阅读说明：本技术 安全内核芯片 (Secure kernel chip ) 是由 许丰 于 2020-03-30 设计创作，主要内容包括：本发明公开了一种安全内核芯片,包括安全SPU和加密协处理器,采用自动加载随机噪声的指令体系,抗逻辑分析和DPA探测,通过扰乱加密总线对指令和数据做保护。所述安全SPU包括唯一编号、独立内存、程序存储器、数据存储器和控制加密协处理器及总线的接口,安全SPU启动程序根据加密逻辑和认证公钥,调用加密运算组件,能有效控制应用程序执行和安全更新,应用程序代码通过特定私钥签名,才能用安全SPU的指定公钥认证通过,安全SPU应用程序经过安全编译后,需要安全SPU处理才能正确执行,通过安全SPU的唯一编号或应用程序签名方的唯一编号能够计算认证用标识公钥,并保护数字签名,实现更安全的多应用。(The invention discloses a secure kernel chip, which comprises a secure SPU and an encryption coprocessor, adopts an instruction system for automatically loading random noise, resists logic analysis and DPA detection, and protects instructions and data by disturbing an encryption bus. The security SPU comprises a unique number, an independent memory, a program memory, a data memory and an interface for controlling an encryption coprocessor and a bus, a security SPU starting program calls an encryption operation component according to encryption logic and an authentication public key, and can effectively control execution and security updating of an application program, an application program code is signed by a specific private key and can be authenticated by using the specified public key of the security SPU, the security SPU application program can be correctly executed only by processing the security SPU after being safely compiled, an identification public key for authentication can be calculated by the unique number of the security SPU or the unique number of an application program signing party, and a digital signature is protected, so that more secure multi-application is realized.)

1. The secure kernel chip is characterized by at least comprising two independent CPUs, wherein at least comprising one secure SPU, the secure SPU, namely the secure CPU, is based on an independent secure kernel architecture, namely comprising a unique number, an independent memory, a program memory, a data memory, an encryption operation component and an encryption interface for controlling other CPUs and buses, a starting program in the secure SPU calls the encryption operation component according to an encryption logic and an authentication public key, so that the execution and the secure update of an operating system and an application program of all CPUs and SPUs can be effectively controlled, the operating system and the application program code can be authenticated by using the secure authentication public key of the SPU only through a specific private key signature, the operating system and the application program of all CPUs and SPUs can be correctly executed only by requiring the secure SPU to assist the processing after being compiled by a specific secure compiler, and the authentication public key can be calculated through the secure unique number or the unique number of a digital signature party, and protect the digital signature, realize the more secure multi-application.

2. The security kernel chip of claim 1, wherein the computing method of the authentication public key is an identification authentication method based on a combined public key, that is, a plurality of elliptic curve public and private key pairs are constructed, a plurality of coordinates are computed by using a digest value of the identification and a nonlinear algorithm, the corresponding public key points are added to the identification public key, and the corresponding private key is added to the identification private key in a modulo manner, so that each security CPU includes its own private key and public key matrix, and can directly compute the public key corresponding to the identification and verify the digital signature corresponding to the identification.

3. A secure kernel chip as claimed in claim 2 wherein said secure compiler performs encryption and digital signature operations with external secure hardware keys, each having a unique number representing the trusted identity of the operating system or application developer and facilitating traceability through digital signatures.

4. The security kernel chip of claim 3, wherein the security kernel chip further comprises a baseband chip, an audio/video multimedia processing chip, an application coprocessor chip, a memory controller, and a power management chip.

5. The secure kernel chip of claim 4, wherein the work flow of the secure kernel comprises: (1) setting a safe SPU in a safety kernel; (2) starting the information processing equipment, verifying the integrity of the current bottom firmware by the secure SPU, if the integrity is correct, executing the step (3) after completing normal system initialization, otherwise, stopping starting the information processing equipment; (3) verifying the integrity of the current operating system by the bottom firmware, if the integrity of the current operating system is correct, normally running the operating system, and otherwise, stopping loading the operating system; the SPU verifies the integrity of a monitoring program or a BIOS (basic input/output system), bottom firmware and an operating system in sequence in the starting process of the information processing equipment so as to ensure that after the information processing equipment is safely started, various keys in the system are called and managed by using an encryption operation component built in the SPU, and an application module is encrypted and decrypted so as to ensure the safety of the application module in a mobile phone or intelligent information equipment.

6. The secure kernel chip of claim 5, wherein the secure SPU has multiple secure partitions, and is capable of creating an interworking application, with electronic wallet and electronic passbook functions, by implementing a trusted authentication function through unique identifier operations, while being compatible with existing application system specifications; the trusted authentication is realized by binding key operation with the unique serial number of the secure SPU chip and/or the unique identification of the user; the credible authentication interconnection and intercommunication application is provided with a plurality of application catalogues, including an application compatible with the existing application system specification and an application with a credible authentication function; the application name and the issuing key with the credible authentication function can be customized by a user; the method can run in the existing application system under the condition of loading the unified key of the existing application system; the system can run in a system provided with the credible certificate under the condition of loading a custom key matched with the credible certificate.

7. The secure kernel chip of claim 6 wherein the secure SPU is capable of controlling the baseband to perform encryption and decryption on the HOST PCM, such that the voice signal is encrypted for transmission without being intercepted by the transmission channel, and the secure SPU is further capable of assigning a receiver to descramble the voice signal in conjunction with the identifier-based scrambling sequence.

8. The security kernel chip of claim 7, wherein the trusted authentication interworking applications further comprise applications conforming to the PBOC standard of the chinese people bank, and are operable in the PBOC system when loaded with an issued key of the PBOC system; the credible authentication interconnection and intercommunication application also comprises an application conforming to the international financial EMV standard, and can run in the EMV system under the condition of loading a secret key issued by the EMV system.

9. The security kernel chip of claim 8, wherein the trusted authentication is implemented by acquiring a unique number and an authentication key by the trusted authentication interworking application through a secure SPU internal security instruction according to a random number and an authentication application issued by a PSAM card in an external cloud service platform or a terminal, then performing an operation on the unique number and the random number by using the authentication key, returning an operation result to the external cloud service platform or the PSAM card, and determining validity of the trusted authentication interworking application by the external cloud service platform or the PSAM card; the source of the unique number is a user unique identifier written into the secure SPU by the trusted authentication interconnection application and/or a chip unique number of the secure SPU.

10. The security kernel chip of claim 9 wherein one portion of the random number is capable of verifying the correctness of another portion of the random number, and wherein the verification operation further requires the participation of one or more of a unique number, a specific key, authorization file data, and time data.

Technical Field

The invention relates to a secure kernel chip which comprises an integrated secure chip of an independent secure SPU, a CPU, a baseband, a multimedia processor and a memory controller and can be compatible with multiple applications.

Background

If a security processor with a unique number is added into a CPU kernel, the data and the unique number are associated, and the digital signature is protected by an authorization file bound with the unique number, a safer multi-application security SOC chip can be realized.

Disclosure of Invention

The invention discloses a safety kernel chip, which is characterized by at least comprising two independent CPUs, wherein at least comprising a safety SPU, the safety SPU is a safety CPU, which is based on an independent safety kernel architecture and comprises a unique number, an independent memory, a program memory, a data memory, an encryption operation component and an encryption interface for controlling other CPUs and buses, a starting program in the safety SPU calls the encryption operation component according to an encryption logic and an authentication public key, can effectively control the execution and the safety updating of operating systems and application programs of all CPUs and SPUs, the operating systems and the application program codes can pass the authentication of the authentication public key of the safety SPU through a specific private key signature, and the operating systems and the application programs of all CPUs and SPUs can be correctly executed only by the safety SPUs after being compiled by a specific safety compiler, the authentication public key can be calculated through the unique number of the secure SPU or the unique number of the digital signature party, and the digital signature is protected, so that more secure multi-application is realized.

Controlling the other CPUs to enter the encryption mode includes using HMAC operations.

The secure kernel chip is characterized in that the computing method of the authentication public key adopts an identification authentication method based on a combined public key, namely, a plurality of elliptic curve public and private key pairs are constructed, a plurality of coordinates are computed by using the abstract value of the identification and a nonlinear algorithm, the corresponding public key points are added to the identification public key respectively, and the corresponding private key is added to the identification private key in a modulo mode, so that each secure CPU comprises the own private key and a public key matrix, the public key corresponding to the identification can be directly computed, and the digital signature corresponding to the identification is verified.

The secure kernel chip is characterized in that the secure compiler performs encryption and digital signature operation through an external secure hardware key, each secure hardware key has a unique number, represents the trusted identity of an operating system or an application program developer, and is convenient to trace back through digital signatures.

The security kernel chip is characterized by further comprising a baseband chip, an audio and video multimedia processing chip, an application coprocessor chip, a memory controller and a power management chip.

The security kernel chip is characterized in that the work flow of the security kernel comprises: (1) setting a safe SPU in a safety kernel; (2) starting the information processing equipment, verifying the integrity of the current bottom firmware by the secure SPU, if the integrity is correct, executing the step (3) after completing normal system initialization, otherwise, stopping starting the information processing equipment; (3) verifying the integrity of the current operating system by the bottom firmware, if the integrity of the current operating system is correct, normally running the operating system, and otherwise, stopping loading the operating system; the SPU verifies the integrity of a monitoring program or a BIOS (basic input/output system), bottom firmware and an operating system in sequence in the starting process of the information processing equipment so as to ensure that after the information processing equipment is safely started, various keys in the system are called and managed by using an encryption operation component built in the SPU, and an application module is encrypted and decrypted so as to ensure the safety of the application module in a mobile phone or intelligent information equipment.

The secure kernel chip is characterized in that the secure SPU has multiple secure partitions, a trusted authentication function realized by unique identification operation, and is compatible with the existing application system specification, capable of creating interconnection and intercommunication applications, and has functions of an electronic wallet and an electronic passbook; the trusted authentication is realized by binding key operation with the unique serial number of the secure SPU chip and/or the unique identification of the user; the credible authentication interconnection and intercommunication application is provided with a plurality of application catalogues, including an application compatible with the existing application system specification and an application with a credible authentication function; the application name and the issuing key with the credible authentication function can be customized by a user; the method can run in the existing application system under the condition of loading the unified key of the existing application system; the system can run in a system provided with the credible certificate under the condition of loading a custom key matched with the credible certificate.

The secure kernel chip is characterized in that the secure SPU can control the baseband to realize encryption and decryption processing on the HOST PCM, so that voice signals are encrypted and transmitted without being intercepted by a transmission channel, and the secure SPU has the characteristic that an appointed receiver can descramble the voice signals by matching with a scrambling sequence based on an identifier.

The security kernel chip is characterized in that the credible authentication interconnection and intercommunication application also comprises an application which accords with the PBOC standard of the China people's bank and can run in the PBOC system under the condition of loading the PBOC system issued key; the credible authentication interconnection and intercommunication application also comprises an application conforming to the international financial EMV standard, and can run in the EMV system under the condition of loading a secret key issued by the EMV system.

The secure kernel chip is characterized in that the trusted authentication is specifically realized by acquiring a unique number and an authentication key by the trusted authentication interconnection and interworking application in a secure SPU internal security instruction mode according to a random number and an authentication application sent by a PSAM card in an external cloud service platform or a terminal, then operating the unique number and the random number by using the authentication key, returning an operation result to the external cloud service platform or the PSAM card, and judging the validity of the trusted authentication interconnection and interworking application by the external cloud service platform or the PSAM card; the source of the unique number is a user unique identifier written into the secure SPU by the trusted authentication interconnection application and/or a chip unique number of the secure SPU.

The secure kernel chip is characterized in that one part of the random number can check the correctness of the other part of the random number, and the check operation also needs one or more data of a unique number, a specific key, authorized file data and time data to participate.

Detailed Description

The security kernel chip has the specific implementation mode that a proper CPU kernel is selected for encryption operation improvement, various encryption operations such as HMAC and the like are arranged, a security SPU adopts an instruction system for automatically loading random noise, can resist logic analysis and DPA detection, adopts a low-frequency automatic suppression structure to prevent low-frequency analysis, adopts an anti-polishing sensor and a self-destruction device to prevent chip polishing detection, and adopts a disturbing encryption bus to protect loading instructions and data; the base band module with voice encryption is integrated, so that voice audio can be encrypted and decrypted, and coding and loss of a mobile network can be resisted; other built-in modules include a video processing chip, an audio processing chip, a demultiplexing processing chip, a memory controller, a built-in memory, and a cryptographic coprocessor. The security kernel chip supports a trusted authentication system, is compatible with the existing operating system, and can establish interconnection and intercommunication application. The trusted authentication is realized by binding the key operation to the chip unique number and/or the user unique identifier of the SPU; the existing application system key and the trusted certificate issuing system key are loaded, so that the system can be used in the existing application system and can also run in a safer trusted certificate system.