A terminal external global security management and control device

By using an external global security management device, the challenges of sovereignty deficiency, cross-platform unified management and compliance in the terminal security system are solved, realizing independent and controllable full-link security management, adapting to global compliance requirements, and applicable to a variety of terminal devices.

CN122226469APending Publication Date: 2026-06-16廖长林

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
廖长林
Filing Date
2026-04-18
Publication Date
2026-06-16

AI Technical Summary

Technical Problem

In the existing terminal security system, the control of the built-in root of trust is in the hands of the chip manufacturer, which poses a risk of lack of sovereignty. It is difficult to achieve unified security management across platforms, hardware resources are limited, it cannot adapt to global compliance requirements, and there are compliance risks in cross-border data transmission.

Method used

It adopts an external terminal-based full-domain security management device, including a global security policy unit, a full-domain security execution unit, a hardware physical isolation array, a full-domain compliance management unit, and a native terminal compatible interface unit, to achieve security management independent of the main control chip. It supports full-link permissions, key transfer, data transmission, and artificial intelligence model scheduling, and has a hardware-level anomaly circuit breaker mechanism and cross-border compliance management.

Benefits of technology

It achieves independent and controllable security management sovereignty, supports unified security management across platforms, adapts to global compliance requirements, prevents data leakage, reduces deployment costs, and is applicable to a variety of terminal devices.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure FT_1
    Figure FT_1
  • Figure FT_2
    Figure FT_2
  • Figure FT_3
    Figure FT_3
Patent Text Reader

Abstract

The application discloses a kind of terminal external global security management and control device, including global security policy unit, global security execution unit, hardware physical isolation array, global compliance control unit and native terminal compatible docking unit.Global security policy unit is used to store and execute global permission rules, security policy and compliance standard;Global security execution unit is used to control and the abnormal fusing of hardware level real-time management and control, which cannot be bypassed, to terminal bottom layer permission, key flow, data transmission, artificial intelligence model scheduling, and control is not affected by terminal software layer modification and bypass, supports security recovery mechanism after abnormal fusing;Hardware physical isolation array is used to realize the physical isolation of different security level data and instruction;Global compliance control unit is used to control access and fusing control to cross-border data transmission;Native terminal compatible docking unit is used to realize seamless compatibility with existing terminal hardware and software system.The application adopts external architecture, realizes the independent controllable of security management and control sovereignty, can carry out full-link security management and control to terminal, while compatible with existing terminal system, flexible adaptation global global compliance requirement.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention relates to the field of terminal security technology, and in particular to an external terminal-based global security management device. Background Technology

[0002] Existing endpoint security systems generally adopt an architecture with a built-in root of trust in the main control chip, which has the following drawbacks: 1. The control of the built-in root of trust is usually in the hands of the chip manufacturer, which poses a risk of lack of sovereignty and cannot meet the requirements of independent control of critical information infrastructure; 2. Different manufacturers have inconsistent built-in root of trust standards, making it impossible to achieve unified security management across platforms and terminals; 3. The hardware resources of the built-in security zone are limited and cannot meet the growing demands for complex security policies, encryption operations, and compliance management. 4. It cannot flexibly adapt to the full-domain data compliance requirements of different regions around the world, and there are compliance risks in cross-border data transmission; Therefore, there is an urgent need for an external, all-domain security management device that can operate independently of the terminal's main control chip's native root of trust, enabling unified security management of the terminal's underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling. Summary of the Invention

[0003] The purpose of this invention is to overcome the shortcomings of the prior art and provide an external terminal-based global security management device that can independently of the terminal's main control chip's native root of trust to achieve full-link security management of the terminal, while being compatible with existing terminal hardware and software systems and flexibly adapting to global compliance requirements in different regions around the world. To achieve the above objectives, the present invention adopts the following technical solution: An external terminal-based global security management device includes a global security policy unit, a global security execution unit, a hardware physical isolation array, a global compliance management unit, and a native terminal compatibility interface unit; The global security policy unit is used to store and execute global permission rules, security policies, and compliance standards. The global security execution unit is communicatively connected to the global security policy unit and is used to perform hardware-level real-time control and unbypassable abnormal circuit breaking on terminal underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling according to the global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after abnormal circuit breaking. The hardware physical isolation array is communicatively connected to the global security policy unit and the global security execution unit, respectively, to achieve physical isolation of data and instructions with different security levels; The full-domain compliance control unit is communicatively connected to the full-domain security execution unit and is used to perform access control and circuit breaker control on cross-border data transmission according to full-domain compliance requirements; The native terminal compatibility docking unit is connected to the native root of trust of the terminal main control chip and the device operating system kernel respectively, so as to achieve seamless compatibility with the existing terminal hardware and software system; Furthermore, the hardware physical isolation array includes at least one independent physical isolation partition, and the number of partitions can be dynamically adjusted according to security requirements; Furthermore, the global security policy unit and the global security execution unit can be integrated into the same semiconductor chip, or they can be independently set in different semiconductor chips. Furthermore, the native terminal compatible docking unit can retain all the functions of the native root of trust of the terminal main control chip, or partially / completely replace the functions of the native root of trust of the terminal main control chip. Furthermore, the global security execution unit may integrate a national commercial cryptographic encryption module, or may not integrate any specific encryption algorithm module; Furthermore, the global security execution unit can control financial payment keys, government keys, and user privacy data, or only control general data transmission links; Furthermore, the artificial intelligence model scheduling and control includes the control of permissions and data flow for artificial intelligence models running inside the terminal main control chip and artificial intelligence models running outside the terminal; Furthermore, the native operating system key can be stored in the global security execution unit or stored in the terminal's native system, and its signature verification and transfer control can be performed only through the device. Furthermore, the comprehensive compliance control unit may only control data outbound, or only control data inbound, or simultaneously control bidirectional data transmission. Furthermore, the device can be used as a purely external independent hardware module, or semi-integrated into the terminal motherboard, or embedded in the terminal main control chip package.

[0004] Beneficial effects The present invention has the following beneficial effects: 1. It adopts an external architecture, independent of the native root of trust of the terminal main control chip, realizing independent and controllable security management sovereignty, and can meet the independent controllability and security requirements of critical information infrastructure; 2. It adopts a unified security management architecture across the entire domain, which can achieve full-link security management of terminal underlying permissions, key transfer, data transmission and artificial intelligence model scheduling; 3. Hardware physical isolation arrays can achieve physical isolation of data and instructions with different security levels, effectively preventing data leakage and malicious attacks; 4. The global compliance control unit can flexibly adapt to global data security standards in different regions around the world, solving the compliance challenges of cross-border data transmission; 5. The native terminal compatibility interface unit can achieve seamless compatibility with existing terminal hardware and software systems, without the need for large-scale modification of existing terminals, thus reducing deployment costs; 6. The device has a flexible and diverse form factor. It can be used as a purely external independent hardware module, a semi-integrated module, or embedded in the main control chip package, making it suitable for various terminal devices. Attached Figure Description

[0005] Figure 1 This is a schematic diagram of the overall architecture of Embodiment 1 of the present invention; Figure 2 This is a schematic diagram of the discrete chip architecture of Embodiment 2 of the present invention; Figure 3 This is a schematic diagram of the single-chip integrated architecture of Embodiment 3 of the present invention. Detailed Implementation

[0006] The present invention will now be described in detail with reference to the accompanying drawings and specific embodiments: Example 1

[0007] like Figure 1 As shown, this embodiment provides a terminal external global security management device, including a global security policy unit 1, a global security execution unit 2, a hardware physical isolation array 3, a global compliance management unit 4, and a native terminal compatibility interface unit 5; Global Security Policy Unit 1 is used to store and enforce global permission rules, security policies, and compliance standards; The global security execution unit 2 is connected to the global security policy unit 1 and is used to perform hardware-level real-time control and unbypassable abnormal circuit breaking on terminal underlying permissions, key transfer, data transmission and artificial intelligence model scheduling according to global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after abnormal circuit breaking. The hardware physical isolation array 3 is communicatively connected to the global security policy unit 1 and the global security execution unit 2, respectively, to achieve physical isolation of data and instructions with different security levels; The full-domain compliance control unit 4 is connected to the full-domain security execution unit 2 for access control and circuit breaker control of cross-border data transmission in accordance with full-domain compliance requirements; The native terminal compatibility docking unit 5 is connected to the native root of trust 61 of the terminal main control chip 6 and the operating system kernel 7 respectively, in order to achieve seamless compatibility with the existing terminal hardware and software system; In this embodiment, the global security policy unit 1 and the global security execution unit 2 are independently set in different semiconductor chips, the hardware physical isolation array 3 contains 3 independent physical isolation partitions, and the global security execution unit 2 integrates a national commercial cryptographic encryption module. Example 2

[0008] like Figure 2 As shown, the difference between this embodiment and embodiment 1 is that the global security policy unit 1 and the global security execution unit 2 are integrated in the same semiconductor chip 8, the hardware physical isolation array 3 contains 5 independent physical isolation partitions, and the device is integrated on the terminal motherboard 9 as a semi-built-in module. Example 3

[0009] The difference between this embodiment and Embodiment 1 is that the device is a purely external independent hardware module that connects to the terminal via a USB interface. The global security execution unit 2 does not integrate any specific encryption algorithm module and only manages the general data transmission link.

Claims

1. A terminal-external global security control device, characterized in that, include: • Global security policy unit, used to store and enforce global permission rules, security policies and compliance standards; • A global security execution unit, which is connected to the global security policy unit, is used to perform hardware-level real-time control and unbypassable circuit breaking of terminal underlying permissions, key transfer, data transmission, and artificial intelligence model scheduling according to the global permission rules. The control is not affected by terminal software layer modification or bypass, and a security recovery mechanism is supported after the circuit breaking is abnormal. • A hardware physical isolation array, which is communicatively connected to the global security policy unit and the global security execution unit, is used to achieve physical isolation of data and instructions with different security levels; • The overall compliance control unit is communicatively connected to the overall security execution unit and is used to control access and circuit breaker for cross-border data transmission according to overall compliance requirements; • Native terminal compatibility docking unit, which communicates with the native root of trust of the terminal main control chip and the device operating system kernel respectively, to achieve seamless compatibility with existing terminal hardware and software systems.

2. The terminal external global security control device according to claim 1, characterized in that, The hardware physical isolation array contains at least one independent physical isolation partition, and the number of partitions can be dynamically adjusted according to security requirements.

3. The terminal external global security control device according to claim 1, characterized in that, The global security policy unit and the global security execution unit can be integrated into the same semiconductor chip, or they can be set independently in different semiconductor chips.

4. The terminal external global security control device according to claim 1, characterized in that, The native terminal compatible docking unit can retain all the functions of the native root of trust of the terminal main control chip, or partially / completely replace the functions of the native root of trust of the terminal main control chip.

5. The terminal external global security control device according to claim 1, characterized in that, The global security execution unit may integrate a national commercial cryptographic encryption module or may not integrate any specific encryption algorithm module.

6. The terminal external global security control device according to claim 1, characterized in that, The comprehensive security execution unit can control financial payment keys, government keys, and user privacy data, or only control general data transmission links.

7. The terminal external global security control device according to claim 1, characterized in that, The scheduling and control of the artificial intelligence model includes the control of permissions and data flow for artificial intelligence models running inside the terminal's main control chip and artificial intelligence models running outside the terminal.

8. The terminal external global security control device according to claim 1, characterized in that, The operating system native key can be stored in the global security execution unit or stored in the terminal's native system, and its signature verification and transfer control can only be performed through the device.

9. The terminal external global security control device according to claim 1, characterized in that, The comprehensive compliance control unit can control data outbound only, data inbound only, or both bidirectional data transmission simultaneously.

10. The terminal external global security control device according to claim 1, characterized in that, The device can be used as a purely external independent hardware module, or semi-integrated into the terminal motherboard, or embedded in the terminal main control chip package.