CN-114722410-B - Cryptographic module, cryptographic operation method, CPU chip and electronic device
Abstract
The embodiments of the invention disclose a cryptographic module, a cryptographic operation method, a CPU chip and an electronic device. The cryptographic module is built into the central processing unit (CPU) and isolated from the CPU compute core, and comprises a secure processor and a cryptographic coprocessor. The secure processor receives a cryptographic service request sent by the CPU compute core, obtains an internal key and sends the internal key to the cryptographic coprocessor. The cryptographic coprocessor reads the source data corresponding to the request from system memory, performs the requested cryptographic service using the internal key and the source data, and stores the result back to system memory. The code and data of the running secure processor are stored in a secure memory outside the CPU, and hardware encrypts and integrity-protects the accessed contents whenever the secure processor accesses that secure memory. The technical scheme of the embodiments suits cryptographic applications that need a cryptographic module, such as cryptographic engines; it can reduce the cost and complexity of the cryptographic module design and strengthen its security.
Inventors
- CHEN SHAN
- YING ZHIWEI
Assignees
- 海光信息技术股份有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20220413
Claims (10)
- 1. A cryptographic module, wherein the cryptographic module is built into a central processing unit (CPU) and isolated from the CPU compute core, the cryptographic module comprising a secure processor and a cryptographic coprocessor, wherein: the secure processor is configured to receive a cryptographic service request sent by the CPU compute core, obtain an internal key and send the internal key to the cryptographic coprocessor; the cryptographic coprocessor is configured to read the source data corresponding to the cryptographic service request from system memory, perform the cryptographic service using the internal key and the source data, and store the result to system memory; the internal key comprises a device key and a user key, wherein the device key is bound to the device, is unique to each device to which it is bound, and represents the identity of the device; and the code and data of the secure processor at run time are stored in a secure memory outside the CPU, with hardware encrypting and integrity-protecting the accessed contents whenever the secure processor accesses the secure memory.
- 2. The cryptographic module of claim 1, wherein the secure processor is further configured to: carry out internal-key management communication with the CPU compute core through a management interface; and, according to the internal-key management operation issued by the CPU compute core, either manage the internal key held in the secure non-volatile memory external to the CPU or, when the internal key image is updated, instruct the CPU compute core to write the updated internal key image to the hard disk file system.
- 3. The cryptographic module of claim 2, wherein, when the internal-key management operation is an export or import of an internal key, the secure processor is configured to: combine the on-chip secret information with the password supplied for the key-management operation to generate a protection key; encrypt and integrity-protect the internal key to be exported using the protection key; or decrypt the internal key to be imported using the protection key and verify its integrity.
- 4. The cryptographic module of claim 1, wherein the secure processor is further configured to negotiate a communication key with a user application on the CPU compute core through a service interface and establish a secure session; within the context of that secure session, the secure processor encrypts and decrypts the cryptographic service communication data exchanged with the user application on the CPU compute core using the communication key.
- 5. A cryptographic operation method applied to a secure processor, the method comprising: receiving a cryptographic service request sent by a CPU compute core; obtaining an internal key, wherein obtaining the internal key comprises reading the internal key from a secure non-volatile memory outside the CPU, the accessed contents being encrypted and integrity-protected when the secure non-volatile memory is accessed; and sending the internal key to a cryptographic coprocessor to instruct the cryptographic coprocessor to read the source data corresponding to the cryptographic service request from system memory, perform the cryptographic service using the internal key and the source data, and store the result to system memory; wherein the code and data of the secure processor at run time are stored in a secure memory outside the CPU, and hardware encrypts and integrity-protects the accessed contents whenever the secure processor accesses the secure memory.
- 6. The cryptographic operation method of claim 5, further comprising: carrying out internal-key management communication with the CPU compute core through a management interface; and, according to the internal-key management operation issued by the CPU compute core, either managing the internal key held in the secure non-volatile memory external to the CPU or, when the internal key image is updated, instructing the CPU compute core to write the updated internal key image to the hard disk file system.
- 7. The cryptographic operation method of claim 6, wherein, when the internal-key management operation is an export or import of an internal key, the internal-key management comprises: combining the on-chip secret information with the password supplied for the key-management operation to generate a protection key; encrypting and integrity-protecting the internal key to be exported using the protection key; or decrypting the internal key to be imported using the protection key and verifying its integrity.
- 8. The cryptographic operation method of claim 5, further comprising: negotiating a communication key with a user application on the CPU compute core through a service interface and establishing a secure session; and, within the context of that secure session, encrypting and decrypting the cryptographic service communication data exchanged with the user application on the CPU compute core using the communication key.
- 9. A CPU chip comprising a CPU compute core and a cryptographic module according to any one of claims 1 to 4.
- 10. An electronic device comprising a housing, a processor, a memory, a circuit board and a power supply circuit, wherein the circuit board is arranged inside a space enclosed by the housing, the processor and the memory are arranged on the circuit board, the power supply circuit is used for supplying power to each circuit or device of the electronic device, the memory is used for storing executable program codes, and the processor is used for executing a program corresponding to the executable program codes by reading the executable program codes stored in the memory and executing the method according to any one of the preceding claims 5-8.
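The export/import path of claims 3 and 7 is the one point at which an internal key legitimately leaves the chip, so it is worth seeing concretely. The Go program below is an added illustration written for this page, not code from the patent or from the assignee. It derives the protection key from an on-chip secret and the operation password with HKDF-SHA256 and wraps the internal key with AES-256-GCM, which supplies the encryption and the integrity protection the claims call for in a single primitive, then shows that the wrong password, a different chip secret and a relabelled envelope are all rejected on import. The `Envelope` layout, the `KeyID` field, the HKDF and AES-GCM choices and every sample value are assumptions; the patent names no algorithms or formats.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the exported form of an internal key (assumed layout; the patent
// fixes no wire format). It may sit on the hard disk file system or travel to
// another machine: only a CPU holding the same on-chip secret, given the same
// operation password, can open it.
type Envelope struct {
	KeyID  string // bound to the ciphertext as GCM associated data
	Salt   []byte // per-export random salt for the protection-key derivation
	Nonce  []byte // fresh AES-GCM nonce per export
	Sealed []byte // AES-256-GCM ciphertext followed by the 16-byte tag
}

// hkdfSHA256 is a single-output-block HKDF (RFC 5869) over HMAC-SHA256.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(ikm)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(info)
	expand.Write([]byte{0x01})
	return expand.Sum(nil) // 32 bytes
}

// ProtectionKey realises the claim-3 step "combine the on-chip secret with the
// operation password": the chip secret is the HKDF input keying material and
// the password enters through the info field, so neither alone yields the key.
func ProtectionKey(chipSecret []byte, password string, salt []byte) []byte {
	return hkdfSHA256(chipSecret, salt, []byte("internal-key-export/"+password))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// ExportKey wraps internalKey under the protection key; AES-GCM supplies the
// confidentiality and the integrity protection the claim requires in one pass.
func ExportKey(chipSecret []byte, password, keyID string, internalKey []byte) (Envelope, error) {
	salt, nonce := make([]byte, 16), make([]byte, 12)
	if _, err := rand.Read(salt); err != nil {
		return Envelope{}, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	gcm, err := newGCM(ProtectionKey(chipSecret, password, salt))
	if err != nil {
		return Envelope{}, err
	}
	sealed := gcm.Seal(nil, nonce, internalKey, []byte(keyID))
	return Envelope{KeyID: keyID, Salt: salt, Nonce: nonce, Sealed: sealed}, nil
}

// ImportKey re-derives the protection key on the importing CPU and releases the
// key only if the GCM tag verifies: a wrong chip secret, a wrong password, a
// modified ciphertext and a relabelled KeyID all fail identically.
func ImportKey(chipSecret []byte, password string, env Envelope) ([]byte, error) {
	gcm, err := newGCM(ProtectionKey(chipSecret, password, env.Salt))
	if err != nil {
		return nil, err
	}
	key, err := gcm.Open(nil, env.Nonce, env.Sealed, []byte(env.KeyID))
	if err != nil {
		return nil, errors.New("import rejected: integrity check failed")
	}
	return key, nil
}

func main() {
	// Constructed sample values; a real chip secret lives in fuses or a PUF.
	chipSecret := bytes.Repeat([]byte{0xA5}, 32)
	internalKey := bytes.Repeat([]byte{0x11}, 32)
	env, err := ExportKey(chipSecret, "operator-pw", "user-key-7", internalKey)
	if err != nil {
		panic(err)
	}
	got, err := ImportKey(chipSecret, "operator-pw", env)
	fmt.Println("same chip, right password:", err == nil && bytes.Equal(got, internalKey))
	_, err = ImportKey(chipSecret, "wrong-pw", env)
	fmt.Println("wrong password rejected:", err != nil)
	_, err = ImportKey(bytes.Repeat([]byte{0x5A}, 32), "operator-pw", env)
	fmt.Println("different chip rejected:", err != nil)
	relabelled := env
	relabelled.KeyID = "user-key-8"
	_, err = ImportKey(chipSecret, "operator-pw", relabelled)
	fmt.Println("relabelled key rejected:", err != nil)
}
```

The property that separates this from an ordinary password-wrapped key file is the chip secret in the derivation: an envelope plus its password is useless on any other CPU, which is what makes the "bound to the device" language of claim 1 enforceable on the export path. Binding `KeyID` as associated data stops an envelope for one key being presented as another, and the fresh salt and nonce per export mean two exports of the same key share no ciphertext.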
Description
Cryptographic module, cryptographic operation method, CPU chip and electronic device
Technical Field
The present invention relates to the field of information security, and in particular to a cryptographic module, a cryptographic operation method, a CPU chip and an electronic device.
Background
In cryptographic applications such as cryptographic engines, a dedicated cryptographic module is usually required. Besides performing cryptographic operations efficiently, the module provides a degree of key management so that keys remain protected. The common cryptographic module today is a dedicated cryptographic card, as shown in fig. 1: the card is plugged into the system motherboard and connected to the CPU over the PCIe bus, and the card implements the functions of the cryptographic module. An external dedicated cryptographic card has two main drawbacks. In cost, the card requires additional hardware, raising the hardware cost. In security, the card communicates with the CPU entirely over an external bus, which enlarges the attack surface and leaves the card exposed to physical attacks on that bus.
Disclosure of Invention
In view of this, the embodiments of the invention provide a cryptographic module, a cryptographic operation method, a CPU chip and an electronic device, so as to reduce the cost of the cryptographic module design and enhance its security.
In a first aspect, an embodiment of the present invention provides a cryptographic module that is built into a CPU and isolated from the CPU compute core, the cryptographic module comprising: a secure processor, configured to receive a cryptographic service request sent by the CPU compute core, obtain an internal key and send the internal key to the cryptographic coprocessor; and a cryptographic coprocessor, configured to read the source data corresponding to the cryptographic service request from system memory, perform the cryptographic service using the internal key and the source data, and store the result to system memory; wherein the code and data of the secure processor at run time are stored in a secure memory outside the CPU, and hardware encrypts and integrity-protects the accessed contents whenever the secure processor accesses the secure memory.
Optionally, obtaining the internal key specifically comprises: the secure processor reads the internal key from a secure non-volatile memory external to the CPU, the accessed contents being encrypted and integrity-protected whenever the secure processor accesses that secure non-volatile memory.
Optionally, obtaining the internal key specifically comprises: the secure processor reads a key image from system memory, decrypts it, verifies its integrity and uses the decrypted key image as the internal key; the key image in system memory has been read from the hard disk file system in advance by the CPU compute core.
Optionally, the secure processor is further configured to: carry out internal-key management communication with the CPU compute core through a management interface; and, according to the internal-key management operation issued by the CPU compute core, either manage the internal key held in the secure non-volatile memory external to the CPU or, when the internal key image is updated, instruct the CPU compute core to write the updated internal key image to the hard disk file system.
Optionally, when the internal-key management operation is an export or import of an internal key, the secure processor is specifically configured to: combine the on-chip secret information with the password supplied for the key-management operation to generate a protection key; encrypt and integrity-protect the internal key to be exported using the protection key; or decrypt the internal key to be imported using the protection key and verify its integrity.
Optionally, the secure processor is further configured to negotiate a communication key with a user application on the CPU compute core through a service interface and establish a secure session; within the context of that secure session, the secure processor encrypts and decrypts the cryptographic service communication data exchanged with the user application on the CPU compute core using the communication key.
In a second aspect, an embodiment of the present invention provides a cryptographic operation method applied to a secure processor, the method comprising: receiving a cryptographic service request sent by a CPU compute core; obtaining an internal key; and sending the internal key to a cryptographic coprocessor to instruct the cryptographic coprocessor to read the source data corresponding to the cryptographic service request from system memory, respond to the cryptographic servi
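The first aspect, like claims 1 and 5, requires that hardware encrypt and integrity-protect the secure processor's code and data in the off-chip secure memory, and the background gives the threat that motivates it: a bus the attacker can probe. The Go program below is an added model of such a memory engine, written for this page and not taken from the patent. It treats off-chip memory as an attacker-controlled map of ciphertext lines, seals each 64-byte line with AES-256-GCM under a per-boot key, and folds the physical address and a per-line write counter into the nonce, so a line opens only at the address and write generation it was stored for; moving a valid line to another address and replaying a stale copy are both detected. The line size, the nonce construction, the in-chip counter table and the sample contents are assumptions; the patent does not describe its memory encryption scheme.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// LineSize is the encryption granularity (assumed: one 64-byte line per AEAD record).
const LineSize = 64

// SecureMemory is the off-chip memory as a bus attacker sees it: ciphertext
// lines indexed by physical address. Anything here can be read, moved or replayed.
type SecureMemory map[uint64][]byte

// MemoryEngine is the state that stays inside the CPU: a per-boot random key
// and a write counter per line. The integrity guarantee rests on this state
// being unreachable from the bus.
type MemoryEngine struct {
	aead     cipher.AEAD
	counters map[uint64]uint32
}

func NewMemoryEngine() (*MemoryEngine, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &MemoryEngine{aead: aead, counters: make(map[uint64]uint32)}, nil
}

// nonceFor builds the 12-byte GCM nonce as address || write counter. The nonce
// feeds the tag, so a line verifies only at the address and generation it was
// sealed for: a line moved elsewhere, or an older copy put back, fails to open.
func nonceFor(addr uint64, ctr uint32) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[:8], addr)
	binary.BigEndian.PutUint32(nonce[8:], ctr)
	return nonce
}

// Write encrypts one aligned line under a fresh counter value for that address.
func (e *MemoryEngine) Write(mem SecureMemory, addr uint64, plain []byte) error {
	if len(plain) != LineSize || addr%LineSize != 0 {
		return errors.New("write must be exactly one aligned line")
	}
	if e.counters[addr] == ^uint32(0) {
		return errors.New("line counter exhausted: re-key before reuse") // never repeat a nonce
	}
	e.counters[addr]++
	mem[addr] = e.aead.Seal(nil, nonceFor(addr, e.counters[addr]), plain, nil)
	return nil
}

// Read decrypts a line and fails closed on any integrity mismatch.
func (e *MemoryEngine) Read(mem SecureMemory, addr uint64) ([]byte, error) {
	ct, ok := mem[addr]
	if !ok {
		return nil, errors.New("no line at address")
	}
	plain, err := e.aead.Open(nil, nonceFor(addr, e.counters[addr]), ct, nil)
	if err != nil {
		return nil, fmt.Errorf("integrity failure at 0x%x", addr)
	}
	return plain, nil
}

func main() {
	eng, err := NewMemoryEngine()
	if err != nil {
		panic(err)
	}
	mem := SecureMemory{}
	lineA, lineB := make([]byte, LineSize), make([]byte, LineSize)
	copy(lineA, "secure processor stack frame") // constructed sample contents
	copy(lineB, "secure processor code page")
	if err := eng.Write(mem, 0x1000, lineA); err != nil {
		panic(err)
	}
	if err := eng.Write(mem, 0x1040, lineB); err != nil {
		panic(err)
	}
	stale := mem[0x1000]
	mem[0x1000] = mem[0x1040] // attacker copies a valid line to another address
	_, err = eng.Read(mem, 0x1000)
	fmt.Println("relocated line:", err)
	mem[0x1000] = stale
	if err := eng.Write(mem, 0x1000, lineB); err != nil { // legitimate update
		panic(err)
	}
	mem[0x1000] = stale // attacker replays the pre-update ciphertext
	_, err = eng.Read(mem, 0x1000)
	fmt.Println("replayed line:", err)
}
```

Two points the model makes explicit. Encryption alone would not stop a bus attacker from swapping or replaying lines, because a relocated or stale ciphertext still decrypts to valid plaintext under a location-independent scheme; the address in the nonce defeats relocation and the counter defeats replay. That counter table is itself sensitive on-chip state: if it could be rolled back from outside, replay would work again, which is why production engines keep it inside the isolation boundary (and, for large memories, compress it into an integrity tree rather than a flat table).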