Nothing Special   »   [go: up one dir, main page]

CN108073351B - Data storage method of nonvolatile storage space in chip and credible chip - Google Patents

Data storage method of nonvolatile storage space in chip and credible chip Download PDF

Info

Publication number
CN108073351B
CN108073351B CN201610998449.0A CN201610998449A CN108073351B CN 108073351 B CN108073351 B CN 108073351B CN 201610998449 A CN201610998449 A CN 201610998449A CN 108073351 B CN108073351 B CN 108073351B
Authority
CN
China
Prior art keywords
data
owner
owner data
space
chip
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610998449.0A
Other languages
Chinese (zh)
Other versions
CN108073351A (en
Inventor
付颖芳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Group Holding Ltd filed Critical Alibaba Group Holding Ltd
Priority to CN201610998449.0A priority Critical patent/CN108073351B/en
Priority to TW106127335A priority patent/TW201818258A/en
Priority to PCT/CN2017/108254 priority patent/WO2018086469A1/en
Publication of CN108073351A publication Critical patent/CN108073351A/en
Application granted granted Critical
Publication of CN108073351B publication Critical patent/CN108073351B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/061Improving I/O performance
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/70Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
    • G06F21/78Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
    • G06F21/79Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data in semiconductor storage media, e.g. directly-addressable memories
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0628Interfaces specially adapted for storage systems making use of a particular technique
    • G06F3/0638Organizing or formatting or addressing of data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/0671In-line storage system
    • G06F3/0673Single storage device
    • G06F3/0679Non-volatile semiconductor memory device, e.g. flash memory, one time programmable memory [OTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Software Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a data storage method of a nonvolatile storage space in a chip and a credible chip. Wherein, the method comprises the following steps: creating a non-volatile storage space in a chip, wherein the attributes of the non-volatile storage space at least comprise: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed. The method and the device solve the technical problem that when the original data are read from the nonvolatile space of the credible security chip in the prior art, the accuracy of the read original data is poor.

Description

Data storage method of nonvolatile storage space in chip and credible chip
Technical Field
The invention relates to the field of data storage, in particular to a data storage method of a nonvolatile storage space in a chip and a credible chip.
Background
A user may create a non-volatile space in the trusted security chip, and may assign the attributes shown in table 1 to the non-volatile space:
TABLE 1
Figure BDA0001150967770000011
Fig. 1 shows an interaction diagram of a user acquiring nonvolatile spatial data according to the prior art, as shown in fig. 1, specifically including the following steps:
(1) the owner C initiates a request for accessing the nonvolatile space to the trusted chip T;
(2) the trusted chip T responds to the request of the owner C and requires the owner to feed back a password, a nonvolatile space number and data length;
(3) the owner C returns a password, a nonvolatile space number to be accessed and a nonvolatile data length to the trusted chip T;
(4) the credible chip T verifies the correctness of the password and the nonvolatile space index number, and whether the data length L of the nonvolatile space meets the following formula:
L≤|Last_adress-First_adress| (1)
in the above formula, First _ addresses represents the initial physical address of the nonvolatile space, and Last _ addresses represents the Last physical address of the nonvolatile space.
If the password and the nonvolatile space number are correct, the length L of the acquired data also meets the formula (1), the trusted chip returns the data to be accessed by the owner C, and the process is ended. Otherwise, the flow is terminated directly.
The existing international TCG standard security chip standardizes the fixed size and access authorization of a nonvolatile space of a trusted security chip, and the state identification data in the standard is defaulted to 0 and is easily confused with owner data 0, so that when a user acquires data, part of the acquired data may be the state identification data 0 instead of the data 0 really stored by the user. For example, owner C applies for a 6-byte nonvolatile space that stores 4 bytes of data, as shown in table 2: the owner space number is 1, the owner name is C, the size of the nonvolatile space corresponding to the owner space number is 6 bytes, that is, the data length can be 6 bytes at the maximum, the corresponding physical addresses are FFFFF0 to FFFFF6, 4 bytes are stored in the physical addresses, the owner writes data as "1101", the TCG standard defaults to 00 of two bytes in which data is not written, that is, the owner data is 110100 (the bold italic numbers indicate status data, the bold non-bold numbers indicate owner data, such as the owner data shown in table 1).
TABLE 2
Nv_index User_name Password Nv_Size Nv_F&L_adress Data
1 C **** 6 FFFFF0~FFFFF6 110100
When the stored data is long and changes frequently, the owner C may not remember how long it has stored and what data it has stored, for example, when the owner C and the owner obtain the data length 5 to the user, and in response to the information that the trusted chip requires to be fed back: the user inputs the correct password, the number of the Nv index is 1, and after the trusted chip receives the information, the correctness of the password and the number of the Nv index is verified, the length of the password and the length of the Nv index are also verified to be 5<6 and is within the allowable range, so that the data length of the password and the Nv index is 11010, the original data of the owner C is changed from 1101 to 11010, and data errors are caused.
Aiming at the technical problem that the accuracy of the read original data is poor when the original data is read from the nonvolatile space of the credible security chip in the prior art, an effective solution is not provided at present.
Disclosure of Invention
The embodiment of the invention provides a data storage method of a nonvolatile storage space in a chip and a credible chip, which at least solve the technical problem that the accuracy of read original data is poor when the original data is read from the nonvolatile space of the credible security chip in the prior art.
According to an aspect of the embodiments of the present invention, there is provided a data storage method of a non-volatile storage space in a chip, including: creating a non-volatile storage space in a chip, wherein the attributes of the non-volatile storage space at least comprise: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
According to another aspect of the embodiments of the present invention, there is also provided a method of acquiring data stored in a chip, including: receiving an access request for accessing a non-volatile memory space of a chip; responding to the access request to obtain verification information and the data length required to be requested; under the condition that the verification information passes, judging whether the data length required to be requested is within the storage address range of owner data preset in the nonvolatile storage space; if the data length required to be requested is within the range of the storage address of the owner data, allowing the content of the owner data to be returned; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
According to another aspect of the embodiments of the present invention, there is also provided a trusted chip, including: a memory comprising a non-volatile storage space, wherein attributes of the non-volatile storage space include at least: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
According to another aspect of the embodiments of the present invention, there is also provided a system for acquiring data stored in a chip, including: the access device end is used for sending an access request for accessing the nonvolatile storage space of the chip; the trusted chip is communicated with the access equipment end and used for responding to the access request and acquiring verification information returned by the access equipment end and the data length required to be requested, and under the condition that the verification information passes, if the data length required to be requested is within the range of the storage address of the owner data, the content of the owner data is allowed to be returned; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
According to another aspect of the embodiments of the present invention, there is also provided an apparatus for acquiring data stored in a chip, including: the receiving module is used for receiving an access request for accessing the nonvolatile storage space of the chip; the response module is used for responding to the access request to obtain the verification information and the data length required to be requested; the judging module is used for judging whether the data length required to be requested is within the storage address range of owner data preset in the nonvolatile storage space or not under the condition that the verification information passes; the control module is used for allowing the content of the owner data to be returned if the length of the data needing to be requested is within the range of the storage address of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
In the embodiment of the invention, a mode of limiting the storage address range of the owner data is adopted, the owner data is written into the nonvolatile storage space after the nonvolatile storage space is created in the chip, the storage address range of the owner data is determined according to the size of the owner data, and the data required to be acquired by the owner is returned according to the size of the owner data and the storage address range of the owner data, so that the aim of accurately acquiring the owner data is fulfilled, the technical effect of ensuring the correctness of acquiring the original data by the owner is realized, and the technical problem of poor accuracy of the read original data when the original data is read from the nonvolatile space of the credible security chip in the prior art is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of a user interaction in acquiring non-volatile spatial data according to the prior art;
FIG. 2 is a block diagram of an alternative hardware configuration of a computer terminal according to an embodiment of the present invention;
FIG. 3 is a flowchart of a method for storing data in a non-volatile memory space of a chip according to an embodiment of the present invention;
FIG. 4 is a flow chart of an alternative method for storing data in non-volatile memory space on a chip according to an embodiment of the present invention;
FIG. 5 is a flowchart of an alternative method of accessing owner data of a non-volatile memory space in accordance with an embodiment of the present invention;
FIG. 6 is a block diagram of an alternative TCG trust chain in accordance with an embodiment of the present invention;
FIG. 7 is a flow diagram of a method of retrieving data stored in a chip according to an embodiment of the invention;
FIG. 8 is a schematic diagram of a trusted chip according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of a system for retrieving data stored in a chip according to an embodiment of the present invention;
FIG. 10 is a block diagram of an apparatus for retrieving data stored in a chip according to an embodiment of the present invention; and
fig. 11 is a block diagram of an alternative computer terminal according to an embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, some terms or terms appearing in the description of the embodiments of the present application are applicable to the following explanations:
as a storage technology, Non-volatile memory (Nv) is used to ensure that data stored in a device is not lost when the device is powered down, and is often used to protect data that is very sensitive to a user.
Owner data refers to data stored in the storage device by a user, wherein the owner refers to a main body for operating the data.
Trusted means that an entity always operates in a predictable manner for a particular target.
Trusted computing (Trusted computing) is a Trusted computing platform based on hardware security module support widely used in computing and communication systems, and the use of the Trusted computing platform can improve the security of the whole system. The core mechanism is to construct a trusted computing environment through a trust chain mechanism.
The trusted security chip is a chip with the function of generating encryption and decryption keys, can also perform high-speed data encryption and decryption, and serves as an auxiliary processor for protecting a basic input and output system and an operating system from being modified.
Example 1
According to the embodiment of the invention, the embodiment of the method for storing the data of the nonvolatile storage space in the chip is also provided.
The method provided by the embodiment 1 of the present application can be executed in a mobile terminal, a computer terminal or a similar computing device. Fig. 2 shows a hardware configuration block diagram of a computer terminal (or mobile device) for implementing a data storage method of a non-volatile memory space in a chip. As shown in fig. 2, the computer terminal 10 (or mobile device 10) may include one or more (shown as 102a, 102b, … …, 102 n) processors 102 (the processors 102 may include, but are not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.), a memory 104 for storing data, and a transmission module 4 for communication functions. Besides, the method can also comprise the following steps: a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be included as one of the ports of the I/O interface), a network interface, a power source, and/or a camera. It will be understood by those skilled in the art that the structure shown in fig. 2 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 2, or have a different configuration than shown in FIG. 2.
It should be noted that the one or more processors 102 and/or other data processing circuitry described above may be referred to generally herein as "data processing circuitry". The data processing circuitry may be embodied in whole or in part in software, hardware, firmware, or any combination thereof. Further, the data processing circuit may be a single stand-alone processing module, or incorporated in whole or in part into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the application, the data processing circuit acts as a processor control (e.g. selection of a variable resistance termination path connected to the interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the data storage method of the non-volatile storage space in the chip in the embodiment of the present invention, and the processor 102 executes various functional applications and data processing by running the software programs and modules stored in the memory 104, that is, implements the vulnerability detection method of the application program. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
It should be noted here that in some alternative embodiments, the computer device (or mobile device) shown in fig. 2 described above may include hardware elements (including circuitry), software elements (including computer code stored on a computer-readable medium), or a combination of both hardware and software elements. It should be noted that fig. 2 is only one example of a particular specific example and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.
Under the operating environment, the application provides a data storage method of a nonvolatile storage space in a chip as shown in fig. 3. Fig. 3 is a flowchart of a data storage method of a non-volatile memory space in a chip according to embodiment 1 of the present invention, including the following steps:
step S302, a nonvolatile storage space is created in the chip, wherein the attribute of the nonvolatile storage space at least comprises: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
In the technical solution defined in the step S302, the storage mode of the nonvolatile storage space may adopt a big-end mode and a small-end mode, where the big-end mode refers to that the high bytes of the data are stored in the low address of the memory, and the low bytes of the data are stored in the high address of the memory; the small-end mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the internal low address, the storage mode can effectively combine the high and low of the address and the bit weight of the data, the weight of the data in the high address part is high, and the weight of the data in the low address part is low.
It should be noted that, one of the attributes of the nonvolatile storage space is data stored in the nonvolatile storage space by the user, for example, if the data stored by the user is "1101", the data is the owner data stored in the nonvolatile storage space; another attribute of the non-volatile memory space is that the length of the memory address range of the owner data is the maximum data length that allows the user to read the non-volatile memory space, for example, the memory address range of the owner data is: FFFFF 0-FFFFF 6 allows the maximum data length of a user to request data from the chip to be 7. In addition, the nonvolatile storage space is created in the chip, so that the data stored in the chip can not be lost when the equipment is powered off, and the nonvolatile storage space can be used for storing more important data.
Based on the scheme disclosed in step S302 of the foregoing embodiment, it can be known that a nonvolatile storage space is created in the chip, and it can be ensured that data stored in the chip by a user is not lost when the device is powered off, thereby improving the security of data storage.
Optionally, the attribute of the non-volatile storage space further includes at least one of: space number, space owner name, space authorization password, space size and space physical address range.
In an alternative embodiment, table 3 is an attribute table of a non-volatile memory space into which owner data has been written, as shown in table 3.
TABLE 3
Figure BDA0001150967770000071
In table 3, the space number of the owner is 1, the space owner name is C, the size of the owner space with the owner space number 1 is 6 bytes, that is, the data length can be 6 bytes at the maximum, the corresponding space physical address ranges are fffffff 0 to fffffff 6, 4 bytes are stored in the physical addresses, the storage address ranges are fffffff 1 to FFFFF4, and the written owner data is "1101".
Optionally, fig. 4 is a schematic flowchart illustrating a data storage method of a non-volatile memory space in a chip after the non-volatile memory space is created in the chip, and as shown in fig. 4, the method further includes the following steps:
step S304 writes the owner data into the nonvolatile memory space, and determines the memory address range of the owner data according to the size of the owner data, wherein the memory address range is determined by the initial memory address and the end memory address of the data block of the owner data.
In an alternative embodiment, when the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located is Max _ address, L, Min _ address and Max _ address satisfy the following equation:
L≤|Max_adress-Min_adress| (2)
therefore, the last address Max _ address of the owner data and the storage address range of the owner data can be determined from the size L of the owner data and the initial storage address Min _ address of the owner data. For example, if the owner data written in the nonvolatile memory space is "1101" and the size of the owner data is 4 bytes, the length of the storage address range of the owner data is 4 bytes, and if the initial storage address of the owner data at this time is fffffff 1, the end address of the owner data is fffffffff 4, and the storage address ranges of the data blocks of the owner data are fffffffff 1 to fff 4.
Optionally, fig. 5 is a flowchart illustrating a method for accessing owner data of a non-volatile memory space after writing the owner data into the non-volatile memory space and determining a storage address range of the owner data according to the size of the owner data, where as shown in fig. 5, the method includes the following steps:
step S502, receiving an access request for accessing the nonvolatile storage space;
step S504, respond to and visit the request, receive the data length that authentication information and need request;
step S506, under the condition that the verification information passes, judging whether the data length required to be requested is within the storage address range of the owner data;
in step S508, if the data length required to be requested is within the range of the storage address of the owner data, the content of the owner data is allowed to be returned.
As an optional embodiment, the access device side initiates a request for accessing the nonvolatile space to the trusted chip, and after receiving the nonvolatile space request sent by the access device side, the trusted chip responds to the request of the access device side and requires the access device side to feed back verification information and length information of the owner data; the access device side sends verification information and length information of owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip verifies whether the verification information returned by the access device side meets the requirement, and under the condition that the verification information meets the requirement, whether the data length needing to be requested is within the storage address range of the owner data is judged, for example, the data length needing to be requested is 4 bytes, the storage address range of the owner data is FFFFFFF 1-FFFFF 4, the maximum storage length of the owner data is 4 bytes, and the requested data length meets the formula (2), so that the trusted chip allows the access to the owner data, and returns the owner data with the storage address ranges FFF 1-FFFFF 4.
It should be noted that the verification information may be used to verify whether the access device side has the right to access and determine the location of the access device side for accessing the data, so as to further improve the accuracy of accessing the data.
Optionally, if the data length required to be requested is outside the storage address range of the owner data, the process of acquiring the owner data is suspended, and/or prompt information for representing the failure of the request is output.
As an optional embodiment, in a case that the trusted chip verifies that the verification information returned by the access device side meets the requirement, the trusted chip further determines whether the data length that needs to be requested is within the storage address range of the owner data, and if the data length that needs to be requested is outside the storage address range of the owner data, for example, the data length that needs to be requested is 4 bytes, the storage address range of the owner data is FFFFF1 to FFFFF3, the maximum storage length of the owner data is 3 bytes, and the requested data length does not satisfy formula (2), so that the trusted chip does not allow access to the owner data, directly terminates the flow, and outputs prompt information that the request fails.
Optionally, the verification information at least includes at least one of the following: the space number, password, which needs to be accessed.
As an optional embodiment, verifying the space number to be accessed may confirm whether the space number is stored in the trusted chip, and further verifying the password may confirm whether the user currently accessing has an access right, so as to further improve the accuracy of accessing data.
Optionally, in the case that the verification information fails, a prompt message that the owner data cannot be acquired is returned.
In an optional embodiment, the space number that the user needs to access is 2, but the trusted chip does not have owner data with the space number of 2, in this case, the process of acquiring the owner data is stopped, and a prompt message is sent to the access device to prompt that the owner data with the space number of 2 does not exist. In another optional embodiment, the space number that the user needs to access is 2, and the trusted chip has owner data with the space number of 2, and when it is detected that the password is not correct, the process of acquiring the owner data is also stopped, and a prompt message is sent to the access device to prompt that the password is incorrect and require the access device to operate again.
In a preferred embodiment, owner C applies for a 6-byte nonvolatile space that holds 4 bytes of data, as shown in Table 4: the owner space number Nv _ index is 1, the space owner name User _ name is C, and the space Size Nv _ Size corresponding to the owner space number 1 is 6 bytes, that is, the maximum data length can be 6 bytes; the corresponding physical addresses are fffffff 0 to FFFFF6, 4 bytes are stored in the physical addresses, the Data written by the owner is "1101", the TCG standard defaults that the Data of the owner Data not written is 00, that is, the Data entry Data is 110100 (the italicized numbers indicate status Data, and the non-italicized numbers indicate owner Data, such as the owner Data shown in table 4).
TABLE 4
Figure BDA0001150967770000091
When the stored data is long and changes frequently, the owner may not remember how long the data length is stored in the storage space, for example, when the owner mainly seeks to obtain the data length 5 to the trusted chip and responds to the information that the trusted chip requires feedback, including: after the owner inputs the correct password and the space number Nv _ index 1, the trusted chip receives the verification information, verifies that the password and the space number are fed back correctly, verifies that the length 5 of the data required to be acquired is larger than the length 4 of the owner data, and prompts that the requested data exceeds a pre-stored range because the requested data length is not in the range allowed to be accessed by the trusted chip, and then terminates the process of acquiring the owner data.
The trusted computing can perform safety protection while computing operation, so that the computing result is always consistent with expectation, and the whole computing process can be measured and controlled without interference.
The core elements of trusted computing are a chain of trust and a root of trust, where trusted computing may frame a trusted computing environment through a chain of trust mechanism. In the case that the root of trust is a trusted chip containing a non-volatile memory space, there is another alternative embodiment, which is specifically as follows:
currently, Trusted computing has two technical routes, namely a domestic Trusted Platform Control Module (TPCM) and a Trusted Platform Module (TPM) of the international TCG standard organization.
The core elements of Trusted computing are a Trusted chain and a Trusted root, a Trusted Platform Module (TPM) in the TCG specification is a hardware Trusted root of a Trusted computing Platform, and the TPM is a security chip providing protected secure storage and cryptographic operation capabilities. The TPM is physically connected to the computing platform and to the CPU via an external bus, for example a PC platform, which is directly fixed to the motherboard and connected via an LPC bus.
The definition of trustworthiness (trusted) is given in the TCG specification: an entity is always operating in a predictable manner for a particular target. The core mechanism of trusted computing is to construct a trusted computing environment through a trust chain mechanism, and whether a current running entity is trusted is the basis of establishing whether the previous running process of a system is trusted. Based on the trust relationship, if the system starts from an initial trust root, the trust can be maintained in a transfer mode at each conversion of the platform computing environment, so that a first-level verification first-level trust chain is established on the computing platform, the computing environment is always trusted, and the computing environment can be trusted by a local user or a remote entity. Fig. 6 shows a schematic structural diagram of a TCG trust chain, as shown in fig. 6, in which a solid arrow represents a trusted measurement connection, a dashed arrow represents a trusted report connection, a bold solid arrow represents a trusted storage connection, and a bold dashed arrow represents a trusted network connection.
The key technology of the trusted computing comprises a trusted measurement, a trusted report, a trusted storage, a trusted network connection and the like.
The trusted platform control module TPCM realizes the basic function of the trusted platform module, the function composition is basically the same as that of the TPM, but because the core measurement root CRTM of the TPM is in the BIOS of the basic input and output system and is not protected by the TPM, the TPCM proposes a new trusted measurement root design, solves the problem of the initial measurement point of the trusted measurement root, changes the starting and measurement sequence, establishes the trust chain measurement flow taking the chip as the trust root on the basis, realizes the control of the chip on the starting, I/O interface control, system configuration and the like of the whole system, and embodies the control effect of the chip on the system credibility.
In the operation control transmission process of the computing platform, the TPCM judges whether the authenticity and the integrity of the next-level execution code are tampered, if not, the system transmits the operation control right to the next-level trusted execution code, and the trusted range of the system is expanded to the next-level function code; similarly, the system control power is continuously transmitted, so that the establishment and transmission process of a trust chain can be realized, and finally the trusted construction of the system range is realized. A complete system trusted transfer process is started from a trusted root, and the system control right is sequentially transferred from the trusted platform control module to the trusted BIOS, then to the trusted operating system loader, then from the trusted operating system loader to the trusted operating system, and then from the trusted operating system to the trusted application.
The trusted security chip has the function of generating encryption and decryption keys, can also perform high-speed data encryption and decryption, and serves as an auxiliary processor for protecting the BIOS and the operating system from being modified.
The TPM security chip has wide application range, and can realize the following application by matching with special software:
(1) and storing and managing the BIOS starting password and the hard disk password. In the past, the transactions are all done by BIOS, and friends who play may know that the password is cleared only by taking off the CMOS battery and discharging the CMOS battery after forgetting the password. These keys are now actually stored in memory locations that are fixed to the chip, and their information is not lost even if power is lost. Compared with the BIOS management password, the security of the TPM security chip is greatly improved.
(2) The TPM security chip can perform a wide range of encryption. The TPM security chip can encrypt system login and application software login except for traditional startup encryption and hard disk encryption. For example, the login information and the password of the MSN, the QQ, the online game and the online bank can be encrypted by the TPM and then transmitted, so that the information and the password are not worried about being stolen by people.
(3) Any partition of the hard disk is encrypted. Any hard disk partition on the notebook can be encrypted, and some sensitive files can be put into the partition to make security. For example, some vendors use a one-key recovery function, which is one of the centralized embodiments of this use (which places the system image in a TPM-encrypted partition). There are also large commercial software companies (e.g., Microsoft) that utilize it as a means of encrypting partitions (e.g., the well-known BitLocker).
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
Through the above description of the embodiments, those skilled in the art can clearly understand that the method according to the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but the former is a better implementation mode in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal device (such as a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
Example 2
According to the embodiment of the invention, the embodiment of the method for acquiring the data stored in the chip is also provided.
The present application provides a method of acquiring data stored in a chip as shown in fig. 7. Fig. 7 is a flowchart of a method of acquiring data stored in a chip according to embodiment 2 of the present invention. The method comprises the following steps:
step S702, receiving an access request for accessing the nonvolatile memory space of the chip;
step S704, responding to the access request to obtain verification information and the data length required to be requested;
step S706, under the condition that the verification information passes, judging whether the data length required to be requested is within the storage address range of the owner data preset in the nonvolatile storage space;
step 708, if the data length required to be requested is within the range of the storage address of the owner data, allowing the content of the owner data to be returned; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
In the scheme defined in steps S702 to S708, the access chip may be a trusted chip, and the trusted chip includes a nonvolatile memory space. When the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located, is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located, is Max _ address, L, Min _ address and Max _ address satisfy the following formula:
L≤|Max_adress-Min_adress|
initiating a request for accessing the nonvolatile space to a trusted chip at an access equipment end, responding the request of the access equipment end after the trusted chip receives the nonvolatile space request sent by the access equipment end, and requiring the access equipment end to feed back verification information and length information of owner data; the access device side sends verification information and length information of owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip verifies whether the verification information returned by the access device side meets the requirement, and under the condition that the verification information meets the requirement, whether the data length required to be requested is within the storage address range of the owner data is judged, for example, the data length required to be requested is 4 bytes, the storage address range of the owner data is FFFFF 1-FFFFF 4, the maximum storage length of the owner data is 4 bytes, and the requested data length meets the formula:
L≤|Max_adress-Min_adress|
thus, the trusted chip allows access to owner data and returns owner data having a memory address range of FFFFF1 through FFFFF 4.
It should be noted that the verification information may be used to verify whether the access device side has the right to access and determine the location of the access device side for accessing the data, so as to further improve the accuracy of accessing the data. The storage mode of the nonvolatile storage space can adopt a big-end mode and a small-end mode, wherein the big-end mode refers to that high bytes of data are stored in a low address of the memory, and the low bytes of the data are stored in a high address of the memory; the small-end mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the internal low address, the storage mode can effectively combine the high and low of the address and the bit weight of the data, the weight of the data in the high address part is high, and the weight of the data in the low address part is low.
Based on the solutions disclosed in steps S702 to S708 in the above embodiments, it can be known that after a nonvolatile storage space is created in a chip, owner data is written into the nonvolatile storage space, a storage address range of the owner data is determined according to the size of the owner data, and data that needs to be obtained by the owner is returned according to the size of the owner data and the storage address range of the owner data, so as to achieve the purpose of accurately obtaining the owner data, thereby achieving the technical effect of ensuring the correctness of obtaining the original data by the owner, and further solving the technical problem that when the original data is read from the nonvolatile space of a trusted security chip in the prior art, the accuracy of the read original data is poor.
Optionally, the attribute of the non-volatile storage space further includes at least one of: space number, space owner name, space authorization code, space size and space physical address range.
In an alternative embodiment, table 5 is an attribute table of the non-volatile storage space into which owner data has been written, as shown in table 5.
TABLE 5
Figure BDA0001150967770000131
In table 5, the space number of the owner is 1, the space owner name is C, the size of the owner space with the owner space number 1 is 6 bytes, that is, the data length can be 6 bytes at the maximum, the corresponding space physical address ranges are fffffff 0 to fffffff 6, 4 bytes are stored in the physical addresses, the storage address ranges are fffffff 1 to FFFFF4, and the written owner data is "1101".
Optionally, before receiving an access request for accessing the nonvolatile memory space of the chip, the method further includes: and writing the owner data into the nonvolatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
In an alternative embodiment, when the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located is Max _ address, L, Min _ address and Max _ address satisfy the following equation:
L≤|Max_adress-Min_adress|
therefore, the last address Max _ address of the owner data and the storage address range of the owner data can be determined from the size L of the owner data and the initial storage address Min _ address of the owner data. For example, if the owner data written in the nonvolatile memory space is "1101" and the size of the owner data is 4 bytes, the length of the storage address range of the owner data is 4 bytes, and if the initial storage address of the owner data at this time is fffffff 1, the end address of the owner data is fffffffff 4, and the storage address ranges of the data blocks of the owner data are fffffffff 1 to fff 4.
Optionally, if the data length required to be requested is outside the storage address range of the owner data, the process of acquiring the owner data is suspended, and/or prompt information for representing the failure of the request is output.
As an optional embodiment, in a case that the trusted chip verifies that the verification information returned by the access device side meets the requirement, the trusted chip further determines whether the data length required to be requested is within the storage address range of the owner data, and if the data length required to be requested is outside the storage address range of the owner data, for example, the data length required to be requested is 4 bytes, the storage address range of the owner data is fffffff 1 to FFFFF3, the maximum storage length of the owner data is 3 bytes, and the requested data length does not satisfy the formula L ≦ Max _ addresses-Min _ addresses |, so that the trusted chip does not allow access to the owner data, directly terminates the flow, and outputs prompt information indicating that the request fails.
Example 3
According to the embodiment of the invention, the embodiment of the trusted chip is also provided.
The present application provides a schematic diagram of a trusted chip as shown in fig. 8. Fig. 8 is a schematic structural diagram of a trusted chip according to embodiment 3 of the present invention, where the trusted chip includes: and a memory 801. Wherein,
a memory 801 comprising a non-volatile storage space, wherein the properties of the non-volatile storage space comprise at least: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
In the technical solution defined by the memory 801, the storage mode of the nonvolatile storage space may adopt a big-end mode and a small-end mode, where the big-end mode refers to that high bytes of data are stored in a low address of the memory, and low bytes of data are stored in a high address of the memory; the small-end mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the internal low address, the storage mode can effectively combine the high and low of the address and the bit weight of the data, the weight of the data in the high address part is high, and the weight of the data in the low address part is low.
It should be noted that, one of the attributes of the nonvolatile storage space is data stored in the nonvolatile storage space by the user, for example, if the data stored by the user is "1101", the data is the owner data stored in the nonvolatile storage space; another attribute of the non-volatile memory space is that the length of the memory address range of the owner data is the maximum data length that allows the user to read the non-volatile memory space, for example, the memory address range of the owner data is: FFFFF 0-FFFFF 6 allows the maximum data length of a user to request data from the chip to be 7. In addition, the nonvolatile storage space is created in the chip, so that the data stored in the chip can not be lost when the equipment is powered off, and the nonvolatile storage space can be used for storing more important data.
Therefore, the nonvolatile storage space is created in the chip, so that the data stored in the chip by a user can be prevented from being lost when the equipment is powered off, and the safety of data storage is further improved.
Example 4
According to an embodiment of the present invention, there is also provided a system embodiment for acquiring data stored in a chip.
The present application provides a system for acquiring data stored in a chip as shown in fig. 9. Fig. 9 is a schematic structural diagram of a system for acquiring data stored in a chip according to embodiment 4 of the present invention, where the system includes: an access device side 901 and a trusted chip 903. Wherein,
an access device terminal 901, configured to send an access request for accessing a nonvolatile memory space of a chip;
the trusted chip 903 is in communication with the access device end and is used for responding to the access request, acquiring verification information returned by the access device end and the data length required to be requested, and allowing the content of the owner data to be returned if the data length required to be requested is within the range of the storage address of the owner data under the condition that the verification information passes; the storage address range of the owner data is used for representing the maximum data length when the data is allowed to be requested to the credible chip.
In an alternative embodiment, the trusted chip includes a non-volatile memory space. When the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located, is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located, is Max _ address, L, Min _ address and Max _ address satisfy the following formula:
L≤|Max_adress-Min_adress|
initiating a request for accessing the nonvolatile space to a trusted chip at an access equipment end, responding the request of the access equipment end after the trusted chip receives the nonvolatile space request sent by the access equipment end, and requiring the access equipment end to feed back verification information and length information of owner data; the access device side sends verification information and length information of owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip verifies whether the verification information returned by the access device side meets the requirement, and under the condition that the verification information meets the requirement, whether the data length required to be requested is within the storage address range of the owner data is judged, for example, the data length required to be requested is 4 bytes, the storage address range of the owner data is FFFFF 1-FFFFF 4, the maximum storage length of the owner data is 4 bytes, and the requested data length meets the formula:
L≤|Max_adress-Min_adress|
thus, the trusted chip allows access to owner data and returns owner data having a memory address range of FFFFF1 through FFFFF 4.
It should be noted that the verification information may be used to verify whether the access device side has the right to access and determine the location of the access device side for accessing the data, so as to further improve the accuracy of accessing the data. The storage mode of the nonvolatile storage space can adopt a big-end mode and a small-end mode, wherein the big-end mode refers to that high bytes of data are stored in a low address of the memory, and the low bytes of the data are stored in a high address of the memory; the small-end mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the internal low address, the storage mode can effectively combine the high and low of the address and the bit weight of the data, the weight of the data in the high address part is high, and the weight of the data in the low address part is low.
According to the method, after the nonvolatile storage space is created in the chip, the owner data is written into the nonvolatile storage space, the storage address range of the owner data is determined according to the size of the owner data, and the data required to be acquired by the owner is returned according to the size of the owner data and the storage address range of the owner data, so that the aim of accurately acquiring the owner data is fulfilled, the technical effect of ensuring the correctness of the original data acquired by the owner is achieved, and the technical problem that the accuracy of the read original data is poor when the original data is read from the nonvolatile space of the credible security chip in the prior art is solved.
Optionally, the trusted chip 903 is further configured to write owner data into the nonvolatile memory space, and determine a storage address range of the owner data according to the size of the owner data, where the storage address range is determined by an initial storage address and a last storage address of a data block of the owner data.
Example 5
According to an embodiment of the present invention, there is also provided an apparatus for acquiring data stored in a chip, as shown in fig. 10, for implementing the above embodiment 2, the apparatus including: a receiving module 1001, a response module 1003, a judging module 1005 and a control module 1007. Wherein,
a receiving module 1001, configured to receive an access request for accessing a nonvolatile memory space of a chip;
a response module 1003, configured to respond to the access request, to obtain the authentication information and the data length required to be requested;
a determining module 1005, configured to determine, when the verification information passes, whether a data length that needs to be requested is within a storage address range of owner data preset in the nonvolatile storage space;
a control module 1007, configured to allow the content of the owner data to be returned if the data length that needs to be requested is within the range of the storage address of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
The access chip may be a trusted chip, and the trusted chip includes a nonvolatile memory space. When the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located, is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located, is Max _ address, L, Min _ address and Max _ address satisfy the following formula:
L≤|Max_adress-Min_adress|
initiating a request for accessing the nonvolatile space to a trusted chip at an access equipment end, responding the request of the access equipment end after the trusted chip receives the nonvolatile space request sent by the access equipment end, and requiring the access equipment end to feed back verification information and length information of owner data; the access device side sends verification information and length information of owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip verifies whether the verification information returned by the access device side meets the requirement, and under the condition that the verification information meets the requirement, whether the data length required to be requested is within the storage address range of the owner data is judged, for example, the data length required to be requested is 4 bytes, the storage address range of the owner data is FFFFF 1-FFFFF 4, the maximum storage length of the owner data is 4 bytes, and the requested data length meets the formula:
L≤|Max_adress-Min_adress|
thus, the trusted chip allows access to owner data and returns owner data having a memory address range of FFFFF1 through FFFFF 4.
It should be noted that the verification information may be used to verify whether the access device side has the right to access and determine the location of the access device side for accessing the data, so as to further improve the accuracy of accessing the data. The storage mode of the nonvolatile storage space can adopt a big-end mode and a small-end mode, wherein the big-end mode refers to that high bytes of data are stored in a low address of the memory, and the low bytes of the data are stored in a high address of the memory; the small-end mode means that the high byte of data is stored in the high address of the memory, and the low byte of data is stored in the internal low address, the storage mode can effectively combine the high and low of the address and the bit weight of the data, the weight of the data in the high address part is high, and the weight of the data in the low address part is low.
According to the method, after the nonvolatile storage space is created in the chip, the owner data is written into the nonvolatile storage space, the storage address range of the owner data is determined according to the size of the owner data, and the data required to be acquired by the owner is returned according to the size of the owner data and the storage address range of the owner data, so that the aim of accurately acquiring the owner data is fulfilled, the technical effect of ensuring the correctness of the original data acquired by the owner is achieved, and the technical problem that the accuracy of the read original data is poor when the original data is read from the nonvolatile space of the credible security chip in the prior art is solved.
It should be noted here that the receiving module 1001, the responding module 1003, the determining module 1005 and the control module 1007 correspond to steps S702 to S708 in embodiment 2, and the four modules are the same as the corresponding steps in the implementation example and application scenario, but are not limited to the disclosure in embodiment 2. It should be noted that the above modules may be operated in the computer terminal 10 provided in embodiment 1 as a part of the apparatus.
Optionally, the attribute of the non-volatile storage space further includes at least one of: space number, space owner name, space authorization code, space size and space physical address range.
In an alternative embodiment, table 6 is an attribute table of the non-volatile storage space into which owner data has been written, as shown in table 6.
TABLE 6
Figure BDA0001150967770000181
In table 6, the space number of the owner is 1, the space owner name is C, the size of the owner space with the owner space number 1 is 6 bytes, that is, the data length can be 6 bytes at the maximum, the corresponding physical address ranges of the spaces are fffffff 0 to fffffff 6, 4 bytes are stored in the physical addresses, the storage address ranges are fffffff 1 to FFFFF4, and the written owner data is "1101".
Optionally, as shown in fig. 10, the apparatus for acquiring data stored in the chip further includes: the writing module 1009 is configured to write the owner data into the nonvolatile storage space, and determine a storage address range of the owner data according to the size of the owner data, where the storage address range is determined by an initial storage address and an end storage address of a data block of the owner data.
In an alternative embodiment, when the storage mode of the owner data is the small-end mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the memory address where the low byte of the owner data is located is Min _ address, and the last storage address of the data block of the owner data, that is, the memory address where the high byte of the owner data is located is Max _ address, L, Min _ address and Max _ address satisfy the following equation:
L≤|Max_adress-Min_adress|
therefore, the last address Max _ address of the owner data and the storage address range of the owner data can be determined from the size L of the owner data and the initial storage address Min _ address of the owner data. For example, if the owner data written in the nonvolatile memory space is "1101" and the size of the owner data is 4 bytes, the length of the storage address range of the owner data is 4 bytes, and if the initial storage address of the owner data at this time is fffffff 1, the end address of the owner data is fffffffff 4, and the storage address ranges of the data blocks of the owner data are fffffffff 1 to fff 4.
Optionally, if the data length required to be requested is outside the storage address range of the owner data, the process of acquiring the owner data is suspended, and/or prompt information for representing the failure of the request is output.
As an optional embodiment, in a case that the trusted chip verifies that the verification information returned by the access device side meets the requirement, the trusted chip further determines whether the data length required to be requested is within the storage address range of the owner data, and if the data length required to be requested is outside the storage address range of the owner data, for example, the data length required to be requested is 4 bytes, the storage address range of the owner data is fffffff 1 to FFFFF3, the maximum storage length of the owner data is 3 bytes, and the requested data length does not satisfy the formula L ≦ Max _ addresses-Min _ addresses |, so that the trusted chip does not allow access to the owner data, directly terminates the flow, and outputs prompt information indicating that the request fails.
Example 6
The embodiment of the invention can provide a computer terminal which can be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal may also be replaced with a terminal device such as a mobile terminal.
Optionally, in this embodiment, the computer terminal may be located in at least one network device of a plurality of network devices of a computer network.
Alternatively, fig. 11 is a block diagram of a computer terminal according to an embodiment of the present invention. As shown in fig. 11, the computer terminal a may include: one or more (only one shown) processors 1103 and a memory 1101.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the security vulnerability detection method and apparatus in the embodiments of the present invention, and the processor executes various functional applications and data processing by operating the software programs and modules stored in the memory, that is, the above-mentioned method for detecting a system vulnerability attack is implemented. The memory may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located from the processor, and these remote memories may be connected to terminal a through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor can call the information and application program stored in the memory through the transmission device to execute the following steps: creating a non-volatile storage space in a chip, wherein the attributes of the non-volatile storage space at least comprise: the parameter is used for representing the storage of owner data in the nonvolatile storage space, and the storage address range of the owner data; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
Optionally, the processor may further execute the program code of the following steps: and writing the owner data into the nonvolatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
Optionally, the processor may further execute the program code of the following steps: receiving an access request for accessing a non-volatile storage space; responding to the access request to obtain verification information and the data length required to be requested; under the condition that the verification information passes, judging whether the data length required to be requested is within the storage address range of the owner data; if the data length required to be requested is within the range of the storage address of the owner data, the content of the owner data is allowed to be returned.
Optionally, the processor may further execute the program code of the following steps: if the data length required to be requested is beyond the range of the storage address of the owner data, the process of acquiring the owner data is stopped, and/or prompt information used for representing the failure of the request is output.
By adopting the scheme of the method for acquiring the data stored in the chip provided by the embodiment of the invention, the owner data is written into the nonvolatile storage space after the nonvolatile storage space is created in the chip, the storage address range of the owner data is determined according to the size of the owner data, and the data required to be acquired by the owner is returned according to the size of the owner data and the storage address range of the owner data, so that the aim of accurately acquiring the owner data is fulfilled, the technical effect of ensuring the correctness of the acquisition of the original data by the owner is realized, and the technical problem of poor accuracy of the read original data when the original data is read from the nonvolatile space of the credible security chip in the prior art is further solved.
It can be understood by those skilled in the art that the structure shown in fig. 11 is only an illustration, and the computer terminal may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 11 is a diagram illustrating a structure of the electronic device. For example, the computer terminal 11 may also include more or fewer components (e.g., network interfaces, display devices, etc.) than shown in FIG. 11, or have a different configuration than shown in FIG. 11.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
Example 7
The embodiment of the invention also provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store the program code executed by the method for acquiring data stored in the chip provided in embodiment 2.
Optionally, in this embodiment, the storage medium may be located in any one of computer terminals in a computer terminal group in a computer network, or in any one of mobile terminals in a mobile terminal group.
Optionally, in this embodiment, the storage medium is configured to store program code for performing the following steps: receiving an access request for accessing a non-volatile memory space of a chip; responding to the access request to obtain verification information and the data length required to be requested; under the condition that the verification information passes, judging whether the data length required to be requested is within the storage address range of owner data preset in the nonvolatile storage space; if the data length required to be requested is within the range of the storage address of the owner data, allowing the content of the owner data to be returned; wherein the memory address range of the owner data is used to characterize the maximum data length when data requests to the chip are allowed.
Optionally, in this embodiment, the storage medium is configured to store program code for further performing the following steps: and writing the owner data into the nonvolatile storage space, and determining the storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.
Optionally, in this embodiment, the storage medium is configured to store program code for further performing the following steps: if the data length required to be requested is beyond the range of the storage address of the owner data, the process of acquiring the owner data is stopped, and/or prompt information used for representing the failure of the request is output.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the embodiments provided in the present application, it should be understood that the disclosed technology can be implemented in other ways. The above-described embodiments of the apparatus are merely illustrative, and for example, a division of a unit is merely a division of a logic function, and an actual implementation may have another division, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic or optical disk, and other various media capable of storing program codes.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that it is obvious to those skilled in the art that various modifications and improvements can be made without departing from the principle of the present invention, and these modifications and improvements should also be considered as the protection scope of the present invention.

Claims (12)

1. A trusted chip, comprising:
a memory comprising a non-volatile storage space, wherein attributes of the non-volatile storage space include at least: a parameter for characterizing the storage of owner data in the non-volatile memory space, and a storage address range of the owner data;
the memory address range of the owner data is used for representing the maximum data length when data are allowed to be requested to a chip;
wherein a storage address range of the owner data is determined according to a size of the owner data written to the nonvolatile storage space, wherein the storage address range is determined by an initial storage address and a last storage address of a data block of the owner data, and the storage address range of the owner data is the same as the length of the owner data.
2. A system for obtaining data stored in a chip, comprising:
the access device end is used for sending an access request for accessing the nonvolatile storage space of the chip;
the trusted chip is communicated with the access equipment end and used for responding to the access request, acquiring verification information returned by the access equipment end and the data length required to be requested, and allowing the content of the owner data to be returned if the data length required to be requested is within the range of the storage address of the owner data under the condition that the verification information passes;
the storage address range of the owner data is used for representing the maximum data length when the data is allowed to be requested from the credible chip;
the trusted chip is further configured to write the owner data into the nonvolatile storage space, and determine a storage address range of the owner data according to the size of the owner data, where the storage address range is determined by an initial storage address and a last storage address of a data block of the owner data, and the storage address range of the owner data is the same as the length of the owner data.
3. A method for storing data in a non-volatile memory space on a chip, comprising:
creating a non-volatile storage space in a chip, wherein attributes of the non-volatile storage space at least comprise: a parameter for characterizing the storage of owner data in the non-volatile memory space, the range of storage addresses of the owner data;
the memory address range of the owner data is used for representing the maximum data length when data are allowed to be requested to the chip;
wherein after creating the non-volatile storage space in the chip, the method further comprises: and writing the owner data into the nonvolatile storage space, and determining a storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by an initial storage address and a last storage address of a data block of the owner data, and the storage address range of the owner data is the same as the length of the owner data.
4. The method of claim 3, wherein the attributes of the non-volatile storage space further comprise at least one of: space number, space owner name, space authorization password, space size and space physical address range.
5. The method according to claim 3 or 4, wherein after writing the owner data to the non-volatile memory space and determining the memory address range of the owner data according to the size of the owner data, the method further comprises:
receiving an access request for accessing the non-volatile storage space;
responding to the access request to obtain verification information and the data length required to be requested;
under the condition that the verification information is verified to pass, judging whether the data length needing to be requested is within the storage address range of the owner data;
and if the length of the data needing to be requested is within the range of the storage address of the owner data, allowing the content of the owner data to be returned.
6. The method according to claim 5, wherein if the data length required to be requested is out of the storage address range of the owner data, the process of acquiring the owner data is aborted, and/or a prompt message for indicating that the request fails is output.
7. The method of claim 5, wherein the authentication information comprises at least one of: the space number, password, which needs to be accessed.
8. The method according to claim 5, wherein in a case where verification of the verification information fails, a prompt is returned that the owner data cannot be acquired.
9. A method of retrieving data stored in a chip, comprising:
receiving an access request for accessing a non-volatile memory space of a chip;
responding to the access request to obtain verification information and the data length required to be requested;
under the condition that the verification information is verified to pass, judging whether the data length needing to be requested is within a storage address range of owner data preset in the nonvolatile storage space or not;
if the length of the data needing to be requested is within the range of the storage address of the owner data, allowing the content of the owner data to be returned;
the memory address range of the owner data is used for representing the maximum data length when data are allowed to be requested to the chip;
wherein, before receiving an access request for accessing a non-volatile memory space of a chip, the method further comprises: and writing the owner data into the nonvolatile storage space, and determining a storage address range of the owner data according to the size of the owner data, wherein the storage address range is determined by an initial storage address and a last storage address of a data block of the owner data, and the storage address range of the owner data is the same as the length of the owner data.
10. The method of claim 9, wherein the attributes of the non-volatile storage space further comprise at least one of: space number, space owner name, space authorization code, space size and space physical address range.
11. The method according to claim 9, wherein if the data length required to be requested is out of the storage address range of the owner data, the process of acquiring the owner data is aborted, and/or a prompt message for indicating that the request fails is output.
12. An apparatus for retrieving data stored in a chip, comprising:
the receiving module is used for receiving an access request for accessing the nonvolatile storage space of the chip;
the response module is used for responding to the access request to obtain verification information and the data length required to be requested;
the judging module is used for judging whether the data length required to be requested is within a storage address range of owner data preset in the nonvolatile storage space or not under the condition that the verification information passes;
the control module is used for allowing the content of the owner data to be returned if the length of the data needing to be requested is within the range of the storage address of the owner data;
the memory address range of the owner data is used for representing the maximum data length when data are allowed to be requested to the chip;
wherein the apparatus further comprises: a write module, configured to write the owner data into the nonvolatile storage space, and determine a storage address range of the owner data according to a size of the owner data, where,
determining the storage address range through an initial storage address and an end storage address of the data block of the owner data, wherein the storage address range of the owner data is the same as the length of the owner data.
CN201610998449.0A 2016-11-11 2016-11-11 Data storage method of nonvolatile storage space in chip and credible chip Active CN108073351B (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201610998449.0A CN108073351B (en) 2016-11-11 2016-11-11 Data storage method of nonvolatile storage space in chip and credible chip
TW106127335A TW201818258A (en) 2016-11-11 2017-08-11 Data storage method utilized in non-volatile storage space in integrated circuit, and trusted integrated circuit
PCT/CN2017/108254 WO2018086469A1 (en) 2016-11-11 2017-10-30 Data storage method utilized in non-volatile storage space in integrated circuit, and trusted integrated circuit

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610998449.0A CN108073351B (en) 2016-11-11 2016-11-11 Data storage method of nonvolatile storage space in chip and credible chip

Publications (2)

Publication Number Publication Date
CN108073351A CN108073351A (en) 2018-05-25
CN108073351B true CN108073351B (en) 2021-06-15

Family

ID=62109463

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610998449.0A Active CN108073351B (en) 2016-11-11 2016-11-11 Data storage method of nonvolatile storage space in chip and credible chip

Country Status (3)

Country Link
CN (1) CN108073351B (en)
TW (1) TW201818258A (en)
WO (1) WO2018086469A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109634541B (en) * 2018-12-06 2022-06-10 中国船舶重工集团公司第七0七研究所 Printer information security monitoring method based on trusted computing
CN109670349B (en) 2018-12-13 2021-10-01 英业达科技有限公司 Hardware architecture of trusted computer and trusted starting method of computer
TWI687837B (en) * 2018-12-18 2020-03-11 英業達股份有限公司 Hardware structure of a trusted computer and trusted booting method for a computer
CN111625831B (en) * 2019-02-28 2023-05-30 阿里巴巴集团控股有限公司 Trusted security measurement method and device
TWI745784B (en) * 2019-11-08 2021-11-11 精品科技股份有限公司 Disc security system
CN112784322A (en) * 2019-11-08 2021-05-11 精品科技股份有限公司 Bit lock disk management system
TWI728635B (en) * 2020-01-02 2021-05-21 系微股份有限公司 Storage device information management method compatible with different storage specifications
TWI748633B (en) * 2020-09-07 2021-12-01 神雲科技股份有限公司 Server device and server system
CN115079803B (en) * 2022-05-20 2024-03-29 上海瑞浦青创新能源有限公司 Abnormal power-down data storage device suitable for microcontroller
CN117909284B (en) * 2024-03-13 2024-07-12 深圳曦华科技有限公司 Data access method, device, computer equipment and storage medium

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5742677A (en) * 1995-04-03 1998-04-21 Scientific-Atlanta, Inc. Information terminal having reconfigurable memory
US8286883B2 (en) * 2007-11-12 2012-10-16 Micron Technology, Inc. System and method for updating read-only memory in smart card memory modules
CN101477494B (en) * 2009-01-20 2011-12-21 成都市华为赛门铁克科技有限公司 Data write-in method and memory system
CN101986325A (en) * 2010-11-01 2011-03-16 山东超越数控电子有限公司 Computer security access control system and method
US8793462B2 (en) * 2011-05-24 2014-07-29 International Business Machines Corporation Implementing storage adapter performance optimization with enhanced resource pool allocation
US9152793B2 (en) * 2012-09-28 2015-10-06 Intel Corporation Methods, systems and apparatus to self authorize platform code
CN103645863B (en) * 2013-12-12 2017-12-08 北京奇安信科技有限公司 Method for reading data and system, the wiring method and system of shared drive
CN104951405B (en) * 2014-03-28 2019-09-06 三星电子株式会社 Storage system and the method that storage system is executed and verifies write-protect
US10146942B2 (en) * 2015-02-24 2018-12-04 Dell Products, Lp Method to protect BIOS NVRAM from malicious code injection by encrypting NVRAM variables and system therefor
CN105159847A (en) * 2015-08-12 2015-12-16 北京因特信安软件科技有限公司 Disk change record method based on trusted chip
CN105955916B (en) * 2016-04-29 2019-09-20 华为技术有限公司 A kind of method that writing immediate, equipment and system

Also Published As

Publication number Publication date
TW201818258A (en) 2018-05-16
CN108073351A (en) 2018-05-25
WO2018086469A1 (en) 2018-05-17

Similar Documents

Publication Publication Date Title
CN108073351B (en) Data storage method of nonvolatile storage space in chip and credible chip
US11477034B2 (en) Method and apparatus for processing account information in block chain, storage medium, and electronic apparatus
CN110113167B (en) Information protection method and system of intelligent terminal and readable storage medium
US10635790B2 (en) Systems and methods for providing identity assurance for decentralized applications
TWI667586B (en) System and method for verifying changes to uefi authenticated variables
US10516533B2 (en) Password triggered trusted encryption key deletion
CN107592964B (en) System, apparatus and method for multi-owner transfer of ownership of a device
US20100185843A1 (en) Hardware encrypting storage device with physically separable key storage device
EP2397959B1 (en) System and method for N-ary locality in a security co-processor
CN106656502A (en) Computer systems and safe execution method
US20200026882A1 (en) Methods and systems for activating measurement based on a trusted card
CN110875819B (en) Password operation processing method, device and system
US20180198620A1 (en) Systems and methods for assuring data on leased computing resources
CN106687985A (en) Method for privileged mode based secure input mechanism
US20210243030A1 (en) Systems And Methods To Cryptographically Verify An Identity Of An Information Handling System
CN109117643B (en) System processing method and related equipment
CN110008758A (en) ID obtaining method and device, electronic equipment and storage medium
CN109871715B (en) Access method and device of distributed storage file and storage medium
CN107924440B (en) Method, system, and computer readable medium for managing containers
CN108229210A (en) A kind of method, terminal and computer readable storage medium for protecting data
CN111934882B (en) Identity authentication method and device based on block chain, electronic equipment and storage medium
CN111506915B (en) Authorized access control method, device and system
US8185941B2 (en) System and method of tamper-resistant control
CN112445705B (en) Software running system, method and device based on trusted verification and computer equipment
CN111177752A (en) Credible file storage method, device and equipment based on static measurement

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant