CN-122020745-A - Secure operating system based on a secure solid state disk and a TEE
Abstract
The invention discloses a secure operating system based on a secure solid state disk (SSD) and a trusted execution environment (TEE), in the technical field of secure storage. The system comprises a rich execution environment (REE) and a TEE connected through a trusted channel. The hardware layer of the TEE comprises the secure SSD, which consists of a main control chip, a dedicated secure storage area and a conventional storage area: the main control chip encrypts and decrypts data and provides the highest-level key storage and operating environment; the dedicated secure storage area holds sensitive and highly confidential data; and the conventional storage area holds general system file data and records the state information of data read operations. Protection is achieved with a TEE plus secure SSD architecture in which the secure SSD replaces hardware such as a traditional TPCM or TCM chip; by giving the TEE underlying data security and key security support through the secure SSD, rollback attacks are defended against.
Inventors
- ZENG WEI
- YANG WANYUN
- MA YI
- XIONG WEI
Assignees
- 芯盛智能科技(湖南)有限公司
Dates
- Publication Date
- 20260512
- Application Date
- 20260413
Claims (7)
- 1. A secure operating system based on a secure solid state disk (SSD) and a trusted execution environment (TEE), characterized in that it comprises a rich execution environment (REE) and a TEE connected through a trusted channel, wherein: the application layer of the TEE comprises a trusted application, which receives trusted service requests and stores the processing result data of those requests; the system layer of the TEE comprises the secure operating system and hardware management, the secure operating system processing trusted service requests, scheduling trusted services, managing the authority of trusted services and managing their processing results; the hardware layer of the TEE comprises the secure SSD, which comprises a main control chip, a dedicated secure storage area and a conventional storage area, the main control chip performing data encryption and decryption and providing the highest-level key storage and operating environment, the dedicated secure storage area holding sensitive and highly confidential data, and the conventional storage area holding general system file data and recording the state information of data read operations; and the interface layer of the TEE implements the interaction between the TEE and its hardware layer.
- 2. The secure operating system according to claim 1, characterized in that the secure SSD encrypts and decrypts data as follows: when the secure SSD is powered on for the first time, its main control chip randomly generates a data encryption key; in the TEE, the secure operating system performs write and read operations on the related I/O data according to the trusted service request; and the main control chip of the secure SSD uses the data encryption key to automatically encrypt and decrypt the I/O data, the encryption and decryption operations comprising both symmetric and asymmetric encryption and decryption.
- 3. The secure operating system according to claim 1, characterized in that the secure SSD provides a dedicated secure storage area for the TEE; the dedicated secure storage area holds sensitive and highly confidential data, comprising user passwords, program security configuration information and state backup information of system security data; the dedicated secure storage area is invisible to the outside; and the TEE reads and writes the dedicated secure storage area of the secure SSD through a trusted hard disk API interface.
- 4. The secure operating system according to claim 3, wherein the TEE reads and writes the dedicated secure storage area of the secure SSD through the trusted hard disk API interface by the following sub-steps: (1) the trusted service initiates a Get or Set request carrying authority authentication information; (2) the TEE initiates a session start request to the secure SSD through the hard disk API of the secure SSD SDK, the session start request carrying the authority authentication information; (3) the secure SSD authenticates using the received authentication information and, after authentication passes, generates a session ID; (4) the secure SSD requests session synchronization from the TEE based on the generated session ID; (5) the TEE gets or sets an object value in the dedicated secure storage area by sending the session ID and an LBA, the LBA being the location in the dedicated secure storage area to be operated on; (6) the secure SSD completes the Get or Set operation; (7) the secure SSD returns the state and data of the completed operation to the TEE; (8) within the validity period of the same session, the TEE performs read and write operations on the dedicated secure storage area several times, and sends a session end request to the secure SSD after the operations are complete; and (9) after receiving the session end request command, the secure SSD closes the current session and returns the state to the TEE.
- 5. The secure operating system according to claim 1, wherein a user program in the REE, after completing identity authentication and authorization through the trusted channel provided by the TEE, accesses the dedicated secure storage area indirectly through a TEE agent.
- 6. The secure operating system according to claim 1, wherein the TEE writes a file to the conventional storage area of the secure SSD by the following steps: the TEE receives the file to be written through a read-write interface; if the file is a high-security file, a hash operation is performed on the file, a state information ID of the data is generated from the hash value, the owner ID and the write time, and the file name and the state information ID are written both into the dedicated secure storage area and into TEE memory; the file is then written to the conventional storage area of the secure SSD.
- 7. The secure operating system according to claim 1, wherein the TEE reads a file from the conventional storage area of the secure SSD by the following steps: the TEE reads the file through the read-write interface; it is determined whether the file to be read is a high-security file, and if so, the state information IDs held in TEE memory and in the dedicated secure storage area are compared; if they are inconsistent, this indicates that the read operation did not originate from the TEE or that a replay or rollback tool is present, and failure is returned; if the state information IDs are consistent, the file is read from the secure SSD, a new state information ID is generated from the hash value of the file, the owner ID and the read time, and the latest state information ID is updated both in TEE memory and in the dedicated secure storage area.
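The session-based Get/Set exchange of claim 4, modelled with both sides in code. This is an added example and not the patent's own SDK or firmware: the message names, the HMAC-based "authority authentication information", the LBA slot layout of the dedicated secure area and the session time-to-live are all assumptions made for illustration.

```python
# Added example (not the patent's code): model of the claim-4 exchange between
# a TEE and the secure SSD's dedicated secure storage area. Message names, the
# HMAC-based authority authentication and the LBA slot layout are assumptions.
import hashlib
import hmac
import secrets
import time


def make_auth_tag(auth_key: bytes, nonce: bytes) -> bytes:
    """Authority authentication information carried in the session start request
    (assumed construction: HMAC-SHA256 over a fixed label and a fresh nonce)."""
    return hmac.new(auth_key, b"session-start" + nonce, hashlib.sha256).digest()


class SecureSSD:
    """Simulated secure SSD. The dedicated secure storage area is a small array
    of LBA-addressed slots that can only be touched through an open session."""

    def __init__(self, auth_key: bytes, slots: int = 8, session_ttl: float = 60.0):
        self._auth_key = auth_key            # provisioned shared secret (assumption)
        self._secure_area = [b""] * slots    # dedicated secure area, invisible outside
        self._sessions = {}                  # session ID -> expiry (monotonic seconds)
        self._ttl = session_ttl

    # sub-steps 2-4: authenticate the start request and hand back a session ID
    def start_session(self, nonce: bytes, auth_tag: bytes) -> dict:
        if not hmac.compare_digest(make_auth_tag(self._auth_key, nonce), auth_tag):
            return {"status": "AUTH_FAILED"}
        sid = secrets.token_hex(8)
        self._sessions[sid] = time.monotonic() + self._ttl
        # "session synchronization": the TEE must echo this ID on every later request
        return {"status": "OK", "session_id": sid}

    def _check(self, sid: str, lba: int):
        expiry = self._sessions.get(sid)
        if expiry is None:
            return "NO_SESSION"
        if time.monotonic() > expiry:
            del self._sessions[sid]
            return "SESSION_EXPIRED"
        if not 0 <= lba < len(self._secure_area):
            return "BAD_LBA"
        return None

    # sub-steps 5-7: Get/Set an object value at an LBA, returning state and data
    def get(self, sid: str, lba: int) -> dict:
        err = self._check(sid, lba)
        if err:
            return {"status": err}
        return {"status": "OK", "data": self._secure_area[lba]}

    def set(self, sid: str, lba: int, value: bytes) -> dict:
        err = self._check(sid, lba)
        if err:
            return {"status": err}
        self._secure_area[lba] = bytes(value)
        return {"status": "OK"}

    # sub-step 9: close the session so its ID can no longer be used
    def end_session(self, sid: str) -> dict:
        if self._sessions.pop(sid, None) is None:
            return {"status": "NO_SESSION"}
        return {"status": "OK"}


def tee_batch(disk: SecureSSD, auth_key: bytes, ops) -> list:
    """TEE side (the 'trusted hard disk API'): open one session, run several
    Get/Set requests inside its validity period (sub-step 8), then close it.
    ops is a list of ("get", lba) or ("set", lba, value) tuples. Returns every
    response in order, the session-end response last."""
    nonce = secrets.token_bytes(16)
    opened = disk.start_session(nonce, make_auth_tag(auth_key, nonce))
    if opened["status"] != "OK":
        return [opened]                      # authentication failed: nothing else is sent
    sid = opened["session_id"]
    responses = []
    for op in ops:
        if op[0] == "set":
            responses.append(disk.set(sid, op[1], op[2]))
        else:
            responses.append(disk.get(sid, op[1]))
    responses.append(disk.end_session(sid))
    return responses


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    disk = SecureSSD(key)
    print(tee_batch(disk, key, [("set", 0, b"user-pw-record"), ("get", 0)]))
    print(tee_batch(disk, b"wrong-key", [("get", 0)]))   # AUTH_FAILED, no session opened
    print(disk.get("0123456789abcdef", 0))               # NO_SESSION: unknown or closed ID
```

Two points worth checking against any real implementation of this exchange: every Get/Set must be rejected unless it carries a session ID that is both known and unexpired, and the session-end request must invalidate the ID rather than merely mark it idle. The authentication message here is also replayable, since the TEE chooses the nonce; a device that issues the nonce itself as a challenge before the start request closes that gap.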
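The write and read procedures of claims 6 and 7 for high-security files, carried through against a simulated secure SSD so that a rollback can be tried and seen to fail. This is an added example, not the patent's code: the record layout and the SHA-256 construction of the state information ID from hash, owner ID and time are assumptions. One check goes beyond the claim text and is marked as such in the code: on read, the fresh hash of the file body is also compared with the hash recorded in the state record, so that a rollback of the conventional area alone (which leaves the two state information IDs consistent) is caught as well.

```python
# Added example (not the patent's code): write/read state tracking of claims 6
# and 7 for high-security files. Record layout and the state-ID construction
# are assumptions; the content-hash check on read is an addition to the claims.
import hashlib
import time


def state_id(file_hash: bytes, owner_id: str, timestamp: int) -> str:
    """State information ID from the three inputs named in claims 6/7: file
    hash, owner ID and write/read time (SHA-256 construction assumed)."""
    material = file_hash + owner_id.encode() + timestamp.to_bytes(8, "big")
    return hashlib.sha256(material).hexdigest()


class SecureSSD:
    """Simulated secure SSD: a conventional area for file bodies and a dedicated
    secure area for state records. The disk's transparent encryption (claim 2)
    is not modelled here."""

    def __init__(self):
        self.conventional = {}   # file name -> bytes
        self.special = {}        # file name -> {"sid", "hash", "owner"}


class TeeFileStore:
    """TEE side: keeps its own in-memory copy of every state record and refuses
    reads whose two records disagree."""

    def __init__(self, disk: SecureSSD):
        self.disk = disk
        self.memory = {}               # TEE memory copy of state records
        self.high_security = set()     # names the policy marks as high-security

    def write(self, name: str, data: bytes, owner: str, high_security=False, now=None):
        ts = int(time.time() if now is None else now)
        if high_security:
            h = hashlib.sha256(data).digest()
            record = {"sid": state_id(h, owner, ts), "hash": h.hex(), "owner": owner}
            self.disk.special[name] = dict(record)    # claim 6: dedicated secure area
            self.memory[name] = dict(record)          # claim 6: TEE memory
            self.high_security.add(name)
        self.disk.conventional[name] = bytes(data)    # then the file body itself

    def read(self, name: str, now=None) -> dict:
        if name not in self.high_security:
            return {"ok": True, "data": self.disk.conventional.get(name)}
        mem = self.memory.get(name)
        rec = self.disk.special.get(name)
        if mem is None or rec is None or mem["sid"] != rec["sid"]:
            # claim 7: records disagree -> read not from the TEE, or a replay/rollback tool
            return {"ok": False, "reason": "state_id_mismatch"}
        data = self.disk.conventional.get(name)
        if data is None:
            return {"ok": False, "reason": "missing_file"}
        h = hashlib.sha256(data).digest()
        if h.hex() != mem["hash"]:
            # added check: the body in the conventional area was rolled back or altered
            return {"ok": False, "reason": "content_hash_mismatch"}
        ts = int(time.time() if now is None else now)
        fresh = {"sid": state_id(h, mem["owner"], ts), "hash": h.hex(), "owner": mem["owner"]}
        self.memory[name] = dict(fresh)                # claim 7: refresh both copies
        self.disk.special[name] = dict(fresh)
        return {"ok": True, "data": data}


if __name__ == "__main__":
    disk = SecureSSD()
    tee = TeeFileStore(disk)
    tee.write("policy.cfg", b"allow=admin", "app-1", high_security=True, now=1000)
    old_special = {k: dict(v) for k, v in disk.special.items()}   # constructed snapshot
    tee.write("policy.cfg", b"allow=nobody", "app-1", high_security=True, now=1001)
    disk.special = old_special                                    # roll the secure area back
    print(tee.read("policy.cfg", now=1002))   # ok=False, reason=state_id_mismatch
```

Because the read time enters the state information ID, every successful read rotates both records, so a snapshot of the dedicated secure area taken at any earlier point no longer matches TEE memory. The scheme as claimed depends on the TEE memory copy surviving: after a reboot that copy must be re-established from an authenticated source, otherwise there is nothing to compare the disk record against.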
Description
Secure operating system based on a secure solid state disk and a TEE
Technical Field
The invention relates to the technical field of secure storage, and in particular to a secure operating system based on a secure solid state disk (SSD) and a trusted execution environment (TEE).
Background
In the field of security devices, a common solution is to use a TEE (trusted execution environment) together with an REE (rich execution environment) to secure the operation of hosts and systems. The REE is a general-purpose, open execution environment that mainly runs the user operating system and functional software; the TEE is a secure, isolated trusted execution environment that mainly executes security-critical operations such as identity authentication and data encryption and decryption. The two environments are isolated from each other: the REE can initiate a security service request to the TEE through a specific interface, and the TEE receives and executes the request and returns the result. A TEE has a significant performance advantage over pure software cryptographic schemes (e.g., secure multi-party computation, homomorphic encryption), with much lower computational overhead. However, the implementation of a TEE depends on the underlying hardware, which differs between manufacturers and may contain vulnerabilities, and existing solutions have the following disadvantages:
(1) Insufficient protection of underlying data. The operating system and files running in the TEE environment are stored on disk; if encryption and decryption of the accessed data are not performed by the hard disk, plaintext and sensitive data may be written directly to the hard disk, with the risk of data theft. If software is used to encrypt and decrypt the data instead, read and write speed is slow and the encryption key is at risk of exposure in memory while it is being used.
(2) No dedicated secure data storage area. A TEE needs a separate, dedicated secure storage area for sensitive data; without one, the plaintext or ciphertext of that data is likely to be visible externally, with the risk of targeted cracking or corruption.
(3) System security operations are not rollback-proof. Each time system data is accessed, the TEE can only encrypt on write, decrypt on read and record the state of the data, so there is a risk that ciphertext is intercepted and subjected to a rollback attack.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a secure operating system based on a secure SSD and a TEE that ensures the security of the underlying hardware and data. The aim of the invention is achieved by the following technical scheme:
The secure operating system based on a secure SSD and a TEE comprises a rich execution environment (REE) and a TEE connected through a trusted channel, wherein: the application layer of the TEE comprises a trusted application, which receives trusted service requests and stores the processing result data of those requests; the system layer of the TEE comprises the secure operating system and hardware management, the secure operating system processing trusted service requests, scheduling trusted services, managing the authority of trusted services and managing their processing results; the hardware layer of the TEE comprises the secure SSD, which comprises a main control chip, a dedicated secure storage area and a conventional storage area, the main control chip performing data encryption and decryption and providing the highest-level key storage and operating environment, the dedicated secure storage area holding sensitive and highly confidential data, and the conventional storage area holding general system file data and recording the state information of data read operations; and the interface layer of the TEE implements the interaction between the TEE and its hardware layer.
Further, the secure SSD encrypts and decrypts data as follows: when the secure SSD is powered on for the first time, its main control chip randomly generates a data encryption key; in the TEE, the secure operating system performs write and read operations on the related I/O data according to the trusted service request; the main control chip of the secure SSD uses the data encryption key to automatically encrypt and decr