
CN109697174B - Sensitive partition protection method for airborne computer storage system - Google Patents


Info

Publication number
CN109697174B
Authority
CN
China
Prior art keywords
partition
logic
protection
storage system
register
Prior art date
Legal status
Active
Application number
CN201811533512.9A
Other languages
Chinese (zh)
Other versions
CN109697174A (en)
Inventor
索晓杰
马小博
段小虎
冯军波
康晓东
白晨
Current Assignee
Xian Aeronautics Computing Technique Research Institute of AVIC
Original Assignee
Xian Aeronautics Computing Technique Research Institute of AVIC
Priority date
Filing date
Publication date
Application filed by Xian Aeronautics Computing Technique Research Institute of AVIC
Priority to CN201811533512.9A
Publication of CN109697174A
Application granted
Publication of CN109697174B
Legal status: Active (current)
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00 Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14 Protection against unauthorised use of memory or access to memory
    • G06F12/1408 Protection against unauthorised use of memory or access to memory by using cryptography
    • G06F12/1416 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights
    • G06F12/1425 Protection against unauthorised use of memory or access to memory by checking the object accessibility, e.g. type of access defined by the memory independently of subject rights, the protection being physical, e.g. cell, word, block
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention provides a sensitive partition protection method for an airborne computer storage system, based on the characteristics of that storage system, and belongs to the field of airborne computer design. The storage system of the airborne computer uses partition management; access authority is controlled by purpose-designed electronic hardware logic, and the protection strategy is flexibly configured by software. This realises access control of the partitions, lets different control strategies be selected for the key protection of sensitive partitions, and avoids the data loss or damage that illegal operation or misoperation on a sensitive partition would cause. The protected partition range can be flexibly configured, the protection strategy can be selected, and a hardware data encryption function can be configured. The method has strong universality.

Description

Sensitive partition protection method for airborne computer storage system
Technical Field
The invention discloses a sensitive partition protection method for an airborne computer storage system, proposed on the basis of the characteristics of such a storage system, and belongs to the field of airborne computer design.
Background
Storage media in hardware designs are typically built by word expansion or bit expansion, splicing several small-capacity or low-bit-width memory chips into a storage medium that meets the system requirements. Word expansion combines several memories of the same bit width into a storage medium of larger capacity; it expands only the capacity. Bit expansion combines several memories of small bit width into a storage medium of larger bit width; it expands both the capacity and the bit width of the memory.
Onboard computer systems often use several low-bit-width (8-bit or 16-bit) memories to implement a high-bit-width (32-bit or 64-bit) storage medium by bit expansion, and manage the storage medium by partitions. Data whose loss or damage would cause significant loss or increase maintenance cost is called sensitive data, and the partitions that store it are called sensitive partitions.
In a memory system implemented by bit expansion, each partition spans part of the address space of several memory chips. The memory is usually implemented with FLASH, and a FLASH chip is generally designed with a write-protect signal that can be controlled by software or hardware. That signal enables or disables write operations for the entire chip, so the memory's own write-protect signal cannot meet the partition protection requirements of the onboard computer storage system.
Therefore, storage-space access right control logic is designed into the decoding logic of the storage system, and configuration software is designed on the software side, to realise partition protection of the accessed resources. This gives key protection to the sensitive partition and avoids data loss or damage caused by illegal operation or misoperation.
Disclosure of Invention
The purpose of the invention is: in view of the importance of the sensitive partition, to provide a protection method for sensitive partitions of the airborne computer storage system. Access control of a partition is realised by electronic hardware logic that controls access authority together with a protection strategy flexibly configured by software; key protection of the sensitive partition is achieved by selecting different control strategies, so that data loss or damage from illegal operation or misoperation on the sensitive partition is avoided.
The technical scheme of the invention is as follows. The sensitive partition protection method for the airborne computer storage system is built on the partition management characteristic of that storage system. The storage system comprises a processor unit, a logic decoding unit (FPGA) and a storage medium. The storage medium uses bit expansion to combine several storage media of small bit width into one storage medium of larger bit width, so each partition of the storage medium contains portions of several of the small-bit-width media. The logic decoding unit decodes the control signals and address of the processor unit's memory bus into control signals for the storage medium, completing the processor's access to the medium; the storage medium writes or reads data according to the control signals of the logic decoding unit.
The storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width. Each partition of the storage system therefore contains part of several small-bit-width media, and the protection measures (write-protect functions) of those media cannot meet the requirements of sensitive partition protection.
The logic decoding unit implements protection logic and encryption logic within the logic decoding, to complete the judgment of access authority and inhibit misoperation. The protection logic comprises address space judgment logic for the protected partition, access right judgment logic, and protection enable/disable judgment logic; the encryption logic comprises encryption enable/disable decision logic and the encryption logic itself.
The processor unit carries corresponding configuration software, which sets the address space, access authority, protection function enable (disabled by default) and encryption enable of the partition to be protected. This configuration is set in the product maintenance state; a user has no right to change the related parameters during use, which is what gives the sensitive information its key protection.
The advantages of the invention are: the partition protection of the storage system is realised by programmable logic (electronic hardware), giving high reliability; an encryption function is provided at the same time; the software can flexibly set the protection function and protection strategy according to the system's requirements, giving high flexibility. The method also has strong universality in other storage systems.
Drawings
Fig. 1 is a block diagram of the system architecture of the present invention.
FIG. 2 is a software and hardware configuration diagram of access rights of a partition of a storage system.
FIG. 3 is a state transition diagram of an access operation to a protected partition of the storage system.
Detailed Description
The method is built on the partition management characteristic of the storage system of an onboard computer. The storage system comprises a processor unit, a logic decoding unit (FPGA) and a storage medium. The storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width, so each partition of the storage medium contains portions of several of the small-bit-width media. The logic decoding unit decodes the control signals and address of the processor unit's memory bus into control signals for the storage medium, completing the processor's access to the medium; the storage medium writes or reads data according to the control signals of the logic decoding unit.
In this method for protecting a sensitive partition of the airborne computer storage system, the storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width. Each partition of the storage system therefore contains part of several small-bit-width media, and the protection measures (write-protect functions) of those media cannot meet the requirements of sensitive partition protection.
In this method, the logic decoding unit implements protection logic and encryption logic within the logic decoding, so that the judgment of access authority is completed and misoperation is inhibited. The protection logic comprises address space judgment logic for the protected partition, access right judgment logic, and protection enable/disable judgment logic; the encryption logic comprises encryption enable/disable decision logic and the encryption logic itself.
In this method, corresponding configuration software is designed for the processor unit, which sets the address space, access right, protection function enable (disabled by default) and encryption enable of the partition to be protected. This configuration is set in the product maintenance state; a user has no right to change the related parameters during use, which is what gives the sensitive information its key protection.
The present invention will be described in further detail below.
The method is built on the partition management characteristic of the storage system of an onboard computer. The storage system comprises a processor unit, a logic decoding unit (FPGA) and a storage medium. The storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width, so each partition of the storage medium contains portions of several of the small-bit-width media. The logic decoding unit decodes the control signals and address of the processor unit's memory bus into control signals for the storage medium, completing the processor's access to the medium; the storage medium writes or reads data according to the control signals of the logic decoding unit. The storage system architecture is shown in fig. 1.
The hardware logic provides a limited partition address register, a limited partition access authority register, a limited partition enable register and a limited partition encryption enable register. The limited partition address register holds the start address and end address of the limited partition; it is configurable by software, which achieves the design goal of flexibly configuring the limited partition. Its definition is shown in table 1.
The limited partition access authority register sets whether the read right and the write right of the limited partition are limited; different settings correspond to different rights, and the combinations are: readable and writable, read allowed and write inhibited, read inhibited and write allowed, and read and write both inhibited. Its definition is shown in table 2.
The limited partition enable register indicates whether the partition limitation is in force. If it is not, no partition access limitation is applied; if it is, access is limited according to the settings of the limited partition address register and the limited partition access authority register. Its definition is shown in table 3.
When the limited partition encryption enable register is in force, written data is encrypted by the hardware logic before being stored in the storage medium, and read data is decrypted before being output. The encryption strategy designed in the logic is bit inversion. The definition of the limited partition data encryption enable register is shown in table 4.
Table 1 restricted partition address register (register layout image not reproduced; fields as noted)
addr_start_l: partition start address, low-order part; initial value 0
addr_start_h: partition start address, high-order part; initial value 0
addr_end_l: partition end address, low-order part; initial value 0
addr_end_h: partition end address, high-order part; initial value 0
Table 2 restricted partition access rights register (register layout image not reproduced; fields as noted)
R: 0 = read operation permitted, 1 = read operation prohibited; initial value 0
W: 0 = write operation permitted, 1 = write operation prohibited; initial value 0
E: 0 = erase operation permitted, 1 = erase operation prohibited; initial value 0
Table 3 restricted partition enable register (register layout image not reproduced; field as noted)
EN: 0 = access rights unlimited, 1 = access rights limited; initial value 0
Table 4 restricted partition data encryption enable register (register layout image not reproduced; field as noted)
EN: 0 = data not encrypted, 1 = data encrypted; initial value 0
The access right limitation of the storage partition is completed by software and hardware together: the software is responsible for the initial configuration, and the logic is responsible for managing the access right. The setup flow is shown in fig. 2: configure the access rights of the limited partition, set the limited partition enable, and set the encryption enable register. After the protection function is enabled, the flow of one access operation of the processor to the storage medium is as shown in fig. 3.
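As an added illustration (not code from the patent or its assignee), the following C model simulates the decoding logic that tables 1 to 4 and the fig. 2 / fig. 3 flow describe: the four registers, the address space, access right and enable judgments, the bit-inversion encryption, and the rule that configuration is accepted only in the maintenance state. Assumed, because the page does not specify them: 32-bit bus addresses assembled from the 16-bit low/high register parts, an inclusive end address, byte-wide data on a 64 KiB simulated medium, encryption applied only inside the limited partition, and every function and field name (`guard_allows`, `guard_xform`, `guard_example_policy` and so on).

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEDIUM_SIZE 0x10000u   /* constructed: 64 KiB simulated storage medium */
typedef enum { ACC_READ, ACC_WRITE, ACC_ERASE } access_t;

/* The four registers of tables 1-4; all reset to 0 (limitation off, encryption off). */
typedef struct {
    uint16_t addr_start_l, addr_start_h;  /* table 1: start address, low/high parts */
    uint16_t addr_end_l, addr_end_h;      /* table 1: end address, low/high parts */
    uint8_t  r, w, e;                     /* table 2: 1 = prohibit read/write/erase */
    uint8_t  en;                          /* table 3: 1 = limitation in force */
    uint8_t  enc_en;                      /* table 4: 1 = encrypt stored data */
} guard_regs_t;

/* Constructed policy: partition 0x1000..0x1FFF, read permitted, write and erase
 * prohibited, limitation and encryption enabled. */
const guard_regs_t guard_example_policy = {
    .addr_start_l = 0x1000, .addr_start_h = 0, .addr_end_l = 0x1FFF, .addr_end_h = 0,
    .r = 0, .w = 1, .e = 1, .en = 1, .enc_en = 1 };

static uint32_t part_start(const guard_regs_t *g) { return ((uint32_t)g->addr_start_h << 16) | g->addr_start_l; }
static uint32_t part_end(const guard_regs_t *g)   { return ((uint32_t)g->addr_end_h << 16) | g->addr_end_l; }

/* Address space judgment logic: is the bus address inside the limited partition? */
bool guard_in_partition(const guard_regs_t *g, uint32_t addr) {
    return addr >= part_start(g) && addr <= part_end(g);
}

/* Protection enable judgment + access right judgment logic: true when the decoder
 * may forward the operation to the storage medium. */
bool guard_allows(const guard_regs_t *g, uint32_t addr, access_t op) {
    if (!g->en) return true;                       /* table 3: no limitation */
    if (!guard_in_partition(g, addr)) return true; /* outside the partition */
    switch (op) {
        case ACC_READ:  return g->r == 0;
        case ACC_WRITE: return g->w == 0;
        case ACC_ERASE: return g->e == 0;
    }
    return false;                                  /* unknown operation: refuse */
}

/* Encryption logic: the page's bit-inversion strategy is its own inverse, so one
 * function encrypts on write and decrypts on read. Assumed partition-scoped. */
uint8_t guard_xform(const guard_regs_t *g, uint32_t addr, uint8_t data) {
    return (g->enc_en && guard_in_partition(g, addr)) ? (uint8_t)~data : data;
}

/* Configuration software path: registers change only in the product maintenance
 * state, so a user cannot relax the policy during normal use. */
bool guard_configure(guard_regs_t *regs, bool maintenance_state, const guard_regs_t *cfg) {
    if (!maintenance_state) return false;
    *regs = *cfg;
    return true;
}

/* One processor access through the decoder (the fig. 3 flow); false = refused. */
bool guard_write(const guard_regs_t *g, uint8_t *medium, uint32_t addr, uint8_t data) {
    if (addr >= MEDIUM_SIZE || !guard_allows(g, addr, ACC_WRITE)) return false;
    medium[addr] = guard_xform(g, addr, data);     /* encrypt, then store */
    return true;
}
bool guard_read(const guard_regs_t *g, const uint8_t *medium, uint32_t addr, uint8_t *out) {
    if (addr >= MEDIUM_SIZE || !guard_allows(g, addr, ACC_READ)) return false;
    *out = guard_xform(g, addr, medium[addr]);     /* load, then decrypt */
    return true;
}

/* Walks the description's flow on constructed data; true when every expectation holds. */
bool guard_demo(void) {
    static uint8_t medium[MEDIUM_SIZE];
    guard_regs_t regs = {0};                       /* reset state: unprotected */
    guard_regs_t relaxed = guard_example_policy;
    uint8_t v = 0;
    memset(medium, 0xFF, sizeof medium);           /* erased FLASH reads as 0xFF */
    if (guard_configure(&regs, false, &guard_example_policy)) return false;  /* use state: refused */
    if (!guard_configure(&regs, true, &guard_example_policy)) return false;  /* maintenance: accepted */
    if (guard_write(&regs, medium, 0x1000, 0xA5)) return false;              /* write inhibited */
    if (!guard_write(&regs, medium, 0x0010, 0xA5) || medium[0x0010] != 0xA5) return false; /* outside: plain */
    relaxed.w = 0;                                 /* maintenance re-configuration permitting writes */
    if (!guard_configure(&regs, true, &relaxed)) return false;
    if (!guard_write(&regs, medium, 0x1000, 0xA5) || medium[0x1000] != 0x5A) return false; /* stored inverted */
    if (!guard_read(&regs, medium, 0x1000, &v) || v != 0xA5) return false;   /* decrypted on read */
    relaxed.en = 0; relaxed.w = 1;                 /* limitation off: rights bits no longer apply */
    if (!guard_configure(&regs, true, &relaxed)) return false;
    return guard_allows(&regs, 0x1000, ACC_ERASE);
}

int main(void) {
    printf("guard model self-check: %s\n", guard_demo() ? "ok" : "FAILED");
    return 0;
}
```

Two design choices worth noting from a defender's view: the access decision refuses an operation it does not recognise instead of permitting it, and the only path that changes the registers is `guard_configure`, which models the description's rule that parameters are set in the maintenance state and not during use; in hardware the corresponding measure is gating the register write strobe with the maintenance-state signal.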

Claims (4)

1. A sensitive partition protection method of an airborne computer storage system, characterized in that: the method is realised on the basis of the partition management characteristic of the storage system of an onboard computer, wherein the storage system comprises a processor unit, a logic decoding unit and a storage medium; the storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width; each partition of the storage medium in the storage system contains portions of several of the small-bit-width media; the logic decoding unit decodes the control signals and address of the memory bus of the processor unit into control signals for the storage medium, completing the processor's access to the medium; the storage medium writes or reads data according to the control signals of the logic decoding unit;
a limited partition address register, a limited partition access authority register, a limited partition enable register and a limited partition encryption enable register are designed in the hardware logic; the start address and end address of the limited partition are stored in the limited partition address register, which is configurable by software, achieving the design goal of flexible configuration of the limited partition;
the limited partition access authority register sets whether the read right and the write right of the limited partition are limited; different settings correspond to different rights, and the combinations are: readable and writable, read allowed and write inhibited, read inhibited and write allowed, and read and write both inhibited;
the limited partition enable register indicates whether the partition limitation is in force; if it is set to invalid, no partition access limitation is applied, and if it is set to valid, the partition access limitation is applied according to the settings of the limited partition address register and the limited partition access authority register;
when the limited partition encryption enable register is in force, written data is encrypted by the hardware logic before being stored in the storage medium, and read data is decrypted before being output;
the access authority limitation of the storage partition is completed by software and hardware together: the software is responsible for the initial configuration and the logic is responsible for managing the access authority; the access rights of the limited partition are configured, the limited partition enable is set, and the encryption enable register is set; after the protection function is enabled, an access operation of the processor to the storage medium proceeds under this configuration.
2. The method for protecting sensitive partitions of an onboard computer storage system of claim 1, wherein: the storage medium uses bit expansion to combine several storage media of small bit width into a storage medium of larger bit width; each partition of the storage system contains part of several of the small-bit-width media, and the protection measures of those media cannot meet the requirements of sensitive partition protection.
3. The method for protecting sensitive partitions of an onboard computer storage system of claim 1, wherein: the logic decoding unit implements protection logic and encryption logic within the logic decoding, to complete the judgment of access authority and inhibit misoperation; the protection logic comprises address space judgment logic for the protected partition, access right judgment logic and protection enable/disable judgment logic; the encryption logic comprises encryption enable/disable decision logic and the encryption logic itself.
4. The method for protecting sensitive partitions of an onboard computer storage system of claim 1, wherein: corresponding configuration software is designed for the processor unit, which sets the address space, access right, protection function enable and encryption enable of the partition to be protected; the configuration information is set in the product maintenance state, and a user has no right to change the related parameters during use, so that key protection of the sensitive information is realised.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811533512.9A CN109697174B (en) 2018-12-14 2018-12-14 Sensitive partition protection method for airborne computer storage system

Publications (2)

Publication Number Publication Date
CN109697174A CN109697174A (en) 2019-04-30
CN109697174B true CN109697174B (en) 2023-06-23

Family

ID=66231749

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811533512.9A Active CN109697174B (en) 2018-12-14 2018-12-14 Sensitive partition protection method for airborne computer storage system

Country Status (1)

Country Link
CN (1) CN109697174B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112231178B (en) * 2020-11-03 2023-11-24 中国航空工业集团公司西安航空计算技术研究所 Power-on time timing system suitable for airborne high-safety computer
CN114327263B (en) * 2021-12-15 2024-12-17 中国航空工业集团公司成都飞机设计研究所 Multi-level management method for NVM (non-volatile memory) of flight control computer

Family Cites Families (16)

Publication number Priority date Publication date Assignee Title
CN100390817C (en) * 2003-06-10 2008-05-28 大唐微电子技术有限公司 IC smart card with dynamic logic sectorization and access right control function and implementing method thereof
CN100356342C (en) * 2003-11-18 2007-12-19 株式会社瑞萨科技 Information processing unit
CN1251065C (en) * 2003-11-21 2006-04-12 苏州国芯科技有限公司 Flushbonding CPU for information safety
CN100561449C (en) * 2005-09-23 2009-11-18 中国科学院计算技术研究所 A hard disk sector-level data encryption and decryption method and system
US8341430B2 (en) * 2008-10-03 2012-12-25 Microsoft Corporation External encryption and recovery management with hardware encrypted storage devices
US8719901B2 (en) * 2008-10-24 2014-05-06 Synopsys, Inc. Secure consultation system
KR101577886B1 (en) * 2011-06-29 2015-12-15 인텔 코포레이션 Method and apparatus for memory encryption with integrity check and protection against replay attacks
CN103136124B (en) * 2011-11-28 2015-12-09 国民技术股份有限公司 A kind of intelligent card hardware firewall system and its implementation
CN102999453B (en) * 2012-10-12 2015-09-09 杭州中天微系统有限公司 For the general non-volatile memory control device that System on Chip/SoC is integrated
CN103714626B (en) * 2013-05-01 2017-09-08 汪风珍 Many password early warning types can different card control bank card
CN106934258B (en) * 2015-12-31 2023-12-15 兆易创新科技集团股份有限公司 Embedded system
CN105787360B (en) * 2016-03-02 2019-01-04 杭州字节信息技术有限公司 A kind of Implementation Technology of embedded system memory safe access control
CN106485131A (en) * 2016-11-02 2017-03-08 黄松柏 Interactive obscure type dynamic encryption lock control system
US10747565B2 (en) * 2017-04-18 2020-08-18 Amazon Technologies, Inc. Virtualization of control and status signals
CN107832635A (en) * 2017-11-29 2018-03-23 鼎信信息科技有限责任公司 Access right control method, device, equipment and computer-readable recording medium
CN108123791B (en) * 2017-12-26 2019-03-08 衡阳师范学院 A kind of implementation method and device of lightweight block cipher SCS

Non-Patent Citations (1)

Title
BIOS-level hardware security protection for classified computers; 于晴; 王海洋; 信息网络安全 (Netinfo Security), No. 12, pp. 81-82 *

Also Published As

Publication number Publication date
CN109697174A (en) 2019-04-30

Similar Documents

Publication Publication Date Title
US11416417B2 (en) Method and apparatus to generate zero content over garbage data when encryption parameters are changed
US8041912B2 (en) Memory devices with data protection
US9135459B2 (en) Security management unit, host controller interface including same, method operating host controller interface, and devices including host controller interface
KR100906175B1 (en) Memory device with data security on the processor
US20100058066A1 (en) Method and system for protecting data
CN110968254B (en) Partition protection method and device for nonvolatile memory
US7752407B1 (en) Security RAM block
CN109697174B (en) Sensitive partition protection method for airborne computer storage system
CN106295414B (en) Non-volatile memory with partitioned write protection and protection position scrambling processing and write operation method thereof
US7761654B2 (en) System and method of utilizing off-chip memory
US20190377693A1 (en) Method to generate pattern data over garbage data when encryption parameters are changed
KR101789846B1 (en) Memory module for simultaneously providing at least one secure and at least one insecure memory area
US7054121B2 (en) Protection circuit for preventing unauthorized access to the memory device of a processor
KR102414866B1 (en) Information processing device, control method and program of information processing device
US20080034150A1 (en) Data processing circuit
CN108830114B (en) Data processing method and device of nonvolatile memory and storage medium
US6556476B1 (en) Non-volatile memory data protection
US9373377B2 (en) Apparatuses, integrated circuits, and methods for testmode security systems
JP2000181802A (en) Semiconductor storage device
US20200192824A1 (en) Security memory device and operation method thereof
CN118627141B (en) A mobile hard disk security method and device based on satellite authorization
US8924672B2 (en) Device with processing unit and information storage
KR100398620B1 (en) Memory device having circuit for scrambling data
CN119597704A (en) Network-on-chip system, access processing method thereof, and system-on-chip
Xiao et al. A physically-secure write scheme of Multi-time Programmable RRAM for critical information storage

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant