验加密后的数据的过程。图7为本申请提供的另一种数据处理方法流程图,如图7所示,该方法可包括:701、流密码单元111从密钥生成器119获取第三地址对应的至少一个密钥。SE120待读取NVM105中的上述第三地址对应的目标存储空间存储的第二数据。流密码单元111从密钥生成器119获取第三地址对应的至少一个密钥可以是流密码单元111获取密钥生成器119根据从MMU110获取的目标地址以及从OTP存储器116获取的根密钥,生成的N个密钥,具体实现方式与图4对应的实施例中的方式相同,这里不再详述。可以理解,上述至少一个密钥是密钥生成器119利用上述根密钥和上述第三地址生成的。在执行701之前,密钥生成器119生成上述至少一个密钥。在实际应用中,SE120在从NVM105读取数据之前,密钥生成器119需要利用待读取的数据在NVM105中的存储地址生成相应的密钥,以便于对读取的数据进行解密。FIG. 4 introduces the process of the SE encrypting the fourth data and storing the encrypted data to the external NVM. The following introduces the process of the SE reading the encrypted data from the external NVM and decrypting and verifying the encrypted data. FIG. 7 is a flowchart of another data processing method provided by the present application. As shown in FIG. 7, the method may include: 701. The stream cipher unit 111 obtains at least one key corresponding to the third address from the key generator 119. The SE120 is to read the second data stored in the target storage space corresponding to the third address in the NVM 105. The stream cipher unit 111 acquiring at least one key corresponding to the third address from the key generator 119 may be the stream cipher unit 111 acquiring the key generator 119 according to the target address acquired from the MMU 110 and the root key acquired from the OTP memory 116, The specific implementation manners of the generated N keys are the same as those in the embodiment corresponding to FIG. 4 and will not be described in detail here. It can be understood that the at least one key is generated by the key generator 119 using the root key and the third address. Before performing 701, the key generator 119 generates at least one key described above. In practical applications, before the SE 120 reads data from the NVM 105, the key generator 119 needs to use the storage address of the data to be read in the NVM 105 to generate a corresponding key in order to decrypt the read data.
702、流密码单元111从RAM113获取上述第三地址对应的至少一个MAC。参见图4中的404,SE120在将第二数据存储至NVM中的上述第三地址对应的目标存储空间的过程中,生成第二数据或第四数据对应的N个MAC,并存储至RAM113。可以理解,上述第三地址与上述N个MAC相对应。因此,流密码单元111可以从RAM113获取上述第三地址对应的至少一个MAC。上述第三地址对应的至少一个MAC可以是与上述第三地址在NVM105中对应的N页相对应的N个MAC,每一页对应一个MAC。举例来说,若SE120待读取NVM105中的第四地址对应的页1和页2存储的数据,则流密码单元111从RAM113获取该第四地址对应的MAC1和MAC2。其中,MAC1用于校验页1存储的数据的完整性,MAC2用于页2存储的数据的完整性。702. The stream cipher unit 111 acquires at least one MAC corresponding to the third address from the RAM 113. Referring to 404 in FIG. 4, during the process of storing the second data in the target storage space corresponding to the third address in the NVM, the SE 120 generates N MACs corresponding to the second data or the fourth data, and stores them in the RAM 113. It can be understood that the third address corresponds to the N MACs. Therefore, the stream cipher unit 111 may acquire at least one MAC corresponding to the third address from the RAM 113. The at least one MAC corresponding to the third address may be N MACs corresponding to N pages corresponding to the third address in the NVM 105, and each page corresponds to one MAC. For example, if the SE 120 is to read the data stored in the pages 1 and 2 corresponding to the fourth address in the NVM 105, the stream cipher unit 111 obtains the MAC1 and MAC2 corresponding to the fourth address from the RAM 113. Among them, MAC1 is used to verify the integrity of the data stored on page 1, and MAC2 is used to complete the data stored on page 2.
703、流密码单元111通过PCIE总线从DRAM107读取第二数据,并利用上述至少一个MAC和上述至少一个密钥对上述第二数据进行解密和校验。在执行703之前,可执行如下操作:SE120向SOC100发送读取请求,该读取请求用于读取NVM105中的第三地址存储的第二数据;SOC100将NVM105中的第三地址存储的第二数据搬移至DRAM107;SOC100向SE120发送DRAM107中存储上述第二数据的第五地址。流密码单元111通过PCIE总线从DRAM107读取第二数据可以是流密码单元111通过PCIE总线读取DRAM107中的第五地址存储的数据。703. The stream cipher unit 111 reads the second data from the DRAM 107 through the PCIE bus, and uses the at least one MAC and the at least one key to decrypt and verify the second data. Before executing 703, the following operations can be performed: SE120 sends a read request to SOC100, which is used to read the second data stored at the third address in NVM105; SOC100 stores the second data stored at the third address in NVM105 The data is moved to DRAM 107; SOC100 sends SE120 the fifth address in DRAM 107 that stores the second data. The stream cipher unit 111 reading the second data from the DRAM 107 through the PCIE bus may be the stream cipher unit 111 reading the data stored in the fifth address in the DRAM 107 through the PCIE bus.
利用上述至少一个MAC和上述至少一个密钥对上述第二数据进行解密和校验可以是利用上述至少一个密钥对上述第二数据进行解密,得到第四数据;利用上述至少一个MAC对上述第二数据或上述第四数据进行完整性校验。利用上述至少一个密钥对上述第二数据进行解密,得到第四数据可以是利用上述N个密钥分别对上述第二数据包括的N组数据进行解密。在实际应用中,第二数据存储至NVM105中的N页,每页存储一组数据,每页对应的一个密钥,流密码单元111可以对每页存储的数据分别进行解密。也就是说,流密码 单元111对每页存储的数据进行解密采用的密钥不同。利用上述至少一个MAC对上述第二数据或上述第四数据进行完整性校验可以是利用上述N个MAC分别对上述第二数据包括的N组数据进行校验;也可以是利用上述N个MAC分别对上述第四数据包括的N组数据进行校验。可选的,第四数据存储至NVM105中的N页,每页存储一组数据,每页对应的一个MAC,流密码单元111可以对每页存储的数据分别进行完整性校验。可选的,第四数据存储至NVM105中的N页,每页存储一组数据,每页对应的一个MAC,流密码单元111可以对每页存储的数据解密得到的数据分别进行完整性校验。SE120从DRAM107读取数据的单位为页(page)。可选的,每一页存储4KB数据,每个MAC占用16byte。可以理解,RAM113存储的16byte(一个MAC)可以校验NVM105中存储的4KB数据,可以将RAM113的存储空间扩展256倍。举例来说,RAM113的存储空间大小为128KB,RAM113存储的一个16byte的MAC用于校验4KB的数据,RAM113可以支持扩展到32MB的存储空间。Decrypting and verifying the second data using the at least one MAC and the at least one key may be decrypting the second data using the at least one key to obtain fourth data; using the at least one MAC to perform the second data Perform integrity check on the second data or the fourth data mentioned above. Decrypting the second data using the at least one key to obtain the fourth data may be using the N keys to decrypt N sets of data included in the second data, respectively. In practical applications, the second data is stored in N pages of the NVM 105, each page stores a set of data, and each page corresponds to a key, and the stream cipher unit 111 can decrypt the data stored on each page separately. That is, the stream cipher unit 111 uses a different key to decrypt the data stored on each page. Using the at least one MAC to perform an integrity check on the second data or the fourth data may be using the N MACs to verify N sets of data included in the second data; or using the N MACs Verify the N sets of data included in the above fourth data respectively. Optionally, the fourth data is stored to N pages in the NVM 105, each page stores a set of data, and each page corresponds to a MAC, and the stream cipher unit 111 can perform integrity verification on the data stored on each page, respectively. Optionally, the fourth data is stored to N pages in the NVM 105, each page stores a set of data, and each page corresponds to a MAC. The stream cipher unit 111 can perform integrity verification on the data obtained by decrypting the data stored on each page. . SE120 reads data from DRAM 107 in units of pages. Optionally, each page stores 4KB of data, and each MAC occupies 16byte. It can be understood that the 16 bytes (one MAC) stored in the RAM 113 can verify the 4 KB data stored in the NVM 105, and the storage space of the RAM 113 can be expanded by 256 times. For example, the storage space of the RAM 113 is 128 KB, a 16-byte MAC stored in the RAM 113 is used to check 4 KB of data, and the RAM 113 can support the expansion of the storage space to 32 MB.
704、流密码单元111在上述第二数据或上述第二数据解密得到的第四数据通过完整性校验后,将上述第四数据存储至高速缓冲存储器109。高速缓冲存储器109可以替代为RAM113或者其他存储器。704. The stream cipher unit 111 stores the fourth data in the cache memory 109 after the second data or the fourth data obtained by decrypting the second data passes the integrity check. The cache memory 109 may be replaced with RAM 113 or other memory.
本申请实施例中,SE120对从NVM105读取的每一页数据分别进行解密和完整性校验,可以方便地读取存储在NVM105中的每一页数据,并保证每一页数据的安全。In the embodiment of the present application, the SE120 separately decrypts and checks the integrity of each page of data read from the NVM105, which can conveniently read each page of data stored in the NVM105 and ensure the security of each page of data.
前述实施例未详细介绍流密码单元111的结构,下面结合流密码单元111的结构描述流密码单元111对从DRAM107读取的第二数据进行解密和完整性校验的过程。图8为本申请实施例提供的一种数据处理装置的结构示意图。如图8所示,流密码单元111包括MAC校验控制器1111和加解密引擎1112。加解密引擎1112用于对通过PCIE总线从DRAM107读取的第二数据进行解密得到第四数据;根据上述第二数据或者上述第四数据生成至少一个MAC(第一MAC),并发送给MAC校验控制器1111。加解密引擎1112还用于对来自高速缓冲存储器109或RAM113的第四数据进行加密得到第二数据;根据上述第二数据或者上述第四数据生成至少一个MAC(第二MAC),并存储至RAM113。加解密引擎1112加解密的方式以及生成MAC的方式与前述实施例中流密码单元111的实现方式相同,这里不再详述。MAC校验控制器1111,用于接收加解密引擎1112发送的第一MAC以及比对从RAM113获取的第二MAC和上述第一MAC。图8中的数据处理装置可以实现如下数据读取操作:801、密钥生成器119从OTP存储器116获取根密钥以及从MMU110获取目标地址。802、密钥生成器119根据上述根密钥和上述目标地址生成N个密钥,并发送给加解密引擎1112。803、加解密引擎1112通过PCIE总线读取第二数据,并利用上述N个密钥分别对第二数据包括的每组数据进行解密,得到第四数据。804、加解密引擎1112生成上述第四二数据包括的N组数据对应的第一MAC(N个MAC)或者生成上述第四数据包括的N组数据对应的第一MAC(N个MAC),并发送给MAC校验控制器1111。805、MAC校验控制器1111接收加解密引擎1112发送的第一MAC以及比对从RAM113获取的第二MAC和上述第一MAC。类似的,在SE120向DRAM107写入数据的过程中,加解密引擎1112利用从密钥生成器119获取的N个密钥分别对第四数据包括的每组数据进行加密,得到第二数据;生成上述第二数据包括的N组数据对应的第二MAC(N个MAC)或者生成上述第四数据包括的N组数据对应的第二MAC(N个MAC),并存储至RAM113。The foregoing embodiment does not describe the structure of the stream cipher unit 111 in detail. The process of decrypting and integrity checking the second data read from the DRAM 107 by the stream cipher unit 111 is described below in conjunction with the structure of the stream cipher unit 111. 8 is a schematic structural diagram of a data processing device according to an embodiment of the present application. As shown in FIG. 8, the stream cipher unit 111 includes a MAC verification controller 1111 and an encryption and decryption engine 1112. The encryption and decryption engine 1112 is used to decrypt the second data read from the DRAM 107 through the PCIE bus to obtain fourth data; generate at least one MAC (first MAC) according to the second data or the fourth data, and send to the MAC school测Controller1111. The encryption and decryption engine 1112 is also used to encrypt the fourth data from the cache memory 109 or RAM 113 to obtain second data; generate at least one MAC (second MAC) based on the second data or the fourth data, and store it in the RAM 113 . The method of encryption and decryption by the encryption and decryption engine 1112 and the method of generating the MAC are the same as the implementation of the stream cipher unit 111 in the foregoing embodiment, and will not be described in detail here. The MAC verification controller 1111 is configured to receive the first MAC sent by the encryption and decryption engine 1112 and compare the second MAC acquired from the RAM 113 with the first MAC. The data processing apparatus in FIG. 8 can implement the following data reading operation: 801. The key generator 119 obtains the root key from the OTP memory 116 and obtains the target address from the MMU 110. 802. The key generator 119 generates N keys according to the root key and the target address, and sends them to the encryption and decryption engine 1112. 803. The encryption and decryption engine 1112 reads the second data through the PCIE bus and uses the N The key decrypts each set of data included in the second data to obtain fourth data. 804. The encryption and decryption engine 1112 generates a first MAC (N MACs) corresponding to the N sets of data included in the fourth second data or generates a first MAC (N MACs) corresponding to the N sets of data included in the fourth data, and Sent to the MAC verification controller 1111. 805. The MAC verification controller 1111 receives the first MAC sent by the encryption and decryption engine 1112 and compares the second MAC obtained from the RAM 113 with the first MAC. Similarly, in the process of writing data to the DRAM 107 by the SE 120, the encryption and decryption engine 1112 uses N keys obtained from the key generator 119 to encrypt each group of data included in the fourth data to obtain second data; The second MAC (N MACs) corresponding to the N sets of data included in the second data or the second MAC (N MACs) corresponding to the N sets of data included in the fourth data are generated and stored in the RAM 113.
本申请实施例中,加解密引擎1112可以同时实现解密以及生成MAC的操作,也可以同时实现加密以及生成MAC的操作,能够有效提高SE读写数据的速率。或者,加解密或MAC操作的先后顺序是可调换的,本实施例对此不作限定。In the embodiment of the present application, the encryption and decryption engine 1112 can realize the operations of decryption and MAC generation at the same time, and can also realize the operations of encryption and MAC generation at the same time, which can effectively increase the rate of reading and writing data of the SE. Alternatively, the sequence of encryption and decryption or MAC operations can be changed, which is not limited in this embodiment.
从前述实施例可以看出,NVM105中的部分存储空间可以作为SE120的内部非易失存储空间的扩展,DRAM107的部分存储空间可以作为SE120内部的RAM113的扩展。可以理解,本申请的数据处理装置可以在保证数据安全的前提下,解决SE的内部存储空间不足的问题,实现简单、成本低。由于SE120可以直接读写DRAM107中的数据,故可以将SE120的操作***、应用程序以及运行空间都放在DRAM107,SE120内部的RAM113可以只存储用于解密的密钥(临时密钥)和用于校验完整性的MAC,SE120的处理器108可以直接通过PCIE总线获取DRAM107中的指令和数据,并运行。在实际应用中,数据处理装置上电启动时,SE120可要求CPU101将存储在NVM105的操作***和所有数据搬运到DRAM107,以便于SE120获取到这些数据;也可以读取数据到高速缓冲存储器109重新让流密码单元111加密处理,并存放到DRAM107。It can be seen from the foregoing embodiment that part of the storage space in the NVM 105 can be used as an expansion of the internal nonvolatile storage space of the SE120, and part of the storage space of the DRAM 107 can be used as an expansion of the RAM 113 inside the SE120. It can be understood that the data processing device of the present application can solve the problem of insufficient internal storage space of the SE on the premise of ensuring data security, and is simple to implement and low in cost. Since the SE120 can directly read and write data in the DRAM107, the operating system, application programs and running space of the SE120 can be placed in the DRAM107, and the RAM113 inside the SE120 can only store the key used for decryption (temporary key) and To verify the integrity of the MAC, the processor 108 of the SE120 can directly obtain the instructions and data in the DRAM 107 through the PCIE bus and run it. In practical applications, when the data processing device is powered on, SE120 may require CPU101 to transfer the operating system and all data stored in NVM105 to DRAM107, so that SE120 can obtain these data; it can also read the data to cache memory 109 and re-start The stream cipher unit 111 is encrypted and stored in the DRAM 107.
图9为本申请实施例提供的另一种数据处理装置结构的框图。参考图9,数据处理装置包括:射频(Radio Frequency,RF)电路910、非易失存储器921、随机存储器922、输入单元930、显示单元940、传感器950、音频电路960、无线保真(wireless fidelity,WiFi)模块970、SOC 100、电源990以及SE120等部件。其中,SOC 100和SE120通过PCIE总线耦合。图1示出了SE120内部的结构以及SOC 100的内部结构,这里不再详述。9 is a block diagram of another data processing device structure provided by an embodiment of the present application. 9, the data processing device includes: a radio frequency (Radio Frequency) circuit 910, a non-volatile memory 921, a random access memory 922, an input unit 930, a display unit 940, a sensor 950, an audio circuit 960, wireless fidelity (wireless fidelity) , WiFi) module 970, SOC 100, power supply 990, SE120 and other components. Among them, SOC100 and SE120 are coupled through PCIE bus. FIG. 1 shows the internal structure of SE120 and the internal structure of SOC 100, which will not be described in detail here.
非易失存储器921可以是图1中的NVM105,NVM105可以是相变存储器(Phase Change Memory,PCM,)、磁阻式存储器(Magnetoresistive RAM,MRAM)、电阻式/阻变存储器、铁电存储器(Ferroelectric RAM,FeRAM)、赛道存储器、石墨烯存储器、忆阻器(Memristor)。随机存储器922可以是图1中的DRAM107,还可以是双倍速率同步动态随机存储器以及其他类型的随机存储器。本申请中的数据处理装置还可以包括其他存储器,本申请不做限定。The non-volatile memory 921 may be the NVM105 in FIG. 1, and the NVM105 may be a phase change memory (Phase Change Memory, PCM,), a magnetoresistive memory (Magnetoresistive RAM, MRAM), a resistive/resistive memory, a ferroelectric memory ( Ferroelectric RAM, FeRAM), track memory, graphene memory, memristor. The random access memory 922 may be the DRAM 107 in FIG. 1, and may also be double-rate synchronous dynamic random access memory and other types of random access memory. The data processing device in this application may also include other memory, which is not limited in this application.
本领域技术人员可以理解,图9中示出的数据处理装置结构并不构成对数据处理装置的限定,可以包括比图示更多或更少的部件,或者组合某些部件,或者不同的部件布置。下面结合图9对数据处理装置的各个构成部件进行具体的介绍:Those skilled in the art can understand that the structure of the data processing device shown in FIG. 9 does not constitute a limitation on the data processing device, and may include more or fewer components than those illustrated, or combine certain components, or different components Layout. The following describes the components of the data processing device in detail with reference to FIG. 9:
RF电路910可用于收发信息或通话过程中,信号的接收和发送,特别地,将基站的下行信息接收后,给SOC 100处理;另外,将上行的数据发送给基站。通常,RF电路910包括但不限于天线、至少一个放大器、收发信机、耦合器、低噪声放大器(Low Noise Amplifier,LNA)、双工器等。此外,RF电路910还可以通过无线通信与网络中其他设备通信。上述无线通信可以使用任一通信标准或协议,包括但不限于全球移动通讯***(Global System of Mobile communication,GSM)、通用分组无线服务(General Packet Radio Service,GPRS)、码分多址(Code Division Multiple Access,CDMA)、宽带码分多址(Wideband Code Division Multiple Access,WCDMA)、长期演进(Long Term Evolution,LTE)、电子邮件、短消息服务(Short Messaging Service,SMS)等。The RF circuit 910 can be used to receive and send signals during receiving and sending information or during a call. In particular, after receiving the downlink information of the base station, it is processed by the SOC 100; in addition, the uplink data is sent to the base station. Generally, the RF circuit 910 includes but is not limited to an antenna, at least one amplifier, a transceiver, a coupler, a low noise amplifier (LNA), a duplexer, and the like. In addition, the RF circuit 910 can also communicate with other devices in the network through wireless communication. The above wireless communication can use any communication standard or protocol, including but not limited to Global Mobile System (Global System of Mobile Communication (GSM), General Packet Radio Service (GPRS), Code Division Multiple Access (Code Division) Multiple Access (CDMA), Wideband Code Division Multiple Access (WCDMA), Long Term Evolution (LTE), Email, Short Message Service (SMS), etc.
随机存储器922可用于存储软件程序以及模块,SOC 100通过运行存储在随机存储器922的软件程序以及模块,从而执行数据处理装置的各种功能应用以及数据处理。随机存 储器922可主要包括存储程序区和存储数据区,其中,存储程序区可存储操作***、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等;存储数据区可存储根据数据处理装置的使用所创建的数据(比如音频数据、电话本等)等。The RAM 922 may be used to store software programs and modules. The SOC 100 executes various functional applications and data processing of the data processing device by running the software programs and modules stored in the RAM 922. The random access memory 922 may mainly include a storage program area and a storage data area, where the storage program area may store an operating system, application programs required by at least one function (such as a sound playback function, an image playback function, etc.), etc.; the storage data area may store Data created according to the use of the data processing device (such as audio data, phone book, etc.), etc.
输入单元930可用于接收输入的数字或字符信息,以及产生与数据处理装置的用户设置以及功能控制有关的键信号输入。具体地,输入单元930可包括触控面板931以及其他输入设备932。触控面板931,也称为触摸屏,可收集用户在其上或附近的触摸操作(比如用户使用手指、触笔等任何适合的物体或附件在触控面板931上或在触控面板931附近的操作),并根据预先设定的程式驱动相应的连接装置。可选的,触控面板931可包括触摸检测装置和触摸控制器两个部分。其中,触摸检测装置检测用户的触摸方位,并检测触摸操作带来的信号,将信号传送给触摸控制器;触摸控制器从触摸检测装置上接收触摸信息,并将它转换成触点坐标,再送给SOC 100,并能接收SOC 100发来的命令并加以执行。此外,可以采用电阻式、电容式、红外线以及表面声波等多种类型实现触控面板931。除了触控面板931,输入单元930还可以包括其他输入设备932。具体地,其他输入设备932可以包括但不限于物理键盘、功能键(比如音量控制按键、开关按键等)、轨迹球、鼠标、操作杆等中的一种或多种。The input unit 930 may be used to receive input numeric or character information, and generate key signal input related to user settings and function control of the data processing device. Specifically, the input unit 930 may include a touch panel 931 and other input devices 932. The touch panel 931, also known as a touch screen, can collect user's touch operations on or near it (for example, the user uses any suitable objects or accessories such as fingers, stylus, etc. on or near the touch panel 931 Operation), and drive the corresponding connection device according to the preset program. Optionally, the touch panel 931 may include a touch detection device and a touch controller. Among them, the touch detection device detects the user's touch orientation, and detects the signal brought by the touch operation, and transmits the signal to the touch controller; the touch controller receives touch information from the touch detection device and converts it into contact coordinates, and then sends Give SOC100, and can receive and execute the commands sent by SOC100. In addition, the touch panel 931 may be implemented in various types such as resistive, capacitive, infrared, and surface acoustic waves. In addition to the touch panel 931, the input unit 930 may also include other input devices 932. Specifically, other input devices 932 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, switch keys, etc.), trackball, mouse, joystick, and so on.
显示单元940可用于显示由用户输入的信息或提供给用户的信息以及数据处理装置的各种菜单。显示单元940可包括显示面板941,可选的,可以采用液晶显示器(Liquid Crystal Display,LCD)、有机发光二极管(Organic Light-Emitting Diode,OLED)等形式来配置显示面板941。进一步的,触控面板931可覆盖显示面板941,当触控面板931检测到在其上或附近的触摸操作后,传送给SOC 100以确定触摸事件的类型,随后SOC 100根据触摸事件的类型在显示面板941上提供相应的视觉输出。虽然在图9中,触控面板931与显示面板941是作为两个独立的部件来实现数据处理装置的输入和输入功能,但是在某些实施例中,可以将触控面板931与显示面板941集成而实现数据处理装置的输入和输出功能。The display unit 940 may be used to display information input by the user or information provided to the user and various menus of the data processing apparatus. The display unit 940 may include a display panel 941. Alternatively, the display panel 941 may be configured in the form of a liquid crystal display (Liquid Crystal) (LCD), an organic light-emitting diode (Organic Light-Emitting Diode, OLED), or the like. Further, the touch panel 931 may cover the display panel 941. When the touch panel 931 detects a touch operation on or near it, it is transmitted to the SOC 100 to determine the type of touch event, and then the SOC 100 according to the type of touch event. The corresponding visual output is provided on the display panel 941. Although in FIG. 9, the touch panel 931 and the display panel 941 are used as two independent components to realize the input and input functions of the data processing device, in some embodiments, the touch panel 931 and the display panel 941 may be Integrate and realize the input and output functions of the data processing device.
数据处理装置还可包括至少一种传感器950,比如光传感器、运动传感器以及其他传感器。具体地,光传感器可包括环境光传感器及接近传感器,其中,环境光传感器可根据环境光线的明暗来调节显示面板941的亮度,接近传感器可在数据处理装置移动到耳边时,关闭显示面板941和/或背光。作为运动传感器的一种,加速计传感器可检测各个方向上(一般为三轴)加速度的大小,静止时可检测出重力的大小及方向,可用于识别数据处理装置姿态的应用(比如横竖屏切换、相关游戏、磁力计姿态校准)、振动识别相关功能(比如计步器、敲击)等;至于数据处理装置还可配置的陀螺仪、气压计、湿度计、温度计、红外线传感器等其他传感器,在此不再赘述。The data processing device may further include at least one sensor 950, such as a light sensor, a motion sensor, and other sensors. Specifically, the light sensor may include an ambient light sensor and a proximity sensor, wherein the ambient light sensor may adjust the brightness of the display panel 941 according to the brightness of the ambient light, and the proximity sensor may close the display panel 941 when the data processing device moves to the ear And/or backlight. As a type of motion sensor, the accelerometer sensor can detect the magnitude of acceleration in various directions (generally three axes), and can detect the magnitude and direction of gravity when at rest, and can be used to identify the posture of data processing devices (such as horizontal and vertical screen switching) , Related games, magnetometer posture calibration), vibration recognition related functions (such as pedometer, tap), etc. As for the data processing device, other sensors such as gyroscope, barometer, hygrometer, thermometer, infrared sensor, etc. can also be configured, I will not repeat them here.
音频电路960、扬声器961,传声器962可提供用户与数据处理装置之间的音频接口。音频电路960可将接收到的音频数据转换后的电信号,传输到扬声器961,由扬声器961转换为声音信号输出;另一方面,传声器962将收集的声音信号转换为电信号,由音频电路960接收后转换为音频数据,再将音频数据输出SOC 100处理后,经RF电路910以发送给比如另一数据处理装置,或者将音频数据输出至随机存储器922以便进一步处理。The audio circuit 960, the speaker 961, and the microphone 962 may provide an audio interface between the user and the data processing device. The audio circuit 960 can transmit the received electrical signals into audio speakers 961, and the speakers 961 are converted into sound signals for output; on the other hand, the microphone 962 converts the collected sound signals into electrical signals, and the audio circuit 960 After receiving, it is converted into audio data, and then the audio data is output to SOC 100 for processing, and then sent to another data processing device via the RF circuit 910, or the audio data is output to the random access memory 922 for further processing.
WiFi属于短距离无线传输技术,数据处理装置通过WiFi模块970可以帮助用户收发电子邮件、浏览网页和访问流式媒体等,它为用户提供了无线的宽带互联网访问。虽然图 9示出了WiFi模块970,但是可以理解的是,其并不属于数据处理装置的必须构成,完全可以根据需要在不改变发明的本质的范围内而省略。WiFi is a short-distance wireless transmission technology. The data processing device can help users send and receive emails, browse web pages, and access streaming media through the WiFi module 970. It provides users with wireless broadband Internet access. Although FIG. 9 shows the WiFi module 970, it can be understood that it is not a necessary component of the data processing device, and can be omitted as needed without changing the scope of the essence of the invention.
SOC 100是数据处理装置的控制中心,利用各种接口和线路连接整个数据处理装置的各个部分,通过运行或执行存储在随机存储器922内的软件程序和/或模块,以及调用存储在随机存储器922或非易失存储器921内的数据,执行数据处理装置的各种功能和处理数据,从而对数据处理装置进行整体监控。可选的,SOC 100可包括多个处理单元,例如CPU或者各种业务处理器;SOC 100还可集成应用处理器和调制解调处理器,其中,应用处理器主要处理操作***、用户界面和应用程序等,调制解调处理器主要处理无线通信。可以理解的是,上述调制解调处理器也可以不集成到SOC 100中。 SOC 100 is the control center of the data processing device. It uses various interfaces and lines to connect the various parts of the entire data processing device. It runs or executes the software programs and/or modules stored in RAM 922, and calls the RAM stored in RAM 922. Or the data in the non-volatile memory 921 performs various functions of the data processing device and processes the data, thereby performing overall monitoring of the data processing device. Optionally, SOC 100 may include multiple processing units, such as a CPU or various business processors; SOC 100 may also integrate an application processor and a modem processor, where the application processor mainly processes the operating system, user interface, and Applications, etc., the modem processor mainly handles wireless communications. It can be understood that the above-mentioned modem processor may not be integrated into the SOC 100.
数据处理装置还包括给各个部件供电的电源990(比如电池),优选的,电源可以通过电源管理***与SOC 100逻辑相连,从而通过电源管理***实现管理充电、放电、以及功耗管理等功能。The data processing device further includes a power supply 990 (such as a battery) that supplies power to various components. Preferably, the power supply can be logically connected to the SOC 100 through the power management system, so as to realize functions such as charging, discharging, and power management through the power management system.
尽管未示出,数据处理装置还可以包括摄像头、蓝牙模块等,在此不再赘述。需要说明的是,本申请提到的“耦合”一词,用于表达不同部件之间的互通或互相作用,可以包括直接相连或通过其他部件间接相连。Although not shown, the data processing device may further include a camera, a Bluetooth module, etc., and will not be repeated here. It should be noted that the term “coupling” mentioned in this application is used to express the communication or interaction between different components, and may include direct connection or indirect connection through other components.
本申请实施例提供了一种计算机可读存储介质,上述计算机可读存储介质存储有计算机程序,上述计算机程序包括软件程序指令,上述程序指令被SE执行时实现前述实施例中的数据处理方法。An embodiment of the present application provides a computer-readable storage medium. The computer-readable storage medium stores a computer program. The computer program includes software program instructions. When the program instructions are executed by the SE, the data processing method in the foregoing embodiments is implemented.
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本申请实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者通过所述计算机可读存储介质进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如,固态硬盘(solid state disk,SSD))等。In the above embodiments, it can be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented using software, it can be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions according to the embodiments of the present application are generated in whole or in part. The computer may be a general-purpose computer, a dedicated computer, a computer network, or other programmable devices. The computer instructions may be stored in a computer-readable storage medium or transmitted through the computer-readable storage medium. The computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device including a server, a data center, and the like integrated with one or more available media. The usable medium may be a magnetic medium (eg, floppy disk, hard disk, magnetic tape), optical medium (eg, DVD), or semiconductor medium (eg, solid state disk (SSD)), or the like.
以上所述,仅为本申请的具体实施方式,但本申请的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本申请揭露的技术范围内,可轻易想到各种等效的修改或替换,这些修改或替换都应涵盖在本申请的保护范围之内。因此,本申请的保护范围应以权利要求的保护范围为准。The above is only the specific implementation of this application, but the scope of protection of this application is not limited to this, any person skilled in the art can easily think of various equivalents within the technical scope disclosed in this application Modifications or replacements, these modifications or replacements should be covered within the scope of protection of this application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (15)

  1. 一种安全元件SE,其特征在于,包括:A security element SE is characterized by including:
    PCIE接口,通过PCIE总线与主处理器***中的PCIE接口耦合,所述主处理器***中的PCIE接口通过所述主处理器***中的动态随机存取存储器DRAM接口耦合至DRAM;所述PCIE接口,用于通过所述PCIE总线读取所述DRAM中的第一数据,或者向所述DRAM写入第二数据;其中,所述主处理器***包括主处理器,用于运行操作***或应用程序中的至少一项;The PCIE interface is coupled to the PCIE interface in the host processor system through the PCIE bus, and the PCIE interface in the host processor system is coupled to the DRAM through the dynamic random access memory DRAM interface in the host processor system; the PCIE The interface is used to read the first data in the DRAM or write the second data to the DRAM through the PCIE bus; wherein, the main processor system includes a main processor for running an operating system or At least one item in the application;
    安全处理器***,用于从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据,或者处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据。A security processor system, configured to receive the first data from the PCIE interface and process the first data to obtain third data, or process the fourth data to obtain the second data and send to the PCIE interface The second data after processing.
  2. 根据权利要求1所述的安全元件,其特征在于,The security element according to claim 1, characterized in that
    所述PCIE接口,还用于通过所述PCIE总线获取所述DRAM的参考存储空间中的所述第一数据,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间;The PCIE interface is also used to obtain the first data in the reference storage space of the DRAM through the PCIE bus, the reference storage space is used for storing the data from the secure processor system in the DRAM Data storage space;
    所述安全处理器***,具体用于从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据,所述解安全处理包括解密或消息认证码MAC校验中的至少一项。The secure processor system is specifically configured to receive the first data from the PCIE interface and desecure the first data to obtain the third data, and the desecuring process includes decryption or a message authentication code At least one item in the MAC check.
  3. 根据权利要求2所述的安全元件,其特征在于,The security element according to claim 2, characterized in that
    所述安全处理器***,还用于向所述PCIE接口发送读取请求,所述读取请求用于读取所述参考存储空间中的所述第一数据;其中,所述第一数据被所述主处理器***从非易失存储器NVM中的目标存储空间搬移至所述参考存储空间;The secure processor system is further configured to send a read request to the PCIE interface, where the read request is used to read the first data in the reference storage space; wherein, the first data is The main processor system is moved from the target storage space in the non-volatile memory NVM to the reference storage space;
    所述PCIE接口,还用于通过所述PCIE总线向所述主处理器***发送所述读取请求。The PCIE interface is also used to send the read request to the host processor system through the PCIE bus.
  4. 根据权利要求1至3任一项所述的安全元件,其特征在于,The security element according to any one of claims 1 to 3, characterized in that
    所述安全处理器***,具体用于对所述第四数据进行安全处理以得到所述第二数据并向所述PCIE接口发送所述第二数据,所述安全处理包括加密或消息认证码MAC处理中的至少一项;The security processor system is specifically configured to perform security processing on the fourth data to obtain the second data and send the second data to the PCIE interface, and the security processing includes encryption or a message authentication code MAC At least one item of treatment;
    所述PCIE接口,具体用于通过所述PCIE总线将所述第二数据写入所述DRAM的参考存储空间,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间。The PCIE interface is specifically used to write the second data to the reference storage space of the DRAM through the PCIE bus, and the reference storage space is used in the DRAM to store data from the secure processor system Data storage space.
  5. 根据权利要求4所述的安全元件,其特征在于,The security element according to claim 4, characterized in that
    所述安全处理器***,还用于向所述PCIE接口发送地址指示信息,所述地址指示信息用于指示所述主处理器***将所述参考存储空间中的所述第二数据搬移至所述NVM中的目标存储空间;The secure processor system is further configured to send address indication information to the PCIE interface, where the address indication information is used to instruct the host processor system to move the second data in the reference storage space to the Describe the target storage space in NVM;
    所述PCIE接口,还用于通过所述PCIE总线将所述地址指示信息向所述主处理器***发送。The PCIE interface is also used to send the address indication information to the host processor system through the PCIE bus.
  6. 根据权利要求5所述的安全元件,其特征在于,The security element according to claim 5, characterized in that
    所述PCIE接口,还用于通过所述PCIE总线接收来自所述主处理器***的存储完成信息,所述存储完成信息用于指示所述第二数据已存储至所述目标存储空间;其中,所述目 标存储空间存储的原始数据被替换为所述第二数据;The PCIE interface is also used to receive storage completion information from the host processor system through the PCIE bus, and the storage completion information is used to indicate that the second data has been stored in the target storage space; wherein, The original data stored in the target storage space is replaced with the second data;
    所述安全处理***,还用于生成用于校验所述第二数据或所述第四数据的完整性的目标MAC;在从所述PCIE接口接收所述存储完成信息后,将原始MAC替换为所述目标MAC;所述原始MAC用于校验所述原始数据的完整性。The security processing system is also used to generate a target MAC for verifying the integrity of the second data or the fourth data; after receiving the storage completion information from the PCIE interface, replace the original MAC Is the target MAC; the original MAC is used to check the integrity of the original data.
  7. 根据权利要求3或5或6所述的数据处理装置,其特征在于,所述安全处理器***包括:流密码单元、密钥生成器以及随机存取存储器RAM,所述流密码单元分别与所述密钥生成器和所述RAM相耦合;The data processing device according to claim 3, 5 or 6, wherein the secure processor system includes a stream cipher unit, a key generator, and a random access memory RAM, and the stream cipher unit is The key generator and the RAM are coupled;
    所述流密码单元,用于从所述密钥生成器获至少一个密钥以及从所述RAM获取至少一个MAC;利用所述至少一个密钥解密所述第一数据或加密所述第四数据;利用所述至少一个MAC对所述第一数据做MAC校验,其中,所述至少一个密钥和所述至少一个MAC对应于所述第一数据或所述第二数据在所述目标存储空间中的地址。The stream cipher unit is used to obtain at least one key from the key generator and at least one MAC from the RAM; use the at least one key to decrypt the first data or encrypt the fourth data ; Use the at least one MAC to perform a MAC check on the first data, wherein the at least one key and the at least one MAC correspond to the first data or the second data stored in the target Address in space.
  8. 根据权利要求7所述的安全元件,其特征在于,所述安全处理器***还包括:参考存储器和内存管理单元MMU,所述参考存储器和所述MMU均与所述密钥生成器耦合;所述流密码单元包括MAC校验控制器和加解密引擎;The secure element according to claim 7, wherein the secure processor system further comprises: a reference memory and a memory management unit MMU, both the reference memory and the MMU are coupled to the key generator; The stream cipher unit includes a MAC verification controller and an encryption and decryption engine;
    所述参考存储器,用于存储根密钥;The reference memory is used to store the root key;
    所述MMU,用于将所述第一数据或所述第二数据在所述目标存储空间中的地址映射为目标地址;The MMU is configured to map the address of the first data or the second data in the target storage space to a target address;
    所述密钥生成器,用于根据所述目标地址和从所述参考存储器获取的所述根密钥,生成所述至少一个密钥;The key generator is configured to generate the at least one key according to the target address and the root key obtained from the reference memory;
    所述加解密引擎,用于利用所述密钥解密所述第一数据或加密所述第四数据;The encryption and decryption engine is used to decrypt the first data or encrypt the fourth data using the key;
    所述MAC校验控制器,用于利用所述至少一个MAC对所述第一数据做MAC校验。The MAC verification controller is configured to perform MAC verification on the first data using the at least one MAC.
  9. 一种数据处理装置,其特征在于,包括权利要求1至8任一项所述的安全处理器***和主处理器***。A data processing device, characterized by comprising the security processor system according to any one of claims 1 to 8 and a main processor system.
  10. 根据权利要求9所述的数据处理装置,其特征在于,所述数据处理装置还包括权利要求1至8任一项所述的DRAM。The data processing device according to claim 9, wherein the data processing device further comprises the DRAM according to any one of claims 1 to 8.
  11. 根据权利要求9或10所述的数据处理装置,其特征在于,所述数据处理装置还包括权利要求3或5至8中任一项所述的NVM。The data processing device according to claim 9 or 10, wherein the data processing device further comprises the NVM according to any one of claims 3 or 5 to 8.
  12. 一种数据处理方法,其特征在于,应用于安全元件SE,所述SE包括:PCIE接口和安全处理器***,所述PCIE接口通过PCIE总线与主处理器***中的PCIE接口耦合,所述主处理器***中的PCIE接口通过所述主处理器***中的动态随机存取存储器DRAM接口耦合至DRAM;其中,所述主处理器***包括主处理器,用于运行操作***或应用程序中的至少一项;A data processing method is characterized in that it is applied to a secure element SE, and the SE includes a PCIE interface and a secure processor system. The PCIE interface is coupled to a PCIE interface in a host processor system through a PCIE bus. The host The PCIE interface in the processor system is coupled to the DRAM through the dynamic random access memory DRAM interface in the main processor system; wherein the main processor system includes a main processor for running an operating system or an application program At least one
    所述PCIE接口通过所述PCIE总线读取所述DRAM中的第一数据;所述安全处理器***从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据;The PCIE interface reads the first data in the DRAM through the PCIE bus; the security processor system receives the first data from the PCIE interface and processes the first data to obtain third data;
    或者,or,
    所述安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据;所述PCIE接口通过所述PCIE总线向所述DRAM写入所述第二数据。The secure processor system processes the fourth data to obtain the second data and sends the processed second data to the PCIE interface; the PCIE interface writes the DRAM to the DRAM through the PCIE bus Second data.
  13. 根据权利要求12所述的方法,其特征在于,所述PCIE接口通过所述PCIE总线 读取所述DRAM中的第一数据包括:The method according to claim 12, wherein the PCIE interface reading the first data in the DRAM through the PCIE bus includes:
    所述PCIE接口通过所述PCIE总线获取所述DRAM的参考存储空间中的所述第一数据,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间;The PCIE interface obtains the first data in a reference storage space of the DRAM through the PCIE bus, and the reference storage space is a storage space in the DRAM for storing data from the secure processor system ;
    所述安全处理器***从所述PCIE接口接收所述第一数据并处理所述第一数据以得到第三数据包括:The security processor system receiving the first data from the PCIE interface and processing the first data to obtain third data includes:
    所述安全处理器***从所述PCIE接口接收所述第一数据并对所述第一数据解安全处理以得到所述第三数据,所述解安全处理包括解密或解消息认证码MAC校验中的至少一项。The secure processor system receives the first data from the PCIE interface and desecures the first data to obtain the third data, and the desecuring process includes decryption or decryption of the message authentication code MAC check At least one item.
  14. 根据权利要求12或13所述的方法,其特征在于,所述安全处理器***处理第四数据以得到所述第二数据并向所述PCIE接口发送处理后的所述第二数据包括:The method according to claim 12 or 13, wherein the processing of the fourth data by the secure processor system to obtain the second data and sending the processed second data to the PCIE interface includes:
    所述安全处理器***对所述第四数据进行安全处理以得到所述第二数据并向所述PCIE接口发送所述第二数据,所述安全处理包括加密或消息认证码MAC处理中的至少一项;The security processor system performs security processing on the fourth data to obtain the second data and sends the second data to the PCIE interface, the security processing includes at least one of encryption or message authentication code MAC processing One item
    所述PCIE接口通过所述PCIE总线向所述DRAM写入所述第二数据包括:The PCIE interface writing the second data to the DRAM through the PCIE bus includes:
    所述PCIE接口通过所述PCIE总线将所述第二数据写入所述DRAM的参考存储空间,所述参考存储空间为所述DRAM中用于存储来自所述安全处理器***的数据的存储空间。The PCIE interface writes the second data to a reference storage space of the DRAM through the PCIE bus, and the reference storage space is a storage space in the DRAM for storing data from the secure processor system .
  15. 一种计算机可读存储介质,其特征在于,所述计算机存储介质存储有计算机程序,所述计算机程序包括程序指令,所述程序指令当被处理器执行时使所述处理器执行如权利要求12至14任一项所述的方法。A computer-readable storage medium, characterized in that the computer storage medium stores a computer program, and the computer program includes program instructions, which when executed by a processor causes the processor to execute as claimed in claim 12 The method according to any one of 14.
PCT/CN2018/123970 2018-12-26 2018-12-26 Secure element, data processing device, and data processing method WO2020132962A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201880088541.0A CN111699467B (en) 2018-12-26 2018-12-26 Secure element, data processing apparatus, and data processing method
PCT/CN2018/123970 WO2020132962A1 (en) 2018-12-26 2018-12-26 Secure element, data processing device, and data processing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2018/123970 WO2020132962A1 (en) 2018-12-26 2018-12-26 Secure element, data processing device, and data processing method

Publications (1)

Publication Number Publication Date
WO2020132962A1 true WO2020132962A1 (en) 2020-07-02

Family

ID=71126129

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2018/123970 WO2020132962A1 (en) 2018-12-26 2018-12-26 Secure element, data processing device, and data processing method

Country Status (2)

Country Link
CN (1) CN111699467B (en)
WO (1) WO2020132962A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116302490A (en) * 2023-02-02 2023-06-23 广州万协通信息技术有限公司 Multi-channel security chip scheduling method and security chip device

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114692124A (en) * 2022-04-18 2022-07-01 镁佳(北京)科技有限公司 Data reading and writing method and device and electronic equipment
CN117633920B (en) * 2023-12-13 2024-06-18 上海国微芯芯半导体有限公司 Sensitive data transmission bus architecture, control logic circuit and transmission system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103269326A (en) * 2012-12-22 2013-08-28 潘铁军 Safety equipment, multi-application system and safety method for ubiquitous networks
US20150195281A1 (en) * 2014-01-07 2015-07-09 Cellco Partnership D/B/A Verizon Wireless Establishing connections for secure element communications
CN104778794A (en) * 2015-04-24 2015-07-15 华为技术有限公司 Mobile payment device and method
CN105912272A (en) * 2016-04-14 2016-08-31 华为技术有限公司 Device and method controlling operation of multiple safety applications
CN107562689A (en) * 2016-07-01 2018-01-09 华为技术有限公司 A kind of system level chip and terminal

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9135200B2 (en) * 2013-06-28 2015-09-15 Futurewei Technologies, Inc. System and method for extended peripheral component interconnect express fabrics
US9436234B1 (en) * 2013-09-30 2016-09-06 Emc Corporation Configurable system board
CN103543961B (en) * 2013-10-12 2017-04-19 浙江宇视科技有限公司 PCIe-based storage extension system and method
US9823846B2 (en) * 2014-08-20 2017-11-21 Qualcomm Incorporated Systems and methods for expanding memory for a system on chip
CN108874719B (en) * 2017-05-16 2020-10-20 杭州海康威视数字技术股份有限公司 PCIe bus-based expansion storage device

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103269326A (en) * 2012-12-22 2013-08-28 潘铁军 Safety equipment, multi-application system and safety method for ubiquitous networks
US20150195281A1 (en) * 2014-01-07 2015-07-09 Cellco Partnership D/B/A Verizon Wireless Establishing connections for secure element communications
CN104778794A (en) * 2015-04-24 2015-07-15 华为技术有限公司 Mobile payment device and method
CN105912272A (en) * 2016-04-14 2016-08-31 华为技术有限公司 Device and method controlling operation of multiple safety applications
CN107562689A (en) * 2016-07-01 2018-01-09 华为技术有限公司 A kind of system level chip and terminal

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116302490A (en) * 2023-02-02 2023-06-23 广州万协通信息技术有限公司 Multi-channel security chip scheduling method and security chip device
CN116302490B (en) * 2023-02-02 2024-05-31 广州万协通信息技术有限公司 Multi-channel security chip scheduling method and security chip device

Also Published As

Publication number Publication date
CN111699467A (en) 2020-09-22
CN111699467B (en) 2021-12-03

Similar Documents

Publication Publication Date Title
US9367688B2 (en) Providing geographic protection to a system
EP3274850B1 (en) Protecting a memory
US10810138B2 (en) Enhanced storage encryption with total memory encryption (TME) and multi-key total memory encryption (MKTME)
US10944558B2 (en) Key storing method, key managing method and apparatus
JP2016517241A (en) Inline encryption and decryption supported by storage devices
US20160056964A1 (en) Handling sensor data
TWI793215B (en) Data encryption and decryption method and device
US10691627B2 (en) Avoiding redundant memory encryption in a cryptographic protection system
WO2018201991A1 (en) Data processing method, system, apparatus, storage medium, and device
WO2020132962A1 (en) Secure element, data processing device, and data processing method
WO2021098823A1 (en) Memory isolation apparatus, memory isolation method, and related device
US20210034763A1 (en) Splitting Sensitive Data and Storing Split Sensitive Data in Different Application Environments
US10528746B2 (en) System, apparatus and method for trusted channel creation using execute-only code
CN106599698A (en) Method and device for picture encryption, and method and device for picture decryption
WO2022143358A1 (en) Key management method, and corresponding apparatus and system
US11698973B2 (en) Platform security mechanism
US11775657B2 (en) Systems and methods for enhancing security of device-internal encryption with externally generated entropy
CN106886699B (en) Fingerprint verification method and related equipment
CN116711008B (en) Method and system for transmitting data stream between memories
WO2022036615A1 (en) Device channel protection mechanism
US20240160581A1 (en) Cache optimization mechanism
CN117289874A (en) Address mapping relation storage method, secure access method and storage device
CN115348028A (en) Encryption storage method, decryption reading method, device, equipment and medium
JP2011232829A (en) Terminal device, data storing method and computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18945090

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18945090

Country of ref document: EP

Kind code of ref document: A1