TW201818258A - Data storage method utilized in non-volatile storage space in integrated circuit, and trusted integrated circuit - Google Patents

Abstract

A data storage method utilized in a non-volatile storage space in an integrated circuit (IC), and a trusted integrated circuit. The data storage method comprises: creating, in the integrated circuit, the non-volatile storage space; wherein the non-volatile storage space has attributes including a parameter representing storage of owner data in the non-volatile storage space, and a storage address range of the owner data; and the storage address range of the owner data represents a maximum data length allowable for requesting data from the integrated circuit. The method resolves a technical issue in the prior art in which when reading, from a non-volatile space of a trusted IC, the raw data, the read raw data has low accuracy.

Description

   Data storage method for non-volatile storage space in chip and trusted chip   

The present invention relates to the field of data storage, and in particular, to a data storage method for a nonvolatile storage space in a chip and a trusted chip.

Users can create non-volatile space in the trusted security chip, and can assign the attributes shown in Table 1 to the non-volatile space:     

FIG. 1 shows a schematic diagram of an interaction of a user to obtain non-volatile space data according to the prior art. As shown in FIG. 1, it specifically includes the following steps: (1) The owner C initiates access to the non-volatile chip T to access the non-volatile space T Space request; (2) the trusted chip T responds to the request of the owner C, asking it to feedback the password, the non-volatile space number, and the data length; (3) the owner C returns the password, the non-volatile space number to be accessed, The non-volatile data length is given to the trusted chip T; (4) The trusted chip T verifies the correctness of the password and the index number of the non-volatile space, and whether the data length L of the non-volatile space satisfies the following formula: L ｜ Last_adress-First_adress ｜ (1)

In the above formula, First_adress represents the initial physical address of the non-volatile space, and Last_adress represents the last physical address of the non-volatile space.

If the password and the non-volatile space number are correct, and the data length L obtained by it also satisfies formula (1), the trusted chip returns the data to be accessed by the owner C, and the process ends. Otherwise, the process is terminated directly.

The existing international TCG standard security chip regulates the fixed size and access authorization of the non-volatile space of the trusted security chip. In this specification, the status identification data is preset to 0, which is easy to be confused with the owner data 0, resulting in user access. In the case of data, some of the obtained data may be the status identification data 0, rather than the data 0 actually stored by the user. For example, owner C applies for a 6-byte non-volatile space that stores 4 bytes of data, as shown in Table 2: the owner space number is 1, the owner name is C, and the owner space The size of the corresponding non-volatile space is 6 bytes, that is, the data length can be up to 6 bytes. The corresponding physical address is FFFFF0 ~ FFFFF6, and 4 bytes are stored in its physical address. The main written data is "1101". The TCG standard presets the two-byte tuple without written data as 00, that is, the master data is 1101 00 (Bold italic numbers indicate status data, non-bold numbers indicate Owner profile, as shown in Table 1).

When the stored data is long and frequently changed, the owner C may not be able to remember how long and what data he has stored, such as when the owner C and the owner obtain the data length 5 from the user, and Respond to the information requested by the trusted chip: the user enters the correct password ****, Nv_index number 1, after receiving the information, the trusted chip verifies the correctness of the password and the NV index number, and also verifies its length 5 <6, It is within the allowable range, so the length of the data returned to the owner C is 1101 0. In this way, the original data of the owner C has been changed from 1101 to 1101 0 , causing data errors.

Aiming at the technical problem that the original data read from the non-volatile space of the trusted security chip in the prior art is poor in accuracy, no effective solution has been proposed at present.

An embodiment of the present invention provides a data storage method for a non-volatile storage space in a chip and a trusted chip, so as to at least solve the problem in the prior art when reading original data from the non-volatile space of a trusted security chip. Technical issues with poor accuracy of the original data.

According to an aspect of an embodiment of the present invention, a data storage method for a non-volatile storage space in a chip is provided, including: creating a non-volatile storage space in a chip, wherein the attributes of the non-volatile storage space include at least : Parameters used to characterize the storage of owner data in non-volatile storage space, the storage address range of the owner data; among them, the storage address range of the owner data is used to characterize the largest data when data is allowed to be requested from the chip length.

According to another aspect of the embodiments of the present invention, a method for acquiring data stored in a chip is also provided, including: receiving an access request for accessing a non-volatile storage space of the chip; responding to the access request, obtaining Verification information and required data length; In the case of verification verification information, determine whether the required data length is within the storage address range of the owner data preset in the non-volatile storage space; if required, If the length of the data is within the storage address range of the owner data, the content of the owner data is allowed to be returned. Among them, the storage address range of the owner data is used to characterize the maximum data length when data is requested from the chip.

According to another aspect of the embodiments of the present invention, a trusted chip is further provided, including: a memory, including a non-volatile storage space, wherein the attributes of the non-volatile storage space at least include: The parameters of the owner data stored in the volatile storage space are the storage address range of the owner data. The storage address range of the owner data is used to represent the maximum data length when the data is allowed to be requested from the chip.

According to another aspect of the embodiments of the present invention, a system for acquiring data stored in a chip is also provided, including: an access device end for issuing an access request for accessing a non-volatile storage space of the chip The trusted chip communicates with the access device to respond to the access request and obtain the authentication information returned by the access device and the required data length. If the authentication information passes, the required data length is required. Within the storage address range of the owner data, it is allowed to return the content of the owner data; among them, the storage address range of the owner data is used to characterize the maximum data length when the data is allowed to be requested from the chip.

According to another aspect of the embodiments of the present invention, a device for acquiring data stored in a chip is further provided, including: a receiving module for receiving an access request for accessing a non-volatile storage space of the chip; The response module is used to respond to the access request to obtain the verification information and the required data length; the judgment module is used to determine whether the required data length is in the non-volatile storage space when the verification information is passed Within the storage address range of the owner data set in advance; a control module for allowing the content of the owner data to be returned if the length of the requested data is within the storage address range of the owner data; among them, The storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the chip.

In the embodiment of the present invention, the method of limiting the storage address range of the owner data is adopted. After the nonvolatile storage space is created in the chip, the owner data is written into the nonvolatile storage space, and according to the owner data, The size determines the storage address range of the owner's data, and returns the data that the owner needs to obtain according to the size of the owner's data and the storage address range of the owner's data. The purpose of accurately obtaining the owner's data is achieved, thereby ensuring the ownership. The main technical effect of obtaining the correctness of the original data, thereby solving the technical problem of poor accuracy of the read original data when the original technology reads the original data from the non-volatile space of the trusted security chip.

10‧‧‧Computer Terminal

102a ~ 102n‧‧‧Processor

104‧‧‧Memory

801‧‧‧Memory

901‧‧‧Access device side

903‧‧‧trusted chip

1001‧‧‧Receiving module

1003‧‧‧ Response Module

1005‧‧‧Judgment Module

1007‧‧‧Control Module

1009‧‧‧write module

1101‧‧‧Memory

1103‧‧‧Processor

S302 ~ S304‧‧‧ steps

S502 ~ S508‧‧‧step

S702 ~ S708‧‧‧step

The drawings described herein are used to provide a further understanding of the present invention and constitute a part of the present application. The schematic embodiments of the present invention and the descriptions thereof are used to explain the present invention, and do not constitute an improper limitation on the present invention. In the drawings: FIG. 1 is a schematic diagram of the interaction of a user to obtain non-volatile space data according to the prior art; FIG. 2 is a block diagram of the hardware structure of an optional computer terminal according to an embodiment of the present invention; FIG. 3 is A flowchart of a method for storing data in a non-volatile storage space in a chip according to an embodiment of the present invention; FIG. 4 is a flowchart of a method for storing data in a non-volatile storage space in a chip according to an embodiment of the present invention; 5 is a flowchart of an optional method for accessing owner data of a non-volatile storage space according to an embodiment of the present invention; FIG. 6 is a schematic structural diagram of an optional TCG trust chain according to an embodiment of the present invention; 7 is a flowchart of a method for acquiring data stored in a wafer according to an embodiment of the present invention; FIG. 8 is a schematic structural diagram of a trusted wafer according to an embodiment of the present invention; FIG. 9 is an acquisition according to an embodiment of the present invention FIG. 10 is a schematic structural diagram of a device for acquiring data stored in a wafer according to an embodiment of the present invention; and FIG. 11 is a diagram illustrating a root system. Block diagram showing the computer terminal of an alternative embodiment of the present invention.

In order to enable those skilled in the art to better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention will be described clearly and completely in combination with the drawings in the embodiments of the present invention. Obviously, the described embodiments are only The embodiments are part of the present invention, but not all the embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those with ordinary knowledge in the art without making creative work should fall within the protection scope of the present invention.

It should be noted that the terms “first” and “second” in the scope of the description and patent application of the present invention and the above drawings are used to distinguish similar objects, and are not necessarily used to describe a specific order or sequence. It should be understood that the materials used as such are interchangeable under appropriate circumstances so that the embodiments of the invention described herein can be implemented in an order other than those illustrated or described herein. Furthermore, the terms "including" and "having" and any of their variations are intended to cover non-exclusive inclusions, for example, a process, method, system, product, or device that includes a series of steps or units need not be limited to those explicitly listed Those steps or units may instead include other steps or units not explicitly listed or inherent to these processes, methods, products or equipment.

First of all, some terms or terms appearing during the description of the embodiments of this application are applicable to the following explanations: Non-volatile memory (Non-volatile memory, referred to as Nv), as a storage technology, it can ensure that the device is powered off. When data is stored in the device, it will not be lost, which is often used to protect users' very sensitive data.

Owner data refers to the data stored in the storage device by the user, and the owner refers to the subject that operates the data.

Trustworthy means that an entity has been operating for a specific purpose in a predictable manner.

Trusted computing is a trusted computing platform supported by hardware security modules that is widely used in computing and communication systems. Using this trusted computing platform can improve the overall security of the system. Its core mechanism is to build a trusted computing environment through a chain of trust mechanism.

The trusted security chip is a chip with the function of generating encryption and decryption keys. The trusted security chip can also perform high-speed data encryption and decryption, and act as an auxiliary processor to protect the basic input and output system and operating system from being modified.

Example 1

According to an embodiment of the present invention, a method embodiment of a data storage method for a non-volatile storage space in a chip is also provided.

The method embodiments provided in Embodiment 1 of this application may be executed in a mobile terminal, a computer terminal, or a similar computing device. FIG. 2 shows a block diagram of a hardware structure of a computer terminal (or mobile device) for implementing a data storage method of a non-volatile storage space in a chip. As shown in FIG. 2, the computer terminal 10 (or the mobile device 10) may include one or more (shown by 102a, 102b, ..., 102n in the figure) a processor 102 (the processor 102 may include It is not limited to a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 4 for communication functions. In addition, it can also include: display, input / output interface (I / O interface), universal serial bus (USB) communication port (can be included as one of the communication ports of the I / O interface), network Interface, power supply and / or camera. Those skilled in the art can understand that the structure shown in FIG. 2 is only a schematic diagram, and does not limit the structure of the electronic device. For example, the computer terminal 10 may further include more or fewer components than those shown in FIG. 2, or have a configuration different from that shown in FIG. 2.

It should be noted that the one or more processors 102 and / or other data processing circuits described above may generally be referred to herein as "data processing circuits." The data processing circuit may be fully or partially embodied as software, hardware, firmware, or any other combination. In addition, the data processing circuit may be a single independent processing module, or all or part of the data processing circuit may be incorporated into any one of the other components in the computer terminal 10 (or mobile device). As mentioned in the embodiment of the present application, the data processing circuit is controlled as a processor (for example, selection of a variable resistance terminal path connected to an interface).

The memory 104 may be used to store software programs and modules of application software, such as a program instruction / data storage device corresponding to a data storage method of a non-volatile storage space in a chip in the embodiment of the present invention. The software programs and modules in the memory 104 execute various functional applications and data processing, that is, implement the above-mentioned application program's vulnerability detection method. The memory 104 may include high-speed random access memory, and may further include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory remotely disposed relative to the processor 102, and these remote memories may be connected to the computer terminal 10 through a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

What needs to be explained here is that in some optional embodiments, the computer device (or mobile device) shown in FIG. 2 described above may include hardware components (including circuits) and software components (including those stored on computer-readable media). Computer code), or a combination of hardware and software components. It should be noted that FIG. 2 is only one example of a specific specific example, and is intended to illustrate the types of components that may be present in the computer device (or mobile device) described above.

Under the above-mentioned operating environment, the present application provides a data storage method for a non-volatile storage space in a chip as shown in FIG. 3. 3 is a flowchart of a method for storing data in a non-volatile storage space in a chip according to Embodiment 1 of the present invention, including the following steps:

Step S302, a non-volatile storage space is created in the chip, wherein the attributes of the non-volatile storage space include at least: parameters for characterizing the storage of the owner data in the non-volatile storage space, and the storage of the owner data Address range; where the storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the chip.

In the technical solution defined in the above step S302, the storage mode of the non-volatile storage space may adopt a big-endian mode and a little-endian mode. The big-endian mode means that the high byte of data is stored in the low address of the internal memory. The low byte of the data is stored in the high address of the internal memory; the little-endian mode means that the high byte of the data is stored in the high address of the internal memory and the low byte of the data is stored in the internal low address This storage mode can effectively combine the height of the address with the bit weight of the data. The weight of the data at the high address is high, and the weight of the data at the low address is low.

It should be noted that one of the owner data of the non-volatile storage space is the data stored in the non-volatile storage space by the user. For example, if the data stored by the user is "1101", the data is Owner data stored in non-volatile storage space; another attribute of non-volatile storage space is the length of the storage address range of the owner data is the maximum data length that allows users to read the non-volatile storage space, For example, the storage address range of the owner data is: FFFFF0 ~ FFFFF6. The maximum data length when the user is allowed to request data from the chip is 7. In addition, the creation of non-volatile storage space in the chip can ensure that the data stored in the chip will not be lost when the device is powered off, so it can be used to store more important data.

Based on the solution disclosed in step S302 of the above embodiment, it can be learned that a non-volatile storage space is created in the chip, which can ensure that the data stored by the user will not be lost when the device is powered off, thereby improving data storage. Security.

Optionally, the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authorization password, space size, and space entity address range.

In an optional embodiment, Table 3 is an attribute table of the non-volatile storage space in which the owner data has been written, as shown in Table 3.

In Table 3, the owner space number is 1, the space owner name is C, and the owner space number is 1. The owner space size is 6 bytes, that is, the data length can be up to 6 bytes, which corresponds to The space physical address range is FFFFF0 ~ FFFFF6, and 4 bytes are stored in its physical address. The storage address range is FFFFF1 ~ FFFFF4, and the owner data written is "1101".

Optionally, FIG. 4 shows a flowchart of a method for storing data in a non-volatile storage space in a chip after the non-volatile storage space is created in the chip. As shown in FIG. 4, the method further includes the following steps:

In step S304, the owner data is written into the non-volatile storage space, and the storage address range of the owner data is determined according to the size of the owner data. The initial storage address and the end storage of the data block of the owner data are determined. Address to determine the storage address range.

In an optional embodiment, when the storage mode of the owner data is a little-endian mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the owner data The internal memory address where the low byte is located is Min_adress, and the storage address at the end of the data block belonging to the owner data, that is, the internal memory address where the high byte of the owner data is located is Max_adress. : L ｜ Max_adress-Min-adress ｜ (2)

Therefore, according to the size L of the owner data and the initial storage address Min_adress of the owner data, the last address Max_adress of the owner data can be determined, and the storage address range of the owner data can be determined. For example, if the owner data written to the non-volatile storage space is "1101" and the size of the owner data is 4 bytes, then the length of the storage address range of the owner data is also 4 bytes. If the initial storage address of the owner data at this time is FFFFF1, the last address of the owner data is FFFFF4, and the storage address range of the data block of the owner data is FFFFF1 ~ FFFFF4.

Optionally, FIG. 5 shows how to access the nonvolatile storage space after the owner data is written into the nonvolatile storage space and the storage address range of the owner data is determined according to the size of the owner data. The method flow chart of the owner data, as shown in FIG. 5, the method includes the following steps: step S502, receiving an access request for accessing the non-volatile storage space; step S504, responding to the access request, obtaining verification information And the required data length; step S506, if the verification information passes, determine whether the required data length is within the storage address range of the owner data; step S508, if the required data length is within the owner Within the storage address range of the data, it is allowed to return the content of the owner data.

As an optional embodiment, the access device end initiates a request for accessing the non-volatile space to the trusted chip. After receiving the non-volatile space request sent by the access device end, the trusted chip responds to the access device end. Request and request the access device to feedback the verification information and the length information of the owner data; the access device sends verification information and the length information of the owner data to the trusted chip, for example, the length of the accessed owner data is 4 Bytes; the trusted chip verifies whether the verification information returned by the access device meets the requirements, and if the verification information meets the requirements, determines whether the length of the data to be requested is within the storage address range of the owner data, for example, The required data length is 4 bytes. The storage address range of the owner data is FFFFF1 ~ FFFFF4. The maximum storage length of the owner data is 4 bytes. The requested data length satisfies formula (2). The letter chip allows access to the owner data and returns the owner data with the storage address range of FFFFF1 ~ FFFFF4.

It should be noted that the above verification information can be used to verify whether the access device has access permissions and determine the location where the access device accesses data, thereby further improving the accuracy of the access data.

Optionally, if the length of the requested data is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the prompt information used to characterize the request failure is output.

As an optional embodiment, when the trusted chip verifies that the authentication information returned by the access device meets the requirements, the trusted chip further determines whether the length of the data to be requested is within the storage address range of the owner data. If the requested data length is outside the storage address range of the owner data, for example, the required data length is 4 bytes, and the storage address range of the owner data is FFFFF1 ~ FFFFF3. The storage length is 3 bytes, and the requested data length does not satisfy formula (2). Therefore, the trusted chip does not allow access to the owner data, directly terminates the process, and outputs a prompt message for the failure of the request.

Optionally, the authentication information includes at least one of the following: a space number and a password to be accessed.

As an optional embodiment, verifying the space number that needs to be accessed can confirm whether the space number is stored in the trusted chip, and further verifying the password can confirm whether the currently accessed user has access rights, which can further improve Accuracy of access to data.

Optionally, if the verification information fails to be verified, a prompt message indicating that the owner data cannot be obtained is returned.

In an optional embodiment, the user needs to access the space number 2 but the owner data of the space number 2 does not exist in the trusted chip. In this case, the process of obtaining the owner data is suspended, And send prompt information to the access device end, prompting that there is no owner data with space number 2. In another optional embodiment, the user needs to access the space number 2 and the owner chip has the space number 2 in the trusted chip. When the password is detected to be incorrect, in this case, it will also be suspended. The process of obtaining the owner's information, and sending reminder information to the access device, prompting that the password is incorrect, and asking it to operate again.

In a preferred embodiment, the owner C applies for a 6-byte non-volatile space, which stores data of 4 bytes, as shown in Table 4: the owner space number Nv_index is 1, and the space The owner name User_name is C, and the space size Nv_Size corresponding to the owner space number 1 is 6 bytes, that is, the data length can be up to 6 bytes; its corresponding physical address is FFFFF0 ~ FFFFF6, in the physical address 4 bytes are stored. The data written by the owner is "1101". The TCG standard presets the owner data that is not written as 00 , that is, the data data item data is 1101 00 (the bold italic number indicates the status Data, bold numbers indicate owner data, as shown in Table 4).

When the stored data is long and frequently changed, the owner may not remember how long the data is stored in the storage space. For example, when the owner requested that the length of the data from the trusted chip be 5 and responded to The information that the chip requires feedback includes: the correct password **** entered by the owner, and the space number Nv_index 1. After receiving the above verification information, the trusted chip verifies that the password and space number are correct and verifies their requirements. The length 5 of the acquired data is greater than the length 4 of the owner data. Since the requested data length is not within the range allowed by the owner, the trusted chip prompts the requested data to exceed the pre-stored range and terminates the process of obtaining the owner data.

Trusted computing can perform security protection at the same time as the calculation operation, so that the calculation result is always consistent with the expectation, and the calculation process can be measured and controlled without being disturbed.

The core elements of trusted computing are the trusted chain and the trusted root. Among them, trusted computing can build a trusted computing environment through a trusted chain mechanism. When the trusted root is a trusted chip containing non-volatile storage space, there is another alternative embodiment, which is as follows: Currently, trusted computing has a domestic trusted platform control module (Trusted Platform Control Module). (TPCM) and Trusted Platform Module (TPM) of the International TCG Standards Organization.

The core elements of trusted computing are the trusted chain and the trusted root. The Trusted Platform Module (TPM) in the TCG specification is the hardware trusted root of the trusted computing platform. The TPM is to provide protected security. Storage, cryptographic computing security chip. The TPM is physically connected to the computing platform and connected to the CPU through an external bus. For example, the PC platform is directly cured on the motherboard and connected through the LPC bus.

The definition of trusted is given in the TCG specification: An entity has been operating in a predictable manner for a specific purpose. The core mechanism of trusted computing is to build a trusted computing environment through the trust chain mechanism. Whether the current operating entity is trusted is based on whether the previous operating process of the system is trusted. Based on this trust relationship, if the system starts from an initial root of trust, this trust can be maintained in a transitive manner at each transition of the platform's computing environment, thereby establishing a level of verification, a level of trust on the computing platform. The first-level trusted chain, the computing environment is always trusted, and it can be trusted by local users or remote entities. Figure 6 shows the structure of the TCG trust chain. As shown in Figure 6, solid arrows in the figure represent trusted metric connections, dotted arrows represent trusted report connections, bold solid arrows represent trusted storage connections, and bold Dotted arrows indicate trusted network connections.

The key technologies of trusted computing include trusted metrics, trusted reports, trusted storage, and trusted network connections.

The Trusted Platform Control Module TPCM implements the basic functions of the Trusted Platform Module. Its functional composition is basically the same as that of the TPM, but because the core measurement root CRTM of the TPM is in the basic input and output system BIOS and is not protected by the TPM, so TPCM proposed a new design of the trusted metric root, solved the problem of the initial metric point of the trusted metric root, changed the startup and measurement order, and based on this, established a trust chain metric process using the chip as the root of trust. The start of the entire system, I / O interface control, and system configuration are controlled by the chip, which reflects the chip's control of system credibility.

During the transfer of operation control of the computing platform, the trusted root TPCM judges whether the authenticity and integrity of the execution code at the next level has been tampered with. If not, the system passes the operation control to the trusted execution code at the next level. The trust scope is expanded to the next level of function code; similarly, the continuous transfer of system control power can realize the establishment and transfer process of the trust chain, and finally the system-wide trusted construction. A complete system trusted transfer process starts from the trusted root, the system control order is transferred from the trusted platform control module to the trusted BIOS, and then to the trusted operating system loader, from the trusted operating system The loader is passed to the trusted operating system, and then from the trusted operating system to the trusted application.

The trusted security chip has the function of generating encryption and decryption keys, can also perform high-speed data encryption and decryption, and acts as an auxiliary processor to protect the BIOS and operating system from being modified.

The TPM security chip is very versatile and can be used with special software to achieve the following uses:

(1) Store and manage BIOS power-on passwords and hard disk passwords. In the past, these tasks were performed by the BIOS. Friends who have played it may know that if you forget the password, you only need to remove the CMOS battery and discharge the CMOS to clear the password. These keys are actually stored in the storage unit that is solidified on the wafer, and their information will not be lost even if power is lost. Compared with the BIOS management password, the security of the TPM security chip is greatly improved.

(2) The TPM security chip can perform a wide range of encryption. In addition to the traditional boot encryption and hard disk encryption, the TPM security chip can also encrypt system login and application software login. For example, MSN, QQ, online games, and online banking login information and passwords can be encrypted by TPM before being transmitted, so there is no need to worry about the information and password being stolen.

(3) Encrypt any partition of the hard disk. You can encrypt any hard disk partition on the notebook, and you can also put some sensitive files into this partition for security. For example, the one-button recovery function used by some manufacturers is one of the concentrated manifestations of this purpose (it places the system image in a TPM-encrypted partition). There are also some large commercial software companies (such as: Microsoft) will also use it as a means of encrypted partitions (such as: the famous BitLocker).

It should be noted that, for the foregoing method embodiments, for simplicity of description, they are all described as a series of action combinations, but those skilled in the art should know that the present invention is not limited by the described action order. Because according to the present invention, certain steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the description are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.

Through the description of the above embodiments, a person skilled in the art can clearly understand that the method according to the above embodiments can be implemented by means of software plus a necessary universal hardware platform, and of course, also by hardware, but in many cases The former is a better implementation. Based on such an understanding, the technical solution of the present invention, in essence, or a part that contributes to the existing technology, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM / RAM, magnetic disk, optical disk). ) Includes several instructions for causing a terminal device (which may be a mobile phone, a computer, a server, or a network device, etc.) to execute the methods of the embodiments of the present invention.

Example 2

According to an embodiment of the present invention, an embodiment of a method for acquiring data stored in a wafer is also provided.

This application provides a method for acquiring data stored in a chip as shown in FIG. 7. 7 is a flowchart of a method for acquiring data stored in a wafer according to Embodiment 2 of the present invention. It includes the following steps: Step S702, receiving an access request for accessing the nonvolatile storage space of the chip; Step S704, responding to the access request, obtaining verification information and the required data length; and step S706, verifying the verification information In the case of passing, it is judged whether the length of the data to be requested is within the storage address range of the owner data preset in the non-volatile storage space; step S708, if the length of the data to be requested is in the storage position of the owner data Within the address range, the content of the owner data is allowed to be returned; among them, the storage address range of the owner data is used to represent the maximum data length when the data is allowed to be requested from the chip.

In the solution defined in the above steps S702 to S708, the access chip may be a trusted chip, and the trusted chip includes a non-volatile storage space. The storage mode of the above non-volatile storage space can adopt big-endian mode and little-endian mode. When the storage mode of the owner data is little-endian mode, it is assumed that the size of the owner data is L, and the size of the data block of the owner data is The initial storage address, that is, the internal memory address of the low byte that belongs to the master data is Min_adress, and the last storage address of the data block that belongs to the master data, that is, the internal memory address of the high byte that belongs to the master data is Max_adress. , Then L, Min_adress, and Max_adress satisfy the following formula: L ｜ Max_adress-Min_adress ｜

After the access device side initiates a request for accessing the non-volatile space to the trusted chip, the trusted chip receives the non-volatile space request sent by the access device side, responds to the request of the access device side, and requests the access device The client sends verification information and the length information of the owner data; the access device sends verification information and the length information of the owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip Verify whether the verification information returned by the access device meets the requirements. In the case that the verification information meets the requirements, determine whether the length of the data to be requested is within the storage address range of the owner data. For example, the length of the data to be requested is 4 Bytes. The storage address range of the owner data is FFFFF1 ~ FFFFF4. The maximum storage length of the owner data is 4 bytes. The requested data length meets the formula: L ｜ Max_adress-Min_adress ｜

Therefore, the trusted chip allows access to the owner data and returns the owner data with the storage address range of FFFFF1 ~ FFFFF4.

It should be noted that the above verification information can be used to verify whether the access device has access permissions and determine the location where the access device accesses data, thereby further improving the accuracy of the access data. The storage mode of the above non-volatile storage space can use big-endian mode and little-endian mode. Big-endian mode means that the high byte of data is stored in the low address of internal memory, and the low byte of data is stored in internal memory. The high-end address of the address; and the little-endian mode means that the high-order bytes of data are stored in the high-address of internal memory, and the low-order bytes of data are stored in the internal low-address. This storage mode can The bit weights of the data are effectively combined, and the weights of the data of the high address part are high, and the weights of the data of the low address part are low.

Based on the solutions disclosed in steps S702 to S708 of the above embodiment, it can be learned that after creating a non-volatile storage space in a chip, the owner data is written into the non-volatile storage space, and determined according to the size of the owner data The storage address range of the owner's data, according to the size of the owner's data and the storage address range of the owner's data, returns the data that the owner needs to obtain. The purpose of accurately obtaining the owner's data is achieved, thereby ensuring that the owner obtains the original data. The technical effect of the correctness of the data further solves the technical problem of poor accuracy of the read original data when the original technology reads the original data from the non-volatile space of the trusted security chip.

Optionally, the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authorization password, space size, and space entity address range.

In an optional embodiment, Table 5 is an attribute table of the non-volatile storage space in which the owner data has been written, as shown in Table 5.

In Table 5, the owner space number is 1, the space owner name is C, and the owner space number is 1. The owner space size is 6 bytes, that is, the data length can be up to 6 bytes, which corresponds to The space physical address range is FFFFF0 ~ FFFFF6, and 4 bytes are stored in its physical address. The storage address range is FFFFF1 ~ FFFFF4, and the owner data written is "1101".

Optionally, before receiving the access request for the non-volatile storage space for accessing the chip, the method further includes: writing owner data to the non-volatile storage space, and determining the owner's data according to the size of the owner data. The storage address range of the master data, where the storage address range is determined by the initial storage address and the end storage address of the data block that is the master data.

In an optional embodiment, when the storage mode of the owner data is a little-endian mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the owner data The internal memory address where the low byte is located is Min_adress, and the storage address at the end of the data block belonging to the owner data, that is, the internal memory address where the high byte of the owner data is located is Max_adress, then L, Min_adress and Max_adress satisfy the following formula : L ｜ Max_adress-Min_adress ｜

Therefore, according to the size L of the owner data and the initial storage address Min_adress of the owner data, the last address Max_adress of the owner data can be determined, and the storage address range of the owner data can be determined. For example, if the owner data written to the non-volatile storage space is "1101" and the size of the owner data is 4 bytes, then the length of the storage address range of the owner data is also 4 bytes. If the initial storage address of the owner data at this time is FFFFF1, the last address of the owner data is FFFFF4, and the storage address range of the data block of the owner data is FFFFF1 ~ FFFFF4.

Optionally, if the length of the requested data is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the prompt information used to characterize the failure of the request is output.

As an optional embodiment, when the trusted chip verifies that the authentication information returned by the access device meets the requirements, the trusted chip further determines whether the length of the data to be requested is within the storage address range of the owner data. If the requested data length is outside the storage address range of the owner data, for example, the required data length is 4 bytes, and the storage address range of the owner data is FFFFF1 ~ FFFFF3. The storage length is 3 bytes, and the requested data length does not satisfy the formula L ｜ Max_adress-Min_adress ｜, therefore, the trusted chip does not allow access to the owner's data, directly terminates the process, and outputs a prompt message that the request failed.

Example 3

According to an embodiment of the present invention, an embodiment of a trusted chip is also provided.

This application provides a schematic structural diagram of a trusted chip as shown in FIG. 8. FIG. 8 is a schematic structural diagram of a trusted chip according to Embodiment 3 of the present invention. The trusted chip includes a memory 801. The memory 801 includes a non-volatile storage space, and the attributes of the non-volatile storage space include at least: parameters for characterizing the owner data stored in the non-volatile storage space, and the storage of the owner data Address range; where the storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the chip.

In the technical solution defined by the memory 801, the storage mode of the non-volatile storage space may adopt a big-endian mode and a little-endian mode. The big-endian mode means that the high-order byte of data is stored in the low-address of the internal memory , And the low byte of the data is stored in the high address of the internal memory; the little-endian mode means that the high byte of the data is stored in the high address of the internal memory, and the low byte of the data is stored in the internal low address In medium, this storage mode can effectively combine the height of the address with the bit weight of the data. The data of the high address part has a high weight and the data of the low address part has a low weight.

It should be noted that one of the owner data of the non-volatile storage space is the data stored in the non-volatile storage space by the user. For example, if the data stored by the user is "1101", the data is Owner data stored in non-volatile storage space; another attribute of non-volatile storage space is the length of the storage address range of the owner data is the maximum data length that allows users to read the non-volatile storage space, For example, the storage address range of the owner data is: FFFFF0 ~ FFFFF6. The maximum data length when the user is allowed to request data from the chip is 7. In addition, the creation of non-volatile storage space in the chip can ensure that the data stored in the chip will not be lost when the device is powered off, so it can be used to store more important data.

It can be known from the above that creating a non-volatile storage space in the chip can ensure that the data stored in the chip by the user will not be lost when the device is powered off, thereby improving the security of data storage.

Example 4

According to an embodiment of the present invention, an embodiment of a system for acquiring data stored in a wafer is also provided.

The present application provides a system for acquiring data stored in a chip as shown in FIG. 9. 9 is a schematic structural diagram of a system for acquiring data stored in a chip according to Embodiment 4 of the present invention. The system includes: an access device end 901 and a trusted chip 903. Among them, the access device end 901 is used to issue an access request for accessing the non-volatile storage space of the chip; the trusted chip 903 communicates with the access device end to respond to the access request and obtain access The verification information returned by the device and the length of the requested data. In the case that the verification information passes, if the requested data length is within the storage address range of the owner data, the content of the owner data is allowed to be returned; The storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the trusted chip.

In an optional embodiment, the trusted chip includes a non-volatile storage space. The storage mode of the above non-volatile storage space can adopt big-endian mode and little-endian mode. When the storage mode of the owner data is little-endian mode, it is assumed that the size of the owner data is L, and the size of the data block of the owner data is The initial storage address, that is, the internal memory address of the low byte that belongs to the master data is Min_adress, and the last storage address of the data block that belongs to the master data, that is, the internal memory address of the high byte that belongs to the master data is Max_adress. , Then L, Min_adress, and Max_adress satisfy the following formula: L ｜ Max_adress-Min_adress ｜

After the access device side initiates a request for accessing the non-volatile space to the trusted chip, the trusted chip receives the non-volatile space request sent by the access device side, responds to the request of the access device side, and requests the access device The client sends verification information and the length information of the owner data; the access device sends verification information and the length information of the owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip Verify whether the verification information returned by the access device meets the requirements. In the case that the verification information meets the requirements, determine whether the length of the data to be requested is within the storage address range of the owner data. For example, the length of the data to be requested is 4 Bytes. The storage address range of the owner data is FFFFF1 ~ FFFFF4. The maximum storage length of the owner data is 4 bytes. The requested data length meets the formula: L ｜ Max_adress-Min_adress ｜

Therefore, the trusted chip allows access to the owner data and returns the owner data with the storage address range of FFFFF1 ~ FFFFF4.

It should be noted that the above verification information can be used to verify whether the access device has access permissions and determine the location where the access device accesses data, thereby further improving the accuracy of the access data. The storage mode of the above non-volatile storage space can use big-endian mode and little-endian mode. Big-endian mode means that the high byte of data is stored in the low address of internal memory, and the low byte of data is stored in internal memory. The high-end address of the address; and the little-endian mode means that the high-order bytes of data are stored in the high-address of internal memory, and the low-order bytes of data are stored in the internal low-address. This storage mode can The bit weights of the data are effectively combined, and the weights of the data of the high address part are high, and the weights of the data of the low address part are low.

It can be known from the above that after creating a non-volatile storage space in the chip, the owner data is written into the non-volatile storage space, and the storage address range of the owner data is determined according to the size of the owner data. The size and storage address range of the owner's data returns the data that the owner needs to obtain, achieving the purpose of accurately obtaining the owner's data, thereby achieving the technical effect of ensuring the correctness of the original data obtained by the owner, thereby solving the existing technology When reading the original data from the non-volatile space of the trusted security chip, the technical problem of the read original data is inaccurate.

Optionally, the trusted chip 903 is also used to write the owner data into the non-volatile storage space, and determine the storage address range of the owner data according to the size of the owner data. To determine the range of storage addresses.

Example 5

According to an embodiment of the present invention, a device for acquiring data stored in a chip for implementing the above embodiment 2 is also provided. As shown in FIG. 10, the device includes a receiving module 1001, a response module 1003, and a judgment module. Group 1005 and control module 1007. The receiving module 1001 is used to receive an access request for accessing the non-volatile storage space of the chip; the response module 1003 is used to respond to the access request, obtain verification information and the required data length; judge Module 1005 is used to determine whether the length of the data to be requested is within the storage address range of the owner data preset in the non-volatile storage space when the verification information passes; the control module 1007 is used to If the length of the requested data is within the storage address range of the owner data, the content of the owner data is allowed to be returned; among them, the storage address range of the owner data is used to represent the maximum data when the data is allowed to be requested from the chip length.

The access chip may be a trusted chip, and the trusted chip includes a non-volatile storage space. The storage mode of the above non-volatile storage space can adopt big-endian mode and little-endian mode. When the storage mode of the owner data is little-endian mode, it is assumed that the size of the owner data is L, and the size of the data block of the owner data is The initial storage address, that is, the internal memory address of the low byte that belongs to the master data is Min_adress, and the last storage address of the data block that belongs to the master data, that is, the internal memory address of the high byte that belongs to the master data is Max_adress. , Then L, Min_adress, and Max_adress satisfy the following formula: L ｜ Max_adress-Min_adress ｜

After the access device side initiates a request for accessing the non-volatile space to the trusted chip, the trusted chip receives the non-volatile space request sent by the access device side, responds to the request of the access device side, and requests the access device The client sends verification information and the length information of the owner data; the access device sends verification information and the length information of the owner data to the trusted chip, for example, the length of the accessed owner data is 4 bytes; the trusted chip Verify whether the verification information returned by the access device meets the requirements. In the case that the verification information meets the requirements, determine whether the length of the data to be requested is within the storage address range of the owner data. For example, the length of the data to be requested is 4 Bytes. The storage address range of the owner data is FFFFF1 ~ FFFFF4. The maximum storage length of the owner data is 4 bytes. The requested data length meets the formula: L ｜ Max_adress-Min_adress ｜

Therefore, the trusted chip allows access to the owner data and returns the owner data with the storage address range of FFFFF1 ~ FFFFF4.

It should be noted that the above verification information can be used to verify whether the access device has access permissions and determine the location where the access device accesses data, thereby further improving the accuracy of the access data. The storage mode of the above non-volatile storage space can use big-endian mode and little-endian mode. Big-endian mode means that the high byte of data is stored in the low address of internal memory, and the low byte of data is stored in internal memory. The high-end address of the address; and the little-endian mode means that the high-order bytes of data are stored in the high-address of internal memory, and the low-order bytes of data are stored in the internal low-address. This storage mode can The bit weights of the data are effectively combined, and the weights of the data of the high address part are high, and the weights of the data of the low address part are low.

It can be known from the above that after creating a non-volatile storage space in the chip, the owner data is written into the non-volatile storage space, and the storage address range of the owner data is determined according to the size of the owner data. The size and storage address range of the owner's data returns the data that the owner needs to obtain, achieving the purpose of accurately obtaining the owner's data, thereby achieving the technical effect of ensuring the correctness of the original data obtained by the owner, thereby solving the existing technology When reading the original data from the non-volatile space of the trusted security chip, the technical problem of the read original data is inaccurate.

What needs to be explained here is that the above-mentioned receiving module 1001, response module 1003, judgment module 1005, and control module 1007 correspond to steps S702 to S708 in Embodiment 2. The four modules and the corresponding steps are implemented. The examples and application scenarios are the same, but are not limited to the content disclosed in the above embodiment 2. It should be noted that, as a part of the device, the above module can be run in the computer terminal 10 provided in the first embodiment.

Optionally, the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authorization password, space size, and space entity address range.

In an optional embodiment, Table 6 is an attribute table of the non-volatile storage space in which the owner data has been written, as shown in Table 6.

In Table 6, the owner space number is 1, the space owner name is C, and the owner space number is 1. The owner space size is 6 bytes, that is, the data length can be up to 6 bytes, which corresponds to The space physical address range is FFFFF0 ~ FFFFF6, and 4 bytes are stored in its physical address. The storage address range is FFFFF1 ~ FFFFF4, and the owner data written is "1101".

Optionally, as shown in FIG. 10, the device for acquiring data stored in the chip further includes: a writing module 1009 for writing the owner data to the non-volatile storage space, and according to the data of the owner data, The size determines the storage address range of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.

In an optional embodiment, when the storage mode of the owner data is a little-endian mode, assuming that the size of the owner data is L, the initial storage address of the data block of the owner data, that is, the owner data The internal memory address where the low byte is located is Min_adress, and the storage address at the end of the data block belonging to the owner data, that is, the internal memory address where the high byte of the owner data is located is Max_adress, then L, Min_adress and Max_adress satisfy the following formula : L ｜ Max_adress-Min_adress ｜

Therefore, according to the size L of the owner data and the initial storage address Min_adress of the owner data, the last address Max_adress of the owner data can be determined, and the storage address range of the owner data can be determined. For example, if the owner data written to the non-volatile storage space is "1101" and the size of the owner data is 4 bytes, then the length of the storage address range of the owner data is also 4 bytes. If the initial storage address of the owner data at this time is FFFFF1, the last address of the owner data is FFFFF4, and the storage address range of the data block of the owner data is FFFFF1 ~ FFFFF4.

Optionally, if the length of the requested data is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the prompt information used to characterize the request failure is output.

As an optional embodiment, when the trusted chip verifies that the authentication information returned by the access device meets the requirements, the trusted chip further determines whether the length of the data to be requested is within the storage address range of the owner data. If the requested data length is outside the storage address range of the owner data, for example, the required data length is 4 bytes, and the storage address range of the owner data is FFFFF1 ~ FFFFF3. The storage length is 3 bytes, and the requested data length does not satisfy the formula L ｜ Max_adress-Min_adress ｜, therefore, the trusted chip does not allow access to the owner's data, directly terminates the process, and outputs a prompt message that the request failed.

Example 6

An embodiment of the present invention may provide a computer terminal, and the computer terminal may be any computer terminal device in a computer terminal group. Optionally, in this embodiment, the computer terminal described above may also be replaced with a terminal device such as a mobile terminal.

Optionally, in this embodiment, the computer terminal may be located in at least one network device among a plurality of network devices in a computer network.

Optionally, FIG. 11 is a structural block diagram of a computer terminal according to an embodiment of the present invention. As shown in FIG. 11, the computer terminal A may include: one or more processors (only one is shown in the figure) a processor 1103 and a memory 1101.

The memory can be used to store software programs and modules, such as the program instructions / modules corresponding to the security vulnerability detection method and device in the embodiments of the present invention. The processor runs the software programs and modules stored in the memory, thereby Perform various functional applications and data processing, that is, to achieve the above-mentioned detection method of system vulnerability attacks. The memory may include high-speed random memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include a memory remotely disposed relative to the processor, and these remote memories may be connected to the terminal A through a network. Examples of the above network include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.

The processor can call the information and applications stored in the memory through the transmission device to perform the following steps: create a non-volatile storage space in the chip, wherein the attributes of the non-volatile storage space include at least: The parameters of the owner data are stored in the non-volatile storage space, and the address range of the owner data is stored therein. The address range of the owner data is used to represent the maximum data length when the data is allowed to be requested from the chip.

Optionally, the processor may also execute the code of the following steps: write the owner data into the non-volatile storage space, and determine the storage address range of the owner data according to the size of the owner data, wherein, through the owner The initial storage address and the last storage address of the data block of the master data determine the storage address range.

Optionally, the processor may further execute code of the following steps: receiving an access request for accessing the non-volatile storage space; responding to the access request, obtaining verification information and a required data length; verifying and verifying When the information passes, determine whether the length of the data to be requested is within the storage address range of the owner's data; if the length of the data to be requested is within the storage address range of the owner's data, return of the owner's data is allowed content.

Optionally, the processor may further execute code of the following steps: if the requested data length is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the output is used for characterization Notification of failed request.

According to the embodiment of the present invention, a method for obtaining data stored in a chip is provided. After creating a non-volatile storage space in the chip, the owner data is written into the non-volatile storage space, and according to the owner, The size of the data determines the storage address range of the owner's data, and returns the data that the owner needs to obtain according to the size of the owner's data and the storage address range of the owner's data. The purpose of accurately obtaining the owner's data is achieved, thereby guaranteeing The technical effect that the owner obtains the correctness of the original data, thereby solving the technical problem of poor accuracy of the read original data when the original technology reads the original data from the non-volatile space of the trusted security chip.

Those skilled in the art can understand that the structure shown in FIG. 11 is only a schematic, and the computer terminal may also be a smart phone (such as an Android phone, an iOS phone, etc.), a tablet computer, an applause computer, and a mobile Internet device (Mobile Internet Devices). , MID), PAD and other terminal equipment. FIG. 11 does not limit the structure of the electronic device. For example, the computer terminal 11 may further include more or less components (such as a network interface, a display device, etc.) than those shown in FIG. 11, or may have a configuration different from that shown in FIG. 11.

Those skilled in the art can understand that all or part of the steps in the various methods of the above embodiments can be completed by a program instructing the hardware related to the terminal device. The program can be stored in a computer-readable storage medium. The storage medium It may include: flash drive, read-only memory (ROM), random access memory (RAM), magnetic disk or optical disk, etc.

Example 7

An embodiment of the present invention also provides a storage medium. Optionally, in this embodiment, the foregoing storage medium may be used to store code executed by the method for obtaining data stored in a chip provided in the foregoing Embodiment 2.

Optionally, in this embodiment, the storage medium may be located in any computer terminal in a computer terminal group in a computer network, or in any mobile terminal in a mobile terminal group.

Optionally, in this embodiment, the storage medium is configured to store code for performing the following steps: receiving an access request for a non-volatile storage space for accessing the chip; responding to the access request and obtaining verification Information and required data length; in the case of verification verification information, determine whether the required data length is within the storage address range of the owner data preset in the non-volatile storage space; if the requested If the data length is within the storage address range of the owner data, the content of the owner data is allowed to be returned; among them, the storage address range of the owner data is used to characterize the maximum data length when the data is allowed to be requested from the chip.

Optionally, in this embodiment, the storage medium is configured to store code that is further used to perform the following steps: write the owner data to the non-volatile storage space, and determine the owner data according to the size of the owner data Of storage address ranges, where the storage address range is determined by the initial storage address and the end storage address of the data block that owns the data.

Optionally, in this embodiment, the storage medium is configured to store code that is also used to perform the following steps: if the requested data length is outside the storage address range of the owner data, the acquisition of the owner data is suspended Process, and / or output a message to indicate that the request failed.

The sequence numbers of the foregoing embodiments of the present invention are only for description, and do not represent the superiority or inferiority of the embodiments.

In the above embodiments of the present invention, the description of each embodiment has its own emphasis. For a part that is not described in detail in an embodiment, reference may be made to the description of other embodiments.

In the several embodiments provided in this application, it should be understood that the disclosed technical content may be implemented in other ways. The device embodiments described above are merely schematic. For example, the division of units is only a logical function division. In actual implementation, there may be another division manner. For example, multiple units or components may be combined or integrated into another unit. A system or some features can be ignored or not implemented. In addition, the displayed or discussed mutual coupling or direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, units or modules, and may be electrical or other forms.

The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units, which may be located in one place, or may be distributed on multiple network units. Some or all of the units may be selected according to actual needs to achieve the objective of the solution of this embodiment.

In addition, each functional unit in each embodiment of the present invention may be integrated into one processing unit, or each unit may exist separately physically, or two or more units may be integrated into one unit. The above integrated unit may be implemented in the form of hardware or in the form of software functional unit.

When the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention essentially or part that contributes to the existing technology or all or part of the technical solution can be embodied in the form of a software product, which is stored in a storage medium, It includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present invention. The aforementioned storage media include: USB flash drives, Read-Only Memory (ROM), Random Access Memory (RAM), mobile hard disks, magnetic disks, or optical disks. Code media.

The above are only the preferred embodiments of the present invention. It should be noted that for those with ordinary knowledge in the technical field, without departing from the principles of the present invention, several improvements and retouches can be made. It is regarded as the protection scope of the present invention.

Claims (14)

    A trusted chip includes: a memory, including a non-volatile storage space, wherein the attributes of the non-volatile storage space at least include: used to characterize storing owner data in the non-volatile storage space Parameters, and the storage address range of the owner's data; where the storage address range of the owner's data is used to characterize the maximum data length when data is allowed to be requested from the chip.         A system for acquiring data stored in a chip, comprising: an access device end for issuing an access request for a non-volatile storage space for accessing the chip; a trusted chip, and the access Device-side communication is used to respond to the access request to obtain the authentication information returned by the access device and the required data length. In the case of verifying that the authentication information passes, if the required data length is in the owner data Within the storage address range, the content of the owner data is allowed to be returned; the storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the trusted chip.         A data storage method for a non-volatile storage space in a chip, comprising: creating a non-volatile storage space in a chip, wherein the attributes of the non-volatile storage space at least include: The parameter of the owner data is stored in the volatile storage space, and the address range of the owner data is used for storing the address range of the owner data.         The method according to item 3 of the scope of patent application, wherein the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authorization password, space size, and space entity address range .         The method according to item 3 or 4 of the scope of patent application, wherein after the non-volatile storage space is created in the chip, the method further comprises: writing the owner data to the non-volatile storage space, and according to the The size of the owner data determines the storage address range of the owner data, wherein the storage address range is determined by the initial storage address and the end storage address of the data block of the owner data.         The method according to item 5 of the scope of patent application, wherein after writing the owner data into the non-volatile storage space and determining the storage address range of the owner data according to the size of the owner data, the The method further includes: receiving an access request for accessing the non-volatile storage space; responding to the access request, obtaining verification information and a required data length; and in the case of verifying that the verification information passes, determining the required request Whether the length of the data is within the storage address range of the owner's data; if the requested data length is within the storage address range of the owner's data, the content of the owner's data is allowed to be returned.         The method according to item 6 of the scope of patent application, wherein if the length of the requested data is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the output is used for Information indicating that the request failed.         The method according to item 6 of the scope of patent application, wherein the verification information includes at least one of the following: a space number and a password to be accessed.         The method according to item 6 of the scope of patent application, wherein when the verification of the verification information fails, the prompt information that the owner information cannot be obtained is returned.         A method for acquiring data stored in a chip, comprising: receiving an access request for accessing a non-volatile storage space of the chip; responding to the access request, obtaining authentication information and a required data length ; In the case of verifying that the verification information passes, determine whether the required data length is within the storage address range of the owner data preset in the non-volatile storage space; if the required data length is within the Within the storage address range of the owner data, it is allowed to return the content of the owner data; among them, the storage address range of the owner data is used to characterize the maximum data length when data is allowed to be requested from the chip.         The method according to item 10 of the scope of patent application, wherein the attributes of the non-volatile storage space further include at least one of the following: space number, space owner name, space authorization password, space size, and space entity address range .         The method according to item 10 or 11 of the patent application scope, wherein before receiving an access request for accessing the non-volatile storage space of the chip, the method further comprises: writing to the non-volatile storage space The owner data, and the storage address range of the owner data is determined according to the size of the owner data, wherein the storage address is determined by the initial storage address and the end storage address of the data block of the owner data range.         The method according to item 10 of the scope of patent application, wherein if the length of the requested data is outside the storage address range of the owner data, the process of obtaining the owner data is suspended, and / or the output is used for Information indicating that the request failed.         A device for acquiring data stored in a chip, comprising: a receiving module for receiving an access request of a non-volatile storage space for accessing the chip; and a response module for responding to the storage Fetch the request to obtain the verification information and the required data length; the judgment module is used to determine whether the required data length is in the owner set in the non-volatile storage space if the verification information passes. The data is within the storage address range; the control module is used to allow the content of the owner's data to be returned if the length of the requested data is within the storage address range of the owner's data; The data storage address range is used to characterize the maximum data length when data is allowed to be requested from the chip.