CN-122020744-A - EMMc memory with encryption and decryption functions
Abstract
The invention discloses an eMMc memory with encryption and decryption functions, which comprises an eMMc control unit, a Flash storage unit and a host interface. The eMMc control unit comprises an encryption algorithm module for encrypting data during writing, a decryption algorithm module for decrypting data during reading, a key management unit for providing encryption and decryption keys, and an encryption enabling control unit for enabling or disabling the encryption operation according to a host command. Written plaintext is therefore encrypted before it is stored in the eMMc memory, so that only ciphertext resides in Flash and data leakage is prevented. Two modes are supported during reading: plaintext data is returned to achieve seamless compatibility with a general host, or ciphertext data is returned to provide stronger data protection, and an encryption key can optionally be issued at the same time, so that double protection is realized and security is further improved.
Inventors
- WANG JINXIAN
- MA YI
- XIONG WEI
Assignees
- 芯盛智能科技(湖南)有限公司
Dates
- Publication Date: 20260512
- Application Date: 20260413
Claims (10)
- 1. An eMMc memory with encryption and decryption functions, comprising an eMMc control unit and a Flash storage unit connected with the eMMc control unit, wherein the eMMc control unit is provided with a host interface for communicating with a host, characterized by further comprising: an encryption algorithm module arranged on a data writing path from the host interface to the Flash storage unit and used for encrypting the written data; a decryption algorithm module arranged on a data reading path from the Flash storage unit to the host interface and used for decrypting the read data; a key management unit for providing encryption and decryption keys for the encryption algorithm module and the decryption algorithm module; and an encryption enabling control unit connected with the command channel of the host interface and used for controlling the encryption algorithm module to enable or disable the encryption operation on corresponding written data according to a command from the host.
- 2. The eMMc memory with encryption and decryption functions according to claim 1, wherein, when the encryption enabling control unit determines according to the command that the data to be written includes a control command that is parsed internally by the eMMc control unit, it controls the encryption algorithm module to disable the encryption operation on that control command; the encryption enabling control unit comprises a command analysis subunit and an encryption strategy subunit, wherein the command analysis subunit analyzes a command from the host to identify whether the data to be written includes the control command, the encryption strategy subunit generates an encryption enabling signal according to the identification result of the command analysis subunit, and the encryption algorithm module, in response to the encryption enabling signal, selectively executes the encryption operation on the valid data in the data to be written and transmits the control command to the Flash storage unit in plaintext form.
- 3. The eMMc memory with encryption and decryption functions according to claim 1, wherein the encryption algorithm adopted by the encryption algorithm module and the decryption algorithm adopted by the decryption algorithm module are mutually reversible algorithms, so that the same secret key can encrypt and decrypt data; wherein the encryption algorithm and the decryption algorithm are configured such that, when the same secret key is adopted, ciphertext data obtained by encrypting plaintext data with the encryption algorithm is restored to the plaintext data after being decrypted with the decryption algorithm, and encrypting the same data with different secret keys yields different ciphertext results.
- 4. The eMMc memory with encryption and decryption functions according to claim 1, wherein the key management unit receives and stores a key issued by the host through the command channel; the key management unit comprises a key storage subunit and a key selection subunit, wherein the key storage subunit is used for storing at least one group of keys issued by the host, the key selection subunit is connected with the command channel and is used for selecting, from the key storage subunit, the key used for the current writing or reading operation according to a key selection command from the host, and the encryption algorithm module and the decryption algorithm module execute the corresponding encryption or decryption operation based on the key selected by the key selection subunit.
- 5. The eMMc memory with encryption and decryption functions according to claim 1, wherein the key management unit automatically generates and manages the encryption and decryption keys inside the eMMc memory; the key management unit comprises a key generation subunit and a key life cycle management subunit, wherein the key generation subunit is used for automatically generating the encryption and decryption key when the eMMc memory is powered on and initialized or when an internal trigger instruction is received, and the key life cycle management subunit is used for updating, invalidating and destroying the automatically generated keys, so that data written in different batches and data in different logic address ranges are encrypted with different keys.
- 6. The eMMc memory with encryption and decryption functions according to claim 1 or 5, wherein the eMMc control unit further includes a decryption enable control unit for controlling the decryption algorithm module to selectively output either decrypted plaintext data or ciphertext data read directly from the Flash storage unit, according to a configuration or a host command; the decryption algorithm module is configured to bypass the decryption operation and output the ciphertext data stored in the Flash storage unit directly to the host interface when the decryption enable control unit determines, according to a preset register configuration value from the host, that ciphertext data is to be output, and is configured to execute the decryption operation on the ciphertext data read from the Flash storage unit and then output the resulting data to the host interface when the decryption enable control unit determines that plaintext data is to be output.
- 7. The eMMc memory with encryption and decryption functions according to claim 6, wherein the key management unit automatically generates a key, the decryption enable control unit is configured to control the decryption algorithm module to output decrypted plaintext data by default, and in the default plaintext output mode all data transmitted between the host interface and the host is in plaintext form; the encryption algorithm module automatically encrypts plaintext data sent by the host on the writing path and stores the encrypted data in the Flash storage unit, and the decryption algorithm module automatically decrypts ciphertext data read from the Flash storage unit on the reading path, restores it to plaintext data and transmits the plaintext data to the host, so that the memory is compatible with a standard eMMc protocol host.
- 8. The eMMc memory with encryption and decryption functions according to claim 6, wherein the eMMc control unit further includes a key encryption module, and the decryption enable control unit is further configured to: when the decryption algorithm module is controlled to output ciphertext data, trigger the key encryption module to encrypt the encryption and decryption key currently in use, and send the encrypted key to the host through the host interface; the key encryption module adopts an encryption algorithm independent of the encryption algorithm module and is used for encrypting the encryption and decryption key provided by the key management unit; the decryption enable control unit generates a key enabling signal when it receives an output-ciphertext-data command from the host, the key encryption module, in response to the key enabling signal, encrypts the encryption and decryption key currently in use, and the encrypted key is returned to the host through the command channel or the data channel, so that the host obtains the original key for decrypting the ciphertext data by decrypting the encrypted key.
- 9. The eMMc memory with encryption and decryption functions according to claim 2, wherein the command is a packet command in the eMMc protocol, the data to be written includes a PACKED HEADER and valid data, and the encryption enabling control unit is configured to disable the encryption operation for the PACKED HEADER and enable the encryption operation for the valid data; the encryption enabling control unit is configured to parse the command type in the packet command; when it recognizes that a packet write operation is currently being performed, to detect the data stream transmitted in the data channel, leave the fixed-length PACKED HEADER part unencrypted, and encrypt the valid data part corresponding to the data length indicated in the PACKED HEADER; and when it recognizes that a packet read operation is currently being performed, to disable the encryption operation for the PACKED HEADER sent through the data channel, so as to ensure that the eMMc control unit can correctly parse the control information in the PACKED HEADER.
- 10. The eMMc memory with encryption and decryption functions according to claim 2, wherein the encryption enabling control unit is further configured to: determine the storage area attribute corresponding to the data to be written according to the address information or logic block address range carried in the command, wherein the storage area attribute is either an encryption protection area or a plaintext area; when the storage area attribute is marked as an encryption protection area, forcibly enable the encryption algorithm module to encrypt the written data, and store the encrypted data in the corresponding encryption storage partition in the Flash storage unit; when the storage area attribute is marked as a plaintext area, forcibly disable the encryption operation of the encryption algorithm module on the written data, and store the written data directly in plaintext form in the corresponding plaintext storage partition in the Flash storage unit; and the encryption enabling control unit is further used for reading a partition configuration table from the Flash storage unit when the eMMc memory is powered on and initialized, wherein the partition configuration table defines the storage area attributes corresponding to different logic address ranges, so that the storage space is managed with per-area encryption.
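The write-path behaviour of claims 9 and 10, sketched as an added C model that is not part of the patent text: the PACKED HEADER stays in plaintext, only the payload length declared in the header is encrypted, and the partition configuration table decides per LBA whether encryption applies. The header length, the offset of the length field, the table contents, the single-LBA lookup, the fail-closed default for unmapped LBAs and the XOR transform (a stand-in, since the patent names no cipher) are all assumptions.

```c
#include <stdint.h>
#include <string.h>

#define HDR_LEN 512u /* assumed fixed PACKED HEADER length */
#define BLK 512u     /* block size */
#define LEN_OFF 4u   /* hypothetical offset of the payload block count */

typedef enum { REGION_PLAIN, REGION_ENCRYPTED } region_attr;
typedef struct { uint32_t first, last; region_attr attr; } region_entry;

/* Constructed partition configuration table: LBA range -> attribute. */
static const region_entry cfg_table[] = {
    { 0, 1023, REGION_PLAIN }, { 1024, 8191, REGION_ENCRYPTED },
};

/* Stand-in reversible transform; the page names no cipher. Not secure. */
static void xform(uint8_t *p, size_t n, const uint8_t key[16]) {
    for (size_t i = 0; i < n; i++) p[i] ^= key[i % 16];
}

/* Unmapped LBAs are treated as protected (assumed fail-closed default). */
region_attr region_lookup(uint32_t lba) {
    for (size_t i = 0; i < sizeof cfg_table / sizeof cfg_table[0]; i++)
        if (lba >= cfg_table[i].first && lba <= cfg_table[i].last)
            return cfg_table[i].attr;
    return REGION_ENCRYPTED;
}

/* Write path. Returns bytes encrypted in place, or -1 if the header's
 * length field does not fit the data actually transferred. */
long write_path(uint8_t *buf, size_t len, uint32_t lba, int packed,
                const uint8_t key[16]) {
    size_t off = 0, n = len;
    if (packed) {
        uint32_t blocks;
        if (len < HDR_LEN) return -1;
        memcpy(&blocks, buf + LEN_OFF, sizeof blocks);
        if (blocks > (len - HDR_LEN) / BLK) return -1; /* host-supplied length */
        off = HDR_LEN;
        n = (size_t)blocks * BLK;
    }
    if (region_lookup(lba) == REGION_PLAIN) return 0; /* stored as plaintext */
    xform(buf + off, n, key); /* header bytes before `off` stay untouched */
    return (long)n;
}

int main(void) { /* constructed transfer: header + 2 payload blocks */
    static uint8_t buf[HDR_LEN + 2 * BLK];
    const uint8_t key[16] = { 0x5c }; uint32_t blocks = 2;
    memcpy(buf + LEN_OFF, &blocks, sizeof blocks);
    return write_path(buf, sizeof buf, 2000, 1, key) == 2 * BLK ? 0 : 1;
}
```

The length check is the part a reviewer of such a controller would look at first, because the header is host-controlled data that the controller itself parses.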
Description
EMMc memory with encryption and decryption functions
Technical Field
The invention relates to the technical field of encryption, in particular to an eMMc memory with encryption and decryption functions.
Background
In some special scenarios, data must be written as plaintext and read as ciphertext, so that replacing the host does not leak the data. However, as the digitization of information progresses, information security faces more and more threats, and eMMc storage also carries a risk of information leakage. For example, when some eMMc storage devices are scrapped or replaced, the device has to be disassembled and the eMMc chip punched and destroyed to ensure that the information is not leaked. If the eMMc memory is not completely destroyed, the data can still be read from the NAND FLASH in the eMMc memory, resulting in data leakage.
In the prior art, some solutions adopt a hardware encryption device that physically separates the encryption and decryption module from the storage module, and perform key pairing through an external management module to control the on-off state of the data link. However, such schemes require additional hardware modules and complex out-of-band interaction procedures, which increases system cost and design complexity, and they are not well suited to embedded eMMc storage scenarios, which place extremely strict requirements on volume, cost, and compatibility. In addition, such a scheme cannot achieve refined, selective encryption of data streams that follow the eMMc protocol based on command content.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides an eMMc memory with encryption and decryption functions: after a host writes plaintext data into the eMMc, the eMMc memory internally converts the plaintext into ciphertext and then stores the ciphertext data in NAND FLASH, so that the data is protected because even data read directly out of NAND FLASH is still encrypted.
The aim of the invention is realized by the following technical scheme:
The application discloses an eMMc memory with encryption and decryption functions, which comprises an eMMc control unit and a Flash storage unit connected with the eMMc control unit, wherein the eMMc control unit is provided with a host interface for communicating with a host, and is characterized by further comprising an encryption algorithm module, a decryption algorithm module, a key management unit and an encryption enabling control unit, wherein the encryption algorithm module is arranged on a data writing path from the host interface to the Flash storage unit and used for encrypting written data, the decryption algorithm module is arranged on a data reading path from the Flash storage unit to the host interface and used for decrypting read data, the key management unit is used for providing encryption and decryption keys for the encryption algorithm module and the decryption algorithm module, and the encryption enabling control unit is connected with a command channel of the host interface and used for controlling the encryption algorithm module to enable or disable the encryption operation on corresponding written data according to commands from the host.
Further, when the encryption enabling control unit determines according to the command that the data to be written includes a control command that is parsed inside the eMMc control unit, it controls the encryption algorithm module to disable the encryption operation on that control command; the encryption enabling control unit comprises a command analysis subunit and an encryption strategy subunit, wherein the command analysis subunit analyzes the command from the host to identify whether the data to be written includes the control command, the encryption strategy subunit generates an encryption enabling signal according to the identification result of the command analysis subunit, and the encryption algorithm module selectively executes the encryption operation on the valid data in the data to be written according to the encryption enabling signal and transmits the control command to the Flash storage unit in plaintext form.
Further, the encryption algorithm adopted by the encryption algorithm module and the decryption algorithm adopted by the decryption algorithm module are mutually reversible algorithms, so that the same secret key can encrypt and decrypt data, wherein the encryption algorithm and the decryption algorithm are configured such that, when the same secret key is adopted, ciphertext data obtained by encrypting plaintext data with the encryption algorithm is restored to the plaintext data after being decrypted with the decryption algorithm, and encrypting the same data with different secret keys yields different ciphertext results.
The key management unit is used for receiving and storing keys issued by a host through the command channel, the key management unit comprises a key storage subun