Secure access control system, method and storage medium

By introducing an analog-to-digital conversion module and an access control module into the chip, combined with environmental parameters and pre-stored passwords, flexible access control for the code area and debugging function area is achieved. This solves the problems of lack of flexibility in access permissions and replay attacks in existing technologies, thereby improving security and reducing maintenance costs.

CN122153867APending Publication Date: 2026-06-05SHENZHEN INJOINIC TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN INJOINIC TECH
Filing Date
2026-05-08
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing technologies cannot effectively distinguish between access permissions for the chip code area and the debug function area, resulting in a lack of flexibility in access permissions and problems such as replay attacks and high maintenance costs.

Method used

An analog-to-digital conversion module is used to collect environmental parameters, and a pre-stored password is used for authentication. A multi-level access control module is used to distinguish between the code area and the debugging function area for permission verification, including a first-level lock and a second-level lock mechanism to prevent replay attacks.

Benefits of technology

It enables flexible access control, improves security and protection levels, reduces maintenance costs, and prevents replay attacks and unauthorized access.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122153867A_ABST
    Figure CN122153867A_ABST
Patent Text Reader

Abstract

The embodiment of the application relates to the technical field of integrated circuit security, in particular to a secure access control system and method and a storage medium, a secure access control system comprising a debugging interface module, a storage module, an analog-digital conversion module and a permission control module, the storage module is configured to store a pre-stored password, the analog-digital conversion module is configured to collect environment parameters in response to the secure access control system entering a debugging mode, and the permission control module is electrically connected with the debugging interface module, the storage module and the analog-digital conversion module respectively and is configured to control the permission of an external device to access the secure access control system based on a permission verification result. The embodiment of the application constructs a multilevel secure access control mechanism, determines a corresponding access area according to an access address, and performs access in the corresponding access area, so that flexibility is improved, and it is not necessary to completely open the debugging interface module or completely disable the debugging interface module.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of integrated circuit security technology, and in particular to a secure access control system, method, and storage medium. Background Technology

[0002] JTAG (Joint Test Action Group) is a standard interface protocol for chip-level hardware debugging, testing, and programming. It is widely used in the development and mass production of chips such as MCUs, DSPs, FPGAs, and CPUs. With increasingly fierce competition in the mobile device and consumer electronics markets, the security of chip code has become a crucial aspect of protecting intellectual property. Currently, the market mainly uses methods such as fuse bit disabling, password verification, or pin multiplexing to protect JTAG and other debugging interfaces, but these methods have significant limitations.

[0003] The relevant technologies cannot distinguish between access permissions for the code section and the debugging function area, resulting in either fully opening the debugging interface or disabling it completely, lacking flexibility. Summary of the Invention

[0004] One objective of this application is to provide a secure access control system, method, and storage medium to improve the technical problem of inflexible access permissions in related technologies.

[0005] The first aspect of the present invention provides a secure access control system, comprising: Debug interface module; The storage module is configured to store pre-stored passwords; The analog-to-digital conversion module is configured to collect environmental parameters in response to the security access control system entering debug mode; The access control module is electrically connected to the debugging interface module, the storage module, and the analog-to-digital conversion module, respectively. It is configured to obtain an authentication result based on the environmental parameters, receive access information transmitted by an external device through the debugging interface module, the access information including an access address and an access password, determine the corresponding access area based on the access address, perform access verification processing on the authentication result and the access password based on the access area to obtain an access verification result, and control the access rights of the external device to the security access control system based on the access verification result.

[0006] Optionally, in a first implementation of the first aspect of the present invention, the access area includes a code area and a debugging function area of ​​the security access control system. The corresponding access area is determined based on the access address. Based on the access area, permission verification processing is performed on the authentication result and the access password to obtain a permission verification result. The permission control module is further configured to: Based on the access address, the access area is determined to be a code area. In response to the authentication result and the access password, the permission verification result is obtained as either allowing the external device to access the code area or disallowing the external device to access the code area. Based on the access address, the access area is determined to be a debugging function area. In response to the authentication result, the permission verification result is either allowing the external device to access the debugging function area or disallowing the external device to access the debugging function area.

[0007] Optionally, in a second implementation of the first aspect of the present invention, in response to the authentication result and the access password, if the permission verification result is to allow the external device to access the code area or not allow the external device to access the code area, the permission control module is further configured to: In response to the authentication result that the environment parameters are within a preset parameter range and the access password matches the pre-stored password, the permission verification result is that the external device is allowed to access the code area; In response to the authentication result that the environment parameters are not within the preset parameter range and the access password does not match the pre-stored password, the permission verification result is that the external device is prohibited from accessing the code area.

[0008] Optionally, in a third implementation of the first aspect of the present invention, the secure access control system further includes an AHB bus, the access area further includes a non-protected area, and in response to a mismatch between the access password and the pre-stored password, the access control module is further configured to: If the number of times the access password does not match the pre-stored password reaches a preset first threshold, a level 1 lock is triggered, wherein the level 1 lock prohibits access to the code area; The external device receives access information transmitted through the debug interface module, enabling the external device to access the unprotected area via the AHB bus.

[0009] Optionally, in a fourth implementation of the first aspect of the present invention, the secure access control system further includes a recovery control module, which is electrically connected to the permission control module, the debug interface module, and the storage module. The recovery control module includes a first-level recovery interface unit configured to receive an erase command transmitted by the external device through the first-level recovery interface unit in response to the first-level lock to clear the target data in the storage module.

[0010] Optionally, in a fifth implementation of the first aspect of the present invention, the secure access control system further includes an AHB bus, the access area further includes a non-protected area, and in response to the authentication result that the environmental parameters are not within a preset parameter range, the access control module is further configured to: If the number of environmental parameters that are not within the preset parameter range reaches a preset second threshold, a secondary lock is triggered, wherein the secondary lock is to prohibit the use of the analog-to-digital conversion module; The external device receives access information transmitted through the debug interface module, enabling the external device to access the unprotected area via the AHB bus.

[0011] Optionally, in a sixth implementation of the first aspect of the present invention, the secure access control system further includes a recovery control module, which is electrically connected to the permission control module, the debug interface module, and the storage module, respectively. The recovery control module includes a secondary recovery interface unit, and is configured to receive a recovery command transmitted by the external device through the secondary recovery interface unit in response to the secondary lock in order to recover the target data in the storage module. Optionally, in a seventh implementation of the first aspect of the present invention, in response to the authentication result and the access password, if the permission verification result is to allow the external device to access the debugging function area or not allow the external device to access the debugging function area, the permission control module is further configured to: In response to the access password matching the pre-stored password, the permission verification result is that the external device is allowed to access the debugging function area; If the access password does not match the pre-stored password, the permission verification result is that the external device is not allowed to access the debugging function area.

[0012] Optionally, in an eighth implementation of the first aspect of the present invention, the storage module is further configured as follows: Store the identification code and the encrypted XOR value; Perform a bitwise XOR operation between the identification code and the encrypted XOR value to obtain the pre-stored password.

[0013] Optionally, in a ninth implementation of the first aspect of the present invention, in response to the security access control system entering debug mode and collecting environmental parameters, the analog-to-digital conversion module is further configured to: The environmental parameters are continuously collected; In response to a preset number of voltage changes in the environmental parameter, a preset value is accumulated on the number of voltage changes in the environmental parameter.

[0014] A second aspect of the present invention provides a secure access control method applied to the aforementioned secure access control system, the secure access control method comprising: Obtain environment parameters and pre-stored password; Based on the aforementioned environmental parameters, the authentication result is obtained; Receive access information transmitted by external devices through the debugging interface module; The access area is determined based on the access information; Based on the authentication result and the access area, the access information is subjected to permission verification processing to obtain the permission verification result; Based on the permission verification result, the permission of the external device to access the security access control system is controlled.

[0015] A third aspect of the present invention provides a computer-readable storage medium storing a computer program, the computer program including program instructions that, when executed by a processor, cause the processor to perform the above-described secure access control method.

[0016] The embodiments of this application can achieve the following technical effects: In the embodiments of this application, the environmental parameters are collected only when the security access control system enters the debugging mode through the analog-to-digital conversion module. In the normal operation mode of the security access control system, the function of the analog-to-digital conversion module to collect environmental parameters is always turned off or in a dormant state, which effectively reduces the overall power consumption of the security access control system and improves energy efficiency. The security access control system is verified to be in the debugging mode through environmental parameters. The permission verification is only performed when the security access control system is in the debugging mode. The preset password is combined with the chip's operating environmental parameters to build a multi-level security access control mechanism. The corresponding access area is determined according to the access address, and access is performed in the corresponding access area, which improves flexibility and does not require the debugging interface module to be completely opened or completely disabled. Attached Figure Description

[0017] To more clearly illustrate the technical solutions of the embodiments of this application, the drawings used in the description of the embodiments of this application will be briefly introduced below. Obviously, the drawings described below are only some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 A schematic diagram of a secure access control system provided in this application embodiment; Figure 2 A schematic diagram of a secure access control system provided in another embodiment of this application; Figure 3A schematic diagram of the system architecture of a secure access control system provided in another embodiment of this application; Figure 4 A schematic diagram of the system architecture of a secure access control system provided in another embodiment of this application; Figure 5 A schematic diagram of the system architecture of a secure access control system provided in another embodiment of this application; Figure 6 A flowchart illustrating a secure access control method provided in an embodiment of this application; Figure 7 A flowchart illustrating a secure access control method provided in another embodiment of this application; Figure 8 This is a schematic diagram of the structure of a secure access control device provided in an embodiment of this application. Detailed Implementation

[0019] To make the objectives, technical solutions, and advantages of this application clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are for illustrative purposes only and are not intended to limit the scope of this application. All other embodiments obtained by those skilled in the art based on the embodiments in this application without inventive effort are within the scope of protection of this application.

[0020] It should be noted that, unless there is a conflict, the various features in the embodiments of this application can be combined with each other, all of which are within the protection scope of this application. Furthermore, although functional modules are divided in the device schematic diagram and a logical order is shown in the flowchart, in some cases, the steps shown or described can be executed in a different order than the module division in the device or the order in the flowchart. Moreover, the terms "first," "second," and "third" used in this application do not limit the data or execution order, but only distinguish identical or similar items with essentially the same function and effect.

[0021] Unless otherwise defined, all technical and scientific terms used in this specification have the same meaning as commonly understood by one of ordinary skill in the art to which this application belongs. The terminology used in this specification is for the purpose of describing particular embodiments only and is not intended to limit the scope of this application. The term "and / or" as used in this specification includes any and all combinations of one or more of the associated listed items.

[0022] Currently, the main methods used in the market still have the following limitations: Many related encryption technologies employ fixed algorithms and static scrambling rules, such as the Feistel structure encryption method described in Chinese patent CN120105501A. These schemes suffer from problems such as high rule predictability, large overhead for full-disk encryption, and lack of dynamic adaptability.

[0023] Furthermore, the relevant JTAG interface protection mechanisms are inadequate: the protection schemes mainly include fuse bit disabling, password verification, and pin multiplexing, but these schemes lack a linkage mechanism with the storage encryption state, and cannot achieve precise access control that "allows authorized customers to debug but prohibits code reading".

[0024] The relevant technologies lack dynamic authentication mechanisms based on runtime parameters, making them unable to prevent replay attacks and unauthorized access. A replay attack refers to an attacker intercepting previously sent legitimate data, without cracking or modifying it, and resending it verbatim, misleading the system into believing it is a legitimate re-operation, thereby deceiving the system into performing the same action repeatedly.

[0025] The relevant technologies are often unable to recover after the circuit breaker is triggered, or require a complete physical break, which increases maintenance costs.

[0026] In view of this, the encryption scheme in the embodiments of this application has low predictability and dynamic adaptability. The permission verification scheme can achieve precise permission control that allows authorized customers to debug but prohibits code reading, prevents replay attacks, and has low maintenance costs.

[0027] The following embodiments of this application provide a secure access control system. This secure access control system is applied to an embedded SOC (System on Chip) chip; please refer to [link to relevant documentation]. Figure 1 The security access control system 100 includes a debugging interface module 11, a storage module 12, an analog-to-digital conversion module 19, and an access control module 13. The access control module 13 is electrically connected to the debugging interface module 11, the storage module 12, and the analog-to-digital conversion module 19, respectively.

[0028] Storage module 12 stores the identification code, encrypted XOR value, pre-stored password, and part of the application code. The identification code refers to the encrypted MAC address, chip serial number, or customer-defined password. The identification code is the unique ID of the SOC chip 101, ensuring hardware-level uncopyability of the authentication. The identification code is written by authorized customers using specialized tools during the production line stage and cannot be read through software or conventional debugging interfaces, preventing replay attacks. The encrypted XOR value refers to the key used to perform the XOR operation.

[0029] The storage module 12 includes an MTP (Multi-Time Programmable Memory) storage module 122 for storing firmware code and an SRAM (Static Random Access Memory) storage module 121. The MTP storage module 122 is a non-volatile memory, and the data is not lost when the power is off. It can be burned and programmed multiple times. The MTP storage module 122 is used to store identification codes and encrypted XOR values. The SRAM storage module 121 is a volatile memory, and the data is immediately lost when the power is off. It has extremely fast read and write speeds and is used as memory during chip operation. The SRAM storage module 121 is used to store the currently executing program code, runtime variables, stack, temporary data after key decryption, and temporary information during debugging.

[0030] In some embodiments, a pre-stored password is obtained by performing a bitwise XOR operation on the identification code and the encrypted XOR value.

[0031] When the SOC chip 101 is manufactured, the storage area of ​​the MTP storage module 122 is all 0. During the production testing phase, a unique identification code is burned into the MTP storage module 122. The identification code and the encrypted XOR value are compared bit by bit. Same numbers result in 0, and different numbers result in 1, ultimately yielding the pre-stored password. For example, if the identification code is 10110010 and the encrypted XOR value is 11001010, then after the XOR operation, the pre-stored password is 01111000. The security access control system 100 also includes an XOR gate 1224, which performs the XOR operation.

[0032] The analog-to-digital conversion module 19 is used to collect environmental parameters in response to the security access control system 100 entering the debugging mode.

[0033] In some embodiments, please refer to Figure 2The security access control system 100 also includes a processor 14, an AHB bus 17, an MTP controller 15, a power supply interface 18, and a recovery control module 16. The access control module 13 includes an access controller 131. The processor 14, MTP controller 15, access controller 131, analog-to-digital converter module 19, SRAM storage module 121, and recovery control module 16 are all connected to the AHB bus 17. The processor 14 is connected to the MTP controller 15, the MTP controller 15 is connected to the MTP storage module 122, and the power supply interface 18 is connected to the analog-to-digital converter module 19. The processor 14 in the security access control system 100 can be a CPU. The AHB (Advanced High-performance) bus... Bus 17 (on-chip high-performance system bus) is used to realize data interaction and address transmission between high-speed modules such as processor 14, memory module 12, debug interface module 11, and access control module 13. MTP controller 15 is used to receive control commands from access control module 13 or processor 14, manage read, write, program, and erase operations of MTP memory module 122, parse address signals of MTP address space 1221, realize precise control of MTP memory module 122, and provide feedback on the working status of MTP memory module 122. Access controller 131 is used to complete access address decoding, authentication, access control, and AHB bus 17 response control, and is the core of access control of the entire secure access control system 100. Power supply interface 18 includes a dedicated chip power pad that provides independent working voltage / programming voltage for MTP memory module 12. A stable reference voltage is input to analog-to-digital converter module 19 through power supply interface 18. Recovery control module 16 is used to perform corresponding recovery operations according to the access lock level.

[0034] In some embodiments, please refer to Figure 3The MTP storage module 122 also includes an MTP address space 1221, an encrypted XOR value register 1223, multiple identification code registers 1222, and an XOR gate 1224. The MTP address space 1221 is a continuous address range mapped by the MTP storage module 12 in the SOC chip 101, with a continuous address range of 0x4000_0000 to 0x4000_03ff. The encrypted XOR value register 1223 and the identification code register 1222 are respectively mapped to the MTP address space 1221. The input of the XOR gate 1224 is conveniently connected to the code area of ​​the encrypted XOR value register 1223 and the MTP address space 1221. The XOR gate 1224 performs an XOR encryption on the data in the MTP and the encrypted XOR value to obtain encrypted data. The encrypted data is output from the output of the XOR gate 1224 to the AHB bus 17, realizing the encryption control of the data reading path of the MTP storage module 122 to the AHB bus 17. The encrypted XOR value register 1223 stores the encrypted XOR value, and the identification code register 1222 stores the identification code. Debug mode refers to the operating mode of the security access control system 100 in response to JTAG debug commands transmitted by the external device 200, allowing debug tools to access and control the resources of the storage module 12, encrypted XOR value register 1223, identification code register 1222, and AHB bus 17. The external device 200 includes a debug fixture. Environmental parameters refer to the voltage parameters of the GPIO pins of the SOC chip 101. The debug fixture is used to connect to the GPIO pins, and the debug fixture applies voltage to the GPIO pins. When the security access control system 100 enters debug mode, the analog-to-digital converter module 19 begins to acquire the GPIO pin voltages. The acquisition speed is very fast, and the acquisition can be completed in a dozen or so clock cycles.

[0035] Please see Figure 3The identification code (lower 32 bits) refers to the chip's unique identification code, consisting of 32 consecutive bits in the middle and lower positions. The identification code (higher 32 bits) refers to the chip's unique identification code, consisting of 32 consecutive bits in the middle and higher positions. Other parameters can be auxiliary information such as SOC chip configuration and status. When the address range is 4000_0000, it corresponds to the mapped identification code (lower 32 bits); when the address range is 4000_0004, it corresponds to the mapped identification code (higher 32 bits); when the address range is 4000_0008, it corresponds to the mapped encrypted XOR value; when the address range is 4000_000c~4000_0010, it corresponds to the mapped other parameters; and when the address range is 4000_0014~4000_00ff, it corresponds to the mapped code area. Sensitive information such as identification codes and encrypted XOR values ​​are automatically loaded from the MTP address space 1221 into the corresponding registers by the internal hardware only during the power-on initialization phase of the SOC chip 101. External debugging devices cannot directly read the original sensitive data in the MTP address space 1221 through the AHB bus 17, thus preventing the leakage of identity information from the source.

[0036] Because the identification code in the MTP storage module 122 is programmed with a non-zero value, while the default value of the identification code register 1222 is 0, the security access control system 100 enters an encrypted state after the identification code is programmed. The debug interface module 11 cannot read the data in the MTP storage module 122 and the SRAM storage module 121 via the AHB bus 17. However, the identification code register 1222 can be read and written through the debug interface module 11, allowing the customer to unlock the device by entering the correct identification code.

[0037] The access control module 13 is electrically connected to the debugging interface module 11, the storage module 12, and the analog-to-digital conversion module 19, respectively. It is configured to obtain the authentication result based on environmental parameters, receive access information transmitted by the external device 200 through the debugging interface module 11, the access information including the access address and access password, determine the corresponding access area based on the access address, perform access verification processing on the authentication result and access password based on the access area, obtain the access verification result, and control the access of the external device 200 to the security access control system 100 based on the access verification result.

[0038] External device 200 can be a debugging tool. The debugging interface module 11 includes a JTAG (Joint Test Action Group) interface. The debugging tool enters debugging mode through the JTAG interface. The processor 14 sends an indication signal to the debugging tool; a high-level indication signal indicates that the security access control system 100 has entered debugging mode. The authentication result refers to the result of comparing the environmental parameters collected by the security access control system 100 with a preset parameter range, resulting in whether the authentication passed or failed.

[0039] The access address includes the address of MTP storage module 122, the address of SRAM storage module 121, or the address of the debug function area. The access password is an identification code used to unlock debugging. The access area includes the code area and the debug function area of ​​the security access control system 100. The access area corresponding to the address of MTP storage module 122 or SRAM storage module 121 is the code area, and the access area corresponding to the address of the debug function area is the debug function area.

[0040] Furthermore, the storage address of the MTP storage module 122 is divided. The MTP storage module 122 also includes an INFOMATION area and a MAIN area. The INFOMATION area can only store the identification code and other chip parameters, while the MAIN area is used to store the customer's firmware code. The INFOMATION area stores the identification code and the encrypted XOR value, which are latched into the identification code register 1222 and the encrypted XOR value register 1223 respectively only when the SOC chip 101 is powered on, preventing software rewriting. Customers can customize the bit width of the identification code according to their needs. The bit width refers to the number of binary bits contained in the identification code, used to characterize the data length of the identification code. The larger the bit width, the more possible identification code combinations, making it more difficult to crack.

[0041] In some embodiments, please refer to Figure 4 The access control module 13 includes an address decoding unit 134, an access judgment unit 135, a response control unit 136, and a first AND gate 137 connected in sequence. The address decoding unit 134 and the access judgment unit 135 are respectively connected to the first AND gate 137. The response control unit 136 is connected to the access judgment unit 135. The address decoding unit 134 is used to identify the access address range. The access judgment unit 135 is used to determine the access permission based on the access address and the authentication result. The access judgment unit 135 determines whether the input access password matches the identification code in the identification code register 1222. The response control unit 136 is used to control the AHB bus 17 to respond to the access request of the external device 200 based on the access judgment result, so as to realize the final control of access permissions. When the external device 200 is allowed to access, it is allowed to transmit data and address. When the external device 200 is prohibited from accessing, it is allowed to refuse transmission and keep locked. The first AND gate 137 is used to receive the signals output by the address decoding unit 134 and the permission judgment unit 135. When the signals output by the address decoding unit 134 and the permission judgment unit 135 are both valid signals, a high level is output to the MTP storage module 122 or the SRAM storage module 121.

[0042] Please see Figure 4The address decoding unit 134 receives the access address from the AHB bus 17, parses the access address, and determines whether the access address belongs to the valid address range of the MTP storage module 122 address or the SRAM storage module 121 address. The address decoding unit 134 outputs an access address correct signal to the first AND gate 137. The access control unit 135 receives the access password from the AHB bus 17, compares the access password input by the external device 200 with the password pre-stored in the SOC chip 101, and the identification code register 1222 outputs an identification code correct signal or an identification code error count signal. The identification code correct signal is input to the first AND gate 137, and the identification code error count signal is input to the response control. The control unit 136 outputs a high level only when both input signals of the first AND gate 137 are valid simultaneously, allowing access to the MTP storage module 122 or the SRAM storage module 121. The MTP storage module 122 or the SRAM storage module 121 receives the access permission signal, inputs the code data and the encrypted XOR value in the encrypted XOR value register 1223 to the XOR gate 1224 for encryption, obtains encrypted data, and outputs the encrypted data to the AHB bus 17. The control unit 136 accumulates the number of times the identification code is sent. When the number exceeds a preset first threshold, it prohibits the external device 200 from accessing the code area, cuts off the access path of the AHB bus 17 to the code area, and improves access security.

[0043] In some embodiments, the MTP storage module 122 further includes an MTP programming interface and an MTP reading interface. The MTP programming interface is used to perform write and programming operations on the MTP storage module 12. During the production stage of the SOC chip 101, key information such as the identification code is programmed into the MTP storage module 12 in one go. It is protected by the access control module 13, and the MTP can only be programmed under the unlocked condition.

[0044] The MTP read interface is used to read the burned data from the MTP storage module 122. It is used by the access control module 13 to obtain the identification code during the authentication process. The MTP read interface is used for the encryption control of the MTP storage module 122 reading data to the AHB bus 17. All data must be processed by the XOR gate 1224 before being sent to the AHB bus 17, and the data is further encrypted at the lowest cost.

[0045] Access verification processing refers to the process by which the security access control system 100 determines and controls the access permissions of debugging access requests based on the access password and / or authentication results. Access verification result refers to the final decision output by the security access control system 100 after completing identity verification and access determination, indicating whether debugging access is allowed or denied.

[0046] The access control module 13 combines environmental parameters collected by the analog-to-digital conversion module 19 to complete identity verification, and simultaneously performs dual verification using the access password transmitted from the external device 200. This effectively avoids the vulnerability of single verification methods to cracking and imitation, significantly improving the access security of the debugging interface module 11. The access control module 13 implements partitioned access control based on access addresses, providing finer-grained permissions. The system automatically distinguishes corresponding access areas based on access addresses and employs differentiated permission verification strategies for different access areas. This achieves refined access control for different resources such as the storage module 12 and registers, avoiding a one-size-fits-all approach and balancing security with flexibility. The access control module 13 automatically completes the entire process of environmental parameter identification, access information parsing, access area determination, password verification, and permission decision-making without manual intervention, reducing logical errors and improving system stability and response speed. Through dual access verification combining environmental parameter verification and access password verification, it effectively identifies and blocks unauthorized access attempts by debugging devices, preventing unauthorized reading and tampering of sensitive resources such as the storage module 12 and critical registers of the secure access control system 100.

[0047] In this embodiment, the analog-to-digital converter 19 collects environmental parameters only when the security access control system 100 enters debug mode. During normal operation, the analog-to-digital converter 19's function of collecting environmental parameters is always off or in a dormant state, effectively reducing the overall power consumption of the security access control system 100 and improving energy efficiency. The environmental parameters are used to verify whether the security access control system 100 is in debug mode. Only when the security access control system 100 is in debug mode is permission verification performed. The pre-stored password is combined with the chip's operating environmental parameters to construct a multi-layered security access control mechanism. The corresponding access area is determined according to the access address, and access is performed in the corresponding access area, improving flexibility. It is not necessary to completely open or completely disable the debug interface module 11.

[0048] In some embodiments, the corresponding access zone is determined based on the access address, and the authentication result and access password are processed for permission verification based on the access zone to obtain the permission verification result. The permission control module 13 is also configured to: Based on the access address, the access area is determined to be the code area. In response to the authentication result and access password, the permission verification result is either "external device 200 is allowed to access the code area" or "external device 200 is not allowed to access the code area". Based on the access address, the access area is determined to be the debug function area. In response to the authentication result, the permission verification result is either "external device 200 is allowed to access the debug function area" or "external device 200 is not allowed to access the debug function area".

[0049] The secure access control system 100 distinguishes between the code area and the debugging function area based on the access address. It adopts independent permission judgment logic for areas with different security levels to achieve more refined and flexible security control. Strict dual verification conditions are set for the highly sensitive code area to effectively prevent unauthorized devices from reading, tampering with, and cracking the program code, thus ensuring the security of the SOC chip 101 firmware. The debugging function area only requires identity verification. By implementing different verification mechanisms for different areas, it can effectively resist cracking, replay, and spoofing attacks targeting the unified interface, thereby improving the security protection level of the secure access control system 100.

[0050] In some embodiments, in response to the authentication result and access password, if the permission verification result is to allow external device 200 to access the code area or not allow external device 200 to access the code area, the permission control module 13 is further configured to: If the authentication result is that the environment parameters are within the preset parameter range and the access password matches the pre-stored password, the permission verification result is that external device 200 is allowed to access the code area. If the authentication result is that the environment parameters are not within the preset parameter range and the access password does not match the pre-stored password, the permission verification result is that external device 200 is prohibited from accessing the code area.

[0051] The preset parameter range refers to the legal range of environmental parameters that are preset when the SOC chip 101 is manufactured or configured. It is used to determine whether the external environmental parameters are legal and valid. In this embodiment, the preset parameter range is set to 1.85V ±0.05V. By collecting the dynamic voltage of the GPIO pin, the dynamic adaptability of the encryption scheme is improved.

[0052] Access to the code area requires both valid environment parameters and a matching access password. Authentication and permission verification effectively prevent single-method attacks from being cracked, forged, or replay-based, significantly improving code area access security. By adding a hardware-level verification dimension through environment parameter validation, attackers cannot breach the protection with just the access password, enhancing the security access control system's resistance to physical debugging attacks and side-channel attacks. In some embodiments, in response to a mismatch between the access password and the pre-stored password, the access control module 13 is further configured to: When the number of access passwords that do not match the pre-stored passwords reaches a preset first threshold, a level 1 lock is triggered. The level 1 lock is a code area that is prohibited from access. Access information transmitted by external device 200 through debug interface module 11 is received so that external device 200 can access the unprotected area through AHB bus 17.

[0053] The preset first threshold refers to the maximum number of consecutive times the access password does not match the pre-configured, pre-stored password, used to determine whether to trigger the locking mechanism. Level 1 locking means that after the number of incorrect access password attempts exceeds the limit, only access to the code area is blocked. The unprotected area refers to the public area or general-purpose register area within the SOC chip 101 with a lower security level that can be accessed without strict password verification, used for basic debugging and status query.

[0054] By counting the number of incorrect access password attempts and triggering a level-one lockout, attackers can be effectively prevented from brute-force attacks through multiple password attempts, thus enhancing the security of the secure access control system. Even if the access password does not match or the lockout conditions are met, access to the unprotected area is still allowed via the AHB bus, protecting the code area without affecting basic debugging functions.

[0055] In this embodiment of the application, the preset first threshold is set to 3, that is, when the number of times the access password does not match the pre-stored password reaches 3, the first level of locking is triggered. The value of the preset first threshold is not limited to the above value, and can be set according to the actual debugging environment.

[0056] In some embodiments, the security access control system 100 further includes a recovery control module 16, which is electrically connected to the access control module 13, the debugging interface module 11, and the storage module 12.

[0057] The recovery control module 16 includes a lock level determination unit and a first-level recovery interface unit.

[0058] The lock level determination unit is used to determine whether the current lock level is Level 1 or Level 2. The Level 1 recovery interface unit, in response to Level 1 lockout, receives an erase command transmitted by the external device 200 through the Level 1 recovery interface unit to clear the target data in the storage module 12. The erase command clears all data in the MTP storage module 122 and the SRAM storage module 121, and simultaneously clears the identification code register 1222 and the XOR encryption value register. This ensures that even if an attacker fails to completely erase the actual storage medium by not supplying high voltage to the MTP storage module 122, the data read by the JTAG interface through the AHB bus 17 will not be the original data because the XOR encryption value register has been cleared beforehand. The attacker will only obtain garbled data, further enhancing the security of the secure access control system 100.

[0059] In some embodiments, in response to the authentication result indicating that the environment parameters are not within the preset parameter range, the access control module 13 is further configured to: If the number of environmental parameters that are not within the preset parameter range reaches a preset second threshold, a secondary lockout is triggered. The secondary lockout prohibits the use of the analog-to-digital converter module 19 and receives access information transmitted by the external device 200 through the debugging interface module 11 so that the external device 200 can access the unprotected area through the AHB bus 17.

[0060] A preset second threshold is a pre-configured upper limit for the number of illegal environmental parameters, used to determine whether a secondary lockout is triggered. In this embodiment, the preset second threshold is set to 5. That is, when the number of times the environmental parameter falls within the preset parameter range reaches 5, the access is considered a malicious attack, the access control module triggers a secondary lockout, and the analog-to-digital conversion module 19 is completely disabled. The value of the preset second threshold is not limited to the above and can be adjusted according to the actual debugging environment. The secondary lockout refers to the security lockout action executed when the environmental parameters are illegal multiple times consecutively, used to further enhance the protection level of the security access control system 100. The primary lockout and the secondary lockout are independent of each other. Even if the secondary lockout is triggered, the external device 200 is still allowed to access the unprotected area through the AHB bus, ensuring that the basic debugging and status monitoring functions of the SOC chip 101 are available, and improving the fault tolerance of the security access control system 100. This embodiment does not require fuse bit disabling. After the primary lockout or the secondary lockout is triggered, a recovery operation can be performed, reducing maintenance costs.

[0061] In some embodiments, the recovery control module 16 includes a secondary recovery interface unit. The recovery control module 16 is configured to receive a recovery command transmitted by the external device 200 through the secondary recovery interface unit in response to a secondary lock in order to recover the target data in the storage module 12.

[0062] The secondary recovery interface unit is used to receive recovery commands. Recovery commands refer to restoring the security access control system 100 to its initial state, that is, the state before the erase command was executed. For secondary locks, after the recovery control module 16 completes the recovery operation, the security access control system 100 returns to its initial state, allowing the customer to continue debugging.

[0063] The recovery control module 16 also includes a lock level determination unit, which is used to determine the current lock level of the security access control system 100.

[0064] In some embodiments, in response to the authentication result and access password, if the permission verification result is to allow external device 200 to access the debug function area or not allow external device 200 to access the debug function area, the permission control module 13 is further configured to: If the access password matches the pre-stored password, the permission verification result is that external device 200 is allowed to access the debug function area. If the access password does not match the pre-stored password, the permission verification result is that external device 200 is not allowed to access the debug function area.

[0065] The debugging function area uses only the matching of the access password with the pre-stored password as the basis for permission determination, without the need for additional verification of environment parameters. This not only prevents the debugging function from being abused illegally, but also simplifies the debugging process, improves debugging efficiency, and adapts to the usage scenarios of the debugging function area. The permission verification of the debugging function area relies solely on password matching, with simple and rigorous rules. It eliminates the need for complex multi-condition joint judgments, reduces the logical complexity of the permission control module 13, facilitates hardware integration, reduces the probability of false judgments, and improves the operational stability of the secure access control system 100.

[0066] In some embodiments, in response to the security access control system 100 entering debug mode and collecting environmental parameters, the analog-to-digital conversion module 19 is further configured to: Continuously collect environmental parameters, and in response to voltage changes of environmental parameters a preset number of times, accumulate a preset value on the number of voltage changes of environmental parameters.

[0067] In this embodiment, the preset number of times is 3, that is, the preset number of voltage changes is counted only after the environmental parameter undergoes 3 voltage changes, in order to reduce sampling error.

[0068] Please see Figure 5The analog-to-digital conversion module 19 includes a parameter acquisition unit 191, a counter unit 192, and a second AND gate 193. The parameter acquisition unit 191 is used to acquire environmental parameters, and the counter unit 192 is used to measure the number of voltage changes. In this embodiment, the preset value is 1. During the detection of the GPIO pin voltage, each voltage change increments the counter by 1. The preset number and preset value are not limited to the above scheme and can be appropriately selected according to the actual debugging environment. The external device 200 applies a voltage signal to the GPIO pin of the SOC chip. Only a legitimate external device 200 will output voltage according to a specific pattern. The first input of the second AND gate 193 is connected to the ADC clock, and the second input of the second AND gate 193 is connected to the JTAG connection signal. The second AND gate 193 only outputs a high level when the JTAG interface is connected and the ADC clock is normal. Environmental parameter acquisition is only allowed when the debugging mode is enabled. The processor 14 monitors the connection status of the JTAG interface and reads the number of voltage changes in the counter unit 192 to confirm whether it is a legitimate external device 200. Verification is performed by applying a specific voltage waveform through a debugging fixture. Since it involves physical hardware connection and voltage waveform generation, it is difficult for unauthorized attackers to simulate the signal, thereby effectively preventing the SOC chip 101 from being replaced or cloned by unauthorized devices. Combining the JTAG interface connection status with the voltage sampling of the GPIO pins, voltage detection is only triggered in specific debugging modes, avoiding bypass attacks or interference to the SOC chip 101 under normal operating conditions, making the protection more targeted. Verification can be achieved using standard GPIO pins and the analog-to-digital converter module 19 without the need for additional expensive security chips, achieving high security protection at low cost. The ADC clock is a dedicated clock signal that provides a timing reference for the analog-to-digital converter module 19. It is used to control all timing operations of the analog-to-digital converter module 19, such as sampling, analog-to-digital conversion, and data output, and determines the sampling frequency, conversion accuracy, and operating status of the analog-to-digital converter module 19.

[0069] Please see Figure 6 This application also provides a secure access control method applied to the aforementioned secure access control system 100. The secure access control method includes the following steps: S101. Obtain environmental parameters and pre-stored password; S102. Based on the environment parameters, obtain the authentication result; S103, Receive access information transmitted by external device 200 through debug interface module 11; S104. Determine the access area based on the access information; S105. Based on the authentication result and the access area, perform permission verification processing on the access information to obtain the permission verification result; S106. Control the access permissions of external device 200 to the secure access control system 100 based on the permission verification result.

[0070] This application embodiment combines pre-stored passwords with chip operating environment parameters to construct a multi-layered security access control mechanism. The corresponding access area is determined based on the access address, and access is performed in the corresponding access area, improving flexibility and eliminating the need to completely open or completely disable the debug interface module.

[0071] This application proposes using an MTP storage module 122 to store a customer's unique identification code, ensuring the hardware-level non-copyability of identity authentication. The identification code is written by the authorized customer during the production line stage using a dedicated tool and cannot be read through software or conventional debugging interfaces.

[0072] This application embodiment combines the voltage parameters of the SOC chip 101 during operation with the counter unit 192, and uses a dual encryption method of identification code plus hardware conditions to exponentially increase the difficulty of cracking.

[0073] This application embodiment implements hierarchical access control between the code area and the debugging function area through the AHB bus 17 protocol. Authorized customers can perform debugging operations but are prohibited from reading the code storage area, while unauthorized users will be completely denied access.

[0074] The secure access control system 100 also includes an AHB permission register. If the access password is incorrect, a bus lock signal will be generated, and the bus lock signal output value will be sent to the AHB permission register to ensure the irreversibility of the bus lock operation and prevent software bypass.

[0075] Please see Figure 7 The security access control system 100 triggers the AHB bus 17 to lock due to security events such as unauthorized access, exceeding the limit for incorrect identification code attempts, or abnormal environmental parameters. The security access control method also includes the following steps: S107. The security access control system 100 enters the trigger bus lock state; S108. Confirm the current lock level based on the trigger bus lock status. The lock level includes level one lock and level two lock. S109. In response to the current lock level being Level 1 lock, a Level 1 lock recovery operation is performed, clearing the encrypted XOR value register 1223 and clearing all data in the MTP storage module 122 and the SRAM storage module 121. S110. In response to the current lockout level being Level 2, a Level 2 lockout recovery operation is performed, using external device 200 to recover the target data via the MTP programming interface. After the recovery operation is completed, the security access control system 100 returns to its initial state, allowing the customer to continue debugging.

[0076] This application embodiment designs a hierarchical locking mechanism with a first-level lock and a second-level lock. The first-level lock can be restored through authorized customer tools, while the second-level lock requires manufacturer-specific equipment to be restored, thus balancing security and maintenance costs.

[0077] This application embodiment has an AHB bus 17 read data protection function. The data in the code area is bitwise XORed with the pre-programmed encrypted XOR value before being sent to the AHB bus 17. No complex encryption algorithm is required. This ensures that the data will not be stolen during debugging and recovery operations while saving costs.

[0078] All the hardware in this application embodiment reuses the functional hardware that is already in the SOC chip 101, without adding any extra logic, which greatly reduces costs.

[0079] This application embodiment uses the CPU's internal JTAG connection signal as the gated clock enable signal. When no JTAG interface connection is detected, i.e., when the SOC chip 101 is working normally, the encryption hardware circuit in the analog-to-digital conversion module 19 does not work, which greatly reduces power consumption.

[0080] It should be noted that in the above embodiments, there is no necessarily a certain order between the steps. Those skilled in the art can understand from the description of the embodiments of this application that the above steps may have different execution orders in different embodiments, that is, they may be executed in parallel or in turn, etc.

[0081] See Figure 8 This application also provides a secure access control device 300, which includes one or more processors 14 and a memory 31. The memory 31 is connected to one or more processors 14, for example, via a bus.

[0082] Processor 14 is configured to support the security access control device 300 in performing the corresponding functions in the methods described in the above method embodiments. Processor 14 may be a central processing unit (CPU), a network processor (NP), a hardware chip, or any combination thereof. The aforementioned hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The aforementioned PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), a generic array logic (GAL), or any combination thereof.

[0083] Memory 31 is used to store program code, etc. Memory 31 may include volatile memory (VM), such as random access memory (RAM); memory 31 may also include non-volatile memory (NVM), such as read-only memory (ROM), flash memory, hard disk drive (HDD), or solid-state drive (SSD); memory 31 may also include combinations of the above types of memory 31.

[0084] The memory 31 can be used to store non-volatile software programs, non-volatile computer-executable programs, and modules, such as the program instructions / modules corresponding to the secure access control method in the embodiments of this application. The processor 14 executes the secure access control method by running the non-volatile software programs, instructions, and modules stored in the memory 31, thereby implementing the secure access control method provided in the above-described method embodiments.

[0085] The memory 31 may include a program storage area and a data storage area, wherein the program storage area may store the operating system and application programs required for at least one function. In some embodiments, the memory 31 may optionally include a memory 31 remotely located relative to the processor 14. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

[0086] One or more modules are stored in memory 31. When executed by one or more processors 14, they perform the security access control method in any of the above method embodiments. For example, they perform the method steps described in the above method embodiments to realize the functions of the modules described in the above device embodiments.

[0087] This application also provides a computer-readable storage medium storing a computer program, the computer program including program instructions, which, when executed by a security access control device 300, cause the security access control device 300 to perform the method as described in the foregoing embodiments.

[0088] Those skilled in the art will understand that all or part of the processes in the methods of the above embodiments can be implemented by a computer program instructing related hardware. The program can be stored in a computer-readable storage medium, and when executed, it can include the processes of the embodiments of the methods described above. The storage medium can be a magnetic disk, optical disk, read-only memory (ROM), or random access memory (RAM), etc.

[0089] The above-disclosed embodiments are merely preferred embodiments of this application and should not be construed as limiting the scope of this application. Therefore, any equivalent variations made in accordance with the claims of this application shall still fall within the scope of this application.

Claims

1. A secure access control system, characterized in that, include: Debug interface module; The storage module is configured to store pre-stored passwords; The analog-to-digital conversion module is configured to collect environmental parameters in response to the security access control system entering debug mode; The access control module is electrically connected to the debugging interface module, the storage module, and the analog-to-digital conversion module, respectively. It is configured to obtain an authentication result based on the environmental parameters, receive access information transmitted by an external device through the debugging interface module, the access information including an access address and an access password, determine the corresponding access area based on the access address, perform access verification processing on the authentication result and the access password based on the access area to obtain an access verification result, and control the access rights of the external device to the security access control system based on the access verification result.

2. The secure access control system according to claim 1, characterized in that, The access area includes the code area and debugging function area of ​​the security access control system. The corresponding access area is determined based on the access address. Based on the access area, the authentication result and the access password are subjected to permission verification processing to obtain the permission verification result. The permission control module is further configured to: Based on the access address, the access area is determined to be a code area. In response to the authentication result and the access password, the permission verification result is obtained as either allowing the external device to access the code area or disallowing the external device to access the code area. Based on the access address, the access area is determined to be a debugging function area. In response to the authentication result, the permission verification result is either allowing the external device to access the debugging function area or disallowing the external device to access the debugging function area.

3. The secure access control system according to claim 2, characterized in that, In response to the authentication result and the access password, if the permission verification result is to allow the external device to access the code area or not allow the external device to access the code area, the permission control module is further configured to: In response to the authentication result that the environment parameters are within a preset parameter range and the access password matches the pre-stored password, the permission verification result is obtained that the external device is allowed to access the code area; In response to the authentication result that the environment parameters are not within the preset parameter range and the access password does not match the pre-stored password, the permission verification result is to prohibit the external device from accessing the code area.

4. The secure access control system according to claim 3, characterized in that, The secure access control system further includes an AHB bus, and the access zone further includes a non-protected zone. In response to a mismatch between the access password and the pre-stored password, the access control module is further configured to: If the number of times the access password does not match the pre-stored password reaches a preset first threshold, a level 1 lock is triggered, wherein the level 1 lock prohibits access to the code area; The external device receives access information transmitted through the debug interface module, enabling the external device to access the unprotected area via the AHB bus.

5. The secure access control system according to claim 4, characterized in that, The secure access control system further includes a recovery control module, which is electrically connected to the access control module, the debug interface module, and the storage module. The recovery control module includes a first-level recovery interface unit, which is configured to receive an erase command transmitted by the external device through the first-level lock in response to the first-level lock, so as to clear the target data in the storage module.

6. The secure access control system according to claim 3, characterized in that, The secure access control system further includes an AHB bus, and the access area further includes a non-protected area. In response to the authentication result indicating that the environment parameters are not within a preset parameter range, the access control module is further configured to: If the number of environmental parameters that are not within the preset parameter range reaches a preset second threshold, a secondary lock is triggered, wherein the secondary lock is to prohibit the use of the analog-to-digital conversion module; The external device receives access information transmitted through the debug interface module, enabling the external device to access the unprotected area via the AHB bus.

7. The secure access control system according to claim 6, characterized in that, The secure access control system further includes a recovery control module, which is electrically connected to the access control module, the debug interface module, and the storage module. The recovery control module includes a secondary recovery interface unit and is configured to receive a recovery command transmitted by the external device through the secondary recovery interface unit in response to the secondary lock in order to recover the target data in the storage module.

8. The secure access control system according to claim 2, characterized in that, In response to the authentication result and the access password, if the permission verification result is to allow the external device to access the debug function area or not allow the external device to access the debug function area, the permission control module is further configured to: In response to the access password matching the pre-stored password, the permission verification result is that the external device is allowed to access the debugging function area; If the access password does not match the pre-stored password, the permission verification result is that the external device is not allowed to access the debugging function area.

9. The secure access control system according to claim 1, characterized in that, The storage module is also configured to: Store the identification code and the encrypted XOR value; Perform a bitwise XOR operation between the identification code and the encrypted XOR value to obtain the pre-stored password.

10. The secure access control system according to claim 1, characterized in that, In response to the security access control system entering debug mode and collecting environmental parameters, the analog-to-digital conversion module is further configured to: The environmental parameters are continuously collected; In response to a preset number of voltage changes in the environmental parameter, a preset value is accumulated on the number of voltage changes in the environmental parameter.

11. A secure access control method, characterized in that, The secure access control method, applied to the secure access control system as described in any one of claims 1 to 10, comprises: Obtain environment parameters and pre-stored password; Based on the aforementioned environmental parameters, the authentication result is obtained; Receive access information transmitted by external devices through the debugging interface module; The access area is determined based on the access information; Based on the authentication result and the access area, the access information is subjected to permission verification processing to obtain the permission verification result; Based on the permission verification result, the permission of the external device to access the security access control system is controlled.

12. A computer-readable storage medium, characterized in that, The computer-readable storage medium stores a computer program, the computer program including program instructions that, when executed by a processor, cause the processor to perform the secure access control method as described in claim 11.