A terminal external global security management and control device
By using an external global security management device, the challenges of sovereignty deficiency, cross-platform unified management and compliance in the terminal security system are solved, realizing independent and controllable full-link security management, adapting to global compliance requirements, and applicable to a variety of terminal devices.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- 廖长林
- Filing Date
- 2026-04-18
- Publication Date
- 2026-06-16
AI Technical Summary
In the existing terminal security system, the control of the built-in root of trust is in the hands of the chip manufacturer, which poses a risk of lack of sovereignty. It is difficult to achieve unified security management across platforms, hardware resources are limited, it cannot adapt to global compliance requirements, and there are compliance risks in cross-border data transmission.
It adopts an external terminal-based full-domain security management device, including a global security policy unit, a full-domain security execution unit, a hardware physical isolation array, a full-domain compliance management unit, and a native terminal compatible interface unit, to achieve security management independent of the main control chip. It supports full-link permissions, key transfer, data transmission, and artificial intelligence model scheduling, and has a hardware-level anomaly circuit breaker mechanism and cross-border compliance management.
It achieves independent and controllable security management sovereignty, supports unified security management across platforms, adapts to global compliance requirements, prevents data leakage, reduces deployment costs, and is applicable to a variety of terminal devices.
Smart Images

Figure FT_1 
Figure FT_2 
Figure FT_3
Abstract
Description
Technical Field
[0001] This invention relates to the field of terminal security technology, and in particular to an external terminal-based global security management device. Background Technology
[0002] Existing endpoint security systems generally adopt an architecture with a built-in root of trust in the main control chip, which has the following drawbacks: 1. The control of the built-in root of trust is usually in the hands of the chip manufacturer, which poses a risk of lack of sovereignty and cannot meet the requirements of independent control of critical information infrastructure; 2. Different manufacturers have inconsistent built-in root of trust standards, making it impossible to achieve unified security management across platforms and terminals; 3. The hardware resources of the built-in security zone are limited and cannot meet the growing demands for complex security policies, encryption operations, and compliance management. 4. It cannot flexibly adapt to the full-domain data compliance requirements of different regions around the world, and there are compliance risks in cross-border data transmission; Therefore, there is an urgent need for an external, all-domain security management device that can operate independently of the terminal's main control chip's native root of trust, enabling unified security management of the terminal's underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling. Summary of the Invention
[0003] The purpose of this invention is to overcome the shortcomings of the prior art and provide an external terminal-based global security management device that can independently of the terminal's main control chip's native root of trust to achieve full-link security management of the terminal, while being compatible with existing terminal hardware and software systems and flexibly adapting to global compliance requirements in different regions around the world. To achieve the above objectives, the present invention adopts the following technical solution: An external terminal-based global security management device includes a global security policy unit, a global security execution unit, a hardware physical isolation array, a global compliance management unit, and a native terminal compatibility interface unit; The global security policy unit is used to store and execute global permission rules, security policies, and compliance standards. The global security execution unit is communicatively connected to the global security policy unit and is used to perform hardware-level real-time control and unbypassable abnormal circuit breaking on terminal underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling according to the global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after abnormal circuit breaking. The hardware physical isolation array is communicatively connected to the global security policy unit and the global security execution unit, respectively, to achieve physical isolation of data and instructions with different security levels; The full-domain compliance control unit is communicatively connected to the full-domain security execution unit and is used to perform access control and circuit breaker control on cross-border data transmission according to full-domain compliance requirements; The native terminal compatibility docking unit is connected to the native root of trust of the terminal main control chip and the device operating system kernel respectively, so as to achieve seamless compatibility with the existing terminal hardware and software system; Furthermore, the hardware physical isolation array includes at least one independent physical isolation partition, and the number of partitions can be dynamically adjusted according to security requirements; Furthermore, the global security policy unit and the global security execution unit can be integrated into the same semiconductor chip, or they can be independently set in different semiconductor chips. Furthermore, the native terminal compatible docking unit can retain all the functions of the native root of trust of the terminal main control chip, or partially / completely replace the functions of the native root of trust of the terminal main control chip. Furthermore, the global security execution unit may integrate a national commercial cryptographic encryption module, or may not integrate any specific encryption algorithm module; Furthermore, the global security execution unit can control financial payment keys, government keys, and user privacy data, or only control general data transmission links; Furthermore, the artificial intelligence model scheduling and control includes the control of permissions and data flow for artificial intelligence models running inside the terminal main control chip and artificial intelligence models running outside the terminal; Furthermore, the native operating system key can be stored in the global security execution unit or stored in the terminal's native system, and its signature verification and transfer control can be performed only through the device. Furthermore, the comprehensive compliance control unit may only control data outbound, or only control data inbound, or simultaneously control bidirectional data transmission. Furthermore, the device can be used as a purely external independent hardware module, or semi-integrated into the terminal motherboard, or embedded in the terminal main control chip package.
[0004] Beneficial effects The present invention has the following beneficial effects: 1. It adopts an external architecture, independent of the native root of trust of the terminal main control chip, realizing independent and controllable security management sovereignty, and can meet the independent controllability and security requirements of critical information infrastructure; 2. It adopts a unified security management architecture across the entire domain, which can achieve full-link security management of terminal underlying permissions, key transfer, data transmission and artificial intelligence model scheduling; 3. Hardware physical isolation arrays can achieve physical isolation of data and instructions with different security levels, effectively preventing data leakage and malicious attacks; 4. The global compliance control unit can flexibly adapt to global data security standards in different regions around the world, solving the compliance challenges of cross-border data transmission; 5. The native terminal compatibility interface unit can achieve seamless compatibility with existing terminal hardware and software systems, without the need for large-scale modification of existing terminals, thus reducing deployment costs; 6. The device has a flexible and diverse form factor. It can be used as a purely external independent hardware module, a semi-integrated module, or embedded in the main control chip package, making it suitable for various terminal devices. Attached Figure Description
[0005] Figure 1 This is a schematic diagram of the overall architecture of Embodiment 1 of the present invention; Figure 2 This is a schematic diagram of the discrete chip architecture of Embodiment 2 of the present invention; Figure 3 This is a schematic diagram of the single-chip integrated architecture of Embodiment 3 of the present invention. Detailed Implementation
[0006] The present invention will now be described in detail with reference to the accompanying drawings and specific embodiments: Example 1
[0007] like Figure 1 As shown, this embodiment provides a terminal external global security management device, including a global security policy unit 1, a global security execution unit 2, a hardware physical isolation array 3, a global compliance management unit 4, and a native terminal compatibility interface unit 5; Global Security Policy Unit 1 is used to store and enforce global permission rules, security policies, and compliance standards; The global security execution unit 2 is connected to the global security policy unit 1 and is used to perform hardware-level real-time control and unbypassable abnormal circuit breaking on terminal underlying permissions, key transfer, data transmission and artificial intelligence model scheduling according to global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after abnormal circuit breaking. The hardware physical isolation array 3 is communicatively connected to the global security policy unit 1 and the global security execution unit 2, respectively, to achieve physical isolation of data and instructions with different security levels; The full-domain compliance control unit 4 is connected to the full-domain security execution unit 2 for access control and circuit breaker control of cross-border data transmission in accordance with full-domain compliance requirements; The native terminal compatibility docking unit 5 is connected to the native root of trust 61 of the terminal main control chip 6 and the operating system kernel 7 respectively, in order to achieve seamless compatibility with the existing terminal hardware and software system; In this embodiment, the global security policy unit 1 and the global security execution unit 2 are independently set in different semiconductor chips, the hardware physical isolation array 3 contains 3 independent physical isolation partitions, and the global security execution unit 2 integrates a national commercial cryptographic encryption module. Example 2
[0008] like Figure 2 As shown, the difference between this embodiment and embodiment 1 is that the global security policy unit 1 and the global security execution unit 2 are integrated in the same semiconductor chip 8, the hardware physical isolation array 3 contains 5 independent physical isolation partitions, and the device is integrated on the terminal motherboard 9 as a semi-built-in module. Example 3
[0009] The difference between this embodiment and Embodiment 1 is that the device is a purely external independent hardware module that connects to the terminal via a USB interface. The global security execution unit 2 does not integrate any specific encryption algorithm module and only manages the general data transmission link.
Claims
1. A terminal-external global security control device, characterized in that, include: • Global security policy unit, used to store and enforce global permission rules, security policies and compliance standards; • A global security execution unit, which is connected to the global security policy unit, is used to perform hardware-level real-time control and unbypassable circuit breaking of terminal underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling according to the global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after the circuit breaking is abnormal. • A hardware physical isolation array, which is communicatively connected to the global security policy unit and the global security execution unit, is used to achieve physical isolation of data and instructions with different security levels; • The overall compliance control unit is communicatively connected to the overall security execution unit and is used to control access and circuit breaker for cross-border data transmission according to overall compliance requirements; • Native terminal compatibility docking unit, which communicates with the native root of trust of the terminal main control chip and the device operating system kernel respectively, to achieve seamless compatibility with existing terminal hardware and software systems.
2. The terminal external global security control device according to claim 1, characterized in that, The hardware physical isolation array contains at least one independent physical isolation partition, and the number of partitions can be dynamically adjusted according to security requirements.
3. The terminal external global security control device according to claim 1, characterized in that, The global security policy unit and the global security execution unit can be integrated into the same semiconductor chip, or they can be set independently in different semiconductor chips.
4. The terminal external global security control device according to claim 1, characterized in that, The native terminal compatible docking unit can retain all the functions of the native root of trust of the terminal main control chip, or partially / completely replace the functions of the native root of trust of the terminal main control chip.
5. The terminal external global security control device according to claim 1, characterized in that, The global security execution unit may integrate a national commercial cryptographic encryption module or may not integrate any specific encryption algorithm module.
6. The terminal external global security control device according to claim 1, characterized in that, The comprehensive security execution unit can control financial payment keys, government keys, and user privacy data, or only control general data transmission links.
7. The terminal external global security control device according to claim 1, characterized in that, The scheduling and control of the artificial intelligence model includes the control of permissions and data flow for artificial intelligence models running inside the terminal's main control chip and artificial intelligence models running outside the terminal.
8. The terminal external global security control device according to claim 1, characterized in that, The operating system native key can be stored in the global security execution unit or stored in the terminal's native system, and its signature verification and transfer control can only be performed through the device.
9. The terminal external global security control device according to claim 1, characterized in that, The comprehensive compliance control unit can control data outbound only, data inbound only, or both bidirectional data transmission simultaneously.
10. The terminal external global security control device according to claim 1, characterized in that, The device can be used as a purely external independent hardware module, or semi-integrated into the terminal motherboard, or embedded in the terminal main control chip package.