Access right detection apparatus, method and device
By introducing firewall unit inspection access permissions into NoC, the lack of flexibility in the access permission inspection mechanism of NoC is solved, enabling dynamic switching and customized design of access permissions, and improving the security and flexibility of data access.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- HAINING ESWIN IC DESIGN CO LTD
- Filing Date
- 2023-05-10
- Publication Date
- 2026-07-03
AI Technical Summary
In existing technologies, Network on Chip (NoC) lacks a flexible access control mechanism for data access security, making it difficult to achieve dynamic access control switching and customized design.
A transport-level security mechanism is adopted, which introduces a firewall unit into the on-chip network to detect the access rights of the main access unit to the target register, and configures the access rights policy according to the packet header information, thereby improving the flexibility of access rights detection.
It enables flexible setting of access permission policies according to actual needs, improving the security and flexibility of data access in NoC and adapting to the dynamic switching requirements of access permissions in different scenarios.
Smart Images

Figure CN116668088B_ABST
Abstract
Description
Technical Field
[0001] This application relates to the field of chip security technology, and in particular to an access permission detection device, method and apparatus. Background Technology
[0002] Network on Chip (NoC) is a new communication method for System on Chip (SoC). It is a major component of multi-core technology and enables communication between modules in digital circuits.
[0003] To improve data access security in NoC, appropriate security mechanisms need to be implemented. Therefore, there is an urgent need to provide an access permission detection scheme to achieve secure access. Summary of the Invention
[0004] This application provides an access permission detection device, method, and apparatus to detect access permissions.
[0005] In a first aspect, this application provides an access permission detection device, comprising a firewall unit, a first network interface unit, and a second network interface unit, wherein:
[0006] The first network interface unit is used to receive access data packets sent by the main access unit and send the access data packets to the firewall unit. The access data packets are used to request access to the target register in the slave access unit.
[0007] The firewall unit is configured to determine, based on the header information in the access data packet, whether the main access unit has access rights to the target register; and, based on whether the main access unit has access rights to the target register, whether to send the access data packet to the target register through the second network interface unit.
[0008] In one possible implementation, the firewall unit includes a first detection subunit and a second detection subunit, and the packet header information includes tag information associated with the access unit; wherein:
[0009] The first detection subunit is used to determine a detection result based on the tag information, and the detection result is used to indicate whether the main access unit has access rights to the slave access unit;
[0010] The second detection subunit is used to determine, based on the detection result, whether the main access unit has access rights to the target register.
[0011] In one possible implementation, the tag information includes an access unit tag, a security tag, and a read / write tag; the first detection subunit is specifically used for:
[0012] If the security label indicates that the access data packet belongs to a secure access data packet, or if the slave access unit label indicates that the slave access unit has a security protection mechanism, then the master access unit is determined to have pass-through access to the slave access unit.
[0013] If the security tag indicates that the access data packet is not a secure access data packet, and the slave access unit tag indicates that the slave access unit does not have a security protection mechanism, the master access unit determines whether it has access rights to the slave access unit based on the read / write tag.
[0014] In one possible implementation, the firewall unit further includes a first register unit; wherein:
[0015] The first register unit is used to store the read / write permission information from the access unit;
[0016] The step of the first detection subunit determining whether the master access unit has access rights to the slave access unit based on the read / write tag includes:
[0017] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0018] Based on the unit read / write permission information of the access unit, determine whether to allow the target access operation to be performed on the access unit;
[0019] If the target access operation is permitted to be performed on the slave access unit, it is determined that the master access unit has access rights to the slave access unit;
[0020] If the target access operation is not allowed to be performed on the slave access unit, it is determined that the master access unit does not have access rights to the slave access unit.
[0021] In one possible implementation, the packet header information further includes the address information of the target register; the second detection subunit is specifically used for:
[0022] If the master access unit has pass-through access to the slave access unit, it is determined that the master access unit has access to the target register;
[0023] If the master access unit has access rights to the slave access unit, determine whether the master access unit has access rights to the target register based on the address information;
[0024] If the master access unit does not have access to the slave access unit, it is determined that the master access unit does not have access to the target register.
[0025] In one possible implementation, the step of the second detection subunit determining whether the main access unit has access to the target register based on the address information includes:
[0026] The type of the target register is determined based on the address information, and the type of the target register is one of a general-purpose register, a secure-access-only register, or a register with variable access permissions.
[0027] If the target register is of the type of a general-purpose register, then the main access unit is determined to have access rights to the target register;
[0028] If the target register is of the type of secure-only register, then it is determined that the main access unit does not have access rights to the target register;
[0029] If the target register is of the type of variable access register, then the main access unit determines whether it has access to the target register based on the read / write tag.
[0030] In one possible implementation, the firewall unit further includes a second register unit; wherein:
[0031] The second register unit is used to store register read / write permission information of the register in the access unit;
[0032] The second detection subunit determines whether the main access unit has access to the target register based on the read / write tag, including the following steps:
[0033] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0034] Based on the register read / write permission information of the target register, determine whether the target access operation is allowed to be performed on the target register;
[0035] If the target access operation is permitted to be performed on the target register, it is determined that the main access unit has access rights to the target register;
[0036] If the target access operation is not allowed to be performed on the target register, it is determined that the main access unit does not have access rights to the target register.
[0037] Secondly, this application provides an access permission detection method, the method comprising:
[0038] The first network interface unit receives an access data packet sent by the master access unit, the access data packet being used to request access to a target register in the slave access unit;
[0039] Based on the header information in the access data packet, determine whether the main access unit has access rights to the target register;
[0040] Based on whether the main access unit has access rights to the target register, it is determined whether to send the access data packet to the target register through the second network interface unit.
[0041] In one possible implementation, the packet header information includes tag information associated with the slave access unit; determining whether the master access unit has access to the target register based on the packet header information in the access data packet includes:
[0042] Based on the tag information, a detection result is determined, and the detection result is used to indicate whether the main access unit has access rights to the slave access unit;
[0043] Based on the detection results, determine whether the main access unit has access to the target register.
[0044] In one possible implementation, the tag information includes an access unit tag, a security tag, and a read / write tag; determining the detection result based on the tag information includes:
[0045] If the security label indicates that the access data packet belongs to a secure access data packet, or if the slave access unit label indicates that the slave access unit has a security protection mechanism, then the master access unit is determined to have pass-through access to the slave access unit.
[0046] If the security tag indicates that the access data packet is not a secure access data packet, and the slave access unit tag indicates that the slave access unit does not have a security protection mechanism, the master access unit determines whether it has access rights to the slave access unit based on the read / write tag.
[0047] In one possible implementation, determining whether the master access unit has access rights to the slave access unit based on the read / write tag includes:
[0048] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0049] Based on the unit read / write permission information of the access unit, determine whether to allow the target access operation to be performed on the access unit;
[0050] If the target access operation is permitted to be performed on the slave access unit, it is determined that the master access unit has access rights to the slave access unit;
[0051] If the target access operation is not allowed to be performed on the slave access unit, it is determined that the master access unit does not have access rights to the slave access unit.
[0052] In one possible implementation, the packet header information further includes the address information of the target register; determining whether the main access unit has access rights to the target register based on the detection result includes:
[0053] If the master access unit has pass-through access to the slave access unit, it is determined that the master access unit has access to the target register;
[0054] If the master access unit has access rights to the slave access unit, determine whether the master access unit has access rights to the target register based on the address information;
[0055] If the master access unit does not have access to the slave access unit, it is determined that the master access unit does not have access to the target register.
[0056] In one possible implementation, determining whether the main access unit has access to the target register based on the address information includes:
[0057] The type of the target register is determined based on the address information, and the type of the target register is one of a general-purpose register, a secure-access-only register, or a register with variable access permissions.
[0058] If the target register is of the type of a general-purpose register, then the main access unit is determined to have access rights to the target register;
[0059] If the target register is of the type of secure-only register, then it is determined that the main access unit does not have access rights to the target register;
[0060] If the target register is of the type of variable access register, then the main access unit determines whether it has access to the target register based on the read / write tag.
[0061] In one possible implementation, determining whether the main access unit has access to the target register based on the read / write tag includes:
[0062] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0063] Based on the register read / write permission information of the target register, determine whether the target access operation is allowed to be performed on the target register;
[0064] If the target access operation is permitted to be performed on the target register, it is determined that the main access unit has access rights to the target register;
[0065] If the target access operation is not allowed to be performed on the target register, it is determined that the main access unit does not have access rights to the target register.
[0066] Thirdly, this application provides an electronic device including an access permission detection device as described in any of the first aspects.
[0067] Fourthly, this application provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the access permission detection method as described in the second aspect.
[0068] The access permission detection apparatus, method, and device provided in this application include a firewall unit, a first network interface unit, and a second network interface unit. The first network interface unit receives access data packets sent by a master access unit and sends access data packets to the firewall unit. These access data packets request access to a target register in a slave access unit. The firewall unit determines whether the master access unit has access permission to the target register based on the header information in the access data packets. If the master access unit has access permission to the target register, the firewall unit sends the access data packets to the second network interface unit, which then sends the access data packets to the target register, thus enabling access. The solution in this application provides a transport-level security mechanism that, instead of directly configuring the access permissions of the slave access unit, configures and detects the access permissions of the slave access unit through the firewall unit. During the process of the master access unit accessing the target register in the slave access unit through the first and second network interface units, access permission detection is achieved by setting firewall units in the first and second network interface units. This allows the access permission strategy of the firewall unit to be set according to actual needs, improving the flexibility of access permission detection. Attached Figure Description
[0069] To more clearly illustrate the technical solutions in this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0070] Figure 1 This is a schematic diagram of the access permission detection device provided in the embodiments of this application;
[0071] Figure 2 A schematic diagram illustrating the access permission detection device provided in this application embodiment performing access permission detection;
[0072] Figure 3 This is a schematic diagram of the internal structure of the firewall unit provided in the embodiments of this application;
[0073] Figure 4 This is a flowchart illustrating the process of the first detection subunit detecting the access permissions of the main access unit to the slave access unit, as provided in an embodiment of this application.
[0074] Figure 5 A schematic diagram illustrating the process of the first detection subunit detecting the access rights of the main access unit to the target register provided in an embodiment of this application;
[0075] Figure 6A flowchart illustrating the access permission detection method provided in this application embodiment;
[0076] Figure 7 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation
[0077] To make the objectives, technical solutions, and advantages of this application clearer, the technical solutions of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.
[0078] In the embodiments of this application, "at least one" refers to one or more, and "more than one" refers to two or more. "And / or" describes the relationship between related objects, indicating that three relationships can exist. For example, A and / or B can represent: A existing alone, A and B existing simultaneously, and B existing alone, where A and B can be singular or plural. In the textual description of this application, the character " / " generally indicates that the preceding and following related objects have an "or" relationship.
[0079] NoC is a new communication method for SoC and a major component of multi-core technology, enabling communication between modules in digital circuits.
[0080] To enhance data access security in NoC, appropriate security mechanisms must be implemented. These mechanisms are categorized into transaction-level and transport-level security mechanisms. In NoC, transaction-level security can be mapped from the Advanced Microcontroller Bus Architecture (AMBA) bus signals (AxPROT) or user-defined signals (ReqUser) to NoC security flags. By defining security flag values, transaction access to target regions in the address mapping can be filtered.
[0081] Transaction-level security mechanisms can impose specific security restrictions on an entire contiguous address range and are a standard security mechanism. The system predefines a security flag value; the value of the access request after address mapping is compared with the security flag value. If they match, access to the address range is allowed; otherwise, access is denied. However, transaction-level security mechanisms cannot have their security policies changed after configuration and are difficult to customize for specific needs. For example, during SoC operation, certain addresses in the SoC's registers may have different protection policies in different scenarios, involving dynamic switching of access permissions, which is difficult to achieve using transaction-level security mechanisms.
[0082] Therefore, this application provides an access permission detection device that employs a transport-level security mechanism. By adding a firewall unit to perform access permission detection, the process of access permission detection is extracted and executed by the firewall unit. This allows the firewall unit to be set up in an appropriate location according to actual needs, improving the flexibility of the security mechanism. The following is in conjunction with... Figure 1 The solutions of the embodiments of this application will be described.
[0083] Figure 1 This is a schematic diagram of the access permission detection device provided in the embodiments of this application, as shown below. Figure 1 As shown, the device includes a first network interface unit 11, a firewall unit 12, and a second network interface unit 13, wherein:
[0084] The first network interface unit 11 is used to receive access data packets sent by the main access unit and send access data packets to the firewall unit 12. The access data packets are used to request access to the target register in the slave access unit.
[0085] Firewall unit 12 is used to determine whether the main access unit has access rights to the target register based on the header information in the access data packet; and to determine whether to send the access data packet to the target register through the second network interface unit 13 based on whether the main access unit has access rights to the target register.
[0086] The access permission detection device in this application embodiment can be part of NoC, and the access permission detection device includes firewall unit 12, first network interface unit 11 and second network interface unit 13.
[0087] Figure 2 A schematic diagram illustrating the access permission detection device provided in this application embodiment performing access permission detection, as shown below. Figure 2 As shown, the firewall unit and the first network interface unit, the firewall unit and the second network interface unit, and the first network interface unit and the second network interface unit can all be connected via a bus.
[0088] A NoC can include a master access unit and multiple slave access units, where the master access unit is the unit that initiates the access, and the slave access units are the units that may be accessed. For any slave access unit, it can include one or more registers, and the master access unit can access one of the registers in the slave access unit.
[0089] In a single access operation, the master access unit can access a specific register within a slave access unit. In this embodiment, the master access unit accesses the target register within the slave access unit. First, the master access unit sends an access data packet through the first network interface unit 11. After receiving the access data packet sent by the master access unit, the first network interface unit 11 sends the access data packet to the firewall unit 12.
[0090] The access packet is an access request initiated by the primary access unit. The access request is in the form of a data packet and is used to request access to the target register in the secondary access unit. The access packet includes header information. After receiving the access packet, the firewall unit 12 performs an access permission check on the primary access unit based on the header information to determine whether the primary access unit has access permission to the target register in the secondary access unit.
[0091] If firewall unit 12 determines that the master access unit has access rights to the target register in the slave access unit, firewall unit 12 sends the access data packet to the second network interface unit 13, and the second network interface unit 13 sends the access data packet to the slave access unit to realize access to the target register in the slave access unit.
[0092] If firewall unit 12 determines that the master access unit does not have access to the target register in the slave access unit, the second network interface unit 13 sends an error response to the first network interface unit 11. The first network interface unit 11 can return the error response to the master access unit, indicating that the master access unit does not have access to the target register in the slave access unit.
[0093] The access permission detection device provided in this application includes a firewall unit, a first network interface unit, and a second network interface unit. The first network interface unit receives access data packets sent by a master access unit and sends access data packets to the firewall unit. These access data packets request access to a target register in the slave access unit. The firewall unit determines whether the master access unit has access permission to the target register based on the header information in the access data packets. If the master access unit has access permission, the firewall unit sends the access data packets to the second network interface unit, which then sends the access data packets to the target register, thus enabling access. This application provides a transport-level security mechanism that, instead of directly configuring the access permissions of the slave access unit, configures and detects the access permissions of the slave access unit through the firewall unit. During the process of the master access unit accessing the target register in the slave access unit through the first and second network interface units, access permission detection is achieved by setting up firewall units in the first and second network interface units. This allows for setting the access permission strategy of the firewall unit according to actual needs, improving the flexibility of access permission detection.
[0094] Based on any of the above embodiments, the solutions of the embodiments of this application will be described in detail below with reference to the accompanying drawings.
[0095] Figure 3 This is a schematic diagram of the internal structure of the firewall unit provided in the embodiments of this application, such as... Figure 3 As shown, the firewall unit includes a first detection subunit and a second detection subunit, both of which are used to detect access permissions.
[0096] The header information of the access data packet includes tag information associated with the slave access unit. The first detection subunit is used to determine the detection result based on the tag information. The detection result is used to indicate whether the master access unit has access rights to the slave access unit.
[0097] That is, the first detection subunit detects the access permissions at the slave access unit level. When the master access unit wants to access the target register in the slave access unit, it first checks whether the master access unit has access permissions to the slave access unit.
[0098] The following will combine Figure 4 The detection process of the first detection subunit is introduced.
[0099] Figure 4 This is a flowchart illustrating the process by which the first detection subunit detects the access permissions of the main access unit to the slave access unit, as provided in an embodiment of this application. Figure 4 As shown, it includes:
[0100] S41, the first detection subunit determines whether the access data packet belongs to a secure access data packet, or whether the access unit has a security protection mechanism. If yes, then execute S43; otherwise, execute S42.
[0101] The header information of the access data packet includes tag information associated with the access unit. Based on this tag information, it can be determined whether the access data packet is a secure access data packet and whether the access unit has a security protection mechanism.
[0102] In one possible implementation, the tag information includes a security tag, which indicates whether the access packet is a secure access packet. If the security tag indicates that the access packet is a secure access packet, then the access by the master access unit to the destination register in the slave access unit can be determined to be a secure access, thus confirming that the master access unit has pass-through access to the slave access unit.
[0103] Taking the field Rx_0_Flag_Prot_1 as a security tag as an example, a value of 1 in Rx_0_Flag_Prot_1 indicates that the access packet is not a secure access packet, while a value of 0 indicates that the access packet is a secure access packet. Therefore, after obtaining the value of Rx_0_Flag_Prot_1 from the packet header information, the first detection subunit determines that if Rx_0_Flag_Prot_1 = 1, the access packet is not a secure access packet; if Rx_0_Flag_Prot_1 = 0, the access packet is secure.
[0104] In one possible implementation, the tag information includes a slave access unit tag, which is the identifier of the slave access unit, and each slave access unit corresponds to a unique slave access unit tag.
[0105] For any given slave access unit, whether it has a security protection mechanism is pre-configured; that is, the first detection subunit knows whether each slave access unit has a security protection mechanism. Therefore, after obtaining the slave access unit tag, the first detection subunit can uniquely identify the slave access unit based on the slave access unit tag, thereby determining whether the slave access unit has a security protection mechanism.
[0106] For any slave access unit, the slave access unit has a security protection mechanism, which can also be referred to as the slave access unit having security awareness. This means that the slave access unit has corresponding security measures for the master access unit that wants to access it. For example, it can perform corresponding security checks on the master access unit or perform corresponding security checks on the access data packets sent by the master access unit. These are determined by the policy configured by the slave access unit itself. In the embodiments of this application, the specific security policy in the security protection mechanism of the slave access unit is not limited.
[0107] Taking the field Rx_0_SlvLabel as the tag of the access unit as an example, after the first detection sub-unit obtains the field Rx_0_SlvLabel from the packet header information, it can determine whether the access unit has a security protection mechanism based on the field Rx_0_SlvLabel.
[0108] S42, the first detection subunit determines whether the target access operation of the main access unit to the target register is a read access or a write access based on the read / write tag. If it is a read access, then execute S44; if it is a write access, then execute S46.
[0109] If the security label indicates that the access data packet is not a secure access data packet, it means that the access of the master access unit to the target register in the slave access unit is not a secure access and subsequent permission checks are required to determine that the master access unit does not have pass-through access to the slave access unit.
[0110] If the access unit does not have a security protection mechanism, it means that the access unit does not have a mechanism to perform corresponding security checks on the access data packets sent by the master access unit, and therefore it is determined that the master access unit does not have pass-through access rights to the access unit.
[0111] In summary, if the security label indicates that the access data packet is not a secure access data packet, or if the secondary access unit label indicates that the secondary access unit does not have a security protection mechanism, then it is determined that the primary access unit does not have pass-through access to the secondary access unit.
[0112] Therefore, the first detection subunit determines whether the master access unit has access rights to the slave access unit based on the read / write tag in the tag information.
[0113] like Figure 3 As shown, the firewall unit also includes a first register unit, which is used to store multiple read / write permission information from the access unit.
[0114] For each slave access unit, the first register unit includes two storage units, which respectively store the read permission information and write permission information (i.e., the unit read and write permission information of the slave access unit). The read permission information is used to indicate whether read access to the slave access unit is allowed, and the write permission information is used to indicate whether write access to the slave access unit is allowed.
[0115] The header information also includes a read / write tag, which indicates whether the access operation of the master access unit to the target register is a read or write access. Based on the read / write tag, the first detection subunit can determine the target access operation of the master access unit on the target register, and whether the target access operation is a read or write access. Then, based on the slave access unit's read / write permission information, the first detection subunit determines whether to allow the target access operation to be performed on the slave access unit.
[0116] For example, if the read / write tag indicates that the target access operation of the master access unit to the target register is a read access, then the first detection subunit determines from the unit read / write permission information stored in the first register unit whether read access to the slave access unit is allowed; if the read / write tag indicates that the target access operation of the master access unit to the target register is a write access, then the first detection subunit determines from the unit read / write permission information stored in the first register unit whether write access to the slave access unit is allowed.
[0117] If the target access operation is allowed to be performed on the slave access unit, it is determined that the master access unit has access rights to the slave access unit; if the target access operation is not allowed to be performed on the slave access unit, it is determined that the master access unit does not have access rights to the slave access unit.
[0118] S43, determine that the detection result indicates that the master access unit has pass-through access to the slave access unit.
[0119] If the security label indicates that the access data packet is a secure access data packet, it means that the access of the master access unit to the target register in the slave access unit is a secure access, and no further permission detection is required, thus confirming that the master access unit has pass-through access to the slave access unit.
[0120] If the slave access unit has a security protection mechanism, it means that the slave access unit will perform corresponding security checks on the access data packets sent by the master access unit, and no additional processing of the access data packets is required. Even if the access data packet is not a secure access data packet, the slave access unit can still be protected by its security protection mechanism. Therefore, if it is determined that the slave access unit has a security protection mechanism, it is determined that the master access unit has direct access permission to the slave access unit.
[0121] In summary, if the security label indicates that the access data packet belongs to a secure access data packet, or if the secondary access unit label indicates that the secondary access unit has a security protection mechanism, then it is determined that the primary access unit has pass-through access rights to the secondary access unit.
[0122] S44, the first detection subunit determines whether a read access to the slave access unit is allowed. If yes, then execute S47; otherwise, execute S45.
[0123] If the target access operation is a read access, the first detection subunit determines whether a read access to the slave access unit is allowed based on the slave access unit's read / write permission information stored in the first register unit. If yes, the master access unit is determined to have access permission to the slave access unit; otherwise, the master access unit is determined not to have access permission to the slave access unit.
[0124] S45, it is determined that the detection result indicates that the master access unit does not have access rights to the slave access unit.
[0125] S46, the first detection subunit determines whether write access to the slave access unit is allowed. If yes, then execute S47; otherwise, execute S45.
[0126] If the target access operation is a write access, the first detection subunit determines whether write access to the slave access unit is allowed based on the slave access unit's read / write permission information stored in the first register unit. If yes, the master access unit is determined to have access permission to the slave access unit; otherwise, the master access unit is determined not to have access permission to the slave access unit.
[0127] S47, determine that the detection result indicates that the master access unit has access rights to the slave access unit.
[0128] In the above embodiments, the process by which the first detection subunit detects whether the master access unit has access rights to the slave access unit and obtains the detection result is described. After obtaining the detection result, the second detection subunit in the firewall unit determines whether the master access unit has access rights to the target register based on the detection result. The following section will further elaborate on this process. Figure 5 This process will be described.
[0129] Figure 5 This is a schematic diagram illustrating the process of the first detection subunit detecting the access rights of the main access unit to the target register provided in an embodiment of this application, as shown below. Figure 5 As shown, it includes:
[0130] S501, the second detection subunit determines the value of the detection result.
[0131] After processing the access data packet, the first detection subunit obtains the detection result and sends it to the second detection subunit. The detection result is used to indicate whether the master access unit has access rights to the slave access unit.
[0132] S502, if the detection result is 2b'00, then it is determined that the main access unit does not have access to the target register.
[0133] In this embodiment, the detection result is represented by the field target_access. When target_access = 2b'00, it indicates that the detection result shows that the master access unit does not have access rights to the slave access unit. In this case, it is determined that the master access unit does not have access rights to the target register.
[0134] S503, if the detection result is 2b'10, then it is determined that the main access unit has access to the target register.
[0135] When target_access = 2b'10, it indicates that the detection result shows that the master access unit has pass-through access to the slave access unit. At this time, it is determined that the master access unit has access to the target register.
[0136] S504, if the detection result is 2b'01, the second detection subunit determines the type of the target register based on the address information.
[0137] When target_access = 2b'01, it indicates that the detection result shows that the master access unit has access rights to the slave access unit, but whether the master access unit has access rights to the target register in the slave access unit still needs to be further determined.
[0138] It should be noted that, in this embodiment of the application, using a detection result value of 2b'00 to indicate that the main access unit does not have access to the slave access unit, using a detection result value of 2b'10 to indicate that the main access unit has direct access to the slave access unit, and using a detection result value of 2b'01 to indicate that the main access unit has access to the slave access unit are merely examples. These three different detection results can also be indicated by other possible values, and this embodiment of the application does not limit this.
[0139] In this embodiment of the application, whether the main access unit has access rights to the target register is determined by judging the type of the target register. The types of target registers include secure-only registers, ordinary registers, and registers with variable access rights.
[0140] The header information of the access data packet also includes the address information of the destination register. The destination register can be determined based on the address information of the destination register. The second detection subunit can also determine whether the destination register belongs to a special register based on the address information of the destination register. The special registers include secure-only registers and registers with variable access permissions.
[0141] S505, if the target register is a secure-access-only register, determine that the main access unit does not have access rights to the target register.
[0142] A security-only register refers to a register that allows only secure access. An access packet is considered secure when its security label indicates it is a secure access packet, or when its access unit label indicates it has a security protection mechanism. In this embodiment, the access packet in this case is not a secure access. Therefore, if the target register is a security-only register, it is determined that the master access unit does not have access to the target register.
[0143] S506, if the target register is a general-purpose register, determine that the main access unit has access rights to the target register.
[0144] Ordinary registers have lower security requirements, so if the target register is an ordinary register, the main access unit is guaranteed to have access to the target register.
[0145] S507, if the target register is a variable access register, the second detection subunit determines the target access operation of the main access unit on the target register based on the read / write tag.
[0146] A variable access register is a register whose access permissions can change as needed. In some cases, the register has access permissions, while in others, it does not, requiring further judgment.
[0147] The read / write tag is used to indicate whether the main access unit's access operation to the target register is a read access or a write access. If the target register is a variable access register, the second detection subunit can determine the target access operation of the main access unit to the target register based on the read / write tag, and whether the target access operation is a read access or a write access.
[0148] S508, the second detection subunit determines whether target access operation is allowed to be performed on the target register based on the register read / write permission information of the target register. If yes, then S510 is executed; otherwise, S509 is executed.
[0149] like Figure 3As shown, the firewall unit also includes a second register unit, which is used to store register read / write permission information of the registers in each slave access unit. The multiple slave access units include the slave access unit accessed by the master access unit in this access.
[0150] For any register within each access unit, the second register unit includes two storage units for that register, storing the read permission information and write permission information (i.e., register read / write permission information) of that register, respectively. The read permission information indicates whether read access to the register is permitted, and the write permission information indicates whether write access to the register is permitted.
[0151] Then, the first detection subunit determines whether to allow target access operations on the target register based on the register unit read / write permission information of the target register.
[0152] For example, if the read / write tag indicates that the main access unit's target access operation to the target register is a read access, then the second detection subunit determines whether read access to the target register is allowed from the register read / write permission information stored in the second register unit; if the read / write tag indicates that the main access unit's target access operation to the target register is a write access, then the second detection subunit determines whether write access to the target register is allowed from the register read / write permission information stored in the second register unit.
[0153] S509 determines that the main access unit does not have access to the target register.
[0154] If target access operations are not permitted on the target register, it is determined that the main access unit does not have access rights to the target register.
[0155] S510, determine that the main access unit has access rights to the target register.
[0156] If target access operations are permitted on the target register, determine that the main access unit has access rights to the target register.
[0157] In summary, the main access unit is determined to have access to the target register when at least one of the following conditions is met:
[0158] 1.1 The master access unit does not have access rights to the slave access unit;
[0159] 1.2 The target register is a general-purpose register;
[0160] 1.3 The target register is a variable access register, and the variable access register allows target access operations to be performed on the target register.
[0161] In summary, the main access unit is determined to have access to the target register when at least one of the following conditions is met:
[0162] 2.1 The master access unit has direct access permission to the slave access unit;
[0163] 2.2 The target register is a security-only register;
[0164] 2.3 The target register is a variable access register, and a variable access register does not allow target access operations to be performed on the target register.
[0165] exist Figure 5 In the example flow, the firewall unit ultimately receives a field indicating whether the primary access unit has access to the target register. Taking `target_reg_access` as an example, if any of conditions 1.1-1.3 above are met, `target_reg_access` is assigned the value 1'b1; if any of conditions 2.1-2.3 above are met, `target_reg_access` is assigned the value 1'b0. Therefore, if `target_reg_access = 1'b1`, the primary access unit has access to the target register, and the firewall unit sends the access packet to the secondary access unit through the second network interface unit to access the target register; if `target_reg_access = 1'b0`, the primary access unit does not have access to the target register, and the second network interface unit returns an error response to the primary access unit through the first network interface unit, indicating that the primary access unit does not have permission to access the target register.
[0166] In summary, the solution of this application provides a transport-level security mechanism. Instead of directly configuring the access permissions of the slave access unit, it configures and detects the access permissions of the slave access unit through a firewall unit. During the process of the master access unit accessing the target register in the slave access unit through the first network interface unit and the second network interface unit, access permission detection is achieved by setting firewall units in the first and second network interface units. This allows the access permission policy of the firewall unit to be set according to actual needs, improving the flexibility of access permission detection. The number of firewall units can be set as needed, as can the location and internal logic of the firewall units. Furthermore, the configuration of the first and second register units within the firewall units can be freely modified vertically to change the security policy, thus meeting the requirement of changeable register access permissions and flexibly satisfying the security encryption strategy of the SoC.
[0167] Figure 6 This is a flowchart illustrating the access permission detection method provided in the embodiments of this application, as shown below. Figure 6 As shown, it includes:
[0168] S61, receive an access data packet sent by the master access unit through the first network interface unit, the access data packet being used to request access to the target register in the slave access unit;
[0169] S62, determine whether the main access unit has access rights to the target register based on the header information in the access data packet;
[0170] S63, depending on whether the main access unit has access rights to the target register, determine whether to send the access data packet to the target register through the second network interface unit.
[0171] In one possible implementation, the packet header information includes tag information associated with the slave access unit; determining whether the master access unit has access to the target register based on the packet header information in the access data packet includes:
[0172] Based on the tag information, a detection result is determined, and the detection result is used to indicate whether the main access unit has access rights to the slave access unit;
[0173] Based on the detection results, determine whether the main access unit has access to the target register.
[0174] In one possible implementation, the tag information includes an access unit tag, a security tag, and a read / write tag; determining the detection result based on the tag information includes:
[0175] If the security label indicates that the access data packet belongs to a secure access data packet, or if the slave access unit label indicates that the slave access unit has a security protection mechanism, then the master access unit is determined to have pass-through access to the slave access unit.
[0176] If the security tag indicates that the access data packet is not a secure access data packet, and the slave access unit tag indicates that the slave access unit does not have a security protection mechanism, the master access unit determines whether it has access rights to the slave access unit based on the read / write tag.
[0177] In one possible implementation, determining whether the master access unit has access rights to the slave access unit based on the read / write tag includes:
[0178] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0179] Based on the unit read / write permission information of the access unit, determine whether to allow the target access operation to be performed on the access unit;
[0180] If the target access operation is permitted to be performed on the slave access unit, it is determined that the master access unit has access rights to the slave access unit;
[0181] If the target access operation is not allowed to be performed on the slave access unit, it is determined that the master access unit does not have access rights to the slave access unit.
[0182] In one possible implementation, the packet header information further includes the address information of the target register; determining whether the main access unit has access rights to the target register based on the detection result includes:
[0183] If the master access unit has pass-through access to the slave access unit, it is determined that the master access unit has access to the target register;
[0184] If the master access unit has access rights to the slave access unit, determine whether the master access unit has access rights to the target register based on the address information;
[0185] If the master access unit does not have access to the slave access unit, it is determined that the master access unit does not have access to the target register.
[0186] In one possible implementation, determining whether the main access unit has access to the target register based on the address information includes:
[0187] The type of the target register is determined based on the address information, and the type of the target register is one of a general-purpose register, a secure-access-only register, or a register with variable access permissions.
[0188] If the target register is of the type of a general-purpose register, then the main access unit is determined to have access rights to the target register;
[0189] If the target register is of the type of secure-only register, then it is determined that the main access unit does not have access rights to the target register;
[0190] If the target register is of the type of variable access register, then the main access unit determines whether it has access to the target register based on the read / write tag.
[0191] In one possible implementation, determining whether the main access unit has access to the target register based on the read / write tag includes:
[0192] Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access;
[0193] Based on the register read / write permission information of the target register, determine whether the target access operation is allowed to be performed on the target register;
[0194] If the target access operation is permitted to be performed on the target register, it is determined that the main access unit has access rights to the target register;
[0195] If the target access operation is not allowed to be performed on the target register, it is determined that the main access unit does not have access rights to the target register.
[0196] Figure 7 An example is a schematic diagram of the physical structure of an electronic device, such as... Figure 7 As shown, the electronic device may include a processor 710, a communications interface 720, a memory 730, and a communication bus 740, wherein the processor 710, communications interface 720, and memory 730 communicate with each other via the communication bus 740. The processor 710 can invoke logical instructions in the memory 730 to execute an access permission detection method. This method includes: receiving an access data packet sent by a master access unit through a first network interface unit, the access data packet being used to request access to a target register in a slave access unit; determining, based on the header information in the access data packet, whether the master access unit has access permission to the target register; and determining, based on whether the master access unit has access permission to the target register, whether to send the access data packet to the target register through a second network interface unit.
[0197] Furthermore, the logical instructions in the aforementioned memory 730 can be implemented as software functional units and, when sold or used as independent products, can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or a portion of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods described in the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0198] In another aspect, this application also provides a non-transitory computer-readable storage medium storing a computer program thereon. When executed by a processor, the computer program implements the access permission detection method provided by the above methods. The method includes: receiving an access data packet sent by a master access unit through a first network interface unit, the access data packet being used to request access to a target register in a slave access unit; determining, based on the header information in the access data packet, whether the master access unit has access permission to the target register; and determining, based on whether the master access unit has access permission to the target register, whether to send the access data packet to the target register through a second network interface unit.
[0199] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.
[0200] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.
[0201] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.
Claims
1. An access permission detection device, characterized in that, It includes a firewall unit, a first network interface unit, and a second network interface unit, wherein: The first network interface unit is used to receive access data packets sent by the main access unit and send the access data packets to the firewall unit. The access data packets are used to request access to the target register in the slave access unit. The firewall unit is configured to determine, based on the header information in the access data packet, whether the main access unit has access rights to the target register; and, based on whether the main access unit has access rights to the target register, whether to send the access data packet to the target register through the second network interface unit. The firewall unit includes a first detection subunit and a second detection subunit, and the packet header information includes tag information associated with the access unit; wherein: The first detection subunit is used to determine a detection result based on the tag information, and the detection result is used to indicate whether the main access unit has access rights to the slave access unit; The second detection subunit is used to determine, based on the detection result, whether the main access unit has access rights to the target register; Determining whether the main access unit has access to the target register based on the detection result includes: If the master access unit has pass-through access to the slave access unit, it is determined that the master access unit has access to the target register; If the master access unit has access rights to the slave access unit, determine whether the master access unit has access rights to the target register based on the address information of the target register in the packet header information; If the master access unit does not have access rights to the slave access unit, it is determined that the master access unit does not have access rights to the target register. The tag information includes an access unit tag, a security tag, and a read / write tag; the first detection subunit is specifically used for: If the security label indicates that the access data packet belongs to a secure access data packet, or if the slave access unit label indicates that the slave access unit has a security protection mechanism, then the master access unit is determined to have pass-through access to the slave access unit. If the security tag indicates that the access data packet is not a secure access data packet, and the slave access unit tag indicates that the slave access unit does not have a security protection mechanism, the master access unit is determined to have access rights to the slave access unit based on the read / write tag. The firewall unit further includes a first register unit; wherein: The first register unit is used to store the read / write permission information from the access unit; The step of the first detection subunit determining whether the master access unit has access rights to the slave access unit based on the read / write tag includes: Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access; Based on the unit read / write permission information of the access unit, determine whether to allow the target access operation to be performed on the access unit; If the target access operation is permitted to be performed on the slave access unit, it is determined that the master access unit has access rights to the slave access unit; If the target access operation is not allowed to be performed on the slave access unit, it is determined that the master access unit does not have access rights to the slave access unit; The step of the second detection subunit determining whether the main access unit has access to the target register based on the address information includes: The type of the target register is determined based on the address information, and the type of the target register is one of a general-purpose register, a secure-access-only register, or a register with variable access permissions. If the target register is of the type of a general-purpose register, then the main access unit is determined to have access rights to the target register; If the target register is of the type of secure-only register, then it is determined that the main access unit does not have access rights to the target register; If the target register is of the type of variable access register, then based on the read / write tag, it is determined whether the main access unit has access to the target register; The firewall unit further includes a second register unit; wherein: The second register unit is used to store register read / write permission information of the register in the access unit; The second detection subunit determines whether the main access unit has access to the target register based on the read / write tag, including the following steps: Based on the read / write tag, the target access operation of the main access unit on the target register is determined, and the target access operation is either a read access or a write access; Based on the register read / write permission information of the target register, determine whether the target access operation is allowed to be performed on the target register; If the target access operation is permitted to be performed on the target register, it is determined that the main access unit has access rights to the target register; If the target access operation is not allowed to be performed on the target register, it is determined that the main access unit does not have access rights to the target register.
2. An access permission detection method, executed by the access permission detection device according to claim 1, characterized in that, The method includes: The first network interface unit receives an access data packet sent by the master access unit, the access data packet being used to request access to a target register in the slave access unit; Based on the header information in the access data packet, determine whether the main access unit has access rights to the target register; the determination of whether the main access unit has access rights to the target register based on the header information in the access data packet includes: Based on the tag information in the header information, the detection result is determined, and the detection result is used to indicate whether the main access unit has access rights to the slave access unit; Determining whether the master access unit has access to the target register based on the detection result; the determination of whether the master access unit has access to the target register based on the detection result includes: if the master access unit has pass-through access to the slave access unit, determining that the master access unit has access to the target register; if the master access unit has access to the slave access unit, determining whether the master access unit has access to the target register based on the address information of the target register in the packet header information; if the master access unit does not have access to the slave access unit, determining that the master access unit does not have access to the target register. Based on whether the main access unit has access rights to the target register, it is determined whether to send the access data packet to the target register through the second network interface unit.
3. An electronic device, characterized in that, Includes the access permission detection device as described in claim 1.
4. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by the processor, it implements the access permission detection method as described in claim 2.