CN112711752A - Embedded device security system - Google Patents
Publication number: CN112711752A (application CN202011629861.8A); authority: CN (China)
Legal status: Pending (status as assumed by Google Patents, not a legal conclusion)
Classifications
- G06F21/44: Program or device authentication (under G06F21/00, security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/30, authentication of security principals)
- G06F9/44505: Configuring for program initiating, e.g. using registry, configuration files (under G06F9/445, program loading or initiating)
Abstract
An embedded device security system comprises a security architecture subsystem, a secure boot subsystem, a software encryption subsystem and a secure storage subsystem. The security architecture subsystem is communicatively connected to the secure boot subsystem, the software encryption subsystem and the secure storage subsystem. The secure boot subsystem comprises an embedded processor, a nonvolatile memory, an FPGA and an external boot ROM. The software encryption subsystem comprises a key generation module, a key verification module and a software running module. The secure storage subsystem comprises a storage resource description module, a storage resource allocation module, a storage resource recovery module and a storage resource security management module. The system helps to ensure that the device is not tampered with or damaged by malicious programs or unauthorized persons at boot time, so that the embedded device is not easily replaced, tampered with or damaged by malicious programs; device security is ensured, software can run securely and resources can be stored securely, and the reliability and security of the embedded device are markedly improved.
Description
Technical Field
The invention relates to the technical field of embedded devices, and in particular to an embedded device security system.
Background
An embedded device mainly consists of an embedded processor, related supporting hardware and an embedded software system, and is a self-contained working device that integrates software and hardware. The embedded processor is typically a single-chip microcomputer or a microcontroller, and the supporting hardware includes a display card, a storage medium, communication equipment, readers for IC cards or credit cards, and the like. Unlike a general-purpose computer system, an embedded system has no large-capacity storage medium such as a hard disk and mostly uses flash memory as its storage medium. The embedded software includes hardware-related low-level software, an operating system, a graphical interface, communication protocols, a database system, a standardized browser, application software and the like.

With the wide use of embedded devices in security-critical fields, more and more embedded devices are illegally intruded into and damaged, and the theft of important information and data has already caused huge economic losses. On the hardware side there are security problems such as hardware Trojans, side-channel attacks and hardware reverse engineering; on the software side there are security problems such as code integrity attacks, attacks on application software and theft of private data. The security of embedded devices therefore needs to be improved so that they can operate securely and normally.
Disclosure of Invention
(I) Objects of the invention
In order to solve the technical problems described in the background art, the invention provides an embedded device security system. The system helps to ensure that the device is not tampered with or damaged by malicious programs or unauthorized persons at boot time, so that the embedded device is not easily replaced, tampered with or damaged by malicious programs; device security is ensured, software can run securely and resources can be stored securely, and the reliability and security of the embedded device are markedly improved.
(II) Technical scheme
The invention provides an embedded device security system comprising a security architecture subsystem, a secure boot subsystem, a software encryption subsystem and a secure storage subsystem:
the security architecture subsystem is communicatively connected to the secure boot subsystem, the software encryption subsystem and the secure storage subsystem, and is used to construct the network security system of the embedded device;
the secure boot subsystem comprises an embedded processor, a nonvolatile memory, an FPGA and an external boot ROM; the embedded processor further comprises an address bus, a data bus and a control bus; the embedded processor is connected to the nonvolatile memory through the address bus, the data bus and the control bus; the address bus and the control bus are connected to the external boot ROM through the FPGA, and the data bus is connected to the external boot ROM;
the software encryption subsystem comprises a key generation module, a key verification module and a software running module; the key generation module generates an encryption key; the key verification module obtains a decryption key and verifies it against the encryption key; the software running module starts or stops the software according to the verification result;
the secure storage subsystem comprises a storage resource description module, a storage resource allocation module, a storage resource recovery module and a storage resource security management module; the storage resource description module provides a compact description of the embedded system's CPU architecture and storage resources and sends the storage resource description information to the storage resource allocation module; the storage resource allocation module builds a storage resource pool from the information provided by the storage resource description module and allocates the storage resources in the pool, combining static and dynamic allocation, according to the application requirements of the embedded system; the storage resource recovery module reclaims and manages the storage resources released by the system and compresses and decompresses temporarily unused data; and the storage resource security management module monitors the storage resources that the storage resource allocation module has assigned to applications.
Preferably, the secure boot subsystem performs the following steps:
establishing a secure boot authentication environment and executing a secure boot authentication module;
after the embedded processor is reset, the secure boot authentication module in the external boot ROM is executed first and performs security authentication of the boot program of the embedded device;
and judging from the result of the secure boot authentication module whether the boot program is safe: if the boot program is safe, execution of the boot program begins; if it is unsafe, execution of the boot program is stopped.
Preferably, in the secure boot subsystem, the FPGA chip integrates a communication module, a PCIe IP interface, an embedded CPU and an algorithm module; the algorithm module provides three kinds of algorithm IP cores, SM2, SM3 and SM4; the PCIe IP interface provides a PCIe fast channel to the outside; the communication module comprises a management channel and an algorithm channel, where the management channel handles transmission management of the data packets in the signal channel, and the algorithm channel assigns mutually independent logic resources and high-speed buffers to each algorithm supported by the algorithm module; the algorithm module performs operations based on a preset algorithm.
Preferably, in the secure boot subsystem, the enable terminal of the nonvolatile memory is connected to the CS1 chip-select signal terminal of the embedded processor, and the address space of the nonvolatile memory is configured by the address register corresponding to CS1; the enable terminal of the external boot ROM is connected to the CS0 chip-select signal terminal of the embedded processor; the address signals and the CS0 chip-select signal are first decoded and controlled by the FPGA and then routed to the external boot ROM, and the address space of the external boot ROM is configured by the address register corresponding to CS0.
Preferably, the software encryption subsystem works as follows:
when the software is burned, the key generation module reads the MAC address of the embedded device and derives an encryption key from the MAC address with a secure hash algorithm;
when the software is started, the key verification module reads the MAC address of the embedded device on which the software is about to start and derives a decryption key by performing the operation on that MAC address;
the key verification module compares the decryption key with the encryption key; if they match, the software running module starts the software, and if they do not match, the software running module stops the software.
Preferably, in the software encryption subsystem, the key generation module includes an encrypted plaintext acquisition submodule, an encryption seed acquisition submodule and an encryption key generation submodule; the key verification module includes a decrypted plaintext acquisition submodule, a decryption key generation submodule, a comparison and verification submodule and a decryption seed acquisition submodule.
Preferably, the encrypted plaintext acquisition submodule reads the MAC address of the embedded device when the software is burned, to obtain the encrypted plaintext; the encryption seed acquisition submodule reads the serial number or model of the embedded device when the software is burned, to obtain the encryption seed; the encryption key generation submodule operates on the encrypted plaintext and the encryption seed to obtain the encryption key;
the decrypted plaintext acquisition submodule reads the MAC address of the embedded device that is about to start, to obtain the decrypted plaintext; the decryption key generation submodule operates on the decrypted plaintext and the decryption seed to obtain the decryption key; the comparison and verification submodule compares whether the decryption key matches the encryption key; and the decryption seed acquisition submodule reads the serial number or model of the embedded device, to obtain the decryption seed.
Preferably, in the secure storage subsystem, the storage resource description module includes a system architecture description submodule and a system storage resource description submodule, and the storage resource allocation module includes a storage resource pool establishment submodule and a system storage resource allocation submodule; the system architecture description submodule covers the CPU architecture and the MCU bus architecture of the embedded MCU.
Preferably, the storage resource pool establishment submodule builds the system resource pool of storage resources; the system storage resource allocation submodule allocates the storage resources according to the application requirements of the embedded system.
Preferably, in the secure storage subsystem, the storage resource security management module is further configured to detect abnormal conditions such as illegal access to a storage resource and physical damage to a storage resource, so as to ensure safe and reliable operation of the system.
The technical solution of the invention has the following beneficial technical effects:
the security architecture subsystem constructs the network security system of the embedded device; the secure boot subsystem boots the embedded device system securely; the software encryption subsystem lets the software run securely and stably; and the secure storage subsystem stores resources securely;
the system helps to ensure that the device is not tampered with or damaged by malicious programs or unauthorized persons at boot time, so that the embedded device is not easily replaced, tampered with or damaged by malicious programs; device security is ensured, software can run securely and resources can be stored securely, and the reliability and security of the embedded device are markedly improved.
Drawings
Fig. 1 is a system block diagram of an embedded device security system according to the present invention.
Fig. 2 is a system block diagram of a secure boot subsystem in an embedded device security system according to the present invention.
Fig. 3 is a system block diagram of a software encryption subsystem in an embedded device security system according to the present invention.
Fig. 4 is a system block diagram of a key generation module in an embedded device security system according to the present invention.
Fig. 5 is a system block diagram of the key verification module in the embedded device security system according to the present invention.
Fig. 6 is a flowchart of the secure boot performed by the secure boot subsystem in the embedded device security system according to the present invention.
Fig. 7 is a flowchart of the operation of the software encryption subsystem in the embedded device security system according to the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail with reference to the accompanying drawings in conjunction with the following detailed description. It should be understood that the description is intended to be exemplary only, and is not intended to limit the scope of the present invention. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present invention.
As shown in Fig. 1 to Fig. 7, the embedded device security system provided by the present invention comprises a security architecture subsystem, a secure boot subsystem, a software encryption subsystem and a secure storage subsystem:
the security architecture subsystem is communicatively connected to the secure boot subsystem, the software encryption subsystem and the secure storage subsystem, and is used to construct the network security system of the embedded device;
the secure boot subsystem comprises an embedded processor, a nonvolatile memory, an FPGA and an external boot ROM; the embedded processor further comprises an address bus, a data bus and a control bus; the embedded processor is connected to the nonvolatile memory through the address bus, the data bus and the control bus; the address bus and the control bus are connected to the external boot ROM through the FPGA, and the data bus is connected to the external boot ROM;
the software encryption subsystem comprises a key generation module, a key verification module and a software running module; the key generation module generates an encryption key; the key verification module obtains a decryption key and verifies it against the encryption key; the software running module starts or stops the software according to the verification result;
the secure storage subsystem comprises a storage resource description module, a storage resource allocation module, a storage resource recovery module and a storage resource security management module; the storage resource description module provides a compact description of the embedded system's CPU architecture and storage resources and sends the storage resource description information to the storage resource allocation module; the storage resource allocation module builds a storage resource pool from the information provided by the storage resource description module and allocates the storage resources in the pool, combining static and dynamic allocation, according to the application requirements of the embedded system; the storage resource recovery module reclaims and manages the storage resources released by the system and compresses and decompresses temporarily unused data; and the storage resource security management module monitors the storage resources that the storage resource allocation module has assigned to applications.
In an alternative embodiment, the secure boot subsystem performs secure boot in the following steps: establishing a secure boot authentication environment and executing a secure boot authentication module; after the embedded processor is reset, the secure boot authentication module in the external boot ROM is executed first and performs security authentication of the boot program of the embedded device; and judging from the result of the secure boot authentication module whether the boot program is safe: if the boot program is safe, execution of the boot program begins, and if it is unsafe, execution of the boot program is stopped.
In an alternative embodiment, in the secure boot subsystem, the FPGA chip integrates a communication module, a PCIe IP interface, an embedded CPU and an algorithm module; the algorithm module provides three kinds of algorithm IP cores, SM2, SM3 and SM4; the PCIe IP interface provides a PCIe fast channel to the outside; the communication module comprises a management channel and an algorithm channel, where the management channel handles transmission management of the data packets in the signal channel, and the algorithm channel assigns mutually independent logic resources and high-speed buffers to each algorithm supported by the algorithm module; the algorithm module performs operations based on a preset algorithm. The enable terminal of the nonvolatile memory is connected to the CS1 chip-select signal terminal of the embedded processor, and the address space of the nonvolatile memory is configured by the address register corresponding to CS1; the enable terminal of the external boot ROM is connected to the CS0 chip-select signal terminal of the embedded processor; the address signals and the CS0 chip-select signal are first decoded and controlled by the FPGA and then routed to the external boot ROM, and the address space of the external boot ROM is configured by the address register corresponding to CS0.
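The reset-to-decision sequence described above, as an added Python model that is not part of the patent. It assumes a constructed boot-ROM layout (program length, reference digest, then the authentication module) and uses SHA-256 in place of the FPGA's SM3 core; the chip-select decoding is modelled as one address space per CS line.

```python
from __future__ import annotations
import hashlib
import hmac

# Chip-select lines as wired in the described subsystem: CS0 selects the
# external boot ROM (address and CS0 pass through the FPGA decoder), CS1
# selects the nonvolatile memory that holds the boot program.
CS0_BOOT_ROM = 0
CS1_NVM = 1

# Constructed boot-ROM layout (an assumption, not from the patent): a 4-byte
# big-endian length of the boot program, its 32-byte reference digest, then
# the authentication module itself (represented by a marker string here).
LEN_OFFSET, LEN_SIZE = 0, 4
DIGEST_OFFSET, DIGEST_SIZE = 4, 32


def digest(data: bytes) -> bytes:
    """Stand-in for the SM3 IP core of the FPGA algorithm module."""
    return hashlib.sha256(data).digest()


class MemoryMap:
    """Address decoding: each chip select owns one bounded address space."""

    def __init__(self, boot_rom: bytes, nvm: bytearray) -> None:
        self._spaces = {CS0_BOOT_ROM: boot_rom, CS1_NVM: nvm}

    def read(self, cs: int, addr: int, size: int) -> bytes:
        space = self._spaces[cs]
        if addr < 0 or addr + size > len(space):
            raise ValueError(f"access outside the address space of CS{cs}")
        return bytes(space[addr:addr + size])


def build_boot_rom(boot_program: bytes) -> bytes:
    """Provisioning step: record the reference digest of the trusted boot
    program in the external boot ROM next to the authentication module."""
    header = len(boot_program).to_bytes(LEN_SIZE, "big") + digest(boot_program)
    return header + b"<secure boot authentication module>"


def authenticate_boot_program(mem: MemoryMap) -> bool:
    """Runs first after reset: the authentication module in boot ROM reads the
    boot program from NVM and checks it against the stored reference."""
    length = int.from_bytes(mem.read(CS0_BOOT_ROM, LEN_OFFSET, LEN_SIZE), "big")
    reference = mem.read(CS0_BOOT_ROM, DIGEST_OFFSET, DIGEST_SIZE)
    try:
        program = mem.read(CS1_NVM, 0, length)
    except ValueError:
        return False  # NVM shorter than the recorded program: treat as unsafe
    return hmac.compare_digest(reference, digest(program))


def reset_and_boot(mem: MemoryMap) -> str:
    """Boot decision: execute the boot program only if authentication passed."""
    if authenticate_boot_program(mem):
        return "boot program executed"
    return "boot halted: authentication failed"


# Constructed sample image, then the same NVM content with one byte flipped.
TRUSTED_PROGRAM = b"\x7fBOOT" + bytes(range(64))


def demo() -> tuple[str, str]:
    rom = build_boot_rom(TRUSTED_PROGRAM)
    good = MemoryMap(rom, bytearray(TRUSTED_PROGRAM))
    tampered_nvm = bytearray(TRUSTED_PROGRAM)
    tampered_nvm[10] ^= 0x01
    bad = MemoryMap(rom, tampered_nvm)
    return reset_and_boot(good), reset_and_boot(bad)


if __name__ == "__main__":
    print(demo())
```

The reference lives only in the boot ROM, which is why the page places the authentication module there rather than in the rewritable nonvolatile memory.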
In an alternative embodiment, the software encryption subsystem works as follows: when the software is burned, the key generation module reads the MAC address of the embedded device and derives an encryption key from the MAC address with a secure hash algorithm; when the software is started, the key verification module reads the MAC address of the embedded device on which the software is about to start and derives a decryption key by performing the operation on that MAC address; the key verification module compares the decryption key with the encryption key; if they match, the software running module starts the software, and if they do not match, the software running module stops the software.
In an alternative embodiment, in the software encryption subsystem, the key generation module includes an encrypted plaintext acquisition submodule, an encryption seed acquisition submodule and an encryption key generation submodule; the key verification module includes a decrypted plaintext acquisition submodule, a decryption key generation submodule, a comparison and verification submodule and a decryption seed acquisition submodule. The encrypted plaintext acquisition submodule reads the MAC address of the embedded device when the software is burned, to obtain the encrypted plaintext; the encryption seed acquisition submodule reads the serial number or model of the embedded device when the software is burned, to obtain the encryption seed; the encryption key generation submodule operates on the encrypted plaintext and the encryption seed to obtain the encryption key; the decrypted plaintext acquisition submodule reads the MAC address of the embedded device that is about to start, to obtain the decrypted plaintext; the decryption key generation submodule operates on the decrypted plaintext and the decryption seed to obtain the decryption key; the comparison and verification submodule compares whether the decryption key matches the encryption key; and the decryption seed acquisition submodule reads the serial number or model of the embedded device, to obtain the decryption seed.
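The burn-time and start-time halves of the software encryption subsystem, as an added Python example that is not the patent's own code. It assumes SHA-256 as the secure hash, a length-prefixed combination of plaintext (MAC address) and seed (serial number or model), and constructed device identities; the MAC normalisation is an added practical step so that differently formatted readings of the same address derive the same key.

```python
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """Identity the subsystem reads from hardware (constructed sample values)."""
    mac: str
    serial: str
    model: str


def normalise_mac(mac: str) -> bytes:
    """Canonical 6-byte form: '00-1A-..' and '00:1a:..' must derive the same key."""
    hex_digits = mac.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12:
        raise ValueError("MAC address must contain exactly 12 hex digits")
    return bytes.fromhex(hex_digits)


# ---- key generation module (burn time) ----
def encrypted_plaintext(device: Device) -> bytes:
    """Encrypted plaintext acquisition submodule: the MAC address."""
    return normalise_mac(device.mac)


def encryption_seed(device: Device, use_serial: bool = True) -> bytes:
    """Encryption seed acquisition submodule: serial number or device model."""
    return (device.serial if use_serial else device.model).encode()


def generate_key(plaintext: bytes, seed: bytes) -> bytes:
    """Key generation submodule: secure hash over plaintext and seed. Each input
    is length-prefixed so that bytes cannot shift between the two fields."""
    h = hashlib.sha256()
    h.update(len(plaintext).to_bytes(2, "big") + plaintext)
    h.update(len(seed).to_bytes(2, "big") + seed)
    return h.digest()


def burn_software(firmware: bytes, device: Device, use_serial: bool = True) -> dict:
    """Result of burning: the image plus the encryption key bound to this device."""
    key = generate_key(encrypted_plaintext(device), encryption_seed(device, use_serial))
    return {"firmware": firmware, "encryption_key": key, "use_serial": use_serial}


# ---- key verification module (start time) ----
def verify_key(image: dict, device: Device) -> bool:
    """Recompute the decryption key from the device the software is now on and
    compare it with the encryption key stored at burn time (constant time)."""
    decryption_key = generate_key(encrypted_plaintext(device),
                                  encryption_seed(device, image["use_serial"]))
    return hmac.compare_digest(decryption_key, image["encryption_key"])


# ---- software running module ----
def start_software(image: dict, device: Device) -> str:
    return "run" if verify_key(image, device) else "stop"


# Constructed devices: the unit the software was burned for, and a sibling unit.
ORIGINAL = Device(mac="00:1A:2B:3C:4D:5E", serial="SN-000123", model="EDGE-1")
OTHER = Device(mac="00:1A:2B:3C:4D:5F", serial="SN-000124", model="EDGE-1")

if __name__ == "__main__":
    image = burn_software(b"application image v1", ORIGINAL)
    print(start_software(image, ORIGINAL), start_software(image, OTHER))
```

Because both inputs are device identifiers, the check binds the image to the unit it was burned for; the derivation must be byte-for-byte identical on both sides, including the MAC normalisation, or a genuine device will be stopped.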
In an alternative embodiment, in the secure storage subsystem, the storage resource description module includes a system architecture description submodule and a system storage resource description submodule, and the storage resource allocation module includes a storage resource pool establishment submodule and a system storage resource allocation submodule; the system architecture description submodule covers the CPU architecture and the MCU bus architecture of the embedded MCU; the storage resource pool establishment submodule builds the system resource pool of storage resources; the system storage resource allocation submodule allocates the storage resources according to the application requirements of the embedded system; and the storage resource security management module is further configured to detect abnormal conditions such as illegal access to a storage resource and physical damage to a storage resource, so as to ensure safe and reliable operation of the system.
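The pool, allocation, recovery and monitoring roles of the secure storage subsystem, as an added Python illustration that is not the patent's code. It assumes a constructed resource description (total size plus static regions), first-fit dynamic allocation, zlib for the recovery module's compression, and an access monitor that flags any access outside the owner's allocated regions.

```python
from __future__ import annotations
import zlib
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    size: int
    owner: str
    kind: str  # "static" (fixed by the description) or "dynamic" (on request)

    @property
    def end(self) -> int:
        return self.start + self.size


class StoragePool:
    """Storage resource pool built from the description module's output."""

    def __init__(self, description: dict) -> None:
        self.total = description["total_size"]
        self.regions: list[Region] = []
        self.archive: dict[str, bytes] = {}  # recovery module: compressed idle data
        self.alerts: list[str] = []          # security management module log
        for r in description["static"]:      # static part of the allocation
            self._place(Region(r["start"], r["size"], r["owner"], "static"))

    def _place(self, region: Region) -> Region:
        if region.start < 0 or region.end > self.total:
            raise ValueError("region outside the described storage")
        for other in self.regions:
            if region.start < other.end and other.start < region.end:
                raise ValueError(f"overlap with region owned by {other.owner}")
        self.regions.append(region)
        self.regions.sort(key=lambda r: r.start)
        return region

    def allocate(self, owner: str, size: int) -> Region:
        """Dynamic part: first-fit in the gaps between existing regions."""
        cursor = 0
        for r in self.regions:
            if r.start - cursor >= size:
                return self._place(Region(cursor, size, owner, "dynamic"))
            cursor = r.end
        if self.total - cursor >= size:
            return self._place(Region(cursor, size, owner, "dynamic"))
        raise MemoryError("storage resource pool exhausted")

    def release(self, region: Region, idle_data: bytes = b"") -> int:
        """Recovery module: return the region to the pool and keep data the
        application does not need right now in compressed form."""
        self.regions.remove(region)
        if idle_data:
            self.archive[region.owner] = zlib.compress(idle_data)
            return len(self.archive[region.owner])
        return 0

    def restore(self, owner: str) -> bytes:
        """Decompress archived data when the application needs it again."""
        return zlib.decompress(self.archive.pop(owner))

    def check_access(self, owner: str, addr: int, length: int) -> bool:
        """Security management module: an access is legal only if it lies entirely
        inside a region allocated to that owner; anything else is recorded."""
        for r in self.regions:
            if r.owner == owner and r.start <= addr and addr + length <= r.end:
                return True
        self.alerts.append(f"illegal access by {owner}: [{addr}, {addr + length})")
        return False


# Constructed description: 4 KiB of storage with one static region for the kernel.
DESCRIPTION = {"total_size": 4096,
               "static": [{"owner": "kernel", "start": 0, "size": 1024}]}

if __name__ == "__main__":
    pool = StoragePool(DESCRIPTION)
    app = pool.allocate("app", 512)
    pool.check_access("app", app.end - 16, 64)  # crosses the region boundary
    print(app, pool.alerts)
```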
In use, the security architecture subsystem constructs the network security system of the embedded device. The secure boot subsystem comprises an embedded processor, a nonvolatile memory, an FPGA (field programmable gate array) and an external boot ROM (read only memory); the embedded processor further comprises an address bus, a data bus and a control bus; the embedded processor is connected to the nonvolatile memory through the address bus, the data bus and the control bus; the address bus and the control bus are connected to the external boot ROM through the FPGA, and the data bus is connected to the external boot ROM; the subsystem boots the embedded device system securely. The software encryption subsystem comprises a key generation module, a key verification module and a software running module; the key generation module generates an encryption key, the key verification module obtains a decryption key and verifies it, and the software running module starts or stops the software according to the verification result, so that the software runs securely and stably. The secure storage subsystem comprises a storage resource description module, a storage resource allocation module, a storage resource recovery module and a storage resource security management module; the storage resource description module provides a compact description of the embedded system's CPU architecture and storage resources and sends the storage resource description information to the storage resource allocation module; the storage resource allocation module builds a storage resource pool from the information provided by the storage resource description module and allocates the storage resources in the pool, combining static and dynamic allocation, according to the application requirements of the embedded system; the storage resource recovery module reclaims and manages the storage resources released by the system and compresses and decompresses temporarily unused data; and the storage resource security management module monitors the storage resources that the storage resource allocation module has assigned to applications, so that resources are stored securely;
the system helps to ensure that the device is not tampered with or damaged by malicious programs or unauthorized persons at boot time, so that the embedded device is not easily replaced, tampered with or damaged by malicious programs; device security is ensured, software can run securely and resources can be stored securely, and the reliability and security of the embedded device are markedly improved.
It is to be understood that the above-described embodiments of the present invention are merely illustrative of or explaining the principles of the invention and are not to be construed as limiting the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the present invention should be included in the protection scope of the present invention. Further, it is intended that the appended claims cover all such variations and modifications as fall within the scope and boundaries of the appended claims or the equivalents of such scope and boundaries.
Claims (10)
1. An embedded device security system, comprising a security architecture subsystem, a secure boot subsystem, a software encryption subsystem and a secure storage subsystem:
the security architecture subsystem is communicatively connected to the secure boot subsystem, the software encryption subsystem and the secure storage subsystem, and is used to construct the network security system of the embedded device;
the secure boot subsystem comprises an embedded processor, a nonvolatile memory, an FPGA and an external boot ROM; the embedded processor further comprises an address bus, a data bus and a control bus; the embedded processor is connected to the nonvolatile memory through the address bus, the data bus and the control bus; the address bus and the control bus are connected to the external boot ROM through the FPGA, and the data bus is connected to the external boot ROM;
the software encryption subsystem comprises a key generation module, a key verification module and a software running module; the key generation module generates an encryption key; the key verification module obtains a decryption key and verifies it against the encryption key; the software running module starts or stops the software according to the verification result;
the secure storage subsystem comprises a storage resource description module, a storage resource allocation module, a storage resource recovery module and a storage resource security management module; the storage resource description module provides a compact description of the embedded system's CPU architecture and storage resources and sends the storage resource description information to the storage resource allocation module; the storage resource allocation module builds a storage resource pool from the information provided by the storage resource description module and allocates the storage resources in the pool, combining static and dynamic allocation, according to the application requirements of the embedded system; the storage resource recovery module reclaims and manages the storage resources released by the system and compresses and decompresses temporarily unused data; and the storage resource security management module monitors the storage resources that the storage resource allocation module has assigned to applications.
2. The embedded device security system of claim 1, wherein the secure boot subsystem performs secure boot in the following steps:
establishing a secure boot authentication environment and executing a secure boot authentication module;
after the embedded processor is reset, the secure boot authentication module in the external boot ROM is executed first and performs security authentication of the boot program of the embedded device;
and judging from the result of the secure boot authentication module whether the boot program is safe: if the boot program is safe, execution of the boot program begins; if it is unsafe, execution of the boot program is stopped.
3. The embedded device security system of claim 1, wherein, in the secure boot subsystem, the FPGA chip integrates the communication module, the PCIe IP interface, the embedded CPU and the algorithm module; the algorithm module provides three types of algorithm IP cores, SM2, SM3 and SM4; the PCIe IP interface is used for providing a PCIe fast channel to the outside; the communication module comprises a management channel and an algorithm channel, wherein the management channel is used for managing the transmission of data packets in the signal channel, and the algorithm channel allocates mutually independent logic resources and high-speed buffer areas to the algorithms supported by the algorithm module; and the algorithm module is used for performing operations based on a preset algorithm.
4. The embedded device security system of claim 1, wherein, in the secure boot subsystem, the enable terminal of the non-volatile memory is connected to the CS1 chip-select signal terminal of the embedded processor, and the address space of the non-volatile memory is configured by the address register corresponding to CS1; the enable terminal of the external boot ROM is connected to the CS0 chip-select signal terminal of the embedded processor; the address signal and the CS0 chip-select signal are first decoded and controlled by the FPGA and then connected to the external boot ROM, and the address space of the external boot ROM is configured by the address register corresponding to CS0.
5. The embedded device security system of claim 1, wherein the software encryption subsystem operates as follows:
when the software is burned, the key generation module acquires the MAC address of the embedded device and obtains an encryption key by applying a secure hash algorithm to the MAC address;
when the software is started, the key verification module acquires the MAC address of the embedded device on which the software is currently being started and obtains a decryption key by operating on that MAC address;
the key verification module compares whether the decryption key is consistent with the encryption key: when the decryption key is consistent with the encryption key, the software running module starts the software, and when the decryption key is inconsistent with the encryption key, the software running module stops the software.
6. The embedded device security system of claim 1, wherein, in the software encryption subsystem, the key generation module comprises an encryption plaintext acquisition submodule, an encryption seed acquisition submodule and an encryption key generation submodule; and the key verification module comprises a decryption plaintext acquisition submodule, a decryption key generation submodule, a comparison and verification submodule and a decryption seed acquisition submodule.
7. The embedded device security system of claim 6, wherein the encryption plaintext acquisition submodule is used for acquiring the MAC address of the embedded device when the software is burned, to obtain the encryption plaintext; the encryption seed acquisition submodule is used for acquiring the serial number or model of the embedded device when the software is burned, to obtain the encryption seed; and the encryption key generation submodule is used for operating on the encryption plaintext and the encryption seed to obtain the encryption key;
the decryption plaintext acquisition submodule is used for acquiring the MAC address of the embedded device on which the software is currently being started, to obtain the decryption plaintext; the decryption seed acquisition submodule is used for acquiring the serial number or model of the embedded device, to obtain the decryption seed; the decryption key generation submodule is used for operating on the decryption plaintext and the decryption seed to obtain the decryption key; and the comparison and verification submodule is used for comparing whether the decryption key is consistent with the encryption key.
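As an added illustration of claims 5 to 7 (not code from the patent), a minimal software encryption subsystem in Python: key generation hashes the device MAC address (plaintext) together with the serial number (seed) at burn time, and key verification recomputes the key on the device at start-up and starts or stops the software on a constant-time comparison. SHA-256 as the secure hash, the MAC normalization, the length-prefixed encoding and the sample MAC and serial values are all assumptions; the claims fix none of them.

```python
import hashlib
import hmac


def normalize_mac(mac_address: str) -> str:
    """Canonical MAC form, so '00-1A-2B-3C-4D-5E' and '00:1a:2b:3c:4d:5e'
    derive the same key (assumed; the claims do not fix the MAC encoding)."""
    hex_digits = mac_address.replace(":", "").replace("-", "").lower()
    if len(hex_digits) != 12 or any(c not in "0123456789abcdef" for c in hex_digits):
        raise ValueError("malformed MAC address")
    return hex_digits


def derive_key(plaintext: str, seed: str) -> bytes:
    """Key generation submodule: secure hash over the MAC (plaintext) and the
    serial number or model (seed). SHA-256 stands in for the unspecified hash;
    length prefixes keep different (MAC, seed) splits from colliding."""
    mac = normalize_mac(plaintext).encode()
    seed_bytes = seed.encode()
    h = hashlib.sha256()
    h.update(len(mac).to_bytes(2, "big") + mac)
    h.update(len(seed_bytes).to_bytes(2, "big") + seed_bytes)
    return h.digest()


def burn_software(image: bytes, device_mac: str, device_seed: str) -> dict:
    """Burning step: the encryption key is bound to the software image."""
    return {"image": image, "encryption_key": derive_key(device_mac, device_seed)}


def start_software(burned: dict, current_mac: str, current_seed: str) -> str:
    """Start step: the verification module recomputes the decryption key on the
    device at hand; the running module starts or stops on the comparison."""
    decryption_key = derive_key(current_mac, current_seed)
    if hmac.compare_digest(decryption_key, burned["encryption_key"]):
        return "run"
    return "stop"


if __name__ == "__main__":
    # Constructed sample device: MAC and serial are placeholders.
    burned = burn_software(b"firmware-blob", "00:1A:2B:3C:4D:5E", "SN-000123")
    print(start_software(burned, "00-1a-2b-3c-4d-5e", "SN-000123"))  # run
    print(start_software(burned, "00:1A:2B:3C:4D:5F", "SN-000123"))  # stop
```

Note that both key inputs are device identifiers rather than secrets, so the check binds the image to one device; it does not by itself keep the image confidential.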
8. The embedded device security system of claim 1, wherein, in the secure storage subsystem, the storage resource description module comprises a system architecture description submodule and a system storage resource description submodule, and the storage resource allocation module comprises a storage resource pool establishment submodule and a system storage resource allocation submodule; the system architecture description submodule describes the CPU architecture and the MCU bus architecture of the embedded MCU.
9. The embedded device security system of claim 8, wherein the storage resource pool establishment submodule is used for completing the establishment of the system's storage resource pool; and the system storage resource allocation submodule is used for allocating the storage resources according to the application requirements of the embedded system.
10. The embedded device security system of claim 1, wherein, in the secure storage subsystem, the storage resource security management module is further used for discovering abnormal situations, such as illegal access to a storage resource or physical damage to a storage resource, so as to ensure the secure and reliable operation of the system.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011629861.8A CN112711752A (en) | 2020-12-31 | 2020-12-31 | Embedded equipment safety system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN112711752A true CN112711752A (en) | 2021-04-27 |
Family
ID=75547750
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011629861.8A Pending CN112711752A (en) | 2020-12-31 | 2020-12-31 | Embedded equipment safety system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112711752A (en) |
- 2020-12-31 CN CN202011629861.8A patent/CN112711752A/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104765987A (en) * | 2015-04-17 | 2015-07-08 | 深圳市西迪特科技有限公司 | System and method for embedded device software encryption |
CN104866343A (en) * | 2015-05-15 | 2015-08-26 | 长城信息产业股份有限公司 | Security startup method for embedded equipment and securely-started embedded equipment |
CN107092562A (en) * | 2017-04-10 | 2017-08-25 | 中云信安(深圳)科技有限公司 | A kind of embedded device secure storage management system and method |
CN110851885A (en) * | 2019-11-08 | 2020-02-28 | 北京计算机技术及应用研究所 | Embedded system safety protection architecture system |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113886834A (en) * | 2021-09-29 | 2022-01-04 | 南方科技大学 | ARM architecture-based GPU trusted execution method, system, equipment and storage medium |
CN113886834B (en) * | 2021-09-29 | 2022-06-21 | 南方科技大学 | ARM architecture-based GPU trusted execution method, system, equipment and storage medium |
CN114861191A (en) * | 2022-04-27 | 2022-08-05 | 北京计算机技术及应用研究所 | Embedded equipment safety starting framework and method |
CN114861191B (en) * | 2022-04-27 | 2024-04-05 | 北京计算机技术及应用研究所 | Embedded equipment safe starting architecture and method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | Application publication date: 20210427 |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | |