CN-114041133-B - Integrated chip and data processing method

Abstract

An integrated chip and a data processing method are provided for enhancing the security of a system and improving the service processing efficiency of the system. The integrated chip comprises an application processor, a security processor and a memory controller. The application processor is configured to write first data into an off-chip memory through the memory controller in a normal security mode, where the address of the first data in the off-chip memory is a first address. The security processor is configured to send a first read instruction to the memory controller in an enhanced security mode, the first read instruction requesting to read the first data at the first address. The memory controller is configured to read the first data from the off-chip memory and send the first data to the security processor.

Inventors

  • GAO CHANGJIAN
  • LIU YU

Assignees

  • Huawei Technologies Co., Ltd. (华为技术有限公司)

Dates

Publication Date: 2026-04-21
Application Date: 2019-06-21
Priority Date: 2019-06-21

Claims (20)

  1. An integrated chip, comprising: an application processor configured to write first data into an off-chip memory through a memory controller in a normal security mode, wherein the address of the first data in the off-chip memory is a first address; a security processor configured to send a first read instruction to the memory controller in an enhanced security mode, the first read instruction requesting to read the first data at the first address; the security processor being further configured to process the read first data in the enhanced security mode and to write the processed data into the off-chip memory through the memory controller; the application processor being further configured to read the processed data from the off-chip memory through the memory controller in the normal security mode; the memory controller being configured to determine that the first address belongs to a first storage area of the off-chip memory, wherein the first storage area is configured to allow a processor in the normal security mode to perform read and write operations and to allow a processor in the enhanced security mode to perform read operations; the memory controller determining that the security processor is in the enhanced security mode and that the first read instruction is a read instruction; and the memory controller reading the first data and sending the first data to the security processor.
  2. The integrated chip of claim 1, wherein the application processor, when reading the processed data from the off-chip memory through the memory controller, is specifically configured to: send a second read instruction to the memory controller in the normal security mode, the second read instruction requesting to read the processed data; and the memory controller is further configured to read the processed data from the off-chip memory and send the processed data to the application processor.
  3. The integrated chip of claim 1, wherein the security processor is further configured to: after the processed data is written into the off-chip memory through the memory controller, notify the application processor by means of an interrupt to read the processed data.
  4. The integrated chip of claim 1 or 2, wherein the application processor is further configured to: after the first data is written into the off-chip memory through the memory controller, notify the security processor by means of an interrupt to read the first data.
  5. The integrated chip of claim 1 or 2, wherein the security processor is further configured to: configure the first storage area as a storage area that allows a processor in the normal security mode to perform read and write operations and allows a processor in the enhanced security mode to perform read operations.
  6. The integrated chip of claim 2, wherein, when the security processor writes the processed data into the off-chip memory through the memory controller: the security processor sends a first write instruction to the memory controller in the enhanced security mode, the first write instruction requesting to write the processed data at a second address; and the memory controller is further configured to: determine that the first write instruction passes authentication; and write the processed data to the second address.
  7. The integrated chip of claim 6, wherein the memory controller, when determining that the first write instruction passes authentication, is specifically configured to: determine that the second address belongs to a second storage area of the off-chip memory, wherein the second storage area is configured to allow a processor in the enhanced security mode to perform read and write operations and to allow a processor in the normal security mode to perform read operations; and determine that the security processor is in the enhanced security mode.
  8. The integrated chip of claim 7, wherein the security processor is further configured to: configure the second storage area to allow a processor in the enhanced security mode to perform read and write operations and to allow a processor in the normal security mode to perform read operations.
  9. The integrated chip of claim 2, wherein the security processor is further configured to: before processing the read first data, write second data into the off-chip memory through the memory controller in the enhanced security mode, wherein the address of the second data in the off-chip memory is a third address; and the security processor, when processing the read first data in the enhanced security mode, is specifically configured to: send a third read instruction to the memory controller in the enhanced security mode, the third read instruction requesting to read the second data at the third address; read the second data from the off-chip memory through the memory controller; and compare the first data with the second data and take the comparison result as the processed data.
  10. The integrated chip of claim 1, wherein the memory controller is further configured to: determine that the security processor is in the enhanced security mode if the enhanced security indication information in the first read instruction is a first specified value.
  11. The integrated chip of claim 10, wherein the enhanced security indication information is transmitted over a signal line on an internal bus of the integrated chip.
  12. The integrated chip of claim 1, wherein the application processor is further configured to: operate in a non-secure mode and the normal security mode in a time-sharing manner.
  13. An integrated chip, comprising: a bus comprising a first signal line for transmitting enhanced security indication information and a second signal line for transmitting normal security indication information; an application processor configured to write first data into an off-chip memory through a memory controller in a normal security mode, wherein the address of the first data in the off-chip memory is a first address; a security processor configured to send a first read instruction to the memory controller through the bus in an enhanced security mode, wherein the enhanced security indication information contained in the first read instruction is transmitted through the first signal line; the security processor being further configured to process the read first data in the enhanced security mode and to write the processed data into the off-chip memory through the memory controller; the application processor being configured to send a second read instruction to the memory controller through the bus in the normal security mode, wherein the normal security indication information contained in the second read instruction is transmitted through the second signal line; the application processor being further configured to read the processed data from the off-chip memory through the memory controller in the normal security mode; the memory controller being configured to determine that the security processor is in the enhanced security mode in a case where the enhanced security indication information contained in the first read instruction is a first specified value; the memory controller being further configured to determine that the first address belongs to a first storage area of the off-chip memory, wherein the first storage area is configured to allow a processor in the normal security mode to perform read and write operations and to allow a processor in the enhanced security mode to perform read operations; the memory controller determining that the security processor is in the enhanced security mode and that the first read instruction is a read instruction; and the memory controller reading the first data and sending the first data to the security processor.
  14. The integrated chip of claim 13, wherein the memory controller is further configured to: determine that the application processor is in the normal security mode in a case where the normal security indication information in the second read instruction is a second specified value; and determine that the application processor is in a non-secure mode in a case where the normal security indication information in the second read instruction is a third specified value.
  15. A data processing method applied to an integrated chip as claimed in claims 1-12 or 13-14, comprising: the memory controller determining, by querying a local register, that the first address belongs to a first storage area of the off-chip memory, wherein the first storage area is configured to allow a processor in a normal security mode to perform read and write operations and to allow a processor in an enhanced security mode to perform read operations; the memory controller determining that the security processor is in the enhanced security mode and that the first read instruction is a read instruction; and the memory controller reading the first data from the off-chip memory and sending the first data to the security processor.
  16. The method of claim 15, wherein the memory controller determining that the security processor is in the enhanced security mode comprises: the memory controller determining that the security processor is in the enhanced security mode if the enhanced security indication information in the first read instruction is a first specified value.
  17. The method of claim 16, further comprising: the memory controller receiving first configuration information sent by the security processor, wherein the first configuration information indicates that the first storage area allows a processor in the normal security mode to perform read and write operations and allows a processor in the enhanced security mode to perform read operations; and the memory controller saving the first configuration information in the local register.
  18. The method of claim 16, further comprising: after sending the first data to the security processor, the memory controller receiving a first write instruction sent by the security processor, wherein the first write instruction requests to write the processed data at a second address, and the processed data is obtained after the security processor processes the first data; the memory controller determining that the first write instruction passes authentication; and the memory controller writing the processed data to the second address.
  19. The method of claim 18, wherein the memory controller determining that the first write instruction passes authentication comprises: the memory controller determining, by querying a local register, that the second address belongs to a second storage area of the off-chip memory, wherein the second storage area is configured to allow a processor in the enhanced security mode to perform read and write operations and to allow a processor in the normal security mode to perform read operations; and the memory controller determining that the security processor is in the enhanced security mode.
  20. The method of claim 19, further comprising: the memory controller receiving second configuration information sent by the security processor, wherein the second configuration information indicates that the second storage area allows a processor in the enhanced security mode to perform read and write operations and allows a processor in the normal security mode to perform read operations; and the memory controller saving the second configuration information in the local register.
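
The authentication check that claims 1, 7, 10 and 13-15 assign to the memory controller can be modelled in software as below. This is an added example, not part of the patent text: the type and function names, the signal-line encodings, the addresses, and the choice to deny non-secure access are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added illustration. All names, encodings and addresses below are assumptions. */
typedef enum { MODE_NON_SECURE, MODE_NORMAL, MODE_ENHANCED } sec_mode_t;
typedef enum { OP_READ, OP_WRITE } op_t;
#define PERM_R 1u
#define PERM_W 2u
#define ENH_FIRST_VALUE  1u  /* assumed "first specified value" (enhanced security) */
#define NRM_SECOND_VALUE 1u  /* assumed "second specified value" (normal security) */
/* One entry of the controller's local register: per-mode rights for a region. */
typedef struct { uint64_t base, size; uint8_t perm[3]; } region_t;
/* A bus request; the two sideband fields model the two signal lines of claim 13. */
typedef struct {
    uint64_t addr, len;
    op_t op;
    uint8_t enh_line;  /* first signal line */
    uint8_t nrm_line;  /* second signal line */
} request_t;

static sec_mode_t decode_mode(const request_t *r) {
    if (r->enh_line == ENH_FIRST_VALUE) return MODE_ENHANCED;
    return r->nrm_line == NRM_SECOND_VALUE ? MODE_NORMAL : MODE_NON_SECURE;
}

/* Grant only if the whole access lies inside one configured region whose
   rights for the requester's mode include the operation; otherwise deny. */
bool authenticate(const region_t *tbl, size_t n, const request_t *r) {
    uint8_t need = (r->op == OP_READ) ? PERM_R : PERM_W;
    sec_mode_t mode = decode_mode(r);
    if (r->len == 0) return false;
    for (size_t i = 0; i < n; i++) {
        const region_t *g = &tbl[i];
        if (r->addr < g->base) continue;
        uint64_t off = r->addr - g->base;
        if (off < g->size && r->len <= g->size - off)  /* overflow-safe bounds */
            return (g->perm[mode] & need) != 0;
    }
    return false;  /* address not covered by any region */
}

/* Constructed configuration: non-secure access is denied here by assumption. */
static const region_t SAMPLE[2] = {
    { 0x80000000u, 0x100000u, { 0, PERM_R | PERM_W, PERM_R } },  /* first storage area */
    { 0x80100000u, 0x100000u, { 0, PERM_R, PERM_R | PERM_W } },  /* second storage area */
};

bool sample_check(uint64_t addr, uint64_t len, op_t op, uint8_t enh, uint8_t nrm) {
    request_t r = { addr, len, op, enh, nrm };
    return authenticate(SAMPLE, 2, &r);
}

int main(void) { return sample_check(0x80000000u, 64, OP_READ, 1, 0) ? 0 : 1; }
```

The two sample regions form a pair of one-way channels: each side can write only the area the other side reads, so neither processor can overwrite data the other has published.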

Description

Integrated chip and data processing method

Technical Field

The present application relates to the field of chip technologies, and in particular, to an integrated chip and a data processing method.

Background

With the development of intelligent terminals and the popularization of internet applications, the functions of intelligent terminals keep increasing. In many application scenarios, such as mobile payment and mobile phone screen unlocking, the security requirements on the intelligent terminal are also becoming higher.

To improve system security, an existing system on chip (SoC) generally adopts a TrustZone architecture. In this architecture, the application processor (AP) operates in a non-secure mode and a secure mode in a time-sharing manner. The AP processes general application programs when operating in the non-secure mode, and processes programs requiring secure processing when operating in the secure mode. However, many attack models and examples now exist in which the AP passes from the non-secure mode to the secure mode without authorization, so the security of the TrustZone architecture is difficult to guarantee.

One way to enhance system security is to add an independent security processor on top of the TrustZone architecture. That is, the SoC integrates the AP and a separate security processor, which may include a processor and other security components. The security processor is an independent security domain in the SoC. The security processor and the AP cannot access each other directly, but can exchange information by means of interrupts. As shown in FIG. 1, when the AP transmits data to the security processor, the AP first transmits the data to an inbox (Inbox); when the Inbox receives the data, an interrupt is triggered in the security processor, and the security processor reads the data from the Inbox. When the security processor transmits data to the AP, the data is first transmitted to an outbox (Outbox); when the Outbox receives the data, an interrupt message is sent to an interrupt controller, the interrupt controller triggers an interrupt in the AP on receiving the interrupt message, and the AP reads the data from the Outbox.

In the information interaction scheme shown in FIG. 1, the mailbox includes the Inbox and the Outbox, which are typically on-chip buffers of the SoC, fabricated on the same die as the SoC. Because the storage space of these buffers is limited, information interaction between the AP and the security processor is inefficient. In particular, when a large data stream service is processed, this scheme greatly increases the service processing time and reduces the service processing efficiency.

Disclosure of Invention

The embodiments of the application provide an integrated chip and a data processing method, which are used for enhancing the security of a system and improving the service processing efficiency of the system.

In a first aspect, an embodiment of the present application provides an integrated chip, including: an application processor configured to write first data into an off-chip memory through a memory controller in a normal security mode, where the address of the first data in the off-chip memory is a first address; a security processor configured to send a first read instruction to the memory controller in an enhanced security mode, the first read instruction requesting to read the first data at the first address; and the memory controller, configured to read the first data from the off-chip memory and send the first data to the security processor.

With the integrated chip provided in the first aspect, after the application processor writes the first data into the off-chip memory through the memory controller in the normal security mode, the security processor may read the first data through the memory controller in the enhanced security mode. In this way, the application processor can transmit the first data to the security processor. In the integrated chip provided in the first aspect, the application processor and the security processor exchange data through the off-chip memory under the control of the memory controller. Compared with the prior-art scheme in which the application processor and the security processor interact through a mailbox (Inbox and Outbox), the interaction scheme provided by the first aspect improves the efficiency of information interaction because the storage space and the transmission bandwidth of the off-chip memory are large. In particular, when a large data stream service is processed, exchanging data through the off-chip memory can greatly shorten the service processing time and thereby improve the service processing efficiency.

In one possible design, the se