CN103258172A - Off-chip Nor Flash bus interface hardware encryption device - Google Patents

The invention relates to an off-chip Nor Flash bus interface hardware encryption device which comprises an EMI (external memory interface), a data reading decryption passage, a data reading bypass passage, a data writing passage and an AES (advanced encryption standard) encryption engine, wherein the EMI is used for CPU (central processing unit) extensible external memories, the three passages connects the EMI with external Nor Flash memories, the AES encryption engine is connected between a CPU and the data reading decryption passage and used for plaintext data encryption, and the data reading decryption passage comprises an address analyzing unit, an address comparing unit, an indication control unit, a cipher text buffer unit, an AES decryption engine, a plaintext buffer unit and a secret key storage unit. Hardware-software combination is used to provide data encryption for off-chip Nor Flash memories. The device supports a bypass function, data can be written into off-chip Nor Flash memories in plaintext and read in plaintext, so that data storage flexibility is achieved. By the device which is flexible in extensibility, easy to design, high in reliability and safety and the like, Nor Flash bus interface encryption is achieved.

The outer Nor Flash bus interface hardware encipher device of a kind of chip slapper

Technical field

The present invention relates to computer science, information security, built-in terminal field, particularly the outer Nor Flash memory bus interface encryption technology field of sheet.

Background technology

The Flash storer is owing to have characteristics such as little, low in energy consumption, the intrinsic involatile of volume, reliable and stable, data holding time are long, its erasable number of times nearly 100,000 times, Data Update speed is fast more a lot of than EEPROM, under powering-off state, also can preserve data, be widely used in the embedded product, be used for preserving some important configuration informations; In addition, a kind of as in the Flash storer of Nor Flash has and can read data, the fast characteristics of reading speed at random; Supporting pieces moves on using, and program can directly be moved in FLASH, and need not to import other data storage device; Therefore, a lot of embedded products and application system thereof all use Nor Flash as the storer of program and data.

But, because Nor Flash memory interface sequential logic is fairly simple, only address bus, data bus and control bus; Illegal rival can be by reading data on the Nor Flash memory chip, by plagiarizing or the replicated product circuit board, can copy other people product easily or crack data on the product sheet, form unequal competition, not only encroach on rival's rights and interests, also the interests of serious harm End-Customer; Therefore, some Nor Flash producers increase safety protection function at Nor Flash chip, protect information security; Adopt the Krypto safety technique as Micro company, this technology can and be wiped protection scheme strengthening system level protection mechanism by reading and writing, protects the data information security on the Nor Flash sheet; But, in system work process, still can be by instrument monitoring bus signals such as logic analysers, to reach the purpose that cracks data on the sheet.

Software scenario is generally adopted in data protection to Nor Flash now, earlier data encryption then programming to Nor Flash; When using data, the data of crossing by reading encrypted in system also use software to be decrypted; There is following defective in this implementation: the first, and data must be encrypted programming more earlier, the disappearance dirigibility; The second, generally use same key that data are encrypted, namely key is single, if support the key that each product is different, produces and software output complexity; The 3rd, one of key is to exist when data encryption and use, and another is to solidify in software, all has potential safety hazard, namely has easily the risk by other people steal.

The AES cryptographic algorithm is that (Advanced Encryption Standard AES), claims the Rijndael enciphered method again, is a kind of block encryption standard that Federal Government adopts for Advanced Encryption Standard in the cryptography; This standard is used for substituting original DES, analyzed in many ways and widely the whole world use; Through the selection flow process in 5 years, Advanced Encryption Standard was published on FIPS PUB 197 by National Institute of Standards and Technology (NIST) November 26 calendar year 2001, and became effective standard on May 26th, 2002; Aes algorithm is a kind of symmetric key algorithm, namely uses identical secret key encryption and data decryption; At present, the software and hardware of aes algorithm is realized all ripe.

Summary of the invention

The technical problem to be solved in the present invention is to reach data information security on the protection Nor Flash sheet for the outer Nor Flash bus interface of sheet provides a kind of data encrypting and deciphering technical method.

The present invention is achieved in that the outer Nor Flash bus interface hardware encipher device of a kind of chip slapper, it is characterized in that, comprising: external bus interface EMI is used for CPU expansion external memory storage; Be connected to three passages of external bus interface and outside Nor Flash storer: data read decryption channel, data read bypass channel and data write passage, and described three passages are realized the read-write operation of the storer of CPU; AES crypto engine: connect between CPU processor and the data read decryption channel, be used for clear data and encrypt.

Described data read decryption channel comprises address resolution unit, address comparing unit, reading control module, ciphertext buffer cell, AES decryption engine, the plaintext buffer cell that connects successively, wherein the address comparing unit also connects expressly buffer cell, reading control module, ciphertext buffer cell also are connected to outside Nor Flash storer, address resolution unit and plaintext buffer cell are connected to external bus interface EMI respectively, key storing unit connects AES decryption engine and AES crypto engine respectively, is used for the storage AES key.

Described data write passage and are not with the automatic encryption function of hardware; For non-vital data, data can be by the software outside Nor Flash storer that writes direct; For security information, data write outside Nor Flash storer after can using hardware cryptographic engine to encrypt earlier again.

Described data read decryption channel adopts hardware-accelerated realization, can directly read clear data to the enciphered data that is stored on the outside Nor Flash storer by bus; And directly read the data that are stored on the Nor Flash by the data read bypass channel.

Described AES data encrypting and deciphering is piecemeal, and it reads that to write all be to be unit with the encryption and decryption piece concerning outside Nor Flash storer.

Described key for the AES encryption and decryption produces at random, when each software upgrading, be updated to key storing unit automatically synchronously, this key after entering personal code work, has only AES crypto engine, AES decryption engine to visit by safe Boot control on the sheet.

Described ciphertext buffer cell and plaintext buffer cell are that piecemeal is read and is stored in the ciphertext buffer cell when reading ciphertext from outside Nor Flash storer, then through being stored in expressly buffer cell after the deciphering of AES decryption engine again; CPU reads required data from interface bus afterwards, but realizes execution pattern on the supporting pieces.

The cryptographic algorithm of described AES crypto engine also can realize with software.

The invention has the advantages that: the outer Nor Flash bus interface hardware encipher device of chip slapper of the present invention, use aes algorithm, by the encryption of hardware realization to bus interface, its key is by producing at random, be stored in certain storage unit on the SOC sheet, this storage unit starts the back by top BOOT control in system, has only AES encryption and decryption engine to visit after the control; The present invention uses the scheme of software and hardware combining, and being embodied as the outer Nor Flash storage of sheet provides data encryption, and software is realized writing Nor Flash after a data that will write Nor Flash is encrypted through hardware cryptographic engine; Automatic deciphering is read hardware realizes reading data from Nor Flash after; The present invention is by encryption, the decryption mechanisms of separate type, and by pass mechanism is provided, for product development provides more flexibility, have expansion flexibly, design easily, characteristics such as good reliability, degree of safety height.

Description of drawings

The present invention is further illustrated in conjunction with the embodiments with reference to the accompanying drawings.

Fig. 1: the present invention's logic and application schematic block diagram.

Embodiment

Relevant feature of the present invention and technology contents please refer to following detailed description and accompanying drawing, and accompanying drawing only provides reference and explanation, and the present invention is limited.

Fig. 1 is the logic of the outer Nor Flash bus interface hardware encipher device of a kind of chip slapper of the present invention and uses schematic block diagram; On the whole, master cpu is connected with outside Nor Flash storer and reference-to storage by external interface bus EMI.

External bus interface encryption and decryption of the present invention partly comprises: external bus interface EMI: be used for CPU expansion external memory storage; Three passages that connect external bus interface and Nor Flash storer: data read decryption channel, data read bypass channel and data write passage; AES crypto engine: be used for clear data and encrypt; Wherein, the data read decryption channel comprises address resolution unit, address comparing unit, reading control module, ciphertext buffer cell, AES decryption engine, plaintext buffer cell, key storing unit.

Encryption and decryption of the present invention is used aes algorithm, is example to use 128 keys, and data must be that unit is encrypted and decryption processing with 128; But bus interface generally is 8,16 or 32, and Nor Flash commonly used generally is 16; Therefore, bus data will carry out encryption and decryption, will read the storer piecemeal; The reading control module plays this effect among Fig. 1; In addition, because block data can not directly deliver on the bus again, even the data after the deciphering, so increased by two buffer zones, i.e. ciphertext buffer cell and expressly buffer cell; The ciphertext buffer cell is deposited the block data of reading from Nor Flash storer, and expressly buffer cell is deposited the clear data to generating after the decrypt ciphertext.

Its data read decryption channel is work like this:

1) send when reading Nor Flash data command as CPU, at first address resolution unit is resolved the address information on the bus, decomposites piecemeal entry address and piece bias internal address;

2) whether by the address comparing unit compared in the piecemeal entry address that parses, it is consistent with the entry address of analyzing the data loading last time to compare this entry address again;

3) if comparison address unanimity illustrates that then this block data loads, namely the data that will read have left in the plaintext buffer cell; Then, according to the piece bias internal address that the first step is resolved, obtain data from the corresponding skew of plaintext buffer cell, output on the data bus; Master cpu just reads desired data like this, and this situation is called hits;

4) if comparison address and to be loaded into port address last time inconsistent is called in the unnatural death, then give the reading control module with this new port address that is loaded into;

5) reading control once loads 128 (i.e. 16 bytes) data to the ciphertext buffer cell according to the configuration of Nor Flash interface sequence the Nor Flash storer outside sheet;

6) notice AES decryption engine was decrypted ciphertext after data loaded and finish, and put into expressly buffer cell after the generation expressly;

7) clear data generates the piece bias internal address that resolve according to the first step back, from expressly cushioning corresponding skew obtains data, outputs on the data bus, and master cpu just reads desired data like this.

Above-mentioned is the process that reads of enciphered data; To writing of enciphered data, data of the present invention write passage and are not with the automatic encryption function of hardware; Storing Nor Flash after whether data need to encrypt into is to be realized determining by software; According to user's needs, for non-vital data, data can not be encrypted by the software Nor Flash that writes direct; For security information, data write Nor Flash after can using hardware cryptographic engine to encrypt earlier again; Be that the present invention uses a kind of scheme of software and hardware combining that enciphered data is written in the Nor Flash storer; This method can namely be stored security information such as important program and data for the user is implemented on the Nor Flash memory bank, also stores other non-important program and data; Data write this realization mechanism of passage, also for system support the Nor Flash chip of various models provide may and convenient; Because, Nor Flash to different model, its control command or time sequential routine may be inconsistent, if use pure hardware encipher to write realization, certainly will be various Nor Flash control commands or the different logic of sequential realization, in the complexity that increases design, the dirigibility of the system of reduction.

Be not encrypted for non-significant data and be stored in Nor Flash, the mechanism that the present invention is not decrypted when also supporting data read in design, namely the data read bypass channel is realized.

Among the present invention, AES encrypts, decryption engine all will be used AES key; This key is stored in key storing unit; AES key generates at random by the random number generation module, generates automatically when every software upgrading and renewal synchronously; This key storing unit is controllable in design, can dispose by software, makes this unit not controlled by CPU, and can only be read by AES crypto engine and decryption engine; Realize this control by top Boot on using, in case system jumps out top Boot like this, the user just again can't visit this AES key; Thereby guarantee that in whole software code operational process, program can not touch key, guaranteed that key can not reveal; Because top Boot is realized and maintenance by production producer, therefore can guarantee that this key is shielded, guarantee that also this key can be by random distorting (do not distort the ciphertext that will cause storing and can't recover its cleartext information) simultaneously.

The above is the specific embodiment of the present invention, and in order to limit the present invention, in the technical scope that the present invention discloses, any modification and replacement that the present invention is made all should not be encompassed within protection scope of the present invention.