CN-122020681-A - Singlechip TEE system based on external TPCM and measurement method and device thereof
Abstract
The application discloses a singlechip TEE system based on an external TPCM, and a measurement method and device thereof. The method comprises the steps of: sending a measurement instruction to a TEE measurement agent of a trusted execution environment (TEE) through an interrupt pin; measuring the content to be measured, by the TEE measurement agent executing the trusted-measurement logic code, to obtain a measurement result; acquiring the measurement result of the TEE measurement agent through a bus pin; verifying the measurement result against the expected result stored by the TEE measurement agent or a result allowed by the policy; and executing the corresponding security policy according to the verification result. The application solves the technical problem of the low security of MCUs in the related art.
Inventors
- Duan Guna
- TIAN JIANSHENG
- SHEN JUNWEI
- LIU DAN
- XUAN YANJIE
Assignees
- 北京可信华泰技术服务有限公司
- 北京可信华泰信息技术有限公司
Dates
- Publication Date: 20260512
- Application Date: 20251225
Claims (10)
- 1. A singlechip TEE system based on an external TPCM, characterized in that it comprises: a singlechip provided with a trusted execution environment (TEE), the TEE being provided with logic code for trusted measurement; and an external TPCM connected to the pins of the singlechip, which controls the TEE to run the trusted-measurement logic code through a TEE measurement agent of the TEE and processes the measurement result of the TEE.
- 2. The system of claim 1, wherein the singlechip has an interrupt pin and a bus pin, the external TPCM is connected to the interrupt pin and the bus pin respectively, the external TPCM triggers the TEE to run the trusted-measurement logic code through the interrupt pin, and exchanges information with the TEE through the bus pin.
- 3. The system of claim 2, wherein the external TPCM comprises: a storage module for storing the root key, the policy file, the measurement result and the verification report, the storage module being resistant to physical attack; a cryptographic module for performing cryptographic operations using a cryptographic coprocessor; a policy module for storing and executing the security policy; a judging module for verifying the measurement result of the TEE; a control module for executing the corresponding security policy according to the verification result; an interrupt controller for managing the interrupt signals sent to the TEE through the interrupt pin; an interface controller for managing the communication protocol of the bus pin; clock and power management for managing the clock and power of the chip; and a processor for executing the firmware and processing related tasks.
- 4. The system of claim 2, wherein the singlechip further has a rich execution environment (REE), and the external TPCM comprises: a communication and interface module for communicating with the outside as the single controlled channel; a measurement module serving as the engine that performs the measurement calculations; a memory access module for accessing the memories of the REE and the TEE; and a security support module for ensuring the confidentiality and integrity of communication with the external TPCM and for storing the session key issued by the external TPCM for the current session, so that the content of the current session is encrypted and signed with that session key.
- 5. A measurement method for a singlechip TEE system based on an external TPCM, characterized in that it is applied to the external TPCM and comprises: sending a measurement instruction through an interrupt pin to a TEE measurement agent of a trusted execution environment (TEE), wherein the TEE measurement agent measures the content to be measured by executing the trusted-measurement logic code to obtain a measurement result, and the TEE is located in a singlechip; acquiring the measurement result of the TEE measurement agent through a bus pin; verifying the measurement result against the expected result stored by the external TPCM itself or a result allowed by the policy; and executing the corresponding security policy according to the verification result.
- 6. The method of claim 5, wherein sending the measurement instruction to the TEE measurement agent of the TEE through the interrupt pin comprises: the external TPCM triggering dynamic measurement as needed and sending the measurement instruction to the TEE measurement agent according to the following measurement policies: an event-triggered measurement policy, in which the external TPCM triggers measurement when a specific security-sensitive event occurs; a random-sampling measurement policy, in which a true random number generator in the external TPCM generates a random delay and, when the delay expires, an interrupt is raised to perform the measurement; and a differential measurement policy, in which, once a trusted state of all memory regions has been obtained, only the memory regions that have changed are measured.
- 7. A measurement method for a singlechip TEE system based on an external TPCM, characterized in that it is applied to the TEE measurement agent of a trusted execution environment (TEE) and comprises: receiving a measurement instruction sent by the external TPCM through an interrupt pin; obtaining the content to be measured and executing the trusted-measurement logic code to measure it and obtain a measurement result; and sending the measurement result to the external TPCM through a bus pin, wherein the external TPCM verifies the measurement result against the expected result stored by the external TPCM or a result allowed by the policy, and executes the security policy corresponding to the verification result.
- 8. A measurement device for a singlechip TEE system based on an external TPCM, characterized in that it is applied to the external TPCM and comprises: a sending unit for sending a measurement instruction through an interrupt pin to a TEE measurement agent of a trusted execution environment (TEE), wherein the TEE measurement agent measures the content to be measured by executing the trusted-measurement logic code to obtain a measurement result, and the TEE is located in a singlechip; an obtaining unit for obtaining the measurement result of the TEE measurement agent through a bus pin; a verification unit for verifying the measurement result against the expected result stored by the verification unit itself or a result allowed by the policy; and an execution unit for executing the corresponding security policy according to the verification result.
- 9. A measurement device for a singlechip TEE system based on an external TPCM, characterized in that it is applied to the TEE measurement agent of a trusted execution environment (TEE) and comprises: a receiving unit for receiving the measurement instruction sent by the external TPCM through the interrupt pin; a measurement unit for obtaining the content to be measured and executing the trusted-measurement logic code to measure it and obtain a measurement result; and a transmission unit for transmitting the measurement result to the external TPCM through the bus pin, wherein the external TPCM verifies the measurement result against the expected result stored by the external TPCM or a result allowed by the policy, and executes the security policy corresponding to the verification result.
- 10. A computer-readable storage medium, characterized in that the storage medium comprises a stored program which, when run, performs the method of any of claims 5 to 7.
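As an added example (not code from the patent or its assignees), the measure/verify/act loop of claims 5 to 7 and the differential measurement policy of claim 6 simulated in C. Assumptions: the singlechip memory is three constructed 16-byte regions, the interrupt and bus pins are represented by plain function calls, the digest is an FNV-1a placeholder standing in for the cryptographic coprocessor's hash, and the policy (region 0 is critical) is constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-in for the singlechip memory the TEE agent measures: 3 regions of 16 bytes. */
#define NREG 3
#define REGLEN 16
uint8_t g_mem[NREG][REGLEN];
/* Stand-in digest (FNV-1a 64-bit) for the hash the cryptographic coprocessor would compute; a placeholder, not a secure hash. */
uint64_t digest(const uint8_t *p, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}
/* Measurement result sent back over the bus pin: one digest per region plus which regions were measured. */
typedef struct { uint64_t h[NREG]; uint32_t mask; } measurement_t;
/* TEE measurement agent, run on the TPCM's interrupt: measure only the regions in 'mask'
   (differential strategy: mask = regions that changed; full measurement: mask = all regions). */
measurement_t tee_agent_measure(uint32_t mask) {
    measurement_t m = { {0}, mask };
    for (int i = 0; i < NREG; i++)
        if (mask & (1u << i)) m.h[i] = digest(g_mem[i], REGLEN);
    return m;
}
/* External TPCM state: the stored expected result per region and, per region, a result the
   policy file also allows (for example an approved update image); 0 = nothing else allowed. */
typedef struct { uint64_t expected[NREG]; uint64_t policy_allowed[NREG]; } tpcm_state_t;
/* TPCM judging module: returns a bitmask of measured regions whose digest matched neither the
   expected result nor the policy-allowed result. A policy-allowed match becomes the new expected result. */
uint32_t tpcm_verify(tpcm_state_t *s, const measurement_t *m) {
    uint32_t failed = 0;
    for (int i = 0; i < NREG; i++) {
        if (!(m->mask & (1u << i))) continue;    /* region not measured this round */
        if (m->h[i] == s->expected[i]) continue; /* matches stored expected result */
        if (m->h[i] == s->policy_allowed[i]) { s->expected[i] = m->h[i]; continue; }
        failed |= 1u << i;
    }
    return failed;
}
/* TPCM control module: map the verification result to a security-policy action. Constructed policy:
   region 0 stands for the TEE code itself, so any mismatch there locks the MCU down. */
enum action { ACT_PASS = 0, ACT_ALERT = 1, ACT_LOCKDOWN = 2 };
enum action tpcm_apply_policy(uint32_t failed) {
    if (failed == 0) return ACT_PASS;
    if (failed & 1u) return ACT_LOCKDOWN;
    return ACT_ALERT;
}
```

The differential round measures only the region flagged as changed, so the TPCM still catches a modification there while skipping the unchanged regions.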
Description
Singlechip TEE system based on external TPCM and measurement method and device thereof
Technical Field
The application relates to the field of computer security, in particular to a singlechip TEE system based on an external TPCM, and a measurement method and measurement device thereof.
Background
This section is intended to provide a background or context for the matter recited in the claims or specification; its inclusion here is not an admission that it is prior art. A single-chip microcomputer (singlechip) system is a highly integrated microcomputer system in which the basic components of a computer are integrated on one chip; its core is the single-chip microcomputer chip. As a core component of embedded systems, the singlechip has become key to the intelligence and automation of modern electronic products thanks to its miniaturization, high reliability, low cost and excellent control capability, and is widely used in industrial control, household appliances, automotive electronics and other fields. The existing secure-MCU scheme is low in cost and low in security. No effective solution to this problem has been proposed so far.
Disclosure of Invention
The embodiment of the application provides a singlechip TEE system based on an external TPCM, and a measurement method and measurement device thereof, which at least solve the technical problem of the low security of MCUs in the related art.
According to one aspect of the embodiment of the application, a singlechip TEE system based on an external TPCM is provided, comprising a singlechip and an external TPCM, wherein the singlechip is provided with a trusted execution environment (TEE), the TEE is provided with trusted-measurement logic code, the external TPCM is connected to pins of the singlechip, and the external TPCM controls the TEE to run the trusted-measurement logic code through a TEE measurement agent of the TEE and processes the measurement results of the TEE.
Optionally, the singlechip is provided with an interrupt pin and a bus pin, the external TPCM is connected to the interrupt pin and the bus pin respectively, the external TPCM triggers the TEE to run the trusted-measurement logic code through the interrupt pin, and exchanges information with the TEE through the bus pin.
Optionally, the external TPCM includes: a storage module configured to store a root key, a policy file, a measurement result and a verification report, the storage module being resistant to physical attack; a cryptographic module configured to perform cryptographic operations using a cryptographic coprocessor; a policy module configured to store and execute a security policy; an arbitration module configured to verify the measurement result of the TEE; a control module configured to execute the corresponding security policy according to the verification result; an interrupt controller configured to manage the interrupt signal sent to the TEE through the interrupt pin; an interface controller configured to manage the communication protocol of the bus pin; clock and power management of the chip; and a processor configured to execute firmware and process related tasks.
Optionally, the singlechip is further provided with a rich execution environment (REE), and the external TPCM comprises a communication and interface module, a measurement module, a memory access module and a security support module, wherein the communication and interface module communicates with the outside as the single controlled channel, the measurement module serves as the engine that performs the measurement calculations, the memory access module accesses the memories of the REE and the TEE, and the security support module ensures the confidentiality and integrity of communication with the external TPCM and stores the session key issued by the external TPCM for the current session, so that the content of the current session is encrypted and signed with that session key.
According to another aspect of the embodiment of the application, a measurement method for a singlechip TEE system based on an external TPCM is provided, which comprises the steps of sending a measurement instruction to a TEE measurement agent of a trusted execution environment (TEE) through an interrupt pin, wherein the TEE measurement agent executes the trusted-measurement logic code to measure content and obtain a measurement result, the trusted execution envir