CN101901629A - Nonvolatile memory protecting system and method - Google Patents
- Publication number
- CN101901629A
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a nonvolatile memory protection system and method. A control unit calls a protection code from the memory and restricts unauthorized users from programming or verifying the data/program in the protected area. The data written into the memory is encrypted data, so different memories can have different keys, the scheme is not limited to one encryption method, and different addresses can be given different key protection; if a key needs to be modified, this is done by programming alone, without replacing hardware. An address encryption key encrypts the memory address, so that an unauthorized user accessing a memory address obtains scrambled data, and a data/program decryption key decrypts the data/program of the memory, which prevents an unauthorized user from parsing illegally obtained data.
Description
Technical field
The present invention relates to a protection system and protection method for data/program programming, data/program verification, address encryption and data/program decryption of a nonvolatile memory.
Background technology
Traditional nonvolatile memory encryption mainly falls into three classes: (1) software encryption of the memory data by the compiler; memory encryption implemented this way is easily cracked by analysing the signals and the communication protocol; (2) a hardware encryption module placed in the memory and implemented with a fixed, specific encryption algorithm; memory encryption implemented this way is inflexible and uses the same encryption for different memory code; (3) a key fixed inside a ROM by masking; if this kind of memory encryption has to be modified, the change must be made at chip level. Compared with the second approach, the cost of changing the encryption key is much smaller, because only the mask has to be modified to change the key; but with a hardware modification it is not possible for each product in a batch to use a different key, and changing the key still takes a certain amount of time and cost.
Summary of the invention
The present invention aims to remedy the deficiencies of the prior art and proposes a nonvolatile memory protection system that applies classified, multi-level protection to memory data/program programming, memory data/program verification, memory address encryption and memory data/program decryption, and that is easy to implement in volume production.
The invention also proposes a protection method for nonvolatile memory.
The invention also proposes a control module used in the memory protection system and protection method.
A nonvolatile memory protection system that is a memory programming/verification device comprises a programming/verification unit, a control module and a memory:
The control module comprises a memory control module, a key/protection code register group, a storage address selection module and a protection module, wherein:
The memory control module is connected to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit;
The memory control module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The storage address selection module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The protection module is connected to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module is connected to the memory through data output port 1 of the control module and the first output data line (w37d) and, according to the protection code for the corresponding programming address supplied by the key/protection code register group, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory content; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module is connected to the memory through data input port 2 of the control module and the second input data line (w07d) and, according to the verification address output by the storage address selection module, receives the verification data/program supplied by the memory;
The key/protection code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d); according to the protection code address output by the storage address selection module, it receives the protection code for the corresponding address from the memory, or it obtains the protection code for the corresponding address from the memory before programming/verification; the protection code is then passed to the protection module over the protection code data line (w43d).
The protection module is connected to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d) and, according to the protection code for the corresponding verification address supplied by the key/protection code register group, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming or verification; further, when the address being programmed or verified is an address in the memory protection area, the memory control module can also disable the effect of the first input control signal line (W15c);
The storage address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); the address output port selects whether the protection code address or the programming/verification address is output to the memory;
The memory control module is connected to the storage address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the protection code address, the programming address or the verification address for output.
The memory control module is connected to the key/protection code register group through the register control line (w54c), and issues the command for the key/protection code register group to update the protection code;
The key/protection code register group is connected to the memory control module through the register data line (w45d), and supplies the updated protection code to the memory control module.
A nonvolatile memory protection system that is a memory encryption/decryption device comprises a CPU, an encryption/decryption unit, a control module and a memory:
The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instructions sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted, or the address of the memory data/program to be decrypted, sent by the CPU; it supplies the decrypted memory data/program to the CPU over the CPU data line (w02d);
The control module comprises a memory control module, a key/protection code register group and a storage address selection module, wherein:
The memory control module is connected to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module is connected to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory address sent by the encryption/decryption unit;
The storage address selection module is connected to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory address sent by the encryption/decryption unit;
The key/protection code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d); according to the key address output by the storage address selection module, it receives the memory address encryption key or the memory data/program decryption key supplied by the memory.
The key/protection code register group is connected to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform memory address encryption or memory data/program decryption;
The storage address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs the encrypted address or the address of the data/program to be decrypted to the memory;
The memory control module is connected to the storage address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module is connected to the key/protection code register group through the register control line (w54c), and issues the command for the key/protection code register group to update the key;
The key/protection code register group is connected to the memory control module through the register data line (w45d), and supplies the updated key to the memory control module.
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
Further, the encryption/decryption unit obtains the protection code from the key/protection code register group and, using the CPU control signal line (W02c) and the CPU address line (W02a), judges whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, access to the memory is forbidden.
A nonvolatile memory protection system comprises a programming/verification unit, a CPU, an encryption/decryption unit, a control module and a memory:
The memory control module is connected to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification command sent by the programming/verification unit;
The memory control module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The storage address selection module is connected to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory address sent by the programming/verification unit;
The protection module is connected to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module is connected to the memory through data output port 1 of the control module and the first output data line (w37d) and, according to the protection code for the corresponding programming address supplied by the key/protection code register group, performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory content; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module is connected to the memory through data input port 2 of the control module and the second input data line (w07d) and, according to the verification address output by the storage address selection module, receives the verification data/program supplied by the memory;
The key/protection code register group is connected to the memory through data input port 2 of the control module and the second input data line (w07d); according to the protection code address or key address output by the storage address selection module, it receives the corresponding protection code or key from the memory, or it obtains from the memory, before programming, verification, decryption or encryption, the protection code, address encryption key or memory data decryption key corresponding to the programming data/program or verification data/program; the protection code is then passed to the protection module over the protection code data line (w43d).
The protection module is connected to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d) and, according to the protection code for the corresponding verification address supplied by the key/protection code register group, performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protection code forbids access, it outputs to the programming/verification unit data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module is connected to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module is connected to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory address sent by the encryption/decryption unit;
The storage address selection module is connected to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory address sent by the encryption/decryption unit;
The key/protection code register group is connected to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module is connected to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming, verification, address encryption or memory data/program decryption; further, when the address being programmed or verified is an address in the memory protection area, the memory control module can also disable the effect of the first input control signal line (W15c);
The storage address selection module is connected to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs the protection code address or the programming/verification address to the memory in the programming/verification state, and outputs the encrypted address or the address of the data/program to be decrypted to the memory in the memory address encryption/data decryption state;
The memory control module is connected to the storage address selection module through the selection control line (w56c) and the selection address line (w56a); in the programming/verification state it controls the address selection module to select the protection code address, the programming address or the verification address for output, and in the memory address encryption or data/program decryption state it controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module is connected to the key/protection code register group through the register control line (w54c), and issues the command for the key/protection code register group to update the protection code;
The key/protection code register group is connected to the memory control module through the register data line (w45d), and supplies the updated protection code to the memory control module.
The memory is connected to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
Further, the encryption/decryption unit obtains the protection code from the key/protection code register group and, using the CPU control signal line (W02c) and the address line (W02a), judges whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, access to the memory is forbidden.
A nonvolatile memory protection method that is a memory data/program programming method comprises the following steps:
(1) The programming/verification unit is connected to the memory control module of the control module through the first input control signal line (W15c) and sends a programming instruction to the control module; the programming/verification unit is connected to the storage address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the target address of the programming data/program; the programming data/program output of the programming/verification unit is connected to the protection module of the control module through the first input data line (w13d) and outputs the programming data/program;
(2) After the memory control module of the control module receives the programming instruction, it outputs the protection code storage address to the storage address selection module over the selection address line (w56a), and through the selection control line (w56c) it controls the storage address selection module to output, on the first output address line (w67a), the protection code storage address corresponding to the target address; at the same time the memory control module, through the control line (w57c), controls the memory to supply the protection code for the corresponding address to the key/protection code register group over the second input data line (w07d); the key/protection code register group updates the protection code under the control of the register control line (w54c); the updated protection code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module judges from the received protection code whether the target address sent by the programming/verification unit is an address in the memory protection area. If the target address is not a protected-area address, the memory control module, through the selection control line (w56c), instructs the storage address selection module to select the programming address sent on the first input address line (W16a); the storage address selection module supplies the programming address to the memory over the first output address line (w67a); the protection module supplies the programming data/program to the memory over the first output data line (w37d); and the memory, under the control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the target address is an address in the memory protection area, the memory control module masks the programming control signal sent by the programming/verification unit on the first input control signal line (W15c), or the key/protection code register group outputs the protection code to disturb the programming data/program output by the protection module, and the content of the memory is not changed.
Further, the programming data/program supplied by the programming/verification unit is encrypted data/program.
A nonvolatile memory protection method that is a memory data verification method comprises the following steps:
(1) The programming/verification unit is connected to the memory control module of the control module through the first input control signal line (W15c) and sends a verification command to the control module; the programming/verification unit is connected to the storage address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the target address of the verification data/program;
(2) After the memory control module of the control module receives the verification command, it outputs the protection code storage address to the storage address selection module over the selection address line (w56a), and through the selection control line (w56c) it controls the storage address selection module to output, on the first output address line (w67a), the protection code storage address corresponding to the target address; at the same time the memory control module, through the control line (w57c), controls the memory to supply the protection code for the corresponding address to the key/protection code register group over the second input data line (w07d); the key/protection code register group updates the protection code under the control of the register control line (w54c); the updated protection code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module judges from the received protection code whether the target address sent by the programming/verification unit is an address in the memory protection area. If the target address is not a protected-area address, the memory control module, through the selection control line (w56c), instructs the storage address selection module to select the verification address sent on the first input address line (W16a); the storage address selection module supplies the verification address to the memory over the first output address line (w67a); the memory, under the control of the control line (w57c), supplies the verification data/program at the target address to the protection module over the data line (w07d); and the protection module supplies it to the programming/verification unit over the second output data line (w31d) for verification. If the target address is an address in the memory protection area, the memory control module masks the verification control signal sent by the programming/verification unit on the first input control signal line (W15c), or the key/protection code register group outputs the protection code to disturb the verification data/program output by the protection module.
The memory data verification method can be carried out on its own, or after the memory data/program has been programmed.
A memory protection method that is a memory address encryption method comprises the following steps:
(1) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instruction sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the to-be-encrypted memory address sent by the CPU;
(2) The encryption/decryption unit obtains the encryption key for the corresponding address from the key/protection code register group of the control module and uses the address encryption key to encrypt the to-be-encrypted memory address sent by the CPU; the encryption/decryption unit outputs the encrypted address to the memory control module over the second input address signal line (w25a) and to the storage address selection module over the address signal line (w26a); the encryption/decryption unit is connected to the memory control module of the control module through the second input control signal line (W25c) and sends instructions to the memory control module;
(3) If the encrypted address received by the memory control module is an address in the memory protection area, the memory control module interrupts the encrypted address sent on the second output address signal line (w25a); if the encrypted address received by the memory control module is an address in the unprotected area of the memory, the memory control module, through the selection control line (w56c), instructs the storage address selection module to select the encrypted address supplied by the encryption/decryption unit on the third input address line (W26a), and the storage address selection module supplies the encrypted address to the memory over the first output address line (w67a);
Further, step (1) also includes: the encryption/decryption unit obtains the protection code from the key/protection code register group and, using the CPU control signal line (W02c) and the CPU address line (W02a), judges whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, access to the memory is forbidden; if it is an authorized user program, the method continues with step (2).
A nonvolatile memory protection method that is a memory data/program decryption method comprises the following steps:
(1) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the read memory data instruction sent by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the target address, sent by the CPU, of the data/program in the memory that is to be decrypted;
(2) The encryption/decryption unit is connected to the memory control module of the control module through the second input control signal line (W25c) and sends a read memory data/program instruction to the control module; the encryption/decryption unit is connected to the memory control module of the control module through the second input address line (W25a) and to the storage address selection module through the third input address line (w26a), and outputs the target address of the data/program to be decrypted;
(3) The memory control module, through the selection control line (w56c), controls the storage address selection module to select the target address output by the encryption/decryption unit on the third input address line (W26a); the storage address selection module supplies the target address to the memory over the first output address line (w67a); under the control of the first output control signal line (w57c), the memory supplies the stored data at the target address to the encryption/decryption unit over the second input data line (w07d);
(4) The encryption/decryption unit decrypts the received memory data in a predefined manner using the data/program decryption key output on the third output data line (w42d), and supplies the decrypted data/program to the CPU.
Further, step (1) also includes: the encryption/decryption unit obtains the protection code from the key/protection code register group and, using the CPU control line (W02c) and the CPU address line (W02a), judges whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, access to the memory is forbidden; if it is an authorized user program, the method continues with step (2).
In addition to the updates described above, the keys and protection codes of the present invention can also be updated in any of the following situations:
(1) On system reset, or when the read sequence restarts, the protection codes or keys of the memory protection area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection code register group of the control module;
(2) Before memory data/program verification, memory address encryption or memory data/program decryption is carried out, the protection codes or keys of the memory protection area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection code register group of the control module; updating in this situation requires that the operation can tolerate the time needed to fetch the keys and protection codes;
(3) During idle time, which is a fairly long period in which the memory is not in use, such as when the system is in sleep or standby mode, the protection codes or keys of the memory protection area are read out, and each protection code or key of the protected area is loaded into the corresponding key/protection code register group of the control module.
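The programming, verification and CPU read paths described above, as a small behavioral model in C. This is an added example, not code from the patent: the memory layout, the 0xFF "access allowed" protection code, the XOR stand-ins for address encryption and data decryption (the patent only says "predefined manner") and all function names are assumptions, and a forbidden verification is modelled as option (3), no data output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not from the patent): 64 bytes in four 16-byte blocks.
 * Block 3 is the protected area that stores the protection codes and keys. */
#define MEM_SIZE   64u
#define BLOCK_SIZE 16u
#define CODE_BASE  0x30u /* protection code of block b is stored at CODE_BASE + b */
#define AKEY_ADDR  0x34u /* address encryption key */
#define DKEY_ADDR  0x35u /* data/program decryption key */
#define CODE_OPEN  0xFFu /* erased value: access allowed; anything else: forbidden */

typedef struct {
    uint8_t mem[MEM_SIZE];                /* the nonvolatile memory */
    uint8_t code_reg, akey_reg, dkey_reg; /* key/protection code register group */
} nvm_t;

void nvm_init(nvm_t *d) {
    memset(d, 0xFF, sizeof *d);           /* erased memory, registers not yet loaded */
}

/* Update case (1): on reset the keys are loaded from the protected area. */
void nvm_reset(nvm_t *d) {
    d->akey_reg = d->mem[AKEY_ADDR];
    d->dkey_reg = d->mem[DKEY_ADDR];
}

/* Step (2) of both methods: fetch the protection code for the address first. */
static int fetch_code(nvm_t *d, uint8_t addr) {
    if (addr >= MEM_SIZE) return -1;
    d->code_reg = d->mem[CODE_BASE + addr / BLOCK_SIZE];
    return 0;
}

/* Programming: 1 = stored, 0 = control signal masked (memory unchanged). */
int nvm_program(nvm_t *d, uint8_t addr, uint8_t data) {
    if (fetch_code(d, addr) != 0) return -1;
    if (d->code_reg != CODE_OPEN) return 0;
    d->mem[addr] = data;
    return 1;
}

/* Verification: 1 = data returned, 0 = forbidden and nothing output (option 3). */
int nvm_verify(nvm_t *d, uint8_t addr, uint8_t *out) {
    *out = 0;
    if (fetch_code(d, addr) != 0) return -1;
    if (d->code_reg != CODE_OPEN) return 0;
    *out = d->mem[addr];
    return 1;
}

/* XOR stand-ins for the unspecified cipher; the address stays inside its block. */
static uint8_t enc_addr(uint8_t logical, uint8_t akey) {
    return (uint8_t)(logical ^ (akey & (BLOCK_SIZE - 1u)));
}
static uint8_t crypt_data(uint8_t data, uint8_t dkey) {
    return (uint8_t)(data ^ dkey);
}

/* CPU read through the encryption/decryption unit: encrypt address, decrypt data. */
int cpu_read(const nvm_t *d, uint8_t logical, uint8_t *out) {
    if (logical >= MEM_SIZE) return -1;
    *out = crypt_data(d->mem[enc_addr(logical, d->akey_reg)], d->dkey_reg);
    return 1;
}

/* Host side: program the encrypted image and its keys, then lock blocks 0 and 3. */
int provision(nvm_t *d, const uint8_t *image, uint8_t len,
              uint8_t akey, uint8_t dkey, uint8_t lock_code) {
    if (len > BLOCK_SIZE || lock_code == CODE_OPEN) return -1;
    for (uint8_t i = 0; i < len; i++)
        if (nvm_program(d, enc_addr(i, akey), crypt_data(image[i], dkey)) != 1)
            return -1;
    if (nvm_program(d, AKEY_ADDR, akey) != 1) return -1;
    if (nvm_program(d, DKEY_ADDR, dkey) != 1) return -1;
    if (nvm_program(d, CODE_BASE + 0u, lock_code) != 1) return -1;
    if (nvm_program(d, CODE_BASE + 3u, lock_code) != 1) return -1; /* lock keys last */
    nvm_reset(d);
    return 0;
}

int main(void) {
    const uint8_t image[4] = {0xDE, 0xAD, 0xBE, 0xEF}; /* constructed sample */
    nvm_t d;
    uint8_t v;
    nvm_init(&d);
    if (provision(&d, image, 4, 0x5A, 0xC3, 0xA5) != 0) return 1;
    printf("program locked block: %d\n", nvm_program(&d, 0x0A, 0x00));
    printf("verify locked block:  %d\n", nvm_verify(&d, 0x0A, &v));
    cpu_read(&d, 0, &v);
    printf("raw cell 0x0A = 0x%02X, CPU sees logical 0 = 0x%02X\n", d.mem[0x0A], v);
    return 0;
}
```

Because the keys and the lock codes are ordinary programmed bytes, a second device can be provisioned with different `akey`, `dkey` and `lock_code` values without any hardware change, which is the property the description claims over mask-ROM keys.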
The programming/verification unit of the present invention is connected to an external controller, which is any one of a PC, CPU, FPGA or CPLD.
The beneficial effects of the invention are as follows: graded protection is provided through memory data/program programming, memory data/program verification, memory address encryption and memory data/program decryption, wherein:
In the memory data/program programming device and programming method provided by the invention, the control module fetches the protection code from the memory and restricts unauthorized users from programming data/program into protected-area addresses of the memory. The data written to the memory is encrypted data; the encryption is carried out by the host computer, and the key is programmed into the memory together with the data. Different memories can therefore have different keys, the encryption method is not limited to one, and different addresses can be given different key protection; if a key needs to be modified, no hardware has to be changed, and the modification is made by programming alone.
In the memory data/program verification device and verification method provided by the invention, the control module fetches the protection code from the memory and effectively restricts unauthorized users from verifying data/program at protected-area addresses of the memory.
The memory address encryption device and encryption method provided by the invention encrypt the memory address with the address encryption key, so that the data an unauthorized user obtains when accessing a memory address is scrambled data.
The memory data/program decryption device and decryption method provided by the invention decrypt the memory data/program with the data/program decryption key, preventing an unauthorized user from parsing data obtained illegally.
The memory control unit provided for the nonvolatile memory can implement all of the above protections at the same time; its control is simple and it saves cost.
Description of the drawings
Fig. 1 shows a non-volatile memory protection system proposed by the invention that implements memory programming/verification;
Fig. 2 shows a non-volatile memory protection system proposed by the invention that implements memory encryption/decryption;
Fig. 3 shows a non-volatile memory protection system proposed by the invention that implements both memory programming/verification and memory encryption/decryption;
Fig. 4 shows the key/protection-code register group of a non-volatile memory protection system proposed by the invention.
Embodiments
The invention is further described below with reference to the accompanying drawings.
As shown in Fig. 1, a non-volatile memory protection system that is a memory programming/verification device comprises a programming/verification unit (01), a control module (02), and a memory (07):
The control module (02) comprises a memory control module (05), a key/protection-code register group (04), a memory address selection module (06), and a protection module (03), wherein:
The memory control module (05) is connected to the programming/verification unit (01) through control input port 1 of the control module (02) and the first input control signal line (W15c), and receives the memory programming or memory verification instruction issued by the programming/verification unit (01);
The memory control module (05) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The memory address selection module (06) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The protection module (03) is connected to the programming/verification unit (01) through data input port 1 of the control module (02) and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit (01);
The protection module (03) is connected to the memory through data output port 1 of the control module (02) and the first output data line (w37d). According to the protection code for the programming address supplied by the key/protection register, it performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory contents; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module (03) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d), and receives the verification data/program that the memory supplies for the verification address output by the memory address selection module (06);
The key/protection-code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d). It receives the protection code that the memory supplies for the protection-code address output by the memory address selection module (06), or obtains the protection code for the corresponding address from the memory before programming/verification; the protection code is then passed to the protection module (03) over the protection-code data line (w43d).
The protection module (03) is connected to the programming/verification unit (01) through data output port 2 of the control module (02) and the second output data line (w31d). According to the protection code for the verification address supplied by the key/protection register, it performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit (01); (2) when the protection code forbids access, it outputs to the programming/verification unit (01) data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit (01);
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory to perform programming or verification. Further, when the programming or verification address is an address in the memory's protected area, the memory control module (05) can also disable the effect of the first input control signal line (W15c);
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a); the address output port selectively outputs to the memory either the protection-code address or the programming/verification addressing address;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the protection-code address, the programming address, or the verification address for output.
The memory control module (05) is connected to the key/protection-code register group (04) through the register control line (w54c), and controls the key/protection-code register group (04) to update the protection code;
The key/protection-code register group (04) is connected to the memory control module (05) through the register data line (w45d), and supplies the updated protection code to the memory control module (05).
A non-volatile memory protection system that is a memory encryption/decryption device comprises a CPU, an encryption/decryption unit, a control module (02), and a memory:
The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instructions issued by the CPU; it is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted, or the address of the memory data/program to be decrypted, sent by the CPU; and it supplies the decrypted memory data/program to the CPU over the CPU data line (w02d);
The control module (02) comprises a memory control module (05), a key/protection-code register group (04), and a memory address selection module (06), wherein:
The memory control module (05) is connected to the encryption/decryption unit through control input port 2 of the control module (02) and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction issued by the encryption/decryption unit;
The memory control module (05) is connected to the encryption/decryption unit through address input port 2 of the control module (02) and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module (06) is connected to the encryption/decryption unit through address input port 3 of the control module (02) and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection-code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d), and receives the memory address encryption key or the memory data/program decryption key that the memory supplies for the key address output by the memory address selection module (06).
The key/protection-code register group (04) is connected to the encryption/decryption unit through data output port 3 of the control module (02) and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory for memory address encryption or memory data/program decryption;
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module (05), the address output port outputs to the memory the encrypted address or the address of the data/program to be decrypted;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module (05) is connected to the key/protection-code register group (04) through the register control line (w54c), and controls the key/protection-code register group (04) to update the key;
The key/protection-code register group (04) is connected to the memory control module (05) through the register data line (w45d), and supplies the updated key to the memory control module (05).
The memory is connected to the encryption/decryption unit through the second input data line (w07d) and supplies it with the data/program to be decrypted.
Further, the encryption/decryption unit obtains the protection code from the key/protection-code register group (04) and determines, from the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program that the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A non-volatile memory protection system comprises a programming/verification unit (01), a CPU, an encryption/decryption unit, a control module (02), and a memory:
The memory control module (05) is connected to the programming/verification unit (01) through control input port 1 of the control module (02) and the first input control signal line (W15c), and receives the memory programming or memory verification instruction issued by the programming/verification unit (01);
The memory control module (05) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The memory address selection module (06) is connected to the programming/verification unit (01) through address input port 1 of the control module (02) and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit (01);
The protection module (03) is connected to the programming/verification unit (01) through data input port 1 of the control module (02) and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit (01);
The protection module (03) is connected to the memory through data output port 1 of the control module (02) and the first output data line (w37d). According to the protection code for the programming address supplied by the key/protection register, it performs one of the following operations: (1) when the protection code allows access, it outputs the programming data/program to the memory; (2) when the protection code forbids access, it outputs to the memory data/program that has been altered by the protection code and that does not change the memory contents; (3) when the protection code forbids access, it does not output the programming data/program to the memory;
The protection module (03) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d), and receives the verification data/program that the memory supplies for the verification address output by the memory address selection module (06);
The key/protection-code register group (04) is connected to the memory through data input port 2 of the control module (02) and the second input data line (w07d). It receives the protection code or key that the memory supplies for the protection-code address or key address output by the memory address selection module (06), or obtains from the memory, before programming, verification, decryption, or encryption, the protection code corresponding to the programming data/program or verification data/program, the address encryption key, and the memory data decryption key; the protection code is then passed to the protection module (03) over the protection-code data line (w43d).
The protection module (03) is connected to the programming/verification unit (01) through data output port 2 of the control module (02) and the second output data line (w31d). According to the protection code for the verification address supplied by the key/protection register, it performs one of the following operations: (1) when the protection code allows access, it outputs the verification data/program to the programming/verification unit (01); (2) when the protection code forbids access, it outputs to the programming/verification unit (01) data that has been altered by the protection code; (3) when the protection code forbids access, it does not output the verification data/program to the programming/verification unit (01);
The memory control module (05) is connected to the encryption/decryption unit through control input port 2 of the control module (02) and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction issued by the encryption/decryption unit;
The memory control module (05) is connected to the encryption/decryption unit through address input port 2 of the control module (02) and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module (06) is connected to the encryption/decryption unit through address input port 3 of the control module (02) and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protection-code register group (04) is connected to the encryption/decryption unit through data output port 3 of the control module (02) and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module (05) is connected to the memory through control output port 1 of the control module (02) and the first output control signal line (w57c), and controls the memory for programming, verification, address encryption, or memory data/program decryption. Further, when the programming or verification address is an address in the memory's protected area, the memory control module (05) can also disable the effect of the first input control signal line (W15c);
The memory address selection module (06) is connected to the memory through address output port 1 of the control module (02) and the first output address line (w67a). According to the control signal and address signal sent to it by the memory control module (05), the address output port outputs to the memory the protection-code address or the programming/verification addressing address in the programming/verification state, and the encrypted address or the address of the data/program to be decrypted in the memory address encryption/data decryption state;
The memory control module (05) is connected to the memory address selection module (06) through the selection control line (w56c) and the selection address line (w56a). In the programming/verification state it controls the address selection module to select the protection-code address, the programming address, or the verification address for output; in the memory address encryption or data/program decryption state it controls the address selection module to select the encrypted address or the address of the data/program to be decrypted for output.
The memory control module (05) is connected to the key/protection-code register group (04) through the register control line (w54c), and controls the key/protection-code register group (04) to update the protection code;
The key/protection-code register group (04) is connected to the memory control module (05) through the register data line (w45d), and supplies the updated protection code to the memory control module (05).
The memory is connected to the encryption/decryption unit through the second input data line (w07d) and supplies it with the data/program to be decrypted.
Further, the encryption/decryption unit obtains the protection code from the key/protection-code register group (04) and determines, from the CPU control signal line (W02c) and the address line (W02a), whether the user program that the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
A non-volatile memory protection method that is a memory data/program programming method comprises the following steps:
(4) The programming/verification unit (01) is connected through the first input control signal line (W15c) to the memory control module (05) of the control module (02) and sends a programming instruction to the control module (02); the programming/verification unit (01) is connected through the first input address line (W16a) to the memory address selection module (06) and the memory control module (05) of the control module (02) and outputs the addressing address corresponding to the programming data/program; the programming data/program output of the programming/verification unit (01) is connected through the first input data line (w13d) to the protection module (03) of the control module (02) and outputs the programming data/program;
(5) After the memory control module (05) of the control module (02) receives the programming instruction, it outputs the protection-code storage address to the memory address selection module (06) over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module (06) to output on the first output address line (w67a) the protection-code storage address corresponding to the addressing address. At the same time, the memory control module (05) controls the memory over the control line (w57c) to supply the protection code for that address to the key/protection-code register group (04) over the second input data line (w07d). The key/protection-code register group (04) updates the protection code under the control of the register control line (w54c); the updated protection code is supplied to the memory control module (05) over the register data line (w45d) and to the protection module (03) over the data line (w43d);
(6) Based on the protection code received, the memory control module (05) determines whether the addressing address sent by the programming/verification unit (01) is an address in the memory's protected area. If the addressing address is not a protected-area address, the memory control module (05) notifies the memory address selection module (06) over the selection control line (w56c) to select the programming address sent on the first input address line (W16a); the memory address selection module (06) supplies the programming address to the memory over the first output address line (w67a); the protection module (03) supplies the programming data/program to the memory over the first output data line (w37d); and the memory, under the control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the addressing address is an address in the memory's protected area, the memory control module (05) masks the programming control signal sent by the programming/verification unit (01) on the first input control signal line (W15c), or the protection code output by the key/protection-code register group (04) disturbs the programming data/program output by the protection module (03), and the memory contents are not changed.
Further, the programming data/program supplied by the programming/verification unit (01) is encrypted data/program.
A non-volatile memory protection method that is a memory data verification method comprises the following steps:
(4) The programming/verification unit (01) is connected through the first input control signal line (W15c) to the memory control module (05) of the control module (02) and sends a verification instruction to the control module (02); the programming/verification unit (01) is connected through the first input address line (W16a) to the memory address selection module (06) and the memory control module (05) of the control module (02) and outputs the addressing address corresponding to the verification data/program;
(5) After the memory control module (05) of the control module (02) receives the verification instruction, it outputs the protection-code storage address to the memory address selection module (06) over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module (06) to output on the first output address line (w67a) the protection-code storage address corresponding to the addressing address. At the same time, the memory control module (05) controls the memory over the control line (w57c) to supply the protection code for that address to the key/protection-code register group (04) over the second input data line (w07d). The key/protection-code register group (04) updates the protection code under the control of the register control line (w54c); the updated protection code is supplied to the memory control module (05) over the register data line (w45d) and to the protection module (03) over the data line (w43d);
(6) Based on the protection code received, the memory control module (05) determines whether the addressing address sent by the programming/verification unit (01) is an address in the memory's protected area. If the addressing address is not a protected-area address, the memory control module (05) notifies the memory address selection module (06) over the selection control line (w56c) to select the verification address sent on the first input address line (W16a); the memory address selection module (06) supplies the verification address to the memory over the first output address line (w67a); the memory, under the control of the control line (w57c), supplies the verification data/program at the addressing address to the protection module (03) over the data line (w07d); and the protection module (03) supplies it to the programming/verification unit (01) over the second output data line (w31d) for verification. If the addressing address is an address in the memory's protected area, the memory control module (05) masks the verification control signal sent by the programming/verification unit (01) on the first input control signal line (W15c), or the protection code output by the key/protection-code register group (04) disturbs the verification data/program output by the protection module (03).
The memory data verification method can be carried out on its own, or after memory data/program programming.
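The programming and verification gate of steps (4) to (6) above, as a small behavioural model in C. This is an added example, not code from the patent: the memory size, the one-code-per-16-byte-block layout, the lock value 0x5A, and the XOR used for the "disturbed" output are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed geometry: blocks 0..2 hold user data, block 3 is the protected
 * area; byte PROT_BASE + b holds the protection code of block b. */
enum { MEM_SIZE = 64, BLOCK_SIZE = 16, PROT_BASE = 48 };
enum { PCODE_LOCK = 0x5A, ERASED = 0xFF };            /* constructed values */

typedef enum { ACC_OK = 0, ACC_BLOCKED = 1 } acc_t;
typedef enum { DENY_SUPPRESS, DENY_DISTURB } deny_t;  /* behaviours (3) and (2) */

static uint8_t mem[MEM_SIZE];   /* memory (07) */
static uint8_t pcode_reg;       /* key/protection-code register group (04) */

void mem_erase(void)
{
    memset(mem, ERASED, sizeof mem);
    pcode_reg = ERASED;
}

/* Step (5): the address selection module (06) first outputs the
 * protection-code address; the code read back is latched into (04). */
static void latch_protection_code(uint8_t addr)
{
    pcode_reg = mem[PROT_BASE + addr / BLOCK_SIZE];
}

/* Step (6): the memory control module (05) decides from the latched code.
 * Assumption: only PCODE_LOCK forbids access, so an erased part is open. */
static int addr_is_locked(uint8_t addr)
{
    latch_protection_code(addr);
    return pcode_reg == PCODE_LOCK;
}

/* Programming path: unit (01) -> protection module (03) -> memory. */
acc_t program_byte(uint8_t addr, uint8_t data)
{
    if (addr >= MEM_SIZE || addr_is_locked(addr))
        return ACC_BLOCKED;      /* program strobe masked, memory unchanged */
    mem[addr] = data;
    return ACC_OK;
}

/* Verification path: memory -> protection module (03) -> unit (01). */
acc_t verify_byte(uint8_t addr, deny_t policy, uint8_t *out)
{
    if (addr >= MEM_SIZE)
        return ACC_BLOCKED;
    if (!addr_is_locked(addr)) {
        *out = mem[addr];
        return ACC_OK;
    }
    /* Locked: output nothing useful, or data disturbed by the code.
     * The patent does not define the disturbance; XOR is a stand-in that
     * only makes the effect visible. */
    *out = (policy == DENY_DISTURB) ? (uint8_t)(mem[addr] ^ pcode_reg) : 0x00;
    return ACC_BLOCKED;
}

int main(void)
{
    uint8_t v = 0;
    mem_erase();
    program_byte(5, 0x42);                     /* user data in block 0 */
    program_byte(PROT_BASE + 0, PCODE_LOCK);   /* lock block 0 */
    printf("program after lock: %s\n",
           program_byte(5, 0x00) == ACC_BLOCKED ? "blocked" : "done");
    verify_byte(5, DENY_DISTURB, &v);
    printf("verify after lock : 0x%02X (stored 0x%02X)\n", v, mem[5]);
    return 0;
}
```

Programming `PCODE_LOCK` into the byte at `PROT_BASE + 3` locks the protected area itself, after which the stored codes can no longer be rewritten through this path.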
A memory protection method that is a memory address encryption method comprises the following steps:
(4) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the instruction issued by the CPU; the encryption/decryption unit is connected to the CPU through the CPU address line (W02a) and receives the memory address to be encrypted sent by the CPU;
(5) The encryption/decryption unit obtains the encryption key for the corresponding address from the key/protection-code register group (04) of the control module (02) and uses the address encryption key to encrypt the memory address to be encrypted sent by the CPU. The encryption/decryption unit outputs the encrypted address to the memory control module (05) over the second input address signal line (w25a) and to the memory address selection module (06) over the address signal line (w26a). The encryption/decryption unit is connected through the second input control signal line (W25c) to the memory control module of the control module (02) and sends an instruction to the memory control module (05);
(6) If the encrypted address received by the memory control module (05) is an address in the memory's protected area, the memory control module (05) interrupts the encrypted address sent on the second output address signal line (w25a). If the encrypted address received by the memory control module (05) is an address in the memory's non-protected area, the memory control module (05) notifies the memory address selection module (06) over the selection control line (w56c) to select the encrypted address supplied by the encryption/decryption unit on the third input address line (W26a), and the memory address selection module (06) supplies the encrypted address to the memory over the first output address line (w67a);
Further, step (1) also includes: the encryption/decryption unit obtains the protection code from the key/protection-code register group (04) and determines, from the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program that the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
A non-volatile memory protection method that is a memory data/program decryption method comprises the following steps:
(5) The encryption/decryption unit is connected to the CPU through the CPU control signal line (w02c) and receives the read-memory-data instruction issued by the CPU; the encryption/decryption unit is connected to the CPU through the CPU address line (W02a) and receives the addressing address, sent by the CPU, of the data/program in the memory that needs to be decrypted;
(6) The encryption/decryption unit is connected through the second input control signal line (W25c) to the memory control module (05) of the control module (02) and sends a read-memory-data/program instruction to the control module (02); the encryption/decryption unit is connected to the memory control module (05) of the control module (02) through the second input address line (W25a) and to the memory address selection module (06) through the third input address line (w26a), and outputs the addressing address of the data/program that needs to be decrypted;
(7) Over the selection control line (w56c), the memory control module (05) controls the memory address selection module (06) to select the addressing address that the encryption/decryption unit outputs on the third input address line (W26a); the memory address selection module (06) supplies the addressing address to the memory over the first output address line (w67a); and the memory, under the control of the first output control signal line (w57c), supplies the stored data at that addressing address to the encryption/decryption unit over the second input data line (w07d);
(8) The encryption/decryption unit decrypts the received memory data in a predefined manner using the data/program decryption key output on the third output data line (w42d), and supplies the decrypted data/program to the CPU.
Further, step (1) also includes: the encryption/decryption unit obtains the protection code from the key/protection-code register group (04) and determines, from the CPU control line (W02c) and the CPU address line (W02a), whether the user program that the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
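The address encryption and data/program decryption methods above, modelled together in C for a CPU read of a host-prepared image. This is an added example, not code from the patent: the key locations, the memory geometry, and the XOR transforms standing in for the unspecified "predefined manner" are assumptions, and the sample image is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: user area 0..47, protected area 48..63 holding the keys. */
enum { MEM_SIZE = 64, PROT_BASE = 48, IMG_SIZE = 16 };
enum { ADDR_KEY_AT = 52, DATA_KEY_AT = 53 };      /* hypothetical key addresses */

static uint8_t mem[MEM_SIZE];                     /* memory contents */
static uint8_t addr_key_reg, data_key_reg;        /* register group (04) */

static const uint8_t SAMPLE[] = "SECRET-FIRMWARE!";   /* constructed image */

/* Stand-ins for the unspecified transforms (assumption: XOR based). */
static uint8_t scramble_addr(uint8_t a, uint8_t k)
{
    return (uint8_t)((a ^ k) & (MEM_SIZE - 1));
}
static uint8_t crypt_data(uint8_t d, uint8_t k, uint8_t a)
{
    return (uint8_t)(d ^ (uint8_t)(k + a));       /* its own inverse */
}

/* Host side: encrypt the image, place each byte at its scrambled address,
 * and program both keys into the protected area. Returns 0 on success,
 * -1 if the address key would map image bytes into the protected area. */
int host_build_image(const uint8_t *plain, uint8_t n, uint8_t akey, uint8_t dkey)
{
    memset(mem, 0xFF, sizeof mem);
    for (uint8_t a = 0; a < n; a++) {
        uint8_t phys = scramble_addr(a, akey);
        if (phys >= PROT_BASE)
            return -1;
        mem[phys] = crypt_data(plain[a], dkey, a);
    }
    mem[ADDR_KEY_AT] = akey;
    mem[DATA_KEY_AT] = dkey;
    return 0;
}

/* Key fetch before the operation or during idle time. */
void load_keys(void)
{
    addr_key_reg = mem[ADDR_KEY_AT];
    data_key_reg = mem[DATA_KEY_AT];
}

/* CPU read through the encryption/decryption unit. Returns 0 with the
 * plaintext byte, or -1 when the encrypted address falls in the protected
 * area and the memory control module (05) interrupts it. */
int cpu_read(uint8_t logical, uint8_t *out)
{
    uint8_t phys = scramble_addr(logical, addr_key_reg);
    if (phys >= PROT_BASE)
        return -1;
    *out = crypt_data(mem[phys], data_key_reg, logical);
    return 0;
}

/* 1 if every byte read through the unit matches the plaintext image. */
int roundtrip_ok(const uint8_t *plain, uint8_t n)
{
    uint8_t v;
    for (uint8_t a = 0; a < n; a++)
        if (cpu_read(a, &v) != 0 || v != plain[a])
            return 0;
    return 1;
}

/* 1 if a sequential dump of the user area differs from the plaintext,
 * i.e. a reader without the keys sees scrambled data. */
int raw_dump_differs(const uint8_t *plain, uint8_t n)
{
    return memcmp(mem, plain, n) != 0;
}

int main(void)
{
    if (host_build_image(SAMPLE, IMG_SIZE, 0x0B, 0x3C) != 0)
        return 1;
    load_keys();
    printf("CPU view matches image : %d\n", roundtrip_ok(SAMPLE, IMG_SIZE));
    printf("raw dump is scrambled  : %d\n", raw_dump_differs(SAMPLE, IMG_SIZE));
    return 0;
}
```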
As shown in Fig. 4, the memory of the invention described above is a non-volatile memory, such as a one-time programmable memory or Flash, and is divided into:
---a protected area, used to store the memory data/program decryption key, the memory address encryption key, and the protection codes;
---a non-protected area, used to store data that does not need protection.
The protected area can additionally protect user-defined data or programs that need protection.
The memory data/program decryption key, the memory address encryption key, and the protection codes are programmed into predetermined addresses of the memory;
The data or programs stored at different addresses of the memory may correspond to different protection codes and keys; the data or programs stored at some of the different addresses may correspond to the same protection code and key; and, of course, the data or programs stored at all addresses of the memory may correspond to the same protection code and key.
It should be understood that the above embodiments merely illustrate the invention and do not limit it; any innovation that does not go beyond the spirit and scope of the invention falls within the scope of protection of the invention.
Claims (18)
1. the nonvolatile memory protection system is characterized in that realizing memory program/verification, and it comprises: programming/verification unit, control module and storer:
Described control module comprises memory control module, key/protected code registers group, storage address selection module and protection module, wherein:
Memory control module is connected programming/verification unit by the control input end mouth one of control module with the first input control signal line (W15c), receives memory program or storer checking command that programming/verification unit is sent;
Memory control module is connected programming/verification unit by the address input end mouth one of control module with the first Input Address line (W16a), receives the memory addressing address that programming/verification unit is sent;
Storage address selects module to be connected programming/verification unit by the address input end mouth one of control module with the first Input Address line (W16a), receives the memory addressing address that programming/verification unit is sent;
Protection module is connected programming/verification unit by the data-in port one of control module with first input data line (w13d), receives the programming data/program of programming/verification unit output;
The protection module connects to the memory through data output port 1 of the control module and the first output data line (w37d). According to the protected code for the corresponding programming address supplied by the key/protected code register, it performs one of the following operations: (1) when the protected code allows access, it outputs the programming data/program to the memory; (2) when the protected code forbids access, it outputs to the memory data that has been changed by the protected code, without changing the data/program held in the memory; (3) when the protected code forbids access, it does not output the programming data/program to the memory;
The protection module connects to the memory through data input port 2 of the control module and the second input data line (w07d) and, according to the verification address output by the memory address selection module, receives the verification data/program supplied by the memory;
The key/protected code register group connects to the memory through data input port 2 of the control module and the second input data line (w07d); according to the protected code address output by the memory address selection module, it receives the protected code of the corresponding address supplied by the memory, or obtains the protected code of the corresponding address from the memory before programming/verification; the protected code is then passed to the protection module over the protected code data line (w43d).
The protection module connects to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d). According to the protected code for the corresponding verification address supplied by the key/protected code register, it performs one of the following operations: (1) when the protected code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protected code forbids access, it outputs to the programming/verification unit data that has been changed by the protected code; (3) when the protected code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module connects to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming or verification;
The memory address selection module connects to the memory through address output port 1 of the control module and the first output address line (w67a); the address output port selectively outputs the protected code address or the programming/verification addressing address to the memory;
The memory control module connects to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the protected code address, the programming address or the verification address for output.
The memory control module connects to the key/protected code register group through the register control line (w54c), and commands the key/protected code register group to update the protected code;
The key/protected code register group connects to the memory control module through the register data line (w45d), and supplies the updated protected code to the memory control module.
2. The nonvolatile memory protection system as claimed in claim 1, characterized in that when the programming or verification address is an address in the memory protection area, the memory control module disables the effect of the first input control signal line (W15c).
3. The nonvolatile memory protection system as claimed in claim 1, characterized in that the programming data/program supplied by the programming/verification unit is encrypted data/program.
4. A nonvolatile memory protection system, characterized in that it is directed to memory encryption/decryption and comprises: a CPU, an encryption/decryption unit, a control module and a memory:
The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the instructions sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the to-be-encrypted memory address, or the address of the memory data/program to be decrypted, sent by the CPU; the encryption/decryption unit supplies the decrypted memory data/program to the CPU over the CPU data line (w02d);
The control module comprises a memory control module, a key/protected code register group and a memory address selection module, wherein:
The memory control module connects to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module connects to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module connects to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protected code register group connects to the memory through data input port 2 of the control module and the second input data line (w07d); according to the key address output by the memory address selection module, it receives the memory address encryption key or the memory data/program decryption key supplied by the memory.
The key/protected code register group connects to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module connects to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform memory address encryption or memory data/program decryption;
The memory address selection module connects to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs the encrypted address or the data/program decryption address to the memory;
The memory control module connects to the memory address selection module through the selection control line (w56c) and the selection address line (w56a), and controls the address selection module to select the encrypted address or the data/program decryption address for output.
The memory control module connects to the key/protected code register group through the register control line (w54c), and commands the key/protected code register group to update the key;
The key/protected code register group connects to the memory control module through the register data line (w45d), and supplies the updated key to the memory control module.
The memory connects to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
5. The nonvolatile memory protection system as claimed in claim 4, characterized in that the encryption/decryption unit obtains the protected code from the key/protected code register group and determines, by means of the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
6. A nonvolatile memory protection system, characterized in that it comprises: a programming/verification unit, a CPU, an encryption/decryption unit, a control module and a memory:
The memory control module connects to the programming/verification unit through control input port 1 of the control module and the first input control signal line (W15c), and receives the memory programming or memory verification instruction sent by the programming/verification unit;
The memory control module connects to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The memory address selection module connects to the programming/verification unit through address input port 1 of the control module and the first input address line (W16a), and receives the memory addressing address sent by the programming/verification unit;
The protection module connects to the programming/verification unit through data input port 1 of the control module and the first input data line (w13d), and receives the programming data/program output by the programming/verification unit;
The protection module connects to the memory through data output port 1 of the control module and the first output data line (w37d). According to the protected code for the corresponding programming address supplied by the key/protected code register, it performs one of the following operations: (1) when the protected code allows access, it outputs the programming data/program to the memory; (2) when the protected code forbids access, it outputs to the memory data that has been changed by the protected code, without changing the data/program held in the memory; (3) when the protected code forbids access, it does not output the programming data/program to the memory;
The protection module connects to the memory through data input port 2 of the control module and the second input data line (w07d) and, according to the verification address output by the memory address selection module, receives the verification data/program supplied by the memory;
The key/protected code register group connects to the memory through data input port 2 of the control module and the second input data line (w07d); according to the protected code address or key address output by the memory address selection module, it receives the corresponding protected code or key supplied by the memory, or, before programming, verification, decryption or encryption, obtains from the memory the protected code, address encryption key or memory data decryption key corresponding to the programming data/program or verification data/program; the protected code is then passed to the protection module over the protected code data line (w43d);
The protection module connects to the programming/verification unit through data output port 2 of the control module and the second output data line (w31d). According to the protected code for the corresponding verification address supplied by the key/protected code register, it performs one of the following operations: (1) when the protected code allows access, it outputs the verification data/program to the programming/verification unit; (2) when the protected code forbids access, it outputs to the programming/verification unit data that has been changed by the protected code; (3) when the protected code forbids access, it does not output the verification data/program to the programming/verification unit;
The memory control module connects to the encryption/decryption unit through control input port 2 of the control module and the second input control signal line (W25c), and receives the memory address encryption or memory data decryption instruction sent by the encryption/decryption unit;
The memory control module connects to the encryption/decryption unit through address input port 2 of the control module and the second input address line (W25a), and receives the memory addressing address sent by the encryption/decryption unit;
The memory address selection module connects to the encryption/decryption unit through address input port 3 of the control module and the third input address line (W26a), and receives the memory addressing address sent by the encryption/decryption unit;
The key/protected code register group connects to the encryption/decryption unit through data output port 3 of the control module and the third output data line (w42d), and supplies the data/program decryption key or the address encryption key to the encryption/decryption unit;
The memory control module connects to the memory through control output port 1 of the control module and the first output control signal line (w57c), and controls the memory to perform programming, verification, address encryption or memory data/program decryption; further, when the programming or verification address is an address in the memory protection area, the memory control module can also disable the effect of the first input control signal line (W15c);
The memory address selection module connects to the memory through address output port 1 of the control module and the first output address line (w67a); according to the control signal and address signal sent to it by the memory control module, the address output port outputs to the memory the protected code address or the programming/verification addressing address in the programming/verification state, and the encrypted address or the data/program decryption address in the memory address encryption/data decryption state;
The memory control module connects to the memory address selection module through the selection control line (w56c) and the selection address line (w56a); in the programming/verification state it controls the address selection module to select the protected code address, the programming address or the verification address for output, and in the memory address encryption or data/program decryption state it controls the address selection module to select the encrypted address or the data/program decryption address for output.
The memory control module connects to the key/protected code register group through the register control line (w54c), and commands the key/protected code register group to update the protected code;
The key/protected code register group connects to the memory control module through the register data line (w45d), and supplies the updated protected code to the memory control module;
The memory connects to the encryption/decryption unit through the second input data line (w07d), and supplies the data/program to be decrypted to the encryption/decryption unit.
7. The nonvolatile memory protection system as claimed in claim 6, characterized in that when the programming or verification address is an address in the memory protection area, the memory control module disables the effect of the first input control signal line (W15c).
8. The nonvolatile memory protection system as claimed in claim 6, characterized in that the programming data/program supplied by the programming/verification unit is encrypted data/program.
9. The nonvolatile memory protection system as claimed in claim 6, characterized in that the encryption/decryption unit obtains the protected code from the key/protected code register group and determines, by means of the CPU control signal line (W02c) and the address line (W02a), whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden.
10. A nonvolatile memory protection method, characterized in that it programs memory data/program and comprises the following steps:
(1) The programming/verification unit connects to the memory control module of the control module through the first input control signal line (W15c) and sends a programming instruction to the control module; the programming/verification unit connects to the memory address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the addressing address corresponding to the programming data/program; the programming data/program output of the programming/verification unit connects to the protection module of the control module through the first input data line (w13d) and outputs the programming data/program;
(2) After the memory control module of the control module receives the programming instruction, it outputs the protected code storage address to the memory address selection module over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module to output on the first output address line (w67a) the protected code storage address corresponding to the addressing address; at the same time the memory control module, over the control line (w57c), controls the memory to supply the protected code of the corresponding address to the key/protected code register group over the second input data line (w07d); the key/protected code register group updates the protected code under the control of the register control line (w54c); the updated protected code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module determines from the received protected code whether the addressing address sent by the programming/verification unit is an address in the memory protection area. If the addressing address is not a protection area address, the memory control module, over the selection control line (w56c), notifies the memory address selection module to select the programming address sent on the first input address line (W16a); the memory address selection module supplies the programming address to the memory over the first output address line (w67a); the protection module supplies the programming data/program to the memory over the first output data line (w37d); and the memory, under the control of the control line (w57c), stores the programming data/program at the corresponding memory address. If the addressing address is an address in the memory protection area, the memory control module shields the programming control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protected code output by the key/protected code register group disturbs the programming data/program output by the protection module, and the content of the memory is not changed.
11. The nonvolatile memory protection method as claimed in claim 10, characterized in that the programming data/program supplied by the programming/verification unit is encrypted data/program.
12. A nonvolatile memory protection method, characterized in that it is a method for verifying memory data and comprises the following steps:
(1) The programming/verification unit connects to the memory control module of the control module through the first input control signal line (W15c) and sends a verification instruction to the control module; the programming/verification unit connects to the memory address selection module and the memory control module of the control module through the first input address line (W16a) and outputs the addressing address corresponding to the verification data/program;
(2) After the memory control module of the control module receives the verification instruction, it outputs the protected code storage address to the memory address selection module over the selection address line (w56a) and, over the selection control line (w56c), controls the memory address selection module to output on the first output address line (w67a) the protected code storage address corresponding to the addressing address; at the same time the memory control module, over the control line (w57c), controls the memory to supply the protected code of the corresponding address to the key/protected code register group over the second input data line (w07d); the key/protected code register group updates the protected code under the control of the register control line (w54c); the updated protected code is supplied to the memory control module over the register data line (w45d) and to the protection module over the data line (w43d);
(3) The memory control module determines from the received protected code whether the addressing address sent by the programming/verification unit is an address in the memory protection area. If the addressing address is not a protection area address, the memory control module, over the selection control line (w56c), notifies the memory address selection module to select the verification address sent on the first input address line (W16a); the memory address selection module supplies the verification address to the memory over the first output address line (w67a); the memory, under the control of the control line (w57c), supplies the verification data/program corresponding to the addressing address to the protection module over the data line (w07d); and the protection module supplies it to the programming/verification unit over the second output data line (w31d) for verification. If the addressing address is an address in the memory protection area, the memory control module shields the verification control signal sent by the programming/verification unit on the first input control signal line (W15c), or the protected code output by the key/protected code register group disturbs the verification data/program output by the protection module.
13. The nonvolatile memory protection method as claimed in claim 12, characterized in that the method of updating the key/protected code register group in step (2) may be replaced by any one of the following three:
(1) on system reset, or when the read sequence restarts, the protected codes of the memory protection area are read out, and each protected code or key of the protection area is loaded into the corresponding key/protected code register group of the control module;
(2) before memory data/program verification is carried out, the protected codes or keys of the memory protection area are read out, and each protected code of the protection area is loaded into the corresponding key/protected code register group of the control module;
(3) during idle time, the protected codes of the memory protection area are read out, and each protected code of the protection area is loaded into the corresponding key/protected code register group of the control module.
14. The nonvolatile memory protection method as claimed in claim 12, characterized in that the method is carried out after the memory data/program programming of claim 10.
15. A nonvolatile memory protection method, characterized in that it performs memory address encryption and comprises the following steps:
(1) The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the instruction sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the to-be-encrypted memory address sent by the CPU;
(2) The encryption/decryption unit obtains the encryption key for the corresponding address from the key/protected code register group of the control module and uses the address encryption key to encrypt the to-be-encrypted memory address sent by the CPU; the encryption/decryption unit outputs the encrypted address to the memory control module over the second input address signal line (w25a) and to the memory address selection module over the address signal line (w26a); the encryption/decryption unit connects to the memory control module of the control module through the second input control signal line (W25c) and sends an instruction to the memory control module;
(3) If the encrypted address received by the memory control module is an address in the memory protection area, the memory control module interrupts the encrypted address sent on the second output address signal line (w25a); if the encrypted address received by the memory control module is an address in the non-protected area of the memory, the memory control module, over the selection control line (w56c), notifies the memory address selection module to select the encrypted address supplied by the encryption/decryption unit on the third input address line (W26a), and the memory address selection module supplies the encrypted address to the memory over the first output address line (w67a).
16. The nonvolatile memory protection method as claimed in claim 15, characterized in that step (1) further comprises: the encryption/decryption unit obtains the protected code from the key/protected code register group and determines, by means of the CPU control signal line (W02c) and the CPU address line (W02a), whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
17. A nonvolatile memory protection method, characterized in that it is a method for decrypting memory data/program and comprises the following steps:
(1) The encryption/decryption unit connects to the CPU through the CPU control signal line (w02c) and receives the read-memory-data instruction sent by the CPU; the encryption/decryption unit connects to the CPU through the CPU address line (W02a) and receives the addressing address, sent by the CPU, of the data/program in the memory that needs to be decrypted;
(2) The encryption/decryption unit connects to the memory control module of the control module through the second input control signal line (W25c) and sends a read-memory-data/program instruction to the control module; the encryption/decryption unit connects to the memory control module of the control module through the second input address line (W25a) and to the memory address selection module through the third input address line (w26a), and outputs the addressing address of the data/program that needs to be decrypted;
(3) The memory control module, over the selection control line (w56c), controls the memory address selection module to select the addressing address output by the encryption/decryption unit on the third input address line (W26a); the memory address selection module supplies the addressing address to the memory over the first output address line (w67a); the memory, under the control of the first output control signal line (w57c), supplies the stored data corresponding to the addressing address to the encryption/decryption unit over the second input data line (w07d);
(4) The encryption/decryption unit decrypts the received memory data in the predefined manner using the data/program decryption key output on the third output data line (w42d), and supplies the decrypted data/program to the CPU.
18. The nonvolatile memory protection method as claimed in claim 17, characterized in that step (1) further comprises: the encryption/decryption unit obtains the protected code from the key/protected code register group and determines, by means of the CPU control line (W02c) and the CPU address line (W02a), whether the user program the CPU is running is an authorized user program; if it is not an authorized user program, memory access is forbidden; if it is an authorized user program, the method continues with step (2).
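The programming and verification flows of claims 10 and 12, as a small behavioural model in C. This is an added example, not code from the patent: the function names, the block size, the position of the protected-code table, the code encoding (0xFF open, 0x00 shield, any other value disturb) and the XOR used as the "change" are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE    64u
#define BLOCK_SIZE  16u                      /* assumed: one protected code per block */
#define PCODE_BASE  (MEM_SIZE - BLOCK_SIZE)  /* assumed: code table is the last block */
#define TABLE_BLOCK (PCODE_BASE / BLOCK_SIZE)

/* Assumed protected-code encoding; the claims do not define one. */
#define PC_OPEN     0xFFu  /* erased value: access allowed */
#define PC_SHIELD   0x00u  /* control signal shielded, nothing is output */
/* any other value: the data path is disturbed with this code */

enum outcome { ACC_OK, ACC_SHIELDED, ACC_SCRAMBLED, ACC_BAD_ADDR };

struct control_module {
    uint8_t mem[MEM_SIZE];  /* the nonvolatile memory behind the control module */
    uint8_t pcode_reg;      /* key/protected code register */
};

void cm_init(struct control_module *cm)
{
    memset(cm->mem, 0xFF, sizeof cm->mem);   /* erased part: every block open */
    cm->pcode_reg = PC_OPEN;
}

/* Step (2): refresh the register with the protected code stored for addr's block. */
static enum outcome cm_load_pcode(struct control_module *cm, uint32_t addr)
{
    if (addr >= MEM_SIZE)
        return ACC_BAD_ADDR;
    cm->pcode_reg = cm->mem[PCODE_BASE + addr / BLOCK_SIZE];
    if (cm->pcode_reg == PC_OPEN)
        return ACC_OK;
    return cm->pcode_reg == PC_SHIELD ? ACC_SHIELDED : ACC_SCRAMBLED;
}

/* Claim 10, step (3): only an open address reaches the array. */
enum outcome cm_program(struct control_module *cm, uint32_t addr, uint8_t data)
{
    enum outcome o = cm_load_pcode(cm, addr);
    if (o == ACC_OK)
        cm->mem[addr] = data;
    return o;                 /* protected address: memory content unchanged */
}

/* Claim 12, step (3): open data passes; protected data is withheld or disturbed. */
enum outcome cm_verify(struct control_module *cm, uint32_t addr, uint8_t *out)
{
    enum outcome o = cm_load_pcode(cm, addr);
    if (o == ACC_OK)
        *out = cm->mem[addr];
    else if (o == ACC_SCRAMBLED)   /* XOR is a stand-in for "changed" */
        *out = (uint8_t)(cm->mem[addr] ^ cm->pcode_reg);
    return o;                 /* shielded or bad address: *out left untouched */
}

/* Write an image into block 0, then lock it. Codes go in last: once the table
 * block's own code is written, the table can no longer be programmed. */
int cm_provision(struct control_module *cm, const uint8_t *img, uint32_t len,
                 uint8_t code)
{
    if (len > BLOCK_SIZE || code == PC_OPEN)
        return -1;
    for (uint32_t i = 0; i < len; i++)
        if (cm_program(cm, i, img[i]) != ACC_OK)
            return -1;
    if (cm_program(cm, PCODE_BASE + 0, code) != ACC_OK)
        return -1;
    /* Shield the table itself so the stored codes cannot be read back. */
    if (cm_program(cm, PCODE_BASE + TABLE_BLOCK, PC_SHIELD) != ACC_OK)
        return -1;
    return 0;
}

int main(void)
{
    static const uint8_t image[] = { 0xDE, 0xAD, 0xBE, 0xEF };  /* constructed */
    struct control_module cm;
    uint8_t rd = 0;
    enum outcome o;

    cm_init(&cm);
    printf("provision: %d\n", cm_provision(&cm, image, sizeof image, 0x5A));
    o = cm_program(&cm, 0, 0x00);
    printf("overwrite protected: %d, cell still 0x%02X\n", o, (unsigned)cm.mem[0]);
    o = cm_verify(&cm, 0, &rd);
    printf("verify protected: %d, readback 0x%02X\n", o, (unsigned)rd);
    printf("clear lock code: %d\n", cm_program(&cm, PCODE_BASE, PC_OPEN));
    printf("program open block: %d\n", cm_program(&cm, BLOCK_SIZE, 0x11));
    return 0;
}
```

The model makes the ordering constraint visible: a second `cm_provision` call on the same part fails because block 0 is already protected.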
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200910098918 CN101901629B (en) | 2009-05-25 | 2009-05-25 | Nonvolatile memory protecting system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN 200910098918 CN101901629B (en) | 2009-05-25 | 2009-05-25 | Nonvolatile memory protecting system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101901629A (en) | 2010-12-01 |
CN101901629B (en) | 2013-12-25 |
Family
ID=43227105
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN 200910098918 Active CN101901629B (en) | 2009-05-25 | 2009-05-25 | Nonvolatile memory protecting system and method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101901629B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102750233A (en) * | 2011-03-22 | 2012-10-24 | Arm有限公司 | Encrypting and storing confidential data |
CN103139366A (en) * | 2011-12-05 | 2013-06-05 | 希姆通信息技术(上海)有限公司 | Mobile terminal and data protection method thereof |
CN103686351A (en) * | 2012-09-24 | 2014-03-26 | 晨星软件研发(深圳)有限公司 | Descrambling device and TV system using the descrambling device |
CN104050420A (en) * | 2013-03-15 | 2014-09-17 | 辉达公司 | System and method for protecting data |
CN105046173A (en) * | 2015-07-02 | 2015-11-11 | 山东超越数控电子有限公司 | Fast and reliable design method for destroying SSD hard disk |
CN115150074A (en) * | 2022-06-23 | 2022-10-04 | 杭州萤石软件有限公司 | A method, device, electronic device and storage medium for virtual OTP decryption |
CN115359833A (en) * | 2022-09-05 | 2022-11-18 | 珠海创飞芯科技有限公司 | A storage chip test key protection method, device and equipment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1102265A (en) * | 1993-03-20 | 1995-05-03 | 莫托罗拉公司 | Data storage device |
CN1316087A (en) * | 1999-04-27 | 2001-10-03 | 松下电器产业株式会社 | Semiconductor memory card and data reading apparatus |
CN101246743A (en) * | 2007-02-14 | 2008-08-20 | 上海海尔集成电路有限公司 | Flash memory interface |
US20090113220A1 (en) * | 2007-10-26 | 2009-04-30 | Sang Han Lee | Encrypted backup data storage device and storage system using the same |
CN201655334U (en) * | 2009-05-25 | 2010-11-24 | 杭州士兰微电子股份有限公司 | Nonvolatile memory protection system |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102750233A (en) * | 2011-03-22 | 2012-10-24 | Arm有限公司 | Encrypting and storing confidential data |
US9280675B2 (en) | 2011-03-22 | 2016-03-08 | Arm Limited | Encrypting and storing confidential data |
CN103139366A (en) * | 2011-12-05 | 2013-06-05 | 希姆通信息技术(上海)有限公司 | Mobile terminal and data protection method thereof |
CN103139366B (en) * | 2011-12-05 | 2014-09-24 | 希姆通信息技术(上海)有限公司 | Mobile terminal and data protection method thereof |
CN103686351A (en) * | 2012-09-24 | 2014-03-26 | 晨星软件研发(深圳)有限公司 | Descrambling device and TV system using the descrambling device |
CN103686351B (en) * | 2012-09-24 | 2017-04-19 | 晨星软件研发(深圳)有限公司 | Descrambling device and television system using descrambling device |
CN104050420A (en) * | 2013-03-15 | 2014-09-17 | 辉达公司 | System and method for protecting data |
CN104050420B (en) * | 2013-03-15 | 2017-08-15 | 辉达公司 | System and method for protecting data |
CN105046173A (en) * | 2015-07-02 | 2015-11-11 | 山东超越数控电子有限公司 | Fast and reliable design method for destroying SSD hard disk |
CN115150074A (en) * | 2022-06-23 | 2022-10-04 | 杭州萤石软件有限公司 | A method, device, electronic device and storage medium for virtual OTP decryption |
CN115359833A (en) * | 2022-09-05 | 2022-11-18 | 珠海创飞芯科技有限公司 | A storage chip test key protection method, device and equipment |
Also Published As
Publication number | Publication date |
---|---|
CN101901629B (en) | 2013-12-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN104156642B (en) | A kind of security password input system and method based on safe touch screen control chip | |
KR102013841B1 (en) | Method of managing key for secure storage of data, and and apparatus there-of | |
EP0583140B1 (en) | System for seamless processing of encrypted and non-encrypted data and instructions | |
CN101031068B (en) | Method and system for secure system-on-a-chip architecture for multimedia data processing | |
US6345359B1 (en) | In-line decryption for protecting embedded software | |
US8213612B2 (en) | Secure software download | |
US8347114B2 (en) | Method and apparatus for enforcing a predetermined memory mapping | |
US20150186679A1 (en) | Secure processor system without need for manufacturer and user to know encryption information of each other | |
US7774622B2 (en) | CRPTO envelope around a CPU with DRAM for image protection | |
US10237059B2 (en) | Diversified instruction set processing to enhance security | |
US9081724B2 (en) | Method and device for protecting memory content using first and second addressable storage regions and first and second encryption keys | |
CN101996154B (en) | General processor supporting reconfigurable safety design | |
KR101303278B1 (en) | FPGA apparatus and method for protecting bitstream | |
CN101901629B (en) | Nonvolatile memory protecting system and method | |
CN114785503B (en) | Cipher card, root key protection method thereof and computer readable storage medium | |
JP2009163284A (en) | Processor device | |
CN102347834A (en) | Trusted mobile platform architecture | |
CN106383790A (en) | Bus management unit and high safety system on chip | |
CN204242180U (en) | A kind of security password input system based on safe touch screen control chip | |
US9152576B2 (en) | Mode-based secure microcontroller | |
US20210319142A1 (en) | System and method for providing protected data storage in data memory | |
CN104506504A (en) | Security mechanism and security device for confidential information of card-free terminal | |
CN108959129B (en) | A Hardware-Based Confidentiality Protection Method for Embedded Systems | |
CN100489877C (en) | Process and device for preventing fraudulent use of terminal software | |
WO2008071222A1 (en) | Protecting a programmable memory against unauthorized modification |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant |