A secure running system based on a secure solid state disk and a TEE

By combining a secure solid-state drive with a TEE, the problems of insufficient underlying data security protection in TEE and lack of rollback protection for secure system operations are solved. Hardware encryption and decryption and dedicated secure storage are implemented, thereby improving data security and system rollback protection capabilities.

CN122020745BActive Publication Date: 2026-06-23JIANGSU XINSHENG INTELLIGENT TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
JIANGSU XINSHENG INTELLIGENT TECH CO LTD
Filing Date
2026-04-13
Publication Date
2026-06-23

AI Technical Summary

Technical Problem

In existing technologies, TEE's underlying data security protection is insufficient, lacking a dedicated secure storage area, and the system's secure operations are not protected against rollback, posing risks of data leakage and rollback attacks.

Method used

It adopts a combination of secure solid-state drives and TEE, and uses the main control chip to encrypt and decrypt data, provides a dedicated secure storage area, and records the data operation status to ensure the security of sensitive data and the system's anti-rollback capability.

Benefits of technology

Hardware encryption and decryption of underlying data is implemented to prevent plaintext data leakage, improve the storage security of sensitive data, prevent data interception and rollback attacks, and reduce hardware procurement and adaptation costs.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122020745B_ABST
    Figure CN122020745B_ABST
Patent Text Reader

Abstract

The application discloses a kind of safe running systems based on secure solid state disk and TEE, it is related to safe storage technical field, including general execution environment REE and trusted execution environment TEE connected by trusted channel, the hardware layer of trusted execution environment TEE includes secure solid state disk, secure solid state disk includes main control chip, special safe storage area and conventional storage area, main control chip is used to carry out data encryption and decryption and provide the highest level key storage and operation environment, special safe storage area is used to access sensitive and highly confidential data, conventional storage area is used to access general system file data, and record the state information of data reading operation.The application adopts the architecture of TEE+secure solid state disk to realize security protection, to replace traditional TPCM, TCM chip and the like hardware with secure solid state disk, provide underlying data security and key security support for TEE by secure solid state disk, realize anti-rollback attack.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of secure storage technology, and more specifically to a secure operating system based on a secure solid-state drive and a TEE. Background Technology

[0002] In the field of security equipment, a common approach is to use a TEE (Trusted Execution Environment) + REE (Rich Execution Environment) to ensure the security of host and system operations. REE is a general-purpose, open functional execution environment that primarily runs user operating systems and functional software programs; TEE is a secure, isolated trusted execution environment that primarily performs secure and reliable operations such as authentication and data encryption / decryption. The REE and TEE environments are isolated from each other. The REE can initiate security service requests to the TEE through a specific interface, and the TEE receives and executes the requests from the REE, returning the results. Compared to pure software encryption schemes (such as secure multi-party computation and homomorphic encryption), TEE has a significant performance advantage, with a much lower computational overhead. However, the implementation of TEE depends on the underlying hardware. Different manufacturers' implementation schemes may have differences and potential vulnerabilities, and there are some shortcomings as follows: (1) Insufficient protection of underlying data security: If the operating system and file storage in the TEE environment do not have hard disks to implement data encryption and decryption, plaintext and sensitive data may be directly written to the hard disk, which may pose a risk of data theft; if software is used to encrypt and decrypt data, there will be a risk of slow data read and write speed and the encryption key being exposed in memory during operation. (2) No dedicated secure data storage area: Since TEE involves sensitive data, if there is no independent dedicated secure data storage area, the plaintext or ciphertext of this sensitive data may be seen by the outside, which may pose a risk of targeted cracking or destruction. (3) No rollback protection for system security operations: When TEE accesses system data, it may only perform encrypted writing and decrypted reading of data, without recording the state of the data, which may pose a risk of ciphertext being intercepted and subject to rollback attacks. Summary of the Invention

[0003] The purpose of this invention is to overcome the shortcomings of the prior art and provide a secure operating system based on a secure solid-state drive and a TEE, ensuring the security of the underlying hardware and data.

[0004] The objective of this invention is achieved through the following technical solution:

[0005] A secure operating system based on a secure solid-state drive (SSD) and a Trusted Execution Environment (TEE) includes a general execution environment (REE) and a trusted execution environment (TEE) connected via a trusted channel. The application layer of the TEE includes trusted applications that receive trusted service requests and store the processing results. The system layer of the TEE includes a secure operating system and hardware management. The secure operating system handles trusted service request processing, scheduling, access control, and result management. The hardware layer of the TEE includes a secure SSD comprising a controller chip, a dedicated secure storage area, and a regular storage area. The controller chip performs data encryption and decryption and provides a high-level key storage and computing environment. The dedicated secure storage area stores sensitive and highly confidential data, and the regular storage area stores general system file data and records the status information of data read operations. The interface layer of the TEE is a trusted channel, which enables trusted interaction between the system layer and the hardware layer of the TEE.

[0006] Furthermore, the data encryption and decryption process of the secure solid-state drive is as follows:

[0007] When the secure solid-state drive is powered on for the first time, the controller chip of the secure solid-state drive randomly generates a data encryption key;

[0008] In a Trusted Execution Environment (TEE), the secure operating system performs write and read operations on relevant I / O data based on trusted business requests.

[0009] The controller chip of a secure solid-state drive uses a data encryption key to automatically encrypt and decrypt the read I / O data. The encryption and decryption operations include symmetric encryption and decryption and asymmetric encryption and decryption.

[0010] Furthermore, the secure solid-state drive provides a dedicated secure storage area for the Trusted Execution Environment (TEE). This dedicated secure storage area is used to access sensitive and highly confidential data, including user passwords, program security configuration information, and system security data backup information. The dedicated secure storage area is not visible to the outside world, and the TEE performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface.

[0011] Furthermore, the Trusted Execution Environment (TEE) performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface, specifically including the following sub-steps:

[0012] Trusted services initiate Get or Set requests with authority authentication information.

[0013] The Trusted Execution Environment (TEE) initiates a session start request to the secure solid-state drive (SSD) through the SSD SDK's disk API. The session start request includes authority authentication information.

[0014] The secure solid-state drive uses the received authority authentication information for authentication, and generates a session ID after successful authentication;

[0015] The secure solid-state drive requests session synchronization from the Trusted Execution Environment (TEE) based on the generated session ID;

[0016] The Trusted Execution Environment (TEE) obtains or sets object values ​​from the Dedicated Secure Storage Area and sends a Session ID and an LBA, where the LBA is the location in the Dedicated Secure Storage Area that needs to be operated on.

[0017] The secure solid-state drive completes the Get or Set operation;

[0018] The secure solid-state drive returns the status and data information of the completed operation to the Trusted Execution Environment (TEE).

[0019] Within the same session validity period, the Trusted Execution Environment (TEE) performs multiple read and write operations on the dedicated secure storage area. After the operation is completed, it sends a session termination request to the secure solid-state drive.

[0020] After receiving the session termination request command, the secure solid-state drive closes the current session and returns the status to the Trusted Execution Environment (TEE).

[0021] Furthermore, after user programs in the general execution environment (REE) complete identity authentication and authorization through the trusted channel provided by the TEE, the TEE agent enables indirect access to the dedicated secure storage area.

[0022] Furthermore, the steps for a Trusted Execution Environment (TEE) to write files to the regular storage area of ​​a secure solid-state drive include:

[0023] Trusted Execution Environment (TEE) receives the file to be written through the read / write interface;

[0024] Determine whether the file to be written is a high-security file. If it is not a high-security file, write the file directly to the regular storage area of ​​the secure SSD. If it is a high-security file, perform a hash operation on the file and use the hash value, owner ID, and write time to generate a status information ID for the data. After writing the file name and status information ID to the dedicated secure storage area and the Trusted Execution Environment (TEE) memory, write the file to the regular storage area of ​​the secure SSD.

[0025] Furthermore, the steps for a Trusted Execution Environment (TEE) to read files from the regular storage area of ​​a secure solid-state drive include:

[0026] Trusted Execution Environment (TEE) reads files through a read / write interface;

[0027] Determine if the file to be read is a high-security file. If it is a high-security file, first compare the status information IDs of the Trusted Execution Environment (TEE) memory and the dedicated secure storage area. If they are inconsistent, it means that the operation to read the file did not come from the Trusted Execution Environment (TEE) or that there are replay or rollback tools, and return failure.

[0028] If the status information ID matches, the file is read from the secure solid-state drive, and the status information ID of the data is generated using the file's hash value, owner ID, and read time. The latest status information ID is then updated in the Trusted Execution Environment (TEE) memory and the dedicated secure storage area.

[0029] The beneficial effects of this invention are:

[0030] (1) This invention solves the problem of insufficient underlying data security protection. In the TEE environment, all data written to the disk is encrypted and decrypted by the hardware of the secure solid-state drive controller chip, which not only avoids the leakage of plaintext data, but also solves the problems of slow software encryption and decryption speed and easy exposure of keys. Moreover, the encryption and decryption operation does not affect the performance of the device.

[0031] (2) The present invention provides a dedicated secure storage area that is not visible to the outside through a secure solid-state drive, which is only allowed to be accessed by TEE through a dedicated authentication interface, ensuring that sensitive data will not be read, cracked or destroyed by the outside, thus improving the storage security of sensitive data.

[0032] (3) This invention targets high-security files and records and updates the file operation status at both ends of the TEE memory and the dedicated secure storage area through the generation, storage and verification mechanism of status information ID, which effectively prevents data interception and rollback attacks and improves the security of system operation.

[0033] (4) This invention uses a secure solid-state drive as an SE, which has its own independent hardware security chip. It does not require additional adaptation of encryption chips such as TPCM and TCM, nor does it require modification of host hardware. This reduces hardware procurement and adaptation costs, making the solution more economical and highly portable, and thus has higher commercial promotion value. Attached Figure Description

[0034] Figure 1 This is an architecture diagram of a secure operating system based on a secure solid-state drive and a TEE.

[0035] Figure 2 This diagram illustrates the data interaction between a Trusted Execution Environment (TEE) and a secure solid-state drive (SSD) via a trusted hard disk API interface for reading and writing operations.

[0036] Figure 3 A flowchart illustrating the write operation of a file in the regular storage area of ​​a secure solid-state drive by a Trusted Execution Environment (TEE).

[0037] Figure 4 This is a flowchart illustrating the process of a Trusted Execution Environment (TEE) reading files from a regular storage area on a secure solid-state drive. Detailed Implementation

[0038] The technical solution of the present invention will be clearly and completely described below with reference to the embodiments. Obviously, the described embodiments are only some embodiments of the present invention, and not all embodiments. Based on the embodiments of the present invention, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of the present invention.

[0039] See Figures 1-4 The present invention provides a technical solution:

[0040] A secure operating system based on a secure solid-state drive and a TEE, such as Figure 1 The system comprises a general execution environment (REE) and a trusted execution environment (TEE) connected via a trusted channel. The TEE's application layer includes trusted applications that receive trusted service requests and store the processing results. The TEE's system layer includes a secure operating system and hardware management. The secure operating system handles trusted service request processing, scheduling, access control, and result management. The TEE's hardware layer includes a secure solid-state drive (SSD). This SSD comprises a controller chip, a dedicated secure storage area, and a regular storage area. The controller chip performs data encryption and decryption and provides a high-level key storage and computing environment. The dedicated secure storage area stores sensitive and highly confidential data, while the regular storage area stores general system file data and records the status information of data read operations. The TEE's interface layer is a trusted channel, which enables trusted interaction between the system layer and the hardware layer.

[0041] In this embodiment, the data encryption and decryption process of the secure solid-state drive is as follows:

[0042] When the secure solid-state drive is powered on for the first time, the controller chip of the secure solid-state drive randomly generates a data encryption key;

[0043] In a Trusted Execution Environment (TEE), the secure operating system performs write and read operations on relevant I / O data based on trusted business requests.

[0044] The controller chip of a secure solid-state drive uses a data encryption key to automatically encrypt and decrypt the read I / O data. The encryption and decryption operations include symmetric encryption and decryption and asymmetric encryption and decryption.

[0045] The main control chip automatically encrypts and decrypts I / O data using a data encryption key, and all encryption and decryption operations are completed internally within the secure SSD, ensuring that the data stored on the secure SSD is encrypted to guarantee data security. Furthermore, since I / O data encryption and decryption are performed by the main control chip, the time overhead of these operations is minimal and does not affect performance. Because the secure SSD is equipped with an independent hardware security main control chip, it can also be used as a Security Element (SE), giving it resistance to side-channel analysis and protection against physical attacks. Encryption and decryption operations for TEE sensitive information can all be performed through the SE, thus preventing plaintext keys from appearing in memory. In a TEE environment, data is encrypted and decrypted by the secure SSD's main control chip in hardware, avoiding plaintext data leakage and solving the problems of slow software encryption / decryption speeds and easy key exposure.

[0046] The secure solid-state drive provides a dedicated secure storage area for the Trusted Execution Environment (TEE). This dedicated secure storage area is used to access sensitive and highly confidential data, including user passwords, program security configuration information, and system security data backup information. The dedicated secure storage area is not visible to the outside world, and the TEE performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface.

[0047] By providing a dedicated secure storage area that is not visible to the outside through a secure solid-state drive, and allowing TEEs to access it only through a dedicated authentication interface, sensitive data is ensured to be protected from being read, cracked, or destroyed by external parties, thereby improving the storage security of sensitive data.

[0048] like Figure 2 As shown, the Trusted Execution Environment (TEE) performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface, specifically including the following sub-steps:

[0049] Trusted services initiate Get or Set requests with authority authentication information.

[0050] The Trusted Execution Environment (TEE) initiates a session start request to the secure solid-state drive (SSD) through the SSD SDK's disk API. The session start request includes authority authentication information.

[0051] The secure solid-state drive verifies the received authority authentication information, generates a session ID after successful verification, and sends it back to the TEE kernel.

[0052] The secure solid-state drive requests session synchronization from the Trusted Execution Environment (TEE) based on the generated session ID;

[0053] The Trusted Execution Environment (TEE) obtains or sets object values ​​from the Dedicated Secure Storage Area and sends a Session ID and an LBA, where the LBA is the location in the Dedicated Secure Storage Area that needs to be operated on.

[0054] The secure solid-state drive completes the Get or Set operation;

[0055] The secure solid-state drive returns the status and data information of the completed operation to the Trusted Execution Environment (TEE).

[0056] Within the same session validity period, the Trusted Execution Environment (TEE) performs multiple read and write operations on the dedicated secure storage area. After the operation is completed, it sends a session termination request to the secure solid-state drive.

[0057] After receiving the session termination request command, the secure solid-state drive closes the current session and returns the status to the Trusted Execution Environment (TEE).

[0058] User programs within the REE (Free Execution Environment) complete authentication and authorization through a trusted channel provided by the TEE (Trusted Execution Environment), and then the TEE acts as a proxy to indirectly access the dedicated secure storage area. When a user application in the REE environment needs to access the dedicated secure storage area, the following steps are executed: A1: The application initiates an access request with authentication information to the TEE through the Object Get / Set API provided by the TEE; A2: The TEE authenticates the application's authentication information. If authentication is successful, the TEE acts as a proxy to complete data access according to the steps described above for reading and writing to the dedicated secure storage area; A3: The TEE sends the access result back to the application in the REE through a trusted channel; if authentication fails, the TEE directly returns an access failure message to the application and rejects subsequent operations.

[0059] When the TEE reads and writes files in the non-dedicated secure storage area on the disk, for file read / write operations with high security requirements, the status number information of the read / write operation needs to be recorded simultaneously on the TEE's memory and the secure hard disk to prevent data interception and rollback.

[0060] like Figure 3 As shown, the steps for a Trusted Execution Environment (TEE) to write files to a regular storage area on a secure solid-state drive include:

[0061] Trusted Execution Environment (TEE) receives the file to be written through the read / write interface;

[0062] Determine whether the file to be written is a high-security file. If it is not a high-security file, write the file directly to the regular storage area of ​​the secure SSD. If it is a high-security file, perform a hash operation on the file and use the hash value, owner ID, and write time to generate a status information ID for the data. After writing the file name and status information ID to the dedicated secure storage area and the Trusted Execution Environment (TEE) memory, write the file to the regular storage area of ​​the secure SSD.

[0063] like Figure 4 As shown, the steps for a Trusted Execution Environment (TEE) to read files from a regular storage area on a secure solid-state drive include:

[0064] Trusted Execution Environment (TEE) reads files through a read / write interface;

[0065] Determine if the file to be read is a high-security file. If it is a high-security file, first compare the status information IDs of the Trusted Execution Environment (TEE) memory and the dedicated secure storage area. If they are inconsistent, it means that the operation to read the file did not come from the Trusted Execution Environment (TEE) or that there are replay or rollback tools, and return failure.

[0066] If the status information ID matches, the file is read from the secure solid-state drive, and the status information ID of the data is generated using the file's hash value, owner ID, and read time. The latest status information ID is then updated in the Trusted Execution Environment (TEE) memory and the dedicated secure storage area.

[0067] This invention targets high-security files and, through a mechanism for generating, storing, and verifying status information IDs, records and updates file operation status on both ends of the TEE memory and a dedicated secure storage area. This effectively prevents data interception and rollback attacks, thereby improving the security of system operations.

[0068] This invention employs a TEE + secure solid-state drive architecture to achieve security protection. It replaces traditional TPCM, TCM chips and other hardware with a secure solid-state drive, providing underlying data security and key security support for the TEE. At the same time, it sets up a dedicated secure storage area and records the system's secure data operation status, thereby preventing rollback attacks.

[0069] The above description is merely a preferred embodiment of the present invention. It should be understood that the present invention is not limited to the forms disclosed herein and should not be construed as excluding other embodiments. It can be used in various other combinations, modifications, and environments, and can be altered within the scope of the concept described herein through the above teachings or related technologies or knowledge. Modifications and variations made by those skilled in the art that do not depart from the spirit and scope of the present invention should be within the protection scope of the appended claims.

Claims

1. A secure operating system based on a secure solid-state drive and a TEE, characterized in that, The system includes a general execution environment (REE) and a trusted execution environment (TEE) connected via a trusted channel. The application layer of the TEE includes trusted applications, which receive trusted service requests and store the processing results of these requests. The system layer of the TEE includes a secure operating system and hardware management. The secure operating system is used for processing trusted service requests, scheduling trusted services, managing the permissions of trusted services, and managing the processing results of trusted services. The hardware layer of the TEE includes a secure solid-state drive (SSD). The SSD includes a main control chip, a dedicated secure storage area, and a regular storage area. The main control chip is used for data encryption and decryption and provides the highest level of key storage and computing environment. The dedicated secure storage area is used to access sensitive and highly confidential data. The regular storage area is used to access general system file data and record the status information of data read operations. The interface layer of the Trusted Execution Environment (TEE) is the Trusted Channel, which is used to enable trusted interaction between the system layer and the hardware layer of the TEE. The steps involved in a Trusted Execution Environment (TEE) reading files from a regular storage area on a secure solid-state drive include: Trusted Execution Environment (TEE) reads files through a read / write interface; Determine if the file to be read is a high-security file. If it is a high-security file, first compare the status information IDs of the Trusted Execution Environment (TEE) memory and the dedicated secure storage area. If they are inconsistent, it means that the operation to read the file did not come from the Trusted Execution Environment (TEE) or that there are replay or rollback tools, and return failure. If the status information ID matches, the file is read from the secure solid-state drive, and the status information ID of the data is generated using the file's hash value, owner ID, and read time. The latest status information ID is then updated in the Trusted Execution Environment (TEE) memory and the dedicated secure storage area.

2. The secure operating system based on a secure solid-state drive and a TEE according to claim 1, characterized in that: The secure solid-state drive performs data encryption and decryption as follows: When the secure solid-state drive is powered on for the first time, the controller chip of the secure solid-state drive randomly generates a data encryption key; In a Trusted Execution Environment (TEE), the secure operating system performs write and read operations on relevant I / O data based on trusted business requests. The controller chip of a secure solid-state drive uses a data encryption key to automatically encrypt and decrypt the read I / O data. The encryption and decryption operations include symmetric encryption and decryption and asymmetric encryption and decryption.

3. A secure operating system based on a secure solid-state drive and a TEE according to claim 1, characterized in that: The secure solid-state drive provides a dedicated secure storage area for the Trusted Execution Environment (TEE). This dedicated secure storage area is used to access sensitive and highly confidential data, including user passwords, program security configuration information, and system security data backup information. The dedicated secure storage area is not visible to the outside world, and the TEE performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface.

4. A secure operating system based on a secure solid-state drive and a TEE according to claim 3, characterized in that: The Trusted Execution Environment (TEE) performs read and write operations on the dedicated secure storage area of ​​the secure solid-state drive through a trusted hard disk API interface, specifically including the following sub-steps: Trusted services initiate Get or Set requests with authority authentication information. The Trusted Execution Environment (TEE) initiates a session start request to the secure solid-state drive (SSD) through the SSD SDK's disk API. The session start request includes authority authentication information. The secure solid-state drive uses the received authority authentication information for authentication, and generates a session ID after successful authentication; The secure solid-state drive requests session synchronization from the Trusted Execution Environment (TEE) based on the generated session ID; The Trusted Execution Environment (TEE) obtains or sets object values ​​from the Dedicated Secure Storage Area and sends a Session ID and an LBA, where the LBA is the location in the Dedicated Secure Storage Area that needs to be operated on. The secure solid-state drive completes the Get or Set operation; The secure solid-state drive returns the status and data information of the completed operation to the Trusted Execution Environment (TEE). Within the same session validity period, the Trusted Execution Environment (TEE) performs multiple read and write operations on the dedicated secure storage area. After the operation is completed, it sends a session termination request to the secure solid-state drive. After receiving the session termination request command, the secure solid-state drive closes the current session and returns the status to the Trusted Execution Environment (TEE).

5. A secure operating system based on a secure solid-state drive and a TEE according to claim 1, characterized in that: User programs in the general execution environment (REE) complete identity authentication and authorization through the trusted channel provided by the TEE, and then the TEE agent enables indirect access to the dedicated secure storage area.

6. A secure operating system based on a secure solid-state drive and a TEE according to claim 1, characterized in that: The steps involved in a Trusted Execution Environment (TEE) performing a write operation on a file in the regular storage area of ​​a secure solid-state drive include: Trusted Execution Environment (TEE) receives the file to be written through the read / write interface; Determine whether the file to be written is a high-security file. If it is not a high-security file, write the file directly to the regular storage area of ​​the secure SSD. If it is a high-security file, perform a hash operation on the file and use the hash value, owner ID, and write time to generate a status information ID for the data. After writing the file name and status information ID to the dedicated secure storage area and the Trusted Execution Environment (TEE) memory, write the file to the regular storage area of ​​the secure SSD.