
CN111444553A - Secure storage implementation method and system supporting TEE extension - Google Patents


Info

Publication number
CN111444553A
Authority
CN
China
Prior art keywords
key
rpmb
tee
storage
secure storage
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010251384.XA
Other languages
Chinese (zh)
Inventor
董攀
朱浩
高珑
李小玲
丁滟
秦莹
马俊
黄辰林
谭郁松
廖湘科
吴庆波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National University of Defense Technology
Original Assignee
National University of Defense Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National University of Defense Technology
Priority to CN202010251384.XA
Publication of CN111444553A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        • G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer
            • G06F21/78 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure storage of data
            • G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information
                • G06F21/73 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer, to assure secure computing or processing of information by creating or determining hardware identification, e.g. serial numbers
        • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
            • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/002 Countermeasures against attacks on cryptographic mechanisms
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
            • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
                • H04L9/0866 Generation of secret information involving user or device identifiers, e.g. serial number, physical or biometrical information, DNA, hand-signature or measurable physical characteristics
                • H04L9/0869 Generation of secret information involving random numbers or seeds
            • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying
            • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
        • H04L9/14 Cryptographic mechanisms or cryptographic arrangements using a plurality of keys or algorithms
        • H04L9/32 Cryptographic mechanisms or cryptographic arrangements including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
            • H04L9/3271 Verification of identity or authority using challenge-response
                • H04L9/3278 Verification of identity or authority using challenge-response with physically unclonable functions [PUF]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Mathematical Physics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a secure storage implementation method and system supporting TEE extension. The method obtains the authentication master key Key_RPMB of the RPMB partition and builds encrypted storage on a hierarchical key system rooted in Key_RPMB, where Key_RPMB itself is protected by a PUF. The invention persistently stores digital information both while the system runs and while it is powered off, and effectively defends against unauthorized access and tampering from inside and outside the TEE, including online software attacks and static physical pin snooping. File storage in the TEE can withstand threats from several directions: even if an attacker obtains the RPMB partition key, the RPMB file system cannot be decrypted; and even if the TEE hosts an insecure application that can read and write the RPMB partition, that application cannot obtain the files of other applications or of the TEE itself.

Description

Secure storage implementation method and system supporting TEE extension

Technical field

The invention relates to secure storage technology, and in particular to a secure storage implementation method and system supporting TEE extension.

Background

A TEE (Trusted Execution Environment) is a secure area isolated from the host system that runs alongside the host operating system as an independent environment. TEE technology uses hardware and software to protect data and code, ensuring the confidentiality and integrity of the code and data loaded into the secure area and giving stronger security guarantees than a conventional REE (Rich Execution Environment). Trusted applications running in the TEE have access to the full capability of the platform's main processor and memory, while hardware isolation protects these components from user-installed applications running in the host operating system. Common TEE technologies today include TrustZone and SGX.

ARM proposed the TrustZone extension to build a TEE: all software and hardware resources are divided into a trusted region and an untrusted region, serving as TEE and REE respectively, so that sensitive data and applications are protected. TrustZone guarantees that secure-world software starts first at power-on and verifies each subsequently loaded boot image stage by stage. With TrustZone enabled, the physical processor switches between two security states, the normal world (running the host OS) and the secure world (running the TEE OS). TrustZone adds an extra control signal to every read and write on the system bus, the NS (Non-Secure) bit, which partitions memory and other resources into secure and non-secure. At the processor level each physical core is virtualized into a secure core and a non-secure core; the non-secure core can access only non-secure system resources, while the secure core can access all resources. Switching between TEE and REE goes through Monitor mode.

SGX (Intel Software Guard Extensions) is an extension of the Intel architecture (IA) for strengthening software security. SGX builds a TEE by creating enclaves: the security-sensitive operations of legitimate software are encapsulated in an enclave that protects them from malware, and neither privileged nor unprivileged software can access the enclave. In other words, once code and data are inside an enclave, not even the operating system or the VMM (hypervisor) can affect them; the enclave's security boundary contains only the CPU and the enclave itself. An SGX TEE differs clearly from a TrustZone TEE: TrustZone splits the CPU into two isolated environments (secure world and normal world) that communicate through the SMC instruction, whereas under SGX one CPU can run many enclaves, including concurrently. SGX protection applies to an application's address space: using processor-provided instructions, SGX sets aside a region of memory (the EPC) and maps the enclave in the application's address space onto it. That region is encrypted; encryption and address translation are handled by the memory control unit inside the CPU.

TEE technology recommends keeping secure resources inside the SoC package to prevent physical snooping on the pins. Because of technical and cost limits, however, SoCs generally do not integrate large-capacity persistent storage, and SGX provides no dedicated hardware persistent storage unit at all. Under these conditions, the persistent storage schemes available inside a TEE fall into three categories:

The first borrows the communication mechanism shared with the REE together with cryptography and builds on an encrypted file system in the REE. Its main weakness is that it cannot prevent attacks such as malicious deletion.

The second uses an external I/O device that has its own security mechanism. For example, the OPTEE project for TrustZone recommends the RPMB (Replay Protected Memory Block) partition of eMMC storage for secure reading, writing and storage of large amounts of data. The RPMB partition is a partition of the eMMC with security properties. When data is written to the RPMB, the eMMC verifies that the write is legitimate, so only the designated host can write; when data is read, a signature (MAC) mechanism assures the host that what it reads is the RPMB's internal data rather than data forged by an attacker. RPMB therefore authenticates write operations, but reads require no authentication and anyone can read, so data placed in the RPMB is normally encrypted before being stored.
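The write/read asymmetry just described is easiest to see in an exchange. The following is an added example, not code from the patent or from OPTEE: a simulated eMMC RPMB device and host, using the JEDEC RPMB data-frame byte offsets (MAC at 196, data at 228, nonce at 484, write counter at 500, address at 504, block count at 506, result at 508, request type at 510) and HMAC-SHA256 over bytes 228 to 511. The device model, result handling and the scenario data are this example's simplifications and assumptions.

```python
"""Simulated RPMB exchange (added example, not the patent's code): an
authenticated write carries an HMAC-SHA256 over the frame plus the current
write counter; a read needs no key, so the device returns whatever bytes are
stored. Byte offsets follow the JEDEC eMMC RPMB data frame; the device model
is a simplification of the real state machine, not an eMMC driver."""
import hashlib
import hmac
import os

FRAME_LEN = 512
OFF_MAC, OFF_DATA, OFF_NONCE, OFF_WC = 196, 228, 484, 500
OFF_ADDR, OFF_CNT, OFF_RES, OFF_REQ = 504, 506, 508, 510
REQ_KEY_PROG, REQ_GET_WC, REQ_AUTH_WRITE, REQ_AUTH_READ = 1, 2, 3, 4
RES_OK, RES_GENERAL_FAIL, RES_AUTH_FAIL, RES_COUNTER_FAIL, RES_NO_KEY = 0, 1, 2, 3, 7


def field(frame, off, n):
    return int.from_bytes(frame[off:off + n], "big")


def frame_mac(key, frame):
    # The MAC covers bytes 228..511: data, nonce, write counter, address,
    # block count, result and request/response type.
    return hmac.new(key, frame[OFF_DATA:FRAME_LEN], hashlib.sha256).digest()


def build_frame(req, data=b"", nonce=b"", write_counter=0, address=0,
                block_count=1, result=RES_OK, key=None, raw_key_field=None):
    f = bytearray(FRAME_LEN)
    f[OFF_DATA:OFF_DATA + 256] = data.ljust(256, b"\0")
    f[OFF_NONCE:OFF_NONCE + 16] = nonce.ljust(16, b"\0")
    f[OFF_WC:OFF_WC + 4] = write_counter.to_bytes(4, "big")
    f[OFF_ADDR:OFF_ADDR + 2] = address.to_bytes(2, "big")
    f[OFF_CNT:OFF_CNT + 2] = block_count.to_bytes(2, "big")
    f[OFF_RES:OFF_RES + 2] = result.to_bytes(2, "big")
    f[OFF_REQ:OFF_REQ + 2] = req.to_bytes(2, "big")
    if raw_key_field is not None:      # key programming: the key itself travels here
        f[OFF_MAC:OFF_MAC + 32] = raw_key_field
    elif key is not None:              # authenticated frames: HMAC over the tail
        f[OFF_MAC:OFF_MAC + 32] = frame_mac(key, f)
    return bytes(f)


class RpmbDevice:
    """Minimal model of the RPMB logic inside an eMMC."""

    def __init__(self, blocks=4):
        self.key = None                  # one-time programmable authentication key
        self.write_counter = 0
        self.blocks = [bytes(256)] * blocks

    def handle(self, req):
        kind, addr = field(req, OFF_REQ, 2), field(req, OFF_ADDR, 2)
        resp = kind << 8                 # response type = request type << 8
        if kind == REQ_KEY_PROG:
            if self.key is not None:     # OTP: a second programming attempt fails
                return build_frame(resp, result=RES_GENERAL_FAIL)
            self.key = bytes(req[OFF_MAC:OFF_MAC + 32])
            return build_frame(resp)
        if self.key is None:
            return build_frame(resp, result=RES_NO_KEY)
        nonce = req[OFF_NONCE:OFF_NONCE + 16]
        if kind == REQ_GET_WC:
            return build_frame(resp, nonce=nonce, write_counter=self.write_counter, key=self.key)
        if kind == REQ_AUTH_WRITE:
            if not hmac.compare_digest(frame_mac(self.key, req), req[OFF_MAC:OFF_MAC + 32]):
                return build_frame(resp, result=RES_AUTH_FAIL, write_counter=self.write_counter)
            if field(req, OFF_WC, 4) != self.write_counter:
                return build_frame(resp, result=RES_COUNTER_FAIL, write_counter=self.write_counter)
            self.blocks[addr] = bytes(req[OFF_DATA:OFF_DATA + 256])
            self.write_counter += 1
            return build_frame(resp, write_counter=self.write_counter, address=addr, key=self.key)
        if kind == REQ_AUTH_READ:
            # Nobody is authenticated here: any host can read. The response is MACed
            # and echoes the nonce so an honest host can reject forged or stale
            # answers, but the stored bytes themselves are exposed.
            return build_frame(resp, data=self.blocks[addr], nonce=nonce, address=addr, key=self.key)
        return build_frame(resp, result=RES_GENERAL_FAIL)


def run_scenario():
    key = os.urandom(32)                 # Key_RPMB; in the patent it is derived inside the TEE
    dev = RpmbDevice()
    dev.handle(build_frame(REQ_KEY_PROG, raw_key_field=key))
    out = {}
    # 1. Legitimate host: fetch the write counter, then write block 0 with a valid MAC.
    wc = field(dev.handle(build_frame(REQ_GET_WC, nonce=os.urandom(16))), OFF_WC, 4)
    good = build_frame(REQ_AUTH_WRITE, data=b"plaintext secret", write_counter=wc, key=key)
    out["write"] = field(dev.handle(good), OFF_RES, 2)
    # 2. Attacker without the key forges a write that guesses the counter correctly.
    forged = build_frame(REQ_AUTH_WRITE, data=b"evil", write_counter=wc + 1, key=os.urandom(32))
    out["forged"] = field(dev.handle(forged), OFF_RES, 2)
    # 3. Attacker replays the captured genuine frame: the MAC verifies, the counter is stale.
    out["replay"] = field(dev.handle(good), OFF_RES, 2)
    # 4. Attacker issues a read with no key and receives the stored bytes in clear.
    nonce = os.urandom(16)
    rd = dev.handle(build_frame(REQ_AUTH_READ, nonce=nonce, address=0))
    out["read"] = rd[OFF_DATA:OFF_DATA + 16]
    # 5. Honest host checks MAC and nonce before trusting a read response.
    out["read_mac_ok"] = (hmac.compare_digest(frame_mac(key, rd), rd[OFF_MAC:OFF_MAC + 32])
                          and rd[OFF_NONCE:OFF_NONCE + 16] == nonce)
    return out
```

Step 4 is the point the paragraph makes: the write counter and MAC stop forgery and replay, but an unauthenticated read hands back the block contents, which is why the RPMB file system must be encrypted before it is written and why the encryption key must be something other than Key_RPMB.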

The third adds virtual isolation technology to the I/O hardware, which can also give the TEE isolated storage, but it does not guard against direct attacks on and reading of the physical storage, leaving a large security gap.

Comparison shows that two techniques are indispensable when secure storage is built outside the SoC: an anti-tampering/anti-deletion mechanism and an encryption mechanism. When the storage meets both requirements it attains protection equivalent to the TEE itself, that is, against both online software attacks and pin-level physical attacks on the device.

Encrypted storage on current secure devices still has several security problems. Taking the eMMC RPMB partition as an example, the security of the RPMB partition key becomes a new problem. First, each RPMB device has a single, unchangeable key; once that key is exposed, the whole partition loses its protection. Second, the eMMC and the CPU usually come from different vendors and are matched only at product integration, so the CPU vendor cannot "seal" the RPMB key in advance. Third, after the product ships, the eMMC may need to be repaired or replaced, and updating the RPMB key then also raises problems.

The RPMB partition key is only a write-authentication key; it provides no encryption of the written data, so an encryption/decryption mechanism must still be established. With a single shared encryption key the TEE OS can use a strong algorithm and a long enough key to keep the ciphertext secure, but the TEE may host many different applications (TAs, Trusted Applications) that all have permission to read and modify the RPMB partition and can freely access each other's data. That is itself a security risk: if one TA contains a vulnerability or defective code, the data security of the entire TEE may be lost.

It is a consensus in digital security that choosing a sufficiently secure cipher is not the hard part; key management is. For secure storage in a TEE the key must remain secure in several scenarios: online while the system runs normally, offline (even under hardware probing), and during system update or maintenance (including factory initialization). A conventional key management scheme stores the key and retrieves it at use time, which risks exposure in all of these situations.

A PUF (Physically Unclonable Function) is a one-way function realized in hardware, a physically defined "digital fingerprint" that uniquely identifies a semiconductor device such as a microprocessor. PUFs arise from the unique physical variations that occur naturally in semiconductor manufacturing and can implement security functions such as device authentication, key generation for cryptographic protocols and seeding of random number generators. Many practical PUFs exist, for example delay-based PUFs and PUFs based on memory-access randomness. Using the PUF property of the power-on values of the CPU's on-chip SRAM, one can not only obtain an initial key at power-on but also overwrite the SRAM after reading it so that the key cannot be read again, a "burn after reading" effect. The one-way property of a PUF allows key management algorithms such as key generation and update to be built on it. The principle is that PUF-based key generation uses a fuzzy extractor to extract the key from the PUF response. A fuzzy extractor has two parts, a secure sketch and a randomness extractor, which respectively error-correct the PUF response and compress it into a key. The secure sketch reconstructs a reliable result from a noisy PUF response while preserving high residual entropy; the randomness extractor condenses the entropy of the corrected, stable PUF response into the generated key. A fuzzy extractor operates in two phases, enrollment and reconstruction. In enrollment the key is programmed into the device, much like the key programming phase of conventional key storage in non-volatile memory: the PUF response R is read and fed to the fuzzy extractor as the reference response R_ref for key generation. On one hand, the secure sketch's enrollment procedure produces helper data h for later error correction, which is saved in the system's non-volatile memory; on the other hand, the randomness extractor compresses the reference response into a key with sufficient entropy. In reconstruction the PUF response R' is read again; because of noise it differs from the reference response to some degree (errors). If the error rate is within the designed correction capability, the secure sketch's recovery procedure uses the helper data h to correct the errors in R' and recovers a response identical to R_ref, from which the randomness extractor regenerates the same key.

Summary of the invention

Technical problem to be solved: in view of the above problems of the prior art, provide a secure storage implementation method and system supporting TEE extension that persistently stores digital information both while the system runs and while it is powered off, and effectively defends against unauthorized access and tampering from inside and outside the TEE, including online software attacks and static physical pin snooping. With multi-level key management, file storage in the TEE can withstand threats from several directions: even if an attacker obtains the RPMB partition key, the RPMB file system cannot be decrypted; and even if the TEE hosts an insecure application that can read and write the RPMB partition, that application cannot obtain the files of other applications or of the TEE itself.

To solve the above technical problem, the invention adopts the following technical scheme:

A secure storage implementation method supporting TEE extension, whose implementation steps include:

1) Obtaining the authentication master key Key_RPMB of the RPMB partition;

2) Realizing encrypted storage under a hierarchical key system based on Key_RPMB. At the kernel layer of the TEE, a specified key generation algorithm derives a root key Key_R from Key_RPMB for kernel-layer encryption and decryption; throughout the TEE's lifetime Key_R resides only in secure memory and the kernel-mode address space. At the application layer of the TEE, for each trusted application TA a storage key Key_A unique to that TA is generated from the TA's universally unique identifier (UUID) and Key_R, and is used to encrypt and decrypt the files belonging to that TA. At the file layer of the TEE, for each file an independent key Key_F is generated from the Key_A of the owning TA and is used to encrypt the file on write and decrypt it on read.

Optionally, the detailed steps of step 1) include:

1.1) Reading the value of the CPU's PUF circuit;

1.2) XORing the PUF reading with the helper data Data_KA stored in ordinary memory;

1.3) Applying the specified decoding operation to the XOR result to obtain the seed key Key_S;

1.4) Passing the seed key Key_S through the specified cryptographic processing to obtain the authentication master key Key_RPMB.

Optionally, the decoding operation specified in step 1.3) is BCH decoding.

Optionally, the cryptographic processing specified in step 1.4) is processing with a key derivation function (KDF) as defined in a security specification.

Optionally, step 1) is preceded by a factory step that generates the authentication master key Key_RPMB:

S1) Randomly choosing the seed key Key_S;

S2) Passing Key_S through the specified cryptographic processing to obtain Key_RPMB, and writing it into the one-time-programmable key register of the storage device's RPMB partition;

S3) Applying the specified encoding operation to Key_S, this encoding being the inverse of the decoding operation of step 1.3); reading the value of the CPU's PUF circuit and XORing it with the encoding result to obtain the helper data Data_KA; finally destroying Key_S and saving Data_KA persistently in the device's ordinary memory.

Optionally, the method further includes performing steps S1) to S3) again after the ordinary storage device is replaced, so as to update Key_RPMB.
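Steps S1 to S3 and 1.1 to 1.4 together are the code-offset form of the fuzzy extractor from the background section, so one example covers both. It is an added example, not the patent's implementation: the BCH code is replaced by a 7-times repetition code (same role, smaller correction capacity) so the block needs no library, HMAC-SHA256 stands in for the unspecified KDF, and the SRAM PUF is simulated by a fixed per-chip bit pattern with per-read noise. The key size, labels and noise model are assumptions of this example.

```python
"""Added example (not the patent's code) of the PUF-protected seed key:
factory enrollment S1..S3 and boot-time reconstruction 1.1..1.4. The BCH
code named in the patent is swapped for a 7x repetition code so the block
stays self-contained; HMAC-SHA256 stands in for the unspecified KDF; the
SRAM PUF is simulated by a fixed per-chip bit pattern plus read noise.
Sizes, labels and the noise model are assumptions of this example."""
import hashlib
import hmac
import os
import random

KEY_BITS = 128                     # length of the seed key Key_S
REP = 7                            # repetition factor; majority vote corrects <= 3 flips per key bit
PUF_BITS = KEY_BITS * REP


class SramPuf:
    """Simulated SRAM start-up pattern: a fixed chip fingerprint plus per-read noise."""

    def __init__(self, chip_seed):
        self.rng = random.Random(chip_seed)
        self.fingerprint = self.rng.getrandbits(PUF_BITS)

    def read(self, error_rate, max_flips_per_block=(REP - 1) // 2):
        # Each cell flips with probability error_rate; the cap models the patent's
        # precondition that the error rate stays within the code's correction capability.
        word = self.fingerprint
        for b in range(KEY_BITS):
            flips = [j for j in range(REP) if self.rng.random() < error_rate]
            for j in flips[:max_flips_per_block]:
                word ^= 1 << (b * REP + j)
        return word


def rep_encode(key_s):
    """Step S3 'encoding operation': repeat every key bit REP times."""
    code = 0
    for i in range(KEY_BITS):
        if key_s >> i & 1:
            code |= ((1 << REP) - 1) << (i * REP)
    return code


def rep_decode(word):
    """Step 1.3 'decoding operation': majority vote over each REP-bit block."""
    key_s = 0
    for i in range(KEY_BITS):
        block = word >> (i * REP) & ((1 << REP) - 1)
        if bin(block).count("1") * 2 > REP:
            key_s |= 1 << i
    return key_s


def derive_key_rpmb(key_s):
    """Steps S2 / 1.4: KDF over Key_S gives the RPMB authentication key (HMAC as a one-block KDF)."""
    return hmac.new(key_s.to_bytes(KEY_BITS // 8, "big"), b"rpmb-auth-key", hashlib.sha256).digest()


def enroll(puf):
    """Factory steps S1..S3: random Key_S, derive Key_RPMB, store helper data, destroy Key_S."""
    key_s = int.from_bytes(os.urandom(KEY_BITS // 8), "big")            # S1
    key_rpmb = derive_key_rpmb(key_s)                                    # S2 (programmed into the eMMC)
    helper = rep_encode(key_s) ^ puf.read(error_rate=0.0)                # S3: Data_KA, kept in plain flash
    del key_s                                                            # S3: the seed key is never stored
    return key_rpmb, helper


def reconstruct(puf, helper, error_rate):
    """Boot steps 1.1..1.4: read PUF, XOR helper data, decode, KDF."""
    return derive_key_rpmb(rep_decode(puf.read(error_rate) ^ helper))


def demo():
    chip = SramPuf(chip_seed=1)
    key_rpmb, helper = enroll(chip)
    return {
        # same chip, noisy read: the helper data lets the key be regenerated
        "same_chip_noisy": reconstruct(chip, helper, error_rate=0.05) == key_rpmb,
        # a different chip holding the stolen helper data gets a different key
        "other_chip": reconstruct(SramPuf(chip_seed=2), helper, error_rate=0.05) == key_rpmb,
        # helper data alone, with no PUF at all, does not reveal the key
        "helper_alone": derive_key_rpmb(rep_decode(helper)) == key_rpmb,
    }
```

Replacing the eMMC (the update case in the last optional step) is just a second `enroll` on the same chip: a fresh Key_S gives a fresh Key_RPMB to program into the new device and a fresh Data_KA to overwrite in ordinary storage, with nothing secret ever written outside the SoC. A real design would size the BCH code from the measured SRAM bit-error rate rather than capping the noise as the simulation does.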

The invention further provides a secure storage implementation system supporting TEE extension, programmed or configured to perform the steps of the above method.

The invention further provides a secure storage implementation system supporting TEE extension comprising computer equipment that is programmed or configured to perform the steps of the above method, or whose memory stores a computer program programmed or configured to perform the above method.

The invention further provides a computer-readable storage medium storing a computer program programmed or configured to perform the above method.

Compared with the prior art, the invention has the following advantages. To keep stored data from being snooped, the kernel layer, application layer and file layer of the TEE each encrypt with different keys, and these keys form a tree, so different applications and files in the TEE are isolated from each other and one application's data cannot be accessed by another. With this design, file storage in the TEE can withstand threats from several directions: even if an attacker obtains the RPMB partition key, the RPMB file system cannot be decrypted; and even if the TEE hosts an insecure application that can read and write the RPMB partition, that application cannot obtain the files of other applications or of the TEE itself.
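The key tree and the isolation it is claimed to give can be exercised directly. The following is an added example, not the patent's implementation: each level (Key_RPMB to Key_R, Key_R plus UUID to Key_A, Key_A plus file name to Key_F) is derived with HMAC-SHA256 keyed by the parent over a label naming the child, which is HKDF-Expand with a single output block. Because the Python standard library has no AES, file sealing uses an HMAC-SHA256 keystream in counter mode with an HMAC tag (encrypt-then-MAC) where a real TEE would use AES-GCM or similar. The kernel/TA split, the dictionary standing in for the RPMB file system, the UUIDs and all labels are this example's assumptions.

```python
"""Added example (not the patent's code) of the key tree Key_RPMB -> Key_R ->
Key_A -> Key_F and of the isolation it gives between TAs. Every level is
derived with HMAC-SHA256 keyed by the parent over a label naming the child
(HKDF-Expand with one output block). The standard library has no AES, so file
sealing uses an HMAC-SHA256 keystream in counter mode plus an HMAC tag
(encrypt-then-MAC); a real TEE would use AES-GCM or similar. The kernel/TA
split, the simulated RPMB dictionary and all labels are assumptions."""
import hashlib
import hmac
import os
import uuid


def derive(parent, label):
    return hmac.new(parent, label, hashlib.sha256).digest()


def keystream(key, nonce, length):
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key_f, plaintext):
    """Write path: encrypt under Key_F, then authenticate nonce and ciphertext."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(derive(key_f, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(derive(key_f, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key_f, blob):
    """Read path: verify the tag first, then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(derive(key_f, b"mac"), nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered file")
    return bytes(a ^ b for a, b in zip(ct, keystream(derive(key_f, b"enc"), nonce, len(ct))))


class TeeKernel:
    """Kernel layer: holds Key_R for the TEE lifetime and hands each TA only its own Key_A."""

    def __init__(self, key_rpmb):
        self.key_r = derive(key_rpmb, b"tee-root-key")
        self.rpmb = {}                         # simulated RPMB file system shared by all TAs

    def open_session(self, ta_uuid):
        # Key_A is bound to the TA's UUID as known to the kernel; a TA never chooses
        # the UUID it derives for, so it cannot ask for another TA's key.
        return TaStorage(self, derive(self.key_r, b"ta:" + ta_uuid.bytes))


class TaStorage:
    """Application layer: per-TA Key_A; file layer: per-file Key_F."""

    def __init__(self, kernel, key_a):
        self.kernel, self.key_a = kernel, key_a

    def file_key(self, name):
        return derive(self.key_a, b"file:" + name.encode())

    def write(self, name, data):
        self.kernel.rpmb[name] = seal(self.file_key(name), data)

    def read(self, name):
        return unseal(self.file_key(name), self.kernel.rpmb[name])


def demo():
    kernel = TeeKernel(key_rpmb=os.urandom(32))
    ta_a = kernel.open_session(uuid.UUID("11111111-2222-3333-4444-555555555555"))
    ta_b = kernel.open_session(uuid.UUID("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"))
    ta_a.write("secret.bin", b"only TA A should read this")
    out = {"owner_reads": ta_a.read("secret.bin")}
    try:                                   # TA B reaches the same RPMB bytes but holds another Key_A
        ta_b.read("secret.bin")
        out["other_ta_reads"] = True
    except ValueError:
        out["other_ta_reads"] = False
    tampered = bytearray(kernel.rpmb["secret.bin"])   # an insecure TA rewrites a ciphertext byte
    tampered[20] ^= 0x01
    kernel.rpmb["secret.bin"] = bytes(tampered)
    try:
        ta_a.read("secret.bin")
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    out["file_keys_differ"] = ta_a.file_key("a.bin") != ta_a.file_key("b.bin")
    return out
```

Two points a practitioner would check against this model. First, the isolation between TAs rests entirely on the kernel binding Key_A to the TA's own identity in `open_session`; any interface that lets a TA name an arbitrary UUID collapses the tree to a single shared key. Second, the patent leaves the Key_RPMB to Key_R algorithm unspecified; if it is a public function of Key_RPMB alone, as in `TeeKernel.__init__` above, a holder of Key_RPMB can recompute Key_R, so the claim that the RPMB key alone does not decrypt the file system depends on a TEE-internal secret being mixed into that first derivation.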

Description of drawings

图1为本发明实施例方法的基本流程示意图。FIG. 1 is a schematic diagram of a basic flow of a method according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of how the authentication master key KeyRPMB is obtained in an embodiment of the invention.

FIG. 3 is a schematic diagram of how the authentication master key KeyRPMB is generated (or updated) in an embodiment of the invention.

FIG. 4 is a schematic diagram of the tree structure of the hierarchical key system in an embodiment of the invention.

Detailed description of the embodiments

The technical solution of this embodiment is described below by way of example. The embodiment uses a TrustZone TEE environment, assumes that the hardware includes an eMMC with an RPMB partition, and takes the write key of the RPMB partition to be the authentication master key KeyRPMB. The practical application is assumed to place the following requirements on the use of KeyRPMB: the key is kept separate from the TEE OS image; it lives in the external eMMC storage and can be replaced together with the eMMC card; and the key cannot be derived from the information held in external storage. Protection of the RPMB key must therefore resist not only malicious-code attacks from the REE, but also probing and attacks on the external ports of the SoC with laboratory equipment.

This embodiment assumes that the system contains a conventional memory similar to eMMC that controls data writes through password-based authentication; read operations are not restricted. The authentication key used for writing is called the master key and is denoted the authentication master key KeyRPMB.

As shown in FIG. 1, the steps of the secure storage implementation method supporting TEE extension in this embodiment are:

1) obtain the authentication master key KeyRPMB of the RPMB partition;

2) implement encrypted storage under a hierarchical key system based on KeyRPMB: in the kernel layer of the trusted execution environment (TEE), a specified key generation algorithm derives a root key KeyR from KeyRPMB for kernel-layer encryption and decryption, and KeyR remains in secure memory and the kernel-mode address space for the whole lifetime of the TEE; in the application layer of the TEE, each trusted application (TA) is given a storage key KeyA of its own, derived from the TA's universally unique identifier (UUID) and KeyR, for encrypting and decrypting the files belonging to that TA; in the file layer of the TEE, each file is given an independent key KeyF, derived from the storage key KeyA of the owning TA, for encrypting writes to and decrypting reads of that file.

Step 1) of this embodiment further implements PUF-based key protection, which protects the write authentication master key of the secure storage device against key leakage at runtime and against static physical snooping, and supports key update. As shown in FIG. 2, the detailed sub-steps of step 1) are:

1.1) read the value of the CPU's PUF circuit (labelled PUF in FIG. 2);

1.2) XOR the PUF reading with the auxiliary data DataKA stored in conventional memory;

1.3) apply the specified decoding operation to the XOR result to obtain the seed key KeyS;

1.4) apply the specified encryption processing to the seed key KeyS to obtain the authentication master key KeyRPMB.

The basic idea behind protecting the stored authentication master key KeyRPMB in this embodiment is as follows: persistent storage outside the SoC holds only the auxiliary data DataKA used to reconstruct KeyRPMB, and KeyRPMB is generated and recovered by means of the PUF; KeyRPMB is used only inside the SoC's on-chip secure memory, as a kernel service, and TEE applications are offered only encryption or signing interfaces. Note that DataKA needs no special protection. On the one hand, exposing DataKA does not expose KeyRPMB; on the other hand, if an attacker deletes or tampers with DataKA, the system detects this promptly and aborts subsequent operations. KeyRPMB is needed only at power-on and boot, so tampering creates no denial-of-service risk at runtime.

In this embodiment, the decoding operation specified in step 1.3) is BCH decoding.

In this embodiment, the encryption processing specified in step 1.4) means processing with the key derivation function (KDF) defined in the security specification.

In this embodiment, step 1) is preceded by the factory-time generation of the authentication master key KeyRPMB shown in FIG. 3:

S1) randomly select a seed key KeyS;

S2) apply the specified encryption processing to KeyS to obtain the authentication master key KeyRPMB, and write it into the one-time password key register of the memory's RPMB partition;

S3) apply the specified encoding operation to KeyS, this encoding operation being the inverse of the decoding operation specified in step 1.3); read the value of the CPU's PUF circuit and XOR it with the encoding result to obtain the auxiliary data DataKA; finally destroy KeyS and save DataKA persistently in the device's conventional memory.

This embodiment also includes performing steps S1) to S3) again after the conventional memory has been replaced, in order to update the authentication master key KeyRPMB.

As the description above shows, the PUF-based protection of KeyRPMB in this embodiment has three parts: generation, recovery and update. Generation is performed at the factory by executing steps S1) to S3); recovery is performed at every device restart, before the RPMB partition is read or written, by executing steps 1.1) to 1.4); update is performed when the conventional memory has to be replaced for repair or other reasons, and follows the same procedure as generation, i.e. steps S1) to S3).

In summary, the PUF-based key protection of this embodiment has the following advantages. First, by exploiting the properties of the PUF, the time during which useful information about the protected KeyRPMB is exposed is minimised: the PUF value (for instance of a RAM-based PUF) can be read only at the very start of system power-up, so neither static reads through the chip's external interfaces, nor malicious REE code running after power-up, nor malicious code inside a TEE application can obtain useful information about KeyRPMB, which strengthens its protection. Second, flexible requirements such as key replacement and revocation can be met: the embodiment does not use the PUF value itself as KeyRPMB, but generates KeyRPMB from the PUF and an intermediate auxiliary value, so KeyRPMB can be updated, or the old KeyRPMB revoked, simply by replacing that auxiliary value. The auxiliary value has no confidentiality requirement, which gives the scheme good applicability and flexibility.
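The generation (steps S1 to S3), recovery (steps 1.1 to 1.4) and write-authentication roles of KeyRPMB described above, as an added worked example in Python that is not part of the patent: a repetition code with majority voting stands in for the BCH code the patent specifies, HMAC-SHA256 stands in for the unspecified KDF, the RpmbModel class is a simplified stand-in for the eMMC RPMB write path, and the PUF response, its boot-time noise pattern and all key values are constructed.

```python
import hashlib
import hmac
import random
import secrets

KEY_BITS = 128  # length of the seed key KeyS
REP = 5         # repetition factor of the stand-in error-correcting code (the patent uses BCH)

def kdf(secret: bytes, label: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256; the patent only names "the KDF defined in the security specification".
    return hmac.new(secret, label, hashlib.sha256).digest()

def bits_from_bytes(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(8)]

def bytes_from_bits(bits: list) -> bytes:
    return bytes(sum(bit << j for j, bit in enumerate(bits[i:i + 8])) for i in range(0, len(bits), 8))

def ecc_encode(key: bytes) -> list:
    # Stand-in for the BCH encoder of step S3): repeat every key bit REP times.
    return [bit for bit in bits_from_bytes(key) for _ in range(REP)]

def ecc_decode(codeword: list) -> bytes:
    # Stand-in for the BCH decoder of step 1.3): majority vote per group corrects up to (REP-1)//2 flips.
    return bytes_from_bits([1 if 2 * sum(codeword[i:i + REP]) > REP else 0
                            for i in range(0, len(codeword), REP)])

def enroll(puf_response: list) -> tuple:
    """Factory steps S1) to S3): pick KeyS, derive KeyRPMB, compute DataKA = ECC(KeyS) XOR PUF, drop KeyS."""
    key_s = secrets.token_bytes(KEY_BITS // 8)
    key_rpmb = kdf(key_s, b"RPMB-auth-key")
    data_ka = [c ^ p for c, p in zip(ecc_encode(key_s), puf_response)]
    del key_s  # only DataKA leaves the SoC; a TEE kernel would zeroise the buffer, not just drop the name
    return key_rpmb, data_ka

def recover(puf_response: list, data_ka: list) -> bytes:
    """Boot steps 1.1) to 1.4): XOR a fresh (noisy) PUF read with DataKA, decode KeyS, re-run the KDF."""
    key_s = ecc_decode([h ^ p for h, p in zip(data_ka, puf_response)])
    return kdf(key_s, b"RPMB-auth-key")

class RpmbModel:
    """Minimal model of the RPMB write path (constructed for this example): the key is programmed
    once, and every write must carry an HMAC-SHA256 over address and payload under that key."""

    def __init__(self):
        self._auth_key = None
        self.blocks = {}

    def program_key(self, key: bytes) -> bool:
        if self._auth_key is not None:
            return False  # one-time programmable register: a second programming is refused
        self._auth_key = key
        return True

    def authenticated_write(self, addr: int, payload: bytes, mac: bytes) -> bool:
        expected = hmac.new(self._auth_key, addr.to_bytes(2, "big") + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False  # wrong key: the device rejects the write
        self.blocks[addr] = payload
        return True

def rpmb_write(dev: RpmbModel, key: bytes, addr: int, payload: bytes) -> bool:
    mac = hmac.new(key, addr.to_bytes(2, "big") + payload, hashlib.sha256).digest()
    return dev.authenticated_write(addr, payload, mac)

def lifecycle_demo(seed: int = 1) -> dict:
    """Generation at the factory, recovery on a later boot from a noisy PUF, and recovery
    from tampered helper data; reports what each recovered key can do at the RPMB."""
    rng = random.Random(seed)
    puf_factory = [rng.getrandbits(1) for _ in range(KEY_BITS * REP)]  # constructed PUF response
    key_rpmb, data_ka = enroll(puf_factory)
    dev = RpmbModel()
    dev.program_key(key_rpmb)  # step S2)
    # A later boot reads a slightly different PUF value. Flipping every 7th bit puts at most
    # one error into each 5-bit group, which the majority vote corrects.
    puf_boot = [b ^ (1 if i % 7 == 0 else 0) for i, b in enumerate(puf_factory)]
    recovered = recover(puf_boot, data_ka)
    # Tampered DataKA: three extra flips in the first group exceed the correction capacity,
    # so a wrong KeyS and hence a wrong KeyRPMB come out, and the RPMB refuses the write.
    tampered = data_ka[:]
    for i in (1, 2, 3):
        tampered[i] ^= 1
    wrong = recover(puf_boot, tampered)
    return {
        "recovered_matches": recovered == key_rpmb,
        "write_with_recovered_key": rpmb_write(dev, recovered, 0, b"secure file block"),
        "write_with_tampered_key": rpmb_write(dev, wrong, 1, b"secure file block"),
        "second_key_programming_refused": not dev.program_key(wrong),
    }
```

Two points a practitioner would take from this: a repetition code leaks more about KeyS through DataKA than a BCH code of comparable rate does, which is one reason the patent's choice of BCH matters; and the tamper case illustrates one way altered helper data becomes visible, namely that the reconstructed key fails RPMB write authentication, so the boot path can stop before any data is committed.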

The encrypted storage method of the hierarchical key system implemented in step 2) of this embodiment allocates and manages private keys for the different software entities in the TEE, preventing illegal snooping by other applications in the TEE. When step 2) implements encrypted storage under the hierarchical key system based on KeyRPMB:

2.1. In the kernel layer of the TEE (the TEE kernel, the bottom layer in FIG. 4): the key generation algorithm derives a new root key (ROOT Key) KeyR from the authentication master key KeyRPMB for kernel-layer encryption and decryption. Note that the seed key KeyS used here can either be generated randomly or be the SoC chip's ID code IDSoC, so that the derivation of KeyR is also tied to the SoC chip ID and bound to the platform. In this embodiment the key generation algorithm is the KDF and the SoC chip's ID code IDSoC is used as the seed key KeyS, so the root key is derived as KeyR := KDF(KeyRPMB, IDSoC), as shown in FIG. 4. Throughout the lifetime of the TEE, KeyR remains in secure memory and never leaks to the non-secure world.

2.2. In the application layer of the TEE (the middle layer in FIG. 4): for each trusted application TA, a storage key KeyA unique to that TA is derived from the TA's universally unique identifier UUID and the root key KeyR, for encrypting and decrypting the files belonging to that TA. The kernel generates a separate KeyA for each TA (Trusted Application) from KeyR and the TA's UUID; with the KDF as the key generation algorithm this is KeyA := KDF(KeyR, UUIDTA). KeyA is used to encrypt and decrypt the file storage belonging to the TA. Because each TA uses an independent KeyA, no application in the TEE can obtain the stored information of another TA, which keeps application resources in the TEE independent. As shown in FIG. 4, the storage key of TA1 is KeyA1 := KDF(KeyR, UUIDTA1), that of TA2 is KeyA2 := KDF(KeyR, UUIDTA2), …, and that of TAn is KeyAn := KDF(KeyR, UUIDTAn).

2.3. In the file layer of the TEE (the top layer in FIG. 4): for each file, an independent key KeyF is derived from the storage key KeyA of the owning TA, for encrypting writes to and decrypting reads of that file. Each file can thus use its own KeyF to encrypt the file data. KeyF is encrypted under the owning TA's KeyA and stored in the corresponding file system; on access it is decrypted with that KeyA, which further ensures the independence of the data. With the KDF as the key generation algorithm, the file key is derived from the owning TA's storage key as KeyF := KDF(KeyA, UUIDF), where KeyA is the storage key of the owning TA and UUIDF is the file's unique identifier (generated, for example, with a hash algorithm). The top layer of FIG. 4 shows only the m files of TA2 as an example: FILE1 to FILEm belonging to TA2 represent the m files, and their independent keys are KeyF1 to KeyFm. Among these, the key of FILE1 is KeyF1 := KDF(KeyA2, UUIDF1), that of FILE2 is KeyF2 := KDF(KeyA2, UUIDF2), …, and that of FILEm is KeyFm := KDF(KeyA2, UUIDFm).

To ensure that the stored data of this embodiment cannot be illegally snooped, the different software layers in the TEE encrypt stored data with different keys, and these keys form a tree. Stored information is thereby isolated between applications and software modules at different levels of the TEE, so that one application's data cannot be illegally accessed by other software modules. Concretely, the storage master key is used to generate a root key for encryption, and as the software layers grow from the bottom layer upward (or from low privilege to high privilege), derived keys are added for each layer, every higher-layer key being generated from the key of its parent node. In other words, software modules at the same level use different keys, but the encrypted data they store can be decrypted indirectly with the key of their immediate parent. The encrypted storage method of the hierarchical key system implemented in step 2) therefore allocates and manages private keys for the different software entities in the TEE and prevents illegal snooping by other applications in the TEE.
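The three-layer derivation KeyR := KDF(KeyRPMB, IDSoC), KeyA := KDF(KeyR, UUIDTA), KeyF := KDF(KeyA, UUIDF) and the wrapping of each file's KeyF under its owner's KeyA from steps 2.1 to 2.3, as an added Python example that is not the patent's own code: HMAC-SHA256 stands in for the unspecified KDF, an HMAC-based encrypt-then-MAC construction stands in for the TEE's file cipher, and the KeyRPMB value, SoC ID and TA UUIDs are constructed.

```python
import hashlib
import hmac
import os
import uuid

def kdf(parent_key: bytes, identifier: bytes) -> bytes:
    # Assumed KDF: HMAC-SHA256 keyed with the parent key over the child's identifier;
    # the patent only specifies "the KDF defined in the security specification".
    return hmac.new(parent_key, identifier, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a stand-in PRF; a real TEE would use AES.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under separate subkeys; returns nonce || ciphertext || tag."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes) -> bytes:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    enc_key, mac_key = kdf(key, b"enc"), kdf(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class TeeKernelKeys:
    """Kernel layer (step 2.1): KeyR = KDF(KeyRPMB, IDSoC) is held only here; TAs never see it."""

    def __init__(self, key_rpmb: bytes, id_soc: bytes):
        self._key_r = kdf(key_rpmb, id_soc)

    def app_key(self, ta_uuid: uuid.UUID) -> bytes:
        """Application layer (step 2.2): KeyA = KDF(KeyR, UUIDTA), one per trusted application."""
        return kdf(self._key_r, ta_uuid.bytes)

class SecureFileStore:
    """File layer (step 2.3): KeyF = KDF(KeyA, UUIDF); each stored record holds KeyF
    wrapped under KeyA next to the file data sealed under KeyF."""

    def __init__(self):
        self.records = {}

    def write_file(self, key_a: bytes, name: bytes, data: bytes) -> None:
        uuid_f = hashlib.sha256(name).digest()  # file identifier from a hash, as the patent allows
        key_f = kdf(key_a, uuid_f)
        self.records[name] = (seal(key_a, key_f), seal(key_f, data))

    def read_file(self, key_a: bytes, name: bytes) -> bytes:
        wrapped_key_f, sealed_data = self.records[name]
        key_f = unseal(key_a, wrapped_key_f)  # fails unless the caller holds the owner's KeyA
        return unseal(key_f, sealed_data)

def isolation_demo() -> dict:
    """Two TAs on one platform: the owner reads its file, the other TA cannot, and the
    same KeyRPMB on a different SoC ID yields a different key hierarchy."""
    key_rpmb = bytes(range(32))                        # constructed stand-in for the recovered KeyRPMB
    kernel = TeeKernelKeys(key_rpmb, b"SOC-ID-0001")   # constructed SoC identifier
    ta1 = uuid.uuid5(uuid.NAMESPACE_DNS, "ta1.example")  # constructed TA UUIDs
    ta2 = uuid.uuid5(uuid.NAMESPACE_DNS, "ta2.example")
    store = SecureFileStore()
    store.write_file(kernel.app_key(ta2), b"FILE1", b"TA2 private data")
    try:
        store.read_file(kernel.app_key(ta1), b"FILE1")
        other_ta_can_read = True
    except ValueError:
        other_ta_can_read = False
    other_soc = TeeKernelKeys(key_rpmb, b"SOC-ID-0002")
    return {
        "owner_reads_own_file": store.read_file(kernel.app_key(ta2), b"FILE1") == b"TA2 private data",
        "other_ta_can_read": other_ta_can_read,
        "bound_to_platform": kernel.app_key(ta2) != other_soc.app_key(ta2),
    }
```

The patent both derives KeyF from KeyA and UUIDF and stores KeyF wrapped under KeyA, so the example does both and unwraps at read time as step 2.3 describes. The design point worth noticing is that KeyR never leaves the TeeKernelKeys object: a TA only ever receives its own KeyA, so the tree's isolation rests on the kernel refusing to hand out any other node.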

In addition, this embodiment provides a secure storage implementation system supporting TEE extension, which is programmed or configured to perform the steps of the secure storage implementation method supporting TEE extension described above.

In addition, this embodiment provides a secure storage implementation system supporting TEE extension that comprises a computer device programmed or configured to perform the steps of the method described above, or whose memory stores a computer program programmed or configured to perform that method.

In addition, this embodiment provides a computer-readable storage medium storing a computer program programmed or configured to perform the secure storage implementation method supporting TEE extension described above.

Those skilled in the art will appreciate that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM and optical storage) containing computer-usable program code. The present application is described with reference to flowcharts and/… the instructions executed by the processor produce means for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, so that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means that implement the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams. These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus so that a series of operational steps is performed on the computer or other programmable apparatus to produce a computer-implemented process, whereby the instructions executed on the computer or other programmable apparatus provide steps for implementing the functions specified in one or more flows of the flowcharts and/or one or more blocks of the block diagrams.

The above are only preferred embodiments of the present invention; the scope of protection of the invention is not limited to the embodiments above, and all technical solutions within the inventive concept fall within its scope of protection. It should be noted that, for those of ordinary skill in the art, improvements and refinements made without departing from the principle of the invention are also to be regarded as within the scope of protection of the invention.

Claims (9)

1. A secure storage implementation method supporting TEE extension, characterised in that its steps comprise: 1) obtaining the authentication master key KeyRPMB of the RPMB partition; 2) implementing encrypted storage under a hierarchical key system based on KeyRPMB: in the kernel layer of the trusted execution environment (TEE), a specified key generation algorithm derives a root key KeyR from KeyRPMB for kernel-layer encryption and decryption, and KeyR remains in secure memory and the kernel-mode address space for the whole lifetime of the TEE; in the application layer of the TEE, each trusted application (TA) is given a storage key KeyA of its own, derived from the TA's universally unique identifier (UUID) and KeyR, for encrypting and decrypting the files belonging to that TA; in the file layer of the TEE, each file is given an independent key KeyF, derived from the storage key KeyA of the owning TA, for encrypting writes to and decrypting reads of that file.

2. The secure storage implementation method supporting TEE extension of claim 1, characterised in that the detailed sub-steps of step 1) comprise: 1.1) reading the value of the CPU's PUF circuit; 1.2) XORing the PUF reading with the auxiliary data DataKA stored in conventional memory; 1.3) applying the specified decoding operation to the XOR result to obtain the seed key KeyS; 1.4) applying the specified encryption processing to the seed key KeyS to obtain the authentication master key KeyRPMB.

3. The secure storage implementation method supporting TEE extension of claim 2, characterised in that the decoding operation specified in step 1.3) is BCH decoding.

4. The secure storage implementation method supporting TEE extension of claim 2, characterised in that the encryption processing specified in step 1.4) means processing with the key derivation function (KDF) defined in the security specification.

5. The secure storage implementation method supporting TEE extension of claim 2, characterised in that step 1) is preceded by the factory-time generation of the authentication master key KeyRPMB: S1) randomly selecting a seed key KeyS; S2) applying the specified encryption processing to KeyS to obtain the authentication master key KeyRPMB, and writing it into the one-time key register of the memory's RPMB partition; S3) applying the specified encoding operation to KeyS, this encoding operation being the inverse of the decoding operation specified in step 1.3); reading the value of the CPU's PUF circuit and XORing it with the encoding result to obtain the auxiliary data DataKA; finally destroying KeyS and saving DataKA persistently in the device's conventional memory.

6. The secure storage implementation method supporting TEE extension of claim 5, characterised in that it further comprises performing steps S1) to S3) after the conventional memory has been replaced, in order to update the authentication master key KeyRPMB.

7. A secure storage implementation system supporting TEE extension, characterised in that the secure storage implementation system is programmed or configured to perform the steps of the secure storage implementation method supporting TEE extension of any one of claims 1 to 6.

8. A secure storage implementation system supporting TEE extension comprising a computer device, characterised in that the computer device is programmed or configured to perform the steps of the secure storage implementation method supporting TEE extension of any one of claims 1 to 6, or the memory of the computer device stores a computer program programmed or configured to perform the secure storage implementation method supporting TEE extension of any one of claims 1 to 6.

9. A computer-readable storage medium, characterised in that it stores a computer program programmed or configured to perform the secure storage implementation method supporting TEE extension of any one of claims 1 to 6.
CN202010251384.XA 2020-04-01 2020-04-01 Secure storage implementation method and system supporting TEE extension Pending CN111444553A (en)


Publications (1)

Publication Number Publication Date
CN111444553A true CN111444553A (en) 2020-07-24

Family

ID=71652715

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010251384.XA Pending CN111444553A (en) 2020-04-01 2020-04-01 Secure storage implementation method and system supporting TEE extension

Country Status (1)

Country Link
CN (1) CN111444553A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422279A (en) * 2020-11-11 2021-02-26 深圳市中易通安全芯科技有限公司 Intelligent terminal key management method and hierarchical management system
CN112464299A (en) * 2020-11-27 2021-03-09 合肥大唐存储科技有限公司 Method and device for realizing safety data storage, computer storage medium and terminal
CN112738083A (en) * 2020-12-28 2021-04-30 福建正孚软件有限公司 Cross-network cross-border data transmission based secure access key management system and method
CN112784301A (en) * 2021-01-22 2021-05-11 珠海妙存科技有限公司 Method, device and medium for improving RPMB partition data security
CN114257877A (en) * 2021-12-02 2022-03-29 展讯通信(上海)有限公司 Key deployment and use method and device for broadband digital video protection (HDCP)
CN116126753A (en) * 2022-12-28 2023-05-16 江苏都万电子科技有限公司 Protective memory and storage method
US11824984B2 (en) 2022-01-11 2023-11-21 International Business Machines Corporation Storage encryption for a trusted execution environment
CN117668933A (en) * 2022-08-30 2024-03-08 荣耀终端有限公司 Data storage methods and electronic devices
CN117668932A (en) * 2022-08-30 2024-03-08 荣耀终端有限公司 Data storage method and electronic equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103530578A (en) * 2013-10-18 2014-01-22 武汉大学 Method for constructing STPM of android system
CN105007285A (en) * 2015-08-19 2015-10-28 南京万道电子技术有限公司 Key protection method and safety chip based on physical no-cloning function
US20160070932A1 (en) * 2014-09-10 2016-03-10 Vincent J. Zimmer Providing A Trusted Execution Environment Using A Processor
US20190163913A1 (en) * 2017-11-29 2019-05-30 Mstar Semiconductor, Inc. Root key processing method and associated device
CN109960903A (en) * 2017-12-26 2019-07-02 中移(杭州)信息技术有限公司 A method, device, electronic device and storage medium for application reinforcement
US20190340393A1 (en) * 2018-05-04 2019-11-07 Huawei Technologies Co., Ltd. Device and method for data security with a trusted execution environment
CN110677418A (en) * 2019-09-29 2020-01-10 四川虹微技术有限公司 Trusted voiceprint authentication method and device, electronic equipment and storage medium

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
SHIJUN ZHAO ET AL.: "Providing Root of Trust for ARM TrustZone using On-Chip SRAM" *
吴缙 et al.: "Design of a PUF-based Root of Trust and Trusted Computing Platform Architecture" *
范冠男: "Research on a TrustZone-based Virtualized TPM" *

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112422279B (en) * 2020-11-11 2023-02-03 深圳市中易通安全芯科技有限公司 Intelligent terminal key management method and hierarchical management system
CN112422279A (en) * 2020-11-11 2021-02-26 深圳市中易通安全芯科技有限公司 Intelligent terminal key management method and hierarchical management system
CN112464299A (en) * 2020-11-27 2021-03-09 合肥大唐存储科技有限公司 Method and device for realizing safety data storage, computer storage medium and terminal
CN112738083A (en) * 2020-12-28 2021-04-30 福建正孚软件有限公司 Cross-network cross-border data transmission based secure access key management system and method
CN112738083B (en) * 2020-12-28 2023-05-19 福建正孚软件有限公司 System and method for managing secure access key based on cross-network and cross-border data transmission
CN112784301A (en) * 2021-01-22 2021-05-11 珠海妙存科技有限公司 Method, device and medium for improving RPMB partition data security
CN114257877A (en) * 2021-12-02 2022-03-29 展讯通信(上海)有限公司 Key deployment and use method and device for broadband digital video protection (HDCP)
US11824984B2 (en) 2022-01-11 2023-11-21 International Business Machines Corporation Storage encryption for a trusted execution environment
CN117668932A (en) * 2022-08-30 2024-03-08 荣耀终端有限公司 Data storage method and electronic equipment
CN117668933B (en) * 2022-08-30 2025-09-12 荣耀终端股份有限公司 Data storage method and electronic device
CN117668933A (en) * 2022-08-30 2024-03-08 荣耀终端有限公司 Data storage methods and electronic devices
CN116126753A (en) * 2022-12-28 2023-05-16 江苏都万电子科技有限公司 Protective memory and storage method
CN116126753B (en) * 2022-12-28 2024-02-02 江苏都万电子科技有限公司 Protective memory and storage method

Similar Documents

Publication Publication Date Title
CN111444553A (en) Secure storage implementation method and system supporting TEE extension
JP7416775B2 (en) Peripheral device
EP3758287B1 (en) Deterministic encryption key rotation
Mohammad et al. Required policies and properties of the security engine of an SoC
CN100361039C (en) Secure processor
US12105859B2 (en) Managing storage of secrets in memories of baseboard management controllers
KR100611687B1 (en) Multi-token seal and thread release
KR100996784B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on public key encryption.
JP5537742B2 (en) Method and apparatus including architecture for protecting multi-user sensitive code and data
KR101067399B1 (en) One or more computer readable media storing a method, system and a plurality of instructions implemented in a computing device for storage and retrieval of data based on symmetric key encryption.
TWI851820B (en) Integrated circuit, system for securely managing a plurality of keys used for data security and method performed by integrated circuit
TWI514187B (en) Systems and methods for providing anti-malware protection on storage devices
US10318765B2 (en) Protecting critical data structures in an embedded hypervisor system
JP7256861B2 (en) secure computer system
KR20190063264A (en) Method and Apparatus for Device Security Verification Utilizing a Virtual Trusted Computing Base
US20050141717A1 (en) Apparatus, system, and method for sealing a data repository to a trusted computing platform
CN106383790A (en) Bus management unit and high safety system on chip
CN110659506A (en) Replay protection of memory based on key refresh
Gross et al. Enhancing the security of FPGA-SoCs via the usage of ARM TrustZone and a hybrid-TPM
CN107563226A (en) A kind of Memory Controller, processor module and key updating method
US10452565B2 (en) Secure electronic device
CN119026179A (en) Data integrity protection method and related device
Vaswani et al. Confidential machine learning within graphcore ipus
Bertani et al. Confidential Computing: A Security Overview and Future Research Directions
CN119166290B (en) Memory controller, data writing and reading method, and computer system

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20200724
