WO2019047745A1 - Data sharing method, terminal device and storage medium - Google Patents
Data sharing method, terminal device and storage medium
- Publication number
- WO2019047745A1 (PCT/CN2018/102692)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- platform
- physical storage
- virtual address
- data
- application
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/10—Address translation
- G06F12/109—Address translation for multiple virtual address spaces, e.g. segmentation
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F12/00—Accessing, addressing or allocating within memory systems or architectures
- G06F12/02—Addressing or allocation; Relocation
- G06F12/08—Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
- G06F12/0802—Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
- G06F12/0806—Multiuser, multiprocessor or multiprocessing cache systems
- G06F12/084—Multiuser, multiprocessor or multiprocessing cache systems with a shared cache
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Definitions
- The present application relates to the field of computer technologies, and in particular to a data sharing method, a terminal device, and a storage medium.
- TEE: Trusted Execution Environment
- REE: Rich Execution Environment
- The TEE is a secure area on the main processor that guarantees the security, confidentiality, and integrity of the code and data loaded into the environment.
- The TEE can provide security services for the operating system corresponding to the REE, for example when the REE needs to transfer data to the TEE for processing; the TEE and the REE therefore need to share data.
- A shared space B needs to be set up in the terminal device in advance, so that an application in the REE that stores the shared data in space A can also store the shared data in shared space B and then tell the TEE the corresponding storage information.
- The application in the TEE can obtain the shared data from the shared space B for processing, and store the processed data in the shared space B. The application in the REE then needs to copy the data in the shared space B back into the space A.
- The above method of sharing data requires setting up a dedicated shared space for shared data, and the shared space cannot be used by non-shared data, which wastes resources. Moreover, when data needs to be shared, the same data has to be stored in two spaces in the device, which also wastes resources.
- The embodiment of the present application provides a data sharing method to reduce the resource waste caused by sharing data.
- The embodiment of the present application further provides a terminal device and a storage medium to ensure implementation and application of the foregoing system.
- The embodiment of the present application discloses a data sharing method applied to a terminal device, where the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment. In the method, the first platform determines a corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform; the second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information.
- The embodiment of the present application further discloses a terminal device, where the terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment. The first platform is configured to determine the corresponding physical storage address according to the first virtual address information of the shared data, and to send the physical storage address to the second platform. The second platform is configured to map the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and to process the shared data corresponding to the second virtual address information.
- The embodiment of the present application further discloses a terminal device, including: one or more processors; and one or more machine-readable media having instructions stored thereon that, when executed by the one or more processors, cause the terminal device to perform a data sharing method as described in one or more of the embodiments of the present application.
- The embodiment of the present application further discloses one or more machine-readable media having instructions stored thereon that, when executed by one or more processors, cause the terminal device to perform a data sharing method as described in one or more of the embodiments of the present application.
- The embodiments of the present application include the following advantages:
- The first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment. There is therefore no need to set up a shared space dedicated to shared data; space for storing data is requested only when needed, which reduces the waste of resources. The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information. Different platforms thus map the shared data at the same physical storage address to different virtual address information, so both the non-secure environment and the trusted execution environment can obtain the shared data from the same physical storage address without wasting resources.
- FIG. 1 is a schematic diagram of interaction between platforms according to an embodiment of the present application.
- FIG. 3 is a flow chart showing the steps of another data sharing method embodiment of the present application.
- FIG. 4 is a schematic diagram of interaction between a REE and a TEE according to the present application.
- FIG. 5 is a structural block diagram of an embodiment of a terminal device of the present application.
- FIG. 6 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present application.
- FIG. 7 is a schematic structural diagram of hardware of an electronic device according to another embodiment of the present application.
- The TEE provides an isolated execution environment with security features including isolated execution, integrity of trusted applications, confidentiality of trusted data, secure storage, and more. The TEE therefore provides an execution space with a higher level of security than the REE, that is, the execution environment of a common mobile operating system (Android, etc.), and more functionality than a Secure Element (SE, such as a smart card or SIM card).
- The non-secure environment and the trusted execution environment may implement and provide their functions based on the corresponding platform, and a platform may provide an execution environment for the operating system, drivers, applications, and the like.
- The non-secure environment corresponds to the first platform, and the trusted execution environment corresponds to the second platform.
- The first platform can provide a rich execution environment for operating systems such as Android and Linux. The trusted execution environment of the second platform can be determined by the processor technology, such as Intel's Trusted Execution Technology, AMD's Secure Virtual Machine, ARM's TrustZone, and more.
- An application running in the REE is called a client application (CA), and an application running in the TEE is called a trusted application (TA).
- The CA can invoke an interface to request security services from the TA.
- The TA can access all functions of the device's main processor and memory.
- Hardware isolation protects the TA from user apps installed in the main operating system environment, and software and cryptographic isolation inside the TEE protects the TAs from each other, so that the TEE can be used simultaneously by multiple different service providers without compromising security.
- When the TA provides security services for the CA, it needs to obtain the application data corresponding to the CA, process that data, and feed the result back to the CA. This data can be referred to as shared data, that is, data that both the CA and the TA require.
- The terminal device includes a first platform in a non-secure environment and a second platform in a trusted execution environment, where the first platform and the second platform are isolated.
- The two platforms can support different operating systems; for example, the first platform supports Android, Linux, etc., and the second platform supports an operating system that provides security services.
- Both the first platform and the second platform support running applications, so an application in the first platform needs services provided by an application in the second platform.
- For example, when the payment application in the first platform performs a payment function, an application in the second platform is required to provide sensitive data such as bank certificates and user data; in communication and encryption scenarios, the application in the first platform needs the application in the second platform to obtain keys, encrypted communication data, and the like.
- The first platform may determine the first virtual address information corresponding to the shared data, and then determine, based on the first virtual address information, the physical storage address at which the shared data is stored. The shared data may be stored in one or more data blocks, so one or more physical storage addresses can be determined.
- The physical storage address can then be sent to the second platform.
- The second platform may map the physical storage address, determine the corresponding second virtual address information, obtain the shared data according to the second virtual address information, and then process the shared data.
- The terminal device includes various electronic devices such as a smart phone, a personal computer, an Internet of Things device, and a wearable device.
- The shared data can be determined according to specific services: for example, user passwords, credit card information, electronic bank vouchers and network accounts related to e-commerce and payment; keys, signatures and the like related to data encryption; and sensitive data such as call content and short messages.
- The embodiment of the present application does not need to set up a shared space dedicated to shared data and requests storage space only when needed, thereby reducing the waste of resources. Different platforms map the shared data at the same physical storage address to different virtual address information, so both the first platform and the second platform can obtain the shared data from the same physical storage address without wasting resources.
- Referring to FIG. 2, a flow chart of the steps of an embodiment of a data sharing method according to the present application is shown, which specifically includes the following steps:
- Step 202: The first platform determines a corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform.
- The first platform determining the corresponding physical storage address according to the first virtual address information of the shared data includes: the first platform stores the shared data at the first virtual address information, and determines the corresponding physical storage address according to the first storage information.
- The shared data that needs to be processed by the application in the second platform may be stored, and the first virtual address information at which the shared data is stored in the non-secure environment is determined; the first virtual address information corresponds to memory space accessible in the non-secure environment. The corresponding one or more physical storage addresses may then be obtained by mapping the first virtual address information, and the physical storage address is sent to the second platform so that the second platform can acquire the shared data.
- Step 204: The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information.
- The second platform may map the physical storage address in the trusted execution environment to obtain the corresponding second virtual address information, where the second virtual address information corresponds to memory space accessible to the trusted execution environment. The shared data can then be obtained based on the second virtual address information and processed.
- The processing operation of the service corresponding to the application in the first platform may be performed, and the processed data is stored in the memory space corresponding to the second virtual address information; the application in the first platform may then acquire the processed data based on the first virtual address information and execute the required operation.
- The first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment. There is therefore no need to set up a shared space dedicated to shared data; space for storing data is requested only when there is a demand, which reduces the waste of resources. The second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and processes the shared data corresponding to the second virtual address information. Different platforms thus map the shared data at the same physical storage address to different virtual address information, so the non-secure environment and the trusted execution environment can obtain the shared data from the same physical storage address without wasting resources.
- The shared data can be obtained from the same physical storage address, but different environments correspond to different virtual address information, so the data does not need to be copied into two storage spaces. Besides reducing resource consumption, this also reduces data operations and the burden on the device.
- The first virtual address information includes: a first start address and a data size; and the second virtual address information includes: a second start address and a data size.
- A first application runs on the first platform and a second application runs on the second platform. Applications in different execution environments can therefore interact and share data for the required processing.
- The trusted execution environment can provide trusted service support for non-secure environments and ensure data security.
- Referring to FIG. 3, a flow chart of the steps of another data sharing method embodiment of the present application is shown, which specifically includes the following steps:
- Step 302: The first application invokes a first function to request an address space, and acquires first storage information corresponding to the address space.
- Step 304: Store the shared data in the address space according to the first storage information.
- Step 306: Send the first storage information to the first platform.
- The first platform runs the first application.
- The data to be processed is determined to be shared data, so the data size corresponding to the shared data is determined, an address space is requested through the first function based on that data size, the first start address of the address space is obtained from the first function, and the first storage information is generated from the first start address and the data size.
- The shared data can then be stored in the address space corresponding to the first start address.
- The first function is a malloc function. The malloc function can be called to allocate a space based on the data size, the corresponding first start address and data size are determined, the shared data is stored in the space, and the first virtual address information is then sent to the first platform.
- Step 308: The first platform calls a second function, and maps the first storage information in the non-secure environment to obtain a corresponding physical storage address.
- The first platform may determine an interface function provided by the operating system, that is, a second function for converting between virtual addresses and physical storage addresses, for example one that provides this conversion for the non-secure environment. The second function can therefore be called to perform the calculation in the non-secure environment based on the first start address and the data size, determining the one or more physical storage addresses corresponding to the data.
- Step 310: The first platform generates a corresponding array according to the physical storage address and the data size.
- Step 312: The first platform sends the array to the second platform.
- Data is usually stored discontinuously in the device hardware, so the physical storage addresses corresponding to the shared data are usually discontinuous.
- An array may be generated according to the physical storage address and the data size, and each physical storage address and the data size can be stored in the array. The array can then be transferred to the second platform, so that the non-secure environment can inform the trusted execution environment of the shared data that needs to be processed and its storage location.
- Step 314: The second platform parses the array to obtain a corresponding physical storage address and data size.
- Step 316: Invoke a third function, mapping the physical storage address in the trusted execution environment to determine second virtual address information.
- The second platform may parse the array in the trusted execution environment, obtain each physical storage address and the data size, and then call a third function to map the physical storage addresses in the trusted execution environment, determining the address space that the physical storage addresses map to, that is, the second start address at which the shared data is stored in the trusted execution environment.
- The second function is used to perform conversion between the virtual address and the physical storage address, for example, to provide a conversion between the virtual address and the physical storage address for the trusted execution environment, and the second function and the third function may be the same or different.
- Step 318: The second platform sends the second virtual address information to the second application.
- Step 320: The second application acquires the corresponding shared data according to the second virtual address information, and processes the shared data in the trusted execution environment.
- The second platform sends the second virtual address information to the corresponding second application. The second application may then determine the second start address from the second virtual address information, obtain the shared data based on the second start address, and process the shared data in the trusted execution environment, for example key-based decryption, signature verification, bank certificate authentication, obtaining user data, and the like.
- If the second application determines that the data size is insufficient, a request is sent to the first application to notify the first application to re-request the address space.
- The data size required for the processed data can be obtained, so that the data size corresponding to the second virtual address information and the data size required after the processing can be determined, and the second virtual address is determined.
- The request may be sent to the first application to inform it of the data size of the required space, so that the first application may re-request the address space and perform the above steps 302-322.
- The shared data of the first application and the second application is obtained based on the first platform in the non-secure environment and the second platform in the trusted execution environment, that is, the data interaction is implemented at the platform level, while communication interactions between the first application and the second application, such as requests, responses and instruction transfer, are implemented at the application level.
- The shared data of the first platform and the second platform is stored at the same physical storage address instead of in a preset shared space, so the data size is not limited, and in theory all the free memory space in the first platform can be shared. When there is no sharing service, no idle resources are occupied.
- The first platform corresponds to a non-secure environment and the second platform corresponds to a trusted execution environment.
- The first application CA is a payment application that runs in the non-secure environment REE.
- The second application TA is a security support application, or a plug-in corresponding to the payment application, and runs in the trusted execution environment TEE.
- The CA needs to verify account data. It determines that the data size of the space to request is 268 KB, and then calls the malloc function to allocate a 268 KB space X and determine the corresponding first virtual address information, where the first start address is A001 and the data size is 268 KB.
- The account data that needs to be shared with the TA can then be stored in space X.
- The CA then returns the first virtual address information to the driver of the non-secure environment.
- The non-secure environment can perform the mapping according to the first virtual address information, and the corresponding physical storage addresses are: N0, N4, N5, N8, and N11. Since the physical storage addresses are not contiguous, the data size and all the physical storage addresses can be stored in the array share_pa_t.
- A driver in the non-secure environment can send the array share_pa_t to the operating system TEE_OS of the trusted execution environment.
- TEE_OS can parse the contents of the array share_pa_t, obtain the corresponding physical storage addresses (N0, N4, N5, N8, N11, etc.) and the data size (268 KB), and then map based on the physical storage addresses and the data size to obtain the second virtual address information, which includes a second start address B001' and a data size of 268 KB.
- The TEE_OS sends the second virtual address information to the second application TA, and the TA acquires the account data based on the second virtual address information and then verifies the account data.
- The verification result may then be stored according to the second virtual address information, so that the CA can obtain the verification result and perform the required operations, such as providing a payment function.
- The TA may determine the data size required after the account data is verified, and then compare the data size corresponding to the second virtual address information with the required data size. If the required data size is no more than 268 KB, the requested space X is enough to accommodate the processed data, and subsequent verification and other processing operations can be performed. Conversely, if the required data size is greater than 268 KB, such as 300 KB, the requested space X is insufficient to accommodate the processed data; a request can be sent to the CA to inform it that 300 KB of space is needed, and the CA re-applies and performs the above process.
- The embodiment of the present application does not need to pre-define the shared space; instead, the trusted execution environment and the non-secure environment share the physical storage address of the memory, thereby reducing the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during the initialization phase to query the shared space, which reduces the startup time of the device and improves efficiency. And because the physical storage address is shared, the shared data between the trusted execution environment and the non-secure environment does not need to be copied between different addresses, reducing data resources and processing time.
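
The share_pa_t hand-off in the scenario above, simulated in C as an added example (not code from the patent): the page size, frame count, share_pa_t field layout, secure-frame boundary and all function names are assumptions. The checks that `tee_map_share` applies to the array received from the non-secure side are additions that the text does not describe.

```c
#include <stdint.h>
#include <string.h>

#define PAGE_SIZE    4096u
#define NUM_FRAMES   16u  /* simulated physical memory (constructed) */
#define SECURE_FIRST 12u  /* assumption: frames 12..15 are TEE-only */
#define MAX_ENTRIES  8u
#define REE_PAGES    5u

static uint8_t phys_mem[NUM_FRAMES][PAGE_SIZE];

/* Constructed REE page table: virtual page i -> physical frame, mirroring
   the non-contiguous N0, N4, N5, N8, N11 of the scenario above. */
static const uint32_t ree_page_table[REE_PAGES] = { 0, 4, 5, 8, 11 };

/* Array passed from the first platform to the second. The page names it
   share_pa_t; this field layout is an assumption. */
typedef struct {
    uint32_t data_size;           /* bytes of shared data */
    uint32_t count;               /* number of frames listed */
    uint32_t frame[MAX_ENTRIES];  /* frame numbers in virtual order */
} share_pa_t;

/* Second virtual address information: the TEE's view of the same frames. */
typedef struct {
    uint8_t *page[MAX_ENTRIES];
    uint32_t size;
} tee_view_t;

/* First platform: translate the buffer's virtual pages into frames. */
int ree_build_share(uint32_t first_vpage, uint32_t size, share_pa_t *out)
{
    uint32_t pages = (size + PAGE_SIZE - 1) / PAGE_SIZE;
    if (size == 0 || size > MAX_ENTRIES * PAGE_SIZE ||
        first_vpage > REE_PAGES || pages > REE_PAGES - first_vpage)
        return -1;
    out->data_size = size;
    out->count = pages;
    for (uint32_t i = 0; i < pages; i++)
        out->frame[i] = ree_page_table[first_vpage + i];
    return 0;
}

/* Second platform: parse the array, check it, then map it. */
int tee_map_share(const share_pa_t *msg, tee_view_t *view)
{
    share_pa_t s = *msg;  /* work on a snapshot, not the sender's copy */
    if (s.count == 0 || s.count > MAX_ENTRIES)
        return -1;
    /* data_size must occupy exactly `count` pages */
    if (s.data_size <= (s.count - 1) * PAGE_SIZE ||
        s.data_size > s.count * PAGE_SIZE)
        return -2;
    for (uint32_t i = 0; i < s.count; i++) {
        if (s.frame[i] >= SECURE_FIRST)    /* not non-secure memory */
            return -3;
        for (uint32_t j = 0; j < i; j++)
            if (s.frame[j] == s.frame[i])  /* frame listed twice */
                return -4;
    }
    for (uint32_t i = 0; i < s.count; i++)
        view->page[i] = phys_mem[s.frame[i]];
    view->size = s.data_size;
    return 0;
}

uint8_t *ree_byte(uint32_t off)  /* CA access via the first virtual address */
{
    return &phys_mem[ree_page_table[off / PAGE_SIZE]][off % PAGE_SIZE];
}

uint8_t *tee_byte(const tee_view_t *v, uint32_t off)  /* TA access */
{
    return &v->page[off / PAGE_SIZE][off % PAGE_SIZE];
}

/* Round trip: CA stores data, TA processes it in place, CA reads the result
   through its own mapping. Returns 0 when both sides saw the same bytes. */
int demo_roundtrip(void)
{
    const char *acct = "account-data";  /* constructed sample */
    uint32_t n = (uint32_t)strlen(acct);
    uint32_t base = PAGE_SIZE - 4;      /* straddles frames 0 and 4 */
    share_pa_t msg;
    tee_view_t view;
    for (uint32_t i = 0; i < n; i++)
        *ree_byte(base + i) = (uint8_t)acct[i];
    if (ree_build_share(0, 5 * PAGE_SIZE - 100, &msg) != 0 ||
        tee_map_share(&msg, &view) != 0)
        return -1;
    for (uint32_t i = 0; i < n; i++)
        *tee_byte(&view, base + i) ^= 0x20;  /* stand-in for TA processing */
    for (uint32_t i = 0; i < n; i++)
        if (*ree_byte(base + i) != (uint8_t)(acct[i] ^ 0x20))
            return -2;
    return 0;
}

int main(void) { return demo_roundtrip() != 0; }  /* exit status 0 = success */
```
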
- the embodiment further provides a terminal device, where the terminal device includes a first platform 502 in a non-secure environment and a second platform 504 in a trusted execution environment.
- FIG. 5 a structural block diagram of an embodiment of a terminal device of the present application is shown, which may specifically include the following modules:
- the first platform 502 is configured to determine a corresponding physical storage address according to the first virtual address information of the shared data, and send the physical storage address to the second platform.
- the second platform 504 is configured to map the corresponding second virtual address information in the trusted execution environment according to the physical storage address, and process the shared data corresponding to the second virtual address information.
- the first platform in the non-secure environment determines the corresponding physical storage address according to the first virtual address information of the shared data, and sends the physical storage address to the second platform in the trusted execution environment, thereby eliminating the need to set
- the shared data-specific shared space is applied for the space storage data when there is a demand, and the waste of resources is reduced;
- the second platform maps the corresponding second virtual address information in the trusted execution environment according to the physical storage address,
- the shared data corresponding to the second virtual address information is processed. It can be seen that, for shared data in the same physical storage address, different platforms are mapped to different virtual address information, so that the non-secure environment and the trusted execution environment are available. Obtaining shared data in the same physical storage address does not waste resources.
- the first platform and the second platform can obtain shared data from the same physical storage address, but different platforms correspond to different virtual address information, so the data does not need to be copied in two storage spaces, and on the basis of reducing resource occupation, It also reduces data operations and reduces the burden on the device.
- the first virtual address information includes: a first start address and a data size; and the second virtual address information includes: a second start address and a data size.
- the first platform runs with a first application and the second platform runs with a second application. Therefore, applications in different execution environments can perform data interaction and share data for required processing.
- the trusted execution environment can provide trusted service support for non-secure environments and ensure data security.
- the first platform is configured to store shared data in the first virtual address information, and determine a corresponding physical storage address according to the first storage information.
- The first platform is configured to call the first function to request address space, obtain the first storage information corresponding to the address space, and store the shared data in the address space according to the first storage information; the first storage information is sent to the first platform.
- The first platform is configured to invoke a second function and map the first storage information in the non-secure environment to obtain a corresponding physical storage address.
- The first platform is further configured to generate a corresponding array according to the physical storage address and the data size; the first platform sends the array to the second platform.
- The second platform is configured to parse the array to obtain the corresponding physical storage address and data size, and to invoke a third function to map the physical storage address in the trusted execution environment to determine second virtual address information.
- The second platform is configured to send the second virtual address information to the second application; the second application acquires the corresponding shared data according to the second virtual address information, and the shared data is processed in the trusted execution environment.
- The second platform is further configured to: if the second application determines that the data size is insufficient, send a request to the first application to notify the first application to re-request the address space.
- The shared data of the first application and the second application is obtained through the first platform in the non-secure environment and the second platform in the trusted execution environment; that is, data interaction is implemented at the platform level, while communication interactions between the first application and the second application, such as requests, responses and instruction transfer, take place at the application level. The shared data of the first platform and the second platform is therefore stored at the same physical storage address rather than in a preset shared space, so the data size is not limited, and in theory all the free memory space in the first platform can be shared. When there is no sharing service, no idle resources are occupied.
- The first platform corresponds to a non-secure environment and the second platform corresponds to a trusted execution environment.
- The first application CA runs in the non-secure environment REE.
- The second application TA runs in the trusted execution environment TEE.
- The embodiment of the present application does not need to predefine a shared space; instead, the trusted execution environment and the non-secure environment share memory based on the physical storage address, thereby reducing the consumption of memory resources. The driver of the non-secure environment therefore does not need to send a request to the operating system of the trusted execution environment during the initialization phase to query the shared space, which reduces the startup time of the device and improves efficiency. And because the physical storage address is shared, the shared data between the trusted execution environment and the non-secure environment does not need to be copied between different addresses, reducing data resources and processing time.
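The array hand-off described in the steps above, as an added example that is not code from the patent: the REE-side platform packs the physical storage address and data size into an array, and the TEE-side platform parses it before mapping. The four-word layout, the function names, the 4 KiB page size and the non-secure DRAM window are assumptions made for illustration; the validation step is a check a TEE implementation would want before mapping an address supplied by the non-secure side, and the patent text does not describe it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed wire layout (the patent does not specify one): four 32-bit words,
 * [0] address low, [1] address high, [2] size low, [3] size high. */
#define SHM_DESC_WORDS 4

/* Constructed window of non-secure DRAM that the TEE is willing to map. */
#define NS_DRAM_BASE 0x80000000ULL
#define NS_DRAM_END  0xC0000000ULL /* exclusive */
#define PAGE_MASK    0xFFFULL      /* 4 KiB pages assumed */

enum shm_status { SHM_OK, SHM_BAD_DESC, SHM_ZERO_SIZE, SHM_BAD_ALIGN,
                  SHM_OVERFLOW, SHM_OUT_OF_RANGE };

struct shm_region { uint64_t phys; uint64_t size; };

/* First platform (REE): build the array from physical address and data size. */
void shm_desc_pack(uint64_t phys, uint64_t size, uint32_t out[SHM_DESC_WORDS])
{
    out[0] = (uint32_t)phys;
    out[1] = (uint32_t)(phys >> 32);
    out[2] = (uint32_t)size;
    out[3] = (uint32_t)(size >> 32);
}

/* Second platform (TEE): parse the array and validate it before any mapping.
 * The values are copied into locals once, so every check and the later
 * mapping see the same address and size. */
enum shm_status shm_desc_parse(const uint32_t *desc, size_t words,
                               struct shm_region *out)
{
    if (desc == NULL || out == NULL || words != SHM_DESC_WORDS)
        return SHM_BAD_DESC;

    uint64_t phys = ((uint64_t)desc[1] << 32) | desc[0];
    uint64_t size = ((uint64_t)desc[3] << 32) | desc[2];

    if (size == 0)
        return SHM_ZERO_SIZE;
    if (phys & PAGE_MASK)
        return SHM_BAD_ALIGN;      /* mapping is done per page */
    if (phys + size < phys)
        return SHM_OVERFLOW;       /* address + size wraps around */
    if (phys < NS_DRAM_BASE || phys + size > NS_DRAM_END)
        return SHM_OUT_OF_RANGE;   /* reaches memory outside the window */

    out->phys = phys;
    out->size = size;
    return SHM_OK;
}

/* Pack on the REE side, parse on the TEE side, report the verdict. */
enum shm_status shm_handoff(uint64_t phys, uint64_t size, struct shm_region *out)
{
    uint32_t desc[SHM_DESC_WORDS];
    shm_desc_pack(phys, size, desc);
    return shm_desc_parse(desc, SHM_DESC_WORDS, out);
}

int main(void)
{
    struct shm_region r;
    printf("valid buffer:   %d\n", shm_handoff(0x80100000ULL, 0x2000, &r));
    printf("below window:   %d\n", shm_handoff(0x40000000ULL, 0x1000, &r));
    printf("wrapping range: %d\n", shm_handoff(0xFFFFFFFFFFFFF000ULL, 0x2000, &r));
    return 0;
}
```

Only a region that passes every check would be handed to the mapping function; a rejected descriptor is the point at which the second platform can refuse the request instead of mapping it.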
- The embodiment of the present application further provides a non-volatile readable storage medium, where the storage medium stores one or more modules (programs), and when the one or more modules are applied to a device, the device may be caused to execute the instructions of each method step in the embodiment of the present application.
- Embodiments of the present application provide one or more machine readable medium having stored thereon instructions that, when executed by one or more processors, cause an electronic device to perform the method as described in one or more of the above embodiments.
- the electronic device includes a terminal device, a server, and the like.
- FIG. 6 is a schematic structural diagram of hardware of an electronic device according to an embodiment of the present disclosure, where the electronic device may include a terminal device, a server, and the like.
- the electronic device can include an input device 60, a processor 61, an output device 62, a memory 63, and at least one communication bus 64.
- Communication bus 64 is used to implement a communication connection between components.
- the memory 63 may include a high speed RAM (Random Access Memory), and may also include a non-volatile storage NVM (Non-Volatile Memory), such as at least one disk storage.
- The memory 63 may store various programs used to complete various processing functions and to implement the method steps of this embodiment.
- The processor 61 may be implemented as, for example, a central processing unit (CPU), an application specific integrated circuit (ASIC), a digital signal processor (DSP), a digital signal processing device (DSPD), a programmable logic device (PLD), a field programmable gate array (FPGA), a controller, a microcontroller, a microprocessor or another electronic component; the processor 61 is coupled to the input device 60 and output device 62 described above by a wired or wireless connection.
- the input device 60 may include multiple input devices, for example, at least one of a user-oriented user interface, a device-oriented device interface, a software programmable interface, a camera, and a sensor.
- The device-oriented device interface may be a wired interface used for data transmission between devices, or may be a hardware insertion interface (for example, a USB interface, a serial port, etc.) for data transmission between devices.
- The user-oriented user interface may be, for example, a user-oriented control button, a voice input device for receiving voice input, and a touch-sensing device for receiving a user's touch input (e.g., a touch screen with touch sensing function, touch
- The programmable interface of the software may be, for example, an input for the user to edit or modify the program, such as an input pin interface or an input interface of the chip; optionally, the transceiver may have a radio frequency transceiver chip, a baseband processing chip, and a transceiver antenna for communication functions.
- An audio input device such as a microphone can receive voice data.
- Output device 62 may include output devices such as a display, audio equipment, or the like.
- the processor of the device includes functions for executing modules of the network management device in each electronic device.
- the specific functions and technical effects may be referred to the foregoing embodiments, and details are not described herein again.
- FIG. 7 is a schematic structural diagram of hardware of an electronic device according to another embodiment of the present disclosure.
- Figure 7 is a specific embodiment of the implementation of Figure 6.
- the electronic device of this embodiment includes a processor 71 and a memory 72.
- the processor 71 executes the computer program code stored in the memory 72 to implement the data sharing method of FIGS. 1 to 4 in the above embodiment.
- the memory 72 is configured to store various types of data to support operation at the electronic device. Examples of such data include instructions for any application or method operating on an electronic device, such as messages, pictures, videos, and the like.
- Memory 72 may include random access memory RAM and may also include non-volatile memory NVM, such as at least one disk storage.
- processor 71 is disposed in processing component 70.
- the electronic device can also include a communication component 73, a power component 74, a multimedia component 75, an audio component 76, an input/output interface 77, and/or a sensor component 78.
- the components and the like included in the device are set according to actual requirements, which is not limited in this embodiment.
- Processing component 70 typically controls the overall operation of the device.
- Processing component 70 may include one or more processors 71 to execute instructions to perform all or part of the steps of the above-described methods of Figures 1-4.
- processing component 70 can include one or more modules to facilitate interaction between component 70 and other components.
- processing component 70 can include a multimedia module to facilitate interaction between multimedia component 75 and processing component 70.
- Power component 74 provides power to various components of the device.
- Power component 74 can include a power management system, one or more power sources, and other components associated with generating, managing, and distributing power for the electronic device.
- The multimedia component 75 includes a display screen that provides an output interface between the device and the user.
- the display screen can include a liquid crystal display (LCD) and a touch panel (TP). If the display includes a touch panel, the display can be implemented as a touch screen to receive input signals from the user.
- the touch panel includes one or more touch sensors to sense touches, slides, and gestures on the touch panel. The touch sensor may sense not only the boundary of the touch or sliding action, but also the duration and pressure associated with the touch or slide operation.
- the audio component 76 is configured to output and/or input an audio signal.
- audio component 76 includes a microphone (MIC) that is configured to receive an external audio signal when the device is in an operational mode, such as a voice recognition mode.
- the received audio signal may be further stored in memory 72 or transmitted via communication component 73.
- audio component 76 also includes a speaker for outputting an audio signal.
- the input/output interface 77 provides an interface between the processing component 70 and the peripheral interface module, which may be a click wheel, a button, or the like. These buttons may include, but are not limited to, a volume button, a start button, and a lock button.
- Sensor assembly 78 includes one or more sensors for providing various aspects of state assessment for the device.
- sensor component 78 can detect the on/off state of the device, the relative positioning of the components, and the presence or absence of user contact with the device.
- Sensor assembly 78 can include a proximity sensor configured to detect the presence of nearby objects without any physical contact, including detecting the distance between the user and the device.
- the sensor assembly 78 can also include a camera or the like.
- Communication component 73 is configured to facilitate wired or wireless communication between the electronic device and other electronic devices.
- the electronic device can access a wireless network based on a communication standard such as WiFi, 2G or 3G, or a combination thereof.
- the electronic device may include a SIM card slot for inserting the SIM card, so that the device can log in to the GPRS network to establish communication with the server via the Internet.
- the communication component 73, the audio component 76, the input/output interface 77, and the sensor component 78 involved in the embodiment of FIG. 7 can be implemented as an input device in the embodiment of FIG. 6.
- An embodiment of the present application provides a terminal device, including: one or more processors; and one or more machine-readable media having stored thereon instructions that, when executed by the one or more processors, cause the terminal device to perform the method as described in one or more of the embodiments of the present application.
- the description is relatively simple, and the relevant parts can be referred to the description of the method embodiment.
- Embodiments of the present application are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present application. It will be understood that each flow and/or block of the flowchart illustrations and/or FIG.
- These computer program instructions can be provided to a processor of a general purpose computer, special purpose computer, embedded processor or other programmable data processing terminal device to produce a machine, such that the instructions executed by the processor of the computer or other programmable data processing terminal device produce means for implementing the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
- The computer program instructions can also be stored in a computer readable memory that can direct a computer or other programmable data processing terminal device to operate in a particular manner, such that the instructions stored in the computer readable memory produce an article of manufacture comprising an instruction device that implements the functions specified in one or more flows of the flowchart and/or one or more blocks of the block diagram.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Storage Device Security (AREA)
Abstract
The invention relates to a data sharing method, a terminal device and a storage medium. The terminal device comprises a first platform in a rich execution environment and a second platform in a trusted execution environment. The method comprises the following steps: the first platform determines, according to first virtual address information of shared data, a corresponding physical storage address and sends the physical storage address to the second platform (202); and the second platform performs mapping in the trusted execution environment according to the physical storage address to obtain corresponding second virtual address information, and processes the shared data corresponding to the second virtual address information (204). The method acquires shared data from the same physical storage address in both the rich execution environment and the trusted execution environment without wasting resources.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710797460.5 | 2017-09-06 | ||
| CN201710797460.5A CN109460373B (zh) | 2017-09-06 | 2017-09-06 | Data sharing method, terminal device and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019047745A1 (fr) | 2019-03-14 |
Family
ID=65606037
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2018/102692 Ceased WO2019047745A1 (fr) | 2017-09-06 | 2018-08-28 | Data sharing method, terminal device and storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN109460373B (fr) |
| WO (1) | WO2019047745A1 (fr) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
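| CN112559203A (zh) * | 2020-12-10 | 2021-03-26 | 上海连尚网络科技有限公司 | Method and apparatus for implementing data exchange between a service layer and an so library |
| CN113609528A (zh) * | 2021-07-14 | 2021-11-05 | 洛阳小行家科技有限公司 | Data authorization and circulation method and system based on a digital pass |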
Families Citing this family (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN110245001B (zh) * | 2019-05-05 | 2023-04-18 | 创新先进技术有限公司 | Data isolation method and apparatus, and electronic device |
| CN110348204B (zh) * | 2019-06-17 | 2023-05-16 | 海光信息技术股份有限公司 | Code protection system, authentication method, apparatus, chip and electronic device |
| CN110442462B (zh) | 2019-07-16 | 2020-07-28 | 阿里巴巴集团控股有限公司 | Multi-thread data transmission method and apparatus in a TEE system |
| CN110442463B (zh) * | 2019-07-16 | 2020-07-07 | 阿里巴巴集团控股有限公司 | Data transmission method and apparatus in a TEE system |
| US10699015B1 (en) | 2020-01-10 | 2020-06-30 | Alibaba Group Holding Limited | Method and apparatus for data transmission in a tee system |
| CN110399235B (zh) | 2019-07-16 | 2020-07-28 | 阿里巴巴集团控股有限公司 | Multi-thread data transmission method and apparatus in a TEE system |
| CN113688064B (zh) * | 2020-05-18 | 2025-07-15 | 中科寒武纪科技股份有限公司 | Method and device for allocating storage addresses for data in a memory |
| CN114117460B (zh) * | 2020-09-01 | 2024-08-20 | 富联精密电子(天津)有限公司 | Data protection method and apparatus, electronic device and storage medium |
| CN112214444A (zh) * | 2020-09-24 | 2021-01-12 | 深圳云天励飞技术股份有限公司 | Inter-core communication method, ARM, DSP and terminal |
| CN112783847B (zh) * | 2021-01-18 | 2022-08-12 | 中国农业科学院深圳农业基因组研究所 | Data sharing method and apparatus |
| CN114154163B (zh) * | 2021-10-19 | 2023-01-10 | 北京荣耀终端有限公司 | Vulnerability detection method and apparatus |
| CN114090289A (zh) * | 2021-11-17 | 2022-02-25 | 国汽智控(北京)科技有限公司 | Shared memory data calling method and apparatus, electronic device and storage medium |
| CN115017497B (zh) * | 2021-11-24 | 2023-04-18 | 荣耀终端有限公司 | Information processing method, apparatus and storage medium |
| CN116090032B (zh) * | 2022-06-29 | 2023-10-20 | 荣耀终端有限公司 | Display method and related apparatus |
| CN117707799A (zh) * | 2022-09-07 | 2024-03-15 | 华为技术有限公司 | Data processing method, terminal device and readable storage medium |
| CN116933271B (zh) * | 2023-08-02 | 2024-12-13 | 北京火山引擎科技有限公司 | Data processing method, apparatus, device and storage medium |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
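| CN106203082A (zh) * | 2016-06-29 | 2016-12-07 | 上海交通大学 | System and method for efficiently isolating kernel modules based on virtualization hardware features |
| CN106354687A (zh) * | 2016-08-29 | 2017-01-25 | 珠海市魅族科技有限公司 | Data transmission method and system |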
| US20170206174A1 (en) * | 2016-01-15 | 2017-07-20 | Bittium Wireless Oy | Secure memory storage |
| CN107038128A (zh) * | 2016-02-03 | 2017-08-11 | 华为技术有限公司 | Virtualization of an execution environment, and method and apparatus for accessing a virtual execution environment |
Family Cites Families (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| EP0871128A2 (fr) * | 1997-04-10 | 1998-10-14 | Digital Equipment Corporation | Method and apparatus for providing a shared region using shared page tables |
| US6549996B1 (en) * | 1999-07-02 | 2003-04-15 | Oracle Corporation | Scalable multiple address space server |
| US7114053B2 (en) * | 2003-08-21 | 2006-09-26 | Texas Instruments Incorporated | Virtual-to-physical address conversion in a secure system |
| US20060143411A1 (en) * | 2004-12-23 | 2006-06-29 | O'connor Dennis M | Techniques to manage partition physical memory |
| US7734890B2 (en) * | 2006-10-06 | 2010-06-08 | Okralabs Llc | Method and system for using a distributable virtual address space |
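| CN101819564B (zh) * | 2009-02-26 | 2013-04-17 | 国际商业机器公司 | Method and apparatus for facilitating communication between virtual machines |
| CN102110196B (zh) * | 2009-12-25 | 2015-04-29 | 中国长城计算机深圳股份有限公司 | Method and system for secure data transmission between multi-user operating systems running in parallel |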
| US20120110575A1 (en) * | 2010-10-29 | 2012-05-03 | Unisys Corp. | Secure partitioning with shared input/output |
| US8656137B2 (en) * | 2011-09-01 | 2014-02-18 | Qualcomm Incorporated | Computer system with processor local coherency for virtualized input/output |
| IN2014KN00998A (fr) * | 2011-10-12 | 2015-09-04 | C Sam Inc | |
| US9311011B2 (en) * | 2013-08-07 | 2016-04-12 | Qualcomm Incorporated | Dynamic address negotiation for shared memory regions in heterogenous multiprocessor systems |
| CN105446713B (zh) * | 2014-08-13 | 2019-04-26 | 阿里巴巴集团控股有限公司 | Secure storage method and device |
| US9454497B2 (en) * | 2014-08-15 | 2016-09-27 | Intel Corporation | Technologies for secure inter-virtual-machine shared memory communication |
| US9940456B2 (en) * | 2014-12-16 | 2018-04-10 | Intel Corporation | Using trusted execution environments for security of code and data |
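| CN104581214B (zh) * | 2015-01-28 | 2018-09-11 | 三星电子(中国)研发中心 | Multimedia content protection method and apparatus based on an ARM TrustZone system |
| CN106612306A (zh) * | 2015-10-22 | 2017-05-03 | 中兴通讯股份有限公司 | Data sharing method and apparatus for virtual machines |
| CN105488679B (zh) * | 2015-11-23 | 2019-12-03 | 北京小米支付技术有限公司 | Mobile payment device, method and apparatus based on biometric recognition technology |
| CN106845174B (zh) * | 2015-12-03 | 2020-07-10 | 福州瑞芯微电子股份有限公司 | Application permission management method and system under a security system |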
2017
- 2017-09-06 CN CN201710797460.5A patent/CN109460373B/zh active Active
2018
- 2018-08-28 WO PCT/CN2018/102692 patent/WO2019047745A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN109460373B (zh) | 2022-08-26 |
| CN109460373A (zh) | 2019-03-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
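| WO2019047745A1 (fr) | Data sharing method, terminal device and storage medium | |
| TWI538462B (zh) | Method for managing digital usage rights of documents, non-transitory computer-readable medium and mobile computing device | |
| US10409984B1 (en) | Hierarchical data security measures for a mobile device | |
| US9525675B2 (en) | Encryption key retrieval | |
| EP3921749A1 (fr) | Device and method for authenticating an application in an execution environment in a trust zone | |
| WO2018228199A1 (fr) | Authorization method and related device | |
| CN112262547A (zh) | Data processing accelerator having a security unit to provide root trust services | |
| CN112262546A (zh) | Method and system for key distribution and exchange for data processing accelerators | |
| CN112236972A (zh) | Method and system for deriving a session key to secure an information exchange channel between a host system and a data processing accelerator | |
| CN105493538A (zh) | System and method for NFC access control in a secure element centric NFC architecture | |
| US20140258734A1 (en) | Data security method and electronic device implementing the same | |
| KR101837678B1 (ko) | Computing device based on a trusted execution environment | |
| CN111357255B (zh) | Building a trusted application common to multiple applications | |
| US20230161885A1 (en) | Security architecture system, cryptographic operation method for security architecture system, and computing device | |
| US11374898B1 (en) | Use of partial hash of domain name to return IP address associated with the domain name | |
| CN112292678A (zh) | Method and system for validating kernel objects to be executed by a data processing accelerator of a host system | |
| CN112352220A (zh) | Method and system for protecting data processed by data processing accelerators | |
| CN112262545A (zh) | Attestation protocol between a host system and a data processing accelerator | |
| WO2014117648A1 (fr) | Application access method and device | |
| CN112334902A (zh) | Method for establishing a secure information exchange channel between a host system and a data processing accelerator | |
| CN107248078A (zh) | Mobile payment protection method, mobile terminal and computer-readable storage medium | |
| WO2024141008A1 (fr) | Verification method, related apparatus and communication system | |
| CN106534047A (zh) | Information transmission method and apparatus based on a Trust application | |
| CN112236772A (zh) | Method and system for managing memory of a data processing accelerator | |
| CN112352242A (zh) | Data processing accelerator having a local time unit to generate timestamps |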
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 18854261; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 18854261; Country of ref document: EP; Kind code of ref document: A1 |