Access control apparatus, method, medium, chip and device

By using the hardware bypass control module of the access control device, the problem of large software configuration workload during the chip startup phase is solved, achieving efficient and secure access control and improving chip startup efficiency and flexibility.

CN122372244APending Publication Date: 2026-07-10XG TECHNOLOGIES PTE LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
XG TECHNOLOGIES PTE LTD
Filing Date
2026-03-27
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

During the chip startup phase, existing technologies require software to switch most of the device resource attributes from secure to insecure, resulting in a huge configuration workload and affecting the chip startup efficiency.

Method used

An access control device is adopted, which includes an access permission isolation module and a bypass control module. The authentication function of the access permission isolation module is enabled or disabled through the hardware bypass control module, avoiding reliance on a large amount of software configuration and allowing direct access to the required resources.

Benefits of technology

It improves chip boot efficiency, enhances the security and flexibility of the boot process, and reduces software configuration workload.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122372244A_ABST
    Figure CN122372244A_ABST
Patent Text Reader

Abstract

The present disclosure provides an access control device, method, medium, chip and equipment, comprising: an access permission isolation module configured to, in a working state, determine access permission of a master device based on an access request of the master device, and transmit the access request to a corresponding slave device or intercept the access request based on the access permission; a bypass control module configured to: based on a bypass enable state, control the access permission isolation module to be in a bypass state and transmit the access request to the corresponding slave device, or control the access permission isolation module to be in the working state, thereby enabling or disabling the authentication function of the access permission isolation module through the bypass control module of the hardware, and in the chip startup, verification or debugging stage, without relying on a large amount of software configuration workload, the resources that need to be accessed can be accessed, the chip startup efficiency is effectively improved, and the safety and flexibility of the startup process can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to integrated circuit technology, and in particular to an access control device, method, medium, chip, and apparatus. Background Technology

[0002] Access control for chips is typically implemented using firewalls. Firewalls usually assume all managed slave resources are secure by default, allowing only secure master devices to access slaves. If an insecure master device wants to access a slave, it must first configure the slave's resource attributes to be insecure. Master devices include, for example, the Central Processing Unit (CPU) and controllers. Slave devices include, for example, external devices (peripherals) and memory. Peripherals can include general data transmission protocol interface peripherals, general control peripherals, pulse width modulation interfaces, accelerometer peripherals, and system function peripherals.

[0003] During the chip startup phase, it needs to access most of the slave device resources. In related technologies, the attributes of most slave device resources are usually switched from secure to insecure through software. This involves a huge amount of configuration work and affects the chip startup efficiency. Summary of the Invention

[0004] Embodiments of this disclosure provide an access control device, method, medium, chip, and apparatus that can reduce software configuration workload, thereby improving chip boot efficiency and enhancing the security and flexibility of the boot process.

[0005] A first aspect of this disclosure provides an access control device, comprising: an access permission isolation module configured to, in an operating state, determine the access permission of a master device based on an access request from a master device, and, based on the access permission, transmit the access request to a corresponding slave device or intercept the access request; and a bypass control module configured to, based on a bypass enable state, control the access permission isolation module to be in a bypass state and transmit the access request to the corresponding slave device, or control the access permission isolation module to be in the operating state.

[0006] A second aspect of this disclosure provides an access control method, comprising: a bypass control module controlling an access permission isolation module to be in a bypass state based on a bypass enable state, and transmitting an access request from a master device to a corresponding slave device; or, the bypass control module controlling the access permission isolation module to be in a working state based on the bypass enable state; the access permission isolation module, in the working state, determining the access permission of the master device based on the access request of the master device, and transmitting the access request to a corresponding slave device or intercepting the access request based on the access permission.

[0007] A third aspect of this disclosure is to provide a computer-readable storage medium storing a computer program that is executed by a processor to perform the access control method described in any of the above embodiments of this disclosure.

[0008] A fourth aspect of this disclosure provides an electronic device, the electronic device comprising: a processor; a memory for storing executable instructions of the processor; and an access control device provided in any of the above embodiments; the processor being configured to read the executable instructions from the memory, and the processor executing the executable instructions to control the access control device to implement the access control method described in any of the above embodiments of this disclosure.

[0009] A fifth aspect of this disclosure provides a chip including the access control device provided in any of the above embodiments of this disclosure.

[0010] A sixth aspect of the present disclosure provides a computer program product that, when instructions in the computer program product are executed by a processor, performs the access control method provided in any of the above embodiments of the present disclosure.

[0011] Based on the access control device, method, medium, chip, and apparatus provided in the above embodiments of this disclosure, the access permission isolation module, in its working state, can determine the access permission of the master device based on the access request of the master device, and based on the access permission, transmit the access request to the corresponding slave device or intercept the access request. The bypass control module can control the access permission isolation module to be in a bypass state based on the bypass enable state, thereby preventing the access permission isolation module from intercepting access requests and transmitting them to the corresponding slave device during chip startup by configuring the bypass enable state, or controlling the access permission isolation module to be in a working state to authenticate the access request of the master device. It is evident that the access control device of this disclosure enables or disables the authentication function of the access permission isolation module through a hardware bypass control module. During the chip startup, verification, or debugging phase, it can access the required resources without relying on a large amount of software configuration work, effectively improving chip startup efficiency and enhancing the security and flexibility of the startup process. Attached Figure Description

[0012] Figure 1 This is an exemplary application scenario of the access control device provided in this disclosure; Figure 2 This is a schematic diagram of the structure of an access control device provided in an exemplary embodiment of the present disclosure; Figure 3 This is a schematic diagram of the structure of an access control device provided in another exemplary embodiment of this disclosure; Figure 4 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 5 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 6 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 7 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 8 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 9 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 10 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 11 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 12 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 13 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 14 This is a schematic diagram of the structure of a bypass control module provided in an exemplary embodiment of this disclosure; Figure 15 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 16 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure; Figure 17 This is a flowchart illustrating an exemplary embodiment of the access control method provided in this disclosure; Figure 18 This is a structural diagram of an electronic device provided in an embodiment of this disclosure. Detailed Implementation

[0013] To explain this disclosure, exemplary embodiments of the disclosure will now be described in detail with reference to the accompanying drawings. Obviously, the described embodiments are only a part of the embodiments of the disclosure, and not all of them. It should be understood that the disclosure is not limited to exemplary embodiments.

[0014] It should be noted that, unless otherwise specifically stated, the relative arrangement, numerical expressions, and values ​​of the components and steps set forth in these embodiments do not limit the scope of this disclosure.

[0015] This disclosure outlines In developing this disclosure, the inventors discovered that in scenarios where chip access control is implemented based on a firewall, the firewall typically assumes that all slave device resources it controls are secure. Only secure master devices can access slave devices. If an insecure master device wants to access a slave device, it needs to pre-configure the slave device's resource attributes as insecure. Master devices include, for example, central processing units (CPUs) and controllers. Slave devices include, for example, peripherals and memory. Peripherals can include general data transmission protocol interface peripherals, general control peripherals, pulse width modulation interfaces, accelerometer peripherals, system function peripherals, etc.

[0016] During the chip startup phase, it needs to access most of the slave device resources. In related technologies, the attributes of most slave device resources are usually switched from secure to insecure through software. This involves a huge amount of configuration work and affects the chip startup efficiency.

[0017] Exemplary Overview Figure 1 This is an exemplary application scenario of the access control device provided in this disclosure. For example... Figure 1 As shown, chip 10 may include one or more master devices 11, multiple slave devices 12, and an access control device 20. During the startup, verification, or debugging phase of chip 10, the access control device 20 of this embodiment can control the master device 11's access to the slave devices 12. The master device 11 includes, but is not limited to, a CPU and a controller. The slave devices 12 include, but are not limited to, various peripherals and memory. Specifically, the access control device 20 of this disclosure includes an access permission isolation module and a bypass control module. The access permission isolation module is used to determine the access permission of the master device based on the access request of the master device when in the working state, and transmit the access request to the corresponding slave device or intercept the access request based on the access permission. The bypass control module is used to control the access permission isolation module to be in a bypass state and transmit the access request to the corresponding slave device based on the bypass enable state, or to control the access permission isolation module to be in the working state.

[0018] The access control device disclosed herein enables or disables the authentication function of the access permission isolation module through a hardware bypass control module. During the chip startup, verification, or debugging phase, it can access the required resources without relying on a large amount of software configuration work, effectively improving chip startup efficiency and enhancing the security and flexibility of the startup process.

[0019] Exemplary device Figure 2 This is a schematic diagram of the structure of an access control device provided in an exemplary embodiment of this disclosure. The access control device provided in this embodiment can be applied to electronic devices and chips. Electronic devices may include, but are not limited to, in-vehicle computing platforms (or in-vehicle terminals), embodied intelligent agents, mobile phones, tablets, wearable devices, etc. Chips may include, but are not limited to, intelligent driving chips, intelligent cockpit chips, cockpit-driver integrated chips, chips on embodied intelligent agents, chips on mobile phones, chips on tablets, chips on wearable devices, etc. Figure 2 As shown, the access control device in this embodiment may include: an access permission isolation module 21 and a bypass control module 22.

[0020] Access permission isolation module 21 is configured to, in the working state, determine the access permission of the master device based on the access request of the master device, and transmit the access request to the corresponding slave device or intercept the access request based on the access permission; bypass control module 22 is configured to: control access permission isolation module 21 to be in bypass state and transmit the access request to the corresponding slave device based on the bypass enable state, or control access permission isolation module 21 to be in working state.

[0021] The access permission isolation module 21 is a hardware module used to authenticate access requests from the master device. The bypass control module 22 is a hardware module used to control whether the access permission isolation module 21 needs to operate (i.e., whether the authentication function needs to be performed). When operating, the access permission isolation module 21 can authenticate access requests from the master device, that is, determine the master device's access permissions based on the access requests. When in bypass mode, the authentication function is bypassed, meaning that authentication of access requests from the master device is not required, allowing access requests from the master device to be transmitted to the slave device.

[0022] Access permissions can include both authorized and unauthorized access. Only when the master device has authorized access will the access permission isolation module 21 transmit the access request to the corresponding slave device. When the master device has unauthorized access, the access permission isolation module 21 intercepts the master device's access request, thus isolating the master device's access request and preventing it from being transmitted to the slave device.

[0023] The bypass enable state indicates whether the access permission isolation module 21 needs to be bypassed. The bypass enable state can include two states: enabled and disabled (or disabled). When the bypass enable state is enabled, the bypass control module 22 controls the access permission isolation module 21 to be in the bypass state. It does not need to authenticate the access request of the master device. As long as the access request of the master device is obtained, the access request can be transmitted to the corresponding slave device.

[0024] In some optional embodiments, the connection relationships between the access permission isolation module 21, the bypass control module 22, the master device, and the slave device can be configured according to actual needs. For example, the access permission isolation module 21 is coupled to both the master device and the bypass control module 22, and the bypass control module 22 is coupled to the access permission isolation module 21, the master device, and the slave device. When the access permission isolation module 21 is in the working state, it transmits the access request with authorized access to the slave device through the bypass control module 22. Alternatively, the bypass control module 22 is coupled to both the master device and the slave device; the access permission isolation module 21 is coupled to both the bypass control module and the slave device. The master device's access request is transmitted from the bypass control module 22 to the slave device or the access permission isolation module 21. As long as the dynamic switching between the bypass state and the working state of the access permission isolation module 21 can be achieved, the connection relationships between the various parts are not limited in this embodiment. Optionally, the access permission isolation module 21, the bypass control module 22, the master device, and the slave device can be connected via a bus or other connection methods.

[0025] Optionally, the master device may include, but is not limited to, processors, controllers, etc. Processors include, but are not limited to, central processing units (CPUs) and other types of processors. Controllers include, but are not limited to, DMA (Direct Memory Access) controllers. Slave devices may include, but are not limited to, peripherals, memory, etc. Peripherals include, but are not limited to, general data transmission protocol interface peripherals, general control peripherals, accelerator-type peripherals, and system function peripherals. General data transmission protocol interface peripherals include, but are not limited to, SPI (Serial Peripheral Interface), UART (Universal Asynchronous Receiver / Transmitter), MAC (Media Access Control), USB (Universal Serial Bus), etc.; general control peripherals are used to perform specific operation control on pins, and include, but are not limited to, general purpose input / output (GPIO) interfaces, pulse width modulation interfaces, etc.; accelerator-type peripherals include, but are not limited to, image codecs, high-speed encryption / decryption engines, etc.; system function peripherals include, but are not limited to, timers, interrupt controllers (INTC), etc.

[0026] In some alternative embodiments, the access permission isolation module 21 may be implemented based on registers, hardware logic units for access permission control, etc.

[0027] In some alternative embodiments, the bypass control module 22 may be implemented based on one or more hardware units such as a controller, microcontroller, selector (MUX).

[0028] The access control device provided in this disclosure has an access permission isolation module that, when in operation, can determine the access permissions of the master device based on the master device's access request, and based on the access permissions, transmit the access request to the corresponding slave device or intercept the access request. The bypass control module can control the access permission isolation module to be in a bypass state based on a bypass enabled state. Therefore, during chip startup, by configuring the bypass enabled state, the access permission isolation module can be prevented from intercepting access requests and transmitting them to the corresponding slave device, or the access permission isolation module can be controlled to be in an operational state to authenticate the master device's access requests. It is evident that the access control device of this disclosure enables or disables the authentication function of the access permission isolation module through a hardware bypass control module. During chip startup, verification, or debugging phases, it can access the required resources without relying on a large amount of software configuration work, effectively improving chip startup efficiency and enhancing the security and flexibility of the startup process.

[0029] Figure 3 This is a schematic diagram of the structure of an access control device provided in another exemplary embodiment of this disclosure.

[0030] In some alternative embodiments, based on any of the above embodiments, such as Figure 3 As shown, the access permission isolation module 21 is coupled to the master device 11; the bypass control module 22 is coupled to the master device 11, the access permission isolation module 21 and multiple slave devices 12 respectively.

[0031] Bypass control module 22 is specifically configured as follows: In response to the bypass enable state being enabled, the access permission isolation module 21 is in bypass state, transmitting the access request from the master device 11 to the corresponding slave device 12; or, in response to the bypass enable state being disabled, the access permission isolation module 21 is in working state, so that the access permission isolation module 21 determines the access permission of the master device 11 based on the access request of the master device 11. If the access permission is authorized, the access permission isolation module 21 transmits the access request to the bypass control module 22; if the access permission is unauthorized, the access permission isolation module 21 intercepts the access request, preventing the master device 11 from accessing the slave device 12.

[0032] In response to the access request from the master device transmitted by the access permission isolation module 21, the bypass control module 22 transmits the access request to the corresponding slave device 12.

[0033] Here, master device 11 can be any one of multiple master devices, see [reference]. Figure 3 As shown, when the bypass is enabled, the bypass control module 22 puts the access permission isolation module 21 into bypass mode. Access requests initiated by the master device 11 are transmitted to the bypass control module 22 through the bypass, and the bypass control module 22 transmits the access request to the corresponding slave device. When the bypass is disabled, the bypass control module 22 puts the access permission isolation module 21 into working mode, disconnects the bypass, and the access request initiated by the master device 11 is transmitted to the access permission isolation module 21. The access permission isolation module 21 determines the access permission of the master device 11 based on the access request. If the master device 11 has authorized access, the access permission isolation module 21 transmits the access request to the bypass control module 22, and the bypass control module 22 transmits the access request from the access permission isolation module 21 to the corresponding authorized slave device. If the access permission is unauthorized, the access permission isolation module 21 intercepts the access request, so the access request will not be transmitted to the bypass control module, and therefore will not be transmitted to the slave device, preventing the master device 11 from accessing the corresponding slave device 12.

[0034] Optionally, the bypass control module 22 can be implemented based on a selector (MUX). For example, a two-to-one selector can be used. One input terminal (or first input terminal) of the selector is coupled to the output terminal of the access permission isolation module 21, and the other input terminal (or second input terminal) of the selector is coupled to the master device 11 through bypass. The output terminal of the selector is coupled to the slave device 12. When the bypass enable state is enabled, the input signal of the second input terminal is selected to be output from the output terminal. When the bypass enable state is disabled, the input signal of the first input terminal is selected to be output from the output terminal, thereby realizing the dynamic switching of the bypass state and working state of the access permission isolation module 21.

[0035] In some optional embodiments, the bypass enable state can be implemented by configuring the state of the state register, or by configuring the level of the enable signal line. For example, the state register is set to 1 to indicate enable and 0 to indicate disable. Alternatively, the enable signal line can be configured to be high to indicate enable and low to indicate disable. The specific method of configuring the bypass enable state is not limited.

[0036] In the embodiments of this disclosure, the bypass control module can control the access permission isolation module to be in a bypass state when the bypass enable state is enabled. This allows access requests from the master device to be transmitted to the bypass control module via the bypass, and then to the corresponding slave device via the bypass control module. This avoids the access permission isolation module isolating the master device's access requests. When the bypass enable state is disabled, the bypass control module can control the access permission isolation module to be in an active state to authenticate the master device's access requests, ensuring that only master devices with authorized access rights can access the corresponding slave devices, thereby ensuring the security of the slave devices. Therefore, by configuring the bypass enable state, the access permission isolation module can be placed in a bypass state during chip startup, debugging, and verification phases to allow the master device to access the slave devices. When the chip starts up and enters the active state, the bypass enable state is updated to disabled, enabling the access permission isolation module to enter the active state, ensuring that only master devices with authorized access rights can access the corresponding slave devices. This improves the efficiency and flexibility of the chip startup process while ensuring the security of the slave devices, effectively reducing the software configuration workload during the chip startup phase.

[0037] Figure 4 This is a schematic diagram of the structure of an access control device provided in another exemplary embodiment of the present disclosure.

[0038] In some alternative embodiments, based on any of the above embodiments, such as Figure 4 As shown, the bypass control module 22 is coupled to the master device 11, the access permission isolation module 21 and multiple slave devices 12 respectively; the access permission isolation module 21 is coupled to multiple slave devices 12.

[0039] Bypass control module 22 is specifically configured as follows: In response to the bypass enable state being enabled, the access control isolation module 21 is in the bypass state and transmits the access request of the master device 11 to the corresponding slave device 12; or, in response to the bypass enable state being disabled, the access control isolation module 21 is in the working state and transmits the access request of the master device 11 to the access control isolation module 21.

[0040] Access control isolation module 21 is specifically configured as follows: In operation, in response to receiving an access request from the master device 11 transmitted by the bypass control module 22, the access permissions of the master device 11 are determined based on the access request, and the access request is transmitted to the corresponding slave device 12 or the access request is intercepted based on the access permissions.

[0041] See Figure 4As shown, the bypass control module 22 is located between the access permission isolation module and the master device 11. When the bypass is enabled, the bypass control module 22 puts the access permission isolation module 21 into a bypass state. Access requests initiated by the master device 11 are transmitted to the bypass control module 22, which then transmits the access request to the corresponding slave device 12 via the bypass, preventing the access permission isolation module 21 from isolating the access request. When the bypass is disabled, the bypass control module 22 puts the access permission isolation module 21 into an active state. The bypass control module 22 transmits the received access request from the master device 11 to the access permission isolation module 21. Based on the access request, the access permission isolation module 21 determines the access permission of the master device 11 and, based on the access permission, transmits the access request to the corresponding slave device 12 or intercepts the access request. If the access permission is authorized, the access permission isolation module 21 transmits the access request to the corresponding slave device 12. If the access permission is unauthorized, the access permission isolation module 21 intercepts the access request, isolating the master device 11 from accessing the corresponding slave device.

[0042] Optionally, the bypass control module 22 can be implemented based on a controller, microcontroller, or hardware logic unit with corresponding control functions to control the dynamic switching between the bypass state and working state of the access permission isolation module 21.

[0043] In the embodiments of this disclosure, the bypass control module can control the access permission isolation module to be in a bypass state when the bypass enable state is enabled, transmitting the master device's access request to the corresponding slave device through the bypass, thus preventing the access permission isolation module from isolating the master device's access request. When the bypass enable state is disabled, the bypass control module can control the access permission isolation module to be in an active state, transmitting the master device's access request to the access permission isolation module, which then authenticates the master device's access request, ensuring that only master devices with authorized access rights can access the corresponding slave devices, thereby ensuring the security of the slave devices. Therefore, according to requirements, by configuring the bypass enable state, the access permission isolation module can be placed in a bypass state during chip startup, debugging, and verification stages, allowing the master device to access the slave device. When the chip starts up and enters the active state, the bypass enable state is updated to disabled, enabling the access permission isolation module to enter the active state, ensuring that only master devices with authorized access rights can access the corresponding slave devices. This improves the efficiency and flexibility of the chip startup process while ensuring the security of the slave devices, effectively reducing the software configuration workload during the chip startup phase.

[0044] In some alternative embodiments, Figure 5 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 5As shown, the access permission isolation module 21 is coupled to the master device 11, the slave device 12, and the bypass control module 22, respectively. The bypass control module 22 is also coupled to both the master device 11 and the slave device 12. When the bypass is enabled, the bypass control module 22 controls the access permission isolation module 21 to be in a bypass state. Access requests initiated by the master device 11 are transmitted to the bypass control module 22 through the bypass, and the bypass control module 22 transmits the access request to the corresponding slave device 12. When the bypass is disabled, the bypass control module 22 controls the access permission isolation module 21 to be in an active state, the bypass is disconnected, and access requests initiated by the master device 11 are transmitted to the access permission isolation module 21. The access permission isolation module 21 authenticates the access request. If it determines that the master device 11 has permission to access, the access permission isolation module 21 transmits the access request to the corresponding slave device 12. If it determines that the master device 11 does not have permission to access, the access permission isolation module 21 intercepts the access request.

[0045] Figure 6 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure.

[0046] In some alternative embodiments, based on any of the above embodiments, such as Figure 6 As shown, the access control module 21 includes a first isolation control unit 211 and a second isolation control unit 212; the bypass control module 22 includes a first bypass control unit 221 corresponding to the first isolation control unit 211 and a second bypass control unit 222 corresponding to the second isolation control unit.

[0047] The first isolation control unit 211 is coupled to the first slave device 121; the first bypass control unit 221 is coupled to both the first isolation control unit 211 and the first slave device 121.

[0048] The first isolation control unit 211 is configured to, in the working state, transmit the first access request of the master device 11 to the first slave device 121 based on the access permissions of the master device 11, or intercept the first access request.

[0049] The first bypass control unit 221 is configured to control the first isolation control unit 211 to be in a bypass state based on the first bypass enable state, and to transmit the first access request of the master device 11 to the first slave device 121 to the first slave device 121, or to control the first isolation control unit 211 to be in an operating state.

[0050] The second isolation control unit 212 is coupled to the second slave device 122; the second bypass control unit 222 is coupled to the second isolation control unit 212 and the second slave device 122 respectively.

[0051] The second isolation control unit 212 is also coupled to the first isolation control unit 211 and / or the first bypass control unit 221.

[0052] The second isolation control unit 212 is configured to: in the working state, in response to receiving a second access request from the master device 11 to the second slave device 122 transmitted by the first isolation control unit 211 or the first bypass control unit 221, determine the access rights of the master device 11 based on the second access request, and transmit the second access request to the second slave device 122 based on the access rights, or intercept the second access request.

[0053] The second bypass control unit 222 is configured to control the second isolation control unit 212 to be in a bypass state and transmit the second access request to the second slave device 122 based on the second bypass enable state, or to control the second isolation control unit 212 to be in an operating state.

[0054] The first isolation control unit 211 and the second isolation control unit 212 are two levels of isolation control units divided according to the criticality of the slave devices. The first isolation control unit 211 can be called the top-level isolation control unit, and the second isolation control unit 212 can be called the sub-level isolation control unit. The first isolation control unit 211 is used to manage critical slave devices in the chip or chip subsystem. Critical slave devices can be slave devices that are essential for the startup of the chip or subsystem. Critical slave devices include, but are not limited to, clock and reset generators (CRGs), power supplies, and security registers. The second isolation control unit 212 is used to manage other slave devices in the chip or chip subsystem. Other slave devices are slave devices other than the aforementioned critical slave devices. Other slave devices include, but are not limited to, various external devices and storage devices. External devices include, but are not limited to, general data transmission protocol interface peripherals, general control peripherals, pulse width modulation interfaces, accelerometer peripherals, and system function peripherals.

[0055] The first bypass control unit 221 is a hardware unit used to control the first isolation control unit 211 to be in bypass mode or operating mode. The second bypass control unit 222 is a hardware unit used to control the second isolation control unit 212 to be in bypass mode or operating mode.

[0056] The first slave device 121 is a slave device controlled by the first isolation control unit 211. For example, each slave device necessary for the startup of the chip or chip subsystem can be used as the first slave device 121.

[0057] The first bypass enabled state is the bypass enabled state of the first bypass control unit 221. In response to the first bypass enabled state being enabled, the first bypass control unit 221 controls the first isolation control unit 211 to be in a bypass state, so as to transmit the first access request from the master device 11 to the first slave device 121. When the first bypass enabled state is disabled, the first bypass control unit 221 controls the first isolation control unit 211 to be in an operating state. In the operating state, the first isolation control unit 211 determines the access permissions of the master device 11 based on the access request. If the access permissions are valid, the first isolation control unit 211 transmits the access request to the corresponding first slave device 121; or, if the access permissions are invalid, the first isolation control unit 211 intercepts the access request.

[0058] Optionally, the first isolation control unit 211 can be directly coupled to the first slave device 121, or coupled to the first slave device 121 through the first bypass control unit 221, and is not limited to this. Figure 6 The connection method is shown. When the first isolation control unit 211 is coupled to the first slave device 121 through the first bypass control unit 221, the first isolation control unit 211, in its working state, transmits the access request that is authorized to access to the first slave device 121 through the first bypass control unit 221.

[0059] In some optional embodiments, the first isolation control unit 211 may be directly coupled to the main device 11, or the first isolation control unit 211 may be coupled to the main device 11 through the first bypass control unit 221, and is not limited to these embodiments. Figure 6 The connection method is shown. When the first isolation control unit 211 is coupled to the main device 11 through the first bypass control unit 221, the first isolation control unit 221, in its working state, obtains the access request initiated by the main device 11 through the first bypass control unit 221.

[0060] The second slave device 122 is a slave device managed by the second isolation control unit 212. The second slave device 122 includes, but is not limited to, peripheral type slave devices, memory type slave devices, etc.

[0061] The second access request from the master device 11 to the second slave device 122 can be transmitted to the second isolation control unit 212 after authentication by the first isolation control unit 211, or transmitted to the second isolation control unit 212 through the first bypass control unit 221. When in operation, the second isolation control unit 212, in response to receiving the second access request from the master device 11 to the second slave device 122 transmitted by the first isolation control unit 211 or the first bypass control unit 221, determines the access rights of the master device 11 based on the second access request, and based on the access rights, transmits the second access request to the second slave device 122, or intercepts the second access request.

[0062] The second bypass enable state is the bypass enable state corresponding to the second bypass control unit 222. Optionally, the second bypass control unit 222 is coupled to the first isolation control unit 211 and / or the first bypass control unit 221. When the second bypass enable state is enabled, the second bypass control unit 222 controls the second isolation control unit 212 to be in a bypass state, and when it receives a second access request from the master device 11 to the second slave device 122 transmitted from the first isolation control unit 211 or the first bypass control unit 221, it transmits the second access request to the corresponding second slave device 122. Alternatively, when the second bypass enable state is disabled, it controls the second isolation control unit 212 to be in an operating state. In the operating state, in response to receiving a second access request from the master device 11 to the second slave device 122 transmitted from the first isolation control unit 211 or the first bypass control unit 221, the second isolation control unit 212 determines the access rights of the master device 11 based on the second access request, and transmits the second access request to the second slave device 122 based on the access rights, or intercepts the second access request.

[0063] Optionally, the second isolation control unit 212 can be coupled to the first isolation control unit 211 and / or the first bypass control unit 221 via the second bypass control unit 222. That is, the first isolation control unit 211 or the first bypass control unit 221 transmits the second access request to the second bypass control unit 222, and the second bypass control unit 222 transmits the second access request to the second isolation control unit 212 or to the corresponding second slave device 122.

[0064] Optionally, the second isolation control unit 212 may be directly coupled to the second slave device 122, or coupled to the second slave device through the second bypass control unit 222.

[0065] Optionally, the first isolation control unit 211 may be coupled to the second isolation control unit 212 and / or the second bypass control unit 222 via the first bypass control unit 221.

[0066] This disclosure does not limit the connection relationship between the second isolation control unit 212, the second bypass control unit 222, the first isolation control unit 211, the first bypass control unit 221, and the second slave device 122, as long as the transmission of the second access request to the second slave device 122 and the dynamic switching function between the bypass state and the working state of the second isolation control unit 212 can be realized. It is not limited to this. Figure 6 The connection relationships are shown. For example, you can refer to... Figure 3 , Figure 4 and Figure 5 The connection relationships between the access permission isolation module 21, the bypass control module 22, the master device 11, and the slave device 12 are shown below. The first isolation control unit 211 and the first bypass control unit 221 replace the master device 11, the second isolation control unit 212 replaces the access permission isolation module 21, the second bypass control unit 222 replaces the bypass control module 22, and the second slave device 122 replaces the slave device 12. The connection relationship between the first isolation control unit 211 and the first bypass control unit 221 can also be referenced. Figures 3 to 5 The first isolation control unit 211 replaces the access permission isolation module 21, the first bypass control unit 221 replaces the bypass control module 22, and the second isolation control unit 212 and the second bypass control unit 222 are used as slave devices.

[0067] In some optional embodiments, the first isolation control unit 211 can be implemented based on one or more of registers, controllers, microcontrollers, access permission isolation control hardware logic units, etc. The second isolation control unit 212 can be implemented based on one or more of registers, controllers, microcontrollers, access permission isolation control hardware logic units, etc. The first bypass control unit 221 and the second bypass control unit 222 can be implemented based on hardware units such as controllers, microcontrollers, selectors, etc.

[0068] Optionally, the first isolation control unit 211 and the second isolation control unit 212 may be, for example but not limited to, a firewall access control module (MPU) (Memory Protect Unit).

[0069] Optionally, the number of second isolation control units 212 may be one or more, and each second isolation control unit 212 may have a corresponding second bypass control unit 222. For example, the second slave devices can be divided into multiple groups as needed, and a corresponding second isolation control unit 212 and second bypass control unit 222 can be set for each group, which can further improve the management flexibility of each slave device. For example, peripheral type second slave devices can be grouped together, and storage type second slave devices can be grouped together, and second isolation control units 212 and second bypass control units 222 corresponding to peripheral type and storage type can be set respectively. Of course, this is only an exemplary grouping, and the actual application is not limited to the grouping of the above example.

[0070] In the embodiments of this disclosure, the first and second slave devices are managed by a first isolation control unit and a second isolation control unit, respectively. This allows for hierarchical management of the slave devices, with different levels granted different bypass control permissions. This facilitates designating the slave device necessary for chip startup as the first slave device. By configuring the first bypass enable state, the bypass and operating states of the first isolation control unit can be dynamically switched. This allows the authentication function of the first isolation control unit to be bypassed during startup, debugging, and verification phases, enabling the master device to quickly access the first slave device and improving startup efficiency. Furthermore, by configuring the second bypass enable state, the authentication function of the second isolation control unit can be flexibly controlled, effectively improving the flexibility of slave device management.

[0071] Figure 7 This is a schematic diagram of the structure of an access control device provided in another exemplary embodiment of the present disclosure.

[0072] In some alternative embodiments, such as Figure 7 As shown, the first slave device 121 includes a first register R1.

[0073] The first register R1, coupled to the second bypass control unit 222, is configured to store the second bypass enable state of the second bypass control unit 222.

[0074] The second bypass control unit 222 is specifically configured as follows: In response to the second bypass enable state in the first register R1 being enabled, the second isolation control unit 212 is controlled to be in bypass state and the second access request is transmitted to the second slave device 122; or, in response to the second bypass enable state in the first register R1 being disabled, the second isolation control unit 212 is controlled to be in working state.

[0075] The second isolation control unit 212 is specifically configured as follows: In the working state, in response to receiving a second access request from the master device to the second slave device transmitted by the first isolation control unit 211 or the first bypass control unit 221, the master device's access permission is determined based on the second access request; in response to the access permission being authorized, the second access request is transmitted to the second slave device 122; or, in response to the access permission being unauthorized, the second access request is intercepted.

[0076] The first register R1 can be any type of register. It serves as a first slave device 121, storing the second bypass enable states required by the second bypass control unit 222. Optionally, the bit width of the first register R1 can be set according to the number of second bypass control units 222. For example, when the number of second bypass control units 222 is N, the bit width of the first register R1 can be greater than or equal to N, ensuring that the first register R1 can store the second bypass enable states corresponding to each second bypass control unit 222. For example, if the first register R1 is an 8-bit register, it can support storing the second bypass enable states of up to 8 second bypass control units 222, with each bit of the first register R1 corresponding to one second bypass control unit. The second bypass enable states corresponding to different second bypass control units 222 can be the same or different, allowing for flexible control of each second isolation control unit 212 to be in bypass or working state by configuring the states of each bit of the first register R1.

[0077] In some optional embodiments, the first register R1 can be a security register. The second bypass enable state stored in the first register R1 can be configured by a secure master device or a master device with a higher security level via software. For example, during chip startup, the first register R1 is configured by the bootloader to switch the resources of the second slave device between secure and insecure states with a single click. For example, during startup, the state of the first register R1 is configured to indicate a disabled (e.g., all bits are 0) second bypass enable state. After startup is complete, the first register R1 is switched to indicate an enabled (e.g., all bits are 1) second bypass enable state. The specific switching timing can be set according to actual needs.

[0078] Optionally, the first register R1 can be coupled to the enable terminal of the second bypass control unit 222 to transmit the second bypass enable state to the enable terminal of the second bypass control unit 222, triggering the second bypass control unit 222 to control the state of the second isolation control unit 212. The specific working process of the second bypass control unit 222 and the second isolation control unit 212 is described in the foregoing embodiments and will not be repeated here.

[0079] In the embodiments of this disclosure, by using the first register as the first slave device to store the second bypass enable state, the corresponding second bypass enable state is provided to the second bypass control unit. This facilitates the authentication or bypassing of access requests to the second slave device at the sub-level by configuring the first register through a secure master device. When the first bypass enable state at the top level is disabled (i.e., the bypass function is off), only the secure master device can configure the first register, ensuring the security and effectiveness of the second bypass enable state.

[0080] In some alternative embodiments, Figure 8 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 8 As shown, the first isolation control unit 211 is coupled to the first slave device 121 through the first bypass control unit 221.

[0081] In some alternative embodiments, Figure 9 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 9 As shown, the second isolation control unit 212 is coupled to the second slave device 122 through the second bypass control unit 222.

[0082] In some optional embodiments, the apparatus of this disclosure may further include a register for storing a first bypass enable state, which may be coupled to the first bypass control unit 221 to provide the first bypass enable state to the enable terminal of the first bypass control unit 221. Optionally, the register may be a system-level security register, configured by a secure master device by running application software to ensure the flexibility and security of the first bypass enable state.

[0083] Figure 10 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure.

[0084] In some alternative embodiments, based on any of the above embodiments, such as Figure 10 As shown, the apparatus 20 in this embodiment further includes: The second register R2, coupled to the bypass control module 22, is configured to store the bypass enable state of the bypass control module 22.

[0085] Bypass control module 22 is specifically configured as follows: During the startup process of the system where the master device 11 is located, in response to the bypass enable state in the second register R2 being enabled, the access control isolation module 21 switches to the bypass state.

[0086] After the system has started up, in response to the bypass enable state in the second register R2 being updated from enabled to disabled, the access control isolation module 21 switches to the working state.

[0087] The system where the master device 11 resides can refer to the on-chip system or subsystem of the chip containing the master device 11. The second register R2 can be a system-level security register, configured by the secure master device. During system startup, the second register R2 is configured to store a bypass enable state indicating that it is enabled. In response to the bypass enable state in the second register R2 being enabled, the bypass control module 22 controls the access permission isolation module 21 to switch to the bypass state. After system startup is complete, in response to the bypass enable state in the second register R2 being updated from enabled to disabled, the bypass control module 22 controls the access permission isolation module 21 to switch to the working state. This allows for rapid access to the slave devices required during the startup phase and rapid restoration of authentication functions after successful startup, ensuring the security of the slave devices.

[0088] In some alternative embodiments, in the case of hierarchical control of slave devices, the second register R2 can be used to store the first bypass enable state of the first bypass control unit 221.

[0089] Figure 11 This is a schematic diagram of the structure of an access control device provided in another exemplary embodiment of the present disclosure.

[0090] In some alternative embodiments, based on any of the above embodiments, such as Figure 11 As shown, the slave device 12 includes a third register R3, which is coupled to the bypass control module 22 and the access permission isolation module 21, and is configured to store access permission control information.

[0091] Access control isolation module 21 is specifically configured as follows: In the working state, the access permissions of the main device 11 are determined based on the access requests and access permission control information of the main device 11.

[0092] The third register, R3, can be called the firewall register and is coupled to the access control isolation module 21. Access control information represents the access relationships between master devices with different identities and security attributes and each slave device. This access control information is the basis for authentication by the access control isolation module 21. Access control information includes, but is not limited to, the identity identifier (or device identifier) ​​of each master device, its security level (e.g., including but not limited to both secure and insecure levels), and the slave devices that a secure master device is allowed to access, as well as the slave devices that an insecure master device is allowed to access and / or not allowed to access. The specific content of the access control information can be set according to authentication requirements. When in operation, the access control isolation module 21 can determine the access permissions of the master device 11 based on its access request and access control information, and then transmit the access request to the slave device 12 or intercept the access request according to the access permissions. For example, the access request from the master device 11 may include the master device's identity, security level, and access address. The access permission isolation module 21 can determine the slave device to be accessed based on the access address. Based on the master device 11's identity, security level, and the slave device to be accessed, combined with access permission control information, the master device 11 can determine the access permissions of the slave device to be accessed. This only illustrates one exemplary authentication principle of the access permission isolation module 21; in actual applications, the specific authentication functions are not limited to the above example.

[0093] In the embodiments of this disclosure, access control information is stored in a third register to provide a valid reference for the access control isolation module and ensure the effectiveness of the authentication function of the access control isolation module.

[0094] In some alternative embodiments, the access control device 20 of this disclosure may include the third register R3 described above; that is, the third register R3 may be an internal register of the device.

[0095] Figure 12 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure.

[0096] In some alternative embodiments, such as Figure 12 As shown, the apparatus 20 in this embodiment further includes: Security access controller 23, coupled to third register R3, is configured as follows: In response to receiving a fourth access request from the first master device 111 to the third register R3, the security attribute of the fourth access request is determined based on the fourth access request; the fourth access request is used to configure access control information to the third register R3; in response to the security attribute being secure, the access control information is written to the third register R3 based on the fourth access request; or, in response to the security attribute being insecure, the fourth access request is intercepted.

[0097] The security access controller 23 is used to authenticate the fourth access request to access the third register R3. The third register R3 is an internal register of the Firewall and is also a slave device protected by the access control isolation module 21. Because the access control information stored in it is at a high security level, its security needs to be ensured. Therefore, the security access controller 23 is configured to separately verify the security attributes of the master device accessing the third register R3 to ensure the security of the third register R3. The first master device 111 can be any master device. Optionally, the first master device 111 is a secure master device, or the first master device 111 is the master device running the register configuration software.

[0098] The fourth access request to the third register R3 initiated by the first master device 111 is transmitted to the security controller 23 by the access permission isolation module 21 or the bypass control module 22. Based on the fourth access request, the security controller 23 determines its security attribute (or security level). If the security attribute is secure, the security controller 23 writes access permission control information into the third register R3. The fourth access request may include the access permission control information to be written to the third register R3. If the security attribute is insecure, the security controller 23 intercepts the fourth access request, preventing access to the third register R3 and ensuring the security of the third register R3.

[0099] Optionally, when the bypass is enabled, the fourth access request from the first master device 111 is transmitted to the security controller 23 via bypass. In this case, since the authentication function of the access permission isolation module 21 is disabled, the security controller 23 can authenticate the request before accessing the third register R3, ensuring the security of the third register R3. When the bypass is disabled, the fourth access request is transmitted to the security controller 23 after authentication by the access permission isolation module. The security controller 23 can perform secondary authentication before accessing the third register R3. Alternatively, the security controller can identify that the access request has been authenticated by the access permission isolation module, avoiding secondary authentication and directly accessing the third register R3. The identification method can be set according to actual needs. For example, when the access permission isolation module 21 and the bypass control module 22 are respectively coupled to the security controller 23, the fourth access request can be identified as originating from the access permission isolation module or the bypass control module 22 to determine whether the fourth access request has been authenticated by the access permission isolation module 21.

[0100] Optionally, the security authority controller 23 can determine whether the security attribute of the fourth access request is secure or insecure based on the security level included in the fourth access request.

[0101] Optionally, refer to Figures 3 to 5 The connection relationship between the access permission isolation module 21 and the bypass control module 22 is such that the security access controller 23 can be coupled to the access permission isolation module 21 and / or the bypass control module 22, but is not limited to... Figure 12 The connection relationships are shown.

[0102] Optionally, access control information can only be configured or modified by a secure master device or a master device with a higher security level. Specifically, the master device that can configure the third register R3 can be set according to requirements, and the identity and / or security level of the master device that is allowed to access the third register R3 can be set as reference information in the security access controller 23 so that the security access controller 23 can authenticate the fourth access request based on the set reference information.

[0103] In the embodiments of this disclosure, access requests to the third register are authenticated by a security access controller. Even when the bypass enable state is enabled (i.e., the access permission isolation module is in bypass state), only secure master devices are allowed to access the third register. This improves the access flexibility of other slave devices while ensuring the security of the third register.

[0104] In some alternative embodiments, such as Figure 6 , Figure 7In any of the hierarchical control slave device embodiments shown, each isolation control unit (e.g., the first isolation control unit 211 or the second isolation control unit 212) may include a third register in the slave device it controls for storing access control information corresponding to that isolation control unit. Optionally, any third register may have a corresponding security access controller to further improve the security of the access control information.

[0105] Figure 13 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 13 As shown, the security access controller 23 is coupled to the bypass control module 22, the access permission isolation module 21, and the third register R3. The bypass control module 22 is coupled to the first master device 111. The fourth access request from the first master device 111 is transmitted to the bypass control module 22. The bypass control module 22 controls the access permission isolation module 21 to be in a working state or a bypass state. When the access permission isolation module 21 is in a bypass state, the bypass control module 22 transmits the fourth access request to the security access controller 23. The security access controller 23 determines the security attribute of the fourth access request based on the fourth access request. In response to the security attribute being secure, the access permission control information is written to the third register R3 based on the fourth access request; or, in response to the security attribute being insecure, the fourth access request is intercepted. When the access permission isolation module 21 is in operation, the bypass control module 22 transmits the fourth access request to the access permission isolation module 21. Based on the fourth access request, the access permission isolation module 21 determines the access permission of the first master device 111. In response to the access permission being authorized, the fourth access request is transmitted to the security authority controller 23. Based on the fourth access request, the security authority controller 23 determines the security attribute of the fourth access request. In response to the security attribute being secure, the access permission control information is written to the third register R3 based on the fourth access request.

[0106] In some alternative embodiments, Figure 14 This is a schematic diagram of the structure of a bypass control module provided in an exemplary embodiment of this disclosure. Figure 14 As shown, the bypass control module 22 can be implemented using a selector (MUX). EN indicates the enable or bypass enable state. When EN is enabled, the bypass control module 22 selects to transmit the access request from the master device 11 input at input 1 to the slave device 12. When EN is disabled, the bypass control module 22 selects to transmit the access request from input 2, authenticated by the access permission isolation module 21, to the slave device 12. When EN is disabled, if the access permission isolation module 21 intercepts the access request, the access request will not be transmitted to the slave device 12.

[0107] In some alternative embodiments, Figure 15 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 15 As shown, the access control device 20 of this embodiment includes a first isolation control unit 211, a first bypass control unit 221, a plurality of second isolation control units 212, a second bypass control unit 222 corresponding to each second isolation control unit 212, a third register R3, and a security access controller 23 corresponding to the third register R3. The first isolation control unit 211 manages a plurality of first slave devices 121, which include, but are not limited to, a power supply, a CRG, and a first register R1. The connection relationship between the first bypass control unit 221, the first isolation control unit 211, the security access controller 23, the third register R3, and each first slave device 121 is as described in the foregoing embodiments. The connection relationship between the plurality of second isolation control units 212 and their corresponding second bypass control units 222, the first bypass control unit 221, the first isolation control unit 211, the first register R1, and the second slave devices 122 is as described in the foregoing embodiments and will not be repeated here.

[0108] In some alternative embodiments, Figure 16 This is a schematic diagram of the structure of an access control device provided in yet another exemplary embodiment of this disclosure. For example... Figure 16 As shown, the first bypass control unit 221 is disposed between the first isolation control unit 211 and the first slave device 121, and the second bypass control unit 222 is disposed between the second isolation control unit 212. For example, the first bypass control unit 221 and the second bypass control unit 222 are implemented through a selector. For the specific working principle, please refer to the foregoing embodiments, which will not be repeated here.

[0109] In practical applications, the connections between the various parts are not limited to... Figure 15 and Figure 16 The connection relationships are shown.

[0110] In related technologies, during the chip boot phase, software is needed to configure the security attributes of each slave device required for booting to be insecure, so that the master device can access most slave device resources during boot. This configuration workload is substantial and affects the chip's boot efficiency. Alternatively, the default authentication and control attributes can be changed according to the access priority of different resources. For example, the default security attribute of the slave devices used for booting can be changed from secure to insecure. This requires a clear implementation method in the chip design phase and places high demands on both software and hardware.

[0111] The access control device provided in this disclosure, by setting a corresponding bypass control module for the access permission isolation module, enables one-click enabling or disabling of the authentication function of the access permission isolation module. During chip startup, verification, and debugging phases, access to most slave device resources can be achieved without relying on a large amount of software configuration. By disabling the authentication function of the access permission isolation module, rapid access to most slave device resources is achieved. After chip startup, the authentication function of the access permission isolation module can be quickly enabled, ensuring the security of slave device resources during chip operation. Secondly, for the third register storing access permission control information, a security permission controller is added to achieve constant security of the third register, ensuring its security even when the access permission isolation module is bypassed. Thirdly, through a hierarchical permission isolation architecture, a top-down bypass control function is implemented, facilitating flexible management of the security attributes of slave devices and improving the flexibility and security of management. Furthermore, by setting a first register to configure the second bypass enable state of the second bypass control unit at the sub-level, security permission management of the bypass function configuration at the sub-level is achieved. This embodiment of the disclosure can effectively reduce the configuration operations of changing the security attributes of a device from secure to insecure through software during the startup, verification, and debugging stages, thereby effectively reducing the workload of software configuration and improving chip startup efficiency.

[0112] The embodiments described above can be implemented individually or in any combination without conflict. The specific implementation can be set according to actual needs, and this disclosure does not limit them.

[0113] Exemplary methods Figure 17 This is a flowchart illustrating an exemplary embodiment of the access control method provided in this disclosure. The access control method provided in this disclosure can be implemented using any of the access control devices provided in the above embodiments of this disclosure, such as... Figure 17 The method shown may include the following steps: Step 510: The bypass control module controls the access permission isolation module to be in bypass state based on the bypass enable state, and transmits the access request of the master device to the corresponding slave device; or, the bypass control module controls the access permission isolation module to be in working state based on the bypass enable state.

[0114] Step 520: When the access permission isolation module is in operation, it determines the access permission of the master device based on the access request of the master device, and transmits the access request to the corresponding slave device or intercepts the access request based on the access permission.

[0115] In some alternative embodiments, based on any of the above embodiments, the access permission isolation module is coupled to the master device; the bypass control module is coupled to the master device, the access permission isolation module and multiple slave devices respectively.

[0116] In step 510, the bypass control module controls the access permission isolation module to be in bypass mode based on the bypass enable state, and transmits the access request from the master device to the corresponding slave device; or, the bypass control module controls the access permission isolation module to be in working mode based on the bypass enable state, specifically including: When the bypass enable state is enabled, the bypass control module controls the access permission isolation module to be in bypass mode and transmits the access request from the master device to the corresponding slave device; or, when the bypass enable state is disabled, the bypass control module controls the access permission isolation module to be in working mode, so that the access permission isolation module, in working mode, determines the access permission of the master device based on the access request from the master device, and transmits the access request to the corresponding slave device or intercepts the access request based on the access permission; when the bypass control module receives the access request from the master device transmitted by the access permission isolation module, it transmits the access request to the corresponding slave device.

[0117] In some alternative embodiments, based on any of the above embodiments, the bypass control module is coupled to the master device, the access permission isolation module, and a plurality of slave devices respectively; the access permission isolation module is coupled to the plurality of slave devices.

[0118] In step 510, the bypass control module controls the access permission isolation module to be in bypass mode based on the bypass enable state, and transmits the access request from the master device to the corresponding slave device; or, the bypass control module controls the access permission isolation module to be in working mode based on the bypass enable state, including: When the bypass enable state is enabled, the bypass control module controls the access permission isolation module to be in bypass state and transmits the access request from the master device to the corresponding slave device; or, when the bypass enable state is disabled, the bypass control module controls the access permission isolation module to be in working state and transmits the access request from the master device to the access permission isolation module.

[0119] In step 520, the access permission isolation module, while in operation, determines the access permissions of the master device based on the access request from the master device, and based on the access permissions, transmits the access request to the corresponding slave device or intercepts the access request, including: When the access permission isolation module is in operation, it responds to the access request from the master device transmitted by the bypass control module, determines the access permission of the master device based on the access request, and transmits the access request to the corresponding slave device or intercepts the access request based on the access permission.

[0120] In some optional embodiments, based on any of the above embodiments, the access control module includes a first isolation control unit and a second isolation control unit; the bypass control module includes a first bypass control unit corresponding to the first isolation control unit and a second bypass control unit corresponding to the second isolation control unit.

[0121] The first isolation control unit is coupled to the first slave device; the first bypass control unit is coupled to both the first isolation control unit and the first slave device.

[0122] In step 510, the bypass control module controls the access permission isolation module to be in bypass mode based on the bypass enable state, and transmits the access request from the master device to the corresponding slave device; or, the bypass control module controls the access permission isolation module to be in working mode based on the bypass enable state, including: Based on the first bypass enable state, the first bypass control unit controls the first isolation control unit to be in bypass state, transmits the first access request from the master device to the first slave device to the first slave device, or controls the first isolation control unit to be in working state.

[0123] In step 520, the access permission isolation module, while in operation, determines the access permissions of the master device based on the access request from the master device, and based on the access permissions, transmits the access request to the corresponding slave device or intercepts the access request, including: When the first isolation control unit is in operation, it transmits the first access request from the master device to the first slave device based on the master device's access permissions, or intercepts the first access request.

[0124] In some alternative embodiments, the second isolation control unit is coupled to the second slave device; the second bypass control unit is coupled to both the second isolation control unit and the second slave device.

[0125] The second isolation control unit is also coupled to the first isolation control unit and the first bypass control unit.

[0126] In step 510, the bypass control module controls the access permission isolation module to be in a bypass state based on the bypass enable state, and transmits the access request from the master device to the corresponding slave device; or, the bypass control module controls the access permission isolation module to be in an active state based on the bypass enable state, further including: The second bypass control unit controls the second isolation control unit to be in bypass mode based on the second bypass enable state and transmits the second access request to the second slave device, or controls the second isolation control unit to be in working mode.

[0127] In step 520, the access permission isolation module, while in operation, determines the access permissions of the master device based on the access request from the master device, and based on the access permissions, transmits the access request to the corresponding slave device or intercepts the access request. This also includes: When the second isolation control unit is in operation, in response to receiving a second access request from the master device to the second slave device transmitted by the first isolation control unit or the first bypass control unit, it determines the access permissions of the master device based on the second access request, and transmits the second access request to the second slave device based on the access permissions, or intercepts the second access request.

[0128] In some alternative embodiments, the first slave device includes a first register coupled to a second bypass control unit, the first register being used to store a second bypass enable state of the second bypass control unit.

[0129] The second bypass control unit, based on the second bypass enabled state, controls the second isolation control unit to be in bypass state and transmits the second access request to the second slave device, or controls the second isolation control unit to be in operating state, further including: The second bypass control unit, in response to the second bypass enable state in the first register being enabled, controls the second isolation control unit to be in bypass state and transmits the second access request to the second slave device; or, in response to the second bypass enable state in the first register being disabled, controls the second isolation control unit to be in working state.

[0130] When the second isolation control unit is in operation, in response to receiving a second access request from the master device to the second slave device transmitted by the first isolation control unit or the first bypass control unit, it determines the master device's access permissions based on the second access request, and transmits the second access request to the second slave device based on the access permissions, or intercepts the second access request, further including: When the second isolation control unit is in operation, in response to receiving a second access request from the master device to the second slave device transmitted by the first isolation control unit or the first bypass control unit, the second isolation control unit determines the access permission of the master device based on the second access request; in response to the access permission being authorized, the second isolation control unit transmits the second access request to the second slave device; or, in response to the access permission being unauthorized, the second isolation control unit intercepts the second access request.

[0131] In some optional embodiments, the method of this disclosure further includes: During the startup process of the system where the main device is located, the bypass control module responds to the bypass enable state in the second register and controls the access control isolation module to switch to the bypass state. After the system has started up, the bypass control module responds to the bypass enable state in the second register by updating from enabled to disabled, and the access control isolation module switches to the working state.

[0132] In some alternative embodiments, the slave device includes a third register for storing access control information.

[0133] In step 520, the access permission isolation module, while in operation, determines the access permissions of the master device based on the master device's access requests, including: When the access permission isolation module is in operation, it determines the access permissions of the master device based on the master device's access requests and access permission control information.

[0134] In some optional embodiments, before the access permission isolation module determines the access permissions of the master device based on the master device's access request and access permission control information while the access permission isolation module is in operation, the method of this disclosure embodiment further includes: In response to receiving a fourth access request from the first master device to the third register, the security authority controller determines the security attribute of the fourth access request based on the fourth access request, which is used to configure access control information to the third register; if the security attribute is secure, the security authority controller writes the access control information to the third register based on the fourth access request; or, if the security attribute is insecure, the security authority controller intercepts the fourth access request.

[0135] The embodiments described above can be implemented individually or in any combination without conflict. The specific implementation can be set according to actual needs, and this disclosure does not limit them.

[0136] The beneficial technical effects corresponding to the exemplary embodiments of this method can be found in the corresponding beneficial technical effects of the exemplary device section above, and will not be repeated here.

[0137] Any of the access control methods provided in this disclosure can be executed by any suitable electronic device with corresponding control functions, including but not limited to: terminal devices, servers, and other electronic devices or hardware within electronic devices. Further details will not be provided below.

[0138] Exemplary chip This disclosure provides a chip that includes the access control device 20 provided in any of the above embodiments of this disclosure.

[0139] In some alternative embodiments, the chip provided in this disclosure may further include one or more master devices.

[0140] In some optional embodiments, the chip provided in this disclosure may further include multiple slave devices. See also Figure 1As shown, I will not go into detail here.

[0141] Exemplary electronic devices Figure 18 This is a structural diagram of an electronic device provided in an embodiment of the present disclosure, including at least one processor 91, a memory 92, and an access control device 20 provided in any of the above embodiments of the present disclosure.

[0142] The processor 91 may be a central processing unit (CPU) or other form of processing unit with data processing capabilities and / or instruction execution capabilities, and may control other components in the electronic device 90 to perform desired functions.

[0143] The memory 92 may include one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and / or non-volatile memory. Volatile memory may include, for example, random access memory (RAM) and / or cache memory. Non-volatile memory may include, for example, read-only memory (ROM), hard disk, flash memory, etc. One or more computer program instructions may be stored on the computer-readable storage medium, and the processor 91 may execute one or more computer program instructions to implement the access control methods and / or other desired functions of the various embodiments of this disclosure described above.

[0144] In one example, the electronic device 90 may also include an input device 93 and an output device 94, which are interconnected via a bus system and / or other forms of connection mechanism (not shown).

[0145] The input device 93 may also include, for example, a touch screen, a microphone, various sensors, etc.

[0146] The output device 94 can output various information to the outside, including, for example, a display, a speaker, a communication network and its connected remote output devices, etc.

[0147] Of course, for the sake of simplicity, Figure 18 Only some of the components of the electronic device 90 relevant to this disclosure are shown, omitting components such as buses, input / output interfaces, etc. In addition, the electronic device 90 may include any other suitable components depending on the specific application.

[0148] Exemplary computer program products and computer-readable storage media In addition to the methods and apparatus described above, embodiments of this disclosure may also provide a computer program product, including computer program instructions that, when executed by a processor, cause the processor to perform the steps of the access control methods of the various embodiments of this disclosure described in the "Exemplary Methods" section above.

[0149] Computer program products can be written in any combination of one or more programming languages ​​to perform the operations of embodiments of this disclosure. These programming languages ​​include object-oriented programming languages ​​such as Java and C++, as well as conventional procedural programming languages ​​such as C or similar languages. The program code can be executed entirely on a user's computing device, partially on a user's computing device, as a standalone software package, partially on a user's computing device and partially on a remote computing device, or entirely on a remote computing device or server.

[0150] Furthermore, embodiments of this disclosure may also be computer-readable storage media storing computer program instructions thereon, which, when executed by a processor, cause the processor to perform the steps of the access control methods of the various embodiments of this disclosure described in the "Exemplary Methods" section above.

[0151] Computer-readable storage media may take the form of any combination of one or more readable media. A readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may include, but is not limited to, systems, apparatuses, or devices that are electrical, magnetic, optical, electromagnetic, infrared, or semiconductor, or any combination thereof. More specific examples of readable storage media (a non-exhaustive list) include: electrical connections having one or more wires, portable disks, hard disks, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fibers, portable compact disk read-only memory (CD-ROM), optical storage devices, magnetic storage devices, or any suitable combination thereof.

[0152] The basic principles of this disclosure have been described above with reference to specific embodiments. However, the advantages, benefits, and effects mentioned in this disclosure are merely examples and not limitations, and should not be considered as essential features of each embodiment of this disclosure. Furthermore, the specific details disclosed above are for illustrative and facilitative purposes only, and are not limitations. These details do not limit the scope of this disclosure to the necessity of employing the aforementioned specific details for implementation.

[0153] Various modifications and variations can be made to this disclosure without departing from the spirit and scope of this application. Therefore, if such modifications and variations fall within the scope of the claims of this disclosure and their equivalents, this disclosure is also intended to include such modifications and variations.

Claims

1. An access control device, comprising: The access permission isolation module is configured to, in the working state, determine the access permissions of the master device based on the access request of the master device, and based on the access permissions, transmit the access request to the corresponding slave device or intercept the access request; The bypass control module is configured to: control the access permission isolation module to be in a bypass state based on the bypass enable state and transmit the access request to the corresponding slave device, or control the access permission isolation module to be in the working state.

2. The apparatus according to claim 1, wherein, The access permission isolation module is coupled to the master device; the bypass control module is coupled to the master device, the access permission isolation module, and multiple slave devices respectively. The bypass control module is specifically configured as follows: In response to the bypass enable state being enabled, the access permission isolation module is controlled to be in bypass state, transmitting the access request from the master device to the corresponding slave device; or... In response to the bypass enable state being disabled, the access permission isolation module is controlled to be in the working state. In response to the access request from the master device transmitted by the access permission isolation module, the access request is transmitted to the corresponding slave device.

3. The apparatus according to claim 1, wherein, The bypass control module is coupled to the master device, the access permission isolation module, and multiple slave devices respectively; the access permission isolation module is coupled to the multiple slave devices. The bypass control module is specifically configured as follows: In response to the bypass enable state being enabled, the access permission isolation module is controlled to be in bypass state, and the access request from the master device is transmitted to the corresponding slave device; or... In response to the bypass enable state being disabled, the access permission isolation module is controlled to be in the working state, and the access request of the master device is transmitted to the access permission isolation module. The access control isolation module is specifically configured as follows: In operation, in response to receiving the access request from the master device transmitted by the bypass control module, the access permissions of the master device are determined based on the access request, and the access request is transmitted to the corresponding slave device or the access request is intercepted based on the access permissions.

4. The apparatus according to claim 1, wherein, The access control module includes a first isolation control unit and a second isolation control unit; the bypass control module includes a first bypass control unit corresponding to the first isolation control unit and a second bypass control unit corresponding to the second isolation control unit; The first isolation control unit is coupled to the first slave device; the first bypass control unit is coupled to both the first isolation control unit and the first slave device. The first isolation control unit is configured to, in the working state, transmit the first access request from the master device to the first slave device based on the access permissions of the master device, or intercept the first access request; The first bypass control unit is configured to, based on a first bypass enable state, control the first isolation control unit to be in a bypass state, transmit the first access request from the master device to the first slave device to the first slave device, or control the first isolation control unit to be in the working state. The second isolation control unit is coupled to the second slave device; the second bypass control unit is coupled to both the second isolation control unit and the second slave device. The second isolation control unit is also coupled to the first isolation control unit and / or the first bypass control unit; The second isolation control unit is configured to: in the working state, in response to receiving a second access request from the master device to the second slave device transmitted by the first isolation control unit or the first bypass control unit, determine the access rights of the master device based on the second access request, and transmit the second access request to the second slave device based on the access rights, or intercept the second access request; The second bypass control unit is configured to, based on the second bypass enable state, control the second isolation control unit to be in a bypass state and transmit the second access request to the second slave device, or control the second isolation control unit to be in the operating state.

5. The apparatus according to claim 4, wherein, The first slave device includes a first register; The first register, coupled to the second bypass control unit, is configured to store the second bypass enable state of the second bypass control unit; The second bypass control unit is specifically configured as follows: In response to the second bypass enable state in the first register being enabled, the second isolation control unit is controlled to be in bypass state, and the second access request is transmitted to the second slave device; or... In response to the second bypass enable state being disabled in the first register, the second isolation control unit is controlled to be in the working state; The second isolation control unit is specifically configured as follows: In the operating state, in response to receiving the second access request from the master device to the second slave device transmitted by the first isolation control unit or the first bypass control unit, the access permissions of the master device are determined based on the second access request; In response to the stated access permission being granted, the second access request is transmitted to the second slave device; or, In response to the stated access permission being invalid, the second access request is intercepted.

6. The apparatus according to claim 1, wherein, The device further includes: The second register, coupled to the bypass control module, is configured to store the bypass enable state of the bypass control module. The bypass control module is specifically configured as follows: During the startup process of the system where the main device is located, in response to the bypass enable state in the second register being enabled, the access permission isolation module is controlled to switch to the bypass state; After the system has started up, in response to the bypass enable state in the second register being updated from enabled to disabled, the access permission isolation module is controlled to switch to the working state.

7. The apparatus according to claim 1, wherein, The slave device includes a third register configured to store access control information; The access control isolation module is specifically configured as follows: In the working state, the access permissions of the main device are determined based on the access request of the main device and the access permission control information.

8. The apparatus according to claim 7, wherein, The device further includes: The security access controller, coupled to the third register, is configured as follows: In response to receiving a fourth access request from the first master device to the third register, the security attributes of the fourth access request are determined based on the fourth access request; the fourth access request is used to configure the access control information to the third register. In response to the security attribute being secure, based on the fourth access request, the access control information is written to the third register; or, In response to the security attribute being deemed insecure, the fourth access request is blocked.

9. An access control method, comprising: The bypass control module controls the access permission isolation module to be in bypass state based on the bypass enable state, and transmits the access request of the master device to the corresponding slave device; or, The bypass control module controls the access permission isolation module to be in working state based on the bypass enable state; In the working state, the access permission isolation module determines the access permission of the master device based on the access request of the master device, and transmits the access request to the corresponding slave device or intercepts the access request based on the access permission.

10. A computer-readable storage medium storing a computer program that is executed by a processor to perform the access control method of claim 9.

11. A chip comprising the access control device according to any one of claims 1-8.

12. An electronic device, the electronic device comprising: processor; Memory used to store the processor's executable instructions; And the access control device according to any one of claims 1-8; The processor is configured to read the executable instructions from the memory, and execute the executable instructions to control the access control device to implement the access control method of claim 9.